Implement the flow using the recovery flow happy path (#3453)

* Recovery flow happy path

* Refactor to a function

* Support pasting words

* Use global agent options and submit on enter or word pasting

* Revert and improve comments

* Remove unnecessary comment and unused import

* Remove unnecessary import

* GH review changes

* Change submit trigger

* Refactor to throw instead of variant

Author: lmuntaner

src/frontend/src/lib/flows/recoverWithPhraseFlow.svelte.ts

@@ -0,0 +1,84 @@
+import {
+  DeviceKey,
+  IdentityInfo,
+} from "$lib/generated/internet_identity_types";
+import { agentOptions, anonymousActor } from "$lib/globals";
+import {
+  fromMnemonicWithoutValidation,
+  IC_DERIVATION_PATH,
+  isValidMnemonic,
+} from "$lib/utils/recoveryPhrase";
+import { throwCanisterError } from "$lib/utils/utils";
+import { DerEncodedPublicKey, HttpAgent, SignIdentity } from "@dfinity/agent";
+import {
+  DelegationChain,
+  DelegationIdentity,
+  ECDSAKeyIdentity,
+} from "@icp-sdk/core/identity";
+
+const authenticateWithRecoveryPhrase = async (
+  identity: SignIdentity,
+): Promise<DelegationIdentity> => {
+  const sessionKey = await ECDSAKeyIdentity.generate({ extractable: false });
+  const tenMinutesInMsec = 10 * 1000 * 60;
+  const chain = await DelegationChain.create(
+    identity,
+    sessionKey.getPublicKey(),
+    new Date(Date.now() + tenMinutesInMsec),
+  );
+  return DelegationIdentity.fromDelegation(sessionKey, chain);
+};
+
+const bufferEqual = (buf1: ArrayBuffer, buf2: ArrayBuffer): boolean => {
+  if (buf1.byteLength !== buf2.byteLength) return false;
+  const dv1 = new Int8Array(buf1);
+  const dv2 = new Int8Array(buf2);
+  for (let i = 0; i !== buf1.byteLength; i++) {
+    if (dv1[i] !== dv2[i]) return false;
+  }
+  return true;
+};
+
+const derFromPubkey = (pubkey: DeviceKey): DerEncodedPublicKey =>
+  new Uint8Array(pubkey).buffer as DerEncodedPublicKey;
+
+export class InvalidMnemonicError extends Error {
+  constructor() {
+    super("Invalid mnemonic");
+  }
+}
+
+export const recoverWithPhrase = async (
+  words: string[],
+): Promise<{ info: IdentityInfo; identity: DelegationIdentity }> => {
+  const recoveryPhrase = words.join(" ");
+  if (!isValidMnemonic(recoveryPhrase)) {
+    throw new InvalidMnemonicError();
+  }
+  const identity = await fromMnemonicWithoutValidation(
+    recoveryPhrase,
+    IC_DERIVATION_PATH,
+  );
+  // TODO: Use lookup endpoint of recovery phrase to user number.
+  const userNumber = BigInt(window.prompt("Identity number")!);
+  const devices = await anonymousActor.get_anchor_credentials(userNumber);
+  const isCorrectPhrase = devices.recovery_phrases.some((pubkey) =>
+    bufferEqual(identity.getPublicKey().toDer(), derFromPubkey(pubkey)),
+  );
+  if (!isCorrectPhrase) {
+    throw new Error("Invalid phrase");
+  }
+  const delegationIdentity = await authenticateWithRecoveryPhrase(identity);
+  const agent = HttpAgent.createSync({
+    ...agentOptions,
+    identity: delegationIdentity,
+  });
+  // Make call to lookup endpoint
+  const identityInfo = await anonymousActor.identity_info
+    .withOptions({ agent })(userNumber)
+    .then(throwCanisterError);
+  return {
+    info: identityInfo,
+    identity: delegationIdentity,
+  };
+};

src/frontend/src/lib/utils/recoveryPhrase.test.ts

@@ -0,0 +1,99 @@
+import { hexToBytes } from "@noble/hashes/utils";
+import { Ed25519PublicKey } from "@icp-sdk/core/identity";
+import * as ed25519 from "./recoveryPhrase";
+
+type TestVector = {
+  seed: string;
+  privateKey: string;
+  publicKey: string;
+  derivationPath?: number[];
+};
+
+// Test vectors are taken from
+// https://github.com/satoshilabs/slips/blob/master/slip-0010.md
+// The public key vectors contained a leading 0-byte for no obvious reason.
+// These were removed.
+const testVectorsSLIP10 = [
+  {
+    seed: "000102030405060708090a0b0c0d0e0f",
+    privateKey:
+      "2b4be7f19ee27bbf30c667b642d5f4aa69fd169872f8fc3059c08ebae2eb19e7",
+    publicKey:
+      "a4b2856bfec510abab89753fac1ac0e1112364e7d250545963f135f2a33188ed",
+  },
+  {
+    seed: "000102030405060708090a0b0c0d0e0f",
+    privateKey:
+      "68e0fe46dfb67e368c75379acec591dad19df3cde26e63b93a8e704f1dade7a3",
+    publicKey:
+      "8c8a13df77a28f3445213a0f432fde644acaa215fc72dcdf300d5efaa85d350c",
+    derivationPath: [0],
+  },
+  {
+    seed: "000102030405060708090a0b0c0d0e0f",
+    privateKey:
+      "b1d0bad404bf35da785a64ca1ac54b2617211d2777696fbffaf208f746ae84f2",
+    publicKey:
+      "1932a5270f335bed617d5b935c80aedb1a35bd9fc1e31acafd5372c30f5c1187",
+    derivationPath: [0, 1],
+  },
+  {
+    seed: "000102030405060708090a0b0c0d0e0f",
+    privateKey:
+      "92a5b23c0b8a99e37d07df3fb9966917f5d06e02ddbd909c7e184371463e9fc9",
+    publicKey:
+      "ae98736566d30ed0e9d2f4486a64bc95740d89c7db33f52121f8ea8f76ff0fc1",
+    derivationPath: [0, 1, 2],
+  },
+  {
+    seed: "000102030405060708090a0b0c0d0e0f",
+    privateKey:
+      "30d1dc7e5fc04c31219ab25a27ae00b50f6fd66622f6e9c913253d6511d1e662",
+    publicKey:
+      "8abae2d66361c879b900d204ad2cc4984fa2aa344dd7ddc46007329ac76c429c",
+    derivationPath: [0, 1, 2, 2],
+  },
+  {
+    seed: "000102030405060708090a0b0c0d0e0f",
+    privateKey:
+      "8f94d394a8e8fd6b1bc2f3f49f5c47e385281d5c17e65324b0f62483e37e8793",
+    publicKey:
+      "3c24da049451555d51a7014a37337aa4e12d41e485abccfa46b47dfb2af54b7a",
+    derivationPath: [0, 1, 2, 2, 1000000000],
+  },
+];
+
+test("derive Ed25519 via SLIP 0010", async () => {
+  await Promise.all(
+    testVectorsSLIP10.map(async (testVector: TestVector) => {
+      const seedBlob = hexToBytes(testVector.seed);
+      const expectedPrivateKey = hexToBytes(testVector.privateKey);
+      const expectedPublicKey = hexToBytes(testVector.publicKey);
+
+      const identity = await ed25519.fromSeedWithSlip0010(
+        new Uint8Array(seedBlob),
+        testVector.derivationPath,
+      );
+
+      const keyPair = identity.getKeyPair();
+      expect(keyPair.secretKey.slice(0, 32)).toEqual(
+        new Uint8Array(expectedPrivateKey),
+      );
+      expect(keyPair.publicKey.toDer()).toEqual(
+        Ed25519PublicKey.fromRaw(expectedPublicKey).toDer(),
+      );
+    }),
+  );
+});
+
+test("Can derive identity from invalid mnemonic", async () => {
+  await expect(
+    ed25519.fromMnemonicWithoutValidation(""),
+  ).resolves.not.toThrow();
+  await expect(
+    ed25519.fromMnemonicWithoutValidation("g4rb4g3"),
+  ).resolves.not.toThrow();
+  await expect(
+    ed25519.fromMnemonicWithoutValidation("basket actual"),
+  ).resolves.not.toThrow();
+});

src/frontend/src/lib/utils/recoveryPhrase.ts

@@ -0,0 +1,114 @@
+import { Ed25519KeyIdentity } from "@icp-sdk/core/identity";
+import { mnemonicToSeedSync, validateMnemonic } from "bip39";
+
+export const IC_DERIVATION_PATH = [44, 223, 0, 0, 0];
+
+// A constant used for xor-ing derived paths to make them hardened.
+const HARDENED = 0x80000000;
+
+/**
+ * Validates a mnemonic phrase using BIP-39.
+ *
+ * @param mnemonic A BIP-39 mnemonic phrase.
+ * @returns {boolean} True if the mnemonic is valid, false otherwise.
+ */
+export const isValidMnemonic = (mnemonic: string): boolean =>
+  validateMnemonic(mnemonic);
+
+/**
+ * Create an Ed25519 according to SLIP 0010:
+ * https://github.com/satoshilabs/slips/blob/master/slip-0010.md
+ *
+ * The derivation path is an array that is always interpreted as a hardened path.
+ * e.g. to generate m/44'/223’/0’/0’/0' the derivation path should be [44, 223, 0, 0, 0]
+ */
+export async function fromSeedWithSlip0010(
+  masterSeed: Uint8Array,
+  derivationPath: number[] = [],
+): Promise<Ed25519KeyIdentity> {
+  let [slipSeed, chainCode] = await generateMasterKey(masterSeed);
+
+  for (let i = 0; i < derivationPath.length; i++) {
+    [slipSeed, chainCode] = await derive(
+      slipSeed,
+      chainCode,
+      derivationPath[i] | HARDENED,
+    );
+  }
+
+  return Ed25519KeyIdentity.generate(slipSeed);
+}
+
+/**
+ * Create an Ed25519 based on a mnemonic phrase according to SLIP 0010:
+ * https://github.com/satoshilabs/slips/blob/master/slip-0010.md
+ *
+ * NOTE: This method derives an identity even if the mnemonic is invalid. It's
+ * the responsibility of the caller to validate the mnemonic before calling this method.
+ *
+ * @param mnemonic A BIP-39 mnemonic.
+ * @param derivationPath an array that is always interpreted as a hardened path.
+ * e.g. to generate m/44'/223’/0’/0’/0' the derivation path should be [44, 223, 0, 0, 0]
+ */
+export function fromMnemonicWithoutValidation(
+  mnemonic: string,
+  derivationPath: number[] = [],
+): Promise<Ed25519KeyIdentity> {
+  const seed = mnemonicToSeedSync(mnemonic);
+  return fromSeedWithSlip0010(seed, derivationPath);
+}
+
+async function generateMasterKey(
+  seed: Uint8Array,
+): Promise<[Uint8Array, Uint8Array]> {
+  const data = new TextEncoder().encode("ed25519 seed");
+  const key = await window.crypto.subtle.importKey(
+    "raw",
+    data,
+    {
+      name: "HMAC",
+      hash: { name: "SHA-512" },
+    },
+    false,
+    ["sign"],
+  );
+  const h = await window.crypto.subtle.sign("HMAC", key, seed);
+  const slipSeed = new Uint8Array(h.slice(0, 32));
+  const chainCode = new Uint8Array(h.slice(32));
+  return [slipSeed, chainCode];
+}
+
+async function derive(
+  parentKey: Uint8Array,
+  parentChaincode: Uint8Array,
+  i: number,
+): Promise<[Uint8Array, Uint8Array]> {
+  // From the spec: Data = 0x00 || ser256(kpar) || ser32(i)
+  const data = new Uint8Array([0, ...parentKey, ...toBigEndianArray(i)]);
+  const key = await window.crypto.subtle.importKey(
+    "raw",
+    parentChaincode,
+    {
+      name: "HMAC",
+      hash: { name: "SHA-512" },
+    },
+    false,
+    ["sign"],
+  );
+
+  const h = await window.crypto.subtle.sign("HMAC", key, data);
+  const slipSeed = new Uint8Array(h.slice(0, 32));
+  const chainCode = new Uint8Array(h.slice(32));
+  return [slipSeed, chainCode];
+}
+
+// Converts a 32-bit unsigned integer to a big endian byte array.
+function toBigEndianArray(n: number): Uint8Array {
+  const byteArray = new Uint8Array([0, 0, 0, 0]);
+  for (let i = byteArray.length - 1; i >= 0; i--) {
+    const byte = n & 0xff;
+    byteArray[i] = byte;
+    n = (n - byte) / 256;
+  }
+  return byteArray;
+}