mirror of
https://github.com/trezor/trezor-firmware.git
synced 2024-12-26 00:08:10 +00:00
54f1599a5a
This clarifies the intent: the project is licenced under terms of LGPL version 3 only, but the standard headers cover only "3 or later", so we had to rewrite them. In the same step, we removed author information from individual files in favor of "SatoshiLabs and contributors", and include an AUTHORS file that lists the contributors. Apologies to those whose names are missing; please contact us if you wish to add your info to the AUTHORS file.
141 lines
5.3 KiB
Python
141 lines
5.3 KiB
Python
# This file is part of the Trezor project.
|
|
#
|
|
# Copyright (C) 2012-2018 SatoshiLabs and contributors
|
|
#
|
|
# This library is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Lesser General Public License version 3
|
|
# as published by the Free Software Foundation.
|
|
#
|
|
# This library is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Lesser General Public License for more details.
|
|
#
|
|
# You should have received a copy of the License along with this library.
|
|
# If not, see <https://www.gnu.org/licenses/lgpl-3.0.html>.
|
|
|
|
import binascii
|
|
import hashlib
|
|
import pytest
|
|
|
|
from trezorlib import cosi
|
|
|
|
# These tests calculate Ed25519 signatures in pure Python.
|
|
# In addition to being Python, this is also DJB's proof-of-concept, unoptimized code.
|
|
# As a result, it is actually very noticeably slow. On a gen8 Core i5, this takes around 40 seconds.
|
|
# To skip the test, run `pytest -m "not slow_cosi"`.
|
|
|
|
# Therefore, the tests are skipped by default.
|
|
# Run `pytest -m slow_cosi` to explicitly enable.
|
|
|
|
pytestmark = pytest.mark.slow_cosi
|
|
if "slow_cosi" not in pytest.config.getoption("-m"):
|
|
pytestmark = pytest.mark.skip("Skipping slow CoSi tests. 'pytest -m slow_cosi' to run.")
|
|
|
|
|
|
RFC8032_VECTORS = (
|
|
( # test 1
|
|
# privkey
|
|
binascii.unhexlify("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60"),
|
|
# pubkey
|
|
binascii.unhexlify("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"),
|
|
# message
|
|
binascii.unhexlify(""),
|
|
# signature
|
|
binascii.unhexlify("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
|
|
"5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b"),
|
|
),
|
|
( # test 2
|
|
# privkey
|
|
binascii.unhexlify("4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb"),
|
|
# pubkey
|
|
binascii.unhexlify("3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c"),
|
|
# message
|
|
binascii.unhexlify("72"),
|
|
# signature
|
|
binascii.unhexlify("92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da"
|
|
"085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00"),
|
|
),
|
|
( # test 3
|
|
# privkey
|
|
binascii.unhexlify("c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7"),
|
|
# pubkey
|
|
binascii.unhexlify("fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025"),
|
|
# message
|
|
binascii.unhexlify("af82"),
|
|
# signature
|
|
binascii.unhexlify("6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac"
|
|
"18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a"),
|
|
),
|
|
( # test SHA(abc)
|
|
# privkey
|
|
binascii.unhexlify("833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42"),
|
|
# pubkey
|
|
binascii.unhexlify("ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf"),
|
|
# message
|
|
hashlib.sha512(b"abc").digest(),
|
|
# signature
|
|
binascii.unhexlify("dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589"
|
|
"09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704"),
|
|
),
|
|
)
|
|
|
|
COMBINED_KEY = binascii.unhexlify("283967b1c19ff93d2924cdcba95e586547cafef509ea402963ceefe96ccb44f2")
|
|
GLOBAL_COMMIT = binascii.unhexlify("75bd5806c6366e0374a1c6e020c53feb0791d6cc07560d27d8c158f886ecf389")
|
|
|
|
|
|
@pytest.mark.parametrize("privkey, pubkey, message, signature",
|
|
RFC8032_VECTORS)
|
|
def test_single_eddsa_vector(privkey, pubkey, message, signature):
|
|
my_pubkey = cosi.pubkey_from_privkey(privkey)
|
|
assert my_pubkey == pubkey
|
|
try:
|
|
cosi.verify(signature, message, pubkey)
|
|
except ValueError:
|
|
pytest.fail("Signature does not verify.")
|
|
|
|
fake_signature = b'\xf1' + signature[1:]
|
|
with pytest.raises(ValueError):
|
|
cosi.verify(fake_signature, message, pubkey)
|
|
|
|
|
|
def test_combine_keys():
|
|
pubkeys = [pubkey for _, pubkey, _, _ in RFC8032_VECTORS]
|
|
assert cosi.combine_keys(pubkeys) == COMBINED_KEY
|
|
|
|
Rs = [cosi.get_nonce(privkey, message)[1] for privkey, _, message, _ in RFC8032_VECTORS]
|
|
assert cosi.combine_keys(Rs) == GLOBAL_COMMIT
|
|
|
|
|
|
@pytest.mark.parametrize("keyset", [
|
|
(0,),
|
|
(0, 1),
|
|
(0, 1, 2),
|
|
(0, 1, 2, 3),
|
|
(1, 3),
|
|
])
|
|
def test_cosi_combination(keyset):
|
|
message = hashlib.sha512(b"You all have to sign this.").digest()
|
|
selection = [RFC8032_VECTORS[i] for i in keyset]
|
|
|
|
# zip(*iterable) turns a list of tuples to a tuple of lists
|
|
privkeys, pubkeys, _, _ = zip(*selection)
|
|
nonce_pairs = [cosi.get_nonce(pk, message) for pk in privkeys]
|
|
nonces, commits = zip(*nonce_pairs)
|
|
|
|
# calculate global pubkey and commitment
|
|
global_pk = cosi.combine_keys(pubkeys)
|
|
global_commit = cosi.combine_keys(commits)
|
|
|
|
# generate individual signatures
|
|
signatures = [cosi.sign_with_privkey(message, privkey, global_pk, nonce, global_commit)
|
|
for privkey, nonce in zip(privkeys, nonces)]
|
|
|
|
# combine signatures
|
|
global_sig = cosi.combine_sig(global_commit, signatures)
|
|
|
|
try:
|
|
cosi.verify(global_sig, message, global_pk)
|
|
except ValueError:
|
|
pytest.fail("Failed to validate global signature")
|