fix(sdk-core): use async decrypt and getUserPrv at v2 call sites

- fix getUserPrv -> getUserPrvAsync in EVM hop and inscription builder
- fix decryptKeychainPrivateKey -> decryptKeychainPrivateKeyAsync in verifyKey
- add EdDSA v2 signing dispatch tests
- fix validateAdata test to use 3-arg domain separator signature

WCN-32

Author: pranavjain97

modules/abstract-eth/src/abstractEthLikeNewCoins.ts

@@ -2554,7 +2554,7 @@ export abstract class AbstractEthLikeNewCoins extends AbstractEthLikeCoin {
     const walletPassphrase = buildParams.walletPassphrase;
 
     const userKeychain = await this.keychains().get({ id: wallet.keyIds()[0] });
-    const userPrv = await wallet.getUserPrv({ keychain: userKeychain, walletPassphrase });
+    const userPrv = await wallet.getUserPrvAsync({ keychain: userKeychain, walletPassphrase });
     const userPrvBuffer = bip32.fromBase58(userPrv).privateKey;
     if (!userPrvBuffer) {
       throw new Error('invalid userPrv');

modules/abstract-utxo/src/impl/btc/inscriptionBuilder.ts

@@ -262,7 +262,7 @@ export class InscriptionBuilder implements IInscriptionBuilder {
     inscriptionData: Buffer
   ): Promise<SubmitTransactionResponse> {
     const userKeychain = await this.wallet.baseCoin.keychains().get({ id: this.wallet.keyIds()[KeyIndices.USER] });
-    const xprv = await this.wallet.getUserPrv({ keychain: userKeychain, walletPassphrase });
+    const xprv = await this.wallet.getUserPrvAsync({ keychain: userKeychain, walletPassphrase });
 
     const halfSignedCommitTransaction = (await this.wallet.signTransaction({
       prv: xprv,
@@ -302,7 +302,7 @@ export class InscriptionBuilder implements IInscriptionBuilder {
     txPrebuild: PrebuildTransactionResult
   ): Promise<SubmitTransactionResponse> {
     const userKeychain = await this.wallet.baseCoin.keychains().get({ id: this.wallet.keyIds()[KeyIndices.USER] });
-    const prv = await this.wallet.getUserPrv({ keychain: userKeychain, walletPassphrase });
+    const prv = await this.wallet.getUserPrvAsync({ keychain: userKeychain, walletPassphrase });
 
     const halfSigned = (await this.wallet.signTransaction({ prv, txPrebuild })) as HalfSignedUtxoTransaction;
     return this.wallet.submitTransaction({ halfSigned });

modules/abstract-utxo/src/verifyKey.ts

@@ -7,7 +7,7 @@ import assert from 'assert';
 
 import buildDebug from 'debug';
 import { BIP32, message } from '@bitgo/wasm-utxo';
-import { BitGoBase, decryptKeychainPrivateKey, KeyIndices } from '@bitgo/sdk-core';
+import { BitGoBase, decryptKeychainPrivateKeyAsync, KeyIndices } from '@bitgo/sdk-core';
 
 import { VerifyKeySignaturesOptions, VerifyUserPublicKeyOptions } from './abstractUtxoCoin';
 import { ParsedTransaction } from './transaction/types';
@@ -94,7 +94,7 @@ export async function verifyUserPublicKey(bitgo: BitGoBase, params: VerifyUserPu
 
   let userPrv = userKeychain.prv;
   if (!userPrv && txParams.walletPassphrase) {
-    userPrv = await decryptKeychainPrivateKey(bitgo, userKeychain, txParams.walletPassphrase);
+    userPrv = await decryptKeychainPrivateKeyAsync(bitgo, userKeychain, txParams.walletPassphrase);
   }
 
   if (!userPrv) {

modules/bitgo/test/v2/unit/internal/tssUtils/ecdsaMPCv2/signTxRequest.ts

@@ -269,34 +269,31 @@ describe('signTxRequest:', function () {
       const userShare = fs.readFileSync(shareFiles[vector.party1]);
       const userPrvBase64 = Buffer.from(userShare).toString('base64');
 
-      // Encrypt the prv with v2 to trigger the v2 path
       const encryptedPrv = await bitgo.encryptAsync({
         input: userPrvBase64,
         password: walletPassphrase,
         encryptionVersion: 2,
       });
       JSON.parse(encryptedPrv).v.should.equal(2);
 
-      // Round 1: encrypt session + GPG key with v2 + adata (purely local, no server call)
       const round1Result = await tssUtils.createOfflineRound1Share({
         txRequest,
         prv: userPrvBase64,
         walletPassphrase,
         encryptedPrv,
       });
 
-      // Verify round 1 output has v2 envelopes with adata
       const r1SessionEnvelope = JSON.parse(round1Result.encryptedRound1Session);
       r1SessionEnvelope.v.should.equal(2);
       r1SessionEnvelope.should.have.property('adata');
       r1SessionEnvelope.should.have.property('hkdfSalt');
+      r1SessionEnvelope.adata.should.containEql('DKLS23_SIGNING_ROUND1_STATE');
 
       const r1GpgEnvelope = JSON.parse(round1Result.encryptedUserGpgPrvKey);
       r1GpgEnvelope.v.should.equal(2);
       r1GpgEnvelope.should.have.property('adata');
-      r1SessionEnvelope.adata.should.equal(r1GpgEnvelope.adata);
+      r1GpgEnvelope.adata.should.containEql('DKLS23_SIGNING_USER_GPG_KEY');
 
-      // Nock BitGo round 1 response and submit
       await nockTxRequestResponseSignatureShareRoundOne(bitgoParty, txRequest, bitgoGpgKey);
       const transactions = getRoute('ecdsa');
       const round1TxRequestResponse = await bitgo
@@ -307,7 +304,6 @@ describe('signTxRequest:', function () {
         })
         .result();
 
-      // Merge server response with original txRequest (server only returns signatureShares)
       const round1TxReq: TxRequest = {
         ...txRequest,
         transactions: [
@@ -318,7 +314,6 @@ describe('signTxRequest:', function () {
         ],
       };
 
-      // Round 2: decrypt v2 round 1 session (validates adata), encrypt round 2 session
       const round2Result = await tssUtils.createOfflineRound2Share({
         txRequest: round1TxReq,
         prv: userPrvBase64,
@@ -328,13 +323,11 @@ describe('signTxRequest:', function () {
         encryptedRound1Session: round1Result.encryptedRound1Session,
       });
 
-      // Verify round 2 output has v2 envelope with adata
       const r2Envelope = JSON.parse(round2Result.encryptedRound2Session);
       r2Envelope.v.should.equal(2);
       r2Envelope.should.have.property('adata');
-      r2Envelope.adata.should.equal(r1SessionEnvelope.adata);
+      r2Envelope.adata.should.containEql('DKLS23_SIGNING_ROUND2_STATE');
 
-      // Nock BitGo round 2 response and submit
       await nockTxRequestResponseSignatureShareRoundTwo(bitgoParty, txRequest, bitgoGpgKey);
       const round2TxRequestResponse = await bitgo
         .post(bitgo.url(`/wallet/${txRequest.walletId}/txrequests/${txRequest.txRequestId + transactions}/sign`, 2))
@@ -354,7 +347,6 @@ describe('signTxRequest:', function () {
         ],
       };
 
-      // Round 3: decrypt v2 round 2 session (validates adata), produce final signature share
       const round3Result = await tssUtils.createOfflineRound3Share({
         txRequest: round2TxReq,
         prv: userPrvBase64,
@@ -367,15 +359,29 @@ describe('signTxRequest:', function () {
       round3Result.should.have.property('signatureShareRound3');
     });
 
+    it('validateAdata accepts v2 envelopes with matching adata and domain separator', async function () {
+      const adata = 'txhash:m/0/1';
+      const domainSep = 'DKLS23_SIGNING_ROUND1_STATE';
+      const ct = await bitgo.encryptAsync({
+        input: 'test-data',
+        password: 'testpass',
+        encryptionVersion: 2,
+        adata: `${domainSep}:${adata}`,
+      });
+
+      (tssUtils as any).validateAdata(adata, ct, domainSep);
+    });
+
     it('validateAdata rejects v2 envelopes with mismatched adata', async function () {
+      const domainSep = 'DKLS23_SIGNING_ROUND1_STATE';
       const ct = await bitgo.encryptAsync({
         input: 'test-data',
         password: 'testpass',
         encryptionVersion: 2,
-        adata: 'context-A',
+        adata: `${domainSep}:context-A`,
       });
 
-      (() => (tssUtils as any).validateAdata('context-B', ct)).should.throw(/Adata does not match/);
+      (() => (tssUtils as any).validateAdata('context-B', ct, domainSep)).should.throw(/Adata does not match/);
     });
   });
 

modules/bitgo/test/v2/unit/internal/tssUtils/eddsa.ts

@@ -592,6 +592,64 @@ describe('TSS Utils:', async function () {
     });
   });
 
+  describe('v2 encryption (EdDSA signing dispatch)', function () {
+    const signingTxRequest: TxRequest = {
+      txRequestId: 'v2-signing-test',
+      unsignedTxs: [
+        {
+          serializedTxHex: 'test-payload',
+          signableHex: 'deadbeef',
+          derivationPath: 'm/0',
+        },
+      ],
+      date: new Date().toISOString(),
+      intent: { intentType: 'payment' },
+      latest: true,
+      state: 'pendingUserSignature',
+      walletType: 'hot',
+      walletId: 'walletId',
+      policiesChecked: true,
+      version: 1,
+      userId: 'userId',
+    };
+
+    it('v2 R-share round-trip: encrypt via commitment, verify envelope, decrypt via createRShare', async function () {
+      const passphrase = 'test-passphrase';
+      const prv = JSON.stringify(validUserSigningMaterial);
+
+      // 1. Encrypt prv with v2
+      const encryptedPrv = await bitgo.encryptAsync({
+        input: prv,
+        password: passphrase,
+        encryptionVersion: 2,
+      });
+      JSON.parse(encryptedPrv).v.should.equal(2);
+
+      // 2. Create commitment -- R-share should be a v2 envelope
+      const commitResult = await tssUtils.createCommitmentShareFromTxRequest({
+        txRequest: signingTxRequest,
+        prv,
+        walletPassphrase: passphrase,
+        bitgoGpgPubKey: bitgoGpgKey.publicKey,
+        encryptedPrv,
+      });
+
+      const rShareEnvelope = JSON.parse(commitResult.encryptedUserToBitgoRShare.share);
+      rShareEnvelope.v.should.equal(2);
+      rShareEnvelope.should.have.property('hkdfSalt');
+
+      // 3. Round-trip: decrypt the v2 R-share
+      const { rShare } = await tssUtils.createRShareFromTxRequest({
+        txRequest: signingTxRequest,
+        walletPassphrase: passphrase,
+        encryptedUserToBitgoRShare: commitResult.encryptedUserToBitgoRShare,
+      });
+
+      should.exist(rShare.xShare);
+      should.exist(rShare.rShares);
+    });
+  });
+
   describe('signTxRequest:', function () {
     const txRequestId = 'randomid';
     const txRequest: TxRequest = {

modules/bitgo/test/v2/unit/wallet.ts

@@ -352,7 +352,7 @@ describe('V2 Wallet:', function () {
         prv,
         coldDerivationSeed: '123',
       };
-      (await wallet.getUserPrv(userPrvOptions)).should.eql(derivedPrv);
+      wallet.getUserPrv(userPrvOptions).should.eql(derivedPrv);
     });
 
     it('should use the user keychain derivedFromParentWithSeed as the cold derivation seed if none is provided', async () => {
@@ -365,7 +365,7 @@ describe('V2 Wallet:', function () {
           type: 'independent',
         },
       };
-      (await wallet.getUserPrv(userPrvOptions)).should.eql(derivedPrv);
+      wallet.getUserPrv(userPrvOptions).should.eql(derivedPrv);
     });
 
     it('should prefer the explicit cold derivation seed to the user keychain derivedFromParentWithSeed', async () => {
@@ -379,7 +379,7 @@ describe('V2 Wallet:', function () {
           type: 'independent',
         },
       };
-      (await wallet.getUserPrv(userPrvOptions)).should.eql(derivedPrv);
+      wallet.getUserPrv(userPrvOptions).should.eql(derivedPrv);
     });
 
     it('should return the prv provided for TSS SMC', async () => {
@@ -407,7 +407,7 @@ describe('V2 Wallet:', function () {
         prv,
         keychain,
       };
-      (await wallet.getUserPrv(userPrvOptions)).should.eql(prv);
+      wallet.getUserPrv(userPrvOptions).should.eql(prv);
     });
   });
 

modules/bitgo/test/v2/unit/wallets.ts

@@ -19,7 +19,7 @@ import {
   Wallet,
   isWalletWithKeychains,
   OptionalKeychainEncryptedKey,
-  decryptKeychainPrivateKey,
+  decryptKeychainPrivateKeyAsync,
   makeRandomKey,
   getSharedSecret,
   BulkWalletShareOptions,
@@ -2566,7 +2566,7 @@ describe('V2 Wallets:', function () {
         const keychainTest: OptionalKeychainEncryptedKey = {
           encryptedPrv: bitgo.encrypt({ input: fromUserPrv.toString(), password: walletPassphrase }),
         };
-        const userPrv = await decryptKeychainPrivateKey(bitgo, keychainTest, walletPassphrase);
+        const userPrv = await decryptKeychainPrivateKeyAsync(bitgo, keychainTest, walletPassphrase);
         if (!userPrv) {
           throw new Error('Unable to decrypt user keychain');
         }
@@ -2638,7 +2638,7 @@ describe('V2 Wallets:', function () {
         const keychainTest: OptionalKeychainEncryptedKey = {
           encryptedPrv: bitgo.encrypt({ input: fromUserPrv.toString(), password: walletPassphrase }),
         };
-        const userPrv = await decryptKeychainPrivateKey(bitgo, keychainTest, walletPassphrase);
+        const userPrv = await decryptKeychainPrivateKeyAsync(bitgo, keychainTest, walletPassphrase);
         if (!userPrv) {
           throw new Error('Unable to decrypt user keychain');
         }
@@ -2717,7 +2717,7 @@ describe('V2 Wallets:', function () {
         const keychainTest: OptionalKeychainEncryptedKey = {
           encryptedPrv: bitgo.encrypt({ input: fromUserPrv.toString(), password: walletPassphrase }),
         };
-        const userPrv = await decryptKeychainPrivateKey(bitgo, keychainTest, walletPassphrase);
+        const userPrv = await decryptKeychainPrivateKeyAsync(bitgo, keychainTest, walletPassphrase);
         if (!userPrv) {
           throw new Error('Unable to decrypt user keychain');
         }
@@ -2785,7 +2785,7 @@ describe('V2 Wallets:', function () {
         const keychainTest: OptionalKeychainEncryptedKey = {
           encryptedPrv: bitgo.encrypt({ input: fromUserPrv.toString(), password: walletPassphrase }),
         };
-        const userPrv = await decryptKeychainPrivateKey(bitgo, keychainTest, walletPassphrase);
+        const userPrv = await decryptKeychainPrivateKeyAsync(bitgo, keychainTest, walletPassphrase);
         if (!userPrv) {
           throw new Error('Unable to decrypt user keychain');
         }
@@ -2886,7 +2886,7 @@ describe('V2 Wallets:', function () {
         const keychainTest: OptionalKeychainEncryptedKey = {
           encryptedPrv: bitgo.encrypt({ input: fromUserPrv.toString(), password: walletPassphrase }),
         };
-        const userPrv = await decryptKeychainPrivateKey(bitgo, keychainTest, walletPassphrase);
+        const userPrv = await decryptKeychainPrivateKeyAsync(bitgo, keychainTest, walletPassphrase);
         if (!userPrv) {
           throw new Error('Unable to decrypt user keychain');
         }
@@ -2988,7 +2988,7 @@ describe('V2 Wallets:', function () {
         const keychainTest: OptionalKeychainEncryptedKey = {
           encryptedPrv: bitgo.encrypt({ input: fromUserPrv.toString(), password: walletPassphrase }),
         };
-        const userPrv = await decryptKeychainPrivateKey(bitgo, keychainTest, walletPassphrase);
+        const userPrv = await decryptKeychainPrivateKeyAsync(bitgo, keychainTest, walletPassphrase);
         if (!userPrv) {
           throw new Error('Unable to decrypt user keychain');
         }

modules/sdk-core/src/bitgo/wallet/iWallets.ts

@@ -107,6 +107,7 @@ export const GenerateLightningWalletOptionsCodec = t.intersection(
     }),
     t.partial({
       lightningProvider: t.union([t.literal('amboss'), t.literal('voltage')]),
+      // Codec intentionally accepts only 2: v1 is the implicit default and never sent on the wire.
       encryptionVersion: t.literal(2),
     }),
   ],
@@ -124,6 +125,7 @@ export const GenerateGoAccountWalletOptionsCodec = t.intersection(
       type: t.literal('trading'),
     }),
     t.partial({
+      // Codec intentionally accepts only 2: v1 is the implicit default and never sent on the wire.
       encryptionVersion: t.literal(2),
     }),
   ],