Filiprogrammer
diff --git a/‎README.md‎
Lines changed: 15 additions & 11 deletions b/‎README.md‎
Lines changed: 15 additions & 11 deletions
diff --git a/‎SimpleJadePinServer.py‎
Lines changed: 84 additions & 91 deletions b/‎SimpleJadePinServer.py‎
Lines changed: 84 additions & 91 deletions
diff --git a/‎docs/images/jade_scanning_step2.png‎
214 KB b/‎docs/images/jade_scanning_step2.png‎
214 KB
diff --git a/‎docs/images/webui.png‎
-2.67 KB b/‎docs/images/webui.png‎
-2.67 KB
diff --git a/‎docs/images/webui_step1.png‎
213 KB b/‎docs/images/webui_step1.png‎
213 KB
diff --git a/‎docs/images/webui_step2.png‎
-1.9 KB b/‎docs/images/webui_step2.png‎
-1.9 KB
diff --git a/‎docs/images/webui_step3.png‎
-51.5 KB b/‎docs/images/webui_step3.png‎
-51.5 KB
diff --git a/‎docs/images/webui_step4.png‎
-7.58 KB b/‎docs/images/webui_step4.png‎
-7.58 KB
@@ -3,6 +3,8 @@ SimpleJadePinServer
 
 A simple reimplementation of the [blind_pin_server](https://github.com/Blockstream/blind_pin_server) for the Blockstream Jade hardware wallet, along with a very basic web interface.
 
+Note: The newest version of `SimpleJadePinServer` requires Jade firmware that includes support for the shorter two-step blind oracle protocol, which was first implemented in version 1.0.28. If you need to use the old four-step protocol, you can revert to [v1](https://github.com/Filiprogrammer/SimpleJadePinServer/tree/v1).
+
 Running SimpleJadePinServer
 ---------------------------
 
@@ -91,7 +93,7 @@ Scan the the generated QR code and then confirm the details on screen.
 
 ![Jade Confirm Pin Server](docs/images/jade_confirm_pin_server.png)
 
-Note that it really does not matter where the URL is pointed to since the `SimpleJadePinServer` does not use the BCUR QR code from step 1/4. The only important parameter here is the public key of the pin server.
+Note that it really does not matter where the URL is pointed to. The only important parameter here is the public key of the pin server.
 
 <details>
 <summary>Alternative setup via USB</summary>
@@ -112,24 +114,26 @@ Using SimpleJadePinServer
 
 Once the Jade is configured to work with `SimpleJadePinServer`, initialize the wallet. When asked to select a connection, choose QR.
 
-1. After providing a six digit pin, the Jade will display Step 1/4 with a series of BC-UR QR codes. This step can be skipped.
+### Step 1/2
+
+After providing a six digit pin, the Jade will display Step 1/2 with a series of BC-UR QR codes. Click "Step 1/2 pin request - Jade &rarr; pin server" in the web interface. This will use the computer's camera to scan the QR codes displayed on the Jade.
 
-2. The Jade will then display Step 2/4 and ask you to scan a BC-UR QR code. Make sure that `SimpleJadePinServer` is running and navigate to https://127.0.0.1:4443 in your web browser. Click the button labelled "Step 2/4 start_handshake". This will show a series of BC-UR QR codes you can scan with your Jade.
+![Web UI Step 1/2](docs/images/webui_step1.png)
 
-![Step 2/4](docs/images/webui_step2.png)
+Once it is done scanning, the camera interface will automatically disappear.
 
-3. Once scanning is complete, the Jade will proceed to Step 3/4 and show a series of BC-UR QR codes on its screen. Click "Step 3/4 start_handshake reply" in the web interface. This will use the computer's camera to scan the QR codes displayed on the Jade.
+### Step 2/2
 
-![Step 3/4](docs/images/webui_step3.png)
+Next click the button labelled "Step 2/2 pin reply - pin server &rarr; Jade". This will show a series of BC-UR QR codes.
 
-Once it is done scanning, the camera interface will automatically disappear.
+![Web UI Step 2/2](docs/images/webui_step2.png)
 
-4. Continue to Step 4/4 on the Jade and click "set_pin" in the web interface. This will show another series of BC-UR QR codes which can be scanned by the Jade.
+On the Jade continue to Step 2/2 and scan the BC-UR QR codes.
 
-![Step 4/4](docs/images/webui_step4.png)
+![Jade scanning Step 2/2](docs/images/jade_scanning_step2.png)
 
-Once that is scanned, you are done and the wallet is ready to be used.
+Once scanning is complete, you are done and the wallet is ready to be used.
 
 ### Unlocking the wallet
 
-If you want to unlock the wallet at some later point, select "QR Mode" -> "QR PIN Unlock" on the Jade. Enter your PIN and perform the same steps as described before. The only difference being at step 4/4 where you will have to click "get_pin" instead of "set_pin" in the web interface.
+If you want to unlock the wallet at some later point, select "QR Mode" -> "QR PIN Unlock" on the Jade. Enter your PIN and perform the same steps as described before.
@@ -3,6 +3,7 @@
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from hashlib import sha256
 import argparse
+import base64
 import os
 import wallycore as wally
 import urllib.parse
@@ -29,147 +30,130 @@ class MyServer(BaseHTTPRequestHandler):
     def do_GET(self):
         request = urllib.parse.urlparse(self.path)
 
-        if request.path == "/start_handshake":
-            print("start_handshake")
-            global private_key
-            private_key = generate_private_key()
-            ske = wally.ec_public_key_from_private_key(private_key)
-            public_key_hash = sha256(ske).digest()
-            sig = wally.ec_sig_from_bytes(STATIC_SERVER_PRIVATE_KEY, public_key_hash, wally.EC_FLAG_ECDSA)
-
-            self.send_response(200)
-            self.send_header("Content-type", "application/json")
-            self.end_headers()
-            self.wfile.write(bytes('{"id":"0","method":"handshake_init","params":{"sig":"' + bytes2hex(sig) + '","ske":"' + bytes2hex(ske) + '"}}', "utf-8"))
-        elif request.path == "/set_pin":
+        if request.path == "/set_pin":
             print("set_pin")
             params = urllib.parse.parse_qs(request.query)
 
-            if not ('ske' in params and 'cke' in params and 'encrypted_data' in params and 'hmac_encrypted_data' in params):
+            if not 'data' in params:
                 self.send_response(400)
                 self.send_header("Content-type", "text/html")
                 self.end_headers()
                 self.wfile.write(bytes("<html><head><title>Bad request</title></head><body>Bad request</body></html>", "utf-8"))
                 return
 
-            if not 'private_key' in globals():
-                self.send_response(409)
-                self.send_header("Content-type", "text/html")
-                self.end_headers()
-                self.wfile.write(bytes("<html><head><title>Conflict</title></head><body>You have to start_handshake first</body></html>", "utf-8"))
-                return
+            data = base64.b64decode(params['data'][0].replace(' ', '+'))
+            assert len(data) > 37
+            cke = data[:33]
+            replay_counter = data[33:37]
+            encrypted_data = data[37:]
 
-            ske = hex2bytes(params['ske'][0])
-            cke = hex2bytes(params['cke'][0])
-            encrypted_data = hex2bytes(params['encrypted_data'][0])
-            hmac_encrypted_data = hex2bytes(params['hmac_encrypted_data'][0])
+            private_key, public_key = generate_ec_key_pair(replay_counter, cke)
 
-            master_shared_key = wally.ecdh(cke, private_key)
-            request_encryption_key = wally.hmac_sha256(master_shared_key, bytearray([0]))
-            request_hmac_key = wally.hmac_sha256(master_shared_key, bytearray([1]))
-            response_encryption_key = wally.hmac_sha256(master_shared_key, bytearray([2]))
-            response_hmac_key = wally.hmac_sha256(master_shared_key, bytearray([3]))
-            hmac_calculated = wally.hmac_sha256(request_hmac_key, cke + encrypted_data)
-
-            iv = encrypted_data[:16]
-            payload = wally.aes_cbc(request_encryption_key, iv, encrypted_data[16:], wally.AES_FLAG_DECRYPT)
+            payload = wally.aes_cbc_with_ecdh_key(private_key, None, encrypted_data, cke, b'blind_oracle_request', wally.AES_FLAG_DECRYPT)
 
+            # set_pin requires client-passed entropy
+            assert len(payload) == 32 + 32 + 65
             pin_secret = payload[:32]
             entropy = payload[32:64]
             sig = payload[64:]
-            signed_msg = bytearray(sha256(cke + pin_secret + entropy).digest())
+            signed_msg = bytearray(sha256(cke + replay_counter + pin_secret + entropy).digest())
             pin_pubkey = wally.ec_sig_to_public_key(signed_msg, sig)
 
-            our_random = bytearray(os.urandom(32))
-            new_key = wally.hmac_sha256(our_random, entropy)
-
             pin_pubkey_hash = sha256(pin_pubkey).digest()
-            hash_pin_secret = sha256(pin_secret).digest()
 
-            save_pin_fields(pin_pubkey_hash, hash_pin_secret, new_key, pin_pubkey, 0)
+            replay_local = None
+            try:
+                _, _, _, replay_local = load_pin_fields(pin_pubkey_hash, pin_pubkey)
+
+                # Enforce anti replay (client counter must be greater than the server counter)
+                client_counter = int.from_bytes(replay_counter, byteorder='little', signed=False)
+                server_counter = int.from_bytes(replay_local, byteorder='little', signed=False)
+                assert client_counter > server_counter
+            except FileNotFoundError:
+                pass
+
+            our_random = os.urandom(32)
+            new_key = wally.hmac_sha256(our_random, entropy)
 
-            response = wally.hmac_sha256(new_key, pin_secret)
+            hash_pin_secret = sha256(pin_secret).digest()
+            replay_bytes = b'\x00\x00\x00\x00'
+            save_pin_fields(pin_pubkey_hash, hash_pin_secret, new_key, pin_pubkey, 0, replay_bytes)
+            aes_key = wally.hmac_sha256(new_key, pin_secret)
 
             iv = os.urandom(16)
-            encrypted_key = iv + wally.aes_cbc(response_encryption_key, iv, response, wally.AES_FLAG_ENCRYPT)
-            hmac = wally.hmac_sha256(response_hmac_key, encrypted_key)
+            encrypted_key = wally.aes_cbc_with_ecdh_key(private_key, iv, aes_key, cke, b'blind_oracle_response', wally.AES_FLAG_ENCRYPT)
 
             self.send_response(200)
             self.send_header("Content-type", "application/json")
             self.end_headers()
-            self.wfile.write(bytes('{"id":"0","method":"handshake_complete","params":{"encrypted_key":"' + bytes2hex(encrypted_key) + '","hmac":"' + bytes2hex(hmac) + '"}}', "utf-8"))
+            self.wfile.write(b'{"data":"' + base64.b64encode(encrypted_key) + b'"}')
         elif request.path == "/get_pin":
             print("get_pin")
             params = urllib.parse.parse_qs(request.query)
 
-            if not ('ske' in params and 'cke' in params and 'encrypted_data' in params and 'hmac_encrypted_data' in params):
+            if not 'data' in params:
                 self.send_response(400)
                 self.send_header("Content-type", "text/html")
                 self.end_headers()
                 self.wfile.write(bytes("<html><head><title>Bad request</title></head><body>Bad request</body></html>", "utf-8"))
                 return
 
-            if not 'private_key' in globals():
-                self.send_response(409)
-                self.send_header("Content-type", "text/html")
-                self.end_headers()
-                self.wfile.write(bytes("<html><head><title>Conflict</title></head><body>You have to start_handshake first</body></html>", "utf-8"))
-                return
-
-            ske = hex2bytes(params['ske'][0])
-            cke = hex2bytes(params['cke'][0])
-            encrypted_data = hex2bytes(params['encrypted_data'][0])
-            hmac_encrypted_data = hex2bytes(params['hmac_encrypted_data'][0])
+            data = base64.b64decode(params['data'][0].replace(' ', '+'))
+            assert len(data) > 37
+            cke = data[:33]
+            replay_counter = data[33:37]
+            encrypted_data = data[37:]
 
-            master_shared_key = wally.ecdh(cke, private_key)
-            request_encryption_key = wally.hmac_sha256(master_shared_key, bytearray([0]))
-            request_hmac_key = wally.hmac_sha256(master_shared_key, bytearray([1]))
-            response_encryption_key = wally.hmac_sha256(master_shared_key, bytearray([2]))
-            response_hmac_key = wally.hmac_sha256(master_shared_key, bytearray([3]))
-            hmac_calculated = wally.hmac_sha256(request_hmac_key, cke + encrypted_data)
+            private_key, public_key = generate_ec_key_pair(replay_counter, cke)
 
-            iv = encrypted_data[:16]
-            payload = wally.aes_cbc(request_encryption_key, iv, encrypted_data[16:], wally.AES_FLAG_DECRYPT)
+            payload = wally.aes_cbc_with_ecdh_key(private_key, None, encrypted_data, cke, b'blind_oracle_request', wally.AES_FLAG_DECRYPT)
 
+            # get_pin does not need client-passed entropy
+            assert len(payload) == 32 + 65
             pin_secret = payload[:32]
-            entropy = payload[32:64]
-            sig = payload[64:]
-            signed_msg = bytearray(sha256(cke + pin_secret + entropy).digest())
+            sig = payload[32:]
+            signed_msg = bytearray(sha256(cke + replay_counter + pin_secret).digest())
             pin_pubkey = wally.ec_sig_to_public_key(signed_msg, sig)
 
             pin_pubkey_hash = sha256(pin_pubkey).digest()
 
-            saved_hash_pin_secret, saved_key, counter = load_pin_fields(pin_pubkey_hash, pin_pubkey)
+            try:
+                saved_hash_pin_secret, saved_key, counter, replay_local = load_pin_fields(pin_pubkey_hash, pin_pubkey)
 
-            hash_pin_secret = sha256(pin_secret).digest()
-
-            if hash_pin_secret == saved_hash_pin_secret:
-                print("Correct pin on the " + str(counter + 1) + ". attempt")
-
-                if counter != 0:
-                    save_pin_fields(pin_pubkey_hash, hash_pin_secret, saved_key, pin_pubkey, 0)
+                # Enforce anti replay (client counter must be greater than the server counter)
+                client_counter = int.from_bytes(replay_counter, byteorder='little', signed=False)
+                server_counter = int.from_bytes(replay_local, byteorder='little', signed=False)
+                assert client_counter > server_counter
+            except FileNotFoundError:
+                # Return a random incorrect key to the Jade
+                saved_key = os.urandom(32)
             else:
-                print("Wrong pin (" + str(counter + 1) + ". attempt)")
+                hash_pin_secret = sha256(pin_secret).digest()
 
-                if counter >= 2:
-                    os.remove(pins_path + "/" + bytes2hex(pin_pubkey_hash) + ".pin")
-                    print("Too many wrong attempts")
+                if hash_pin_secret == saved_hash_pin_secret:
+                    print("Correct pin on the " + str(counter + 1) + ". attempt")
+                    save_pin_fields(pin_pubkey_hash, hash_pin_secret, saved_key, pin_pubkey, 0, replay_counter)
                 else:
-                    save_pin_fields(pin_pubkey_hash, saved_hash_pin_secret, saved_key, pin_pubkey, counter + 1)
+                    print("Wrong pin (" + str(counter + 1) + ". attempt)")
 
-                # Return a random incorrect key to the Jade
-                saved_key = os.urandom(32)
+                    if counter >= 2:
+                        os.remove(pins_path + "/" + bytes2hex(pin_pubkey_hash) + ".pin")
+                        print("Too many wrong attempts")
+                    else:
+                        save_pin_fields(pin_pubkey_hash, saved_hash_pin_secret, saved_key, pin_pubkey, counter + 1, replay_counter)
+
+                    # Return a random incorrect key to the Jade
+                    saved_key = os.urandom(32)
 
-            response = wally.hmac_sha256(saved_key, pin_secret)
+            aes_key = wally.hmac_sha256(saved_key, pin_secret)
 
             iv = os.urandom(16)
-            encrypted_key = iv + wally.aes_cbc(response_encryption_key, iv, response, wally.AES_FLAG_ENCRYPT)
-            hmac = wally.hmac_sha256(response_hmac_key, encrypted_key)
+            encrypted_key = wally.aes_cbc_with_ecdh_key(private_key, iv, aes_key, cke, b'blind_oracle_response', wally.AES_FLAG_ENCRYPT)
 
             self.send_response(200)
             self.send_header("Content-type", "application/json")
             self.end_headers()
-            self.wfile.write(bytes('{"id":"0","method":"handshake_complete","params":{"encrypted_key":"' + bytes2hex(encrypted_key) + '","hmac":"' + bytes2hex(hmac) + '"}}', "utf-8"))
+            self.wfile.write(b'{"data":"' + base64.b64encode(encrypted_key) + b'"}')
         elif request.path == "/qrcode.js":
             self.send_response(200)
             self.send_header("Content-type", "text/javascript")
@@ -199,14 +183,14 @@ def do_GET(self):
             self.end_headers()
             self.wfile.write(bytes("<html><head><title>Not found</title></head><body>Not found</body></html>", "utf-8"))
 
-def save_pin_fields(pin_pubkey_hash, hash_pin_secret, aes_key, pin_pubkey, counter):
+def save_pin_fields(pin_pubkey_hash, hash_pin_secret, aes_key, pin_pubkey, counter, replay_counter):
     storage_aes_key = wally.hmac_sha256(STATIC_SERVER_AES_PIN_DATA, pin_pubkey)
     count_bytes = counter.to_bytes(1)
-    plaintext = hash_pin_secret + aes_key + count_bytes
+    plaintext = hash_pin_secret + aes_key + count_bytes + replay_counter
     iv = os.urandom(16)
     encrypted = iv + wally.aes_cbc(storage_aes_key, iv, plaintext, wally.AES_FLAG_ENCRYPT)
     pin_auth_key = wally.hmac_sha256(STATIC_SERVER_AES_PIN_DATA, pin_pubkey_hash)
-    version_bytes = b'\x00'
+    version_bytes = b'\x01'
     hmac_payload = wally.hmac_sha256(pin_auth_key, version_bytes + encrypted)
 
     os.makedirs(pins_path, exist_ok=True)
@@ -220,7 +204,7 @@ def load_pin_fields(pin_pubkey_hash, pin_pubkey):
 
     assert len(data) == 129
     version_bytes = data[:1]
-    assert version_bytes[0] == 0
+    assert version_bytes[0] == 1
     hmac_received = data[1:33]
     encrypted = data[33:]
     pin_auth_key = wally.hmac_sha256(STATIC_SERVER_AES_PIN_DATA, pin_pubkey_hash)
@@ -230,20 +214,29 @@ def load_pin_fields(pin_pubkey_hash, pin_pubkey):
     storage_aes_key = wally.hmac_sha256(STATIC_SERVER_AES_PIN_DATA, pin_pubkey)
     iv = encrypted[:16]
     plaintext = wally.aes_cbc(storage_aes_key, iv, encrypted[16:], wally.AES_FLAG_DECRYPT)
-    assert len(plaintext) == 32 + 32 + 1
+    assert len(plaintext) == 32 + 32 + 1 + 4
 
     saved_hash_pin_secret = plaintext[:32]
     saved_key = plaintext[32:64]
     counter = plaintext[64]
+    replay_counter_persisted = plaintext[65:69]
 
-    return saved_hash_pin_secret, saved_key, counter
+    return saved_hash_pin_secret, saved_key, counter, replay_counter_persisted
 
 def bytes2hex(byte_array):
     return ''.join('{:02x}'.format(x) for x in byte_array)
 
 def hex2bytes(hex):
     return bytearray(bytes.fromhex(hex))
 
+def generate_ec_key_pair(replay_counter, cke):
+    tweak = sha256(wally.hmac_sha256(cke, replay_counter)).digest()
+    private_key = wally.ec_private_key_bip341_tweak(STATIC_SERVER_PRIVATE_KEY, tweak, 0)
+    wally.ec_private_key_verify(private_key)
+    public_key = wally.ec_public_key_from_private_key(private_key)
+
+    return private_key, public_key
+
 def generate_private_key():
     while True:
         private_key = bytearray(os.urandom(32))