Merge pull request #26 from alephium/verify-token-metadata

Verify token metadata

Author: polarker

.github/workflows/misspellings_checks.yml

@@ -27,4 +27,4 @@ jobs:
         builtin: clear,rare
         check_filenames: true
         ignore_words_list: crate,Crate,alph,ALPH
-        exclude_file: js/package-lock.json
+        exclude_file: js/package-lock.json,js/merkle-tree/token.json

Makefile

@@ -28,7 +28,9 @@ check:
 			cargo fmt --all -- --check && \
 			echo 'Cargo clippy' && \
 			cargo +nightly-2023-11-10 clippy --target=nanos && \
-			cargo +nightly-2023-11-10 clippy --target=stax \
+			cargo +nightly-2023-11-10 clippy --target=stax && \
+			cargo install cargo-audit && cargo audit && \
+			cargo install --locked cargo-deny && cargo +nightly-2023-11-10 deny check \
 		"
 
 _run-speculos:

app/Cargo.toml

@@ -3,6 +3,7 @@ name = "alephium"
 version = "0.4.0"
 authors = ["alephium devs"]
 edition = "2021"
+license = "MIT"
 
 [dependencies]
 ledger_device_sdk = "=1.12.0"

app/deny.toml

@@ -0,0 +1,5 @@
+[bans]
+multiple-versions = "allow"
+
+[licenses]
+allow = [ "MIT", "Apache-2.0", "Unicode-DFS-2016", "ISC", "BSD-3-Clause" ]

app/src/blake2b_hasher.rs

@@ -2,6 +2,7 @@ use crate::error_code::ErrorCode;
 use ledger_secure_sdk_sys::*;
 
 pub const BLAKE2B_HASH_SIZE: usize = 32;
+pub type Blake2bHash = [u8; BLAKE2B_HASH_SIZE];
 pub struct Blake2bHasher(cx_blake2b_s);
 
 // A wrapper around the Ledger SDK's blake2b implementation
@@ -12,7 +13,7 @@ impl Blake2bHasher {
         Self(v)
     }
 
-    pub fn hash(input: &[u8]) -> Result<[u8; BLAKE2B_HASH_SIZE], ErrorCode> {
+    pub fn hash(input: &[u8]) -> Result<Blake2bHash, ErrorCode> {
         let mut hasher = Blake2bHasher::new();
         hasher.update(input)?;
         hasher.finalize()
@@ -37,7 +38,7 @@ impl Blake2bHasher {
         }
     }
 
-    pub fn finalize(&mut self) -> Result<[u8; BLAKE2B_HASH_SIZE], ErrorCode> {
+    pub fn finalize(&mut self) -> Result<Blake2bHash, ErrorCode> {
         let mut result = [0u8; BLAKE2B_HASH_SIZE];
         let rc = unsafe {
             cx_hash_final(

app/src/error_code.rs

@@ -18,6 +18,8 @@ pub enum ErrorCode {
     DerivingPublicKeyFailed = 0xE005,
     InvalidTokenSize = 0xE006,
     InvalidMetadataVersion = 0xE007,
+    InvalidTokenProofSize = 0xE008,
+    InvalidTokenMetadata = 0xE009,
     InternalError = 0xEF00,
 }
 

app/src/handler.rs

@@ -6,19 +6,16 @@ use crate::{
     error_code::ErrorCode,
     public_key::derive_pub_key,
     sign_tx_context::{check_blind_signing, SignTxContext},
-    ui::{
-        review_address, sign_hash_ui,
-        tx_reviewer::{TxReviewer, TOKEN_METADATA_SIZE},
-    },
+    ui::{review_address, sign_hash_ui, tx_reviewer::TxReviewer},
 };
 
 const MAX_TOKEN_SIZE: u8 = 5;
 const PATH_LENGTH: usize = 20;
 const HASH_LENGTH: usize = 32;
 const PATH_HEX_LENGTH: usize = PATH_LENGTH * 2;
-const FIRST_FRAME_PREFIX_LENGTH: usize = PATH_LENGTH + 1; // path + 1 byte token size
 const CALL_CONTRACT_FLAG: u8 = 0x01;
 const SCRIPT_OFFSET: usize = 3; // the encoded script offset in the tx
+pub const TOKEN_METADATA_SIZE: usize = 46;
 
 #[repr(u8)]
 pub enum Ins {
@@ -110,7 +107,13 @@ pub fn handle_apdu(
             }
         }
         Ins::SignTx => {
-            let data = comm.get_data()?;
+            let data = match comm.get_data() {
+                Ok(data) => data,
+                Err(code) => {
+                    reset(sign_tx_context, tx_reviewer);
+                    return Err(code.into());
+                }
+            };
             match handle_sign_tx(apdu_header, data, sign_tx_context, tx_reviewer) {
                 Ok(()) if !sign_tx_context.is_complete() => {
                     return Ok(());
@@ -128,9 +131,11 @@ pub fn handle_apdu(
                         }
                         Err(code) => Err(code.into()),
                     };
+                    reset(sign_tx_context, tx_reviewer);
                     return result;
                 }
                 Err(code) => {
+                    reset(sign_tx_context, tx_reviewer);
                     return Err(code.into());
                 }
             }
@@ -139,55 +144,66 @@ pub fn handle_apdu(
     Ok(())
 }
 
-// The transaction is split into multiple APDU commands
-// The first APDU command contains the path and token metadata
-// The subsequent APDU commands contain the transaction data
-// The transaction data is processed in chunks
+// The transaction is split into multiple APDU commands, consisting of token metadata APDU and tx APDU commands
+// We use `p1` and `p2` to distinguish between APDUs:
+// * `p1` = 0 and `p2` = 0 indicates the first token metadata APDU frame
+// * `p1` = 0 and `p2` = 1 indicates a new token metadata APDU frame
+// * `p1` = 0 and `p2` = 2 indicates the remaining token proof APDU frame
+// * `p1` = 1 and `p2` = 0 indicates the first tx APDU frame
+// * `p1` = 1 and `p2` = 1 indicates subsequent tx APDU frames
 fn handle_sign_tx(
     apdu_header: &ApduHeader,
     data: &[u8],
     sign_tx_context: &mut SignTxContext,
     tx_reviewer: &mut TxReviewer,
 ) -> Result<(), ErrorCode> {
-    match apdu_header.p1 {
-        0 if data.len() < FIRST_FRAME_PREFIX_LENGTH => Err(ErrorCode::BadLen),
-        0 => {
-            // handle the path
-            sign_tx_context.init(&data[..PATH_LENGTH])?;
-
-            // handle the token metadata
-            let token_size = data[FIRST_FRAME_PREFIX_LENGTH - 1];
-            if token_size > MAX_TOKEN_SIZE {
-                return Err(ErrorCode::InvalidTokenSize);
+    match (apdu_header.p1, apdu_header.p2) {
+        (0, 0) => {
+            // the first frame
+            if data.is_empty() {
+                return Err(ErrorCode::BadLen);
+            }
+            let token_size = data[0]; // the first byte is the token size
+            check_token_size(token_size)?;
+            tx_reviewer.init(token_size)?;
+            if token_size == 0 {
+                return Ok(());
             }
-            let tx_data_index: usize =
-                FIRST_FRAME_PREFIX_LENGTH + TOKEN_METADATA_SIZE * (token_size as usize);
-            if data.len() < tx_data_index + SCRIPT_OFFSET {
+            tx_reviewer.handle_token_metadata(&data[1..])
+        }
+        (0, 1) => tx_reviewer.handle_token_metadata(data), // token metadata and proof frame
+        (0, 2) => tx_reviewer.handle_token_proof(data),    // the following token proof frame
+        (1, 0) => {
+            // the first unsigned tx frame
+            if data.len() < PATH_LENGTH + SCRIPT_OFFSET {
                 return Err(ErrorCode::BadLen);
             }
-            let tx_data = &data[tx_data_index..];
+            let tx_data = &data[PATH_LENGTH..];
             let is_tx_execute_script = tx_data[SCRIPT_OFFSET - 1] == CALL_CONTRACT_FLAG;
             if is_tx_execute_script {
                 check_blind_signing()?;
             }
-            let token_metadata = &data[FIRST_FRAME_PREFIX_LENGTH..tx_data_index];
-            check_token_metadata(token_size, token_metadata)?;
-            tx_reviewer.init(is_tx_execute_script, token_metadata)?;
-            sign_tx_context.handle_data(apdu_header, tx_data, tx_reviewer)
+            tx_reviewer.set_tx_execute_script(is_tx_execute_script);
+
+            sign_tx_context.init(&data[..PATH_LENGTH])?;
+            sign_tx_context.handle_tx_data(apdu_header, tx_data, tx_reviewer)
         }
-        1 => sign_tx_context.handle_data(apdu_header, data, tx_reviewer),
+        (1, 1) => sign_tx_context.handle_tx_data(apdu_header, data, tx_reviewer), // the following unsigned tx frame
         _ => Err(ErrorCode::BadP1P2),
     }
 }
 
-// Check the token metadata version
-// The token metadata version should be 0 for now
-fn check_token_metadata(token_size: u8, token_metadata: &[u8]) -> Result<(), ErrorCode> {
-    for i in 0..token_size {
-        let version_index = (i as usize) * TOKEN_METADATA_SIZE;
-        if token_metadata[version_index] != 0 {
-            return Err(ErrorCode::InvalidMetadataVersion);
-        }
+#[inline]
+fn check_token_size(size: u8) -> Result<(), ErrorCode> {
+    if size > MAX_TOKEN_SIZE {
+        Err(ErrorCode::InvalidTokenSize)
+    } else {
+        Ok(())
     }
-    Ok(())
+}
+
+#[inline]
+fn reset(sign_tx_context: &mut SignTxContext, tx_reviewer: &mut TxReviewer) {
+    sign_tx_context.reset();
+    tx_reviewer.reset();
 }

app/src/main.rs

@@ -22,6 +22,7 @@ mod ledger_sdk_stub;
 mod public_key;
 mod settings;
 mod sign_tx_context;
+mod token_verifier;
 mod ui;
 
 ledger_device_sdk::set_panic!(ledger_device_sdk::exiting_panic);

app/src/sign_tx_context.rs

@@ -29,7 +29,7 @@ enum DecodeStep {
 // It keeps track of the current step, the transaction decoder, the path, and the device address
 // A streaming decoder is used to decode the transaction in chunks so that it can handle large transactions
 pub struct SignTxContext {
-    pub path: [u32; 5],
+    pub path: [u32; PATH_LENGTH],
     tx_decoder: StreamingDecoder<UnsignedTx>,
     current_step: DecodeStep,
     hasher: Blake2bHasher,
@@ -49,10 +49,9 @@ impl SignTxContext {
         }
     }
 
-    // Initialize the context with the path
+    // Initialize the context
     pub fn init(&mut self, data: &[u8]) -> Result<(), ErrorCode> {
         deserialize_path(data, &mut self.path, ErrorCode::HDPathDecodingFailed)?;
-
         self.tx_decoder.reset();
         self.current_step = DecodeStep::Init;
         self.hasher.reset();
@@ -61,6 +60,15 @@ impl SignTxContext {
         Ok(())
     }
 
+    pub fn reset(&mut self) {
+        self.path = [0; PATH_LENGTH];
+        self.tx_decoder.reset();
+        self.current_step = DecodeStep::Init;
+        self.hasher.reset();
+        self.temp_data.reset(0);
+        self.device_address = None;
+    }
+
     pub fn is_complete(&self) -> bool {
         self.current_step == DecodeStep::Complete
     }
@@ -124,7 +132,7 @@ impl SignTxContext {
     }
 
     // Handle a transaction data chunk
-    pub fn handle_data(
+    pub fn handle_tx_data(
         &mut self,
         apdu_header: &ApduHeader,
         tx_data_chunk: &[u8],
@@ -134,7 +142,7 @@ impl SignTxContext {
             DecodeStep::Complete => Err(ErrorCode::InternalError),
             DecodeStep::Init => {
                 // The first chunk of the transaction
-                if apdu_header.p1 == 0 {
+                if apdu_header.p1 == 1 && apdu_header.p2 == 0 {
                     self.current_step = DecodeStep::DecodingTx;
                     self.decode_tx(tx_data_chunk, tx_reviewer)
                 } else {
@@ -143,7 +151,7 @@ impl SignTxContext {
             }
             DecodeStep::DecodingTx => {
                 // The subsequent chunks of the transaction
-                if apdu_header.p1 == 1 {
+                if apdu_header.p1 == 1 && apdu_header.p2 == 1 {
                     self.decode_tx(tx_data_chunk, tx_reviewer)
                 } else {
                     Err(ErrorCode::BadP1P2)

app/src/token_verifier.rs

@@ -0,0 +1,90 @@
+use crate::{
+    blake2b_hasher::{Blake2bHash, Blake2bHasher, BLAKE2B_HASH_SIZE},
+    error_code::ErrorCode,
+    handler::TOKEN_METADATA_SIZE,
+};
+
+// b3380866c595544781e9da0ccd79399de8878abfb0bf40545b57a287387d419d
+const TOKEN_MERKLE_ROOT: Blake2bHash = [
+    0xb3, 0x38, 0x08, 0x66, 0xc5, 0x95, 0x54, 0x47, 0x81, 0xe9, 0xda, 0x0c, 0xcd, 0x79, 0x39, 0x9d,
+    0xe8, 0x87, 0x8a, 0xbf, 0xb0, 0xbf, 0x40, 0x54, 0x5b, 0x57, 0xa2, 0x87, 0x38, 0x7d, 0x41, 0x9d,
+];
+const PROOF_PREFIX_LENGTH: usize = 2;
+
+// `TokenVerifier` is a streaming token proof verifier that receives proof data and calculates the hash
+// After receiving all the proof data, it compares the hash with the `TOKEN_MERKLE_ROOT` to verify if the token is valid
+#[derive(Default, Copy, Clone)]
+pub struct TokenVerifier {
+    remaining_proof_size: usize,
+    hash: Blake2bHash,
+}
+
+pub fn hash_pair(a: &[u8], b: &[u8]) -> Result<Blake2bHash, ErrorCode> {
+    assert!(a.len() == BLAKE2B_HASH_SIZE && b.len() == BLAKE2B_HASH_SIZE);
+    let mut hasher = Blake2bHasher::new();
+    if a < b {
+        hasher.update(a)?;
+        hasher.update(b)?;
+    } else {
+        hasher.update(b)?;
+        hasher.update(a)?;
+    }
+    hasher.finalize()
+}
+
+impl TokenVerifier {
+    pub fn new(data: &[u8]) -> Result<TokenVerifier, ErrorCode> {
+        let prefix_length = TOKEN_METADATA_SIZE + PROOF_PREFIX_LENGTH;
+        if data.len() < prefix_length {
+            return Err(ErrorCode::BadLen);
+        }
+
+        let encoded_token = &data[..TOKEN_METADATA_SIZE];
+        let proof_size =
+            ((data[TOKEN_METADATA_SIZE] as usize) << 8) | (data[TOKEN_METADATA_SIZE + 1] as usize);
+        check_proof_size(proof_size)?;
+
+        let mut verifier = TokenVerifier {
+            remaining_proof_size: proof_size,
+            hash: Blake2bHasher::hash(encoded_token)?,
+        };
+        let proof = &data[prefix_length..];
+        verifier.on_proof(proof)?;
+        Ok(verifier)
+    }
+
+    // update the hash when receiving token proof data
+    pub fn on_proof(&mut self, proof: &[u8]) -> Result<(), ErrorCode> {
+        check_proof_size(proof.len())?;
+        if self.remaining_proof_size < proof.len() {
+            return Err(ErrorCode::InvalidTokenProofSize);
+        }
+
+        let mut index: usize = 0;
+        while index < proof.len() {
+            let sibling = &proof[index..(index + BLAKE2B_HASH_SIZE)];
+            self.hash = hash_pair(&self.hash, sibling)?;
+            index += BLAKE2B_HASH_SIZE
+        }
+        self.remaining_proof_size -= proof.len();
+        Ok(())
+    }
+
+    pub fn is_complete(&self) -> bool {
+        self.remaining_proof_size == 0
+    }
+
+    #[inline]
+    pub fn is_token_valid(&self) -> bool {
+        assert!(self.is_complete());
+        self.hash == TOKEN_MERKLE_ROOT
+    }
+}
+
+fn check_proof_size(size: usize) -> Result<(), ErrorCode> {
+    if size % BLAKE2B_HASH_SIZE != 0 {
+        Err(ErrorCode::InvalidTokenProofSize)
+    } else {
+        Ok(())
+    }
+}