From 8ca3b65faddb01b8c8c13332cde65bc2779d417f Mon Sep 17 00:00:00 2001
From: Ivan Socolsky <jungans@gmail.com>
Date: Thu, 19 Feb 2015 10:33:59 -0300
Subject: [PATCH] derive signingPubKey from correct xPub

---
 lib/client/Verifier.js             | 9 +++++++--
 test/integration/clientApi.js      | 2 ++
 test/integration/clienttestdata.js | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/lib/client/Verifier.js b/lib/client/Verifier.js
index b5d0369..ae2c1a3 100644
--- a/lib/client/Verifier.js
+++ b/lib/client/Verifier.js
@@ -54,8 +54,13 @@ Verifier.checkCopayers = function(copayers, walletPrivKey, myXPrivKey, n) {
 
 Verifier.checkTxProposal = function(data, txp) {
   var hash = WalletUtils.getProposalHash(txp.toAddress, txp.amount, txp.message);
-  var signingPubKey = Bitcore.PrivateKey.fromString(data.signingPrivKey).toPublicKey().toString();
-  if (!WalletUtils.verifyMessage(hash, txp.proposalSignature, signingPubKey)) return false;
+  var creatorXPubKey = _.find(data.publicKeyRing, function(xPubKey) {
+    if (WalletUtils.xPubToCopayerId(xPubKey) === txp.creatorId) return true;
+  });
+  if (!creatorXPubKey) return false;
+
+  var creatorSigningPubKey = (new Bitcore.HDPublicKey(creatorXPubKey)).derive('m/1/0').publicKey.toString();
+  if (!WalletUtils.verifyMessage(hash, txp.proposalSignature, creatorSigningPubKey)) return false;
 
   return Verifier.checkAddress(data, txp.changeAddress);
 };
diff --git a/test/integration/clientApi.js b/test/integration/clientApi.js
index 864069d..711e9f1 100644
--- a/test/integration/clientApi.js
+++ b/test/integration/clientApi.js
@@ -222,7 +222,9 @@ describe('client API ', function() {
     it.skip('should sign tx proposal', function(done) {});
 
     it('should detect fake tx proposal signature', function(done) {
+      client.storage.fs.readFile = sinon.stub().yields(null, JSON.stringify(TestData.storage.complete11));
       var txp = {
+        creatorId: '56cb00afd85f4f37fa900ac4e367676f2eb6189a773633eb9f119eb21a22ba44',
         toAddress: '2N3fA6wDtnebzywPkGuNK9KkFaEzgbPRRTq',
         amount: 100000,
         message: 'some message',
diff --git a/test/integration/clienttestdata.js b/test/integration/clienttestdata.js
index f209697..643371e 100644
--- a/test/integration/clienttestdata.js
+++ b/test/integration/clienttestdata.js
@@ -32,7 +32,7 @@ var storage = {
     "network": "livenet"
   },
   complete11: {
-    "copayerId": "036ed70f51adf14e3e55aba727d28adec1851aff6865552aa9ec9b9dbafecd4a87",
+    "copayerId": "56cb00afd85f4f37fa900ac4e367676f2eb6189a773633eb9f119eb21a22ba44",
     "xPrivKey": "tprv8ZgxMBicQKsPdjYWSKKh8SuMZAQ6K3J6v5H3A8ZVyyvXk4h1xft3qeRTmCZbxQB77n3ndfF6G4AevqgpiAVuCmZqYURH3wzSQviTvP1nkYN",
     "publicKeyRing": ["tpubD6NzVbkrYhZ4XCaJKxzHXrZU8Bv2UNV1VNspSeboQFivaYwnb4he293KwLPxnNNSBEj3RAE5EEaHqPWatzexGd613hGMLLQz5BEgjtpgWnZ"],
     "network": "testnet",