Merge remote-tracking branch 'benma/rust-tests'

Author: benma

src/keystore.c

@@ -322,7 +322,17 @@ static void _free_string(char** str)
 
 USE_RESULT static keystore_error_t _retain_seed(const uint8_t* seed, size_t seed_len)
 {
+#ifdef TESTING
+    const uint8_t test_unstretched_retained_seed_encryption_key[32] =
+        "\xfe\x09\x76\x01\x14\x52\xa7\x22\x12\xe4\xb8\xbd\x57\x2b\x5b\xe3\x01\x41\xa3\x56\xf1\x13"
+        "\x37\xd2\x9d\x35\xea\x8f\xf9\x97\xbe\xfc";
+    memcpy(
+        _unstretched_retained_seed_encryption_key,
+        test_unstretched_retained_seed_encryption_key,
+        32);
+#else
     random_32_bytes(_unstretched_retained_seed_encryption_key);
+#endif
     uint8_t retained_seed_encryption_key[32] = {0};
     UTIL_CLEANUP_32(retained_seed_encryption_key);
     keystore_error_t result = _stretch_retained_seed_encryption_key(
@@ -344,7 +354,17 @@ USE_RESULT static keystore_error_t _retain_seed(const uint8_t* seed, size_t seed
 
 USE_RESULT static bool _retain_bip39_seed(const uint8_t* bip39_seed)
 {
+#ifdef TESTING
+    const uint8_t test_unstretched_retained_bip39_seed_encryption_key[32] =
+        "\x9b\x44\xc7\x04\x88\x93\xfa\xaf\x6e\x2d\x76\x25\xd1\x3d\x8f\x1c\xab\x07\x65\xfd\x61\xf1"
+        "\x59\xd9\x71\x3e\x08\x15\x5d\x06\x71\x7c";
+    memcpy(
+        _unstretched_retained_bip39_seed_encryption_key,
+        test_unstretched_retained_bip39_seed_encryption_key,
+        32);
+#else
     random_32_bytes(_unstretched_retained_bip39_seed_encryption_key);
+#endif
     uint8_t retained_bip39_seed_encryption_key[32] = {0};
     UTIL_CLEANUP_32(retained_bip39_seed_encryption_key);
     if (_stretch_retained_seed_encryption_key(

src/memory/memory.c

@@ -759,6 +759,17 @@ bool memory_get_salt_root(uint8_t* salt_root_out)
     return !MEMEQ(salt_root_out, empty, sizeof(empty));
 }
 
+#ifdef TESTING
+bool memory_set_salt_root(const uint8_t* salt_root)
+{
+    chunk_1_t chunk = {0};
+    CLEANUP_CHUNK(chunk);
+    _read_chunk(CHUNK_1, chunk_bytes);
+    memcpy(chunk.fields.salt_root, salt_root, 32);
+    return _write_chunk(CHUNK_1, chunk.bytes);
+}
+#endif
+
 bool memory_get_noise_static_private_key(uint8_t* private_key_out)
 {
     chunk_1_t chunk = {0};

src/memory/memory.h

@@ -219,6 +219,10 @@ USE_RESULT bool memory_bootloader_set_flags(auto_enter_t auto_enter, upside_down
  */
 USE_RESULT bool memory_get_salt_root(uint8_t* salt_root_out);
 
+#ifdef TESTING
+USE_RESULT bool memory_set_salt_root(const uint8_t* salt_root);
+#endif
+
 /**
  * @param[out] private_key_out must be 32 bytes.
  * @return false if the key has not been initialized (memory_setup() has not

src/rust/Cargo.lock

@@ -30,7 +30,9 @@ resolver = "2"
 
 [workspace.dependencies]
 bech32 = { version = "0.11.0", default-features = false }
-bitcoin = { version = "0.32.2", default-features = false }
+# The secp-recovery feature is currently only needed in tests to make use of `RecoverableSignature`.
+# Attempting to enable it conditionally only for tests somehow leads to linking errors (duplicate secp256k1 symbols).
+bitcoin = { version = "0.32.2", default-features = false, features = ["secp-recovery"] }
 hex = { version = "0.4", default-features = false, features = ["alloc"] }
 num-bigint = { version = "0.4.6", default-features = false }
 # force-soft-compact reduces the binary size by ~3kB. In future versions of sha2 this will change to

src/rust/Cargo.toml

@@ -63,6 +63,9 @@ version = "0.13.1"
 default-features = false
 features = ["derive"]
 
+[dev-dependencies]
+bitbox-aes = { path = "../bitbox-aes", features = ["use-wally-sha512"] }
+
 [features]
 ed25519 = [
   "dep:bip32-ed25519",

src/rust/bitbox02-rust/Cargo.toml

@@ -42,6 +42,7 @@ const ALLOWLIST_VARS: &[&str] = &[
     "MEMORY_PLATFORM_BITBOX02_PLUS",
     "MEMORY_SECURECHIP_TYPE_ATECC",
     "MEMORY_SECURECHIP_TYPE_OPTIGA",
+    "MAX_UNLOCK_ATTEMPTS",
 ];
 
 const ALLOWLIST_TYPES: &[&str] = &[
@@ -84,10 +85,13 @@ const ALLOWLIST_FNS: &[&str] = &[
     "keystore_unlock",
     "keystore_unlock_bip39",
     "keystore_bip39_mnemonic_from_seed",
+    "keystore_test_get_retained_seed_encrypted",
+    "keystore_test_get_retained_bip39_seed_encrypted",
     "label_create",
     "localtime",
     "lock_animation_start",
     "lock_animation_stop",
+    "memory_set_salt_root",
     "memory_add_noise_remote_static_pubkey",
     "memory_bootloader_hash",
     "memory_check_noise_remote_static_pubkey",
@@ -142,6 +146,8 @@ const ALLOWLIST_FNS: &[&str] = &[
     "securechip_model",
     "securechip_monotonic_increments_remaining",
     "securechip_u2f_counter_set",
+    "smarteeprom_is_enabled",
+    "smarteeprom_disable",
     "smarteeprom_bb02_config",
     "status_create",
     "trinary_choice_create",

src/rust/bitbox02-sys/build.rs

@@ -30,6 +30,7 @@ hex = { workspace = true }
 
 [dev-dependencies]
 hex = { workspace = true }
+bitbox-aes = { path = "../bitbox-aes" }
 
 [features]
 # Only to be enabled in unit tests.

src/rust/bitbox02/Cargo.toml

@@ -356,10 +356,51 @@ pub fn secp256k1_schnorr_sign(
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::testing::{mock_memory, mock_unlocked_using_mnemonic};
+    use bitcoin::secp256k1;
+
+    use crate::testing::{mock_memory, mock_unlocked, mock_unlocked_using_mnemonic};
     use alloc::string::ToString;
     use util::bip32::HARDENED;
 
+    #[test]
+    fn test_secp256k1_sign() {
+        lock();
+        let keypath = [44 + HARDENED, 0 + HARDENED, 0 + HARDENED, 0, 5];
+        let msg = [0x88u8; 32];
+        let host_nonce = [0x56u8; 32];
+
+        // Fails because keystore is locked.
+        assert!(secp256k1_sign(&keypath, &msg, &host_nonce).is_err());
+
+        mock_unlocked();
+        let sign_result = secp256k1_sign(&keypath, &msg, &host_nonce).unwrap();
+        // Verify signature against expected pubkey.
+
+        let secp = secp256k1::Secp256k1::new();
+        let expected_pubkey = {
+            let pubkey =
+                hex::decode("023ffb4a4e41444d40e4e1e4c6cc329bcba2be50d0ef380aea19d490c373be58fb")
+                    .unwrap();
+            secp256k1::PublicKey::from_slice(&pubkey).unwrap()
+        };
+        let msg = secp256k1::Message::from_digest_slice(&msg).unwrap();
+        // Test recid by recovering the public key from the signature and checking against the
+        // expected public key.
+        let recoverable_sig = secp256k1::ecdsa::RecoverableSignature::from_compact(
+            &sign_result.signature,
+            secp256k1::ecdsa::RecoveryId::from_i32(sign_result.recid as i32).unwrap(),
+        )
+        .unwrap();
+
+        let recovered_pubkey = secp.recover_ecdsa(&msg, &recoverable_sig).unwrap();
+        assert_eq!(recovered_pubkey, expected_pubkey);
+
+        // Verify signature.
+        assert!(secp
+            .verify_ecdsa(&msg, &recoverable_sig.to_standard(), &expected_pubkey)
+            .is_ok());
+    }
+
     #[test]
     fn test_bip39_mnemonic_to_seed() {
         assert!(bip39_mnemonic_to_seed("invalid").is_err());
@@ -509,6 +550,123 @@ mod tests {
         assert!(bip39_mnemonic_from_seed(b"foo").is_err());
     }
 
+    #[test]
+    fn test_unlock() {
+        mock_memory();
+        lock();
+
+        assert!(matches!(unlock("password"), Err(Error::Unseeded)));
+
+        let seed = hex::decode("cb33c20cea62a5c277527e2002da82e6e2b37450a755143a540a54cea8da9044")
+            .unwrap();
+
+        let mock_salt_root =
+            hex::decode("3333333333333333444444444444444411111111111111112222222222222222")
+                .unwrap();
+        crate::memory::set_salt_root(mock_salt_root.as_slice().try_into().unwrap()).unwrap();
+
+        assert!(encrypt_and_store_seed(&seed, "password").is_ok());
+        // Loop to check that unlocking works while unlocked.
+        for _ in 0..3 {
+            assert!(unlock("password").is_ok());
+        }
+
+        // Also check that the retained seed was encrypted with the expected encryption key.
+        let decrypted = {
+            let retained_seed_encrypted: &[u8] = unsafe {
+                let mut len = 0usize;
+                let ptr = bitbox02_sys::keystore_test_get_retained_seed_encrypted(&mut len);
+                core::slice::from_raw_parts(ptr, len)
+            };
+            let expected_retained_seed_secret =
+                hex::decode("b156be416530c6fc00018844161774a3546a53ac6dd4a0462608838e216008f7")
+                    .unwrap();
+            bitbox_aes::decrypt_with_hmac(&expected_retained_seed_secret, retained_seed_encrypted)
+                .unwrap()
+        };
+        assert_eq!(decrypted.as_slice(), seed.as_slice());
+
+        // First 9 wrong attempts.
+        for i in 1..bitbox02_sys::MAX_UNLOCK_ATTEMPTS {
+            assert!(matches!(
+                unlock("invalid password"),
+                Err(Error::IncorrectPassword { remaining_attempts }) if remaining_attempts
+                    == (bitbox02_sys::MAX_UNLOCK_ATTEMPTS  - i) as u8
+            ));
+            // Still seeded.
+            assert!(crate::memory::is_seeded());
+            // Wrong password does not lock the keystore again if already unlocked.
+            assert!(copy_seed().is_ok());
+        }
+        // Last attempt, triggers reset.
+        assert!(matches!(
+            unlock("invalid password"),
+            Err(Error::MaxAttemptsExceeded),
+        ));
+        // Last wrong attempt locks & resets. There is no more seed.
+        assert!(!crate::memory::is_seeded());
+        assert!(copy_seed().is_err());
+        assert!(matches!(unlock("password"), Err(Error::Unseeded)));
+    }
+
+    #[test]
+    fn test_unlock_bip39() {
+        mock_memory();
+        lock();
+
+        let seed = hex::decode("1111111111111111222222222222222233333333333333334444444444444444")
+            .unwrap();
+
+        let mock_salt_root =
+            hex::decode("3333333333333333444444444444444411111111111111112222222222222222")
+                .unwrap();
+        crate::memory::set_salt_root(mock_salt_root.as_slice().try_into().unwrap()).unwrap();
+
+        assert!(encrypt_and_store_seed(&seed, "password").is_ok());
+        assert!(unlock("password").is_ok());
+        assert!(is_locked()); // still locked, it is only unlocked after unlock_bip39.
+        assert!(unlock_bip39("foo").is_ok());
+
+        // Check that the retained bip39 seed was encrypted with the expected encryption key.
+        let decrypted = {
+            let retained_bip39_seed_encrypted: &[u8] = unsafe {
+                let mut len = 0usize;
+                let ptr = bitbox02_sys::keystore_test_get_retained_bip39_seed_encrypted(&mut len);
+                core::slice::from_raw_parts(ptr, len)
+            };
+            let expected_retained_bip39_seed_secret =
+                hex::decode("856d9a8c1ea42a69ae76324244ace674397ff1360a4ba4c85ffbd42cee8a7f29")
+                    .unwrap();
+            bitbox_aes::decrypt_with_hmac(
+                &expected_retained_bip39_seed_secret,
+                retained_bip39_seed_encrypted,
+            )
+            .unwrap()
+        };
+        let expected_bip39_seed = hex::decode("2b3c63de86f0f2b13cc6a36c1ba2314fbc1b40c77ab9cb64e96ba4d5c62fc204748ca6626a9f035e7d431bce8c9210ec0bdffc2e7db873dee56c8ac2153eee9a").unwrap();
+        assert_eq!(decrypted.as_slice(), expected_bip39_seed.as_slice());
+    }
+
+    // This tests that you can create a keystore, unlock it, and then do this again. This is an
+    // expected workflow for when the wallet setup process is restarted after seeding and unlocking,
+    // but before creating a backup, in which case a new seed is created.
+    #[test]
+    fn test_create_and_unlock_twice() {
+        mock_memory();
+        lock();
+
+        let seed = hex::decode("cb33c20cea62a5c277527e2002da82e6e2b37450a755143a540a54cea8da9044")
+            .unwrap();
+        let seed2 = hex::decode("c28135734876aff9ccf4f1d60df8d19a0a38fd02085883f65fc608eb769a635d")
+            .unwrap();
+        assert!(encrypt_and_store_seed(&seed, "password").is_ok());
+        assert!(unlock("password").is_ok());
+        // Create new (different) seed.
+        assert!(encrypt_and_store_seed(&seed2, "password").is_ok());
+        assert!(unlock("password").is_ok());
+        assert_eq!(copy_seed().unwrap().as_slice(), &seed2);
+    }
+
     // Functional test to store seeds, unlock, retrieve seed.
     #[test]
     fn test_seeds() {

src/rust/bitbox02/src/keystore.rs

@@ -217,6 +217,14 @@ pub fn ble_enable(enable: bool) -> Result<(), ()> {
     }
 }
 
+#[cfg(feature = "testing")]
+pub fn set_salt_root(salt_root: &[u8; 32]) -> Result<(), ()> {
+    match unsafe { bitbox02_sys::memory_set_salt_root(salt_root.as_ptr()) } {
+        true => Ok(()),
+        false => Err(()),
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;