feat(common): Add AuthenticateDevice message.

[no changelog]

common/protob/messages-management.proto

@@ -280,6 +280,25 @@ message FirmwareHash {
     required bytes hash = 1;
 }
 
+/**
+ * Request: Request a signature of the provided challenge.
+ * @start
+ * @next AuthenticityProof
+ * @next Failure
+ */
+message AuthenticateDevice {
+    required bytes challenge = 1;  // A random challenge to sign.
+}
+
+/**
+ * Response: Signature of the provided challenge along with a certificate issued by the Trezor company.
+ * @end
+ */
+message AuthenticityProof {
+    repeated bytes certificates = 1;  // A certificate chain starting with the device certificate, followed by intermediate CA certificates, the last of which is signed by Trezor company's root CA.
+    required bytes signature = 2;     // A DER-encoded signature of "\0x13AuthenticateDevice:" + length-prefixed challenge that should be verified using the device certificate.
+}
+
 /**
  * Request: Request device to wipe all sensitive data and settings
  * @start

common/protob/messages.proto

@@ -122,6 +122,8 @@ enum MessageType {
     MessageType_UnlockedPathRequest = 94 [(bitcoin_only) = true, (wire_out) = true];
     MessageType_ShowDeviceTutorial = 95 [(bitcoin_only) = true, (wire_in) = true];
     MessageType_UnlockBootloader = 96 [(bitcoin_only) = true, (wire_in) = true];
+    MessageType_AuthenticateDevice = 97 [(bitcoin_only) = true, (wire_out) = true];
+    MessageType_AuthenticityProof = 98 [(bitcoin_only) = true, (wire_in) = true];
 
     MessageType_SetU2FCounter = 63 [(wire_in) = true];
     MessageType_GetNextU2FCounter = 80 [(wire_in) = true];

core/src/trezor/enums/MessageType.py

@@ -48,6 +48,8 @@ UnlockPath = 93
 UnlockedPathRequest = 94
 ShowDeviceTutorial = 95
 UnlockBootloader = 96
+AuthenticateDevice = 97
+AuthenticityProof = 98
 FirmwareErase = 6
 FirmwareUpload = 7
 FirmwareRequest = 8

core/src/trezor/enums/__init__.py

@@ -65,6 +65,8 @@ if TYPE_CHECKING:
         UnlockedPathRequest = 94
         ShowDeviceTutorial = 95
         UnlockBootloader = 96
+        AuthenticateDevice = 97
+        AuthenticityProof = 98
         SetU2FCounter = 63
         GetNextU2FCounter = 80
         NextU2FCounter = 81

core/src/trezor/messages.py

@@ -2362,6 +2362,36 @@ if TYPE_CHECKING:
         def is_type_of(cls, msg: Any) -> TypeGuard["FirmwareHash"]:
             return isinstance(msg, cls)
 
+    class AuthenticateDevice(protobuf.MessageType):
+        challenge: "bytes"
+
+        def __init__(
+            self,
+            *,
+            challenge: "bytes",
+        ) -> None:
+            pass
+
+        @classmethod
+        def is_type_of(cls, msg: Any) -> TypeGuard["AuthenticateDevice"]:
+            return isinstance(msg, cls)
+
+    class AuthenticityProof(protobuf.MessageType):
+        certificates: "list[bytes]"
+        signature: "bytes"
+
+        def __init__(
+            self,
+            *,
+            signature: "bytes",
+            certificates: "list[bytes] | None" = None,
+        ) -> None:
+            pass
+
+        @classmethod
+        def is_type_of(cls, msg: Any) -> TypeGuard["AuthenticityProof"]:
+            return isinstance(msg, cls)
+
     class WipeDevice(protobuf.MessageType):
 
         @classmethod

legacy/firmware/protob/Makefile

@@ -8,7 +8,7 @@ SKIPPED_MESSAGES := Binance Cardano DebugMonero Eos Monero Ontology Ripple SdPro
 	TxAckInput TxAckOutput TxAckPrev TxAckPaymentRequest \
 	EthereumSignTypedData EthereumTypedDataStructRequest EthereumTypedDataStructAck \
 	EthereumTypedDataValueRequest EthereumTypedDataValueAck ShowDeviceTutorial \
-	UnlockBootloader
+	UnlockBootloader AuthenticateDevice AuthenticityProof
 
 ifeq ($(BITCOIN_ONLY), 1)
 SKIPPED_MESSAGES += Ethereum NEM Stellar

python/src/trezorlib/messages.py

@@ -73,6 +73,8 @@ class MessageType(IntEnum):
     UnlockedPathRequest = 94
     ShowDeviceTutorial = 95
     UnlockBootloader = 96
+    AuthenticateDevice = 97
+    AuthenticityProof = 98
     SetU2FCounter = 63
     GetNextU2FCounter = 80
     NextU2FCounter = 81
@@ -3466,6 +3468,37 @@ class FirmwareHash(protobuf.MessageType):
         self.hash = hash
 
 
+class AuthenticateDevice(protobuf.MessageType):
+    MESSAGE_WIRE_TYPE = 97
+    FIELDS = {
+        1: protobuf.Field("challenge", "bytes", repeated=False, required=True),
+    }
+
+    def __init__(
+        self,
+        *,
+        challenge: "bytes",
+    ) -> None:
+        self.challenge = challenge
+
+
+class AuthenticityProof(protobuf.MessageType):
+    MESSAGE_WIRE_TYPE = 98
+    FIELDS = {
+        1: protobuf.Field("certificates", "bytes", repeated=True, required=False, default=None),
+        2: protobuf.Field("signature", "bytes", repeated=False, required=True),
+    }
+
+    def __init__(
+        self,
+        *,
+        signature: "bytes",
+        certificates: Optional[Sequence["bytes"]] = None,
+    ) -> None:
+        self.certificates: Sequence["bytes"] = certificates if certificates is not None else []
+        self.signature = signature
+
+
 class WipeDevice(protobuf.MessageType):
     MESSAGE_WIRE_TYPE = 5