xpub validation bug

I have identified a validation bug with BIP32 extended keys. The regular expressions used by this plugin to validate BIP32 extended keys is overly restrictive and will only validate extended keys with a depth 0 despite the fact that extended keys with depths 1 and higher are perfectly valid.

Electrum v2.0 can make use of any BIP32 extended key, even children keys that are derived from a root. Despite this flexibility of Electrum, this plugin does not allow child keys.

The cause of this incompatibility has been identified as an overly-restrictive regular expression found in bwwc-bitcoin-gateway.php on line 130, and in bwwc-utils.php on line 1098.

Both of these lines are currently identical:
else if (!preg_match ('/^[a-f0-9]{128}$/', $mpk) && !preg_match ('/^xpub661[a-zA-Z0-9]{104}$/', $mpk))

The second regular expression requires that all BIP32 extended keys begin with the characters “xpub661” however according to the BIP32 serialization formatting standard outlined at https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#serialization-format, the values “661” are not required for BIP32 extended keys. These characters represent two values in the underlying structure: child depth, and fingerprint. Extended Keys that are root keys will always have a 0 child depth and 0000 fingerprint which results in the “xpub661” prefix, however it’s completely valid to have extended keys that have child depths > 0 and fingerprints that are non-0.

I recommend the following change be made to both bwwc-bitcoin-gateway.php on line 130, and bwwc-utils.php on line 1098:
else if (!preg_match ('/^[a-f0-9]{128}$/', $mpk) && !preg_match ('/^xpub[a-zA-Z0-9]{107}$/', $mpk))

This code will still validate root BIP32 extended keys, but will also validate child keys as well, successfully conforming to Electrum v2’s behaviour.

Thank you for making a great plugin. I hope my bug report helps make it even better.

–Michael Perklin

https://ww.wp.xz.cn/plugins/bitcoin-payments-for-woocommerce/