def preimage_hash(self, tx: SignTx, txi: TxInputType, pubkeyhash: bytes, sighash: int) -> bytes: h_preimage = HashWriter(sha256) write_uint32(h_preimage, tx.version) # nVersion write_bytes(h_preimage, bytearray(self.get_prevouts_hash())) # hashPrevouts write_bytes(h_preimage, bytearray(self.get_sequence_hash())) # hashSequence write_bytes_rev(h_preimage, txi.prev_hash) # outpoint write_uint32(h_preimage, txi.prev_index) # outpoint script_code = self.derive_script_code(txi, pubkeyhash) write_varint(h_preimage, len(script_code)) # scriptCode length write_bytes(h_preimage, script_code) # scriptCode write_uint64(h_preimage, txi.amount) # amount write_uint32(h_preimage, txi.sequence) # nSequence write_bytes(h_preimage, bytearray(self.get_outputs_hash())) # hashOutputs write_uint32(h_preimage, tx.lock_time) # nLockTime write_uint32(h_preimage, sighash) # nHashType return get_tx_hash(h_preimage, True)
def message_digest(coin, message): h = HashWriter(sha256) write_varint(h, len(coin.signed_message_header)) h.extend(coin.signed_message_header) write_varint(h, len(message)) h.extend(message) return sha256(h.get_digest()).digest()
def message_digest(message): from apps.wallet.sign_tx.signing import write_varint from trezor.crypto.hashlib import sha3_256 from apps.common.hash_writer import HashWriter h = HashWriter(sha3_256) signed_message_header = 'Ethereum Signed Message:\n' write_varint(h, len(signed_message_header)) h.extend(signed_message_header) write_varint(h, len(message)) h.extend(message) return h.get_digest(True)
async def get_prevtx_output_value(tx_req: TxRequest, prev_hash: bytes, prev_index: int) -> int: total_out = 0 # sum of output amounts # STAGE_REQUEST_2_PREV_META tx = await request_tx_meta(tx_req, prev_hash) txh = HashWriter(sha256) write_uint32(txh, tx.version) write_varint(txh, tx.inputs_cnt) for i in range(tx.inputs_cnt): # STAGE_REQUEST_2_PREV_INPUT txi = await request_tx_input(tx_req, i, prev_hash) write_tx_input(txh, txi) write_varint(txh, tx.outputs_cnt) for o in range(tx.outputs_cnt): # STAGE_REQUEST_2_PREV_OUTPUT txo_bin = await request_tx_output(tx_req, o, prev_hash) write_tx_output(txh, txo_bin) if o == prev_index: total_out += txo_bin.amount write_uint32(txh, tx.lock_time) ofs = 0 while ofs < tx.extra_data_len: size = min(1024, tx.extra_data_len - ofs) data = await request_tx_extra_data(tx_req, ofs, size, prev_hash) write_bytes(txh, data) ofs += len(data) if get_tx_hash(txh, True, True) != prev_hash: raise SigningError(FailureType.ProcessError, 'Encountered invalid prev_hash') return total_out
async def ethereum_sign_tx(ctx, msg): from trezor.crypto.hashlib import sha3_256 msg = sanitize(msg) check(msg) data_total = msg.data_length # detect ERC - 20 token token = None if len(msg.to) == 20 and \ len(msg.value) == 0 and \ data_total == 68 and \ len(msg.data_initial_chunk) == 68 and \ msg.data_initial_chunk[:16] == b'\xa9\x05\x9c\xbb\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00': token = tokens.token_by_chain_address(msg.chain_id, msg.to) if token is None: await layout.confirm_tx(ctx, msg.to, msg.value, msg.chain_id, token) else: await layout.confirm_tx(ctx, msg.data_initial_chunk[16:36], msg.data_initial_chunk.bytes[36:68], msg.chain_id, token) if token is None and msg.data_length > 0: await layout.confirm_data(ctx, msg.data_initial_chunk, data_total) await layout.confirm_fee(ctx, msg.value, msg.gas_price, msg.gas_limit, msg.chain_id, token) data = bytearray() data += msg.data_initial_chunk data_left = data_total - len(msg.data_initial_chunk) total_length = get_total_length(msg, data_total) sha = HashWriter(sha3_256) sha.extend(rlp.encode_length(total_length, True)) # total length for field in [msg.nonce, msg.gas_price, msg.gas_limit, msg.to, msg.value]: sha.extend(rlp.encode(field)) if data_left == 0: sha.extend(rlp.encode(data)) else: sha.extend(rlp.encode_length(data_total, False)) sha.extend(rlp.encode(data, False)) while data_left > 0: resp = await send_request_chunk(ctx, data_left) data_left -= len(resp.data_chunk) sha.extend(resp.data_chunk) # eip 155 replay protection if msg.chain_id: sha.extend(rlp.encode(msg.chain_id)) sha.extend(rlp.encode(0)) sha.extend(rlp.encode(0)) digest = sha.get_digest(True) # True -> use keccak mode return await send_signature(ctx, msg, digest)
async def check_tx_fee(tx: SignTx, root): coin = coins.by_name(tx.coin_name) # h_first is used to make sure the inputs and outputs streamed in Phase 1 # are the same as in Phase 2. it is thus not required to fully hash the # tx, as the SignTx info is streamed only once h_first = HashWriter(sha256) # not a real tx hash bip143 = Bip143() weight = TxWeightCalculator(tx.inputs_count, tx.outputs_count) txo_bin = TxOutputBinType() tx_req = TxRequest() tx_req.details = TxRequestDetailsType() total_in = 0 # sum of input amounts segwit_in = 0 # sum of segwit input amounts total_out = 0 # sum of output amounts change_out = 0 # change output amount wallet_path = [] # common prefix of input paths segwit = {} # dict of booleans stating if input is segwit for i in range(tx.inputs_count): # STAGE_REQUEST_1_INPUT txi = await request_tx_input(tx_req, i) wallet_path = input_extract_wallet_path(txi, wallet_path) write_tx_input_check(h_first, txi) weight.add_input(txi) bip143.add_prevouts(txi) bip143.add_sequence(txi) is_segwit = (txi.script_type == InputScriptType.SPENDWITNESS or txi.script_type == InputScriptType.SPENDP2SHWITNESS) if is_segwit: if not coin.segwit: raise SigningError(FailureType.DataError, 'Segwit not enabled on this coin') if not txi.amount: raise SigningError(FailureType.DataError, 'Segwit input without amount') segwit[i] = True segwit_in += txi.amount total_in += txi.amount elif txi.script_type == InputScriptType.SPENDADDRESS: segwit[i] = False total_in += await get_prevtx_output_value(tx_req, txi.prev_hash, txi.prev_index) else: raise SigningError(FailureType.DataError, 'Wrong input script type') for o in range(tx.outputs_count): # STAGE_REQUEST_3_OUTPUT txo = await request_tx_output(tx_req, o) txo_bin.amount = txo.amount txo_bin.script_pubkey = output_derive_script(txo, coin, root) weight.add_output(txo_bin.script_pubkey) if output_is_change(txo, wallet_path, segwit_in): if change_out != 0: raise SigningError(FailureType.ProcessError, 'Only one change output is valid') change_out = txo.amount elif not await confirm_output(txo, coin): raise SigningError(FailureType.ActionCancelled, 'Output cancelled') write_tx_output(h_first, txo_bin) bip143.add_output(txo_bin) total_out += txo_bin.amount fee = total_in - total_out if fee < 0: raise SigningError(FailureType.NotEnoughFunds, 'Not enough funds') # fee > (coin.maxfee per byte * tx size) if fee > (coin.maxfee_kb / 1000) * (weight.get_total() / 4): if not await confirm_feeoverthreshold(fee, coin): raise SigningError(FailureType.ActionCancelled, 'Signing cancelled') if not await confirm_total(total_out - change_out, fee, coin): raise SigningError(FailureType.ActionCancelled, 'Total cancelled') return h_first, bip143, segwit, total_in, wallet_path
async def sign_tx(tx: SignTx, root): tx = sanitize_sign_tx(tx) # Phase 1 h_first, bip143, segwit, authorized_in, wallet_path = await check_tx_fee( tx, root) # Phase 2 # - sign inputs # - check that nothing changed coin = coins.by_name(tx.coin_name) tx_ser = TxRequestSerializedType() txo_bin = TxOutputBinType() tx_req = TxRequest() tx_req.details = TxRequestDetailsType() tx_req.serialized = None for i_sign in range(tx.inputs_count): txi_sign = None key_sign = None key_sign_pub = None if segwit[i_sign]: # STAGE_REQUEST_SEGWIT_INPUT txi_sign = await request_tx_input(tx_req, i_sign) is_segwit = (txi_sign.script_type == InputScriptType.SPENDWITNESS or txi_sign.script_type == InputScriptType.SPENDP2SHWITNESS) if not is_segwit: raise SigningError(FailureType.ProcessError, 'Transaction has changed during signing') input_check_wallet_path(txi_sign, wallet_path) key_sign = node_derive(root, txi_sign.address_n) key_sign_pub = key_sign.public_key() txi_sign.script_sig = input_derive_script(txi_sign, key_sign_pub) w_txi = bytearray_with_cap(7 + len(txi_sign.prev_hash) + 4 + len(txi_sign.script_sig) + 4) if i_sign == 0: # serializing first input => prepend headers write_bytes(w_txi, get_tx_header(tx, True)) write_tx_input(w_txi, txi_sign) tx_ser.serialized_tx = w_txi tx_req.serialized = tx_ser else: # hash of what we are signing with this input h_sign = HashWriter(sha256) # same as h_first, checked before signing the digest h_second = HashWriter(sha256) write_uint32(h_sign, tx.version) write_varint(h_sign, tx.inputs_count) for i in range(tx.inputs_count): # STAGE_REQUEST_4_INPUT txi = await request_tx_input(tx_req, i) input_check_wallet_path(txi, wallet_path) write_tx_input_check(h_second, txi) if i == i_sign: txi_sign = txi key_sign = node_derive(root, txi.address_n) key_sign_pub = key_sign.public_key() txi_sign.script_sig = output_script_p2pkh( ecdsa_hash_pubkey(key_sign_pub)) else: txi.script_sig = bytes() write_tx_input(h_sign, txi) write_varint(h_sign, tx.outputs_count) for o in range(tx.outputs_count): # STAGE_REQUEST_4_OUTPUT txo = await request_tx_output(tx_req, o) txo_bin.amount = txo.amount txo_bin.script_pubkey = output_derive_script(txo, coin, root) write_tx_output(h_second, txo_bin) write_tx_output(h_sign, txo_bin) write_uint32(h_sign, tx.lock_time) write_uint32(h_sign, 0x00000001) # SIGHASH_ALL hash_type # check the control digests if get_tx_hash(h_first, False) != get_tx_hash(h_second, False): raise SigningError(FailureType.ProcessError, 'Transaction has changed during signing') # compute the signature from the tx digest signature = ecdsa_sign(key_sign, get_tx_hash(h_sign, True)) tx_ser.signature_index = i_sign tx_ser.signature = signature # serialize input with correct signature txi_sign.script_sig = input_derive_script(txi_sign, key_sign_pub, signature) w_txi_sign = bytearray_with_cap(5 + len(txi_sign.prev_hash) + 4 + len(txi_sign.script_sig) + 4) if i_sign == 0: # serializing first input => prepend headers write_bytes(w_txi_sign, get_tx_header(tx)) write_tx_input(w_txi_sign, txi_sign) tx_ser.serialized_tx = w_txi_sign tx_req.serialized = tx_ser for o in range(tx.outputs_count): # STAGE_REQUEST_5_OUTPUT txo = await request_tx_output(tx_req, o) txo_bin.amount = txo.amount txo_bin.script_pubkey = output_derive_script(txo, coin, root) # serialize output w_txo_bin = bytearray_with_cap(5 + 8 + 5 + len(txo_bin.script_pubkey) + 4) if o == 0: # serializing first output => prepend outputs count write_varint(w_txo_bin, tx.outputs_count) write_tx_output(w_txo_bin, txo_bin) tx_ser.signature_index = None tx_ser.signature = None tx_ser.serialized_tx = w_txo_bin tx_req.serialized = tx_ser any_segwit = True in segwit.values() for i in range(tx.inputs_count): if segwit[i]: # STAGE_REQUEST_SEGWIT_WITNESS txi = await request_tx_input(tx_req, i) input_check_wallet_path(txi, wallet_path) is_segwit = (txi.script_type == InputScriptType.SPENDWITNESS or txi.script_type == InputScriptType.SPENDP2SHWITNESS) if not is_segwit or txi.amount > authorized_in: raise SigningError(FailureType.ProcessError, 'Transaction has changed during signing') authorized_in -= txi.amount key_sign = node_derive(root, txi.address_n) key_sign_pub = key_sign.public_key() bip143_hash = bip143.preimage_hash(tx, txi, ecdsa_hash_pubkey(key_sign_pub)) signature = ecdsa_sign(key_sign, bip143_hash) witness = get_p2wpkh_witness(signature, key_sign_pub) tx_ser.serialized_tx = witness tx_ser.signature_index = i tx_ser.signature = signature elif any_segwit: tx_ser.serialized_tx = bytearray( 1) # empty witness for non-segwit inputs tx_ser.signature_index = None tx_ser.signature = None tx_req.serialized = tx_ser write_uint32(tx_ser.serialized_tx, tx.lock_time) await request_tx_finish(tx_req)
def __init__(self): self.h_prevouts = HashWriter(sha256) self.h_sequence = HashWriter(sha256) self.h_outputs = HashWriter(sha256)