async def _finish_recovery_dry_run(ctx: wire.GenericContext, secret: bytes, backup_type: BackupType) -> Success: if backup_type is None: raise RuntimeError digest_input = sha256(secret).digest() stored = mnemonic.get_secret() digest_stored = sha256(stored).digest() result = utils.consteq(digest_stored, digest_input) is_slip39 = backup_types.is_slip39_backup_type(backup_type) # Check that the identifier and iteration exponent match as well if is_slip39: result &= (storage.device.get_slip39_identifier() == storage.recovery.get_slip39_identifier()) result &= (storage.device.get_slip39_iteration_exponent() == storage.recovery.get_slip39_iteration_exponent()) storage.recovery.end_progress() await layout.show_dry_run_result(ctx, result, is_slip39) if result: return Success( message="The seed is valid and matches the one in the device") else: raise wire.ProcessError( "The seed does not match the one in the device")
async def recovery_device(ctx, msg): """ Recover BIP39 seed into empty device. 1. Ask for the number of words in recovered seed. 2. Let user type in the mnemonic words one by one. 3. Optionally check the seed validity. 4. Optionally ask for the PIN, with confirmation. 5. Save into storage. """ if not msg.dry_run and storage.is_initialized(): raise wire.UnexpectedMessage("Already initialized") text = Text("Device recovery", ui.ICON_RECOVERY) text.normal("Do you really want to", "recover the device?", "") await require_confirm(ctx, text, code=ProtectCall) if msg.dry_run and config.has_pin(): curpin = await request_pin_ack(ctx, "Enter PIN", config.get_pin_rem()) if not config.check_pin(pin_to_int(curpin)): raise wire.PinInvalid("PIN invalid") # ask for the number of words wordcount = await request_wordcount(ctx) # ask for mnemonic words one by one mnemonic = await request_mnemonic(ctx, wordcount) # check mnemonic validity if msg.enforce_wordlist or msg.dry_run: if not bip39.check(mnemonic): raise wire.ProcessError("Mnemonic is not valid") # ask for pin repeatedly if msg.pin_protection: newpin = await request_pin_confirm(ctx, cancellable=False) # dry run if msg.dry_run: digest_input = sha256(mnemonic).digest() digest_stored = sha256(storage.get_mnemonic()).digest() if consteq(digest_stored, digest_input): return Success( message="The seed is valid and matches the one in the device") else: raise wire.ProcessError( "The seed is valid but does not match the one in the device") # save into storage if msg.pin_protection: config.change_pin(pin_to_int(""), pin_to_int(newpin)) storage.set_u2f_counter(msg.u2f_counter) storage.load_settings(label=msg.label, use_passphrase=msg.passphrase_protection) storage.load_mnemonic(mnemonic=mnemonic, needs_backup=False, no_backup=False) return Success(message="Device recovered")
async def _finish_recovery_dry_run( ctx: wire.Context, secret: bytes, mnemonic_type: int ) -> Success: digest_input = sha256(secret).digest() stored = mnemonic.get_secret() digest_stored = sha256(stored).digest() result = utils.consteq(digest_stored, digest_input) # Check that the identifier and iteration exponent match as well if mnemonic_type == mnemonic.TYPE_SLIP39: result &= ( storage.device.get_slip39_identifier() == storage.recovery.get_slip39_identifier() ) result &= ( storage.device.get_slip39_iteration_exponent() == storage.recovery.get_slip39_iteration_exponent() ) await layout.show_dry_run_result(ctx, result, mnemonic_type) storage.recovery.end_progress() if result: return Success("The seed is valid and matches the one in the device") else: raise wire.ProcessError("The seed does not match the one in the device")
def _node_from_key_handle(rp_id_hash: bytes, keyhandle: bytes, pathformat: str) -> Optional[bip32.HDNode]: # unpack the keypath from the first half of keyhandle keypath = keyhandle[:32] path = ustruct.unpack(pathformat, keypath) # check high bit for hardened keys for i in path: if not i & HARDENED: if __debug__: log.warning(__name__, "invalid key path") return None # derive the signing key nodepath = [_U2F_KEY_PATH] + list(path) node = seed.derive_node_without_passphrase(nodepath, "nist256p1") # second half of keyhandle is a hmac of rp_id_hash and keypath mac = hmac.Hmac(node.private_key(), rp_id_hash, hashlib.sha256) mac.update(keypath) # verify the hmac if not utils.consteq(mac.digest(), keyhandle[32:]): if __debug__: log.warning(__name__, "invalid key handle") return None return node
def from_cred_id( cls, cred_id: bytes, rp_id_hash: Optional[bytes] ) -> "Fido2Credential": if len(cred_id) < CRED_ID_MIN_LENGTH or cred_id[0:4] != _CRED_ID_VERSION: raise ValueError # invalid length or version key = seed.derive_slip21_node_without_passphrase( [b"SLIP-0022", cred_id[0:4], b"Encryption key"] ).key() iv = cred_id[4:16] ciphertext = cred_id[16:-16] tag = cred_id[-16:] if rp_id_hash is None: ctx = chacha20poly1305(key, iv) data = ctx.decrypt(ciphertext) try: rp_id = cbor.decode(data)[_CRED_ID_RP_ID] except Exception as e: raise ValueError from e # CBOR decoding failed rp_id_hash = hashlib.sha256(rp_id).digest() ctx = chacha20poly1305(key, iv) ctx.auth(rp_id_hash) data = ctx.decrypt(ciphertext) if not utils.consteq(ctx.finish(), tag): raise ValueError # inauthentic ciphertext try: data = cbor.decode(data) except Exception as e: raise ValueError from e # CBOR decoding failed if not isinstance(data, dict): raise ValueError # invalid CBOR data cred = cls() cred.rp_id = data.get(_CRED_ID_RP_ID, None) cred.rp_id_hash = rp_id_hash cred.rp_name = data.get(_CRED_ID_RP_NAME, None) cred.user_id = data.get(_CRED_ID_USER_ID, None) cred.user_name = data.get(_CRED_ID_USER_NAME, None) cred.user_display_name = data.get(_CRED_ID_USER_DISPLAY_NAME, None) cred.creation_time = data.get(_CRED_ID_CREATION_TIME, 0) cred.hmac_secret = data.get(_CRED_ID_HMAC_SECRET, False) cred.use_sign_count = data.get(_CRED_ID_USE_SIGN_COUNT, False) cred.algorithm = data.get(_CRED_ID_ALGORITHM, _DEFAULT_ALGORITHM) cred.curve = data.get(_CRED_ID_CURVE, _DEFAULT_CURVE) cred.id = cred_id if ( (_CRED_ID_ALGORITHM in data) != (_CRED_ID_CURVE in data) or not cred.check_required_fields() or not cred.check_data_types() or hashlib.sha256(cred.rp_id).digest() != rp_id_hash ): raise ValueError # data consistency check failed return cred
def dry_run(secret: bytes) -> None: digest_input = sha256(secret).digest() stored, _ = get() digest_stored = sha256(stored).digest() if consteq(digest_stored, digest_input): return Success(message="The seed is valid and matches the one in the device") else: raise wire.ProcessError( "The seed is valid but does not match the one in the device" )
def from_cred_id( cred_id: bytes, rp_id_hash: Optional[bytes]) -> Optional["Fido2Credential"]: if len(cred_id ) < _CRED_ID_MIN_LENGTH or cred_id[0:4] != _CRED_ID_VERSION: return None key = seed.derive_slip21_node_without_passphrase( [b"SLIP-0022", cred_id[0:4], b"Encryption key"]).key() iv = cred_id[4:16] ciphertext = cred_id[16:-16] tag = cred_id[-16:] if rp_id_hash is None: ctx = chacha20poly1305(key, iv) data = ctx.decrypt(ciphertext) try: rp_id = cbor.decode(data)[_CRED_ID_RP_ID] except Exception: return None rp_id_hash = hashlib.sha256(rp_id).digest() ctx = chacha20poly1305(key, iv) ctx.auth(rp_id_hash) data = ctx.decrypt(ciphertext) if not utils.consteq(ctx.finish(), tag): return None try: data = cbor.decode(data) except Exception: return None if not isinstance(data, dict): return None cred = Fido2Credential() cred.rp_id = data.get(_CRED_ID_RP_ID, None) cred.rp_id_hash = rp_id_hash cred.rp_name = data.get(_CRED_ID_RP_NAME, None) cred.user_id = data.get(_CRED_ID_USER_ID, None) cred.user_name = data.get(_CRED_ID_USER_NAME, None) cred.user_display_name = data.get(_CRED_ID_USER_DISPLAY_NAME, None) cred.creation_time = data.get(_CRED_ID_CREATION_TIME, 0) cred.hmac_secret = data.get(_CRED_ID_HMAC_SECRET, False) cred.use_sign_count = data.get(_CRED_ID_USE_SIGN_COUNT, False) cred.id = cred_id if (not cred.check_required_fields() or not cred.check_data_types() or hashlib.sha256(cred.rp_id).digest() != rp_id_hash): return None return cred
def _load_salt(auth_key: bytes, path: str) -> Optional[bytearray]: # Load the salt file if it exists. try: with fatfs.open(path, "r") as f: salt = bytearray(SD_SALT_LEN_BYTES) stored_tag = bytearray(SD_SALT_AUTH_TAG_LEN_BYTES) f.read(salt) f.read(stored_tag) except fatfs.FatFSError: return None # Check the salt's authentication tag. computed_tag = compute_auth_tag(salt, auth_key) if not consteq(computed_tag, stored_tag): return None return salt
def verify_nonownership( proof: bytes, script_pubkey: bytes, commitment_data: bytes | None, keychain: Keychain, coin: CoinInfo, ) -> bool: try: r = utils.BufferReader(proof) if r.read_memoryview(4) != _VERSION_MAGIC: raise wire.DataError("Unknown format of proof of ownership") flags = r.get() if flags & 0b1111_1110: raise wire.DataError("Unknown flags in proof of ownership") # Determine whether our ownership ID appears in the proof. id_count = read_bitcoin_varint(r) ownership_id = get_identifier(script_pubkey, keychain) not_owned = True for _ in range(id_count): if utils.consteq(ownership_id, r.read_memoryview(_OWNERSHIP_ID_LEN)): not_owned = False # Verify the BIP-322 SignatureProof. proof_body = memoryview(proof)[:r.offset] if commitment_data is None: commitment_data = bytes() sighash = HashWriter(sha256(proof_body)) write_bytes_prefixed(sighash, script_pubkey) write_bytes_prefixed(sighash, commitment_data) script_sig, witness = read_bip322_signature_proof(r) # We don't call verifier.ensure_hash_type() to avoid possible compatibility # issues between implementations, because the hash type doesn't influence # the digest and the value to use is not defined in BIP-322. verifier = SignatureVerifier(script_pubkey, script_sig, witness, coin) verifier.verify(sighash.get_digest()) except (ValueError, EOFError): raise wire.DataError("Invalid proof of ownership") return not_owned
def _load_salt(fs: io.FatFS, auth_key: bytes, path: str) -> Optional[bytearray]: # Load the salt file if it exists. try: with fs.open(path, "r") as f: salt = bytearray(SD_SALT_LEN_BYTES) stored_tag = bytearray(SD_SALT_AUTH_TAG_LEN_BYTES) f.read(salt) f.read(stored_tag) except OSError: return None # Check the salt's authentication tag. computed_tag = hmac.new(auth_key, salt, sha256).digest()[ :SD_SALT_AUTH_TAG_LEN_BYTES ] if not consteq(computed_tag, stored_tag): return None return salt
async def request_sd_salt(ctx: Optional[wire.Context], salt_auth_key: bytes) -> bytearray: salt_path = _get_salt_path() new_salt_path = _get_salt_path(True) sd = io.SDCard() fs = io.FatFS() if not sd.power(True): await _insert_card_dialog(ctx) raise SdProtectCancelled try: fs.mount() # Load salt if it exists. try: with fs.open(salt_path, "r") as f: salt = bytearray( SD_SALT_LEN_BYTES) # type: Optional[bytearray] salt_tag = bytearray(SD_SALT_AUTH_TAG_LEN_BYTES) f.read(salt) f.read(salt_tag) except OSError: salt = None if salt is not None and consteq( hmac.new(salt_auth_key, salt, sha256).digest()[:SD_SALT_AUTH_TAG_LEN_BYTES], salt_tag, ): return salt # Load salt.new if it exists. try: with fs.open(new_salt_path, "r") as f: new_salt = bytearray( SD_SALT_LEN_BYTES) # type: Optional[bytearray] new_salt_tag = bytearray(SD_SALT_AUTH_TAG_LEN_BYTES) f.read(new_salt) f.read(new_salt_tag) except OSError: new_salt = None if new_salt is not None and consteq( hmac.new(salt_auth_key, new_salt, sha256).digest()[:SD_SALT_AUTH_TAG_LEN_BYTES], new_salt_tag, ): # SD salt regeneration was interrupted earlier. Bring into consistent state. # TODO Possibly overwrite salt file with random data. try: fs.unlink(salt_path) except OSError: pass fs.rename(new_salt_path, salt_path) return new_salt finally: fs.unmount() sd.power(False) await _wrong_card_dialog(ctx) raise SdProtectCancelled
def check_address_mac(address: str, mac: bytes, slip44: int, keychain: Keychain) -> None: expected_mac = get_address_mac(address, slip44, keychain) if len(mac) != hashlib.sha256.digest_size or not utils.consteq( expected_mac, mac): raise wire.DataError("Invalid address MAC.")