move paths to a separate module

bin/secret-service/src/seeded_impl/mod.rs

@@ -18,6 +18,7 @@ use wots::SeededWotsSigner;
 pub mod musig2;
 pub mod operator;
 pub mod p2p;
+pub mod paths;
 pub mod stakechain;
 pub mod wots;
 

bin/secret-service/src/seeded_impl/musig2.rs

@@ -1,7 +1,7 @@
 //! In-memory persistence for MuSig2's secret data.
 
 use bitcoin::{
-    bip32::{ChildNumber, Xpriv},
+    bip32::Xpriv,
     hashes::Hash,
     key::{Keypair, Parity},
     Txid, XOnlyPublicKey,
@@ -20,6 +20,8 @@ use secret_service_proto::v1::traits::{
 use sha2::Sha256;
 use strata_bridge_primitives::{scripts::taproot::TaprootWitness, secp::EvenSecretKey};
 
+use super::paths::{MUSIG2_KEY_PATH, MUSIG2_NONCE_IKM_PATH};
+
 /// Secret data for the MuSig2 signer.
 #[derive(Debug)]
 pub struct Ms2Signer {
@@ -30,24 +32,15 @@ pub struct Ms2Signer {
     ikm: [u8; 32],
 }
 
-const KEY_PATH: &[ChildNumber] = &[
-    ChildNumber::Hardened { index: 20 },
-    ChildNumber::Hardened { index: 101 },
-];
-const NONCE_IKM_PATH: &[ChildNumber] = &[
-    ChildNumber::Hardened { index: 666 },
-    ChildNumber::Hardened { index: 0 },
-];
-
 impl Ms2Signer {
     /// Creates a new MuSig2 signer given a master [`Xpriv`].
     pub fn new(base: &Xpriv) -> Self {
         let key = base
-            .derive_priv(SECP256K1, &KEY_PATH)
+            .derive_priv(SECP256K1, &MUSIG2_KEY_PATH)
             .expect("valid key")
             .private_key;
         let ikm = base
-            .derive_priv(SECP256K1, &NONCE_IKM_PATH)
+            .derive_priv(SECP256K1, &MUSIG2_NONCE_IKM_PATH)
             .expect("valid child")
             .private_key
             .secret_bytes();

bin/secret-service/src/seeded_impl/paths.rs

@@ -0,0 +1,33 @@
+//! BIP32 paths used for various secret material derivation
+
+use bitcoin::bip32::ChildNumber;
+
+/// Path for initial key material used for 160-bit WOTS keys
+pub const WOTS_IKM_160_PATH: &[ChildNumber] = &[
+    ChildNumber::Hardened { index: 79 },
+    ChildNumber::Hardened { index: 160 },
+    ChildNumber::Hardened { index: 0 },
+];
+/// Path for initial key material used for 256-bit WOTS keys
+pub const WOTS_IKM_256_PATH: &[ChildNumber] = &[
+    ChildNumber::Hardened { index: 79 },
+    ChildNumber::Hardened { index: 256 },
+    ChildNumber::Hardened { index: 0 },
+];
+
+/// Path for the Musig2 key
+pub const MUSIG2_KEY_PATH: &[ChildNumber] = &[
+    ChildNumber::Hardened { index: 20 },
+    ChildNumber::Hardened { index: 101 },
+];
+/// Path for inital key material for secnonce generation in musig2
+pub const MUSIG2_NONCE_IKM_PATH: &[ChildNumber] = &[
+    ChildNumber::Hardened { index: 666 },
+    ChildNumber::Hardened { index: 0 },
+];
+
+/// Path for initial key material for stakechain preimages
+pub const STAKECHAIN_PREIMG_IKM_PATH: &[ChildNumber] = &[
+    ChildNumber::Hardened { index: 80 },
+    ChildNumber::Hardened { index: 0 },
+];

bin/secret-service/src/seeded_impl/stakechain.rs

@@ -1,33 +1,26 @@
 //! In-memory persistence for Stake Chain preimages.
 
-use bitcoin::{
-    bip32::{ChildNumber, Xpriv},
-    hashes::Hash,
-    Txid,
-};
+use bitcoin::{bip32::Xpriv, hashes::Hash, Txid};
 use hkdf::Hkdf;
 use make_buf::make_buf;
 use musig2::secp256k1::SECP256K1;
 use secret_service_proto::v1::traits::{Server, StakeChainPreimages};
 use sha2::Sha256;
 
+use super::paths::STAKECHAIN_PREIMG_IKM_PATH;
+
 /// Secret data for the Stake Chain preimages.
 #[derive(Debug)]
 pub struct StakeChain {
     /// The initial key material to derive Stake Chain preimages.
     ikm: [u8; 32],
 }
 
-const IKM_PATH: &[ChildNumber] = &[
-    ChildNumber::Hardened { index: 80 },
-    ChildNumber::Hardened { index: 0 },
-];
-
 impl StakeChain {
     /// Creates a new [`StakeChain`] given a master [`Xpriv`].
     pub fn new(base: &Xpriv) -> Self {
         let xpriv = base
-            .derive_priv(SECP256K1, &IKM_PATH)
+            .derive_priv(SECP256K1, &STAKECHAIN_PREIMG_IKM_PATH)
             .expect("good child key");
         Self {
             ikm: xpriv.private_key.secret_bytes(),

bin/secret-service/src/seeded_impl/wots.rs

@@ -1,16 +1,14 @@
 //! In-memory persistence for the Winternitz One-Time Signature (WOTS) keys.
 
-use bitcoin::{
-    bip32::{ChildNumber, Xpriv},
-    hashes::Hash,
-    Txid,
-};
+use bitcoin::{bip32::Xpriv, hashes::Hash, Txid};
 use hkdf::Hkdf;
 use make_buf::make_buf;
 use musig2::secp256k1::SECP256K1;
 use secret_service_proto::v1::traits::{Server, WotsSigner};
 use sha2::Sha256;
 
+use super::paths::{WOTS_IKM_160_PATH, WOTS_IKM_256_PATH};
+
 /// A Winternitz One-Time Signature (WOTS) key generator seeded with some initial key material.
 #[derive(Debug)]
 pub struct SeededWotsSigner {
@@ -20,31 +18,17 @@ pub struct SeededWotsSigner {
     ikm_256: [u8; 32],
 }
 
-const IKM_PATH: &[ChildNumber] = &[
-    ChildNumber::Hardened { index: 79 },
-    ChildNumber::Hardened { index: 160 },
-    ChildNumber::Hardened { index: 0 },
-];
-
 impl SeededWotsSigner {
     /// Creates a new WOTS signer from an operator's base private key (m/20000').
     pub fn new(base: &Xpriv) -> Self {
         Self {
             ikm_160: base
-                .derive_priv(SECP256K1, &IKM_PATH)
+                .derive_priv(SECP256K1, &WOTS_IKM_160_PATH)
                 .unwrap()
                 .private_key
                 .secret_bytes(),
             ikm_256: base
-                .derive_priv(
-                    SECP256K1,
-                    &[
-                        // TODO: move to constants.
-                        ChildNumber::from_hardened_idx(79).unwrap(),
-                        ChildNumber::from_hardened_idx(256).unwrap(),
-                        ChildNumber::from_hardened_idx(0).unwrap(),
-                    ],
-                )
+                .derive_priv(SECP256K1, &WOTS_IKM_256_PATH)
                 .unwrap()
                 .private_key
                 .secret_bytes(),