nem: encrypted payload

src/apps/nem/helpers.py

@@ -15,6 +15,10 @@ NEM_TRANSACTION_TYPE_PROVISION_NAMESPACE = const(0x2001)
 NEM_TRANSACTION_TYPE_MOSAIC_CREATION = const(0x4001)
 NEM_TRANSACTION_TYPE_MOSAIC_SUPPLY_CHANGE = const(0x4002)
 
+NEM_SALT_SIZE = const(32)
+AES_BLOCK_SIZE = const(16)
+NEM_HASH_ALG = 'keccak'
+
 
 def nem_validate_network(network):
     if network in (NEM_NETWORK_MAINNET, NEM_NETWORK_TESTNET, NEM_NETWORK_MIJIN):

src/apps/nem/signing.py

@@ -1,17 +1,25 @@
 from apps.nem.transaction import *
 from apps.nem.layout import *
+from apps.nem import helpers
+from apps.common import seed
 from trezor.messages.NEMSignTx import NEMSignTx
 from trezor.messages.NEMSignedTx import NEMSignedTx
+from trezor.crypto.curve import ed25519
+from trezor.crypto import random
 
 
 async def nem_sign_tx(ctx, msg: NEMSignTx):
-    from ..common import seed
-    from trezor.crypto.curve import ed25519
-
-    # if len(msg.transfer.public_key):
-        # todo encrypt
 
     node = await seed.derive_node(ctx, msg.transaction.address_n, NEM_CURVE)
+
+    payload = msg.transfer.payload
+    encrypted = False
+    if msg.transfer.public_key is not None:
+        if payload is None:
+            raise ValueError("Public key provided but no payload to encrypt")
+        payload = _nem_encrypt(node, msg.transfer.public_key, msg.transfer.payload)
+        encrypted = True
+
     # 0x01 prefix is not part of the actual public key, hence removed
     public_key = node.public_key()[1:]
 
@@ -23,21 +31,31 @@ async def nem_sign_tx(ctx, msg: NEMSignTx):
         msg.transaction.deadline,
         msg.transfer.recipient,
         msg.transfer.amount,
-        msg.transfer.payload,  # todo might require encryption
+        payload,
-        msg.transfer.public_key is not None,
+        encrypted,
         len(msg.transfer.mosaics)
     )
 
     for mosaic in msg.transfer.mosaics:
         nem_transaction_write_mosaic(tx, mosaic.namespace, mosaic.mosaic, mosaic.quantity)
 
-    await require_confirm_action(ctx)
+    if payload:  # confirm unencrypted
-    await require_confirm_fee(ctx, msg.transfer.amount, msg.transaction.fee)
+        # todo encrypted vs unencrypted
-    await require_confirm_tx(ctx, msg.transfer.recipient, msg.transfer.amount)
+        await require_confirm_action(ctx)  # todo
 
-    signature = ed25519.sign(node.private_key(), tx, 'keccak')
+    await require_confirm_fee(ctx, msg.transfer.amount, msg.transaction.fee)  # todo
+    await require_confirm_tx(ctx, msg.transfer.recipient, msg.transfer.amount)  # todo
+
+    signature = ed25519.sign(node.private_key(), tx, helpers.NEM_HASH_ALG)
 
     resp = NEMSignedTx()
     resp.data = tx
     resp.signature = signature
     return resp
+
+
+def _nem_encrypt(node, public_key: bytes, payload: bytes) -> bytes:
+    salt = random.bytes(helpers.NEM_SALT_SIZE)
+    iv = random.bytes(helpers.AES_BLOCK_SIZE)
+    encrypted = node.nem_encrypt(public_key, iv, salt, payload)
+    return iv + salt + encrypted

src/apps/nem/transaction.py

@@ -1,6 +1,7 @@
 
 from .helpers import *
 from .writers import *
+from ubinascii import hexlify
 
 
 def nem_transaction_create_transfer(network: int, timestamp: int, signer_public_key: bytes, fee: int, deadline: int,