0xBlockPay
commented
3 months ago Maybe, it can help: Detail description is https://source.android.com/docs/security/features/trusty
For sign ED25519 in Android trust enclave can be use rust with openssl-rust crate.
1) First dependency should be put to: trusty api application's rules.mk
MODULE_LIBRARY_DEPS += \ trusty/user/base/lib/openssl-rust \
2) In trusty/user/base/lib/openssl-rust folder should be rules.mk file, with dependencies for openssl-rust https://android.googlesource.com/trusty/lib/+/refs/heads/main/lib/openssl-rust/rules.mk
3) Folder with openssl-rust dep is https://android.googlesource.com/platform/external/rust/crates/openssl/+/refs/heads/main
Thanks this is possible use openssl-rust precompile dependencies in trusty application:
Example with openssl in trusty -rust: https://android.googlesource.com/trusty/app/sample/+/refs/heads/main/hwcryptohal/server/platform_functions.rs
For sign tx can be use this template: https://android.googlesource.com/trusty/app/sample/+/refs/heads/main/rust-hello-world/lib.rs
fn on_message(
&self,
_connection: &Self::Connection,
handle: &Handle,
msg: Self::Message,) -> tipc::Result<MessageResult> {}In function on_message as a msg's can be tx params for signing,
and then code for signing with pure openssl-rust
use openssl::pkey::PKey;
use openssl::sign::Signer;
fn main() {
println!("Sign transaction in Android Trusty API");
// ED25519 private key generation. Private Key should be load from trust store.
let private_key = PKey::generate_ed25519().unwrap();
let public_key = private_key.raw_public_key().unwrap();
let mut signer = Signer::new_without_digest(&private_key).unwrap();
let tx = hex::decode("914bf4f22ccdedf00950d01020065b233ff0afa0753cd53baa5175827707aa75").unwrap();
let signature = signer.sign_oneshot_to_vec(&tx).unwrap();
assert_eq!(signature.len(), 64);
println!("Signature: {:?}", hex::encode(&signature));
let public_key_result =PKey::public_key_from_raw_bytes(&public_key, openssl::pkey::Id::ED25519);
let binding = public_key_result.unwrap();
let mut verifier = openssl::sign::Verifier::new_without_digest(&binding).unwrap();
let verify_result = verifier.verify_oneshot(&signature, &tx);
println!("Signature is: {:?}", verify_result.unwrap());
println!("Signature verification end");
}
It is not an issue but an idea for security improvement. SAGA 2.0 will be on the Snapdragon Gen1 CPU with Qualcomm TEE. TEE is based on ARM TrustZone technology. Thanks to Trusty TEE (Trusty TEE | Android Open Source Project) is possible to run code in the security enclave. Moving code dedicated for signing transactions to enclave can have a positive influence on security.