arno/trezor-firmware
1
0
Fork 0
mirror of https://github.com/trezor/trezor-firmware.git synced 2025-03-12 14:16:06 +00:00
Code Issues Releases Wiki Activity

feat(python): add certificate whitelist for device authentication

Browse Source
This commit is contained in:
matejcik 2024-06-20 15:26:33 +02:00
parent d3bdedf421
commit f6924c1ad4
1 changed files with 22 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
python/src/trezorlib/cli/device.py
View File

@ -20,6 +20,7 @@ import sys
from typing import TYPE_CHECKING, BinaryIO, Optional, Sequence, Tuple from typing import TYPE_CHECKING, BinaryIO, Optional, Sequence, Tuple
import click import click
import requests
from .. import debuglink, device, exceptions, messages, ui from .. import debuglink, device, exceptions, messages, ui
from . import ChoiceType, with_client from . import ChoiceType, with_client
@ -348,6 +349,11 @@ def set_busy(
return device.set_busy(client, expiry * 1000) return device.set_busy(client, expiry * 1000)
PUBKEY_WHITELIST_URL_TEMPLATE = (
"https://data.trezor.io/firmware/{model}/authenticity.json"
)
@cli.command() @cli.command()
@click.argument("hex_challenge", required=False) @click.argument("hex_challenge", required=False)
@click.option("-R", "--root", type=click.File("rb"), help="Custom root certificate.") @click.option("-R", "--root", type=click.File("rb"), help="Custom root certificate.")
@ -373,9 +379,9 @@ def authenticate(
Use the --raw option to get the raw challenge, signature, and certificate data. Use the --raw option to get the raw challenge, signature, and certificate data.
Otherwise, trezorctl will attempt to decode the signatures and check their Otherwise, trezorctl will attempt to decode the signatures and check their
authenticity. By default, it will also check the public keys against a built-in authenticity. By default, it will also check the public keys against a whitelist
whitelist, and in the future also against a whitelist downloaded from Trezor downloaded from Trezor servers. You can skip this check with the --skip-whitelist
servers. You can skip this check with the --skip-whitelist option. option.
\b \b
When not using --raw, 'cryptography' library is required. You can install it via: When not using --raw, 'cryptography' library is required. You can install it via:
@ -430,8 +436,20 @@ def authenticate(
authentication.LOG.addHandler(handler) authentication.LOG.addHandler(handler)
authentication.LOG.setLevel(logging.DEBUG) authentication.LOG.setLevel(logging.DEBUG)
if skip_whitelist:
whitelist = None
else:
whitelist_json = requests.get(
PUBKEY_WHITELIST_URL_TEMPLATE.format(
model=client.model.internal_name.lower()
)
).json()
whitelist = [bytes.fromhex(pk) for pk in whitelist_json["ca_pubkeys"]]
try: try:
authentication.authenticate_device(client, challenge, root_pubkey=root_bytes) authentication.authenticate_device(
client, challenge, root_pubkey=root_bytes, whitelist=whitelist
)
except authentication.DeviceNotAuthentic: except authentication.DeviceNotAuthentic:
click.echo("Device is not authentic.") click.echo("Device is not authentic.")
sys.exit(5) sys.exit(5)