Initial commit
jake-b committed Jan 2, 2018
1 parent 0887d33 commit 33f1e44
Showing 32 changed files with 4,662 additions and 0 deletions.
5 changes: 5 additions & 0 deletions .gitignore
Expand Up @@ -50,3 +50,8 @@ modules.order
Module.symvers
Mkfile.old
dkms.conf

# Project-level stuff
debug/
.DS_Store
*.pyc
92 changes: 92 additions & 0 deletions Makefile
@@ -0,0 +1,92 @@
#*******************************************************************************
# Ledger Blue
# (c) 2016 Ledger
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#*******************************************************************************

ifeq ($(BOLOS_SDK),)
$(error BOLOS_SDK is not set)
endif
include $(BOLOS_SDK)/Makefile.defines

# Main app configuration

APPNAME = "Burstcoin"
APPVERSION = 1.0.0
ICONNAME = nanos_app_burst.gif
APP_LOAD_PARAMS = --appFlags 0x40 --path "44'/30'" --curve secp256k1 --curve ed25519 $(COMMON_LOAD_PARAMS)

# Build configuration

APP_SOURCE_PATH += src
SDK_SOURCE_PATH += lib_stusb # lib_stusb_impl # - not included here because we're overriding

DEFINES += APPVERSION=\"$(APPVERSION)\"

DEFINES += OS_IO_SEPROXYHAL IO_SEPROXYHAL_BUFFER_SIZE_B=128
DEFINES += HAVE_BAGL HAVE_SPRINTF
DEFINES += PRINTF\(...\)=

DEFINES += HAVE_IO_USB HAVE_L4_USBLIB IO_USB_MAX_ENDPOINTS=7 IO_HID_EP_LENGTH=64 HAVE_USB_APDU

# U2F Support
DEFINES += HAVE_U2F
DEFINES += USB_SEGMENT_SIZE=64
DEFINES += BLE_SEGMENT_SIZE=32 #max MTU, min 20
DEFINES += U2F_MAX_MESSAGE_SIZE=264 #257+5+2
DEFINES += UNUSED\(x\)=\(void\)x
DEFINES += APPVERSION=\"$(APPVERSION)\"

# Compiler, assembler, and linker

ifneq ($(BOLOS_ENV),)
$(info BOLOS_ENV=$(BOLOS_ENV))
CLANGPATH := $(BOLOS_ENV)/clang-arm-fropi/bin/
GCCPATH := $(BOLOS_ENV)/gcc-arm-none-eabi-5_3-2016q1/bin/
else
$(info BOLOS_ENV is not set: falling back to CLANGPATH and GCCPATH)
endif
ifeq ($(CLANGPATH),)
$(info CLANGPATH is not set: clang will be used from PATH)
endif
ifeq ($(GCCPATH),)
$(info GCCPATH is not set: arm-none-eabi-* will be used from PATH)
endif

CC := $(CLANGPATH)clang
CFLAGS += -O3 -Os

AS := $(GCCPATH)arm-none-eabi-gcc
AFLAGS +=

LD := $(GCCPATH)arm-none-eabi-gcc
LDFLAGS += -O3 -Os
LDLIBS += -lm -lgcc -lc

# Main rules

all: default

load: all
python -m ledgerblue.loadApp $(APP_LOAD_PARAMS)

delete:
python -m ledgerblue.deleteApp $(COMMON_DELETE_PARAMS)

glyphs:
include $(BOLOS_SDK)/Makefile.glyphs

# Import generic rules from the SDK

include $(BOLOS_SDK)/Makefile.rules
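Review bot: APP_LOAD_PARAMS requests `--curve secp256k1` alongside `--curve ed25519`, while the README added in this commit describes key derivation only through CX_CURVE_Ed25519. Unless a source file not shown here derives secp256k1 keys, drop that flag so the app's entitlement covers only the curve it actually uses, which is the purpose of the load-time declaration. Two smaller items: `DEFINES += APPVERSION=\"$(APPVERSION)\"` appears twice (under "Build configuration" and again under "U2F Support"), and `-O3 -Os` in CFLAGS and LDFLAGS passes two conflicting optimization levels where only the last one takes effect, so keep just `-Os`.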
133 changes: 133 additions & 0 deletions README.md
@@ -1,2 +1,135 @@
# nanos-app-burst
Burstcoin wallet application for Ledger Nano S

# Introduction
This is a proof-of concept Ledger Nano S wallet app for Burstcoin. I say that
it is proof of concept for a few reasons:

- I am not a cryptography or crypto-currency expert, and I could have introduced
errors or security flaws into the code unintentionally.

- I am knowingly using an ED25519 seed function to generate a Curve25519 keypair
I think this is okay, and I'll discuss it more below, but I'm not sure. See
"technical details" section below.

- Just in general, you shouldn't trust others with your crypto-currency.

As such, you agree to use this code AT YOUR OWN RISK:

The author provides the Work (and each Contributor provides its Contributions) on
an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions of TITLE,
NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are
solely responsible for determining the appropriateness of using or redistributing
the Work and assume any risks associated with Your exercise of permissions under
this License.

In no event and under no legal theory, whether in tort (including negligence),
contract, or otherwise, unless required by applicable law (such as deliberate
and grossly negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special, incidental,
or consequential damages of any character arising as a result of this License or
out of the use or inability to use the Work (including but not limited to damages
for loss of goodwill, work stoppage, computer failure or malfunction, or any and
all other commercial damages or losses), even if such Contributor has been
advised of the possibility of such damages.

# License

Copyright (c) 2017-2018 Jake B.

This application is based on example sources from Ledger that were released under
the Apache License, Version 2.0 and I have maintained this license for this app.

Other public domain materials, such as the Curve25519 sources, or implementations
of known algorithms are also included.

# Building

You'll need a Ledger Nano S development environment. More information can be
found here: https://github.com/LedgerHQ/blue-devenv/

A modification to the current version of the python loader app may be required
depending on whether Ledger has released a new version or not. More on this here:
https://github.com/lenondupe/ledger-app-stellar#troubleshooting

# Technical Details

## Why I used a curve25519 library rather than internal functions

I spent some time trying to get the Ledger-provided keypair generation and curve
multiplication functions to do the necessary cryptographic singing necessary
for Burstcoin.

After some time, I gave up and just went with a library known to work. I'm not
sure why the internal functions didn't work properly. I tried all sorts of
combinations and endianess but never got a keypair that worked. Possibilities
include:

- I was just doing something wrong, misunderstanding the SDK or the cryptography
- Keys and signatures may have been in a different format than Burst expects...
Possibly endianness or key format, I'm not an expert.
- Possibly Curve25519 is not fully implemented in the Ledger SDK
- Possible Burst uses a specific variant or dialect of Curve25519, and I'm not
aware.

## Why do I use the ED25519 key data generation function instead of Curve25519?

The Ledger smartly uses a system of entitlements for apps. At load time, you
need to declare which BIP39 keypaths and algorithms your app exepects to
generate.

This prevents a malicious or poorly secured app from generating keys or signing
transactions for a crypto-coin outside of the declared BIP39 keypath or for an
algorithm that is not explicitly needed by the Ledger app.

The function involved is called os_perso_derive_node_bip32:

os_perso_derive_node_bip32(CX_CURVE_Ed25519, path, 5, privateKeyData, NULL);

I use CX_CURVE_Ed25519 because the entitlement system doesn't apparently
support the CX_CURVE_Curve25519 flag.

I think both ED25519 and Curve25591 expect the key data 'secret' to be a
265-byte integer... so I think this is okay... but I'm not an expert as to
whether this introduces security or cryptography problems. Hence, I recommend
this for use on the testnet only at this time.

## Web Integration

Modifications to the PoCC Web Wallet for interfacing with the Ledger Nano S
can be found here: https://github.com/jake-b/burstcoin/tree/ledger

Note you need to enable "Web Browser" support in the app on the Ledger device
in order to switch from the standard communication protocol to the U2F
protocol.

# Room for improvement

Lots of room to grow here. I make no promises to move this forward. I would
like to move my Ledger Nano from "Development" to "Production use" and that
would halt my ability to develop. I may get another unit for development
eventually.

Some ideas for improvement:

- Peer review to make sure this is cryptographically sound and secure.
- Progress indicators on the device -- "Please Wait" screens etc, so the
user knows something is going on.
- Support for other types of transactions on the "Confirm Transaction" screen
currently it is very "Send Money" focused.
- A web developer should really look at the desktop/web stuff to fix and
improve the experience.
- Support for multiple wallets (derived wallets/addresses)

# Videos

Some videos on this project

[![Proof of Concept Hardware Wallet for Burstcoin Video](http://img.youtube.com/vi/8i87n5fAvWU/0.jpg)](http://www.youtube.com/watch?v=8i87n5fAvWU "Proof of Concept Hardware Wallet for Burstcoin")
[![Proof of Concept Burstcoin Ledger Web Wallet Integration Video](http://img.youtube.com/vi/7TjjhTY0eDU/0.jpg)](http://www.youtube.com/watch?v=7TjjhTY0eDU "Proof of Concept Burstcoin Ledger Web Wallet Integration")

# Support

Support this project by sending some BURST to: BURST-ZGEK-VQ86-M9FV-7SDWY
Again, no promises to future support or development, but thanks are appreciated.
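Review bot: The section "Why do I use the ED25519 key data generation function instead of Curve25519?" describes the secret as a "265-byte integer" and names "Curve25591"; both curves take a 32-byte (256-bit) secret, and the name is Curve25519. The same section refers to "BIP39 keypaths", but the function shown is os_perso_derive_node_bip32 and the Makefile passes a BIP32-style `--path "44'/30'"`; BIP39 covers the mnemonic, not the derivation path. Since that section ends by recommending testnet use only, repeat the recommendation in the Introduction next to the other proof-of-concept caveats, and state how the bundled Curve25519 library treats privateKeyData (for example, whether it clamps the scalar) so a peer reviewer can check the Ed25519-to-Curve25519 reuse. Also, "singing" should be "signing" and "exepects" should be "expects".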
Binary file added glyphs/icon_back.gif
Binary file added glyphs/icon_burst.gif
Binary file added glyphs/icon_dashboard.gif
Binary file added nanos_app_burst.gif