How to use the ledgerblue.ecWrapper.PrivateKey function in ledgerblue
To help you get started, we’ve selected a few ledgerblue examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
LedgerHQ / blue-loader-python / ledgerblue / loadApp.py View on Github 
printer.addArea(param_start, paramsSectionContent)
# account for added regions (install parameters, icon ...)
appLength = printer.maxAddr() - printer.minAddr()
loader.createAppNoInstallParams(args.appFlags, appLength, args.appName, None, path, 0, len(paramsSectionContent), string_to_bytes(args.appVersion))
else:
# account for added regions (install parameters, icon ...)
appLength = printer.maxAddr() - printer.minAddr()
loader.createAppNoInstallParams(args.appFlags, appLength, args.appName, args.icon, path, None, None, string_to_bytes(args.appVersion))
hash = loader.load(0x0, 0xF0, printer, targetId=args.targetId, targetVersion=args.targetVersion, doCRC=not (args.nocrc or NOCRC))
print("Application full hash : " + hash)
if (signature == None and args.signApp):
masterPrivate = PrivateKey(bytes(bytearray.fromhex(args.signPrivateKey)))
signature = masterPrivate.ecdsa_serialize(masterPrivate.ecdsa_sign(bytes(binascii.unhexlify(hash)), raw=True))
print("Application signature: " + str(binascii.hexlify(signature)))
if (args.tlv):
loader.commit(signature)
else:
loader.run(args.bootAddr-printer.minAddr(), signature)class SCP:
def __init__(self, dongle, targetId, rootPrivateKey):
secret = getDeployedSecretV2(dongle, rootPrivateKey, targetId)
self.loader = HexLoader(dongle, 0xe0, True, secret)
def encryptAES(self, data):
return self.loader.scpWrap(data);
def decryptAES(self, data):
return self.loader.scpUnwrap(data);
dongle = getDongle(args.apdu)
if args.scp:
if args.rootPrivateKey is None:
privateKey = PrivateKey()
publicKey = binascii.hexlify(privateKey.pubkey.serialize(compressed=False))
print("Generated random root public key : %s" % publicKey)
args.rootPrivateKey = privateKey.serialize()
scp = SCP(dongle, args.targetId, bytearray.fromhex(args.rootPrivateKey))
for data in file:
data = binascii.unhexlify(data.replace("\n", ""))
if len(data) < 5:
continue
if args.scp:
apduData = data[4:]
apduData = scp.encryptAES(bytes(apduData))
apdu = bytearray([data[0], data[1], data[2], data[3], len(apduData)]) + bytearray(apduData)
result = dongle.exchange(apdu)
result = scp.decryptAES((result))
else:def getDeployedSecretV2(dongle, masterPrivate, targetId, signerCertChain=None, ecdh_secret_format=None):
testMaster = PrivateKey(bytes(masterPrivate))
testMasterPublic = bytearray(testMaster.pubkey.serialize(compressed=False))
targetid = bytearray(struct.pack('>I', targetId))
if targetId&0xF < 2:
raise BaseException("Target ID does not support SCP V2")
# identify
apdu = bytearray([0xe0, 0x04, 0x00, 0x00]) + bytearray([len(targetid)]) + targetid
dongle.exchange(apdu)
# walk the chain
nonce = os.urandom(8)
apdu = bytearray([0xe0, 0x50, 0x00, 0x00]) + bytearray([len(nonce)]) + nonce
auth_info = dongle.exchange(apdu)
batch_signer_serial = auth_info[0:4]
deviceNonce = auth_info[4:12]def getDeployedSecretV1(dongle, masterPrivate, targetId):
testMaster = PrivateKey(bytes(masterPrivate))
testMasterPublic = bytearray(testMaster.pubkey.serialize(compressed=False))
targetid = bytearray(struct.pack('>I', targetId))
if targetId&0xF != 0x1:
raise BaseException("Target ID does not support SCP V1")
# identify
apdu = bytearray([0xe0, 0x04, 0x00, 0x00]) + bytearray([len(targetid)]) + targetid
dongle.exchange(apdu)
# walk the chain
batch_info = bytearray(dongle.exchange(bytearray.fromhex('E050000000')))
cardKey = batch_info[5:5 + batch_info[4]]
# if not found, get another pair
#if cardKey != testMasterPublic:def getDeployedSecretV2(dongle, masterPrivate, targetid, issuerKey):
testMaster = PrivateKey(bytes(masterPrivate))
testMasterPublic = bytearray(testMaster.pubkey.serialize(compressed=False))
targetid = bytearray(struct.pack('>I', targetid))
# identify
apdu = bytearray([0xe0, 0x04, 0x00, 0x00]) + bytearray([len(targetid)]) + targetid
dongle.exchange(apdu)
# walk the chain
nonce = os.urandom(8)
apdu = bytearray([0xe0, 0x50, 0x00, 0x00]) + bytearray([len(nonce)]) + nonce
auth_info = dongle.exchange(apdu)
batch_signer_serial = auth_info[0:4]
deviceNonce = auth_info[4:12]
# if not found, get another pair
#if cardKey != testMasterPublic:if (signerCertChain):
for cert in signerCertChain:
apdu = bytearray([0xE0, 0x51, 0x00, 0x00]) + bytearray([len(cert)]) + cert
dongle.exchange(apdu)
else:
print("Using test master key %s " % binascii.hexlify(testMasterPublic))
dataToSign = bytes(bytearray([0x01]) + testMasterPublic)
signature = testMaster.ecdsa_sign(bytes(dataToSign))
signature = testMaster.ecdsa_serialize(signature)
certificate = bytearray([len(testMasterPublic)]) + testMasterPublic + bytearray([len(signature)]) + signature
apdu = bytearray([0xE0, 0x51, 0x00, 0x00]) + bytearray([len(certificate)]) + certificate
dongle.exchange(apdu)
# provide the ephemeral certificate
ephemeralPrivate = PrivateKey()
ephemeralPublic = bytearray(ephemeralPrivate.pubkey.serialize(compressed=False))
print("Using ephemeral key %s" %binascii.hexlify(ephemeralPublic))
dataToSign = bytes(bytearray([0x11]) + nonce + deviceNonce + ephemeralPublic)
signature = testMaster.ecdsa_sign(bytes(dataToSign))
signature = testMaster.ecdsa_serialize(signature)
certificate = bytearray([len(ephemeralPublic)]) + ephemeralPublic + bytearray([len(signature)]) + signature
apdu = bytearray([0xE0, 0x51, 0x80, 0x00]) + bytearray([len(certificate)]) + certificate
dongle.exchange(apdu)
# walk the device certificates to retrieve the public key to use for authentication
index = 0
last_dev_pub_key = PublicKey(bytes(testMasterPublic), raw=True)
devicePublicKey = None
while True:
if index == 0:
certificate = bytearray(dongle.exchange(bytearray.fromhex('E052000000')))retry = 0
# di = sha256(i || retrycounter || ecdh secret)
while True:
sha256 = hashlib.new('sha256')
sha256.update(struct.pack(">IB", keyindex, retry))
sha256.update(ecdh_secret)
# compare di with order
CURVE_SECP256K1 = Curve.get_curve('secp256k1')
if int.from_bytes(sha256.digest(), 'big') < CURVE_SECP256K1.order:
break
#regenerate a new di satisfying order upper bound
retry+=1
# Pi = di*G
privkey = PrivateKey(bytes(sha256.digest()))
pubkey = bytearray(privkey.pubkey.serialize(compressed=False))
# ki = sha256(Pi)
sha256 = hashlib.new('sha256')
sha256.update(pubkey)
#print ("Key " + str (keyindex) + ": " + sha256.hexdigest())
return sha256.digest()batch_signer_serial = auth_info[0:4]
deviceNonce = auth_info[4:12]
# if not found, get another pair
#if cardKey != testMasterPublic:
# raise Exception("Invalid batch public key")
dataToSign = bytes(bytearray([0x01]) + testMasterPublic)
signature = testMaster.ecdsa_sign(bytes(dataToSign))
signature = testMaster.ecdsa_serialize(signature)
certificate = bytearray([len(testMasterPublic)]) + testMasterPublic + bytearray([len(signature)]) + signature
apdu = bytearray([0xE0, 0x51, 0x00, 0x00]) + bytearray([len(certificate)]) + certificate
dongle.exchange(apdu)
# provide the ephemeral certificate
ephemeralPrivate = PrivateKey()
ephemeralPublic = bytearray(ephemeralPrivate.pubkey.serialize(compressed=False))
dataToSign = bytes(bytearray([0x11]) + nonce + deviceNonce + ephemeralPublic)
signature = testMaster.ecdsa_sign(bytes(dataToSign))
signature = testMaster.ecdsa_serialize(signature)
certificate = bytearray([len(ephemeralPublic)]) + ephemeralPublic + bytearray([len(signature)]) + signature
apdu = bytearray([0xE0, 0x51, 0x80, 0x00]) + bytearray([len(certificate)]) + certificate
dongle.exchange(apdu)
# walk the device certificates to retrieve the public key to use for authentication
index = 0
last_pub_key = PublicKey(binascii.unhexlify(issuerKey), raw=True)
device_pub_key = None
while True:
if index == 0:
certificate = bytearray(dongle.exchange(bytearray.fromhex('E052000000')))
elif index == 1:args = get_argparser().parse_args()
if args.apilevel == None:
args.apilevel = 10
if args.targetId == None:
args.targetId = 0x31000002
if args.fileName == None:
raise Exception("Missing fileName")
if args.appName == None:
raise Exception("Missing appName")
if args.path_slip21 != None and args.apilevel < 10:
raise Exception("SLIP 21 path not supported using this API level")
if args.appFlags == None:
args.appFlags = 0
if args.rootPrivateKey == None:
privateKey = PrivateKey()
publicKey = binascii.hexlify(privateKey.pubkey.serialize(compressed=False))
print("Generated random root public key : %s" % publicKey)
args.rootPrivateKey = privateKey.serialize()
args.appName = string_to_bytes(args.appName)
parser = IntelHexParser(args.fileName)
if args.bootAddr == None:
args.bootAddr = parser.getBootAddr()
path = b""
curveMask = 0xff
if args.curve != None:
curveMask = 0x00
for curve in args.curve:
if curve == 'secp256k1':ledgerblue
Python library to communicate with Ledger devices
Package Health Score
61 / 100Popular ledgerblue functions
- ledgerblue.BlueHSMServer_pb2.Request
- ledgerblue.BlueHSMServer_pb2.Response
- ledgerblue.comm
- ledgerblue.comm.CommException
- ledgerblue.comm.Dongle
- ledgerblue.comm.getDongle
- ledgerblue.comm.HIDDongleHIDAPI
- ledgerblue.commException.CommException
- ledgerblue.commU2F.HIDDevice
- ledgerblue.commU2F.U2FHIDError
- ledgerblue.commU2F.U2FTunnelDongle
- ledgerblue.deployed.getDeployedSecretV1
- ledgerblue.deployed.getDeployedSecretV2
- ledgerblue.ecWrapper.PrivateKey
- ledgerblue.ecWrapper.PublicKey
- ledgerblue.hexLoader.HexLoader
- ledgerblue.hexParser.IntelHexArea
- ledgerblue.hexParser.IntelHexParser
- ledgerblue.ledgerWrapper.unwrapResponseAPDU
- ledgerblue.ledgerWrapper.wrapCommandAPDU