romanz / trezor-agent

Hardware-based SSH/GPG/age agent
GNU Lesser General Public License v3.0
568 stars 152 forks

Using trezor GPG on a web application #226

Open nmfarshad opened 6 years ago

nmfarshad commented 6 years ago

Hey Roman,

I have this question: how can I implement the GPG feature to sign a text? For example:

1. I generate a GPG key on my trezor
2. My app displays a text in a text box
3. I want to sign that text

The issue I have is that the user is going to plug the trezor device in on the client side, not into the server. Any advice on this issue I am facing? Can I use trezor.js and use the GPG function?

romanz commented 6 years ago

Great question :) Currently, most of the OpenPGP parsing/serialization related tasks are done by the GnuPG binary. TREZOR is responsible for signing the digest of the message using the SignIdentity API [1,2] as defined by SLIP-0013.

As you suggested, you'll need to call this API from the client's browser, probably using the following API: https://github.com/trezor/trezor.js/blob/15c8f0a9c0386f360a30d2554cbc957e79ea45de/src/session.js#L322

You'd also need to use something like https://openpgpjs.org/ to format the actual signature according to the OpenPGP standard (as I did at https://github.com/romanz/trezor-agent/commit/4335740abebe7de0312c3a9fdacfe6458581287b, before integrating the tool with the GnuPG agent).

[1] https://github.com/trezor/trezor-mcu/blob/7fc58eb5db904f5f2de2873ab1d5e35ca157ad7e/firmware/fsm.c#L1027-L1039 [2] https://github.com/trezor/trezor-core/blob/5fc368e33008df9d5605dbdc0f2b2b7d881ddf70/src/apps/wallet/sign_identity.py#L33-L35

romanz commented 6 years ago

P.S. This feature would actually allow us to use the TREZOR device with end-to-end encrypted web-services, such as ProtonMail (who are actually developing OpenPGP.js) :)

@bartbutler What do you think?

romanz commented 6 years ago

cc: @sanjanarajan @AlexanderWillner @seancolyer (who may be interested in this feature).

AlexanderWillner commented 6 years ago

Thanks for the CC. I think it's best to sync with the crew behind OpenPGP.js.

seancolyer commented 6 years ago

I'm unfortunately very inactive in openpgp.js these days, but just wanted to chip in: from what you're saying, it sounds like you're potentially looking to strictly do the armor concept, which is exported via openpgp.js already, so you may be able to just plug these bits together.

romanz commented 6 years ago

Thanks for the information! I think this feature can be implemented as part of https://github.com/mailvelope/mailvelope/issues/238 (which also has a nice bounty).