async def run(self): # connect to, and maintain a connection to a single Coldcard logging.info("Connecting to Coldcard.") while 1: try: if not self.serial and os.path.exists(settings.SIMULATOR_SOCK): # if simulator is running, just use it. sn = settings.SIMULATOR_SOCK else: sn = self.serial d = ColdcardDevice(sn=sn) logging.info(f"Found Coldcard {d.serial}.") await asyncio.get_running_loop().run_in_executor( executor, d.check_mitm) async with self.lock: self.dev = d except: logging.error("Cannot connect to Coldcard (will retry)", exc_info=0) await asyncio.sleep(settings.RECONNECT_DELAY) continue # stay connected, and check we are working periodically logging.info(f"Connected to Coldcard {self.dev.serial}.") STATUS.connected = True # read static info about coldcard STATUS.xfp = xfp2str(self.dev.master_fingerprint) STATUS.serial_number = self.dev.serial STATUS.is_testnet = (self.dev.master_xpub[0] == 't') STATUS.hsm = {} STATUS.reset_pending_auth() STATUS.notify_watchers() await self.hsm_status() while 1: await asyncio.sleep(settings.PING_RATE) try: # use long timeout here, even tho simple command, because the CC may # we working on something else right now (thinking). h = await self.send_recv(CCProtocolPacker.hsm_status(), timeout=20000) logging.info("ping ok") await self.hsm_status(h) except MissingColdcard: self._conn_broken() break except: logging.error("Ping failed", exc_info=1)
async def activated_hsm(self): # just connected to a Coldcard w/ HSM active already # - ready storage locker, decrypt and use those settings logging.info("Coldcard now in HSM mode. Fetching storage locker.") try: sl = await self.get_storage_locker() except CCProtoError as exc: if 'consumed' in str(exc): import os, sys msg = "Coldcard refused access to storage locker. Reboot it and enter HSM again" logging.error(msg) print(msg, file=sys.stderr) sys.exit(1) else: raise try: import policy xk = policy.decode_sl(sl) except: logging.error("Unable to parse contents of storage locker: %r" % sl) return if BP.open(xk): # unable to read our settings specific to this CC? Go to defaults # or continue? logging.error( "Unable to read bunker settings for this Coldcard; forging on") else: STATUS.sl_loaded = True if BP.get( 'tor_enabled', False) and not (STATUS.force_local_mode or STATUS.setup_mode): # get onto Tor as a HS from torsion import TOR STATUS.tor_enabled = True logging.info(f"Starting hidden service: %s" % BP['onion_addr']) asyncio.create_task(TOR.start_tunnel()) h = STATUS.hsm if ('summary' in h) and h.summary and not BP.get( 'priv_over_ux') and not BP.get('summary'): logging.info("Captured CC's summary of the policy") BP['summary'] = h.summary BP.save() STATUS.reset_pending_auth() STATUS.notify_watchers()
def _conn_broken(self, setup_time=False): # our connection is lost, so clear/reset system state if self.dev: self.dev.close() self.dev = None STATUS.connected = False STATUS.xfp = None STATUS.serial_number = None STATUS.is_testnet = False STATUS.hsm = {} STATUS.reset_pending_auth() if not setup_time: BP.reset() STATUS.notify_watchers()
async def ws_api_handler(ses, send_json, req, orig_request): # handle_api # # Handle incoming requests over websocket; send back results. # req = already json parsed request coming in # send_json() = means to send the response back # action = req.action args = getattr(req, 'args', None) #logging.warn("API action=%s (%r)" % (action, args)) # MAJOR info leak XXX logging.debug(f"API action={action}") if action == '_connected': logging.info("Websocket connected: %r" % args) # can send special state update at this point, depending on the page elif action == 'start_hsm_btn': await Connection().hsm_start() await send_json(show_flash_msg=APPROVE_CTA) elif action == 'delete_user': name, = args assert 1 <= len(name) <= MAX_USERNAME_LEN, "bad username length" await Connection().delete_user(name.encode('utf8')) # assume it worked, so UX updates right away try: STATUS.hsm.users.remove(name) except ValueError: pass STATUS.notify_watchers() elif action == 'create_user': name, authmode, new_pw = args assert 1 <= len(name) <= MAX_USERNAME_LEN, "bad username length" assert ',' not in name, "no commas in names" if authmode == 'totp': mode = USER_AUTH_TOTP | USER_AUTH_SHOW_QR new_pw = '' elif authmode == 'rand_pw': mode = USER_AUTH_HMAC | USER_AUTH_SHOW_QR new_pw = '' elif authmode == 'give_pw': mode = USER_AUTH_HMAC else: raise ValueError(authmode) await Connection().create_user(name.encode('utf8'), mode, new_pw) # assume it worked, so UX updates right away try: STATUS.hsm.users = list(set(STATUS.hsm.users + [name])) except ValueError: pass STATUS.notify_watchers() elif action == 'submit_policy': # get some JSON w/ everything the user entered. p, save_copy = args proposed = policy.web_cleanup(json_loads(p)) policy.update_sl(proposed) await Connection().hsm_start(proposed) STATUS.notify_watchers() await send_json(show_flash_msg=APPROVE_CTA) if save_copy: d = policy.desensitize(proposed) await send_json(local_download=dict(data=json_dumps(d, indent=2), filename=f'hsm-policy-{STATUS.xfp}.json.txt')) elif action == 'download_policy': proposed = policy.web_cleanup(json_loads(args[0])) await send_json(local_download=dict(data=json_dumps(proposed, indent=2), filename=f'hsm-policy-{STATUS.xfp}.json.txt')) elif action == 'import_policy': # they are uploading a JSON capture, but need values we can load in Vue proposed = args[0] cooked = policy.web_cookup(proposed) await send_json(vue_app_cb=dict(update_policy=cooked), show_flash_msg="Policy file imported.") elif action == 'pick_onion_addr': from torsion import TOR addr, pk = await TOR.pick_onion_addr() await send_json(vue_app_cb=dict(new_onion_addr=[addr, pk])) elif action == 'pick_master_pw': pw = b64encode(os.urandom(12)).decode('ascii') pw = pw.replace('/', 'S').replace('+', 'p') assert '=' not in pw await send_json(vue_app_cb=dict(new_master_pw=pw)) elif action == 'new_bunker_config': from torsion import TOR # save and apply config values nv = json_loads(args[0]) assert 4 <= len(nv.master_pw) < 200, "Master password must be at least 4 chars long" # copy in simple stuff for fn in [ 'tor_enabled', 'master_pw', 'easy_captcha', 'allow_reboots']: if fn in nv: BP[fn] = nv[fn] # update onion stuff only if PK is known (ie. they changed it) if nv.get('onion_pk', False) or False: for fn in [ 'onion_addr', 'onion_pk']: if fn in nv: BP[fn] = nv[fn] BP.save() await send_json(show_flash_msg="Bunker settings encrypted and saved to disk.") STATUS.tor_enabled = BP['tor_enabled'] STATUS.notify_watchers() if not BP['tor_enabled']: await TOR.stop_tunnel() elif BP.get('onion_pk') and not (STATUS.force_local_mode or STATUS.setup_mode) \ and TOR.get_current_addr() != BP.get('onion_addr'): # disconnect/reconnect await TOR.start_tunnel() elif action == 'sign_message': # sign a short text message # - lots more checking could be done here, but CC does it anyway msg_text, path, addr_fmt = args addr_fmt = AF_P2WPKH if addr_fmt != 'classic' else AF_CLASSIC try: sig, addr = await Connection().sign_text_msg(msg_text, path, addr_fmt) except: # get the spinner to stop: error msg will be "refused by policy" typically await send_json(vue_app_cb=dict(msg_signing_result='(failed)')) raise sig = b64encode(sig).decode('ascii').replace('\n', '') await send_json(vue_app_cb=dict(msg_signing_result=f'{sig}\n{addr}')) elif action == 'upload_psbt': # receiving a PSBT for signing size, digest, contents = args psbt = b64decode(contents) assert len(psbt) == size, "truncated/padded in transit" assert sha256(psbt).hexdigest() == digest, "corrupted in transit" STATUS.import_psbt(psbt) STATUS.notify_watchers() elif action == 'clear_psbt': STATUS.clear_psbt() STATUS.notify_watchers() elif action == 'preview_psbt': STATUS.psbt_preview = 'Wait...' STATUS.notify_watchers() try: txt = await Connection().sign_psbt(STATUS._pending_psbt, flags=STXN_VISUALIZE) txt = txt.decode('ascii') # force some line splits, especially for bech32, 32-byte values (p2wsh) probs = re.findall(r'([a-zA-Z0-9]{36,})', txt) for p in probs: txt = txt.replace(p, p[0:30] + '\u22ef\n\u22ef' + p[30:]) STATUS.psbt_preview = txt except: # like if CC doesn't like the keys, whatever .. STATUS.psbt_preview = None raise finally: STATUS.notify_watchers() elif action == 'auth_set_name': idx, name = args assert 0 <= len(name) <= MAX_USERNAME_LEN assert 0 <= idx < len(STATUS.pending_auth) STATUS.pending_auth[idx].name = name STATUS.notify_watchers() elif action == 'auth_offer_guess': idx, ts, guess = args assert 0 <= idx < len(STATUS.pending_auth) STATUS.pending_auth[idx].totp = ts STATUS.pending_auth[idx].has_guess = 'x'*len(guess) STATUS._auth_guess[idx] = guess STATUS.notify_watchers() elif action == 'submit_psbt': # they want to sign it now expect_hash, send_immediately, finalize, wants_dl = args assert expect_hash == STATUS.psbt_hash, "hash mismatch" if send_immediately: assert finalize, "must finalize b4 send" logging.info("Starting to sign...") STATUS.busy_signing = True STATUS.notify_watchers() try: dev = Connection() # do auth steps first (no feedback given) for pa, guess in zip(STATUS.pending_auth, STATUS._auth_guess): if pa.name and guess: await dev.user_auth(pa.name, guess, int(pa.totp), a2b_hex(STATUS.psbt_hash)) STATUS.reset_pending_auth() try: result = await dev.sign_psbt(STATUS._pending_psbt, finalize=finalize) logging.info("Done signing") msg = "Transaction signed." if send_immediately: msg += '<br><br>' + broadcast_txn(result) await send_json(show_modal=True, html=Markup(msg), selector='.js-api-success') result = (b2a_hex(result) if finalize else b64encode(result)).decode('ascii') fname = 'transaction.txt' if finalize else ('signed-%s.psbt'%STATUS.psbt_hash[-6:]) if wants_dl: await send_json(local_download=dict(data=result, filename=fname, is_b64=(not finalize))) await dev.hsm_status() except CCUserRefused: logging.error("Coldcard refused to sign txn") await dev.hsm_status() r = STATUS.hsm.get('last_refusal', None) if not r: raise HTMLErroMsg('Refused by local user.') else: raise HTMLErrorMsg(f"Rejected by Coldcard.<br><br>{r}") finally: STATUS.busy_signing = False STATUS.notify_watchers() elif action == 'shutdown_bunker': await send_json(show_flash_msg="Bunker is shutdown.") await asyncio.sleep(0.25) logging.warn("User-initiated shutdown") asyncio.get_running_loop().stop() sys.exit(0) elif action == 'leave_setup_mode': # During setup process, they want to go Tor mode; which I consider leaving # setup mode ... in particular, logins are required. # - button label is "Start Tor" tho ... so user doesn't see it that way assert STATUS.setup_mode, 'not in setup mode?' assert BP['tor_enabled'], 'Tor not enabled (need to save?)' addr = BP['onion_addr'] assert addr and '.onion' in addr, "Bad address?" STATUS.setup_mode = False await send_json(show_flash_msg="Tor hidden service has been enabled. " "It may take a few minutes for the website to become available") STATUS.notify_watchers() from torsion import TOR logging.info(f"Starting hidden service: %s" % addr) asyncio.create_task(TOR.start_tunnel()) elif action == 'logout_everyone': # useful for running battles... # - changes crypto key for cookies, so they are all invalid immediately. from aiohttp_session.nacl_storage import NaClCookieStorage import nacl logging.warning("Logout of everyone!") # reset all session cookies storage = orig_request.get('aiohttp_session_storage') assert isinstance(storage, NaClCookieStorage) storage._secretbox = nacl.secret.SecretBox(os.urandom(32)) # kick everyone off (bonus step) for w in web_sockets: try: await send_json(redirect='/logout', _ws=w) await w.close() except: pass else: raise NotImplementedError(action)