Support Signify-based signatures

http://www.openbsd.org/papers/bsdcan-signify.html

libagent/signify/__init__.py

@@ -0,0 +1,110 @@
+"""TREZOR support for Ed25519 signify signatures."""
+
+import argparse
+import binascii
+import contextlib
+import functools
+import hashlib
+import logging
+import os
+import re
+import struct
+import subprocess
+import sys
+import time
+
+import pkg_resources
+import semver
+
+
+from .. import formats, server, util
+from ..device import interface, ui
+
+log = logging.getLogger(__name__)
+
+
+def _create_identity(user_id):
+    result = interface.Identity(identity_str='signify://', curve_name='ed25519')
+    result.identity_dict['host'] = user_id
+    return result
+
+
+class Client:
+    """Sign messages and get public keys from a hardware device."""
+
+    def __init__(self, device):
+        """C-tor."""
+        self.device = device
+
+    def pubkey(self, identity):
+        """Return public key as VerifyingKey object."""
+        with self.device:
+            return bytes(self.device.pubkey(ecdh=False, identity=identity))
+
+    def sign_with_pubkey(self, identity, data):
+        """Sign the data and return a signature."""
+        log.info('please confirm Signify signature on %s for "%s"...',
+                 self.device, identity.to_string())
+        log.debug('signing data: %s', util.hexlify(data))
+        with self.device:
+            sig, pubkey = self.device.sign_with_pubkey(blob=data, identity=identity)
+            assert len(sig) == 64
+            assert len(pubkey) == 33
+            assert pubkey[:1] == b"\x00"
+            return sig, pubkey[1:]
+
+
+def format_payload(pubkey, data):
+    """See http://www.openbsd.org/papers/bsdcan-signify.html for details."""
+    keynum = hashlib.sha256(pubkey).digest()[:8]
+    return binascii.b2a_base64(b"Ed" + keynum + data).decode("ascii")
+
+
+def run_pubkey(device_type, args):
+    """Export hardware-based Signify public key."""
+    util.setup_logging(verbosity=args.verbose)
+    log.warning('This Signify tool is still in EXPERIMENTAL mode, '
+                'so please note that the key derivation, API, and features '
+                'may change without backwards compatibility!')
+
+    identity = _create_identity(user_id=args.user_id)
+    pubkey = Client(device=device_type()).pubkey(identity=identity)
+    comment = f'untrusted comment: identity {identity.to_string()}\n'
+    result = comment + format_payload(pubkey=pubkey, data=pubkey)
+    print(result, end="")
+
+
+def run_sign(device_type, args):
+    """Sign an input blob using Ed25519."""
+    util.setup_logging(verbosity=args.verbose)
+    identity = _create_identity(user_id=args.user_id)
+    data = sys.stdin.buffer.read()
+    sig, pubkey = Client(device=device_type()).sign_with_pubkey(identity, data)
+    pubkey_str = format_payload(pubkey=pubkey, data=pubkey)
+    comment = f'untrusted comment: pubkey {pubkey_str}'
+    result = comment + format_payload(pubkey=pubkey, data=sig)
+    print(result, end="")
+
+
+def main(device_type):
+    """Parse command-line arguments."""
+    parser = argparse.ArgumentParser()
+
+    subparsers = parser.add_subparsers(title='Action', dest='action')
+    subparsers.required = True
+
+    p = subparsers.add_parser('pubkey')
+    p.add_argument('user_id')
+    p.add_argument('-v', '--verbose', default=0, action='count')
+    p.set_defaults(func=run_pubkey)
+
+    p = subparsers.add_parser('sign')
+    p.add_argument('user_id')
+    p.add_argument('-v', '--verbose', default=0, action='count')
+    p.set_defaults(func=run_sign)
+
+    args = parser.parse_args()
+    device_type.ui = ui.UI(device_type=device_type, config=vars(args))
+    device_type.ui.cached_passphrase_ack = util.ExpiringCache(seconds=float(60))
+
+    return args.func(device_type=device_type, args=args)