From 2dc585733613df1809f697cc952c2bb0d511519a Mon Sep 17 00:00:00 2001
From: Andrew Kozlik
Date: Wed, 23 Aug 2023 09:59:52 +0200
Subject: [PATCH] feat(common): Add AuthenticateDevice message.
[no changelog]
---
 common/protob/messages-management.proto | 19 ++++++++++++++
 common/protob/messages.proto | 2 ++
 core/src/trezor/enums/MessageType.py | 2 ++
 core/src/trezor/enums/__init__.py | 2 ++
 core/src/trezor/messages.py | 30 ++++++++++++++++++++++
 legacy/firmware/protob/Makefile | 2 +-
 python/src/trezorlib/messages.py | 33 +++++++++++++++++++++++++
 7 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/common/protob/messages-management.proto b/common/protob/messages-management.proto
index 4656ebd5d..e3fd7bb67 100644
--- a/common/protob/messages-management.proto
+++ b/common/protob/messages-management.proto
@@ -280,6 +280,25 @@ message FirmwareHash {
 required bytes hash = 1;
 }
+/**
+ * Request: Request a signature of the provided challenge.
+ * @start
+ * @next AuthenticityProof
+ * @next Failure
+ */
+message AuthenticateDevice {
+ required bytes challenge = 1; // A random challenge to sign.
+}
+
+/**
+ * Response: Signature of the provided challenge along with a certificate issued by the Trezor company.
+ * @end
+ */
+message AuthenticityProof {
+ repeated bytes certificates = 1; // A certificate chain starting with the device certificate, followed by intermediate CA certificates, the last of which is signed by Trezor company's root CA.
+ required bytes signature = 2; // A DER-encoded signature of "\0x13AuthenticateDevice:" + length-prefixed challenge that should be verified using the device certificate.
+}
+
 /**
 * Request: Request device to wipe all sensitive data and settings
 * @start
diff --git a/common/protob/messages.proto b/common/protob/messages.proto
index 632c733c0..ae9637e06 100644
--- a/common/protob/messages.proto
+++ b/common/protob/messages.proto
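Review bot: The escape in the new `signature` field comment, `"\0x13AuthenticateDevice:"`, is not a valid byte escape; since `AuthenticateDevice:` is 19 characters long it was presumably meant as the single length byte `\x13`, so the fragment should read `"\x13AuthenticateDevice:" + length-prefixed challenge`. The width and byte order of the challenge's length prefix and the encoding of the `certificates` entries are not stated either, so a host verifier cannot be implemented from these comments alone; spell them out or reference the spec. Freshness of the proof rests entirely on the `challenge`, so the `AuthenticateDevice.challenge` comment should require a value freshly generated by the host for every request, because a reused challenge would let a previously recorded `AuthenticityProof` be replayed. As described, the chain ends with a certificate signed by the root CA but does not include the root itself, so it is worth stating that the verifier must obtain the root CA certificate from a trusted out-of-band source and validate the whole chain before trusting the signature.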
@@ -122,6 +122,8 @@ enum MessageType {
 MessageType_UnlockedPathRequest = 94 [(bitcoin_only) = true, (wire_out) = true];
 MessageType_ShowDeviceTutorial = 95 [(bitcoin_only) = true, (wire_in) = true];
 MessageType_UnlockBootloader = 96 [(bitcoin_only) = true, (wire_in) = true];
+ MessageType_AuthenticateDevice = 97 [(bitcoin_only) = true, (wire_out) = true];
+ MessageType_AuthenticityProof = 98 [(bitcoin_only) = true, (wire_in) = true];
 MessageType_SetU2FCounter = 63 [(wire_in) = true];
 MessageType_GetNextU2FCounter = 80 [(wire_in) = true];
diff --git a/core/src/trezor/enums/MessageType.py b/core/src/trezor/enums/MessageType.py
index 205e64875..e010a34b1 100644
--- a/core/src/trezor/enums/MessageType.py
+++ b/core/src/trezor/enums/MessageType.py
@@ -48,6 +48,8 @@ UnlockPath = 93
 UnlockedPathRequest = 94
 ShowDeviceTutorial = 95
 UnlockBootloader = 96
+AuthenticateDevice = 97
+AuthenticityProof = 98
 FirmwareErase = 6
 FirmwareUpload = 7
 FirmwareRequest = 8
diff --git a/core/src/trezor/enums/__init__.py b/core/src/trezor/enums/__init__.py
index b2b3981f7..d2c31237c 100644
--- a/core/src/trezor/enums/__init__.py
+++ b/core/src/trezor/enums/__init__.py
@@ -65,6 +65,8 @@ if TYPE_CHECKING:
 UnlockedPathRequest = 94
 ShowDeviceTutorial = 95
 UnlockBootloader = 96
+ AuthenticateDevice = 97
+ AuthenticityProof = 98
 SetU2FCounter = 63
 GetNextU2FCounter = 80
 NextU2FCounter = 81
diff --git a/core/src/trezor/messages.py b/core/src/trezor/messages.py
index 095c04e94..d8b8631b0 100644
--- a/core/src/trezor/messages.py
+++ b/core/src/trezor/messages.py
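Review bot: The wire-direction options on the two new enum entries look inverted: `MessageType_AuthenticateDevice` is the host-to-device request (marked `@start` in messages-management.proto) yet carries `(wire_out) = true`, and `MessageType_AuthenticityProof` is the device's response yet carries `(wire_in) = true`, whereas the surrounding entries mark requests such as `MessageType_ShowDeviceTutorial` with `wire_in` and device-originated messages such as `MessageType_UnlockedPathRequest` with `wire_out`. If the generators honor these options the way the neighbouring entries suggest, the firmware side may not be generated to accept the request while the host side is set up to parse a message it never receives. The two lines should read `MessageType_AuthenticateDevice = 97 [(bitcoin_only) = true, (wire_in) = true];` and `MessageType_AuthenticityProof = 98 [(bitcoin_only) = true, (wire_out) = true];`. The enum continues outside the hunk.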
@@ -2362,6 +2362,36 @@ if TYPE_CHECKING:
 def is_type_of(cls, msg: Any) -> TypeGuard["FirmwareHash"]:
 return isinstance(msg, cls)
+ class AuthenticateDevice(protobuf.MessageType):
+ challenge: "bytes"
+
+ def __init__(
+ self,
+ *,
+ challenge: "bytes",
+ ) -> None:
+ pass
+
+ @classmethod
+ def is_type_of(cls, msg: Any) -> TypeGuard["AuthenticateDevice"]:
+ return isinstance(msg, cls)
+
+ class AuthenticityProof(protobuf.MessageType):
+ certificates: "list[bytes]"
+ signature: "bytes"
+
+ def __init__(
+ self,
+ *,
+ signature: "bytes",
+ certificates: "list[bytes] | None" = None,
+ ) -> None:
+ pass
+
+ @classmethod
+ def is_type_of(cls, msg: Any) -> TypeGuard["AuthenticityProof"]:
+ return isinstance(msg, cls)
+
 class WipeDevice(protobuf.MessageType):
 @classmethod
diff --git a/legacy/firmware/protob/Makefile b/legacy/firmware/protob/Makefile
index 911296422..ae8d95fc0 100644
--- a/legacy/firmware/protob/Makefile
+++ b/legacy/firmware/protob/Makefile
@@ -8,7 +8,7 @@ SKIPPED_MESSAGES := Binance Cardano DebugMonero Eos Monero Ontology Ripple SdPro
 TxAckInput TxAckOutput TxAckPrev TxAckPaymentRequest \
 EthereumSignTypedData EthereumTypedDataStructRequest EthereumTypedDataStructAck \
 EthereumTypedDataValueRequest EthereumTypedDataValueAck ShowDeviceTutorial \
- UnlockBootloader
+ UnlockBootloader AuthenticateDevice AuthenticityProof
 ifeq ($(BITCOIN_ONLY), 1)
 SKIPPED_MESSAGES += Ethereum NEM Stellar
diff --git a/python/src/trezorlib/messages.py b/python/src/trezorlib/messages.py
index e1b90f79a..ca4991736 100644
--- a/python/src/trezorlib/messages.py
+++ b/python/src/trezorlib/messages.py
@@ -73,6 +73,8 @@ class MessageType(IntEnum):
 UnlockedPathRequest = 94
 ShowDeviceTutorial = 95
 UnlockBootloader = 96
+ AuthenticateDevice = 97
+ AuthenticityProof = 98
 SetU2FCounter = 63
 GetNextU2FCounter = 80
 NextU2FCounter = 81
@@ -3466,6 +3468,37 @@ class FirmwareHash(protobuf.MessageType):
 self.hash = hash
+class AuthenticateDevice(protobuf.MessageType):
+ MESSAGE_WIRE_TYPE = 97
+ FIELDS = {
+ 1: protobuf.Field("challenge", "bytes", repeated=False, required=True),
+ }
+
+ def __init__(
+ self,
+ *,
+ challenge: "bytes",
+ ) -> None:
+ self.challenge = challenge
+
+
+class AuthenticityProof(protobuf.MessageType):
+ MESSAGE_WIRE_TYPE = 98
+ FIELDS = {
+ 1: protobuf.Field("certificates", "bytes", repeated=True, required=False, default=None),
+ 2: protobuf.Field("signature", "bytes", repeated=False, required=True),
+ }
+
+ def __init__(
+ self,
+ *,
+ signature: "bytes",
+ certificates: Optional[Sequence["bytes"]] = None,
+ ) -> None:
+ self.certificates: Sequence["bytes"] = certificates if certificates is not None else []
+ self.signature = signature
+
+
 class WipeDevice(protobuf.MessageType):
 MESSAGE_WIRE_TYPE = 5