Merge branch 'rust-tests'

Author: benma

src/rust/bitbox02-sys/build.rs

@@ -97,6 +97,7 @@ const ALLOWLIST_FNS: &[&str] = &[
     "memory_check_noise_remote_static_pubkey",
     "memory_get_attestation_bootloader_hash",
     "memory_get_attestation_pubkey_and_certificate",
+    "memory_get_encrypted_seed_and_hmac",
     "memory_get_device_name",
     "memory_get_noise_static_private_key",
     "memory_get_seed_birthdate",
@@ -125,6 +126,7 @@ const ALLOWLIST_FNS: &[&str] = &[
     "progress_create",
     "progress_set",
     "random_32_bytes_mcu",
+    "random_32_bytes",
     "random_mock_reset",
     "reboot_to_bootloader",
     "reset_reset",

src/rust/bitbox02/src/keystore.rs

@@ -401,6 +401,68 @@ mod tests {
             .is_ok());
     }
 
+    #[test]
+    fn test_secp256k1_schnorr_sign() {
+        mock_unlocked_using_mnemonic("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", "");
+        let keypath = [86 + HARDENED, 0 + HARDENED, 0 + HARDENED, 0, 0];
+        let msg = [0x88u8; 32];
+
+        let expected_pubkey = {
+            let pubkey =
+                hex::decode("cc8a4bc64d897bddc5fbc2f670f7a8ba0b386779106cf1223c6fc5d7cd6fc115")
+                    .unwrap();
+            secp256k1::XOnlyPublicKey::from_slice(&pubkey).unwrap()
+        };
+
+        // Test without tweak
+        crate::random::mock_reset();
+        let sig = secp256k1_schnorr_sign(&keypath, &msg, None).unwrap();
+        let secp = secp256k1::Secp256k1::new();
+        assert!(secp
+            .verify_schnorr(
+                &secp256k1::schnorr::Signature::from_slice(&sig).unwrap(),
+                &secp256k1::Message::from_digest_slice(&msg).unwrap(),
+                &expected_pubkey
+            )
+            .is_ok());
+
+        // Test with tweak
+        crate::random::mock_reset();
+        let tweak = {
+            let tweak =
+                hex::decode("a39fb163dbd9b5e0840af3cc1ee41d5b31245c5dd8d6bdc3d026d09b8964997c")
+                    .unwrap();
+            secp256k1::Scalar::from_be_bytes(tweak.try_into().unwrap()).unwrap()
+        };
+        let (tweaked_pubkey, _) = expected_pubkey.add_tweak(&secp, &tweak).unwrap();
+        let sig = secp256k1_schnorr_sign(&keypath, &msg, Some(&tweak.to_be_bytes())).unwrap();
+        assert!(secp
+            .verify_schnorr(
+                &secp256k1::schnorr::Signature::from_slice(&sig).unwrap(),
+                &secp256k1::Message::from_digest_slice(&msg).unwrap(),
+                &tweaked_pubkey
+            )
+            .is_ok());
+    }
+
+    #[test]
+    fn test_secp256k1_nonce_commit() {
+        lock();
+        let keypath = [44 + HARDENED, 0 + HARDENED, 0 + HARDENED, 0, 5];
+        let msg = [0x88u8; 32];
+        let host_commitment = [0xabu8; 32];
+
+        // Fails because keystore is locked.
+        assert!(secp256k1_nonce_commit(&keypath, &msg, &host_commitment).is_err());
+
+        mock_unlocked();
+        let client_commitment = secp256k1_nonce_commit(&keypath, &msg, &host_commitment).unwrap();
+        assert_eq!(
+            hex::encode(client_commitment),
+            "0381e4136251c87f2947b735159c6dd644a7b58d35b437e20c878e5129f1320e5e",
+        );
+    }
+
     #[test]
     fn test_bip39_mnemonic_to_seed() {
         assert!(bip39_mnemonic_to_seed("invalid").is_err());
@@ -550,6 +612,22 @@ mod tests {
         assert!(bip39_mnemonic_from_seed(b"foo").is_err());
     }
 
+    #[test]
+    fn test_lock() {
+        lock();
+        assert!(is_locked());
+
+        let seed = hex::decode("cb33c20cea62a5c277527e2002da82e6e2b37450a755143a540a54cea8da9044")
+            .unwrap();
+        assert!(encrypt_and_store_seed(&seed, "password").is_ok());
+        assert!(unlock("password").is_ok());
+        assert!(is_locked()); // still locked, it is only unlocked after unlock_bip39.
+        assert!(unlock_bip39("foo").is_ok());
+        assert!(!is_locked());
+        lock();
+        assert!(is_locked());
+    }
+
     #[test]
     fn test_unlock() {
         mock_memory();
@@ -624,7 +702,6 @@ mod tests {
 
         assert!(encrypt_and_store_seed(&seed, "password").is_ok());
         assert!(unlock("password").is_ok());
-        assert!(is_locked()); // still locked, it is only unlocked after unlock_bip39.
         assert!(unlock_bip39("foo").is_ok());
 
         // Check that the retained bip39 seed was encrypted with the expected encryption key.
@@ -647,6 +724,68 @@ mod tests {
         assert_eq!(decrypted.as_slice(), expected_bip39_seed.as_slice());
     }
 
+    #[test]
+    fn test_create_and_store_seed() {
+        let mock_salt_root =
+            hex::decode("3333333333333333444444444444444411111111111111112222222222222222")
+                .unwrap();
+
+        let host_entropy =
+            hex::decode("25569b9a11f9db6560459e8e48b4727a4c935300143d978989ed55db1d1b9cbe25569b9a11f9db6560459e8e48b4727a4c935300143d978989ed55db1d1b9cbe")
+                .unwrap();
+
+        // Invalid seed lengths
+        for size in [8, 24, 40] {
+            assert!(matches!(
+                create_and_store_seed("password", &host_entropy[..size]),
+                Err(Error::SeedSize)
+            ));
+        }
+
+        // Hack to get the random bytes that will be used.
+        let seed_random = {
+            crate::random::mock_reset();
+            crate::random::random_32_bytes()
+        };
+
+        // Derived from mock_salt_root and "password".
+        let password_salted_hashed =
+            hex::decode("e8c70a20d9108fbb9454b1b8e2d7373e78cbaf9de025ab2d4f4d3c7a6711694c")
+                .unwrap();
+
+        // expected_seed = seed_random ^ host_entropy ^ password_salted_hashed
+        let expected_seed: Vec<u8> = seed_random
+            .into_iter()
+            .zip(host_entropy.iter())
+            .zip(password_salted_hashed)
+            .map(|((a, &b), c)| a ^ b ^ c)
+            .collect();
+
+        for size in [16, 32] {
+            mock_memory();
+            crate::random::mock_reset();
+            crate::memory::set_salt_root(mock_salt_root.as_slice().try_into().unwrap()).unwrap();
+            lock();
+
+            assert!(create_and_store_seed("password", &host_entropy[..size]).is_ok());
+            assert!(unlock("password").is_ok());
+            assert_eq!(copy_seed().unwrap().as_slice(), &expected_seed[..size]);
+            // Check the seed has been stored encrypted with the expected encryption key.
+            // Decrypt and check seed.
+            let cipher = crate::memory::get_encrypted_seed_and_hmac().unwrap();
+
+            // Same as Python:
+            // import hmac, hashlib; hmac.digest(b"unit-test", b"password", hashlib.sha256).hex()
+            // See also: mock_securechip.c
+            let expected_encryption_key =
+                hex::decode("e56de448f5f1d29cdcc0e0099007309afe4d5a3ef2349e99dcc41840ad98409e")
+                    .unwrap();
+            let decrypted =
+                bitbox_aes::decrypt_with_hmac(&expected_encryption_key, &cipher).unwrap();
+            assert_eq!(decrypted.as_slice(), &expected_seed[..size]);
+        }
+    }
+
     // This tests that you can create a keystore, unlock it, and then do this again. This is an
     // expected workflow for when the wallet setup process is restarted after seeding and unlocking,
     // but before creating a backup, in which case a new seed is created.

src/rust/bitbox02/src/memory.rs

@@ -92,6 +92,19 @@ pub fn get_attestation_pubkey_and_certificate(
     }
 }
 
+#[cfg(feature = "testing")]
+pub fn get_encrypted_seed_and_hmac() -> Result<alloc::vec::Vec<u8>, ()> {
+    let mut out = vec![0u8; 96];
+    let mut len = 0u8;
+    match unsafe { bitbox02_sys::memory_get_encrypted_seed_and_hmac(out.as_mut_ptr(), &mut len) } {
+        true => {
+            out.truncate(len as _);
+            Ok(out)
+        }
+        false => Err(()),
+    }
+}
+
 pub fn get_noise_static_private_key() -> Result<zeroize::Zeroizing<[u8; 32]>, ()> {
     let mut out = zeroize::Zeroizing::new([0u8; 32]);
     match unsafe { bitbox02_sys::memory_get_noise_static_private_key(out.as_mut_ptr()) } {

src/rust/bitbox02/src/random.rs

@@ -29,6 +29,13 @@ pub fn mcu_32_bytes(out: &mut [u8; 32]) {
     }
 }
 
+#[cfg(feature = "testing")]
+pub fn random_32_bytes() -> alloc::boxed::Box<zeroize::Zeroizing<[u8; 32]>> {
+    let mut out = alloc::boxed::Box::new(zeroize::Zeroizing::new([0u8; 32]));
+    unsafe { bitbox02_sys::random_32_bytes(out.as_mut_ptr()) }
+    out
+}
+
 #[cfg(feature = "testing")]
 pub fn mock_reset() {
     unsafe {

test/unit-test/CMakeLists.txt

@@ -228,8 +228,6 @@ target_link_libraries(u2f-util PUBLIC ${HIDAPI_LDFLAGS})
 set(TEST_LIST
    cleanup
    "-Wl,--wrap=util_cleanup_32"
-   keystore
-   "-Wl,--wrap=secp256k1_anti_exfil_sign,--wrap=memory_is_initialized,--wrap=memory_is_seeded,--wrap=memory_get_failed_unlock_attempts,--wrap=memory_reset_failed_unlock_attempts,--wrap=memory_increment_failed_unlock_attempts,--wrap=memory_set_encrypted_seed_and_hmac,--wrap=memory_get_encrypted_seed_and_hmac,--wrap=memory_get_salt_root,--wrap=reset_reset,--wrap=random_32_bytes"
    keystore_antiklepto
    ""
    gestures