keystore: port _test_keystore_create_and_store_seed to Rust

Author: benma

src/rust/bitbox02-sys/build.rs

@@ -97,6 +97,7 @@ const ALLOWLIST_FNS: &[&str] = &[
     "memory_check_noise_remote_static_pubkey",
     "memory_get_attestation_bootloader_hash",
     "memory_get_attestation_pubkey_and_certificate",
+    "memory_get_encrypted_seed_and_hmac",
     "memory_get_device_name",
     "memory_get_noise_static_private_key",
     "memory_get_seed_birthdate",
@@ -125,6 +126,7 @@ const ALLOWLIST_FNS: &[&str] = &[
     "progress_create",
     "progress_set",
     "random_32_bytes_mcu",
+    "random_32_bytes",
     "random_mock_reset",
     "reboot_to_bootloader",
     "reset_reset",

src/rust/bitbox02/src/keystore.rs

@@ -724,6 +724,68 @@ mod tests {
         assert_eq!(decrypted.as_slice(), expected_bip39_seed.as_slice());
     }
 
+    #[test]
+    fn test_create_and_store_seed() {
+        let mock_salt_root =
+            hex::decode("3333333333333333444444444444444411111111111111112222222222222222")
+                .unwrap();
+
+        let host_entropy =
+            hex::decode("25569b9a11f9db6560459e8e48b4727a4c935300143d978989ed55db1d1b9cbe25569b9a11f9db6560459e8e48b4727a4c935300143d978989ed55db1d1b9cbe")
+                .unwrap();
+
+        // Invalid seed lengths
+        for size in [8, 24, 40] {
+            assert!(matches!(
+                create_and_store_seed("password", &host_entropy[..size]),
+                Err(Error::SeedSize)
+            ));
+        }
+
+        // Hack to get the random bytes that will be used.
+        let seed_random = {
+            crate::random::mock_reset();
+            crate::random::random_32_bytes()
+        };
+
+        // Derived from mock_salt_root and "password".
+        let password_salted_hashed =
+            hex::decode("e8c70a20d9108fbb9454b1b8e2d7373e78cbaf9de025ab2d4f4d3c7a6711694c")
+                .unwrap();
+
+        // expected_seed = seed_random ^ host_entropy ^ password_salted_hashed
+        let expected_seed: Vec<u8> = seed_random
+            .into_iter()
+            .zip(host_entropy.iter())
+            .zip(password_salted_hashed)
+            .map(|((a, &b), c)| a ^ b ^ c)
+            .collect();
+
+        for size in [16, 32] {
+            mock_memory();
+            crate::random::mock_reset();
+            crate::memory::set_salt_root(mock_salt_root.as_slice().try_into().unwrap()).unwrap();
+            lock();
+
+            assert!(create_and_store_seed("password", &host_entropy[..size]).is_ok());
+            assert!(unlock("password").is_ok());
+            assert_eq!(copy_seed().unwrap().as_slice(), &expected_seed[..size]);
+            // Check the seed has been stored encrypted with the expected encryption key.
+            // Decrypt and check seed.
+            let cipher = crate::memory::get_encrypted_seed_and_hmac().unwrap();
+
+            // Same as Python:
+            // import hmac, hashlib; hmac.digest(b"unit-test", b"password", hashlib.sha256).hex()
+            // See also: mock_securechip.c
+            let expected_encryption_key =
+                hex::decode("e56de448f5f1d29cdcc0e0099007309afe4d5a3ef2349e99dcc41840ad98409e")
+                    .unwrap();
+            let decrypted =
+                bitbox_aes::decrypt_with_hmac(&expected_encryption_key, &cipher).unwrap();
+            assert_eq!(decrypted.as_slice(), &expected_seed[..size]);
+        }
+    }
+
     // This tests that you can create a keystore, unlock it, and then do this again. This is an
     // expected workflow for when the wallet setup process is restarted after seeding and unlocking,
     // but before creating a backup, in which case a new seed is created.

src/rust/bitbox02/src/memory.rs

@@ -92,6 +92,19 @@ pub fn get_attestation_pubkey_and_certificate(
     }
 }
 
+#[cfg(feature = "testing")]
+pub fn get_encrypted_seed_and_hmac() -> Result<alloc::vec::Vec<u8>, ()> {
+    let mut out = vec![0u8; 96];
+    let mut len = 0u8;
+    match unsafe { bitbox02_sys::memory_get_encrypted_seed_and_hmac(out.as_mut_ptr(), &mut len) } {
+        true => {
+            out.truncate(len as _);
+            Ok(out)
+        }
+        false => Err(()),
+    }
+}
+
 pub fn get_noise_static_private_key() -> Result<zeroize::Zeroizing<[u8; 32]>, ()> {
     let mut out = zeroize::Zeroizing::new([0u8; 32]);
     match unsafe { bitbox02_sys::memory_get_noise_static_private_key(out.as_mut_ptr()) } {

src/rust/bitbox02/src/random.rs

@@ -29,6 +29,13 @@ pub fn mcu_32_bytes(out: &mut [u8; 32]) {
     }
 }
 
+#[cfg(feature = "testing")]
+pub fn random_32_bytes() -> alloc::boxed::Box<zeroize::Zeroizing<[u8; 32]>> {
+    let mut out = alloc::boxed::Box::new(zeroize::Zeroizing::new([0u8; 32]));
+    unsafe { bitbox02_sys::random_32_bytes(out.as_mut_ptr()) }
+    out
+}
+
 #[cfg(feature = "testing")]
 pub fn mock_reset() {
     unsafe {

test/unit-test/test_keystore.c

@@ -17,128 +17,10 @@
 #include <stddef.h>
 #include <cmocka.h>
 
-#include <cipher/cipher.h>
 #include <keystore.h>
-#include <memory/bitbox02_smarteeprom.h>
-#include <memory/memory.h>
-#include <memory/smarteeprom.h>
-#include <mock_memory.h>
-#include <secp256k1_ecdsa_s2c.h>
-#include <secp256k1_recovery.h>
 #include <secp256k1_schnorrsig.h>
-#include <securechip/securechip.h>
-#include <util.h>
 
 #include <stdint.h>
-#include <stdio.h>
-#include <string.h>
-
-#define PASSWORD ("password")
-
-static uint8_t _salt_root[KEYSTORE_MAX_SEED_LENGTH] = {
-    0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
-    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
-};
-
-// Same as Python:
-// import hmac, hashlib; hmac.digest(b"unit-test", b"password", hashlib.sha256).hex()
-// See also: securechip_mock.c
-static uint8_t _expected_secret[32] =
-    "\xe5\x6d\xe4\x48\xf5\xf1\xd2\x9c\xdc\xc0\xe0\x09\x90\x07\x30\x9a\xfe\x4d\x5a\x3e\xf2\x34\x9e"
-    "\x99\xdc\xc4\x18\x40\xad\x98\x40\x9e";
-
-int __real_secp256k1_anti_exfil_sign(
-    const secp256k1_context* ctx,
-    secp256k1_ecdsa_signature* sig,
-    const unsigned char* msg32,
-    const unsigned char* seckey,
-    const unsigned char* host_data32,
-    int* recid);
-
-static const unsigned char* _sign_expected_msg = NULL;
-static const unsigned char* _sign_expected_seckey = NULL;
-int __wrap_secp256k1_anti_exfil_sign(
-    const secp256k1_context* ctx,
-    secp256k1_ecdsa_signature* sig,
-    const unsigned char* msg32,
-    const unsigned char* seckey,
-    const unsigned char* host_data32,
-    int* recid)
-{
-    if (_sign_expected_msg != NULL) {
-        assert_memory_equal(_sign_expected_msg, msg32, 32);
-        _sign_expected_msg = NULL;
-    }
-    if (_sign_expected_seckey != NULL) {
-        assert_memory_equal(_sign_expected_seckey, seckey, 32);
-        _sign_expected_seckey = NULL;
-    }
-    return __real_secp256k1_anti_exfil_sign(ctx, sig, msg32, seckey, host_data32, recid);
-}
-
-static bool _reset_reset_called = false;
-void __wrap_reset_reset(void)
-{
-    _reset_reset_called = true;
-}
-
-void __wrap_random_32_bytes(uint8_t* buf)
-{
-    memcpy(buf, (const void*)mock(), 32);
-}
-
-void _mock_unlocked(const uint8_t* seed, size_t seed_len, const uint8_t* bip39_seed)
-{
-    keystore_mock_unlocked(seed, seed_len, bip39_seed);
-}
-
-static void _expect_encrypt_and_store_seed(void)
-{
-    will_return(__wrap_memory_is_initialized, false);
-}
-
-static void _test_keystore_create_and_store_seed(void** state)
-{
-    const uint8_t seed_random[32] =
-        "\x98\xef\xa1\xb6\x0a\x83\x39\x16\x61\xa2\x4d\xc7\x4a\x80\x4f\x34\x36\xe8\x33\xe0\xaa\xbe"
-        "\x75\xe9\x71\x1e\x5d\xef\x3a\x8f\x9f\x7c";
-    const uint8_t host_entropy[32] =
-        "\x25\x56\x9b\x9a\x11\xf9\xdb\x65\x60\x45\x9e\x8e\x48\xb4\x72\x7a\x4c\x93\x53\x00\x14\x3d"
-        "\x97\x89\x89\xed\x55\xdb\x1d\x1b\x9c\xbe";
-    // expected_seed = seed_random ^ host_entropy ^ password_salted_hashed
-    const uint8_t expected_seed[32] =
-        "\x55\x7e\x30\x0c\xc2\x6a\x6d\xc8\x95\xb3\x62\xf1\xe0\xe3\x0a\x70\x02\xb0\xcf\x7d\x5e\xa6"
-        "\x49\x4d\xb7\xbe\x34\x4e\x40\x85\x6a\x8e";
-
-    // Invalid seed lengths.
-    assert_int_equal(
-        keystore_create_and_store_seed(PASSWORD, host_entropy, 8), KEYSTORE_ERR_SEED_SIZE);
-    assert_int_equal(
-        keystore_create_and_store_seed(PASSWORD, host_entropy, 24), KEYSTORE_ERR_SEED_SIZE);
-    assert_int_equal(
-        keystore_create_and_store_seed(PASSWORD, host_entropy, 40), KEYSTORE_ERR_SEED_SIZE);
-
-    size_t test_sizes[2] = {16, 32};
-    for (size_t i = 0; i < sizeof(test_sizes) / sizeof(test_sizes[0]); i++) {
-        size_t seed_len = test_sizes[i];
-        // Seed random is xored with host entropy and the salted/hashed user password.
-        will_return(__wrap_random_32_bytes, seed_random);
-        _expect_encrypt_and_store_seed();
-        assert_int_equal(
-            keystore_create_and_store_seed(PASSWORD, host_entropy, seed_len), KEYSTORE_OK);
-
-        // Decrypt and check seed.
-        uint8_t encrypted_seed_and_hmac[96] = {0};
-        uint8_t len = 0;
-        assert_true(memory_get_encrypted_seed_and_hmac(encrypted_seed_and_hmac, &len));
-        size_t decrypted_len = len - 48;
-        uint8_t out[decrypted_len];
-        assert_true(cipher_aes_hmac_decrypt(
-            encrypted_seed_and_hmac, len, out, &decrypted_len, _expected_secret));
-        assert_int_equal(decrypted_len, seed_len);
-        assert_memory_equal(expected_seed, out, seed_len);
-    }
-}
 
 // This tests that `secp256k1_schnorrsig_sign()` is the correct function to be used for schnorr sigs
 // in taproot. It is a separate test because there are test vectors available for this which cannot
@@ -200,10 +82,7 @@ static void _test_secp256k1_schnorr_sign(void** state)
 
 int main(void)
 {
-    mock_memory_set_salt_root(_salt_root);
-
     const struct CMUnitTest tests[] = {
-        cmocka_unit_test(_test_keystore_create_and_store_seed),
         cmocka_unit_test(_test_secp256k1_schnorr_sign),
     };
     return cmocka_run_group_tests(tests, NULL, NULL);