feat(common): Add AuthenticateDevice message.

[no changelog]
10 months ago · 2dc5857336
parent b221f128ec
commit 2dc5857336
7 changed files with 89 additions and 1 deletions
--- a/common/protob/messages-management.proto
+++ b/common/protob/messages-management.proto
@ -280,6 +280,25 @@ message FirmwareHash {
    required bytes hash = 1;
 }

+/**
+ * Request: Request a signature of the provided challenge.
+ * @start
+ * @next AuthenticityProof
+ * @next Failure
+ */
+message AuthenticateDevice {
+    required bytes challenge = 1;  // A random challenge to sign.
+}
+
+/**
+ * Response: Signature of the provided challenge along with a certificate issued by the Trezor company.
+ * @end
+ */
+message AuthenticityProof {
+    repeated bytes certificates = 1;  // A certificate chain starting with the device certificate, followed by intermediate CA certificates, the last of which is signed by Trezor company's root CA.
+    required bytes signature = 2;     // A DER-encoded signature of "\0x13AuthenticateDevice:" + length-prefixed challenge that should be verified using the device certificate.
+}
+
 /**
 * Request: Request device to wipe all sensitive data and settings
 * @start
--- a/common/protob/messages.proto
+++ b/common/protob/messages.proto
@ -122,6 +122,8 @@ enum MessageType {
    MessageType_UnlockedPathRequest = 94 [(bitcoin_only) = true, (wire_out) = true];
    MessageType_ShowDeviceTutorial = 95 [(bitcoin_only) = true, (wire_in) = true];
    MessageType_UnlockBootloader = 96 [(bitcoin_only) = true, (wire_in) = true];
+    MessageType_AuthenticateDevice = 97 [(bitcoin_only) = true, (wire_out) = true];
+    MessageType_AuthenticityProof = 98 [(bitcoin_only) = true, (wire_in) = true];

    MessageType_SetU2FCounter = 63 [(wire_in) = true];
    MessageType_GetNextU2FCounter = 80 [(wire_in) = true];
--- a/core/src/trezor/enums/MessageType.py
+++ b/core/src/trezor/enums/MessageType.py
@ -48,6 +48,8 @@ UnlockPath = 93
 UnlockedPathRequest = 94
 ShowDeviceTutorial = 95
 UnlockBootloader = 96
+AuthenticateDevice = 97
+AuthenticityProof = 98
 FirmwareErase = 6
 FirmwareUpload = 7
 FirmwareRequest = 8
--- a/core/src/trezor/enums/init.py
+++ b/core/src/trezor/enums/init.py
@ -65,6 +65,8 @@ if TYPE_CHECKING:
        UnlockedPathRequest = 94
        ShowDeviceTutorial = 95
        UnlockBootloader = 96
+        AuthenticateDevice = 97
+        AuthenticityProof = 98
        SetU2FCounter = 63
        GetNextU2FCounter = 80
        NextU2FCounter = 81
--- a/core/src/trezor/messages.py
+++ b/core/src/trezor/messages.py
@ -2362,6 +2362,36 @@ if TYPE_CHECKING:
        def is_type_of(cls, msg: Any) -> TypeGuard["FirmwareHash"]:
            return isinstance(msg, cls)

+    class AuthenticateDevice(protobuf.MessageType):
+        challenge: "bytes"
+
+        def __init__(
+            self,
+            *,
+            challenge: "bytes",
+        ) -> None:
+            pass
+
+        @classmethod
+        def is_type_of(cls, msg: Any) -> TypeGuard["AuthenticateDevice"]:
+            return isinstance(msg, cls)
+
+    class AuthenticityProof(protobuf.MessageType):
+        certificates: "list[bytes]"
+        signature: "bytes"
+
+        def __init__(
+            self,
+            *,
+            signature: "bytes",
+            certificates: "list[bytes] | None" = None,
+        ) -> None:
+            pass
+
+        @classmethod
+        def is_type_of(cls, msg: Any) -> TypeGuard["AuthenticityProof"]:
+            return isinstance(msg, cls)
+
    class WipeDevice(protobuf.MessageType):

        @classmethod
--- a/legacy/firmware/protob/Makefile
+++ b/legacy/firmware/protob/Makefile
@ -8,7 +8,7 @@ SKIPPED_MESSAGES := Binance Cardano DebugMonero Eos Monero Ontology Ripple SdPro
 	TxAckInput TxAckOutput TxAckPrev TxAckPaymentRequest \
 	EthereumSignTypedData EthereumTypedDataStructRequest EthereumTypedDataStructAck \
 	EthereumTypedDataValueRequest EthereumTypedDataValueAck ShowDeviceTutorial \
-	UnlockBootloader
+	UnlockBootloader AuthenticateDevice AuthenticityProof

 ifeq ($(BITCOIN_ONLY), 1)
 SKIPPED_MESSAGES += Ethereum NEM Stellar
--- a/python/src/trezorlib/messages.py
+++ b/python/src/trezorlib/messages.py
@ -73,6 +73,8 @@ class MessageType(IntEnum):
    UnlockedPathRequest = 94
    ShowDeviceTutorial = 95
    UnlockBootloader = 96
+    AuthenticateDevice = 97
+    AuthenticityProof = 98
    SetU2FCounter = 63
    GetNextU2FCounter = 80
    NextU2FCounter = 81
@ -3466,6 +3468,37 @@ class FirmwareHash(protobuf.MessageType):
        self.hash = hash


+class AuthenticateDevice(protobuf.MessageType):
+    MESSAGE_WIRE_TYPE = 97
+    FIELDS = {
+        1: protobuf.Field("challenge", "bytes", repeated=False, required=True),
+    }
+
+    def __init__(
+        self,
+        *,
+        challenge: "bytes",
+    ) -> None:
+        self.challenge = challenge
+
+
+class AuthenticityProof(protobuf.MessageType):
+    MESSAGE_WIRE_TYPE = 98
+    FIELDS = {
+        1: protobuf.Field("certificates", "bytes", repeated=True, required=False, default=None),
+        2: protobuf.Field("signature", "bytes", repeated=False, required=True),
+    }
+
+    def __init__(
+        self,
+        *,
+        signature: "bytes",
+        certificates: Optional[Sequence["bytes"]] = None,
+    ) -> None:
+        self.certificates: Sequence["bytes"] = certificates if certificates is not None else []
+        self.signature = signature
+
+
 class WipeDevice(protobuf.MessageType):
    MESSAGE_WIRE_TYPE = 5