Add padding byte validation during extended private key de-serialization to match BIP 32's spec #1871
| const auto child = source.read_4_bytes_big_endian(); | ||
| const auto chain = source.read_hash(); | ||
| source.skip_byte(); | ||
| const auto padding = source.read_byte(); |
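Review bot: `padding` is read on the last visible line, but nothing shown here compares it with 0x00 or fails the parse, so confirm the value is checked before the secret is read and that a non-zero byte marks the result invalid rather than being accepted. Because the +/- markers are lost in this rendering, also confirm that `source.skip_byte();` is the removed line and is not kept next to `source.read_byte()`, which would consume two bytes ahead of the key. A test vector with a non-zero padding byte would pin the behaviour.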
It's been a long time since I've looked at this, but isn't the skip_byte or padding check only required in the hardened key case? Quick glance I'm not seeing that distinction, so just curious if you can point me to that if it's correct.
You're correct, the 0x00 byte used as HMAC input is only required for hardened derivation, we can see that in hd_private::derive_private().
But this skip_byte() is not in derivation. It is in parsing serialized extended private key data, where BIP32 always encodes private key data as 0x00 || ser256(k), regardless of whether the extended private key is a master key, a hardened child, or a non-hardened child.
I've updated the title to clarify that the byte-reading change relates to the serialized format and not key derivation. Thanks for pointing that out.
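The serialized layout described in the reply above, as an added example that is not part of this PR or of libbitcoin's code: a minimal parser for the 78-byte BIP32 payload that rejects a non-zero padding byte whatever the child number. `xprv_fields`, `parse_xprv` and `make_sample` are hypothetical names, and the sample payloads are constructed filler, not real keys.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <vector>

// Hypothetical names for this example; not libbitcoin's hd_private API.
struct xprv_fields {
    uint32_t version, parent_fingerprint, child_number;
    uint8_t depth;
    std::array<uint8_t, 32> chain_code, secret;
};

const std::size_t xkey_size = 78;         // BIP32 payload without the checksum
const uint32_t hardened_bit = 0x80000000u;
static uint32_t read_be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Layout: version(4) depth(1) fingerprint(4) child(4) chain(32) key data(33).
// Returns false on a wrong length or a non-zero padding byte.
bool parse_xprv(const std::vector<uint8_t>& data, xprv_fields& out) {
    if (data.size() != xkey_size) return false;
    const uint8_t* p = data.data();
    out.version = read_be32(p);
    out.depth = p[4];
    out.parent_fingerprint = read_be32(p + 5);
    out.child_number = read_be32(p + 9);
    std::copy(p + 13, p + 45, out.chain_code.begin());
    // Key data is 0x00 || ser256(k) for master, hardened and non-hardened
    // keys alike, so this check does not depend on child_number.
    if (p[45] != 0x00) return false;
    std::copy(p + 46, p + 78, out.secret.begin());
    return true;
}

// Constructed sample payload (filler bytes, not a real key).
std::vector<uint8_t> make_sample(uint32_t child, uint8_t padding) {
    std::vector<uint8_t> d(xkey_size, 0x11);
    d[0] = 0x04; d[1] = 0x88; d[2] = 0xAD; d[3] = 0xE4;  // mainnet xprv version
    for (int i = 0; i < 4; ++i) d[9 + i] = uint8_t(child >> (24 - 8 * i));
    d[45] = padding;
    return d;
}

int main() {
    xprv_fields f;
    return parse_xprv(make_sample(hardened_bit | 1, 0x00), f) &&
          !parse_xprv(make_sample(1, 0x01), f) ? 0 : 1;
}
```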
Thank you for satisfying my curiosity, makes a lot more sense now!
Validate padding byte is 0 in extended private key de-serialization in order to match BIP 32's spec.