Merge branch 'eip1559'

Author: benma

CHANGELOG.md

@@ -13,6 +13,7 @@ customers cannot upgrade their bootloader, its changes are recorded separately.
 - Verifiable seed generation: when restoring from 12 or 18 recovery words, for the final word, restrict input to the valid candidate words which result in a valid checksum.
   For 24 words, this feature was already introduced in 9.4.0.
 - Bitcoin: don't warn about "unusual" sequence numbers in transactions anymore
+- Add EIP-1559 transaction support for Ethereum
 
 ### 9.15.0
 - Security bugfix: check index of an input's previous output to prevent the fee attack originally

CMakeLists.txt

@@ -88,8 +88,8 @@ endif()
 #
 # Versions MUST contain three parts and start with lowercase 'v'.
 # Example 'v1.0.0'. They MUST not contain a pre-release label such as '-beta'.
-set(FIRMWARE_VERSION "v9.15.0")
-set(FIRMWARE_BTC_ONLY_VERSION "v9.15.0")
+set(FIRMWARE_VERSION "v9.16.0")
+set(FIRMWARE_BTC_ONLY_VERSION "v9.16.0")
 set(BOOTLOADER_VERSION "v1.0.5")
 
 find_package(PythonInterp 3.6 REQUIRED)

messages/eth.proto

@@ -42,6 +42,7 @@ message ETHPubRequest {
   uint64 chain_id = 6;
 }
 
+// TX payload for "legacy" (EIP-155) transactions: https://eips.ethereum.org/EIPS/eip-155
 message ETHSignRequest {
   // Deprecated: use chain_id instead.
   ETHCoin coin = 1;
@@ -57,6 +58,20 @@ message ETHSignRequest {
   uint64 chain_id = 10;
 }
 
+// TX payload for an EIP-1559 (type 2) transaction: https://eips.ethereum.org/EIPS/eip-1559
+message ETHSignEIP1559Request {
+  uint64 chain_id = 1;
+  repeated uint32 keypath = 2;
+  bytes nonce = 3; // smallest big endian serialization, max. 16 bytes
+  bytes max_priority_fee_per_gas = 4; // smallest big endian serialization, max. 16 bytes
+  bytes max_fee_per_gas = 5; // smallest big endian serialization, max. 16 bytes
+  bytes gas_limit = 6; // smallest big endian serialization, max. 16 bytes
+  bytes recipient = 7; // 20 byte recipient
+  bytes value = 8; // smallest big endian serialization, max. 32 bytes
+  bytes data = 9;
+  AntiKleptoHostNonceCommitment host_nonce_commitment = 10;
+}
+
 message ETHSignMessageRequest {
   // Deprecated: use chain_id instead.
   ETHCoin coin = 1;
@@ -130,6 +145,7 @@ message ETHRequest {
     AntiKleptoSignatureRequest antiklepto_signature = 4;
     ETHSignTypedMessageRequest sign_typed_msg = 5;
     ETHTypedMessageValueRequest typed_msg_value = 6;
+    ETHSignEIP1559Request sign_eip1559 = 7;
   }
 }
 

py/bitbox02/CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## [Unreleased]
+- Accept EIP1559 transactions in `eth_sign()` - requires BitBox02 firmware v9.16.0
+
 ## 6.2.0
 - btc_sign: allow displaying BTC values in the 'sat' unit
 - require hidapi 0.14.0 to fix a bug on macOS 13.3 which lists two BitBox02s instead of one

py/bitbox02/bitbox02/bitbox02/bitbox02.py

@@ -757,28 +757,17 @@ def eth_sign(self, transaction: bytes, keypath: Sequence[int], chain_id: int = 1
         """
         transaction should be given as a full rlp encoded eth transaction.
         """
-        nonce, gas_price, gas_limit, recipient, value, data, _, _, _ = rlp.decode(transaction)
-        request = eth.ETHRequest()
-        # pylint: disable=no-member
-        request.sign.CopyFrom(
-            eth.ETHSignRequest(
-                coin=self._eth_coin(chain_id),
-                chain_id=chain_id,
-                keypath=keypath,
-                nonce=nonce,
-                gas_price=gas_price,
-                gas_limit=gas_limit,
-                recipient=recipient,
-                value=value,
-                data=data,
-            )
-        )
+        is_eip1559 = transaction.startswith(b"\x02")
 
-        supports_antiklepto = self.version >= semver.VersionInfo(9, 5, 0)
-        if supports_antiklepto:
+        def handle_antiklepto(request: eth.ETHRequest) -> bytes:
             host_nonce = os.urandom(32)
+            if is_eip1559:
+                request.sign_eip1559.host_nonce_commitment.commitment = antiklepto_host_commit(
+                    host_nonce
+                )
+            else:
+                request.sign.host_nonce_commitment.commitment = antiklepto_host_commit(host_nonce)
 
-            request.sign.host_nonce_commitment.commitment = antiklepto_host_commit(host_nonce)
             signer_commitment = self._eth_msg_query(
                 request, expected_response="antiklepto_signer_commitment"
             ).antiklepto_signer_commitment.commitment
@@ -796,6 +785,64 @@ def eth_sign(self, transaction: bytes, keypath: Sequence[int], chain_id: int = 1
 
             return signature
 
+        if is_eip1559:
+            self._require_atleast(semver.VersionInfo(9, 16, 0))
+            (
+                decoded_chain_id,
+                nonce,
+                priority_fee,
+                max_fee,
+                gas_limit,
+                recipient,
+                value,
+                data,
+                _,
+                _,
+                _,
+            ) = rlp.decode(transaction[1:])
+            decoded_chain_id_int = int.from_bytes(decoded_chain_id, byteorder="big")
+            if decoded_chain_id_int != chain_id:
+                raise Exception(
+                    f"chainID argument ({chain_id}) does not match chainID encoded in transaction ({decoded_chain_id_int})"
+                )
+            request = eth.ETHRequest()
+            # pylint: disable=no-member
+            request.sign_eip1559.CopyFrom(
+                eth.ETHSignEIP1559Request(
+                    chain_id=chain_id,
+                    keypath=keypath,
+                    nonce=nonce,
+                    max_priority_fee_per_gas=priority_fee,
+                    max_fee_per_gas=max_fee,
+                    gas_limit=gas_limit,
+                    recipient=recipient,
+                    value=value,
+                    data=data,
+                )
+            )
+            return handle_antiklepto(request)
+
+        nonce, gas_price, gas_limit, recipient, value, data, _, _, _ = rlp.decode(transaction)
+        request = eth.ETHRequest()
+        # pylint: disable=no-member
+        request.sign.CopyFrom(
+            eth.ETHSignRequest(
+                coin=self._eth_coin(chain_id),
+                chain_id=chain_id,
+                keypath=keypath,
+                nonce=nonce,
+                gas_price=gas_price,
+                gas_limit=gas_limit,
+                recipient=recipient,
+                value=value,
+                data=data,
+            )
+        )
+
+        supports_antiklepto = self.version >= semver.VersionInfo(9, 5, 0)
+        if supports_antiklepto:
+            return handle_antiklepto(request)
+
         return self._eth_msg_query(request, expected_response="sign").sign.signature
 
     def eth_sign_msg(self, msg: bytes, keypath: Sequence[int], chain_id: int = 1) -> bytes:

py/bitbox02/bitbox02/communication/generated/btc_pb2.pyi

@@ -104,7 +104,7 @@ class BTCScriptConfig(google.protobuf.message.Message):
         threshold: builtins.int
         @property
         def xpubs(self) -> google.protobuf.internal.containers.RepeatedCompositeFieldContainer[common_pb2.XPub]:
-            """xpubs are acount-level xpubs. Addresses are going to be derived from it using: m/<change>/<receive>.
+            """xpubs are acount-level xpubs. Addresses are going to be derived from it using: `m/<change>/<receive>`.
             The number of xpubs defines the number of cosigners.
             """
             pass
@@ -460,7 +460,9 @@ class BTCScriptConfigRegistration(google.protobuf.message.Message):
     @property
     def script_config(self) -> global___BTCScriptConfig: ...
     @property
-    def keypath(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[builtins.int]: ...
+    def keypath(self) -> google.protobuf.internal.containers.RepeatedScalarFieldContainer[builtins.int]:
+        """Unused for policy registrations."""
+        pass
     def __init__(self,
         *,
         coin: global___BTCCoin.ValueType = ...,