github.com/ethereum/go-ethereum@v1.16.1/accounts/scwallet/wallet.go (about) 1 // Copyright 2018 The go-ethereum Authors 2 // This file is part of the go-ethereum library. 3 // 4 // The go-ethereum library is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU Lesser General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // The go-ethereum library is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU Lesser General Public License for more details. 13 // 14 // You should have received a copy of the GNU Lesser General Public License 15 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 16 17 package scwallet 18 19 import ( 20 "bytes" 21 "context" 22 "crypto/hmac" 23 "crypto/sha256" 24 "crypto/sha512" 25 "encoding/asn1" 26 "encoding/binary" 27 "errors" 28 "fmt" 29 "math/big" 30 "regexp" 31 "sort" 32 "strings" 33 "sync" 34 "time" 35 36 "github.com/ethereum/go-ethereum" 37 "github.com/ethereum/go-ethereum/accounts" 38 "github.com/ethereum/go-ethereum/common" 39 "github.com/ethereum/go-ethereum/core/types" 40 "github.com/ethereum/go-ethereum/crypto" 41 "github.com/ethereum/go-ethereum/log" 42 pcsc "github.com/gballet/go-libpcsclite" 43 "github.com/status-im/keycard-go/derivationpath" 44 ) 45 46 // ErrPairingPasswordNeeded is returned if opening the smart card requires pairing with a pairing 47 // password. In this case, the calling application should request user input to enter 48 // the pairing password and send it back. 49 var ErrPairingPasswordNeeded = errors.New("smartcard: pairing password needed") 50 51 // ErrPINNeeded is returned if opening the smart card requires a PIN code. In 52 // this case, the calling application should request user input to enter the PIN 53 // and send it back. 54 var ErrPINNeeded = errors.New("smartcard: pin needed") 55 56 // ErrPINUnblockNeeded is returned if opening the smart card requires a PIN code, 57 // but all PIN attempts have already been exhausted. In this case the calling 58 // application should request user input for the PUK and a new PIN code to set 59 // fo the card. 60 var ErrPINUnblockNeeded = errors.New("smartcard: pin unblock needed") 61 62 // ErrAlreadyOpen is returned if the smart card is attempted to be opened, but 63 // there is already a paired and unlocked session. 64 var ErrAlreadyOpen = errors.New("smartcard: already open") 65 66 // ErrPubkeyMismatch is returned if the public key recovered from a signature 67 // does not match the one expected by the user. 68 var ErrPubkeyMismatch = errors.New("smartcard: recovered public key mismatch") 69 70 var ( 71 appletAID = []byte{0xA0, 0x00, 0x00, 0x08, 0x04, 0x00, 0x01, 0x01, 0x01} 72 // DerivationSignatureHash is used to derive the public key from the signature of this hash 73 DerivationSignatureHash = sha256.Sum256(common.Hash{}.Bytes()) 74 ) 75 76 var ( 77 // PinRegexp is the regular expression used to validate PIN codes. 78 pinRegexp = regexp.MustCompile(`^[0-9]{6,}$`) 79 80 // PukRegexp is the regular expression used to validate PUK codes. 81 pukRegexp = regexp.MustCompile(`^[0-9]{12,}$`) 82 ) 83 84 // List of APDU command-related constants 85 const ( 86 claISO7816 = 0 87 claSCWallet = 0x80 88 89 insSelect = 0xA4 90 insGetResponse = 0xC0 91 sw1GetResponse = 0x61 92 sw1Ok = 0x90 93 94 insVerifyPin = 0x20 95 insUnblockPin = 0x22 96 insExportKey = 0xC2 97 insSign = 0xC0 98 insLoadKey = 0xD0 99 insDeriveKey = 0xD1 100 insStatus = 0xF2 101 ) 102 103 // List of ADPU command parameters 104 const ( 105 P1DeriveKeyFromMaster = uint8(0x00) 106 P1DeriveKeyFromParent = uint8(0x01) 107 P1DeriveKeyFromCurrent = uint8(0x10) 108 statusP1WalletStatus = uint8(0x00) 109 statusP1Path = uint8(0x01) 110 signP1PrecomputedHash = uint8(0x00) 111 signP2OnlyBlock = uint8(0x00) 112 exportP1Any = uint8(0x00) 113 exportP2Pubkey = uint8(0x01) 114 ) 115 116 // Minimum time to wait between self derivation attempts, even it the user is 117 // requesting accounts like crazy. 118 const selfDeriveThrottling = time.Second 119 120 // Wallet represents a smartcard wallet instance. 121 type Wallet struct { 122 Hub *Hub // A handle to the Hub that instantiated this wallet. 123 PublicKey []byte // The wallet's public key (used for communication and identification, not signing!) 124 125 lock sync.Mutex // Lock that gates access to struct fields and communication with the card 126 card *pcsc.Card // A handle to the smartcard interface for the wallet. 127 session *Session // The secure communication session with the card 128 log log.Logger // Contextual logger to tag the base with its id 129 130 deriveNextPaths []accounts.DerivationPath // Next derivation paths for account auto-discovery (multiple bases supported) 131 deriveNextAddrs []common.Address // Next derived account addresses for auto-discovery (multiple bases supported) 132 deriveChain ethereum.ChainStateReader // Blockchain state reader to discover used account with 133 deriveReq chan chan struct{} // Channel to request a self-derivation on 134 deriveQuit chan chan error // Channel to terminate the self-deriver with 135 } 136 137 // NewWallet constructs and returns a new Wallet instance. 138 func NewWallet(hub *Hub, card *pcsc.Card) *Wallet { 139 wallet := &Wallet{ 140 Hub: hub, 141 card: card, 142 } 143 return wallet 144 } 145 146 // transmit sends an APDU to the smartcard and receives and decodes the response. 147 // It automatically handles requests by the card to fetch the return data separately, 148 // and returns an error if the response status code is not success. 149 func transmit(card *pcsc.Card, command *commandAPDU) (*responseAPDU, error) { 150 data, err := command.serialize() 151 if err != nil { 152 return nil, err 153 } 154 155 responseData, _, err := card.Transmit(data) 156 if err != nil { 157 return nil, err 158 } 159 160 response := new(responseAPDU) 161 if err = response.deserialize(responseData); err != nil { 162 return nil, err 163 } 164 165 // Are we being asked to fetch the response separately? 166 if response.Sw1 == sw1GetResponse && (command.Cla != claISO7816 || command.Ins != insGetResponse) { 167 return transmit(card, &commandAPDU{ 168 Cla: claISO7816, 169 Ins: insGetResponse, 170 P1: 0, 171 P2: 0, 172 Data: nil, 173 Le: response.Sw2, 174 }) 175 } 176 177 if response.Sw1 != sw1Ok { 178 return nil, fmt.Errorf("unexpected insecure response status Cla=%#x, Ins=%#x, Sw=%#x%x", command.Cla, command.Ins, response.Sw1, response.Sw2) 179 } 180 181 return response, nil 182 } 183 184 // applicationInfo encodes information about the smartcard application - its 185 // instance UID and public key. 186 type applicationInfo struct { 187 InstanceUID []byte `asn1:"tag:15"` 188 PublicKey []byte `asn1:"tag:0"` 189 } 190 191 // connect connects to the wallet application and establishes a secure channel with it. 192 // must be called before any other interaction with the wallet. 193 func (w *Wallet) connect() error { 194 w.lock.Lock() 195 defer w.lock.Unlock() 196 197 appinfo, err := w.doselect() 198 if err != nil { 199 return err 200 } 201 202 channel, err := NewSecureChannelSession(w.card, appinfo.PublicKey) 203 if err != nil { 204 return err 205 } 206 207 w.PublicKey = appinfo.PublicKey 208 w.log = log.New("url", w.URL()) 209 w.session = &Session{ 210 Wallet: w, 211 Channel: channel, 212 } 213 return nil 214 } 215 216 // doselect is an internal (unlocked) function to send a SELECT APDU to the card. 217 func (w *Wallet) doselect() (*applicationInfo, error) { 218 response, err := transmit(w.card, &commandAPDU{ 219 Cla: claISO7816, 220 Ins: insSelect, 221 P1: 4, 222 P2: 0, 223 Data: appletAID, 224 }) 225 if err != nil { 226 return nil, err 227 } 228 229 appinfo := new(applicationInfo) 230 if _, err := asn1.UnmarshalWithParams(response.Data, appinfo, "tag:4"); err != nil { 231 return nil, err 232 } 233 return appinfo, nil 234 } 235 236 // ping checks the card's status and returns an error if unsuccessful. 237 func (w *Wallet) ping() error { 238 w.lock.Lock() 239 defer w.lock.Unlock() 240 241 // We can't ping if not paired 242 if !w.session.paired() { 243 return nil 244 } 245 if _, err := w.session.walletStatus(); err != nil { 246 return err 247 } 248 return nil 249 } 250 251 // release releases any resources held by an open wallet instance. 252 func (w *Wallet) release() error { 253 if w.session != nil { 254 return w.session.release() 255 } 256 return nil 257 } 258 259 // pair is an internal (unlocked) function for establishing a new pairing 260 // with the wallet. 261 func (w *Wallet) pair(puk []byte) error { 262 if w.session.paired() { 263 return errors.New("wallet already paired") 264 } 265 pairing, err := w.session.pair(puk) 266 if err != nil { 267 return err 268 } 269 if err = w.Hub.setPairing(w, &pairing); err != nil { 270 return err 271 } 272 return w.session.authenticate(pairing) 273 } 274 275 // Unpair deletes an existing wallet pairing. 276 func (w *Wallet) Unpair(pin []byte) error { 277 w.lock.Lock() 278 defer w.lock.Unlock() 279 280 if !w.session.paired() { 281 return fmt.Errorf("wallet %x not paired", w.PublicKey) 282 } 283 if err := w.session.verifyPin(pin); err != nil { 284 return fmt.Errorf("failed to verify pin: %s", err) 285 } 286 if err := w.session.unpair(); err != nil { 287 return fmt.Errorf("failed to unpair: %s", err) 288 } 289 if err := w.Hub.setPairing(w, nil); err != nil { 290 return err 291 } 292 return nil 293 } 294 295 // URL retrieves the canonical path under which this wallet is reachable. It is 296 // user by upper layers to define a sorting order over all wallets from multiple 297 // backends. 298 func (w *Wallet) URL() accounts.URL { 299 return accounts.URL{ 300 Scheme: w.Hub.scheme, 301 Path: fmt.Sprintf("%x", w.PublicKey[1:5]), // Byte #0 isn't unique; 1:5 covers << 64K cards, bump to 1:9 for << 4M 302 } 303 } 304 305 // Status returns a textual status to aid the user in the current state of the 306 // wallet. It also returns an error indicating any failure the wallet might have 307 // encountered. 308 func (w *Wallet) Status() (string, error) { 309 w.lock.Lock() 310 defer w.lock.Unlock() 311 312 // If the card is not paired, we can only wait 313 if !w.session.paired() { 314 return "Unpaired, waiting for pairing password", nil 315 } 316 // Yay, we have an encrypted session, retrieve the actual status 317 status, err := w.session.walletStatus() 318 if err != nil { 319 return fmt.Sprintf("Failed: %v", err), err 320 } 321 switch { 322 case !w.session.verified && status.PinRetryCount == 0 && status.PukRetryCount == 0: 323 return "Bricked, waiting for full wipe", nil 324 case !w.session.verified && status.PinRetryCount == 0: 325 return fmt.Sprintf("Blocked, waiting for PUK (%d attempts left) and new PIN", status.PukRetryCount), nil 326 case !w.session.verified: 327 return fmt.Sprintf("Locked, waiting for PIN (%d attempts left)", status.PinRetryCount), nil 328 case !status.Initialized: 329 return "Empty, waiting for initialization", nil 330 default: 331 return "Online", nil 332 } 333 } 334 335 // Open initializes access to a wallet instance. It is not meant to unlock or 336 // decrypt account keys, rather simply to establish a connection to hardware 337 // wallets and/or to access derivation seeds. 338 // 339 // The passphrase parameter may or may not be used by the implementation of a 340 // particular wallet instance. The reason there is no passwordless open method 341 // is to strive towards a uniform wallet handling, oblivious to the different 342 // backend providers. 343 // 344 // Please note, if you open a wallet, you must close it to release any allocated 345 // resources (especially important when working with hardware wallets). 346 func (w *Wallet) Open(passphrase string) error { 347 w.lock.Lock() 348 defer w.lock.Unlock() 349 350 // If the session is already open, bail out 351 if w.session.verified { 352 return ErrAlreadyOpen 353 } 354 // If the smart card is not yet paired, attempt to do so either from a previous 355 // pairing key or form the supplied PUK code. 356 if !w.session.paired() { 357 // If a previous pairing exists, only ever try to use that 358 if pairing := w.Hub.pairing(w); pairing != nil { 359 if err := w.session.authenticate(*pairing); err != nil { 360 return fmt.Errorf("failed to authenticate card %x: %s", w.PublicKey[:4], err) 361 } 362 // Pairing still ok, fall through to PIN checks 363 } else { 364 // If no passphrase was supplied, request the PUK from the user 365 if passphrase == "" { 366 return ErrPairingPasswordNeeded 367 } 368 // Attempt to pair the smart card with the user supplied PUK 369 if err := w.pair([]byte(passphrase)); err != nil { 370 return err 371 } 372 // Pairing succeeded, fall through to PIN checks. This will of course fail, 373 // but we can't return ErrPINNeeded directly here because we don't know whether 374 // a PIN check or a PIN reset is needed. 375 passphrase = "" 376 } 377 } 378 // The smart card was successfully paired, retrieve its status to check whether 379 // PIN verification or unblocking is needed. 380 status, err := w.session.walletStatus() 381 if err != nil { 382 return err 383 } 384 // Request the appropriate next authentication data, or use the one supplied 385 switch { 386 case passphrase == "" && status.PinRetryCount > 0: 387 return ErrPINNeeded 388 case passphrase == "": 389 return ErrPINUnblockNeeded 390 case status.PinRetryCount > 0: 391 if !pinRegexp.MatchString(passphrase) { 392 w.log.Error("PIN needs to be at least 6 digits") 393 return ErrPINNeeded 394 } 395 if err := w.session.verifyPin([]byte(passphrase)); err != nil { 396 return err 397 } 398 default: 399 if !pukRegexp.MatchString(passphrase) { 400 w.log.Error("PUK needs to be at least 12 digits") 401 return ErrPINUnblockNeeded 402 } 403 if err := w.session.unblockPin([]byte(passphrase)); err != nil { 404 return err 405 } 406 } 407 // Smart card paired and unlocked, initialize and register 408 w.deriveReq = make(chan chan struct{}) 409 w.deriveQuit = make(chan chan error) 410 411 go w.selfDerive() 412 413 // Notify anyone listening for wallet events that a new device is accessible 414 go w.Hub.updateFeed.Send(accounts.WalletEvent{Wallet: w, Kind: accounts.WalletOpened}) 415 416 return nil 417 } 418 419 // Close stops and closes the wallet, freeing any resources. 420 func (w *Wallet) Close() error { 421 // Ensure the wallet was opened 422 w.lock.Lock() 423 dQuit := w.deriveQuit 424 w.lock.Unlock() 425 426 // Terminate the self-derivations 427 var derr error 428 if dQuit != nil { 429 errc := make(chan error) 430 dQuit <- errc 431 derr = <-errc // Save for later, we *must* close the USB 432 } 433 // Terminate the device connection 434 w.lock.Lock() 435 defer w.lock.Unlock() 436 437 w.deriveQuit = nil 438 w.deriveReq = nil 439 440 if err := w.release(); err != nil { 441 return err 442 } 443 return derr 444 } 445 446 // selfDerive is an account derivation loop that upon request attempts to find 447 // new non-zero accounts. 448 func (w *Wallet) selfDerive() { 449 w.log.Debug("Smart card wallet self-derivation started") 450 defer w.log.Debug("Smart card wallet self-derivation stopped") 451 452 // Execute self-derivations until termination or error 453 var ( 454 reqc chan struct{} 455 errc chan error 456 err error 457 ) 458 for errc == nil && err == nil { 459 // Wait until either derivation or termination is requested 460 select { 461 case errc = <-w.deriveQuit: 462 // Termination requested 463 continue 464 case reqc = <-w.deriveReq: 465 // Account discovery requested 466 } 467 // Derivation needs a chain and device access, skip if either unavailable 468 w.lock.Lock() 469 if w.session == nil || w.deriveChain == nil { 470 w.lock.Unlock() 471 reqc <- struct{}{} 472 continue 473 } 474 pairing := w.Hub.pairing(w) 475 476 // Device lock obtained, derive the next batch of accounts 477 var ( 478 paths []accounts.DerivationPath 479 nextAcc accounts.Account 480 481 nextPaths = append([]accounts.DerivationPath{}, w.deriveNextPaths...) 482 nextAddrs = append([]common.Address{}, w.deriveNextAddrs...) 483 484 context = context.Background() 485 ) 486 for i := 0; i < len(nextAddrs); i++ { 487 for empty := false; !empty; { 488 // Retrieve the next derived Ethereum account 489 if nextAddrs[i] == (common.Address{}) { 490 if nextAcc, err = w.session.derive(nextPaths[i]); err != nil { 491 w.log.Warn("Smartcard wallet account derivation failed", "err", err) 492 break 493 } 494 nextAddrs[i] = nextAcc.Address 495 } 496 // Check the account's status against the current chain state 497 var ( 498 balance *big.Int 499 nonce uint64 500 ) 501 balance, err = w.deriveChain.BalanceAt(context, nextAddrs[i], nil) 502 if err != nil { 503 w.log.Warn("Smartcard wallet balance retrieval failed", "err", err) 504 break 505 } 506 nonce, err = w.deriveChain.NonceAt(context, nextAddrs[i], nil) 507 if err != nil { 508 w.log.Warn("Smartcard wallet nonce retrieval failed", "err", err) 509 break 510 } 511 // If the next account is empty, stop self-derivation, but add for the last base path 512 if balance.Sign() == 0 && nonce == 0 { 513 empty = true 514 if i < len(nextAddrs)-1 { 515 break 516 } 517 } 518 // We've just self-derived a new account, start tracking it locally 519 path := make(accounts.DerivationPath, len(nextPaths[i])) 520 copy(path[:], nextPaths[i][:]) 521 paths = append(paths, path) 522 523 // Display a log message to the user for new (or previously empty accounts) 524 if _, known := pairing.Accounts[nextAddrs[i]]; !known || !empty || nextAddrs[i] != w.deriveNextAddrs[i] { 525 w.log.Info("Smartcard wallet discovered new account", "address", nextAddrs[i], "path", path, "balance", balance, "nonce", nonce) 526 } 527 pairing.Accounts[nextAddrs[i]] = path 528 529 // Fetch the next potential account 530 if !empty { 531 nextAddrs[i] = common.Address{} 532 nextPaths[i][len(nextPaths[i])-1]++ 533 } 534 } 535 } 536 // If there are new accounts, write them out 537 if len(paths) > 0 { 538 err = w.Hub.setPairing(w, pairing) 539 } 540 // Shift the self-derivation forward 541 w.deriveNextAddrs = nextAddrs 542 w.deriveNextPaths = nextPaths 543 544 // Self derivation complete, release device lock 545 w.lock.Unlock() 546 547 // Notify the user of termination and loop after a bit of time (to avoid trashing) 548 reqc <- struct{}{} 549 if err == nil { 550 select { 551 case errc = <-w.deriveQuit: 552 // Termination requested, abort 553 case <-time.After(selfDeriveThrottling): 554 // Waited enough, willing to self-derive again 555 } 556 } 557 } 558 // In case of error, wait for termination 559 if err != nil { 560 w.log.Debug("Smartcard wallet self-derivation failed", "err", err) 561 errc = <-w.deriveQuit 562 } 563 errc <- err 564 } 565 566 // Accounts retrieves the list of signing accounts the wallet is currently aware 567 // of. For hierarchical deterministic wallets, the list will not be exhaustive, 568 // rather only contain the accounts explicitly pinned during account derivation. 569 func (w *Wallet) Accounts() []accounts.Account { 570 // Attempt self-derivation if it's running 571 reqc := make(chan struct{}, 1) 572 select { 573 case w.deriveReq <- reqc: 574 // Self-derivation request accepted, wait for it 575 <-reqc 576 default: 577 // Self-derivation offline, throttled or busy, skip 578 } 579 580 w.lock.Lock() 581 defer w.lock.Unlock() 582 583 if pairing := w.Hub.pairing(w); pairing != nil { 584 ret := make([]accounts.Account, 0, len(pairing.Accounts)) 585 for address, path := range pairing.Accounts { 586 ret = append(ret, w.makeAccount(address, path)) 587 } 588 sort.Sort(accounts.AccountsByURL(ret)) 589 return ret 590 } 591 return nil 592 } 593 594 func (w *Wallet) makeAccount(address common.Address, path accounts.DerivationPath) accounts.Account { 595 return accounts.Account{ 596 Address: address, 597 URL: accounts.URL{ 598 Scheme: w.Hub.scheme, 599 Path: fmt.Sprintf("%x/%s", w.PublicKey[1:3], path.String()), 600 }, 601 } 602 } 603 604 // Contains returns whether an account is part of this particular wallet or not. 605 func (w *Wallet) Contains(account accounts.Account) bool { 606 if pairing := w.Hub.pairing(w); pairing != nil { 607 _, ok := pairing.Accounts[account.Address] 608 return ok 609 } 610 return false 611 } 612 613 // Initialize installs a keypair generated from the provided key into the wallet. 614 func (w *Wallet) Initialize(seed []byte) error { 615 go w.selfDerive() 616 // DO NOT lock at this stage, as the initialize 617 // function relies on Status() 618 return w.session.initialize(seed) 619 } 620 621 // Derive attempts to explicitly derive a hierarchical deterministic account at 622 // the specified derivation path. If requested, the derived account will be added 623 // to the wallet's tracked account list. 624 func (w *Wallet) Derive(path accounts.DerivationPath, pin bool) (accounts.Account, error) { 625 w.lock.Lock() 626 defer w.lock.Unlock() 627 628 account, err := w.session.derive(path) 629 if err != nil { 630 return accounts.Account{}, err 631 } 632 633 if pin { 634 pairing := w.Hub.pairing(w) 635 pairing.Accounts[account.Address] = path 636 if err := w.Hub.setPairing(w, pairing); err != nil { 637 return accounts.Account{}, err 638 } 639 } 640 641 return account, nil 642 } 643 644 // SelfDerive sets a base account derivation path from which the wallet attempts 645 // to discover non zero accounts and automatically add them to list of tracked 646 // accounts. 647 // 648 // Note, self derivation will increment the last component of the specified path 649 // opposed to descending into a child path to allow discovering accounts starting 650 // from non zero components. 651 // 652 // Some hardware wallets switched derivation paths through their evolution, so 653 // this method supports providing multiple bases to discover old user accounts 654 // too. Only the last base will be used to derive the next empty account. 655 // 656 // You can disable automatic account discovery by calling SelfDerive with a nil 657 // chain state reader. 658 func (w *Wallet) SelfDerive(bases []accounts.DerivationPath, chain ethereum.ChainStateReader) { 659 w.lock.Lock() 660 defer w.lock.Unlock() 661 662 w.deriveNextPaths = make([]accounts.DerivationPath, len(bases)) 663 for i, base := range bases { 664 w.deriveNextPaths[i] = make(accounts.DerivationPath, len(base)) 665 copy(w.deriveNextPaths[i][:], base[:]) 666 } 667 w.deriveNextAddrs = make([]common.Address, len(bases)) 668 w.deriveChain = chain 669 } 670 671 // SignData requests the wallet to sign the hash of the given data. 672 // 673 // It looks up the account specified either solely via its address contained within, 674 // or optionally with the aid of any location metadata from the embedded URL field. 675 // 676 // If the wallet requires additional authentication to sign the request (e.g. 677 // a password to decrypt the account, or a PIN code o verify the transaction), 678 // an AuthNeededError instance will be returned, containing infos for the user 679 // about which fields or actions are needed. The user may retry by providing 680 // the needed details via SignDataWithPassphrase, or by other means (e.g. unlock 681 // the account in a keystore). 682 func (w *Wallet) SignData(account accounts.Account, mimeType string, data []byte) ([]byte, error) { 683 return w.signHash(account, crypto.Keccak256(data)) 684 } 685 686 func (w *Wallet) signHash(account accounts.Account, hash []byte) ([]byte, error) { 687 w.lock.Lock() 688 defer w.lock.Unlock() 689 690 path, err := w.findAccountPath(account) 691 if err != nil { 692 return nil, err 693 } 694 695 return w.session.sign(path, hash) 696 } 697 698 // SignTx requests the wallet to sign the given transaction. 699 // 700 // It looks up the account specified either solely via its address contained within, 701 // or optionally with the aid of any location metadata from the embedded URL field. 702 // 703 // If the wallet requires additional authentication to sign the request (e.g. 704 // a password to decrypt the account, or a PIN code o verify the transaction), 705 // an AuthNeededError instance will be returned, containing infos for the user 706 // about which fields or actions are needed. The user may retry by providing 707 // the needed details via SignTxWithPassphrase, or by other means (e.g. unlock 708 // the account in a keystore). 709 func (w *Wallet) SignTx(account accounts.Account, tx *types.Transaction, chainID *big.Int) (*types.Transaction, error) { 710 signer := types.LatestSignerForChainID(chainID) 711 hash := signer.Hash(tx) 712 sig, err := w.signHash(account, hash[:]) 713 if err != nil { 714 return nil, err 715 } 716 return tx.WithSignature(signer, sig) 717 } 718 719 // SignDataWithPassphrase requests the wallet to sign the given hash with the 720 // given passphrase as extra authentication information. 721 // 722 // It looks up the account specified either solely via its address contained within, 723 // or optionally with the aid of any location metadata from the embedded URL field. 724 func (w *Wallet) SignDataWithPassphrase(account accounts.Account, passphrase, mimeType string, data []byte) ([]byte, error) { 725 return w.signHashWithPassphrase(account, passphrase, crypto.Keccak256(data)) 726 } 727 728 func (w *Wallet) signHashWithPassphrase(account accounts.Account, passphrase string, hash []byte) ([]byte, error) { 729 if !w.session.verified { 730 if err := w.Open(passphrase); err != nil { 731 return nil, err 732 } 733 } 734 735 return w.signHash(account, hash) 736 } 737 738 // SignText requests the wallet to sign the hash of a given piece of data, prefixed 739 // by the Ethereum prefix scheme 740 // It looks up the account specified either solely via its address contained within, 741 // or optionally with the aid of any location metadata from the embedded URL field. 742 // 743 // If the wallet requires additional authentication to sign the request (e.g. 744 // a password to decrypt the account, or a PIN code o verify the transaction), 745 // an AuthNeededError instance will be returned, containing infos for the user 746 // about which fields or actions are needed. The user may retry by providing 747 // the needed details via SignHashWithPassphrase, or by other means (e.g. unlock 748 // the account in a keystore). 749 func (w *Wallet) SignText(account accounts.Account, text []byte) ([]byte, error) { 750 return w.signHash(account, accounts.TextHash(text)) 751 } 752 753 // SignTextWithPassphrase implements accounts.Wallet, attempting to sign the 754 // given hash with the given account using passphrase as extra authentication 755 func (w *Wallet) SignTextWithPassphrase(account accounts.Account, passphrase string, text []byte) ([]byte, error) { 756 return w.signHashWithPassphrase(account, passphrase, crypto.Keccak256(accounts.TextHash(text))) 757 } 758 759 // SignTxWithPassphrase requests the wallet to sign the given transaction, with the 760 // given passphrase as extra authentication information. 761 // 762 // It looks up the account specified either solely via its address contained within, 763 // or optionally with the aid of any location metadata from the embedded URL field. 764 func (w *Wallet) SignTxWithPassphrase(account accounts.Account, passphrase string, tx *types.Transaction, chainID *big.Int) (*types.Transaction, error) { 765 if !w.session.verified { 766 if err := w.Open(passphrase); err != nil { 767 return nil, err 768 } 769 } 770 return w.SignTx(account, tx, chainID) 771 } 772 773 // findAccountPath returns the derivation path for the provided account. 774 // It first checks for the address in the list of pinned accounts, and if it is 775 // not found, attempts to parse the derivation path from the account's URL. 776 func (w *Wallet) findAccountPath(account accounts.Account) (accounts.DerivationPath, error) { 777 pairing := w.Hub.pairing(w) 778 if path, ok := pairing.Accounts[account.Address]; ok { 779 return path, nil 780 } 781 782 // Look for the path in the URL 783 if account.URL.Scheme != w.Hub.scheme { 784 return nil, fmt.Errorf("scheme %s does not match wallet scheme %s", account.URL.Scheme, w.Hub.scheme) 785 } 786 787 url, path, found := strings.Cut(account.URL.Path, "/") 788 if !found { 789 return nil, fmt.Errorf("invalid URL format: %s", account.URL) 790 } 791 792 if url != fmt.Sprintf("%x", w.PublicKey[1:3]) { 793 return nil, fmt.Errorf("URL %s is not for this wallet", account.URL) 794 } 795 796 return accounts.ParseDerivationPath(path) 797 } 798 799 // Session represents a secured communication session with the wallet. 800 type Session struct { 801 Wallet *Wallet // A handle to the wallet that opened the session 802 Channel *SecureChannelSession // A secure channel for encrypted messages 803 verified bool // Whether the pin has been verified in this session. 804 } 805 806 // pair establishes a new pairing over this channel, using the provided secret. 807 func (s *Session) pair(secret []byte) (smartcardPairing, error) { 808 err := s.Channel.Pair(secret) 809 if err != nil { 810 return smartcardPairing{}, err 811 } 812 813 return smartcardPairing{ 814 PublicKey: s.Wallet.PublicKey, 815 PairingIndex: s.Channel.PairingIndex, 816 PairingKey: s.Channel.PairingKey, 817 Accounts: make(map[common.Address]accounts.DerivationPath), 818 }, nil 819 } 820 821 // unpair deletes an existing pairing. 822 func (s *Session) unpair() error { 823 if !s.verified { 824 return errors.New("unpair requires that the PIN be verified") 825 } 826 return s.Channel.Unpair() 827 } 828 829 // verifyPin unlocks a wallet with the provided pin. 830 func (s *Session) verifyPin(pin []byte) error { 831 if _, err := s.Channel.transmitEncrypted(claSCWallet, insVerifyPin, 0, 0, pin); err != nil { 832 return err 833 } 834 s.verified = true 835 return nil 836 } 837 838 // unblockPin unblocks a wallet with the provided puk and resets the pin to the 839 // new one specified. 840 func (s *Session) unblockPin(pukpin []byte) error { 841 if _, err := s.Channel.transmitEncrypted(claSCWallet, insUnblockPin, 0, 0, pukpin); err != nil { 842 return err 843 } 844 s.verified = true 845 return nil 846 } 847 848 // release releases resources associated with the channel. 849 func (s *Session) release() error { 850 return s.Wallet.card.Disconnect(pcsc.LeaveCard) 851 } 852 853 // paired returns true if a valid pairing exists. 854 func (s *Session) paired() bool { 855 return s.Channel.PairingKey != nil 856 } 857 858 // authenticate uses an existing pairing to establish a secure channel. 859 func (s *Session) authenticate(pairing smartcardPairing) error { 860 if !bytes.Equal(s.Wallet.PublicKey, pairing.PublicKey) { 861 return fmt.Errorf("cannot pair using another wallet's pairing; %x != %x", s.Wallet.PublicKey, pairing.PublicKey) 862 } 863 s.Channel.PairingKey = pairing.PairingKey 864 s.Channel.PairingIndex = pairing.PairingIndex 865 return s.Channel.Open() 866 } 867 868 // walletStatus describes a smartcard wallet's status information. 869 type walletStatus struct { 870 PinRetryCount int // Number of remaining PIN retries 871 PukRetryCount int // Number of remaining PUK retries 872 Initialized bool // Whether the card has been initialized with a private key 873 } 874 875 // walletStatus fetches the wallet's status from the card. 876 func (s *Session) walletStatus() (*walletStatus, error) { 877 response, err := s.Channel.transmitEncrypted(claSCWallet, insStatus, statusP1WalletStatus, 0, nil) 878 if err != nil { 879 return nil, err 880 } 881 882 status := new(walletStatus) 883 if _, err := asn1.UnmarshalWithParams(response.Data, status, "tag:3"); err != nil { 884 return nil, err 885 } 886 return status, nil 887 } 888 889 // derivationPath fetches the wallet's current derivation path from the card. 890 // 891 //lint:ignore U1000 needs to be added to the console interface 892 func (s *Session) derivationPath() (accounts.DerivationPath, error) { 893 response, err := s.Channel.transmitEncrypted(claSCWallet, insStatus, statusP1Path, 0, nil) 894 if err != nil { 895 return nil, err 896 } 897 buf := bytes.NewReader(response.Data) 898 path := make(accounts.DerivationPath, len(response.Data)/4) 899 return path, binary.Read(buf, binary.BigEndian, &path) 900 } 901 902 // initializeData contains data needed to initialize the smartcard wallet. 903 type initializeData struct { 904 PublicKey []byte `asn1:"tag:0"` 905 PrivateKey []byte `asn1:"tag:1"` 906 ChainCode []byte `asn1:"tag:2"` 907 } 908 909 // initialize initializes the card with new key data. 910 func (s *Session) initialize(seed []byte) error { 911 // Check that the wallet isn't currently initialized, 912 // otherwise the key would be overwritten. 913 status, err := s.Wallet.Status() 914 if err != nil { 915 return err 916 } 917 if status == "Online" { 918 return errors.New("card is already initialized, cowardly refusing to proceed") 919 } 920 921 s.Wallet.lock.Lock() 922 defer s.Wallet.lock.Unlock() 923 924 // HMAC the seed to produce the private key and chain code 925 mac := hmac.New(sha512.New, []byte("Bitcoin seed")) 926 mac.Write(seed) 927 seed = mac.Sum(nil) 928 929 key, err := crypto.ToECDSA(seed[:32]) 930 if err != nil { 931 return err 932 } 933 934 id := initializeData{} 935 id.PublicKey = crypto.FromECDSAPub(&key.PublicKey) 936 id.PrivateKey = seed[:32] 937 id.ChainCode = seed[32:] 938 data, err := asn1.Marshal(id) 939 if err != nil { 940 return err 941 } 942 943 // Nasty hack to force the top-level struct tag to be context-specific 944 data[0] = 0xA1 945 946 _, err = s.Channel.transmitEncrypted(claSCWallet, insLoadKey, 0x02, 0, data) 947 return err 948 } 949 950 // derive derives a new HD key path on the card. 951 func (s *Session) derive(path accounts.DerivationPath) (accounts.Account, error) { 952 startingPoint, path, err := derivationpath.Decode(path.String()) 953 if err != nil { 954 return accounts.Account{}, err 955 } 956 957 var p1 uint8 958 switch startingPoint { 959 case derivationpath.StartingPointMaster: 960 p1 = P1DeriveKeyFromMaster 961 case derivationpath.StartingPointParent: 962 p1 = P1DeriveKeyFromParent 963 case derivationpath.StartingPointCurrent: 964 p1 = P1DeriveKeyFromCurrent 965 default: 966 return accounts.Account{}, fmt.Errorf("invalid startingPoint %d", startingPoint) 967 } 968 969 data := new(bytes.Buffer) 970 for _, segment := range path { 971 if err := binary.Write(data, binary.BigEndian, segment); err != nil { 972 return accounts.Account{}, err 973 } 974 } 975 976 _, err = s.Channel.transmitEncrypted(claSCWallet, insDeriveKey, p1, 0, data.Bytes()) 977 if err != nil { 978 return accounts.Account{}, err 979 } 980 981 response, err := s.Channel.transmitEncrypted(claSCWallet, insSign, 0, 0, DerivationSignatureHash[:]) 982 if err != nil { 983 return accounts.Account{}, err 984 } 985 986 sigdata := new(signatureData) 987 if _, err := asn1.UnmarshalWithParams(response.Data, sigdata, "tag:0"); err != nil { 988 return accounts.Account{}, err 989 } 990 rbytes, sbytes := sigdata.Signature.R.Bytes(), sigdata.Signature.S.Bytes() 991 sig := make([]byte, 65) 992 copy(sig[32-len(rbytes):32], rbytes) 993 copy(sig[64-len(sbytes):64], sbytes) 994 995 if err := confirmPublicKey(sig, sigdata.PublicKey); err != nil { 996 return accounts.Account{}, err 997 } 998 pub, err := crypto.UnmarshalPubkey(sigdata.PublicKey) 999 if err != nil { 1000 return accounts.Account{}, err 1001 } 1002 return s.Wallet.makeAccount(crypto.PubkeyToAddress(*pub), path), nil 1003 } 1004 1005 // keyExport contains information on an exported keypair. 1006 // 1007 //lint:ignore U1000 needs to be added to the console interface 1008 type keyExport struct { 1009 PublicKey []byte `asn1:"tag:0"` 1010 PrivateKey []byte `asn1:"tag:1,optional"` 1011 } 1012 1013 // publicKey returns the public key for the current derivation path. 1014 // 1015 //lint:ignore U1000 needs to be added to the console interface 1016 func (s *Session) publicKey() ([]byte, error) { 1017 response, err := s.Channel.transmitEncrypted(claSCWallet, insExportKey, exportP1Any, exportP2Pubkey, nil) 1018 if err != nil { 1019 return nil, err 1020 } 1021 keys := new(keyExport) 1022 if _, err := asn1.UnmarshalWithParams(response.Data, keys, "tag:1"); err != nil { 1023 return nil, err 1024 } 1025 return keys.PublicKey, nil 1026 } 1027 1028 // signatureData contains information on a signature - the signature itself and 1029 // the corresponding public key. 1030 type signatureData struct { 1031 PublicKey []byte `asn1:"tag:0"` 1032 Signature struct { 1033 R *big.Int 1034 S *big.Int 1035 } 1036 } 1037 1038 // sign asks the card to sign a message, and returns a valid signature after 1039 // recovering the v value. 1040 func (s *Session) sign(path accounts.DerivationPath, hash []byte) ([]byte, error) { 1041 startTime := time.Now() 1042 _, err := s.derive(path) 1043 if err != nil { 1044 return nil, err 1045 } 1046 deriveTime := time.Now() 1047 1048 response, err := s.Channel.transmitEncrypted(claSCWallet, insSign, signP1PrecomputedHash, signP2OnlyBlock, hash) 1049 if err != nil { 1050 return nil, err 1051 } 1052 sigdata := new(signatureData) 1053 if _, err := asn1.UnmarshalWithParams(response.Data, sigdata, "tag:0"); err != nil { 1054 return nil, err 1055 } 1056 // Serialize the signature 1057 rbytes, sbytes := sigdata.Signature.R.Bytes(), sigdata.Signature.S.Bytes() 1058 sig := make([]byte, 65) 1059 copy(sig[32-len(rbytes):32], rbytes) 1060 copy(sig[64-len(sbytes):64], sbytes) 1061 1062 // Recover the V value. 1063 sig, err = makeRecoverableSignature(hash, sig, sigdata.PublicKey) 1064 if err != nil { 1065 return nil, err 1066 } 1067 log.Debug("Signed using smartcard", "deriveTime", deriveTime.Sub(startTime), "signingTime", time.Since(deriveTime)) 1068 1069 return sig, nil 1070 } 1071 1072 // confirmPublicKey confirms that the given signature belongs to the specified key. 1073 func confirmPublicKey(sig, pubkey []byte) error { 1074 _, err := makeRecoverableSignature(DerivationSignatureHash[:], sig, pubkey) 1075 return err 1076 } 1077 1078 // makeRecoverableSignature uses a signature and an expected public key to 1079 // recover the v value and produce a recoverable signature. 1080 func makeRecoverableSignature(hash, sig, expectedPubkey []byte) ([]byte, error) { 1081 var libraryError error 1082 for v := 0; v < 2; v++ { 1083 sig[64] = byte(v) 1084 if pubkey, err := crypto.Ecrecover(hash, sig); err == nil { 1085 if bytes.Equal(pubkey, expectedPubkey) { 1086 return sig, nil 1087 } 1088 } else { 1089 libraryError = err 1090 } 1091 } 1092 if libraryError != nil { 1093 return nil, libraryError 1094 } 1095 return nil, ErrPubkeyMismatch 1096 }