workflow: default to digits in password entry when using Optiga

The Optiga securechip implementation limits password unlock attempts
to 10 at the secure chip config level, whereas in the ATECC, the
securechip-imposed limit is ~700k. For this reason, when using the
Optiga, users can safely use passwords consisting only of digits, so
we default to the digits keyboard in that case. Letters are still
available through the keyboard switcher.

Author: benma

src/rust/bitbox02-rust/src/hww/api/error.rs

@@ -48,17 +48,23 @@ impl core::convert::From<crate::workflow::cancel::Error> for Error {
     }
 }
 
+impl core::convert::From<crate::workflow::password::EnterError> for Error {
+    fn from(error: crate::workflow::password::EnterError) -> Self {
+        match error {
+            crate::workflow::password::EnterError::Memory => Error::Memory,
+            crate::workflow::password::EnterError::Cancelled => Error::UserAbort,
+        }
+    }
+}
+
 impl core::convert::From<crate::workflow::password::EnterTwiceError> for Error {
     fn from(error: crate::workflow::password::EnterTwiceError) -> Self {
         match error {
             crate::workflow::password::EnterTwiceError::DoNotMatch => {
                 // For backwards compatibility.
                 Error::Generic
             }
-            crate::workflow::password::EnterTwiceError::Cancelled => {
-                // Added in v9.13.0.
-                Error::UserAbort
-            }
+            crate::workflow::password::EnterTwiceError::EnterError(err) => err.into(),
         }
     }
 }
@@ -108,6 +114,7 @@ impl core::convert::From<UnlockError> for Error {
     fn from(error: UnlockError) -> Self {
         match error {
             UnlockError::UserAbort => Error::UserAbort,
+            UnlockError::Memory => Error::Memory,
             UnlockError::IncorrectPassword | UnlockError::Generic => Error::Generic,
         }
     }

src/rust/bitbox02-rust/src/hww/api/restore.rs

@@ -140,7 +140,7 @@ pub async fn from_mnemonic(
                     })
                     .await?;
             }
-            Err(password::EnterTwiceError::Cancelled) => return Err(Error::UserAbort),
+            Err(err @ password::EnterTwiceError::EnterError(_)) => return Err(err.into()),
             Ok(password) => break password,
         }
     };

src/rust/bitbox02-rust/src/workflow/password.rs

@@ -34,6 +34,12 @@ pub enum PasswordType {
     Bip39Passphrase,
 }
 
+#[derive(Debug)]
+pub enum EnterError {
+    Memory,
+    Cancelled,
+}
+
 /// If `can_cancel` is `Yes`, the workflow can be cancelled.
 /// If it is no, the result is always `Ok(())`.
 ///
@@ -47,7 +53,7 @@ pub async fn enter(
     title: &str,
     password_type: PasswordType,
     can_cancel: CanCancel,
-) -> Result<zeroize::Zeroizing<String>, Error> {
+) -> Result<zeroize::Zeroizing<String>, EnterError> {
     let params = trinary_input_string::Params {
         title,
         hide: true,
@@ -56,14 +62,23 @@ pub async fn enter(
             PasswordType::Bip39Passphrase => true,
         },
         longtouch: true,
+        default_to_digits: match password_type {
+            PasswordType::DevicePassword => {
+                match bitbox02::memory::get_securechip_type().map_err(|_| EnterError::Memory)? {
+                    bitbox02::memory::SecurechipType::Atecc => false,
+                    bitbox02::memory::SecurechipType::Optiga => true,
+                }
+            }
+            PasswordType::Bip39Passphrase => false,
+        },
         ..Default::default()
     };
 
     loop {
         match hal.ui().enter_string(&params, can_cancel, "").await {
-            o @ Ok(_) => return o,
+            Ok(pw) => return Ok(pw),
             Err(Error::Cancelled) => match prompt_cancel(hal).await {
-                Ok(()) => return Err(Error::Cancelled),
+                Ok(()) => return Err(EnterError::Cancelled),
                 Err(confirm::UserAbort) => {}
             },
         }
@@ -72,14 +87,12 @@ pub async fn enter(
 
 pub enum EnterTwiceError {
     DoNotMatch,
-    Cancelled,
+    EnterError(EnterError),
 }
 
-impl core::convert::From<Error> for EnterTwiceError {
-    fn from(error: Error) -> Self {
-        match error {
-            Error::Cancelled => EnterTwiceError::Cancelled,
-        }
+impl core::convert::From<EnterError> for EnterTwiceError {
+    fn from(error: EnterError) -> Self {
+        EnterTwiceError::EnterError(error)
     }
 }
 
@@ -126,7 +139,7 @@ pub async fn enter_twice(
             {
                 Ok(()) => break,
                 Err(confirm::UserAbort) => match prompt_cancel(hal).await {
-                    Ok(()) => return Err(EnterTwiceError::Cancelled),
+                    Ok(()) => return Err(EnterTwiceError::EnterError(EnterError::Cancelled)),
                     Err(confirm::UserAbort) => {}
                 },
             }

src/rust/bitbox02-rust/src/workflow/unlock.rs

@@ -55,12 +55,16 @@ async fn confirm_mnemonic_passphrase(
 pub enum UnlockError {
     UserAbort,
     IncorrectPassword,
+    Memory,
     Generic,
 }
 
-impl core::convert::From<super::cancel::Error> for UnlockError {
-    fn from(_error: super::cancel::Error) -> Self {
-        UnlockError::UserAbort
+impl core::convert::From<password::EnterError> for UnlockError {
+    fn from(error: password::EnterError) -> Self {
+        match error {
+            password::EnterError::Cancelled => UnlockError::UserAbort,
+            password::EnterError::Memory => UnlockError::Memory,
+        }
     }
 }
 
@@ -119,7 +123,7 @@ pub async fn unlock_bip39(hal: &mut impl crate::hal::Hal) {
                 password::CanCancel::No,
             )
             .await
-            .expect("not cancelable");
+            .expect("not cancelable and does not call memory functions");
 
             if let Ok(()) = confirm_mnemonic_passphrase(hal, mnemonic_passphrase.as_str()).await {
                 break;

src/rust/bitbox02/src/ui/types.rs

@@ -107,6 +107,7 @@ pub struct TrinaryInputStringParams<'a> {
     pub special_chars: bool,
     pub longtouch: bool,
     pub cancel_is_backbutton: bool,
+    pub default_to_digits: bool,
 }
 
 impl<'a> TrinaryInputStringParams<'a> {
@@ -138,6 +139,7 @@ impl<'a> TrinaryInputStringParams<'a> {
             special_chars: self.special_chars,
             longtouch: self.longtouch,
             cancel_is_backbutton: self.cancel_is_backbutton,
+            default_to_digits: self.default_to_digits,
         })
     }
 }

src/ui/components/keyboard_switch.c

@@ -152,6 +152,7 @@ static component_functions_t _component_functions = {
 component_t* keyboard_switch_create(
     slider_location_t location,
     bool special_chars,
+    bool default_to_digits,
     component_t* parent)
 {
     component_t* keyboard_switch = malloc(sizeof(component_t));
@@ -167,7 +168,7 @@ component_t* keyboard_switch_create(
     memset(ks_data, 0, sizeof(keyboard_switch_data_t));
 
     ks_data->location = location;
-    ks_data->mode = LOWER_CASE;
+    ks_data->mode = default_to_digits ? DIGITS : LOWER_CASE;
     ks_data->active = false;
     ks_data->special_chars = special_chars;
 

src/ui/components/keyboard_switch.h

@@ -25,12 +25,14 @@ typedef enum { LOWER_CASE, UPPER_CASE, DIGITS, SPECIAL_CHARS } keyboard_mode_t;
 /**
  * Creates a keyboard switch component.
  * @param[in] location The slider location.
- * @param[in] make special chars keyboard mode available.
+ * @param[in] special_chars make special chars keyboard mode available.
+ * @param[in] default_to_digits start with the digits keyboard instead of the lowercase keyboard.
  * @param[in] parent The parent component.
  */
 component_t* keyboard_switch_create(
     slider_location_t location,
     bool special_chars,
+    bool default_to_digits,
     component_t* parent);
 
 /**

src/ui/components/trinary_input_string.c

@@ -490,8 +490,8 @@ component_t* trinary_input_string_create(
     ui_util_add_sub_component(component, data->confirm_component);
 
     if (params->wordlist == NULL && !params->number_input) {
-        data->keyboard_switch_component =
-            keyboard_switch_create(top_slider, params->special_chars, component);
+        data->keyboard_switch_component = keyboard_switch_create(
+            top_slider, params->special_chars, params->default_to_digits, component);
         ui_util_add_sub_component(component, data->keyboard_switch_component);
     }
 

src/ui/components/trinary_input_string.h

@@ -38,6 +38,8 @@ typedef struct {
     bool longtouch;
     // whether the cancel button should be rendered as a back button instead of as a cross.
     bool cancel_is_backbutton;
+    // start with the digits keyboard instead of the lowercase keyboard.
+    bool default_to_digits;
 } trinary_input_string_params_t;
 
 /********************************** Create Instance **********************************/

test/unit-test/test_ui_components.c

@@ -130,7 +130,7 @@ static void test_ui_components_keyboard_switch(void** state)
 {
     component_t* mock_component = mock_component_create();
 
-    component_t* keyboard_switch = keyboard_switch_create(top_slider, true, mock_component);
+    component_t* keyboard_switch = keyboard_switch_create(top_slider, true, false, mock_component);
     assert_non_null(keyboard_switch);
     assert_ui_component_functions(keyboard_switch);
     keyboard_switch->f->cleanup(keyboard_switch);