Comments (9)
Are you using the same TREZOR with the same seed? Didn't you change the domain by any chance?
It would be best to see what arguments were used during the registration and during the login (verification). They NEED to be the same (protocol, username, host, port, etc.)
from connect.
Hmm, interesting. I might have re-seeded my Trezor at some point after testing this the first time.
I'm developing on my local machine so the URL is just http://localhost
Could the Trezor be signing internally with an old private key derived from http://localhost with the old seed but returning a response containing a new (and thus non-matching) public key generated from the new seed? It's a bit far-fetched, I know - but that would explain the weird behavior.
from connect.
I just tried changing the port of my web server and capturing the values returned in the js result object:
result.public_key = 036912ed761b60d27921cd27f3e18be90d46e1e9173fa42503ab020ac4f7531bf5
result.signature = 202095dd2575f61af5b1944df159ba7e337939a82c6cf5bec286af5ce3f0694cc81d14f79ea30787b6a74537b5e8c1b4e135917aba9b5a30060235a01f7c17334a
The message being signed is: 995da3cf545787d65f9ced52674e92ee8171c87c7a4008aa4349ec47d21609a78d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
With the new port I now get this new public key in the result object, and a different signature from before (the message is the same since I'm testing with static hidden and visual challenges to minimize moving parts). But when I run the two through coinig.com I still get
"Failure: ('vmB', 'Bad address. Signing: 1EMCEBxuYgzHH1D2e7rwjgyVwSsgvkhBNQ, received: 1LzgJgDAdvnLA1HuhtznDPxskq2qb6amy7')"
So the signing key and returned public key still don't match for some reason.
from connect.
Ok one more try. Set up my hosts file so that aaaaa.com points to 127.0.0.1.
So the web site is at http://aaaaa.com/
Visual Challenge : 123456
Hidden Challenge : abcdef
Message : 995da3cf545787d65f9ced52674e92ee8171c87c7a4008aa4349ec47d21609a78d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
result.public_key : 02cb59433aebebc5898761093ea087e5efc726dae2a6842e36a434c7c4be892923
result.signature : 1fa0927f5c3016d078c7aae20a7b4e6c1ea3a2dbbbde151fe24d40f3eff2169e7c211058ec282dc197a2d851d9765ef23190c64d44fee420c07ffeb92812bbed9e
Still the same result, it looks like result.public_key doesn't correspond to the private key used to sign the message.
coinig.com gives me:
Failure: ('vmB', 'Bad address. Signing: 1PjBbhR1HpmsVojjmRHM7zyZLiJ6mEZqms, received: 19YriNx1vV4TnAHgiGRFQakJKGMAjwTspU')
And just to be clear, what I'm doing on my side is:
- Click TREZOR login
- Enter PIN if required
- Verify the visual challenge on the Trezor
- Click "Confirm" button on Trezor to sign in
- Trezor returns with above info in the result object
from connect.
I guess you need to convert the message from hex to ascii first, before trying the coinig.com verifier thingie.
from connect.
Isn't the message just the concatenated digests of the visual and hidden challenges? That's what I gather from the example code in the repo here?
I tested with the example Python code and my C# code generates the exact same message as that, before passing it to the bitcoin signature verification method.
from connect.
Here's pretty much all the code I'm using, just so we're on the same page.
Server-side:
if (Request.HttpMethod == "GET" && Request.QueryString["trezor"] == "login")
{
string visual_challenge = Session["visualChallenge"].ToString();
string hidden_challenge = Session["hiddenChallenge"].ToString();
string publicKey = Request.QueryString["public_key"];
string signature = Request.QueryString["signature"];
SHA256 sha = SHA256Managed.Create();
var hiddenChallenge_Sha = BitConverter.ToString((sha.ComputeHash(TrezorUtils.HexStringToByteArray(hidden_challenge)))).Replace("-", "").ToLower();
var visualChallenge_Sha = BitConverter.ToString((sha.ComputeHash(new ASCIIEncoding().GetBytes(visual_challenge)))).Replace("-", "").ToLower();
string message = hiddenChallenge_Sha + visualChallenge_Sha;
PubKey pubKey = new PubKey(ConfigurationManager.AppSettings["TrezorPublicKey"]);
bool verified = pubKey.VerifyMessage(message, TrezorUtils.HexStringToBase64(signature));
if (verified)
{
// do stuff
}
}
And the two static methods from my TrezorUtils class:
public static byte[] HexStringToByteArray(String hex)
{
int NumberChars = hex.Length;
byte[] bytes = new byte[NumberChars / 2];
for (int i = 0; i < NumberChars; i += 2)
bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
return bytes;
}
public static string HexStringToBase64(string hexString)
{
byte[] buffer = new byte[hexString.Length / 2];
for (int i = 0; i < hexString.Length; i++)
{
buffer[i / 2] = Convert.ToByte(Convert.ToInt32(hexString.Substring(i, 2), 16));
i += 1;
}
string res = Convert.ToBase64String(buffer);
return res;
}
The public key stored in the configuration is the same as what's returned in the login result object.
The hidden and visual challenges are hard-coded and stored in session variables as stated previously.
The login button is defined as follows:
<trezor:login callback="trezorLoginCallback"
challenge_hidden="@Session["hiddenChallenge"]"
challenge_visual="@Session["visualChallenge"]"
text="Sign in with TREZOR">
</trezor:login>
The trezorLoginCallback function is here:
function trezorLoginCallback(result) {
if (result.success) {
var url = '?trezor=login'
+ '&public_key=' + encodeURIComponent(result.public_key)
+ '&signature=' + encodeURIComponent(result.signature)
+ '&version=' + encodeURIComponent(result.version);
window.location.href = url;
} else {
console.error('Error:', result.error);
}
}
from connect.
string message = hiddenChallenge_Sha + visualChallenge_Sha;
This should be raw bytes (e.g. "\x42\xef"), not hexa "42ef", like I said in the comment above. Are you doing this correctly?
So I guess you should be using this instead:
byte[] message = TrezorUtils.HexStringToByteArray(hiddenChallenge_Sha + visualChallenge_Sha);
from connect.
I just updated the NBitcoin library locally to support verifying raw byte messages instead of just text and it works. Thanks for the pointer!
from connect.
Related Issues (20)
- Webusb does not work when in Google chrome incognito mode HOT 2
- pop up confirmation screen disappears in a few seconds - transaction fails HOT 3
- Unknown addresses returned from getAccountInfo advanced HOT 3
- coins: Correct decred block time. HOT 2
- Soluisi yang terbaik HOT 1
- Cardano Catalyst registration documentation HOT 2
- DER format HOT 3
- Accessing transaction history for active addresses HOT 1
- Access account that was generated using derivation path HOT 5
- Does Trezor support Goerli? HOT 3
- Problems connecting to Ronin Wallet HOT 1
- Can not sign transactions, fw 2.4.2 HOT 2
- Ethereum breaking changes 2.4.1 - 2.4.2 HOT 1
- SignMessage updates
- Failed Transaction: Error: Device Call In Progress HOT 2
- v8.2.3-extended failing with "Transport is missing" HOT 6
- stellarSignTransaction did not return the correct signature HOT 24
- Code cleanup
- EthereumGetAddress checksum HOT 6
- Trezor Authorization error HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from connect.