Merge branch 'port-antiklepto-test'

benma · benma · commit 6f234ba38707 · 2025-11-03T13:57:18.000+01:00
diff --git a/src/keystore.c b/src/keystore.c
@@ -78,8 +78,7 @@ bool keystore_copy_seed(uint8_t* seed_out, size_t* length_out)
             "keystore_retained_seed_access_in",
             "keystore_retained_seed_access_out",
             rust_util_bytes_mut(
-                retained_seed_encryption_key,
-                sizeof(retained_seed_encryption_key)))) {
+                retained_seed_encryption_key, sizeof(retained_seed_encryption_key)))) {
         return false;
     }
     size_t len = _retained_seed_encrypted_len - 48;
@@ -112,8 +111,7 @@ bool keystore_copy_bip39_seed(uint8_t* bip39_seed_out)
             "keystore_retained_bip39_seed_access_in",
             "keystore_retained_bip39_seed_access_out",
             rust_util_bytes_mut(
-                retained_bip39_seed_encryption_key,
-                sizeof(retained_bip39_seed_encryption_key)))) {
+                retained_bip39_seed_encryption_key, sizeof(retained_bip39_seed_encryption_key)))) {
         return false;
     }
     size_t len = _retained_bip39_seed_encrypted_len - 48;
@@ -295,8 +293,7 @@ USE_RESULT static bool _retain_bip39_seed(const uint8_t* bip39_seed)
             "keystore_retained_bip39_seed_access_in",
             "keystore_retained_bip39_seed_access_out",
             rust_util_bytes_mut(
-                retained_bip39_seed_encryption_key,
-                sizeof(retained_bip39_seed_encryption_key)))) {
+                retained_bip39_seed_encryption_key, sizeof(retained_bip39_seed_encryption_key)))) {
         return false;
     }
     size_t len = sizeof(_retained_bip39_seed_encrypted);
@@ -542,20 +539,15 @@ bool keystore_secp256k1_sign(
 }
 
 #ifdef TESTING
-void keystore_mock_unlocked(const uint8_t* seed, size_t seed_len, const uint8_t* bip39_seed)
+void keystore_mock_unlocked(const uint8_t* seed, size_t seed_len)
 {
     _is_unlocked_device = seed != NULL;
     if (seed != NULL) {
         if (_retain_seed(seed, seed_len) != KEYSTORE_OK) {
             Abort("couldn't retain seed");
         }
     }
-    _is_unlocked_bip39 = bip39_seed != NULL;
-    if (bip39_seed != NULL) {
-        if (!_retain_bip39_seed(bip39_seed)) {
-            Abort("couldn't retain bip39 seed");
-        }
-    }
+    _is_unlocked_bip39 = false;
 }
 
 const uint8_t* keystore_test_get_retained_seed_encrypted(size_t* len_out)
diff --git a/src/keystore.h b/src/keystore.h
@@ -188,7 +188,7 @@ USE_RESULT bool keystore_secp256k1_sign(
 /**
  * convenience to mock the keystore state (locked, seed) in tests.
  */
-void keystore_mock_unlocked(const uint8_t* seed, size_t seed_len, const uint8_t* bip39_seed);
+void keystore_mock_unlocked(const uint8_t* seed, size_t seed_len);
 
 const uint8_t* keystore_test_get_retained_seed_encrypted(size_t* len_out);
 const uint8_t* keystore_test_get_retained_bip39_seed_encrypted(size_t* len_out);
diff --git a/src/rust/bitbox02-rust/src/hww/api/bitcoin/signtx.rs b/src/rust/bitbox02-rust/src/hww/api/bitcoin/signtx.rs
@@ -2695,8 +2695,8 @@ mod tests {
         let host_nonce = hex!("abababababababababababababababababababababababababababababababab");
         // The host nonce commitment value does not impact this test, but an invalid commitment
         // would fail the antiklepto signature check on the host. The host check is skipped here and
-        // tested in test_keystore_antiklepto.c. That the host nonce was included in the sig is
-        // tested by the siganture fixture test below.x
+        // tested in keystore::tests::test_secp256k1_antiklepto_protocol. That the host nonce was included in the sig is
+        // tested by the signature fixture test below.
         let host_nonce_commitment = pb::AntiKleptoHostNonceCommitment {
             commitment: bitbox02::secp256k1::ecdsa_anti_exfil_host_commit(SECP256K1, &host_nonce)
                 .unwrap(),
diff --git a/src/rust/bitbox02-rust/src/keystore.rs b/src/rust/bitbox02-rust/src/keystore.rs
@@ -1207,6 +1207,67 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_secp256k1_antiklepto_protocol() {
+        mock_unlocked();
+
+        let mut keypath = [84 + HARDENED, 1 + HARDENED, 0 + HARDENED, 0, 0];
+        let mut msg = [0x23u8; 32];
+        let mut host_nonce = [0x55u8; 32];
+
+        for index in 0..3 {
+            keypath[4] = index;
+            msg[0] = index as u8;
+            host_nonce[0] = index as u8;
+
+            // Protocol steps are described in secp256k1/include/secp256k1_ecdsa_s2c.h under
+            // "ECDSA Anti-Klepto Protocol".
+
+            // Protocol step 1.
+            let host_commitment_vec =
+                bitbox02::secp256k1::ecdsa_anti_exfil_host_commit(SECP256K1, &host_nonce).unwrap();
+            let host_commitment: [u8; 32] = host_commitment_vec.try_into().unwrap();
+
+            // Get pubkey at keypath.
+            let private_key = secp256k1_get_private_key(&keypath).unwrap();
+            let private_key_bytes: [u8; 32] = private_key.as_slice().try_into().unwrap();
+            let secret_key = secp256k1::SecretKey::from_slice(&private_key_bytes).unwrap();
+            let public_key = secret_key.public_key(SECP256K1);
+
+            // Commit - protocol step 2.
+            let signer_commitment =
+                secp256k1_nonce_commit(&private_key_bytes, &msg, &host_commitment).unwrap();
+            // Protocol step 3: host_nonce sent from host to signer to be used in step 4.
+            // Sign - protocol step 4.
+            let sign_result = secp256k1_sign(&private_key_bytes, &msg, &host_nonce).unwrap();
+
+            let signature =
+                secp256k1::ecdsa::Signature::from_compact(&sign_result.signature).unwrap();
+            // Protocol step 5: host verification.
+            bitbox02::secp256k1::anti_exfil_host_verify(
+                SECP256K1,
+                &signature,
+                &msg,
+                &public_key,
+                &host_nonce,
+                &signer_commitment,
+            )
+            .unwrap();
+
+            let message = secp256k1::Message::from_digest_slice(&msg).unwrap();
+            let recoverable_sig = secp256k1::ecdsa::RecoverableSignature::from_compact(
+                &sign_result.signature,
+                secp256k1::ecdsa::RecoveryId::from_i32(sign_result.recid as i32).unwrap(),
+            )
+            .unwrap();
+            assert!(
+                SECP256K1
+                    .verify_ecdsa(&message, &recoverable_sig.to_standard(), &public_key)
+                    .is_ok()
+            );
+        }
+    }
+
     #[test]
     fn test_secp256k1_schnorr_sign() {
         mock_unlocked_using_mnemonic(
diff --git a/src/rust/bitbox02-sys/build.rs b/src/rust/bitbox02-sys/build.rs
@@ -51,6 +51,9 @@ const ALLOWLIST_TYPES: &[&str] = &[
     "confirm_params_t",
     "trinary_input_string_params_t",
     "securechip_error_t",
+    "secp256k1_ecdsa_s2c_opening",
+    "secp256k1_ecdsa_signature",
+    "secp256k1_pubkey",
 ];
 
 const ALLOWLIST_FNS: &[&str] = &[
@@ -141,6 +144,8 @@ const ALLOWLIST_FNS: &[&str] = &[
     "sd_write_bin",
     "sdcard_create",
     "secp256k1_ecdsa_anti_exfil_host_commit",
+    "secp256k1_ecdsa_s2c_opening_parse",
+    "secp256k1_anti_exfil_host_verify",
     "securechip_attestation_sign",
     "securechip_kdf",
     "securechip_model",
diff --git a/src/rust/bitbox02/src/keystore.rs b/src/rust/bitbox02/src/keystore.rs
@@ -225,7 +225,5 @@ pub fn _encrypt_and_store_seed(seed: &[u8], password: &str) -> Result<(), Error>
 
 #[cfg(feature = "testing")]
 pub fn mock_unlocked(seed: &[u8]) {
-    unsafe {
-        bitbox02_sys::keystore_mock_unlocked(seed.as_ptr(), seed.len() as _, core::ptr::null())
-    }
+    unsafe { bitbox02_sys::keystore_mock_unlocked(seed.as_ptr(), seed.len() as _) }
 }
diff --git a/src/rust/bitbox02/src/secp256k1.rs b/src/rust/bitbox02/src/secp256k1.rs
@@ -32,6 +32,40 @@ pub fn ecdsa_anti_exfil_host_commit(secp: &Secp256k1<All>, rand32: &[u8]) -> Res
     }
 }
 
+#[cfg(feature = "testing")]
+pub fn anti_exfil_host_verify(
+    secp: &Secp256k1<All>,
+    signature: &bitcoin::secp256k1::ecdsa::Signature,
+    msg: &[u8; 32],
+    pubkey: &bitcoin::secp256k1::PublicKey,
+    host_nonce: &[u8; 32],
+    signer_commitment: &[u8; 33],
+) -> Result<(), ()> {
+    let mut opening = core::mem::MaybeUninit::<bitbox02_sys::secp256k1_ecdsa_s2c_opening>::uninit();
+    let parse_res = unsafe {
+        bitbox02_sys::secp256k1_ecdsa_s2c_opening_parse(
+            secp.ctx().as_ptr().cast(),
+            opening.as_mut_ptr(),
+            signer_commitment.as_ptr(),
+        )
+    };
+    if parse_res != 1 {
+        return Err(());
+    }
+    let opening = unsafe { opening.assume_init() };
+    let verify_res = unsafe {
+        bitbox02_sys::secp256k1_anti_exfil_host_verify(
+            secp.ctx().as_ptr().cast(),
+            signature.as_c_ptr() as *const bitbox02_sys::secp256k1_ecdsa_signature,
+            msg.as_ptr(),
+            pubkey.as_c_ptr() as *const bitbox02_sys::secp256k1_pubkey,
+            host_nonce.as_ptr(),
+            &opening,
+        )
+    };
+    if verify_res == 1 { Ok(()) } else { Err(()) }
+}
+
 pub fn dleq_prove(
     secp: &Secp256k1<All>,
     sk: &[u8; 32],
diff --git a/test/unit-test/CMakeLists.txt b/test/unit-test/CMakeLists.txt
@@ -49,8 +49,6 @@ target_include_directories(mocks
 set(TEST_LIST
    cleanup
    "-Wl,--wrap=util_cleanup_32"
-   keystore_antiklepto
-   ""
    gestures
    ""
    random
diff --git a/test/unit-test/test_keystore_antiklepto.c b/test/unit-test/test_keystore_antiklepto.c

Original file line number	Diff line number	Diff line change
`@@ -225,7 +225,5 @@ pub fn _encrypt_and_store_seed(seed: &[u8], password: &str) -> Result<(), Error>`
`225`	`225`
`226`	`226`	`#[cfg(feature = "testing")]`
`227`	`227`	`pub fn mock_unlocked(seed: &[u8]) {`
`228`		`- unsafe {`
`229`		`- bitbox02_sys::keystore_mock_unlocked(seed.as_ptr(), seed.len() as _, core::ptr::null())`
`230`		`- }`
	`228`	`+ unsafe { bitbox02_sys::keystore_mock_unlocked(seed.as_ptr(), seed.len() as _) }`
`231`	`229`	`}`