Refactor Wallet Core usage from android device auth flow

Author: 0xh3rman

android/data/coordinators/src/main/kotlin/com/gemwallet/android/data/coordinators/GetAuthPayloadImpl.kt

@@ -4,19 +4,17 @@ import com.gemwallet.android.application.GetAuthPayload
 import com.gemwallet.android.application.PasswordStore
 import com.gemwallet.android.application.device.coordinators.GetDeviceId
 import com.gemwallet.android.blockchain.operators.LoadPrivateKeyOperator
-import com.gemwallet.android.blockchain.operators.walletcore.WCChainTypeProxy
 import com.gemwallet.android.data.services.gemapi.GemDeviceApiClient
-import com.gemwallet.android.domains.referral.values.ReferralError
 import com.gemwallet.android.ext.getAccount
-import com.gemwallet.android.math.append0x
-import com.gemwallet.android.math.hex
+import com.gemwallet.android.ext.referralChain
 import com.wallet.core.primitives.AuthPayload
 import com.wallet.core.primitives.Chain
 import com.wallet.core.primitives.Wallet
 import uniffi.gemstone.GemAuthNonce
-import wallet.core.jni.PrivateKey
-import java.util.Arrays
+import uniffi.gemstone.createAuthMessage
+import uniffi.gemstone.signAuthMessageHash
 import java.io.IOException
+import java.util.Arrays
 
 class GetAuthPayloadImpl(
     private val gemDeviceApiClient: GemDeviceApiClient,
@@ -25,7 +23,8 @@ class GetAuthPayloadImpl(
     private val loadPrivateKeyOperator: LoadPrivateKeyOperator,
 ) : GetAuthPayload {
 
-    override suspend fun getAuthPayload(wallet: Wallet, chain: Chain): AuthPayload {
+    override suspend fun getAuthPayload(wallet: Wallet): AuthPayload {
+        val chain = Chain.referralChain
         val account = wallet.getAccount(chain) ?: throw Exception() // TODO
         val deviceId = getDeviceId.getDeviceId()
         val key = loadPrivateKeyOperator(
@@ -36,14 +35,12 @@ class GetAuthPayloadImpl(
 
         try {
             val nonce = gemDeviceApiClient.getAuthNonce() ?: throw IOException("Auth nonce unavailable")
-            val message = uniffi.gemstone.createAuthMessage(
-                chain = Chain.Ethereum.string,
+            val message = createAuthMessage(
                 address = account.address,
                 authNonce = GemAuthNonce(nonce.nonce, nonce.timestamp)
             )
 
-            val signature = PrivateKey(key).sign(message.hash, WCChainTypeProxy()(chain).curve())
-                .hex.append0x()
+            val signature = signAuthMessageHash(message.hash, key)
             return AuthPayload(
                 deviceId = deviceId,
                 chain = account.chain,

android/data/coordinators/src/main/kotlin/com/gemwallet/android/data/coordinators/device/GetDeviceIdImpl.kt

@@ -2,10 +2,8 @@ package com.gemwallet.android.data.coordinators.device
 
 import com.gemwallet.android.application.SecurityStore
 import com.gemwallet.android.application.device.coordinators.GetDeviceId
-import com.gemwallet.android.math.hex
+import com.gemwallet.android.data.services.gemapi.DeviceKeyPair
 import kotlinx.coroutines.runBlocking
-import wallet.core.jni.Curve
-import wallet.core.jni.HDWallet
 
 class GetDeviceIdImpl(
     private val store: SecurityStore<Any>
@@ -24,9 +22,9 @@ class GetDeviceIdImpl(
             return data
         } catch (_: Throwable) {}
 
-        val deviceKey = HDWallet(128, "").getMasterKey(Curve.ED25519)
-        val privateKey = deviceKey.data().hex
-        val publicKey = deviceKey.publicKeyEd25519.data().hex
+        val deviceKey = DeviceKeyPair.generate()
+        val privateKey = deviceKey.privateKeyHex
+        val publicKey = deviceKey.publicKeyHex
 
         store.putValue(Keys.PrivateKey, privateKey)
         store.putValue(Keys.PublicKey, publicKey)

android/data/coordinators/src/main/kotlin/com/gemwallet/android/data/coordinators/referral/CreateReferralImpl.kt

@@ -3,11 +3,7 @@ package com.gemwallet.android.data.coordinators.referral
 import com.gemwallet.android.application.GetAuthPayload
 import com.gemwallet.android.application.referral.coordinators.CreateReferral
 import com.gemwallet.android.data.services.gemapi.GemDeviceApiClient
-import com.gemwallet.android.domains.referral.values.ReferralError
-import com.gemwallet.android.ext.getAccount
-import com.gemwallet.android.ext.referralChain
 import com.wallet.core.primitives.AuthenticatedRequest
-import com.wallet.core.primitives.Chain
 import com.wallet.core.primitives.ReferralCode
 import com.wallet.core.primitives.Rewards
 import com.wallet.core.primitives.Wallet
@@ -20,8 +16,7 @@ class CreateReferralImpl(
 
 
     override suspend fun createReferral(code: String, wallet: Wallet): Rewards {
-        val account = wallet.getAccount(Chain.referralChain) ?: throw ReferralError.BadWallet
-        val authPayload = getAuthPayload.getAuthPayload(wallet, account.chain)
+        val authPayload = getAuthPayload.getAuthPayload(wallet)
         return gemDeviceApiClient.createReferral(
             walletId = wallet.id,
             body = AuthenticatedRequest(

android/data/coordinators/src/main/kotlin/com/gemwallet/android/data/coordinators/referral/RedeemImpl.kt

@@ -7,9 +7,7 @@ import com.gemwallet.android.data.repositories.session.SessionRepository
 import com.gemwallet.android.data.services.gemapi.GemDeviceApiClient
 import com.gemwallet.android.domains.referral.values.ReferralError
 import com.gemwallet.android.ext.getAccount
-import com.gemwallet.android.ext.referralChain
 import com.wallet.core.primitives.AuthenticatedRequest
-import com.wallet.core.primitives.Chain
 import com.wallet.core.primitives.RedemptionRequest
 import com.wallet.core.primitives.RedemptionResult
 import com.wallet.core.primitives.RewardRedemptionOption
@@ -25,8 +23,7 @@ class RedeemImpl(
 ) : Redeem {
 
     override suspend fun redeem(wallet: Wallet, rewards: Rewards, option: RewardRedemptionOption): RedemptionResult {
-        val account = wallet.getAccount(Chain.referralChain) ?: throw ReferralError.BadWallet
-        val authPayload = getAuthPayload.getAuthPayload(wallet, account.chain)
+        val authPayload = getAuthPayload.getAuthPayload(wallet)
         if (rewards.points < option.points) {
             throw ReferralError.InsufficientPoints
         }

android/data/coordinators/src/main/kotlin/com/gemwallet/android/data/coordinators/referral/UseReferralCodeImpl.kt

@@ -3,11 +3,7 @@ package com.gemwallet.android.data.coordinators.referral
 import com.gemwallet.android.application.GetAuthPayload
 import com.gemwallet.android.application.referral.coordinators.UseReferralCode
 import com.gemwallet.android.data.services.gemapi.GemDeviceApiClient
-import com.gemwallet.android.domains.referral.values.ReferralError
-import com.gemwallet.android.ext.getAccount
-import com.gemwallet.android.ext.referralChain
 import com.wallet.core.primitives.AuthenticatedRequest
-import com.wallet.core.primitives.Chain
 import com.wallet.core.primitives.ReferralCode
 import com.wallet.core.primitives.Wallet
 
@@ -18,8 +14,7 @@ class UseReferralCodeImpl(
 
 
     override suspend fun useReferralCode(code: String, wallet: Wallet): Boolean {
-        val account = wallet.getAccount(Chain.referralChain) ?: throw ReferralError.BadWallet
-        val auth = getAuthPayload.getAuthPayload(wallet, account.chain)
+        val auth = getAuthPayload.getAuthPayload(wallet)
         gemDeviceApiClient.useReferralCode(
             walletId = wallet.id,
             body = AuthenticatedRequest(

android/data/services/remote-gem/build.gradle.kts

@@ -58,8 +58,10 @@ dependencies {
 
     implementation(libs.ktx.core)
     implementation(libs.kotlinx.coroutines.android)
+    implementation(libs.tink)
 
     testImplementation(libs.junit)
+    testImplementation(testFixtures(project(":gemcore")))
     androidTestImplementation(libs.androidx.junit)
     androidTestImplementation(libs.androidx.espresso.core)
 }

android/data/services/remote-gem/src/main/kotlin/com/gemwallet/android/data/services/gemapi/DeviceKeyPair.kt

@@ -0,0 +1,52 @@
+package com.gemwallet.android.data.services.gemapi
+
+import com.gemwallet.android.math.fromHex
+import com.gemwallet.android.math.hex
+import com.google.crypto.tink.subtle.Ed25519Sign
+import java.security.GeneralSecurityException
+import java.util.Arrays
+
+class DeviceKeyPair private constructor(
+    private val privateKey: ByteArray,
+    private val publicKey: ByteArray,
+) {
+    val privateKeyHex: String
+        get() = privateKey.hex
+
+    val publicKeyHex: String
+        get() = publicKey.hex
+
+    fun sign(message: ByteArray): String {
+        return Ed25519Sign(privateKey).sign(message).hex
+    }
+
+    companion object {
+        fun generate(): DeviceKeyPair {
+            val keyPair = Ed25519Sign.KeyPair.newKeyPair()
+            return DeviceKeyPair(
+                privateKey = keyPair.privateKey,
+                publicKey = keyPair.publicKey,
+            )
+        }
+
+        fun fromHex(privateKeyHex: String): DeviceKeyPair {
+            val privateKey = try {
+                privateKeyHex.fromHex()
+            } catch (err: IllegalArgumentException) {
+                throw IllegalArgumentException("Invalid device private key", err)
+            }
+            val seed = privateKey.copyOf()
+            return try {
+                DeviceKeyPair(
+                    privateKey = privateKey,
+                    publicKey = Ed25519Sign.KeyPair.newKeyPairFromSeed(seed).publicKey,
+                )
+            } catch (err: GeneralSecurityException) {
+                Arrays.fill(privateKey, 0)
+                throw IllegalArgumentException("Invalid device private key", err)
+            } finally {
+                Arrays.fill(seed, 0)
+            }
+        }
+    }
+}

android/data/services/remote-gem/src/main/kotlin/com/gemwallet/android/data/services/gemapi/http/DeviceRequestSigner.kt

@@ -1,12 +1,9 @@
 package com.gemwallet.android.data.services.gemapi.http
 
 import com.gemwallet.android.application.device.coordinators.GetDeviceId
-import com.gemwallet.android.math.fromHex
-import com.gemwallet.android.math.hex
+import com.gemwallet.android.data.services.gemapi.DeviceKeyPair
+import com.gemwallet.android.math.sha256Hex
 import java.util.Base64
-import wallet.core.jni.Curve
-import wallet.core.jni.Hash
-import wallet.core.jni.PrivateKey
 
 data class DeviceSignature(
     val authorization: String,
@@ -17,34 +14,36 @@ data class DeviceSignature(
 }
 
 class DeviceRequestSigner(
-    private val getDeviceId: GetDeviceId,
+    getDeviceId: GetDeviceId,
 ) {
+    private val deviceKeyPair = DeviceKeyPair.fromHex(getDeviceId.getDeviceKey())
     private var bodyHash: (ByteArray) -> String = { body: ByteArray ->
-        Hash.sha256(body).hex
+        body.sha256Hex()
     }
-    private var signMessage: (String, ByteArray) -> String = { privateKeyHex: String, message: ByteArray ->
-        PrivateKey(privateKeyHex.fromHex()).sign(message, Curve.ED25519).hex
+    private var signMessage: (DeviceKeyPair, ByteArray) -> String = { deviceKeyPair, message ->
+        deviceKeyPair.sign(message)
     }
     private var currentTimeMillis: () -> Long = System::currentTimeMillis
 
     fun sign(method: String, path: String, body: ByteArray? = null, walletId: String = ""): DeviceSignature {
-        val publicKeyHex = getDeviceId.getDeviceId()
         val bodyHash = bodyHash(body ?: ByteArray(0))
         val timestamp = currentTimeMillis().toString()
 
         val message = "${timestamp}.${method}.${path}.${walletId}.${bodyHash}"
-        val signatureHex = signMessage(getDeviceId.getDeviceKey(), message.toByteArray())
+        val signatureHex = signMessage(deviceKeyPair, message.toByteArray())
 
-        val payload = "${publicKeyHex}.${timestamp}.${walletId}.${bodyHash}.${signatureHex}"
+        val payload = "${deviceKeyPair.publicKeyHex}.${timestamp}.${walletId}.${bodyHash}.${signatureHex}"
         val encoded = Base64.getEncoder().encodeToString(payload.toByteArray())
         return DeviceSignature(authorization = "Gem $encoded")
     }
 
     internal constructor(
         getDeviceId: GetDeviceId,
-        bodyHash: (ByteArray) -> String,
-        signMessage: (String, ByteArray) -> String,
-        currentTimeMillis: () -> Long,
+        bodyHash: (ByteArray) -> String = { body -> body.sha256Hex() },
+        signMessage: (DeviceKeyPair, ByteArray) -> String = { deviceKeyPair, message ->
+            deviceKeyPair.sign(message)
+        },
+        currentTimeMillis: () -> Long = System::currentTimeMillis,
     ) : this(getDeviceId) {
         this.bodyHash = bodyHash
         this.signMessage = signMessage

android/data/services/remote-gem/src/test/kotlin/com/gemwallet/android/data/services/gemapi/DeviceKeyPairFixture.kt

@@ -0,0 +1,8 @@
+package com.gemwallet.android.data.services.gemapi
+
+internal object DeviceKeyPairFixture {
+    val privateKeyHex = "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60"
+    val publicKeyHex = "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"
+    val deviceAuthMessage = "device-auth".toByteArray()
+    val deviceAuthSignatureHex = "121bb28074b00114a7b267ae8a6292c9ffe56db6254b0c65389fd726dbdeffe95b15e6f48d3a3980f7a983da44a3de24c0771d0d8723cef2ced6d08d343a2101"
+}

android/data/services/remote-gem/src/test/kotlin/com/gemwallet/android/data/services/gemapi/DeviceKeyPairTest.kt

@@ -0,0 +1,42 @@
+package com.gemwallet.android.data.services.gemapi
+
+import com.gemwallet.android.math.fromHex
+import com.google.crypto.tink.subtle.Ed25519Verify
+import org.junit.Assert.assertEquals
+import org.junit.Assert.assertThrows
+import org.junit.Test
+
+class DeviceKeyPairTest {
+
+    @Test
+    fun generateCreatesVerifiableEd25519KeyPair() {
+        val keyPair = DeviceKeyPair.generate()
+        val publicKey = keyPair.publicKeyHex.fromHex()
+
+        val signature = keyPair.sign(DeviceKeyPairFixture.deviceAuthMessage).fromHex()
+
+        Ed25519Verify(publicKey).verify(signature, DeviceKeyPairFixture.deviceAuthMessage)
+        assertEquals(64, keyPair.privateKeyHex.length)
+        assertEquals(64, keyPair.publicKeyHex.length)
+    }
+
+    @Test
+    fun fromHexUsesDecodedEd25519PrivateKey() {
+        val keyPair = DeviceKeyPair.fromHex(DeviceKeyPairFixture.privateKeyHex)
+        val publicKey = DeviceKeyPairFixture.publicKeyHex.fromHex()
+
+        val signatureHex = keyPair.sign(DeviceKeyPairFixture.deviceAuthMessage)
+
+        assertEquals(DeviceKeyPairFixture.privateKeyHex, keyPair.privateKeyHex)
+        assertEquals(DeviceKeyPairFixture.publicKeyHex, keyPair.publicKeyHex)
+        assertEquals(DeviceKeyPairFixture.deviceAuthSignatureHex, signatureHex)
+        Ed25519Verify(publicKey).verify(signatureHex.fromHex(), DeviceKeyPairFixture.deviceAuthMessage)
+    }
+
+    @Test
+    fun fromHexRejectsInvalidPrivateKeyHex() {
+        assertThrows(IllegalArgumentException::class.java) {
+            DeviceKeyPair.fromHex("abcd")
+        }
+    }
+}