github.com/fff-chain/go-fff@v0.0.0-20220726032732-1c84420b8a99/accounts/scwallet/securechannel.go (about) 1 // Copyright 2018 The go-ethereum Authors 2 // This file is part of the go-ethereum library. 3 // 4 // The go-ethereum library is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU Lesser General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // The go-ethereum library is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU Lesser General Public License for more details. 13 // 14 // You should have received a copy of the GNU Lesser General Public License 15 // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>. 16 17 package scwallet 18 19 import ( 20 "bytes" 21 "crypto/aes" 22 "crypto/cipher" 23 "crypto/elliptic" 24 "crypto/rand" 25 "crypto/sha256" 26 "crypto/sha512" 27 "fmt" 28 29 "github.com/fff-chain/go-fff/crypto" 30 pcsc "github.com/gballet/go-libpcsclite" 31 "golang.org/x/crypto/pbkdf2" 32 "golang.org/x/text/unicode/norm" 33 ) 34 35 const ( 36 maxPayloadSize = 223 37 pairP1FirstStep = 0 38 pairP1LastStep = 1 39 40 scSecretLength = 32 41 scBlockSize = 16 42 43 insOpenSecureChannel = 0x10 44 insMutuallyAuthenticate = 0x11 45 insPair = 0x12 46 insUnpair = 0x13 47 48 pairingSalt = "Keycard Pairing Password Salt" 49 ) 50 51 // SecureChannelSession enables secure communication with a hardware wallet. 52 type SecureChannelSession struct { 53 card *pcsc.Card // A handle to the smartcard for communication 54 secret []byte // A shared secret generated from our ECDSA keys 55 publicKey []byte // Our own ephemeral public key 56 PairingKey []byte // A permanent shared secret for a pairing, if present 57 sessionEncKey []byte // The current session encryption key 58 sessionMacKey []byte // The current session MAC key 59 iv []byte // The current IV 60 PairingIndex uint8 // The pairing index 61 } 62 63 // NewSecureChannelSession creates a new secure channel for the given card and public key. 64 func NewSecureChannelSession(card *pcsc.Card, keyData []byte) (*SecureChannelSession, error) { 65 // Generate an ECDSA keypair for ourselves 66 key, err := crypto.GenerateKey() 67 if err != nil { 68 return nil, err 69 } 70 cardPublic, err := crypto.UnmarshalPubkey(keyData) 71 if err != nil { 72 return nil, fmt.Errorf("could not unmarshal public key from card: %v", err) 73 } 74 secret, _ := key.Curve.ScalarMult(cardPublic.X, cardPublic.Y, key.D.Bytes()) 75 return &SecureChannelSession{ 76 card: card, 77 secret: secret.Bytes(), 78 publicKey: elliptic.Marshal(crypto.S256(), key.PublicKey.X, key.PublicKey.Y), 79 }, nil 80 } 81 82 // Pair establishes a new pairing with the smartcard. 83 func (s *SecureChannelSession) Pair(pairingPassword []byte) error { 84 secretHash := pbkdf2.Key(norm.NFKD.Bytes(pairingPassword), norm.NFKD.Bytes([]byte(pairingSalt)), 50000, 32, sha256.New) 85 86 challenge := make([]byte, 32) 87 if _, err := rand.Read(challenge); err != nil { 88 return err 89 } 90 91 response, err := s.pair(pairP1FirstStep, challenge) 92 if err != nil { 93 return err 94 } 95 96 md := sha256.New() 97 md.Write(secretHash[:]) 98 md.Write(challenge) 99 100 expectedCryptogram := md.Sum(nil) 101 cardCryptogram := response.Data[:32] 102 cardChallenge := response.Data[32:64] 103 104 if !bytes.Equal(expectedCryptogram, cardCryptogram) { 105 return fmt.Errorf("invalid card cryptogram %v != %v", expectedCryptogram, cardCryptogram) 106 } 107 108 md.Reset() 109 md.Write(secretHash[:]) 110 md.Write(cardChallenge) 111 response, err = s.pair(pairP1LastStep, md.Sum(nil)) 112 if err != nil { 113 return err 114 } 115 116 md.Reset() 117 md.Write(secretHash[:]) 118 md.Write(response.Data[1:]) 119 s.PairingKey = md.Sum(nil) 120 s.PairingIndex = response.Data[0] 121 122 return nil 123 } 124 125 // Unpair disestablishes an existing pairing. 126 func (s *SecureChannelSession) Unpair() error { 127 if s.PairingKey == nil { 128 return fmt.Errorf("cannot unpair: not paired") 129 } 130 131 _, err := s.transmitEncrypted(claSCWallet, insUnpair, s.PairingIndex, 0, []byte{}) 132 if err != nil { 133 return err 134 } 135 s.PairingKey = nil 136 // Close channel 137 s.iv = nil 138 return nil 139 } 140 141 // Open initializes the secure channel. 142 func (s *SecureChannelSession) Open() error { 143 if s.iv != nil { 144 return fmt.Errorf("session already opened") 145 } 146 147 response, err := s.open() 148 if err != nil { 149 return err 150 } 151 152 // Generate the encryption/mac key by hashing our shared secret, 153 // pairing key, and the first bytes returned from the Open APDU. 154 md := sha512.New() 155 md.Write(s.secret) 156 md.Write(s.PairingKey) 157 md.Write(response.Data[:scSecretLength]) 158 keyData := md.Sum(nil) 159 s.sessionEncKey = keyData[:scSecretLength] 160 s.sessionMacKey = keyData[scSecretLength : scSecretLength*2] 161 162 // The IV is the last bytes returned from the Open APDU. 163 s.iv = response.Data[scSecretLength:] 164 165 return s.mutuallyAuthenticate() 166 } 167 168 // mutuallyAuthenticate is an internal method to authenticate both ends of the 169 // connection. 170 func (s *SecureChannelSession) mutuallyAuthenticate() error { 171 data := make([]byte, scSecretLength) 172 if _, err := rand.Read(data); err != nil { 173 return err 174 } 175 176 response, err := s.transmitEncrypted(claSCWallet, insMutuallyAuthenticate, 0, 0, data) 177 if err != nil { 178 return err 179 } 180 if response.Sw1 != 0x90 || response.Sw2 != 0x00 { 181 return fmt.Errorf("got unexpected response from MUTUALLY_AUTHENTICATE: 0x%x%x", response.Sw1, response.Sw2) 182 } 183 184 if len(response.Data) != scSecretLength { 185 return fmt.Errorf("response from MUTUALLY_AUTHENTICATE was %d bytes, expected %d", len(response.Data), scSecretLength) 186 } 187 188 return nil 189 } 190 191 // open is an internal method that sends an open APDU. 192 func (s *SecureChannelSession) open() (*responseAPDU, error) { 193 return transmit(s.card, &commandAPDU{ 194 Cla: claSCWallet, 195 Ins: insOpenSecureChannel, 196 P1: s.PairingIndex, 197 P2: 0, 198 Data: s.publicKey, 199 Le: 0, 200 }) 201 } 202 203 // pair is an internal method that sends a pair APDU. 204 func (s *SecureChannelSession) pair(p1 uint8, data []byte) (*responseAPDU, error) { 205 return transmit(s.card, &commandAPDU{ 206 Cla: claSCWallet, 207 Ins: insPair, 208 P1: p1, 209 P2: 0, 210 Data: data, 211 Le: 0, 212 }) 213 } 214 215 // transmitEncrypted sends an encrypted message, and decrypts and returns the response. 216 func (s *SecureChannelSession) transmitEncrypted(cla, ins, p1, p2 byte, data []byte) (*responseAPDU, error) { 217 if s.iv == nil { 218 return nil, fmt.Errorf("channel not open") 219 } 220 221 data, err := s.encryptAPDU(data) 222 if err != nil { 223 return nil, err 224 } 225 meta := [16]byte{cla, ins, p1, p2, byte(len(data) + scBlockSize)} 226 if err = s.updateIV(meta[:], data); err != nil { 227 return nil, err 228 } 229 230 fulldata := make([]byte, len(s.iv)+len(data)) 231 copy(fulldata, s.iv) 232 copy(fulldata[len(s.iv):], data) 233 234 response, err := transmit(s.card, &commandAPDU{ 235 Cla: cla, 236 Ins: ins, 237 P1: p1, 238 P2: p2, 239 Data: fulldata, 240 }) 241 if err != nil { 242 return nil, err 243 } 244 245 rmeta := [16]byte{byte(len(response.Data))} 246 rmac := response.Data[:len(s.iv)] 247 rdata := response.Data[len(s.iv):] 248 plainData, err := s.decryptAPDU(rdata) 249 if err != nil { 250 return nil, err 251 } 252 253 if err = s.updateIV(rmeta[:], rdata); err != nil { 254 return nil, err 255 } 256 if !bytes.Equal(s.iv, rmac) { 257 return nil, fmt.Errorf("invalid MAC in response") 258 } 259 260 rapdu := &responseAPDU{} 261 rapdu.deserialize(plainData) 262 263 if rapdu.Sw1 != sw1Ok { 264 return nil, fmt.Errorf("unexpected response status Cla=0x%x, Ins=0x%x, Sw=0x%x%x", cla, ins, rapdu.Sw1, rapdu.Sw2) 265 } 266 267 return rapdu, nil 268 } 269 270 // encryptAPDU is an internal method that serializes and encrypts an APDU. 271 func (s *SecureChannelSession) encryptAPDU(data []byte) ([]byte, error) { 272 if len(data) > maxPayloadSize { 273 return nil, fmt.Errorf("payload of %d bytes exceeds maximum of %d", len(data), maxPayloadSize) 274 } 275 data = pad(data, 0x80) 276 277 ret := make([]byte, len(data)) 278 279 a, err := aes.NewCipher(s.sessionEncKey) 280 if err != nil { 281 return nil, err 282 } 283 crypter := cipher.NewCBCEncrypter(a, s.iv) 284 crypter.CryptBlocks(ret, data) 285 return ret, nil 286 } 287 288 // pad applies message padding to a 16 byte boundary. 289 func pad(data []byte, terminator byte) []byte { 290 padded := make([]byte, (len(data)/16+1)*16) 291 copy(padded, data) 292 padded[len(data)] = terminator 293 return padded 294 } 295 296 // decryptAPDU is an internal method that decrypts and deserializes an APDU. 297 func (s *SecureChannelSession) decryptAPDU(data []byte) ([]byte, error) { 298 a, err := aes.NewCipher(s.sessionEncKey) 299 if err != nil { 300 return nil, err 301 } 302 303 ret := make([]byte, len(data)) 304 305 crypter := cipher.NewCBCDecrypter(a, s.iv) 306 crypter.CryptBlocks(ret, data) 307 return unpad(ret, 0x80) 308 } 309 310 // unpad strips padding from a message. 311 func unpad(data []byte, terminator byte) ([]byte, error) { 312 for i := 1; i <= 16; i++ { 313 switch data[len(data)-i] { 314 case 0: 315 continue 316 case terminator: 317 return data[:len(data)-i], nil 318 default: 319 return nil, fmt.Errorf("expected end of padding, got %d", data[len(data)-i]) 320 } 321 } 322 return nil, fmt.Errorf("expected end of padding, got 0") 323 } 324 325 // updateIV is an internal method that updates the initialization vector after 326 // each message exchanged. 327 func (s *SecureChannelSession) updateIV(meta, data []byte) error { 328 data = pad(data, 0) 329 a, err := aes.NewCipher(s.sessionMacKey) 330 if err != nil { 331 return err 332 } 333 crypter := cipher.NewCBCEncrypter(a, make([]byte, 16)) 334 crypter.CryptBlocks(meta, meta) 335 crypter.CryptBlocks(data, data) 336 // The first 16 bytes of the last block is the MAC 337 s.iv = data[len(data)-32 : len(data)-16] 338 return nil 339 }