From 81ff60c3e1a2cd512bdc5956c944692a26933331 Mon Sep 17 00:00:00 2001
From: Pavol Rusnak <stick@gk2.sk>
Date: Mon, 29 Jan 2018 15:02:32 +0100
Subject: [PATCH] tools: drop combine_sign; rework keyctl into 3 tools

---
 SConscript.bootloader    |   4 +-
 SConscript.firmware      |   4 +-
 SConscript.prodtest      |   4 +-
 SConscript.reflash       |   4 +-
 tools/combine_sign       |  27 ---------
 tools/keyctl             | 121 ++++++++-------------------------------
 tools/keyctl-coordinator |  76 ++++++++++++++++++++++++
 tools/keyctl-proxy       |  67 ++++++++++++++++++++++
 8 files changed, 176 insertions(+), 131 deletions(-)
 delete mode 100755 tools/combine_sign
 create mode 100755 tools/keyctl-coordinator
 create mode 100755 tools/keyctl-proxy

diff --git a/SConscript.bootloader b/SConscript.bootloader
index a84f9dee6..bae9718e3 100644
--- a/SConscript.bootloader
+++ b/SConscript.bootloader
@@ -156,7 +156,7 @@ env.Replace(
 
 env.Replace(
     BINCTL='tools/binctl',
-    COMBINE_SIGN='tools/combine_sign',
+    KEYCTL='tools/keyctl',
 )
 
 #
@@ -182,5 +182,5 @@ program_bin = env.Command(
     action=[
         '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
         '$BINCTL $TARGET -h',
-        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN bootloader $TARGET 4141414141414141414141414141414141414141414141414141414141414141 4242424242424242424242424242424242424242424242424242424242424242`',
+        '$BINCTL $TARGET -s 1:2 `$KEYCTL sign bootloader $TARGET 4141414141414141414141414141414141414141414141414141414141414141 4242424242424242424242424242424242424242424242424242424242424242`',
     ], )
diff --git a/SConscript.firmware b/SConscript.firmware
index 039bf9860..da1ddb1ef 100644
--- a/SConscript.firmware
+++ b/SConscript.firmware
@@ -336,7 +336,7 @@ env.Replace(
 
 env.Replace(
     BINCTL='tools/binctl',
-    COMBINE_SIGN='tools/combine_sign',
+    KEYCTL='tools/keyctl',
     PYTHON='python',
     MAKEQSTRDATA='$PYTHON vendor/micropython/py/makeqstrdata.py',
     MAKEVERSIONHDR='$PYTHON vendor/micropython/py/makeversionhdr.py',
@@ -418,5 +418,5 @@ program_bin = env.Command(
     action=[
         '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
         '$BINCTL $TARGET -h',
-        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
+        '$BINCTL $TARGET -s 1:2 `$KEYCTL sign firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
     ], )
diff --git a/SConscript.prodtest b/SConscript.prodtest
index eea4b4e91..a5c719e28 100644
--- a/SConscript.prodtest
+++ b/SConscript.prodtest
@@ -120,7 +120,7 @@ env.Replace(
 
 env.Replace(
     BINCTL='tools/binctl',
-    COMBINE_SIGN='tools/combine_sign',
+    KEYCTL='tools/keyctl',
 )
 
 #
@@ -154,5 +154,5 @@ program_bin = env.Command(
     action=[
         '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
         '$BINCTL $TARGET -h',
-        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
+        '$BINCTL $TARGET -s 1:2 `$KEYCTL sign firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
     ], )
diff --git a/SConscript.reflash b/SConscript.reflash
index baa81d2a3..0a0558c4f 100644
--- a/SConscript.reflash
+++ b/SConscript.reflash
@@ -120,7 +120,7 @@ env.Replace(
 
 env.Replace(
     BINCTL='tools/binctl',
-    COMBINE_SIGN='tools/combine_sign',
+    KEYCTL='tools/keyctl',
 )
 
 #
@@ -154,5 +154,5 @@ program_bin = env.Command(
     action=[
         '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
         '$BINCTL $TARGET -h',
-        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
+        '$BINCTL $TARGET -s 1:2 `$KEYCTL sign firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
     ], )
diff --git a/tools/combine_sign b/tools/combine_sign
deleted file mode 100755
index e71fc717a..000000000
--- a/tools/combine_sign
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/bash
-
-TOOLDIR=$(dirname $0)
-
-TYPE=$1
-FILE=$2
-shift
-shift
-SECKEYS=$*
-
-COMMITS=""
-
-for seckey in $SECKEYS; do
-    commit=$( $TOOLDIR/keyctl commit $TYPE $FILE $seckey )
-    COMMITS="$COMMITS $commit"
-done
-
-global_commit=$( $TOOLDIR/keyctl global_commit $COMMITS )
-
-SIGS=""
-
-for seckey in $SECKEYS; do
-    sig=$( $TOOLDIR/keyctl sign $TYPE $FILE $global_commit $seckey )
-    SIGS="$SIGS $sig"
-done
-
-$TOOLDIR/keyctl global_sign $TYPE $FILE $global_commit $SIGS
diff --git a/tools/keyctl b/tools/keyctl
index c9155f096..b2d0130be 100755
--- a/tools/keyctl
+++ b/tools/keyctl
@@ -1,13 +1,10 @@
 #!/usr/bin/env python3
-
 import binascii
+import struct
 import click
 import pyblake2
-import struct
-
 from trezorlib import ed25519raw, ed25519cosi
 
-
 indexmap = {
     'bootloader': 0,
     'vendorheader': 1,
@@ -15,31 +12,19 @@ indexmap = {
 }
 
 
-def get_trezor():
-    from trezorlib.client import TrezorClient
-    from trezorlib.transport_hid import HidTransport
-    devices = HidTransport.enumerate()
-    if len(devices) > 0:
-        return TrezorClient(devices[0])
-    else:
-        raise Exception('No TREZOR found')
-
-
-def header_to_sign(index, data):
+def header_digest(index, filename):
+    data = open(filename, 'rb').read()
     z = bytes(65 * [0x00])
     if index == 'bootloader':
-        return data[:0x03BF] + z
+        header = data[:0x03BF] + z
     elif index == 'vendorheader':
-        return data[:-65] + z
+        header = data[:-65] + z
     elif index == 'firmware':
         vhdrlen = struct.unpack('<I', data[4:8])[0]
-        return data[vhdrlen:vhdrlen + 0x03BF] + z
+        header = data[vhdrlen:vhdrlen + 0x03BF] + z
     else:
         raise ValueError('Unknown index "%s"' % index)
-
-
-def get_path(index):
-    return "10018'/%d'" % indexmap[index]
+    return pyblake2.blake2s(header).digest()
 
 
 @click.group()
@@ -47,65 +32,27 @@ def cli():
     pass
 
 
-@cli.command(help='')
-@click.argument('index', type=click.Choice(indexmap.keys()))
-def getkey(index):
-    t = get_trezor()
-    path = get_path(index)
-    node = t.get_public_node(t.expand_path(path), ecdsa_curve_name='ed25519').node
-    print('%s' % (binascii.hexlify(node.public_key[1:]).decode()))
-
-
 @cli.command(help='')
 @click.argument('index', type=click.Choice(indexmap.keys()))
 @click.argument('filename')
-@click.argument('seckey', required=False)
-def commit(index, filename, seckey):
-    data = open(filename, 'rb').read()
-    data = header_to_sign(index, data)
-    digest = pyblake2.blake2s(data).digest()
-    ctr = 0
-    if seckey:
+@click.argument('seckeys', nargs=-1)
+def sign(index, filename, seckeys):
+    # compute header digest
+    digest = header_digest(index, filename)
+    # collect commits
+    pks, Rs = [], []
+    for ctr, seckey in enumerate(seckeys):
         sk = binascii.unhexlify(seckey)
         pk = ed25519raw.publickey(sk)
         _, R = ed25519cosi.get_nonce(sk, digest, ctr)
-    else:
-        t = get_trezor()
-        path = get_path(index)
-        print('commiting to hash %s with path %s' % (binascii.hexlify(digest).decode(), path))
-        commit = t.cosi_commit(t.expand_path(path), digest)
-        pk = commit.pubkey
-        R = commit.commitment
-    print('%s+%s' % (binascii.hexlify(pk).decode(), binascii.hexlify(R).decode()))
-
-
-@cli.command(help='')
-@click.argument('commits', nargs=-1)
-def global_commit(commits):
-    if len(commits) < 1:
-        raise Exception('Need to provide at least one commit')
-    pk, R = [], []
-    for c in commits:
-        a, b = c.split('+')
-        pk.append(binascii.unhexlify(a))
-        R.append(binascii.unhexlify(b))
-    global_pk = ed25519cosi.combine_keys(pk)
-    global_R = ed25519cosi.combine_keys(R)
-    print('%s+%s' % (binascii.hexlify(global_pk).decode(), binascii.hexlify(global_R).decode()))
-
-
-@cli.command(help='')
-@click.argument('index', type=click.Choice(indexmap.keys()))
-@click.argument('filename')
-@click.argument('global_commit')
-@click.argument('seckey', required=False)
-def sign(index, filename, global_commit, seckey):
-    data = open(filename, 'rb').read()
-    data = header_to_sign(index, data)
-    digest = pyblake2.blake2s(data).digest()
-    global_pk, global_R = [binascii.unhexlify(x) for x in global_commit.split('+')]
-    ctr = 0
-    if seckey:
+        pks.append(pk)
+        Rs.append(R)
+    # compute global commit
+    global_pk = ed25519cosi.combine_keys(pks)
+    global_R = ed25519cosi.combine_keys(Rs)
+    # collect signatures
+    sigs = []
+    for ctr, seckey in enumerate(seckeys):
         sk = binascii.unhexlify(seckey)
         r, _ = ed25519cosi.get_nonce(sk, digest, ctr)
         h = ed25519raw.H(sk)
@@ -113,27 +60,9 @@ def sign(index, filename, global_commit, seckey):
         a = 2 ** (b - 2) + sum(2 ** i * ed25519raw.bit(h, i) for i in range(3, b - 2))
         S = (r + ed25519raw.Hint(global_R + global_pk + digest) * a) % ed25519raw.l
         sig = ed25519raw.encodeint(S)
-    else:
-        t = get_trezor()
-        path = get_path(index)
-        print('signing hash %s with path %s' % (binascii.hexlify(digest).decode(), path))
-        signature = t.cosi_sign(t.expand_path(path), digest, global_R, global_pk)
-        sig = signature.signature
-    print(binascii.hexlify(sig).decode())
-
-
-@cli.command(help='')
-@click.argument('index', type=click.Choice(indexmap.keys()))
-@click.argument('filename')
-@click.argument('global_commit')
-@click.argument('signatures', nargs=-1)
-def global_sign(index, filename, global_commit, signatures):
-    data = open(filename, 'rb').read()
-    data = header_to_sign(index, data)
-    digest = pyblake2.blake2s(data).digest()
-    global_pk, global_R = [binascii.unhexlify(x) for x in global_commit.split('+')]
-    signatures = [binascii.unhexlify(x) for x in signatures]
-    sig = ed25519cosi.combine_sig(global_R, signatures)
+        sigs.append(sig)
+    # compute global signature
+    sig = ed25519cosi.combine_sig(global_R, sigs)
     ed25519raw.checkvalid(sig, digest, global_pk)
     print(binascii.hexlify(sig).decode())
 
diff --git a/tools/keyctl-coordinator b/tools/keyctl-coordinator
new file mode 100755
index 000000000..d59f03603
--- /dev/null
+++ b/tools/keyctl-coordinator
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+import binascii
+import struct
+import click
+import pyblake2
+import Pyro4
+import serpent
+from trezorlib import ed25519raw, ed25519cosi
+
+PORT = 5001
+indexmap = {
+    'bootloader': 0,
+    'vendorheader': 1,
+    'firmware': 2,
+}
+
+
+def header_digest(index, filename):
+    data = open(filename, 'rb').read()
+    z = bytes(65 * [0x00])
+    if index == 'bootloader':
+        header = data[:0x03BF] + z
+    elif index == 'vendorheader':
+        header = data[:-65] + z
+    elif index == 'firmware':
+        vhdrlen = struct.unpack('<I', data[4:8])[0]
+        header = data[vhdrlen:vhdrlen + 0x03BF] + z
+    else:
+        raise ValueError('Unknown index "%s"' % index)
+    return pyblake2.blake2s(header).digest()
+
+
+@click.group()
+def cli():
+    pass
+
+
+@cli.command(help='')
+@click.argument('index', type=click.Choice(indexmap.keys()))
+@click.argument('filename')
+@click.argument('participants', nargs=-1)
+def sign(index, filename, participants):
+    # compute header digest
+    digest = header_digest(index, filename)
+    # create participant proxies
+    if len(participants) < 1:
+        raise ValueError('Not enough participants')
+    print('connecting to %d participants:' % len(participants))
+    proxy = []
+    for p in participants:
+        uri = 'PYRO:keyctl@%s:%d' % (p, PORT)
+        proxy.append(Pyro4.Proxy(uri))
+    # collect commits
+    pks, Rs = [], []
+    for p in proxy:
+        pk, R = p.get_commit(index, digest)
+        pk, R = serpent.tobytes(pk), serpent.tobytes(R)
+        pks.append(pk)
+        Rs.append(R)
+    # compute global commit
+    global_pk = ed25519cosi.combine_keys(pks)
+    global_R = ed25519cosi.combine_keys(Rs)
+    # collect signatures
+    sigs = []
+    for p in proxy:
+        sig = p.get_signature(index, digest, global_R, global_pk)
+        sig = serpent.tobytes(sig)
+        sigs.append(sig)
+    # compute global signature
+    sig = ed25519cosi.combine_sig(global_R, sigs)
+    ed25519raw.checkvalid(sig, digest, global_pk)
+    print(binascii.hexlify(sig).decode())
+
+
+if __name__ == '__main__':
+    cli()
diff --git a/tools/keyctl-proxy b/tools/keyctl-proxy
new file mode 100755
index 000000000..857360b44
--- /dev/null
+++ b/tools/keyctl-proxy
@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+import binascii
+import sys
+import netifaces
+import Pyro4
+import serpent
+
+PORT = 5001
+indexmap = {
+    'bootloader': 0,
+    'vendorheader': 1,
+    'firmware': 2,
+}
+
+
+def get_trezor():
+    from trezorlib.client import TrezorClient
+    from trezorlib.transport_hid import HidTransport
+    devices = HidTransport.enumerate()
+    if len(devices) > 0:
+        return TrezorClient(devices[0])
+    else:
+        raise Exception('No TREZOR found')
+
+
+def get_path(index):
+    return "10018'/%d'" % indexmap[index]
+
+
+@Pyro4.expose
+class KeyctlProxy(object):
+
+    def __init__(self):
+        super(KeyctlProxy, self).__init__()
+
+    def get_commit(self, index, digest):
+        digest = serpent.tobytes(digest)
+        t = get_trezor()
+        path = get_path(index)
+        print('commiting to hash %s with path %s' % (binascii.hexlify(digest).decode(), path))
+        commit = t.cosi_commit(t.expand_path(path), digest)
+        pk = commit.pubkey
+        R = commit.commitment
+        return (pk, R)
+
+    def get_signature(self, index, digest, global_R, global_pk):
+        digest, global_R, global_pk = serpent.tobytes(digest), serpent.tobytes(global_R), serpent.tobytes(global_pk)
+        t = get_trezor()
+        path = get_path(index)
+        print('signing hash %s with path %s' % (binascii.hexlify(digest).decode(), path))
+        signature = t.cosi_sign(t.expand_path(path), digest, global_R, global_pk)
+        sig = signature.signature
+        return sig
+
+
+if __name__ == '__main__':
+    if len(sys.argv) > 1:
+        iface = sys.argv[1]
+    else:
+        print('Usage: keyctl-proxy interface')
+        sys.exit(1)
+    host = netifaces.ifaddresses(iface)[netifaces.AF_INET][0]['addr']
+    daemon = Pyro4.Daemon(host=host, port=PORT)
+    proxy = KeyctlProxy()
+    uri = daemon.register(proxy, 'keyctl')
+    print('keyctl-proxy running at URI: "%s"' % uri)
+    daemon.requestLoop()