keyfork-shard: base64 encode content instead of base16

keyfork-shard: shorten length and pad inside encrypted block
bump mio and iana-time-zone
2024-04-14 21:19:57 -04:00 · 2024-04-14 21:19:56 -04:00 · 2024-04-14 21:19:54 -04:00 · 2024-04-14 21:19:52 -04:00 · 2024-04-12 16:23:24 -04:00 · 2024-04-12 16:14:41 -04:00
20 changed files with 181 additions and 126 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -341,6 +341,12 @@ version = "0.21.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567"

+[[package]]
+name = "base64"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51"
+
 [[package]]
 name = "base64ct"
 version = "1.6.0"
@ -1497,9 +1503,9 @@ dependencies = [

 [[package]]
 name = "iana-time-zone"
-version = "0.1.59"
+version = "0.1.60"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b6a67363e2aa4443928ce15e57ebae94fd8949958fd1223c4cfc0cd473ad7539"
+checksum = "e7ffbb5a1b541ea2561f8c41c087286cc091e21e556a4f09a8f6cbf17b69b141"
 dependencies = [
 "android_system_properties",
 "core-foundation-sys",
@ -1758,7 +1764,7 @@ dependencies = [

 [[package]]
 name = "keyfork-derive-util"
-version = "0.1.0"
+version = "0.1.1"
 dependencies = [
 "digest",
 "ed25519-dalek",
@ -1776,7 +1782,7 @@ dependencies = [

 [[package]]
 name = "keyfork-entropy"
-version = "0.1.0"
+version = "0.1.1"
 dependencies = [
 "keyfork-bug",
 "smex",
@ -1818,7 +1824,7 @@ dependencies = [

 [[package]]
 name = "keyfork-qrcode"
-version = "0.1.0"
+version = "0.1.1"
 dependencies = [
 "image",
 "keyfork-bug",
@ -1830,10 +1836,11 @@ dependencies = [

 [[package]]
 name = "keyfork-shard"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
 "aes-gcm",
 "anyhow",
+ "base64 0.22.0",
 "card-backend",
 "card-backend-pcsc",
 "hkdf",
@ -1879,7 +1886,7 @@ dependencies = [

 [[package]]
 name = "keyforkd"
-version = "0.1.0"
+version = "0.1.1"
 dependencies = [
 "bincode",
 "hex-literal",
@ -2103,9 +2110,9 @@ dependencies = [

 [[package]]
 name = "mio"
-version = "0.8.10"
+version = "0.8.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f3d0b296e374a4e6f3c7b0a1f5a51d748a0d34c85e7dc48fc3fa9a87657fe09"
+checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c"
 dependencies = [
 "libc",
 "log",
@ -2886,7 +2893,7 @@ dependencies = [
 "aes",
 "aes-gcm",
 "anyhow",
- "base64",
+ "base64 0.21.7",
 "block-padding",
 "blowfish",
 "buffered-reader",
--- a/crates/daemon/keyforkd-client/src/tests.rs
+++ b/crates/daemon/keyforkd-client/src/tests.rs
@ -25,6 +25,9 @@ fn secp256k1_test_suite() {
                if chain_len < 2 {
                    continue;
                }
+                if chain.iter().take(2).any(|index| !index.is_hardened()) {
+                    continue;
+                }
                // Consistency check: ensure the server and the client can each derive the same
                // key using an XPrv, for all but the last XPrv, which is verified after this
                for i in 2..chain_len {
--- a/crates/daemon/keyforkd-models/src/lib.rs
+++ b/crates/daemon/keyforkd-models/src/lib.rs
@ -43,6 +43,10 @@ pub enum DerivationError {
    #[error("Invalid derivation length: Expected at least 2, actual: {0}")]
    InvalidDerivationLength(usize),

+    /// The derivation request did not use hardened derivation on the 2 highest indexes.
+    #[error("Invalid derivation paths: expected index #{0} (1) to be hardened")]
+    InvalidDerivationPath(usize, u32),
+
    /// An error occurred while deriving data.
    #[error("Derivation error: {0}")]
    Derivation(String),
--- a/crates/daemon/keyforkd/Cargo.toml
+++ b/crates/daemon/keyforkd/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "keyforkd"
-version = "0.1.0"
+version = "0.1.1"
 edition = "2021"
 license = "AGPL-3.0-only"

--- a/crates/daemon/keyforkd/src/service.rs
+++ b/crates/daemon/keyforkd/src/service.rs
@ -69,6 +69,18 @@ impl Service<Request> for Keyforkd {
                    return Err(DerivationError::InvalidDerivationLength(len).into());
                }

+                if let Some((i, unhardened_index)) = req
+                    .path()
+                    .iter()
+                    .take(2)
+                    .enumerate()
+                    .find(|(_, index)| {
+                        !index.is_hardened()
+                    })
+                {
+                    return Err(DerivationError::InvalidDerivationPath(i, unhardened_index.inner()).into())
+                }
+
                #[cfg(feature = "tracing")]
                if let Some(target) = guess_target(req.path()) {
                    info!("Deriving path: {target}");
@ -110,6 +122,9 @@ mod tests {
                if chain.len() < 2 {
                    continue;
                }
+                if chain.iter().take(2).any(|index| !index.is_hardened()) {
+                    continue;
+                }
                let req = DerivationRequest::new(DerivationAlgorithm::Secp256k1, &chain);
                let response: DerivationResponse = keyforkd
                    .ready()
--- a/crates/daemon/keyforkd/src/test_util.rs
+++ b/crates/daemon/keyforkd/src/test_util.rs
@ -61,7 +61,7 @@ where
        ));
    let socket_dir = tempfile::tempdir().expect(bug!("can't create tempdir"));
    let socket_path = socket_dir.path().join("keyforkd.sock");
-    rt.block_on(async move {
+    let result = rt.block_on(async move {
        let (tx, mut rx) = tokio::sync::mpsc::channel(1);
        let server_handle = tokio::spawn({
            let socket_path = socket_path.clone();
@ -87,8 +87,13 @@ where
        let result = test_handle.await;
        server_handle.abort();
        result
-    })
-    .expect(bug!("runtime could not join all threads"))
+    });
+    if let Err(e) = result {
+        if e.is_panic() {
+            std::panic::resume_unwind(e.into_panic());
+        }
+    }
+    Ok(())
 }

 #[cfg(test)]
--- a/crates/derive/keyfork-derive-util/Cargo.toml
+++ b/crates/derive/keyfork-derive-util/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "keyfork-derive-util"
-version = "0.1.0"
+version = "0.1.1"
 edition = "2021"
 license = "MIT"

--- a/crates/derive/keyfork-derive-util/src/extended_key/public_key.rs
+++ b/crates/derive/keyfork-derive-util/src/extended_key/public_key.rs
@ -11,8 +11,8 @@ const KEY_SIZE: usize = 256;
 /// Errors associated with creating or deriving Extended Public Keys.
 #[derive(Error, Clone, Debug)]
 pub enum Error {
-    /// BIP-0032 does not support deriving public keys from hardened private keys.
-    #[error("Public keys may not be derived when hardened")]
+    /// BIP-0032 does not support hardened public key derivation from parent public keys.
+    #[error("Hardened child public keys may not be derived from parent public keys")]
    HardenedIndex,

    /// The maximum depth for key derivation has been reached. The supported maximum depth is 255.
--- a/crates/derive/keyfork-derive-util/src/private_key.rs
+++ b/crates/derive/keyfork-derive-util/src/private_key.rs
@ -85,7 +85,7 @@ pub trait PrivateKey: Sized {
    /// # Errors
    ///
    /// An error may be returned if:
-    /// * A nonzero `other` is provided.
+    /// * An all-zero `other` is provided.
    /// * An error specific to the given algorithm was encountered.
    fn derive_child(&self, other: &PrivateKeyBytes) -> Result<Self, Self::Err>;

@ -180,7 +180,6 @@ impl PrivateKey for ed25519_dalek::SigningKey {

 use crate::public_key::TestPublicKey;

-#[doc(hidden)]
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub struct TestPrivateKey {
    key: [u8; 32],
--- a/crates/derive/keyfork-derive-util/src/public_key.rs
+++ b/crates/derive/keyfork-derive-util/src/public_key.rs
@ -42,7 +42,7 @@ pub trait PublicKey: Sized {
    /// # Errors
    ///
    /// An error may be returned if:
-    /// * A nonzero `other` is provided.
+    /// * An all-zero `other` is provided.
    /// * An error specific to the given algorithm was encountered.
    fn derive_child(&self, other: PrivateKeyBytes) -> Result<Self, Self::Err>;

@ -142,7 +142,6 @@ impl PublicKey for VerifyingKey {
    }
 }

-#[doc(hidden)]
 #[derive(Clone)]
 pub struct TestPublicKey {
    pub(crate) key: [u8; 33],
--- a/crates/derive/keyfork-derive-util/src/request.rs
+++ b/crates/derive/keyfork-derive-util/src/request.rs
@ -57,7 +57,7 @@ pub enum DerivationAlgorithm {
    #[allow(missing_docs)]
    Secp256k1,
    #[doc(hidden)]
-    Internal,
+    TestAlgorithm,
 }

 impl DerivationAlgorithm {
@ -86,7 +86,7 @@ impl DerivationAlgorithm {
                    &derived_key,
                ))
            }
-            Self::Internal => {
+            Self::TestAlgorithm => {
                let key = ExtendedPrivateKey::<TestPrivateKey>::new(seed);
                let derived_key = key.derive_path(path)?;
                Ok(DerivationResponse::with_algo_and_xprv(
@ -120,7 +120,7 @@ pub trait AsAlgorithm: PrivateKey {

 impl AsAlgorithm for TestPrivateKey {
    fn as_algorithm() -> DerivationAlgorithm {
-        DerivationAlgorithm::Internal
+        DerivationAlgorithm::TestAlgorithm
    }
 }

@ -144,7 +144,7 @@ impl DerivationRequest {
    /// # };
    /// # fn main() -> Result<(), Box<dyn std::error::Error>> {
    /// let algo: DerivationAlgorithm = //
-    /// #   DerivationAlgorithm::Internal;
+    /// #   DerivationAlgorithm::TestAlgorithm;
    /// let path: DerivationPath = //
    /// #   DerivationPath::default();
    /// let request = DerivationRequest::new(algo, &path);
@ -169,7 +169,7 @@ impl DerivationRequest {
    /// # };
    /// # fn main() -> Result<(), Box<dyn std::error::Error>> {
    /// let algo: DerivationAlgorithm = //
-    /// #   DerivationAlgorithm::Internal;
+    /// #   DerivationAlgorithm::TestAlgorithm;
    /// let path: DerivationPath = //
    /// #   DerivationPath::default();
    /// let request = DerivationRequest::new(algo, &path);
@ -199,7 +199,7 @@ impl DerivationRequest {
    /// #   b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    /// #   )?;
    /// let algo: DerivationAlgorithm = //
-    /// #   DerivationAlgorithm::Internal;
+    /// #   DerivationAlgorithm::TestAlgorithm;
    /// let path: DerivationPath = //
    /// #   DerivationPath::default();
    /// let request = DerivationRequest::new(algo, &path);
@ -228,7 +228,7 @@ impl DerivationRequest {
    /// let seed: &[u8; 64] = //
    /// #   b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    /// let algo: DerivationAlgorithm = //
-    /// #   DerivationAlgorithm::Internal;
+    /// #   DerivationAlgorithm::TestAlgorithm;
    /// let path: DerivationPath = //
    /// #   DerivationPath::default();
    /// let request = DerivationRequest::new(algo, &path);
--- a/crates/keyfork-shard/Cargo.toml
+++ b/crates/keyfork-shard/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "keyfork-shard"
-version = "0.1.0"
+version = "0.2.0"
 edition = "2021"
 license = "AGPL-3.0-only"

@ -37,3 +37,4 @@ card-backend-pcsc = { version = "0.5.0", optional = true }
 openpgp-card-sequoia = { version = "0.2.0", optional = true, default-features = false }
 openpgp-card = { version = "0.4.0", optional = true }
 sequoia-openpgp = { version = "1.17.0", optional = true, default-features = false }
+base64 = "0.22.0"
--- a/crates/keyfork-shard/src/lib.rs
+++ b/crates/keyfork-shard/src/lib.rs
@ -7,22 +7,28 @@ use std::{
 };

 use aes_gcm::{
-    aead::{consts::U12, Aead, AeadCore, OsRng},
+    aead::{consts::U12, Aead},
    Aes256Gcm, KeyInit, Nonce,
 };
 use hkdf::Hkdf;
 use keyfork_bug::{bug, POISONED_MUTEX};
 use keyfork_mnemonic_util::{English, Mnemonic};
 use keyfork_prompt::{
-    validators::{mnemonic::MnemonicSetValidator, Validator},
+    validators::{
+        mnemonic::{MnemonicSetValidator, MnemonicValidator, WordLength},
+        Validator,
+    },
    Message as PromptMessage, PromptHandler, Terminal,
 };
 use sha2::Sha256;
 use sharks::{Share, Sharks};
 use x25519_dalek::{EphemeralSecret, PublicKey};
+use base64::prelude::{BASE64_STANDARD, Engine};

-// 256 bit share encrypted is 49 bytes, couple more bytes before we reach max size
-const ENC_LEN: u8 = 4 * 16;
+// 32-byte share, 1-byte index, 1-byte threshold, 1-byte version == 36 bytes
+// Encrypted, is 52 bytes
+const PLAINTEXT_LENGTH: u8 = 36;
+const ENCRYPTED_LENGTH: u8 = PLAINTEXT_LENGTH + 16;

 #[cfg(feature = "openpgp")]
 pub mod openpgp;
@ -194,7 +200,6 @@ pub trait Format {
        let encrypted_messages = self.parse_shard_file(reader)?;

        // establish AES-256-GCM key via ECDH
-        let mut nonce_data: Option<[u8; 12]> = None;
        let mut pubkey_data: Option<[u8; 32]> = None;

        // receive remote data via scanning QR code from camera
@ -204,12 +209,11 @@ pub trait Format {
                .lock()
                .expect(bug!(POISONED_MUTEX))
                .prompt_message(PromptMessage::Text(QRCODE_PROMPT.to_string()))?;
-            if let Ok(Some(hex)) =
+            if let Ok(Some(qrcode_content)) =
                keyfork_qrcode::scan_camera(std::time::Duration::from_secs(30), 0)
            {
-                let decoded_data = smex::decode(&hex)?;
-                nonce_data = Some(decoded_data[..12].try_into().map_err(|_| InvalidData)?);
-                pubkey_data = Some(decoded_data[12..].try_into().map_err(|_| InvalidData)?)
+                let decoded_data = BASE64_STANDARD.decode(qrcode_content).unwrap();
+                pubkey_data = Some(decoded_data.try_into().map_err(|_| InvalidData)?)
            } else {
                prompt
                    .lock()
@ -219,30 +223,23 @@ pub trait Format {
        }

        // if QR code scanning failed or was unavailable, read from a set of mnemonics
-        let (nonce, their_pubkey) = match (nonce_data, pubkey_data) {
-            (Some(nonce), Some(pubkey)) => (nonce, pubkey),
-            _ => {
-                let validator = MnemonicSetValidator {
-                    word_lengths: [9, 24],
+        let their_pubkey = match pubkey_data {
+            Some(pubkey) => pubkey,
+            None => {
+                let validator = MnemonicValidator {
+                    word_length: Some(WordLength::Count(24)),
                };
-                let [nonce_mnemonic, pubkey_mnemonic] = prompt
+                prompt
                    .lock()
                    .expect(bug!(POISONED_MUTEX))
                    .prompt_validated_wordlist::<English, _>(
                        QRCODE_COULDNT_READ,
                        3,
                        validator.to_fn(),
-                    )?;
-
-                let nonce = nonce_mnemonic
+                    )?
                    .as_bytes()
                    .try_into()
-                    .map_err(|_| InvalidData)?;
-                let pubkey = pubkey_mnemonic
-                    .as_bytes()
-                    .try_into()
-                    .map_err(|_| InvalidData)?;
-                (nonce, pubkey)
+                    .map_err(|_| InvalidData)?
            }
        };

@ -253,9 +250,14 @@ pub trait Format {
            .diffie_hellman(&PublicKey::from(their_pubkey))
            .to_bytes();
        let hkdf = Hkdf::<Sha256>::new(None, &shared_secret);
-        let mut hkdf_output = [0u8; 256 / 8];
-        hkdf.expand(&[], &mut hkdf_output)?;
-        let shared_key = Aes256Gcm::new_from_slice(&hkdf_output)?;
+
+        let mut shared_key_data = [0u8; 256 / 8];
+        hkdf.expand(b"key", &mut shared_key_data)?;
+        let shared_key = Aes256Gcm::new_from_slice(&shared_key_data)?;
+
+        let mut nonce_data = [0u8; 12];
+        hkdf.expand(b"nonce", &mut nonce_data)?;
+        let nonce = Nonce::<U12>::from_slice(&nonce_data);

        // decrypt a single shard and create the payload
        let (share, threshold) =
@ -264,49 +266,41 @@ pub trait Format {
        payload.insert(0, HUNK_VERSION);
        payload.insert(1, threshold);
        assert!(
-            payload.len() <= ENC_LEN as usize,
-            "invalid share length (too long, max {ENC_LEN} bytes)"
+            payload.len() < PLAINTEXT_LENGTH as usize,
+            "invalid share length (too long, max {PLAINTEXT_LENGTH} bytes)"
        );

-        // encrypt data
-        let nonce = Nonce::<U12>::from_slice(&nonce);
-        let payload_bytes = shared_key.encrypt(nonce, payload.as_slice())?;
-
-        // convert data to a static-size payload
-        // NOTE: Padding length is less than u8::MAX because ENC_LEN < u8::MAX
+        // convert plaintext to static-size payload
        #[allow(clippy::assertions_on_constants)]
        {
-            assert!(ENC_LEN < u8::MAX, "padding byte can be u8");
+            assert!(PLAINTEXT_LENGTH < u8::MAX, "length byte can be u8");
        }
-        #[allow(clippy::cast_possible_truncation)]
-        let mut out_bytes = [payload_bytes.len() as u8; ENC_LEN as usize];
-        assert!(
-            payload_bytes.len() < out_bytes.len(),
-            "encrypted payload larger than acceptable limit"
-        );
-        out_bytes[..payload_bytes.len()].clone_from_slice(&payload_bytes);

-        // NOTE: This previously used a single repeated value as the padding byte, but resulted in
-        // difficulty when entering in prompts manually, as one's place could be lost due to
-        // repeated keywords. This is resolved below by having sequentially increasing numbers up to
-        // but not including the last byte.
+        // NOTE: Previous versions of Keyfork Shard would modify the padding bytes to avoid
+        // duplicate mnemonic words. This version does not include that, and instead uses a
+        // repeated length byte.
        #[allow(clippy::cast_possible_truncation)]
-        for (i, byte) in (out_bytes[payload_bytes.len()..(ENC_LEN as usize - 1)])
-            .iter_mut()
-            .enumerate()
-        {
-            *byte = (i % u8::MAX as usize) as u8;
-        }
+        let mut plaintext_bytes = [u8::try_from(payload.len()).expect(bug!(
+            "previously asserted length must be < {PLAINTEXT_LENGTH}",
+            PLAINTEXT_LENGTH = PLAINTEXT_LENGTH
+        )); PLAINTEXT_LENGTH as usize];
+        plaintext_bytes[..payload.len()].clone_from_slice(&payload);
+
+        // encrypt data
+        let encrypted_bytes = shared_key.encrypt(nonce, plaintext_bytes.as_slice())?;
+
+        assert_eq!(encrypted_bytes.len(), ENCRYPTED_LENGTH as usize);

        // safety: size of out_bytes is constant and always % 4 == 0
-        let payload_mnemonic = unsafe { Mnemonic::from_raw_bytes(&out_bytes) };
+        let payload_mnemonic = unsafe { Mnemonic::from_raw_bytes(&encrypted_bytes) };
+        dbg!(payload_mnemonic.words().len());

        #[cfg(feature = "qrcode")]
        {
            use keyfork_qrcode::{qrencode, ErrorCorrection};
            let mut qrcode_data = our_pubkey_mnemonic.to_bytes();
            qrcode_data.extend(payload_mnemonic.as_bytes());
-            if let Ok(qrcode) = qrencode(&smex::encode(&qrcode_data), ErrorCorrection::Highest) {
+            if let Ok(qrcode) = qrencode(&BASE64_STANDARD.encode(qrcode_data), ErrorCorrection::Highest) {
                prompt
                    .lock()
                    .expect(bug!(POISONED_MUTEX))
@ -401,7 +395,7 @@ pub struct InvalidData;
 /// 1 byte: Version
 /// 1 byte: Threshold
 /// Data: &[u8]
-pub(crate) const HUNK_VERSION: u8 = 1;
+pub(crate) const HUNK_VERSION: u8 = 2;
 pub(crate) const HUNK_OFFSET: usize = 2;

 const QRCODE_PROMPT: &str = "Press enter, then present QR code to camera.";
@ -432,17 +426,14 @@ pub fn remote_decrypt(w: &mut impl Write) -> Result<(), Box<dyn std::error::Erro

    while iter_count.is_none() || iter_count.is_some_and(|i| i > 0) {
        iter += 1;
-        let nonce = Aes256Gcm::generate_nonce(&mut OsRng);
-        let nonce_mnemonic = unsafe { Mnemonic::from_raw_bytes(nonce.as_slice()) };
        let our_key = EphemeralSecret::random();
        let key_mnemonic = Mnemonic::from_bytes(PublicKey::from(&our_key).as_bytes())?;

        #[cfg(feature = "qrcode")]
        {
            use keyfork_qrcode::{qrencode, ErrorCorrection};
-            let mut qrcode_data = nonce_mnemonic.to_bytes();
-            qrcode_data.extend(key_mnemonic.as_bytes());
-            if let Ok(qrcode) = qrencode(&smex::encode(&qrcode_data), ErrorCorrection::Highest) {
+            let qrcode_data = key_mnemonic.to_bytes();
+            if let Ok(qrcode) = qrencode(&BASE64_STANDARD.encode(qrcode_data), ErrorCorrection::Highest) {
                pm.prompt_message(PromptMessage::Text(format!(
                    concat!(
                        "A QR code will be displayed after this prompt. ",
@ -458,10 +449,9 @@ pub fn remote_decrypt(w: &mut impl Write) -> Result<(), Box<dyn std::error::Erro
        pm.prompt_message(PromptMessage::Text(format!(
            concat!(
                "Upon request, these words should be sent to shardholder {iter}: ",
-                "{nonce_mnemonic} {key_mnemonic}"
+                "{key_mnemonic}"
            ),
            iter = iter,
-            nonce_mnemonic = nonce_mnemonic,
            key_mnemonic = key_mnemonic,
        )))?;

@ -471,10 +461,10 @@ pub fn remote_decrypt(w: &mut impl Write) -> Result<(), Box<dyn std::error::Erro
        #[cfg(feature = "qrcode")]
        {
            pm.prompt_message(PromptMessage::Text(QRCODE_PROMPT.to_string()))?;
-            if let Ok(Some(hex)) =
+            if let Ok(Some(qrcode_content)) =
                keyfork_qrcode::scan_camera(std::time::Duration::from_secs(QRCODE_TIMEOUT), 0)
            {
-                let decoded_data = smex::decode(&hex)?;
+                let decoded_data = BASE64_STANDARD.decode(qrcode_content).unwrap();
                let _ = pubkey_data.insert(decoded_data[..32].try_into().map_err(|_| InvalidData)?);
                let _ = payload_data.insert(decoded_data[32..].to_vec());
            } else {
@ -486,7 +476,7 @@ pub fn remote_decrypt(w: &mut impl Write) -> Result<(), Box<dyn std::error::Erro
            (Some(pubkey), Some(payload)) => (pubkey, payload),
            _ => {
                let validator = MnemonicSetValidator {
-                    word_lengths: [24, 48],
+                    word_lengths: [24, 39],
                };

                let [pubkey_mnemonic, payload_mnemonic] = pm
@ -504,14 +494,24 @@ pub fn remote_decrypt(w: &mut impl Write) -> Result<(), Box<dyn std::error::Erro
            }
        };

+        assert_eq!(
+            payload.len(),
+            ENCRYPTED_LENGTH as usize,
+            bug!("invalid payload data")
+        );
+
        let shared_secret = our_key.diffie_hellman(&PublicKey::from(pubkey)).to_bytes();
        let hkdf = Hkdf::<Sha256>::new(None, &shared_secret);
-        let mut hkdf_output = [0u8; 256 / 8];
-        hkdf.expand(&[], &mut hkdf_output)?;
-        let shared_key = Aes256Gcm::new_from_slice(&hkdf_output)?;

-        let payload =
-            shared_key.decrypt(&nonce, &payload[..payload[payload.len() - 1] as usize])?;
+        let mut shared_key_data = [0u8; 256 / 8];
+        hkdf.expand(b"key", &mut shared_key_data)?;
+        let shared_key = Aes256Gcm::new_from_slice(&shared_key_data)?;
+
+        let mut nonce_data = [0u8; 12];
+        hkdf.expand(b"nonce", &mut nonce_data)?;
+        let nonce = Nonce::<U12>::from_slice(&nonce_data);
+
+        let payload = shared_key.decrypt(nonce, payload.as_slice())?;
        assert_eq!(HUNK_VERSION, payload[0], "Incompatible hunk version");

        match &mut iter_count {
@ -526,7 +526,8 @@ pub fn remote_decrypt(w: &mut impl Write) -> Result<(), Box<dyn std::error::Erro
            }
        }

-        shares.push(payload[HUNK_OFFSET..].to_vec());
+        let payload_len = payload.last().expect(bug!("payload should not be empty"));
+        shares.push(payload[HUNK_OFFSET..usize::from(*payload_len)].to_vec());
    }

    let shares = shares
--- a/crates/keyfork-shard/src/openpgp/keyring.rs
+++ b/crates/keyfork-shard/src/openpgp/keyring.rs
@ -84,13 +84,23 @@ impl<P: PromptHandler> VerificationHelper for &mut Keyring<P> {
                    aead_algo,
                } => {}
                MessageLayer::SignatureGroup { results } => {
-                    for result in results {
-                        if let Err(e) = result {
+                    match &results[..] {
+                        [Ok(_)] => {
+                            return Ok(());
+                        }
+                        _ => {
                            // FIXME: anyhow leak: VerificationError impl std::error::Error
                            // return Err(e.context("Invalid signature"));
+                            return Err(anyhow::anyhow!("Error validating signature; either multiple signatures were passed or the single signature was not valid"));
+                        }
+                    }
+                    /*
+                    for result in results {
+                        if let Err(e) = result {
                            return Err(anyhow::anyhow!("Invalid signature: {e}"));
                        }
                    }
+                    */
                }
            }
        }
--- a/crates/keyfork-shard/src/openpgp/smartcard.rs
+++ b/crates/keyfork-shard/src/openpgp/smartcard.rs
@ -193,12 +193,23 @@ impl<P: PromptHandler> VerificationHelper for &mut SmartcardManager<P> {
                    aead_algo,
                } => {}
                MessageLayer::SignatureGroup { results } => {
-                    for result in results {
-                        if let Err(e) = result {
-                            // FIXME: anyhow leak
-                            return Err(anyhow::anyhow!("Verification error: {}", e.to_string()));
+                    match &results[..] {
+                        [Ok(_)] => {
+                            return Ok(());
+                        }
+                        _ => {
+                            // FIXME: anyhow leak: VerificationError impl std::error::Error
+                            // return Err(e.context("Invalid signature"));
+                            return Err(anyhow::anyhow!("Error validating signature; either multiple signatures were passed or the single signature was not valid"));
                        }
                    }
+                    /*
+                    for result in results {
+                        if let Err(e) = result {
+                            return Err(anyhow::anyhow!("Invalid signature: {e}"));
+                        }
+                    }
+                    */
                }
            }
        }
@ -264,11 +275,11 @@ impl<P: PromptHandler> DecryptionHelper for &mut SmartcardManager<P> {
            } else {
                format!("Unlock card {card_id} ({cardholder_name})\n{rpea}: {attempts}\n\nPIN: ")
            };
-            let temp_pin =
-                self.pm
-                    .lock()
-                    .expect(bug!(POISONED_MUTEX))
-                    .prompt_validated_passphrase(&message, 3, &pin_validator)?;
+            let temp_pin = self
+                .pm
+                .lock()
+                .expect(bug!(POISONED_MUTEX))
+                .prompt_validated_passphrase(&message, 3, &pin_validator)?;
            let verification_status = transaction.verify_user_pin(temp_pin.as_str().trim());
            match verification_status {
                #[allow(clippy::ignored_unit_patterns)]
--- a/crates/keyfork/Cargo.toml
+++ b/crates/keyfork/Cargo.toml
@ -32,7 +32,7 @@ keyfork-entropy = { version = "0.1.0", path = "../util/keyfork-entropy", registr
 keyfork-mnemonic-util = { version = "0.2.0", path = "../util/keyfork-mnemonic-util", registry = "distrust" }
 keyfork-prompt = { version = "0.1.0", path = "../util/keyfork-prompt", registry = "distrust" }
 keyfork-qrcode = { version = "0.1.0", path = "../qrcode/keyfork-qrcode", default-features = false, registry = "distrust" }
-keyfork-shard = { version = "0.1.0", path = "../keyfork-shard", default-features = false, features = ["openpgp", "openpgp-card", "qrcode"], registry = "distrust" }
+keyfork-shard = { version = "0.2.0", path = "../keyfork-shard", default-features = false, features = ["openpgp", "openpgp-card", "qrcode"], registry = "distrust" }
 smex = { version = "0.1.0", path = "../util/smex", registry = "distrust" }

 clap = { version = "4.4.2", features = ["derive", "env", "wrap_help"] }
--- a/crates/qrcode/keyfork-qrcode/Cargo.toml
+++ b/crates/qrcode/keyfork-qrcode/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "keyfork-qrcode"
-version = "0.1.0"
+version = "0.1.1"
 repository = "https://git.distrust.co/public/keyfork"
 edition = "2021"
 license = "MIT"
--- a/crates/qrcode/keyfork-qrcode/src/lib.rs
+++ b/crates/qrcode/keyfork-qrcode/src/lib.rs
@ -5,7 +5,7 @@ use keyfork_bug as bug;
 use image::io::Reader as ImageReader;
 use std::{
    io::{Cursor, Write},
-    time::{Duration, SystemTime},
+    time::{Duration, Instant},
    process::{Command, Stdio},
 };
 use v4l::{
@ -110,11 +110,10 @@ pub fn scan_camera(timeout: Duration, index: usize) -> Result<Option<String>, QR
    fmt.fourcc = FourCC::new(b"MPG1");
    device.set_format(&fmt)?;
    let mut stream = Stream::with_buffers(&device, Type::VideoCapture, 4)?;
-    let start = SystemTime::now();
+    let start = Instant::now();

-    while SystemTime::now()
+    while Instant::now()
        .duration_since(start)
-        .unwrap_or(Duration::from_secs(0))
        < timeout
    {
        let (buffer, _) = stream.next()?;
@ -141,12 +140,11 @@ pub fn scan_camera(timeout: Duration, index: usize) -> Result<Option<String>, QR
    fmt.fourcc = FourCC::new(b"MPG1");
    device.set_format(&fmt)?;
    let mut stream = Stream::with_buffers(&device, Type::VideoCapture, 4)?;
-    let start = SystemTime::now();
+    let start = Instant::now();
    let mut scanner = keyfork_zbar::image_scanner::ImageScanner::new();

-    while SystemTime::now()
+    while Instant::now()
        .duration_since(start)
-        .unwrap_or(Duration::from_secs(0))
        < timeout
    {
        let (buffer, _) = stream.next()?;
--- a/crates/util/keyfork-entropy/Cargo.toml
+++ b/crates/util/keyfork-entropy/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "keyfork-entropy"
-version = "0.1.0"
+version = "0.1.1"
 edition = "2021"
 license = "MIT"

--- a/crates/util/keyfork-entropy/src/main.rs
+++ b/crates/util/keyfork-entropy/src/main.rs
@ -10,10 +10,12 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
        bit_size % 8 == 0,
        "Bit size must be divisible by 8, got: {bit_size}"
    );
-    assert!(
-        bit_size <= 256,
-        "Maximum supported bit size is 256, got: {bit_size}"
-    );
+    match bit_size {
+        128 | 256 | 512 => {}
+        _ => {
+            eprintln!("reading entropy of uncommon size: {bit_size}");
+        }
+    }

    let entropy = keyfork_entropy::generate_entropy_of_size(bit_size / 8)?;
    println!("{}", smex::encode(entropy));
Author	SHA1	Message	Date
Ryan Heywood	08a66e2365	keyfork-shard: base64 encode content instead of base16	2024-04-14 21:19:57 -04:00
Ryan Heywood	6fa434e89c	keyfork-shard: shorten length and pad inside encrypted block	2024-04-14 21:19:56 -04:00
Ryan Heywood	68f07f6f02	bump mio and iana-time-zone	2024-04-14 21:19:54 -04:00
Ryan Heywood	9394500f2f	keyfork-shard: generate nonce using hkdf	2024-04-14 21:19:52 -04:00
Ryan Heywood	2bca0a1580	keyfork-derive-util: make Test{Public,Private}Key public, rename Internal algorithm	2024-04-12 16:23:24 -04:00
Ryan Heywood	5438f4e111	keyfork-entropy: downgrade entropy size limit to warning	2024-04-12 16:14:41 -04:00
Ryan Heywood	71b6e4ed0c	Merge branch 'ryan/use-instant-time-qrcode'	2024-04-10 15:35:50 -04:00
Ryan Heywood	4f4e3cfc65	Merge branch 'ryan/harden-derivation-on-highest-level-keys'	2024-04-10 15:35:40 -04:00
Ryan Heywood	194d475d59	keyfork-shard: validate signatures using shard-specific validation requirements	2024-04-10 15:17:30 -04:00
Ryan Heywood	40551a5c26	keyforkd: require hardened derivation on two highest indexes	2024-04-09 20:14:59 -04:00
Ryan Heywood	fa125e7cbe	keyfork-qrcode: prefer Instant over SystemTime for infallible time comparison	2024-04-09 19:54:11 -04:00