allow pool registration

vacuumlabs · Oct 19, 2020 · efcf6f3 · efcf6f3
1 parent 74228ae
commit efcf6f3
Show file tree

Hide file tree

Showing 16 changed files with 1,353 additions and 76 deletions.
diff --git a/src/addressUtilsShelley.c b/src/addressUtilsShelley.c
@@ -7,6 +7,12 @@
 #include "base58.h"
 #include "bech32.h"
 
+uint8_t getAddressHeader(uint8_t* addressBuffer, size_t addressSize)
+{
+	ASSERT(addressSize > 0);
+	return addressBuffer[0];
+}
+
 address_type_t getAddressType(uint8_t addressHeader)
 {
 	const uint8_t ADDRESS_TYPE_MASK = 0b11110000;

diff --git a/src/addressUtilsShelley.h b/src/addressUtilsShelley.h
@@ -16,6 +16,8 @@ typedef enum {
 	REWARD     = 0b1110,  // 0xE
 } address_type_t;
 
+uint8_t getAddressHeader(uint8_t* addressBuffer, size_t addressSize);
+
 address_type_t getAddressType(uint8_t addressHeader);
 bool isSupportedAddressType(uint8_t addressHeader);
 uint8_t constructShelleyAddressHeader(address_type_t type, uint8_t networkId);

diff --git a/src/hexUtils.c b/src/hexUtils.c
@@ -38,7 +38,7 @@ size_t decode_hex(const char* inStr, uint8_t* outBuffer, size_t outMaxSize)
 
 static const char HEX_ALPHABET[] = "0123456789abcdef";
 
-// returns length of the string written to out
+// returns the length of the string written to out
 size_t encode_hex(const uint8_t* bytes, size_t bytesLength, char* out, size_t outMaxSize)
 {
 	ASSERT(bytesLength < BUFFER_SIZE_PARANOIA);
@@ -53,7 +53,7 @@ size_t encode_hex(const uint8_t* bytes, size_t bytesLength, char* out, size_t ou
 	ASSERT(i == bytesLength);
 	out[2 * i] = '\0';
 
-	return 2 * bytesLength + 1;
+	return 2 * bytesLength;
 }
 
 

diff --git a/src/messageSigning.c b/src/messageSigning.c
@@ -37,7 +37,6 @@ void getTxWitness(bip44_path_t* pathSpec,
 	chain_code_t chainCode;
 	privateKey_t privateKey;
 
-	// TODO is this the proper key for both Byron and Shelley?
 	TRACE("derive private key");
 
 	BEGIN_TRY {

diff --git a/src/securityPolicy.c b/src/securityPolicy.c
@@ -1,9 +1,8 @@
 #include "addressUtilsShelley.h"
 #include "addressUtilsByron.h"
-#include "securityPolicy.h"
 #include "bip44.h"
 
-// Warning: following helper macros assume "pathSpec" in the context
+#include "securityPolicy.h"
 
 // Helper macros
 
@@ -63,6 +62,12 @@ static inline bool has_cardano_prefix_and_any_account(const bip44_path_t* pathSp
 	       bip44_containsAccount(pathSpec);
 }
 
+static inline bool is_valid_stake_pool_owner_path(const bip44_path_t* pathSpec)
+{
+	return bip44_isValidStakingKeyPath(pathSpec);
+}
+
+// general requirements on witnesses
 static inline bool is_valid_witness(const bip44_path_t* pathSpec)
 {
 	if (!bip44_hasValidCardanoPrefix(pathSpec))
@@ -154,10 +159,15 @@ security_policy_t policyForSignTxInput()
 
 // For each transaction (third-party) address output
 security_policy_t policyForSignTxOutputAddress(
+        bool isSigningPoolRegistrationAsOwner,
         const uint8_t* rawAddressBuffer, size_t rawAddressSize,
         const uint8_t networkId, const uint32_t protocolMagic
 )
 {
+	TRACE("isSigningPoolRegistrationAsOwner = %d", isSigningPoolRegistrationAsOwner);
+
+	ALLOW_IF(isSigningPoolRegistrationAsOwner);
+
 	ASSERT(rawAddressSize >= 1);
 	address_type_t addressType = getAddressType(rawAddressBuffer[0]);
 	if (addressType == BYRON) {
@@ -175,10 +185,13 @@ security_policy_t policyForSignTxOutputAddress(
 
 // For each output given by derivation path
 security_policy_t policyForSignTxOutputAddressParams(
+        bool isSigningPoolRegistrationAsOwner,
         const addressParams_t* params,
         const uint8_t networkId, const uint32_t protocolMagic
 )
 {
+	ALLOW_IF(isSigningPoolRegistrationAsOwner);
+
 	DENY_UNLESS(spending_path_is_consistent_with_address_type(params->type, &params->spendingKeyPath));
 	DENY_UNLESS(staking_info_is_valid(params));
 	DENY_IF(is_too_deep(&params->spendingKeyPath));
@@ -215,14 +228,79 @@ security_policy_t policyForSignTxTtl(uint32_t ttl)
 	SHOW_IF(true);
 }
 
-// For each certificate
-security_policy_t policyForSignTxCertificate(const uint8_t certificateType MARK_UNUSED, const bip44_path_t* stakingKeyPath)
+// a generic policy for all certificates
+// does not evaluate all aspects for specific certificates
+security_policy_t policyForSignTxCertificate(
+        const bool includeStakePoolRegistrationCertificate,
+        const uint8_t certificateType
+)
 {
+	if (includeStakePoolRegistrationCertificate) {
+		DENY_UNLESS(certificateType == CERTIFICATE_TYPE_STAKE_POOL_REGISTRATION);
+
+		ALLOW_IF(true);
+	} else {
+		DENY_IF(certificateType == CERTIFICATE_TYPE_STAKE_POOL_REGISTRATION);
+
+		ALLOW_IF(true);
+	}
+}
+
+// for certificates concerning staking keys and stake delegation
+security_policy_t policyForSignTxCertificateStaking(
+        const uint8_t certificateType,
+        const bip44_path_t* stakingKeyPath
+)
+{
+	switch (certificateType) {
+	case CERTIFICATE_TYPE_STAKE_REGISTRATION:
+	case CERTIFICATE_TYPE_STAKE_DEREGISTRATION:
+	case CERTIFICATE_TYPE_STAKE_DELEGATION:
+		break; // these are allowed
+
+	default:
+		ASSERT(false);
+	}
+
 	DENY_UNLESS(bip44_isValidStakingKeyPath(stakingKeyPath));
 
 	PROMPT_IF(true);
 }
 
+// for stake pool registration certificates
+security_policy_t policyForSignTxCertificateStakePoolRegistration(
+)
+{
+	PROMPT_IF(true);
+}
+
+security_policy_t policyForSignTxStakePoolRegistrationOwner(pool_owner_t* owner)
+{
+	switch (owner->ownerType) {
+	case SIGN_TX_POOL_OWNER_TYPE_KEY_HASH:
+		SHOW_IF(true);
+		break;
+
+	case SIGN_TX_POOL_OWNER_TYPE_PATH:
+		SHOW_IF(is_valid_stake_pool_owner_path(&owner->path));
+		break;
+
+	default:
+		ASSERT(false);
+	}
+	DENY_IF(true);
+}
+
+security_policy_t policyForSignTxStakePoolRegistrationMetadata()
+{
+	SHOW_IF(true);
+}
+
+security_policy_t policyForSignTxStakePoolRegistrationConfirm()
+{
+	PROMPT_IF(true);
+}
+
 // For each withdrawal
 security_policy_t policyForSignTxWithdrawal()
 {
@@ -233,15 +311,22 @@ security_policy_t policyForSignTxWithdrawal()
 // For each transaction witness
 // Note: witnesses reveal public key of an address
 // and Ledger *does not* check whether they correspond to previously declared UTxOs
-security_policy_t policyForSignTxWitness(const bip44_path_t* pathSpec)
+security_policy_t policyForSignTxWitness(
+        bool isSigningPoolRegistrationAsOwner,
+        const bip44_path_t* pathSpec
+)
 {
 	DENY_UNLESS(is_valid_witness(pathSpec));
 
-	// TODO Perhaps we can relax this?
-	WARN_UNLESS(has_reasonable_account_and_address(pathSpec))
+	if (isSigningPoolRegistrationAsOwner) {
+		DENY_UNLESS(is_valid_stake_pool_owner_path(pathSpec));
+	} else {
+		// TODO Perhaps we can relax this?
+		WARN_UNLESS(has_reasonable_account_and_address(pathSpec));
 
-	// TODO deny this? or check for depth in is_valid_witness?
-	WARN_IF(is_too_deep(pathSpec));
+		// TODO deny this? or check for depth in is_valid_witness?
+		WARN_IF(is_too_deep(pathSpec));
+	}
 
 	ALLOW_IF(true);
 }

diff --git a/src/securityPolicy.h b/src/securityPolicy.h
@@ -3,6 +3,7 @@
 
 #include "bip44.h"
 #include "addressUtilsShelley.h"
+#include "signTxPoolRegistration.h"
 
 typedef enum {
 	POLICY_DENY = 1,
@@ -24,10 +25,12 @@ security_policy_t policyForSignTxInit(uint8_t networkId, uint32_t protocolMagic)
 security_policy_t policyForSignTxInput();
 
 security_policy_t policyForSignTxOutputAddress(
+        bool isSigningPoolRegistrationAsOwner,
         const uint8_t* rawAddressBuffer, size_t rawAddressSize,
         const uint8_t networkId, const uint32_t protocolMagic
 );
 security_policy_t policyForSignTxOutputAddressParams(
+        bool isSigningPoolRegistrationAsOwner,
         const addressParams_t* params,
         const uint8_t networkId, const uint32_t protocolMagic
 );
@@ -37,14 +40,27 @@ security_policy_t policyForSignTxFee(uint64_t fee);
 security_policy_t policyForSignTxTtl(uint32_t ttl);
 
 security_policy_t policyForSignTxCertificate(
-        const uint8_t certificateType, const bip44_path_t* stakingKeyPath
+        const bool includeStakePoolRegistrationCertificate,
+        const uint8_t certificateType
 );
+security_policy_t policyForSignTxCertificateStaking(
+        const uint8_t certificateType,
+        const bip44_path_t* stakingKeyPath
+);
+security_policy_t policyForSignTxCertificateStakePoolRegistration(
+);
+security_policy_t policyForSignTxStakePoolRegistrationOwner(pool_owner_t* owner);
+security_policy_t policyForSignTxStakePoolRegistrationMetadata();
+security_policy_t policyForSignTxStakePoolRegistrationConfirm();
 
 security_policy_t policyForSignTxWithdrawal();
 
 security_policy_t policyForSignTxMetadata();
 
-security_policy_t policyForSignTxWitness(const bip44_path_t* pathSpec);
+security_policy_t policyForSignTxWitness(
+        bool isSigningPoolRegistrationAsOwner,
+        const bip44_path_t* pathSpec
+);
 
 security_policy_t policyForSignTxConfirm();