By replacing the direct rand::thread_rng() calls with an explicitly provided RngCore + CryptoRng source of randomness, this allows others to reuse this code without being tied to the rand crate directly.

This also updates the secp256k1 dependency to a more current version.

If backward compatibility is a concern, how would you feel about the un-parameterized version of ExtendedPrivKey::random to be available via a feature flag, so that the dependency on rand can be optional?

seed in:

https://github.com/jjyr/hdwallet/blob/c86ed6a2e35090cc8ca405bf26fd04fec89925ba/src/key.rs#L46-L55

is a 0-lenght Vec, rng.fill(seed.as_mut_slice()); is a noop (you get a mutable 0-size slice).

Proper approach is to use a zero-ed vector (vec![0; len]) or after creating a Vec with capacity to use the unsafe set_len (although you have to make sure the bytes aren't being read, as it opens you up to potential memory exploits if they are).

• I'm updating secp256k1 to "0.16" cause some other crates (such as https://crates.io/crates/bitcoin) use it and secp256k1 has c compiled code, so if I add distinct ones it fails linking them;
• I've removed the minor versions on Cargo.toml cause cargo can manage to get the last version.

Closes: #8

The actual version of the project is pointing to ring = "0.14.0" which has a dependency to spin = "0.5.0" and this version has a vulnerability problem. https://github.com/jjyr/hdwallet/blob/master/Cargo.toml#L20

It's possible to update the ring to ring = "0.16.9" which is using the spin = "0.5.2" https://github.com/briansmith/ring/blob/master/Cargo.toml#L307

error: Vulnerable crates found!

ID:	 RUSTSEC-2019-0013
Crate:	 spin
Version: 0.5.0
Date:	 2019-08-27
URL:	 https://github.com/mvdnes/spin-rs/issues/65
Title:	 Wrong memory orderings in RwLock potentially violates mutual exclusion
Solution: upgrade to: >= 0.5.2

The actual version of the project is pointing to ring = "0.14.0" which has a dependency to spin = "0.5.0" and this version has a vulnerability problem. https://github.com/jjyr/hdwallet/blob/master/Cargo.toml#L20

It's possible to update the ring to ring = "0.16.9" which is using the spin = "0.5.2" https://github.com/briansmith/ring/blob/master/Cargo.toml#L307

error: Vulnerable crates found!

ID:	 RUSTSEC-2019-0013
Crate:	 spin
Version: 0.5.0
Date:	 2019-08-27
URL:	 https://github.com/mvdnes/spin-rs/issues/65
Title:	 Wrong memory orderings in RwLock potentially violates mutual exclusion
Solution: upgrade to: >= 0.5.2

The key should be changed to extended_key. Otherwise, it will fail to compile. let (extended_key, derivation) = key_chain.derive_private_key("m/1H/0".into()).expect("derive ExtendedPrivKey"); let key = BitcoinPrivKey { network: BitcoinNetwork::MainNet, derivation, extended_key, };

The secp256k1 crate updated and has some more developed features, including using a much newer version of the rand crate. It would be nice if we could switch to that to avoid duplicating dependencies.