@ -175,7 +175,9 @@ _U2FHID_IF_VERSION = const(2) # interface version
_U2F_REGISTER_ID = const ( 0x05 ) # version 2 registration identifier
_U2F_ATT_PRIV_KEY = b " q& \xac + \xf6 D \xdc a \x86 \xad \x83 \xef \x1f \xcd \xf1 *W \xb5 \xcf \xa2 \x00 \x0b \x8a \xd0 ' \xe9 V \xe8 T \xc5 \n \x8b "
_U2F_ATT_CERT = b " 0 \x82 \x01 \x18 0 \x81 \xc0 \x02 \t \x00 \xb1 \xd9 \x8f Bdr \xd3 ,0 \n \x06 \x08 * \x86 H \xce = \x04 \x03 \x02 0 \x15 1 \x13 0 \x11 \x06 \x03 U \x04 \x03 \x0c \n Trezor U2F0 \x1e \x17 \r 160429133153Z \x17 \r 260427133153Z0 \x15 1 \x13 0 \x11 \x06 \x03 U \x04 \x03 \x0c \n Trezor U2F0Y0 \x13 \x06 \x07 * \x86 H \xce = \x02 \x01 \x06 \x08 * \x86 H \xce = \x03 \x01 \x07 \x03 B \x00 \x04 \xd9 \x18 \xbd \xfa \x8a T \xac \x92 \xe9 \r \xa9 \x1f \xca z \xa2 dT \xc0 \xd1 s61M \xde \x83 \xa5 K \x86 \xb5 \xdf N \xf0 Re \x9a \x1d o \xfc \xb7 F \x7f \x1a \xcd \xdb \x8a 3 \x08 \x0b ^ \xed \x91 \x89 \x13 \xf4 C \xa5 & \x1b \xc7 { h`o \xc1 0 \n \x06 \x08 * \x86 H \xce = \x04 \x03 \x02 \x03 G \x00 0D \x02 $ \x1e \x81 \xff \xd2 \xe5 \xe6 \x15 6 \x94 \xc3 U. \x8f \xeb \xd7 \x1e \x89 5 \x92 \x1c \xb4 \x83 ACq \x1c v \xea \xee \xf3 \x95 \x02 _ \x80 \xeb \x10 \xf2 \\ \xcc 9 \x8b < \xa8 \xa9 \xad \xa4 \x02 \x7f \x93 \x13 w \xb7 \xab \xce wFZ ' \xf5 =3 \xa1 \x1d "
_BOGUS_APPID = b " AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA "
_BOGUS_APPID_CHROME = b " A " * 32
_BOGUS_APPID_FIREFOX = b " \0 " * 32
_BOGUS_APPIDS = ( _BOGUS_APPID_CHROME , _BOGUS_APPID_FIREFOX )
_AAGUID = b " \xd6 \xd0 \xbd \xc3 b \xee \xc4 \xdb \xde \x8d zenJD \x87 " # First 16 bytes of SHA-256("TREZOR 2")
_BOGUS_PRIV_KEY = b " \xAA " * 32
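Review bot: The new `_BOGUS_APPID_CHROME` on the line after `_BOGUS_APPID` is byte-for-byte the same value (32 × `b"A"`), so if `_BOGUS_APPID` is kept for other callers the two can silently diverge; defining one from the other, `_BOGUS_APPID_CHROME = _BOGUS_APPID`, keeps them in lock-step. The constants also deserve a comment saying why they exist, since nothing here explains them: `# Browsers probe "is this key handle already registered here?" by sending a REGISTER with one of these placeholder app IDs; the device must never mint a credential for them (see U2fConfirmRegister.confirm_dialog).` I am inferring the probe semantics from the usage in the confirm_dialog hunk, so confirm the wording against the protocol spec before landing it.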
@ -218,6 +220,9 @@ _USE_BASIC_ATTESTATION = False
# The CID of the last WINK command. Used to ensure that we do only one WINK at a time on any given CID.
_last_wink_cid = 0
# The CID of the last successful U2F_AUTHENTICATE check-only request.
_last_good_auth_check_cid = 0
class CborError ( Exception ) :
def __init__ ( self , code : int ) :
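Review bot: The comment on `_last_good_auth_check_cid` describes what is stored but not what it is used for or how weak the signal is, and since it is module-level mutable state that is worth spelling out. Suggested wording: `# CID of the last U2F_AUTHENTICATE check-only request that matched one of our credentials. Used ONLY to pick the wording of the bogus-appid registration popup (already / not registered); it is a best-effort UI hint, not an authorization decision, and goes stale once the channel is reused.` The sentinel `0` appears to rely on that CID never being handed out to a real channel — if that is guaranteed by the HID layer, say so in the same comment.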
@ -615,13 +620,20 @@ class U2fConfirmRegister(U2fState):
super ( ) . __init__ ( cid , iface , req_data , cred )
async def confirm_dialog ( self ) - > bool :
if self . _cred . rp_id_hash == _BOGUS_APPID :
if self . _cred . rp_id_hash in _BOGUS_APPIDS :
text = Text ( " U2F " , ui . ICON_WRONG , ui . RED )
text . bold ( " Not registered. " )
text . br_half ( )
text . normal (
" Another U2F device " , " was used to register " , " in this application. "
)
if self . cid == _last_good_auth_check_cid :
text . bold ( " Already registered. " )
text . br_half ( )
text . normal (
" This device is already " , " registered with this " , " application. "
)
else :
text . bold ( " Not registered. " )
text . br_half ( )
text . normal (
" This device is not " , " registered with this " , " application. "
)
return await Popup ( text , _POPUP_TIMEOUT_MS )
else :
content = ConfirmContent ( self )
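Review bot: The new `self.cid == _last_good_auth_check_cid` branch reads the global but never clears it, so after one matching check-only on a channel every later bogus-appid registration on that same CID (for example a different relying party whose check-only probes all failed) is still labelled "Already registered", which is the wrong message for the user. Consuming the hint when it is read avoids the stale state: `global _last_good_auth_check_cid`, `already_registered = self.cid == _last_good_auth_check_cid`, `_last_good_auth_check_cid = 0`, then branch on `already_registered`. The `else:` branch of confirm_dialog continues past the end of the hunk, so the remainder of the method is not visible here.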
@ -1199,6 +1211,8 @@ def msg_authenticate(req: Msg, dialog_mgr: DialogManager) -> Cmd:
if req . p1 == _AUTH_CHECK_ONLY :
if __debug__ :
log . info ( __name__ , " _AUTH_CHECK_ONLY " )
global _last_good_auth_check_cid
_last_good_auth_check_cid = req . cid
return msg_error ( req . cid , _SW_CONDITIONS_NOT_SATISFIED )
# from now on, only _AUTH_ENFORCE is supported
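Review bot: The assignment `_last_good_auth_check_cid = req.cid` happens inside the `_AUTH_CHECK_ONLY` branch with no visible guard, so it is only "good" if the code above the hunk has already rejected key handles this device does not own (typically with a wrong-data status) before control reaches here; if any check-only request gets this far, the popup in confirm_dialog would claim "Already registered" for another device's credential. Please add a comment that pins the dependency on that ordering, e.g. `# Reached only for a key handle we own (validated above): remember the channel so a following bogus-appid REGISTER can be reported as "already registered" rather than "not registered".` The `global` statement would conventionally sit at the top of msg_authenticate rather than inside the nested `if`, which also makes the shared state obvious to anyone reading the function. msg_authenticate both begins and ends outside this hunk, so the preceding validation could not be checked here.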