arno/trezor-firmware
1
0
Fork 0
mirror of https://github.com/trezor/trezor-firmware.git synced 2025-06-09 17:48:47 +00:00
Code Issues Releases Wiki Activity

fixup! feat(core): allow credential issuance during encrypted transport phase

Browse Source
This commit is contained in:
M1nd3r 2025-05-06 10:56:16 +02:00
parent ad43218b6f
commit dda5478541
2 changed files with 41 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
core/src/apps/base.py
View File

@ -32,7 +32,7 @@ if TYPE_CHECKING:
Failure, Failure,
ThpCreateNewSession, ThpCreateNewSession,
ThpCredentialRequest, ThpCredentialRequest,
ThpPairingCredential, ThpCredentialResponse,
) )
if utils.USE_THP: if utils.USE_THP:
@ -283,10 +283,11 @@ if utils.USE_THP:
async def handle_ThpCredentialRequest( async def handle_ThpCredentialRequest(
message: ThpCredentialRequest, message: ThpCredentialRequest,
) -> ThpPairingCredential | Failure: ) -> ThpCredentialResponse | Failure:
from storage.cache_common import CHANNEL_HOST_STATIC_PUBKEY from storage.cache_common import CHANNEL_HOST_STATIC_PUBKEY
from trezor.messages import ThpCredentialMetadata from trezor.messages import ThpCredentialMetadata, ThpCredentialResponse
from trezor.wire.context import get_context from trezor.wire.context import get_context
from trezor.wire.thp import crypto
from trezor.wire.thp.session_context import GenericSessionContext from trezor.wire.thp.session_context import GenericSessionContext
from apps.thp.credential_manager import ( from apps.thp.credential_manager import (
@ -325,13 +326,19 @@ if utils.USE_THP:
await ui.show_autoconnect_credential_confirmation_screen( await ui.show_autoconnect_credential_confirmation_screen(
ctx, cred_metadata.host_name ctx, cred_metadata.host_name
) )
return issue_credential( new_cred = issue_credential(
host_static_pubkey=host_static_pubkey, host_static_pubkey=host_static_pubkey,
credential_metadata=cred_metadata, credential_metadata=cred_metadata,
) )
trezor_static_pubkey = crypto.get_trezor_static_pubkey()
return ThpCredentialResponse(
trezor_static_pubkey=trezor_static_pubkey, credential=new_cred
)
def _get_autoconnect_failure() -> Failure: def _get_autoconnect_failure() -> Failure:
from trezor.enums import FailureType from trezor.enums import FailureType
from trezor.messages import Failure
return Failure( return Failure(
code=FailureType.DataError, code=FailureType.DataError,

30
tests/device_tests/thp/test_pairing.py
View File

@ -426,6 +426,36 @@ def test_credential_phase(client: Client) -> None:
protocol._read_message(ThpEndResponse) protocol._read_message(ThpEndResponse)
def test_credential_request_in_encrypted_transport_phase(client: Client) -> None:
randomness_static = os.urandom(32)
protocol = prepare_protocol_for_pairing(client, randomness_static)
_nfc_pairing(client, protocol)
# Request credential with confirmation after pairing
host_static_privkey = curve25519.get_private_key(randomness_static)
host_static_pubkey = curve25519.get_public_key(host_static_privkey)
protocol._send_message(
ThpCredentialRequest(host_static_pubkey=host_static_pubkey, autoconnect=False)
)
credential_response = protocol._read_message(ThpCredentialResponse)
assert credential_response.credential is not None
credential = credential_response.credential
protocol._send_message(ThpEndRequest())
protocol._read_message(ThpEndResponse)
session = client.get_seedless_session()
session.call(
ThpCredentialRequest(
host_static_pubkey=host_static_pubkey,
autoconnect=True,
credential=credential,
),
expect=ThpCredentialResponse,
)
@pytest.mark.setup_client(passphrase=True) @pytest.mark.setup_client(passphrase=True)
def test_channel_replacement(client: Client) -> None: def test_channel_replacement(client: Client) -> None:
assert client.features.passphrase_protection is True assert client.features.passphrase_protection is True