firmware/eth: add option to disable antiklepto in ETHSignTypedMessage

Author: benma

api/firmware/eth.go

@@ -574,24 +574,37 @@ func getValue(what *messages.ETHTypedMessageValueResponse, msg map[string]interf
 }
 
 // ETHSignTypedMessage signs an Ethereum EIP-712 typed message. 27 is added to the recID to denote
-// an uncompressed pubkey.
+// an uncompressed pubkey. If useAntiklepto is false, signing is deterministic and requires
+// firmware >= 9.26.0.
 func (device *Device) ETHSignTypedMessage(
 	chainID uint64,
 	keypath []uint32,
 	jsonMsg []byte,
+	useAntiklepto bool,
 ) ([]byte, error) {
 	if !device.version.AtLeast(semver.NewSemVer(9, 12, 0)) {
 		return nil, UnsupportedError("9.12.0")
 	}
+	if !useAntiklepto && !device.version.AtLeast(semver.NewSemVer(9, 26, 0)) {
+		return nil, UnsupportedError("9.26.0")
+	}
 
 	var msg map[string]interface{}
 	if err := json.Unmarshal(jsonMsg, &msg); err != nil {
 		return nil, errp.WithStack(err)
 	}
 
-	hostNonce, err := generateHostNonce()
-	if err != nil {
-		return nil, err
+	var hostNonce []byte
+	var hostNonceCommitment *messages.AntiKleptoHostNonceCommitment
+	if useAntiklepto {
+		var err error
+		hostNonce, err = generateHostNonce()
+		if err != nil {
+			return nil, err
+		}
+		hostNonceCommitment = &messages.AntiKleptoHostNonceCommitment{
+			Commitment: antikleptoHostCommit(hostNonce),
+		}
 	}
 
 	types := msg["types"].(map[string]interface{})
@@ -617,13 +630,11 @@ func (device *Device) ETHSignTypedMessage(
 	request := &messages.ETHRequest{
 		Request: &messages.ETHRequest_SignTypedMsg{
 			SignTypedMsg: &messages.ETHSignTypedMessageRequest{
-				ChainId:     chainID,
-				Keypath:     keypath,
-				Types:       parsedTypes,
-				PrimaryType: msg["primaryType"].(string),
-				HostNonceCommitment: &messages.AntiKleptoHostNonceCommitment{
-					Commitment: antikleptoHostCommit(hostNonce),
-				},
+				ChainId:             chainID,
+				Keypath:             keypath,
+				Types:               parsedTypes,
+				PrimaryType:         msg["primaryType"].(string),
+				HostNonceCommitment: hostNonceCommitment,
 			},
 		},
 	}
@@ -651,34 +662,45 @@ func (device *Device) ETHSignTypedMessage(
 		typedMsgValueResponse, ok = response.Response.(*messages.ETHResponse_TypedMsgValue)
 	}
 
-	signerCommitment, ok := response.Response.(*messages.ETHResponse_AntikleptoSignerCommitment)
-	if !ok {
-		return nil, errp.New("unexpected response")
-	}
-	response, err = device.queryETH(&messages.ETHRequest{
-		Request: &messages.ETHRequest_AntikleptoSignature{
-			AntikleptoSignature: &messages.AntiKleptoSignatureRequest{
-				HostNonce: hostNonce,
+	if useAntiklepto {
+		signerCommitment, ok := response.Response.(*messages.ETHResponse_AntikleptoSignerCommitment)
+		if !ok {
+			return nil, errp.New("unexpected response")
+		}
+		response, err = device.queryETH(&messages.ETHRequest{
+			Request: &messages.ETHRequest_AntikleptoSignature{
+				AntikleptoSignature: &messages.AntiKleptoSignatureRequest{
+					HostNonce: hostNonce,
+				},
 			},
-		},
-	})
-	if err != nil {
-		return nil, err
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		signResponse, ok := response.Response.(*messages.ETHResponse_Sign)
+		if !ok {
+			return nil, errp.New("unexpected response")
+		}
+		signature := signResponse.Sign.Signature
+		err = antikleptoVerify(
+			hostNonce,
+			signerCommitment.AntikleptoSignerCommitment.Commitment,
+			signature[:64],
+		)
+		if err != nil {
+			return nil, err
+		}
+		// 27 is the magic constant to add to the recoverable ID to denote an uncompressed pubkey.
+		signature[64] += 27
+		return signature, nil
 	}
 
 	signResponse, ok := response.Response.(*messages.ETHResponse_Sign)
 	if !ok {
 		return nil, errp.New("unexpected response")
 	}
 	signature := signResponse.Sign.Signature
-	err = antikleptoVerify(
-		hostNonce,
-		signerCommitment.AntikleptoSignerCommitment.Commitment,
-		signature[:64],
-	)
-	if err != nil {
-		return nil, err
-	}
 	// 27 is the magic constant to add to the recoverable ID to denote an uncompressed pubkey.
 	signature[64] += 27
 	return signature, nil

api/firmware/eth_test.go

@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/BitBoxSwiss/bitbox02-api-go/api/firmware/messages"
+	"github.com/BitBoxSwiss/bitbox02-api-go/util/semver"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/sha3"
 )
@@ -18,6 +19,53 @@ func hashKeccak(b []byte) []byte {
 	return h.Sum(nil)
 }
 
+var eip712Msg = []byte(`
+{
+    "types": {
+        "EIP712Domain": [
+            { "name": "name", "type": "string" },
+            { "name": "version", "type": "string" },
+            { "name": "chainId", "type": "uint256" },
+            { "name": "verifyingContract", "type": "address" }
+        ],
+        "Attachment": [
+            { "name": "contents", "type": "string" }
+        ],
+        "Person": [
+            { "name": "name", "type": "string" },
+            { "name": "wallet", "type": "address" },
+            { "name": "age", "type": "uint8" }
+        ],
+        "Mail": [
+            { "name": "from", "type": "Person" },
+            { "name": "to", "type": "Person" },
+            { "name": "contents", "type": "string" },
+            { "name": "attachments", "type": "Attachment[]" }
+        ]
+    },
+    "primaryType": "Mail",
+    "domain": {
+        "name": "Ether Mail",
+        "version": "1",
+        "chainId": 1,
+        "verifyingContract": "0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC"
+    },
+    "message": {
+        "from": {
+            "name": "Cow",
+            "wallet": "0xCD2a3d9F938E13CD947Ec05AbC7FE734Df8DD826",
+            "age": 20
+        },
+        "to": {
+            "name": "Bob",
+            "wallet": "0xbBbBBBBbbBBBbbbBbbBbbbbBBbBbbbbBbBbbBBbB",
+            "age": "0x1e"
+        },
+        "contents": "Hello, Bob!",
+        "attachments": [{ "contents": "attachment1" }, { "contents": "attachment2" }]
+    }
+}`)
+
 func parseTypeNoErr(t *testing.T, typ string, types map[string]interface{}) *messages.ETHSignTypedMessageRequest_MemberType {
 	t.Helper()
 	parsed, err := parseType(typ, types)
@@ -306,53 +354,6 @@ func TestSimulatorETHSignMessage(t *testing.T) {
 func TestSimulatorETHSignTypedMessage(t *testing.T) {
 	testInitializedSimulators(t, func(t *testing.T, device *Device, stdOut *bytes.Buffer) {
 		t.Helper()
-		msg := []byte(`
-{
-    "types": {
-        "EIP712Domain": [
-            { "name": "name", "type": "string" },
-            { "name": "version", "type": "string" },
-            { "name": "chainId", "type": "uint256" },
-            { "name": "verifyingContract", "type": "address" }
-        ],
-        "Attachment": [
-            { "name": "contents", "type": "string" }
-        ],
-        "Person": [
-            { "name": "name", "type": "string" },
-            { "name": "wallet", "type": "address" },
-            { "name": "age", "type": "uint8" }
-        ],
-        "Mail": [
-            { "name": "from", "type": "Person" },
-            { "name": "to", "type": "Person" },
-            { "name": "contents", "type": "string" },
-            { "name": "attachments", "type": "Attachment[]" }
-        ]
-    },
-    "primaryType": "Mail",
-    "domain": {
-        "name": "Ether Mail",
-        "version": "1",
-        "chainId": 1,
-        "verifyingContract": "0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC"
-    },
-    "message": {
-        "from": {
-            "name": "Cow",
-            "wallet": "0xCD2a3d9F938E13CD947Ec05AbC7FE734Df8DD826",
-            "age": 20
-        },
-        "to": {
-            "name": "Bob",
-            "wallet": "0xbBbBBBBbbBBBbbbBbbBbbbbBBbBbbbbBbBbbBBbB",
-            "age": "0x1e"
-        },
-        "contents": "Hello, Bob!",
-        "attachments": [{ "contents": "attachment1" }, { "contents": "attachment2" }]
-    }
-}`)
-
 		sig, err := device.ETHSignTypedMessage(
 			1,
 			[]uint32{
@@ -362,13 +363,64 @@ func TestSimulatorETHSignTypedMessage(t *testing.T) {
 				0,
 				10,
 			},
-			msg,
+			eip712Msg,
+			true,
 		)
 		require.NoError(t, err)
 		require.Len(t, sig, 65)
 	})
 }
 
+func TestSimulatorETHSignTypedMessageAntikleptoEnabled(t *testing.T) {
+	testInitializedSimulators(t, func(t *testing.T, device *Device, stdOut *bytes.Buffer) {
+		t.Helper()
+		keypath := []uint32{
+			44 + hardenedKeyStart,
+			60 + hardenedKeyStart,
+			0 + hardenedKeyStart,
+			0,
+			10,
+		}
+
+		sig1, err := device.ETHSignTypedMessage(1, keypath, eip712Msg, true)
+		require.NoError(t, err)
+		sig2, err := device.ETHSignTypedMessage(1, keypath, eip712Msg, true)
+		require.NoError(t, err)
+
+		require.Len(t, sig1, 65)
+		require.Len(t, sig2, 65)
+		require.NotEqual(t, sig1, sig2)
+	})
+}
+
+func TestSimulatorETHSignTypedMessageAntikleptoDisabled(t *testing.T) {
+	testInitializedSimulators(t, func(t *testing.T, device *Device, stdOut *bytes.Buffer) {
+		t.Helper()
+		keypath := []uint32{
+			44 + hardenedKeyStart,
+			60 + hardenedKeyStart,
+			0 + hardenedKeyStart,
+			0,
+			10,
+		}
+
+		if device.Version().AtLeast(semver.NewSemVer(9, 26, 0)) {
+			sig1, err := device.ETHSignTypedMessage(1, keypath, eip712Msg, false)
+			require.NoError(t, err)
+			sig2, err := device.ETHSignTypedMessage(1, keypath, eip712Msg, false)
+			require.NoError(t, err)
+
+			require.Len(t, sig1, 65)
+			require.Len(t, sig2, 65)
+			require.Equal(t, sig1, sig2)
+			return
+		}
+
+		_, err := device.ETHSignTypedMessage(1, keypath, eip712Msg, false)
+		require.EqualError(t, err, UnsupportedError("9.26.0").Error())
+	})
+}
+
 func TestSimulatorETHSign(t *testing.T) {
 	testInitializedSimulators(t, func(t *testing.T, device *Device, stdOut *bytes.Buffer) {
 		t.Helper()

cmd/playground/main.go

@@ -267,6 +267,7 @@ func main() {
         "attachments": [{ "contents": "attachment1" }, { "contents": "attachment2" }]
     }
 }`),
+		true,
 	)
 	errpanic(err)
 	fmt.Println(sig)