def from_cred_id( cls, cred_id: bytes, rp_id_hash: Optional[bytes] ) -> "Fido2Credential": if len(cred_id) < CRED_ID_MIN_LENGTH or cred_id[0:4] != _CRED_ID_VERSION: raise ValueError # invalid length or version key = seed.derive_slip21_node_without_passphrase( [b"SLIP-0022", cred_id[0:4], b"Encryption key"] ).key() iv = cred_id[4:16] ciphertext = cred_id[16:-16] tag = cred_id[-16:] if rp_id_hash is None: ctx = chacha20poly1305(key, iv) data = ctx.decrypt(ciphertext) try: rp_id = cbor.decode(data)[_CRED_ID_RP_ID] except Exception as e: raise ValueError from e # CBOR decoding failed rp_id_hash = hashlib.sha256(rp_id).digest() ctx = chacha20poly1305(key, iv) ctx.auth(rp_id_hash) data = ctx.decrypt(ciphertext) if not utils.consteq(ctx.finish(), tag): raise ValueError # inauthentic ciphertext try: data = cbor.decode(data) except Exception as e: raise ValueError from e # CBOR decoding failed if not isinstance(data, dict): raise ValueError # invalid CBOR data cred = cls() cred.rp_id = data.get(_CRED_ID_RP_ID, None) cred.rp_id_hash = rp_id_hash cred.rp_name = data.get(_CRED_ID_RP_NAME, None) cred.user_id = data.get(_CRED_ID_USER_ID, None) cred.user_name = data.get(_CRED_ID_USER_NAME, None) cred.user_display_name = data.get(_CRED_ID_USER_DISPLAY_NAME, None) cred.creation_time = data.get(_CRED_ID_CREATION_TIME, 0) cred.hmac_secret = data.get(_CRED_ID_HMAC_SECRET, False) cred.use_sign_count = data.get(_CRED_ID_USE_SIGN_COUNT, False) cred.algorithm = data.get(_CRED_ID_ALGORITHM, _DEFAULT_ALGORITHM) cred.curve = data.get(_CRED_ID_CURVE, _DEFAULT_CURVE) cred.id = cred_id if ( (_CRED_ID_ALGORITHM in data) != (_CRED_ID_CURVE in data) or not cred.check_required_fields() or not cred.check_data_types() or hashlib.sha256(cred.rp_id).digest() != rp_id_hash ): raise ValueError # data consistency check failed return cred
def from_cred_id( cred_id: bytes, rp_id_hash: Optional[bytes]) -> Optional["Fido2Credential"]: if len(cred_id ) < _CRED_ID_MIN_LENGTH or cred_id[0:4] != _CRED_ID_VERSION: return None key = seed.derive_slip21_node_without_passphrase( [b"SLIP-0022", cred_id[0:4], b"Encryption key"]).key() iv = cred_id[4:16] ciphertext = cred_id[16:-16] tag = cred_id[-16:] if rp_id_hash is None: ctx = chacha20poly1305(key, iv) data = ctx.decrypt(ciphertext) try: rp_id = cbor.decode(data)[_CRED_ID_RP_ID] except Exception: return None rp_id_hash = hashlib.sha256(rp_id).digest() ctx = chacha20poly1305(key, iv) ctx.auth(rp_id_hash) data = ctx.decrypt(ciphertext) if not utils.consteq(ctx.finish(), tag): return None try: data = cbor.decode(data) except Exception: return None if not isinstance(data, dict): return None cred = Fido2Credential() cred.rp_id = data.get(_CRED_ID_RP_ID, None) cred.rp_id_hash = rp_id_hash cred.rp_name = data.get(_CRED_ID_RP_NAME, None) cred.user_id = data.get(_CRED_ID_USER_ID, None) cred.user_name = data.get(_CRED_ID_USER_NAME, None) cred.user_display_name = data.get(_CRED_ID_USER_DISPLAY_NAME, None) cred.creation_time = data.get(_CRED_ID_CREATION_TIME, 0) cred.hmac_secret = data.get(_CRED_ID_HMAC_SECRET, False) cred.use_sign_count = data.get(_CRED_ID_USE_SIGN_COUNT, False) cred.id = cred_id if (not cred.check_required_fields() or not cred.check_data_types() or hashlib.sha256(cred.rp_id).digest() != rp_id_hash): return None return cred
def generate_id(self) -> None: self.creation_time = storage.device.next_u2f_counter() or 0 if not self.check_required_fields(): raise AssertionError data = { key: value for key, value in ( (_CRED_ID_RP_ID, self.rp_id), (_CRED_ID_RP_NAME, self.rp_name), (_CRED_ID_USER_ID, self.user_id), (_CRED_ID_USER_NAME, self.user_name), (_CRED_ID_USER_DISPLAY_NAME, self.user_display_name), (_CRED_ID_CREATION_TIME, self.creation_time), (_CRED_ID_HMAC_SECRET, self.hmac_secret), (_CRED_ID_USE_SIGN_COUNT, self.use_sign_count), ) if value } if self.algorithm != _DEFAULT_ALGORITHM or self.curve != _DEFAULT_CURVE: data[_CRED_ID_ALGORITHM] = self.algorithm data[_CRED_ID_CURVE] = self.curve key = seed.derive_slip21_node_without_passphrase( [b"SLIP-0022", _CRED_ID_VERSION, b"Encryption key"]).key() iv = random.bytes(12) ctx = chacha20poly1305(key, iv) ctx.auth(self.rp_id_hash) ciphertext = ctx.encrypt(cbor.encode(data)) tag = ctx.finish() self.id = _CRED_ID_VERSION + iv + ciphertext + tag if len(self.id) > CRED_ID_MAX_LENGTH: raise AssertionError
def generate_id(self) -> None: self.creation_time = storage.device.next_u2f_counter() or 0 data = cbor.encode( { key: value for key, value in ( (_CRED_ID_RP_ID, self.rp_id), (_CRED_ID_RP_NAME, self.rp_name), (_CRED_ID_USER_ID, self.user_id), (_CRED_ID_USER_NAME, self.user_name), (_CRED_ID_USER_DISPLAY_NAME, self.user_display_name), (_CRED_ID_CREATION_TIME, self.creation_time), (_CRED_ID_HMAC_SECRET, self.hmac_secret), (_CRED_ID_USE_SIGN_COUNT, self.use_sign_count), ) if value } ) key = seed.derive_slip21_node_without_passphrase( [b"SLIP-0022", _CRED_ID_VERSION, b"Encryption key"] ).key() iv = random.bytes(12) ctx = chacha20poly1305(key, iv) ctx.auth(self.rp_id_hash) ciphertext = ctx.encrypt(data) tag = ctx.finish() self.id = _CRED_ID_VERSION + iv + ciphertext + tag
def test_chacha20poly1305_decrypt_mac(self): for plaintext, aad, key, nonce, ciphertext, tag in self.vectors: ctx = chacha20poly1305(unhexlify(key), unhexlify(nonce)) ctx.auth(unhexlify(aad)) out = ctx.decrypt(unhexlify(ciphertext)) self.assertEqual(out, unhexlify(plaintext)) out = ctx.finish() self.assertEqual(out, unhexlify(tag))
def test_sig_seal(self): mst = ubinascii.unhexlify( b"ca3bbe08a178a4508c3992a47ba775799e7626a365ed136e803fe5f2df2ce01c" ) st = State(None) st.last_step = st.STEP_SIGN st.opening_key = mst st.current_input_index = 3 mg_buff = [ '0b', '02fe9ee789007254215b41351109f186620624a3c1ad2ba89628194528672adf04f900ebf9ad3b0cc1ac9ae1f03167f74d6e04175df5001c91d09d29dbefd6bc0b', '021d46f6db8a349caca48a4dfee155b9dee927d0f25cdf5bcd724358c611b47906de6cedad47fd26070927f3954bcaf7a0e126699bf961ca4e8124abefe8aaeb05', '02ae933994effe2b348b09bfab783bf9adb58b09659d8f5bd058cca252d763b600541807dcb0ea9fe253e59f23ce36cc811d627acae5e2abdc00b7ed155f3e6b0f', '0203dd7138c7378444fe3c1b1572a351f88505aeab2d9f8ed4a8f67d66e76983072d8ae6e496b3953a8603543c2dc64749ee15fe3575e4505b502bfe696f06690e', '0287b572b6c096bc11a8c10fe1fc4ba2085633f8e1bdd2e39df8f46c9bf733ca068261d8006f22ee2bfaf4366e26d42b00befdddd9058a5c87a0f39c757f121909', '021e2ea38aa07601e07a3d7623a97e68d3251525304d2a748548c7b46d07c20b0c78506b19cae49d569d0a8c4979c74f7d8d19f7e595d307ddf00faf3d8f621c0d', '0214f758c8fb4a521a1e3d25b9fb535974f6aab1c1dda5988e986dda7e17140909a7b7bdb3d5e17a2ebd5deb3530d10c6f5d6966f525c1cbca408059949ff65304', '02f707c4a37066a692986ddfdd2ca71f68c6f45a956d45eaf6e8e7a2e5272ac3033eb26ca2b55bf86e90ab8ddcdbad88a82ded88deb552614190440169afcee004', '02edb8a5b8cc02a2e03b95ea068084ae2496f21d4dfd0842c63836137e37047b06d5a0160994396c98630d8b47878e9c18fea4fb824588c143e05c4b18bfea2301', '02aa59c2ef76ac97c261279a1c6ed3724d66a437fe8df0b85e8858703947a2b10f04e49912a0626c09849c3b4a3ea46166cd909b9fd561257730c91cbccf4abe07', '02c64a98c59c4a3d7c583de65404c5a54b350a25011dfca70cd84e3f6e570428026236028fce31bfd8d9fc5401867ab5349eb0859c65df05b380899a7bdfee9003', '03da465e27f7feec31353cb668f0e8965391f983b06c0684b35b00af38533603', ] mg_buff = [ubinascii.unhexlify(x) for x in mg_buff] mg_buff_b = list(mg_buff) mg_res = step_09_sign_input._protect_signature(st, mg_buff) iv = offloading_keys.key_signature(mst, st.current_input_index, True)[:12] key = offloading_keys.key_signature(mst, st.current_input_index, False) cipher = chacha20poly1305(key, iv) ciphertext = cipher.encrypt(b"".join(mg_buff_b)) ciphertext += cipher.finish() self.assertEqual(b"".join(mg_res), ciphertext) cipher = chacha20poly1305(key, iv) ciphertext = b"".join(mg_res) exp_tag, ciphertext = ciphertext[-16:], ciphertext[:-16] plaintext = cipher.decrypt(ciphertext) tag = cipher.finish() self.assertEqual(tag, exp_tag) self.assertEqual(plaintext, b"".join(mg_buff_b))
def test_chacha20_decrypt(self): for plaintext, _, key, nonce, ciphertext, _ in self.vectors: ctx = chacha20poly1305(unhexlify(key), unhexlify(nonce)) out = ctx.encrypt(unhexlify(ciphertext)) self.assertEqual(out, unhexlify(plaintext))
def _protect_signature(state: State, mg_buffer: list[bytes]) -> list[bytes]: """ Encrypts the signature with keys derived from state.opening_key. After protocol finishes without error, opening_key is sent to the host. """ from trezor.crypto import random from trezor.crypto import chacha20poly1305 from apps.monero.signing import offloading_keys if state.last_step != state.STEP_SIGN: state.opening_key = random.bytes(32) nonce = offloading_keys.key_signature(state.opening_key, state.current_input_index, True)[:12] key = offloading_keys.key_signature(state.opening_key, state.current_input_index, False) cipher = chacha20poly1305(key, nonce) # cipher.update() input has to be 512 bit long (besides the last block). # Thus we go over mg_buffer and buffer 512 bit input blocks before # calling cipher.update(). CHACHA_BLOCK = 64 # 512 bit chacha key-stream block size buff = bytearray(CHACHA_BLOCK) buff_len = 0 # valid bytes in the block buffer mg_len = 0 for data in mg_buffer: mg_len += len(data) # Preallocate array of ciphertext blocks, ceil, add tag block mg_res = [None] * (1 + (mg_len + CHACHA_BLOCK - 1) // CHACHA_BLOCK) mg_res_c = 0 for ix, data in enumerate(mg_buffer): data_ln = len(data) data_off = 0 while data_ln > 0: to_add = min(CHACHA_BLOCK - buff_len, data_ln) if to_add: buff[buff_len:buff_len + to_add] = data[data_off:data_off + to_add] data_ln -= to_add buff_len += to_add data_off += to_add if len(buff) != CHACHA_BLOCK or buff_len > CHACHA_BLOCK: raise ValueError("Invariant error") if buff_len == CHACHA_BLOCK: mg_res[mg_res_c] = cipher.encrypt(buff) mg_res_c += 1 buff_len = 0 mg_buffer[ix] = None if ix & 7 == 0: gc.collect() # The last block can be incomplete if buff_len: mg_res[mg_res_c] = cipher.encrypt(buff[:buff_len]) mg_res_c += 1 mg_res[mg_res_c] = cipher.finish() return mg_res
def _encrypt_derivation_path(path: list, hd_passphrase: bytes) -> bytes: serialized = cbor.encode(cbor.IndefiniteLengthArray(path)) ctx = chacha20poly1305(hd_passphrase, b"serokellfore") data = ctx.encrypt(serialized) tag = ctx.finish() return data + tag