fix: authenticate signatureR in DKLS DSG round 4 messages

mrdanish26 · mrdanish26 · commit f135d5e01bf0 · 2026-04-14T15:44:45.000-07:00
diff --git a/modules/abstract-lightning/package.json b/modules/abstract-lightning/package.json
@@ -39,7 +39,7 @@
     ]
   },
   "dependencies": {
-    "@bitgo/public-types": "5.76.1",
+    "@bitgo/public-types": "5.92.0",
     "@bitgo/sdk-core": "^36.40.0",
     "@bitgo/statics": "^58.35.0",
     "@bitgo/utxo-lib": "^11.22.0",
diff --git a/modules/bitgo/package.json b/modules/bitgo/package.json
@@ -138,7 +138,7 @@
     "superagent": "^9.0.1"
   },
   "devDependencies": {
-    "@bitgo/public-types": "5.76.1",
+    "@bitgo/public-types": "5.92.0",
     "@bitgo/sdk-opensslbytes": "^2.1.0",
     "@bitgo/sdk-test": "^9.1.38",
     "@openpgp/web-stream-tools": "0.0.14",
diff --git a/modules/express/package.json b/modules/express/package.json
@@ -60,7 +60,7 @@
     "superagent": "^9.0.1"
   },
   "devDependencies": {
-    "@bitgo/public-types": "5.76.1",
+    "@bitgo/public-types": "5.92.0",
     "@bitgo/sdk-lib-mpc": "^10.10.2",
     "@bitgo/sdk-test": "^9.1.38",
     "@types/argparse": "^1.0.36",
diff --git a/modules/express/test/unit/clientRoutes/externalSign.ts b/modules/express/test/unit/clientRoutes/externalSign.ts
@@ -1046,16 +1046,22 @@ async function signBitgoMPCv2Round3(
   userGPGPubKey: string
 ): Promise<{ userMsg4: MPCv2SignatureShareRound3Input }> {
   const parsedSignatureShare = JSON.parse(userShare.share) as MPCv2SignatureShareRound3Input;
+  const msg4 = parsedSignatureShare.data.msg4;
+  const signatureRAuthMessage =
+    msg4.signatureR && msg4.signatureRSignature
+      ? { message: msg4.signatureR, signature: msg4.signatureRSignature }
+      : undefined;
   const serializedMessages = await DklsComms.decryptAndVerifyIncomingMessages(
     {
       p2pMessages: [],
       broadcastMessages: [
         {
-          from: parsedSignatureShare.data.msg4.from,
+          from: msg4.from,
           payload: {
-            message: parsedSignatureShare.data.msg4.message,
-            signature: parsedSignatureShare.data.msg4.signature,
+            message: msg4.message,
+            signature: msg4.signature,
           },
+          signatureR: signatureRAuthMessage,
         },
       ],
     },
diff --git a/modules/sdk-coin-flrp/package.json b/modules/sdk-coin-flrp/package.json
@@ -47,7 +47,7 @@
     "@bitgo/sdk-test": "^9.1.38"
   },
   "dependencies": {
-    "@bitgo/public-types": "5.76.1",
+    "@bitgo/public-types": "5.92.0",
     "@bitgo/sdk-core": "^36.40.0",
     "@bitgo/secp256k1": "^1.11.0",
     "@bitgo/statics": "^58.35.0",
diff --git a/modules/sdk-coin-sol/package.json b/modules/sdk-coin-sol/package.json
@@ -57,7 +57,7 @@
   },
   "dependencies": {
     "@bitgo/logger": "^1.4.0",
-    "@bitgo/public-types": "5.76.1",
+    "@bitgo/public-types": "5.92.0",
     "@bitgo/sdk-core": "^36.40.0",
     "@bitgo/sdk-lib-mpc": "^10.10.2",
     "@bitgo/statics": "^58.35.0",
diff --git a/modules/sdk-core/package.json b/modules/sdk-core/package.json
@@ -40,7 +40,7 @@
     ]
   },
   "dependencies": {
-    "@bitgo/public-types": "5.76.1",
+    "@bitgo/public-types": "5.92.0",
     "@bitgo/sdk-lib-mpc": "^10.10.2",
     "@bitgo/secp256k1": "^1.11.0",
     "@bitgo/sjcl": "^1.1.0",
diff --git a/modules/sdk-core/src/bitgo/tss/ecdsa/ecdsaMPCv2.ts b/modules/sdk-core/src/bitgo/tss/ecdsa/ecdsaMPCv2.ts
@@ -126,17 +126,22 @@ export async function getSignatureShareRoundThree(
     [getUserPartyGpgKey(userGpgKey, partyId)]
   );
   assert(MPCv2PartyFromStringOrNumber.is(userToBitGoEncryptedMsg4.broadcastMessages[0].from));
-  if (!userToBitGoEncryptedMsg4.broadcastMessages[0].signatureR?.message) {
+  const signatureR = userToBitGoEncryptedMsg4.broadcastMessages[0].signatureR;
+  if (!signatureR?.message) {
     throw Error('signatureR should be defined');
   }
+  if (!signatureR.signature) {
+    throw Error('signatureR signature should be defined');
+  }
   const share: MPCv2SignatureShareRound3Input = {
     type: 'round3Input',
     data: {
       msg4: {
         from: userToBitGoEncryptedMsg4.broadcastMessages[0].from,
         message: userToBitGoEncryptedMsg4.broadcastMessages[0].payload.message,
         signature: userToBitGoEncryptedMsg4.broadcastMessages[0].payload.signature,
-        signatureR: userToBitGoEncryptedMsg4.broadcastMessages[0].signatureR.message,
+        signatureR: signatureR.message,
+        signatureRSignature: signatureR.signature,
       },
     },
   };
diff --git a/modules/sdk-lib-mpc/src/tss/ecdsa-dkls/commsLayer.ts b/modules/sdk-lib-mpc/src/tss/ecdsa-dkls/commsLayer.ts
@@ -188,9 +188,15 @@ export async function decryptAndVerifyIncomingMessages(
         if (!(await verifySignedData(m.payload, pubGpgKey.gpgKey))) {
           throw Error(`Failed to authenticate broadcast message from party: ${m.from}`);
         }
+        if (m.signatureR !== undefined) {
+          if (!(await verifySignedData(m.signatureR, pubGpgKey.gpgKey))) {
+            throw Error(`Failed to authenticate signatureR in broadcast message from party: ${m.from}`);
+          }
+        }
         return {
           from: m.from,
           payload: m.payload.message,
+          signatureR: m.signatureR?.message,
         };
       })
     ),
@@ -233,15 +239,16 @@ export async function encryptAndAuthOutgoingMessages(
         if (!prvGpgKey) {
           throw Error(`No private key provided for sender with ID: ${m.from}`);
         }
+        const [signedPayload, signedSignatureR] = await Promise.all([
+          detachSignData(Buffer.from(m.payload, 'base64'), prvGpgKey.gpgKey),
+          m.signatureR
+            ? detachSignData(Buffer.from(m.signatureR, 'base64'), prvGpgKey.gpgKey)
+            : Promise.resolve(undefined),
+        ]);
         return {
           from: m.from,
-          payload: await detachSignData(Buffer.from(m.payload, 'base64'), prvGpgKey.gpgKey),
-          signatureR: m.signatureR
-            ? {
-                message: m.signatureR,
-                signature: '',
-              }
-            : undefined,
+          payload: signedPayload,
+          signatureR: signedSignatureR,
         };
       })
     ),
diff --git a/modules/sdk-lib-mpc/test/unit/tss/ecdsa/dklsComms.ts b/modules/sdk-lib-mpc/test/unit/tss/ecdsa/dklsComms.ts
@@ -1,6 +1,8 @@
 import {
   decryptAndVerifySignedData,
   encryptAndDetachSignData,
+  decryptAndVerifyIncomingMessages,
+  encryptAndAuthOutgoingMessages,
   verifySignedData,
   SIGNATURE_DATE_TOLERANCE_MS,
 } from '../../../../src/tss/ecdsa-dkls/commsLayer';
@@ -165,3 +167,184 @@ describe('DKLS Communication Layer', function () {
     });
   });
 });
+
+describe('DKLS encryptAndAuthOutgoingMessages / decryptAndVerifyIncomingMessages', function () {
+  let partyAKey: { publicKey: string; privateKey: string };
+  let partyBKey: { publicKey: string; privateKey: string };
+  let tampererKey: { publicKey: string; privateKey: string };
+
+  before(async function () {
+    openpgp.config.rejectCurves = new Set();
+    partyAKey = await openpgp.generateKey({
+      userIDs: [{ name: 'partyA', email: 'a@test.com' }],
+      curve: 'secp256k1',
+    });
+    partyBKey = await openpgp.generateKey({
+      userIDs: [{ name: 'partyB', email: 'b@test.com' }],
+      curve: 'secp256k1',
+    });
+    tampererKey = await openpgp.generateKey({
+      userIDs: [{ name: 'tamperer', email: 'evil@test.com' }],
+      curve: 'secp256k1',
+    });
+  });
+
+  const partyAId = 0;
+  const partyBId = 2;
+
+  it('should sign signatureR and verify it on receive', async function () {
+    const payload = Buffer.from('deadbeef', 'hex').toString('base64');
+    const signatureRBytes = Buffer.from('cafebabe', 'hex').toString('base64');
+
+    const encrypted = await encryptAndAuthOutgoingMessages(
+      {
+        p2pMessages: [],
+        broadcastMessages: [{ from: partyAId, payload, signatureR: signatureRBytes }],
+      },
+      [{ partyId: partyBId, gpgKey: partyBKey.publicKey }],
+      [{ partyId: partyAId, gpgKey: partyAKey.privateKey }]
+    );
+
+    const broadcastMsg = encrypted.broadcastMessages[0];
+    broadcastMsg.signatureR!.message.should.equal(signatureRBytes);
+    broadcastMsg.signatureR!.signature.should.not.equal('');
+
+    const decrypted = await decryptAndVerifyIncomingMessages(
+      {
+        p2pMessages: [],
+        broadcastMessages: [broadcastMsg],
+      },
+      [{ partyId: partyAId, gpgKey: partyAKey.publicKey }],
+      [{ partyId: partyBId, gpgKey: partyBKey.privateKey }]
+    );
+
+    decrypted.broadcastMessages[0].signatureR!.should.equal(signatureRBytes);
+  });
+
+  it('should reject a tampered signatureR on receive', async function () {
+    const payload = Buffer.from('deadbeef', 'hex').toString('base64');
+    const signatureRBytes = Buffer.from('cafebabe', 'hex').toString('base64');
+
+    const encrypted = await encryptAndAuthOutgoingMessages(
+      {
+        p2pMessages: [],
+        broadcastMessages: [{ from: partyAId, payload, signatureR: signatureRBytes }],
+      },
+      [{ partyId: partyBId, gpgKey: partyBKey.publicKey }],
+      [{ partyId: partyAId, gpgKey: partyAKey.privateKey }]
+    );
+
+    const tampered = {
+      ...encrypted.broadcastMessages[0],
+      signatureR: {
+        message: Buffer.from('00000000', 'hex').toString('base64'),
+        signature: encrypted.broadcastMessages[0].signatureR!.signature,
+      },
+    };
+
+    await decryptAndVerifyIncomingMessages(
+      { p2pMessages: [], broadcastMessages: [tampered] },
+      [{ partyId: partyAId, gpgKey: partyAKey.publicKey }],
+      [{ partyId: partyBId, gpgKey: partyBKey.privateKey }]
+    ).should.be.rejectedWith(`Failed to authenticate signatureR in broadcast message from party: ${partyAId}`);
+  });
+
+  it('should reject a signatureR signed by a different key', async function () {
+    const payload = Buffer.from('deadbeef', 'hex').toString('base64');
+    const signatureRBytes = Buffer.from('cafebabe', 'hex').toString('base64');
+
+    const encrypted = await encryptAndAuthOutgoingMessages(
+      {
+        p2pMessages: [],
+        broadcastMessages: [{ from: partyAId, payload, signatureR: signatureRBytes }],
+      },
+      [{ partyId: partyBId, gpgKey: partyBKey.publicKey }],
+      [{ partyId: partyAId, gpgKey: tampererKey.privateKey }]
+    );
+
+    await decryptAndVerifyIncomingMessages(
+      { p2pMessages: [], broadcastMessages: [encrypted.broadcastMessages[0]] },
+      [{ partyId: partyAId, gpgKey: partyAKey.publicKey }],
+      [{ partyId: partyBId, gpgKey: partyBKey.privateKey }]
+    ).should.be.rejectedWith(`Failed to authenticate broadcast message from party: ${partyAId}`);
+  });
+
+  it('should handle broadcast messages without signatureR unchanged', async function () {
+    const payload = Buffer.from('deadbeef', 'hex').toString('base64');
+
+    const encrypted = await encryptAndAuthOutgoingMessages(
+      {
+        p2pMessages: [],
+        broadcastMessages: [{ from: partyAId, payload }],
+      },
+      [{ partyId: partyBId, gpgKey: partyBKey.publicKey }],
+      [{ partyId: partyAId, gpgKey: partyAKey.privateKey }]
+    );
+
+    (encrypted.broadcastMessages[0].signatureR === undefined).should.equal(true);
+
+    const decrypted = await decryptAndVerifyIncomingMessages(
+      { p2pMessages: [], broadcastMessages: [encrypted.broadcastMessages[0]] },
+      [{ partyId: partyAId, gpgKey: partyAKey.publicKey }],
+      [{ partyId: partyBId, gpgKey: partyBKey.privateKey }]
+    );
+
+    (decrypted.broadcastMessages[0].signatureR === undefined).should.equal(true);
+  });
+
+  it('should skip signatureR verification when signatureR field is omitted (soft downgrade)', async function () {
+    const payload = Buffer.from('deadbeef', 'hex').toString('base64');
+    const signatureRBytes = Buffer.from('cafebabe', 'hex').toString('base64');
+
+    const encrypted = await encryptAndAuthOutgoingMessages(
+      {
+        p2pMessages: [],
+        broadcastMessages: [{ from: partyAId, payload, signatureR: signatureRBytes }],
+      },
+      [{ partyId: partyBId, gpgKey: partyBKey.publicKey }],
+      [{ partyId: partyAId, gpgKey: partyAKey.privateKey }]
+    );
+
+    const broadcastWithoutAuthR = {
+      from: encrypted.broadcastMessages[0].from,
+      payload: encrypted.broadcastMessages[0].payload,
+    };
+
+    const decrypted = await decryptAndVerifyIncomingMessages(
+      { p2pMessages: [], broadcastMessages: [broadcastWithoutAuthR] },
+      [{ partyId: partyAId, gpgKey: partyAKey.publicKey }],
+      [{ partyId: partyBId, gpgKey: partyBKey.privateKey }]
+    );
+
+    (decrypted.broadcastMessages[0].signatureR === undefined).should.equal(true);
+  });
+
+  it('should reject when signatureR message is present but signature is empty string', async function () {
+    const payload = Buffer.from('deadbeef', 'hex').toString('base64');
+    const signatureRBytes = Buffer.from('cafebabe', 'hex').toString('base64');
+
+    const encrypted = await encryptAndAuthOutgoingMessages(
+      {
+        p2pMessages: [],
+        broadcastMessages: [{ from: partyAId, payload, signatureR: signatureRBytes }],
+      },
+      [{ partyId: partyBId, gpgKey: partyBKey.publicKey }],
+      [{ partyId: partyAId, gpgKey: partyAKey.privateKey }]
+    );
+
+    const strippedSig = {
+      ...encrypted.broadcastMessages[0],
+      signatureR: {
+        message: encrypted.broadcastMessages[0].signatureR!.message,
+        signature: '',
+      },
+    };
+
+    // Empty armor: OpenPGP fails parsing before verifySignedData returns false.
+    await decryptAndVerifyIncomingMessages(
+      { p2pMessages: [], broadcastMessages: [strippedSig] },
+      [{ partyId: partyAId, gpgKey: partyAKey.publicKey }],
+      [{ partyId: partyBId, gpgKey: partyBKey.privateKey }]
+    ).should.be.rejected();
+  });
+});
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@`
`39`	`39`	`]`
`40`	`40`	`},`
`41`	`41`	`"dependencies": {`
`42`		`- "@bitgo/public-types": "5.76.1",`
	`42`	`+ "@bitgo/public-types": "5.92.0",`
`43`	`43`	`"@bitgo/sdk-core": "^36.40.0",`
`44`	`44`	`"@bitgo/statics": "^58.35.0",`
`45`	`45`	`"@bitgo/utxo-lib": "^11.22.0",`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@`
`40`	`40`	`]`
`41`	`41`	`},`
`42`	`42`	`"dependencies": {`
`43`		`- "@bitgo/public-types": "5.76.1",`
	`43`	`+ "@bitgo/public-types": "5.92.0",`
`44`	`44`	`"@bitgo/sdk-lib-mpc": "^10.10.2",`
`45`	`45`	`"@bitgo/secp256k1": "^1.11.0",`
`46`	`46`	`"@bitgo/sjcl": "^1.1.0",`