Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conway #208

Merged
merged 20 commits into from
Jun 3, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 24 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,28 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).


## [6.0.3](TBD) - [TBD]
## [7.0.2](TBD) - [TBD]

Conway era

### Added

- export of Conway-era keys (DReps, Constitutional Committee Hot and Cold keys)
- Conway era transaction body items (new certificates, voting procedures, treasury, donation)
- optional CBOR tag 258 in CDDL sets
- reduced features on Nano S (since Ledger app v7, due to memory limits)

### Changed

- updated list of native tokens recognized by the app with correct decimal places
- increased max. URL and DNS name length to 128

### Fixed

- bug in checking canonical ordering of withdrawals


## [6.1.2](/~https://github.com/LedgerHQ/app-cardano/compare/v5.0.0...LedgerHQ:nanos_2.1.0_6.1.2_sdk_2.1.0-12) - [October 25th 2023]

Support for CIP-36 voting

Expand All @@ -15,11 +36,13 @@ Support for CIP-36 voting
- export of vote keys (1694'/1815'/...)
- support for CIP-36 voting (signing of vote-cast fragments with 1694 keys)
- support for CIP-36 registrations (in transaction auxiliary data)
- support for the Stax device

### Changed

- API for Catalyst voting registration (it is still possible to use CIP-15 in auxiliary data)
- updated list of native tokens recognized by the app with correct decimal places
- multidelegation allowed (as used by Lace, i.e. stake keys do not need to end with 0 as address_index)


## [5.0.0](/~https://github.com/LedgerHQ/app-cardano/compare/4.1.2...LedgerHQ:nanos_2.1.0_5.0.0) - [October 11th 2022]
Expand Down
46 changes: 44 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,9 @@
#*******************************************************************************

APPNAME = "Cardano ADA"
APPVERSION_M = 6
APPVERSION_N = 1

APPVERSION_M = 7
APPVERSION_N = 0
APPVERSION_P = 2
APPVERSION = "$(APPVERSION_M).$(APPVERSION_N).$(APPVERSION_P)"

Expand Down Expand Up @@ -120,6 +121,31 @@ else
DEFINES += PRINTF\(...\)=
endif

# restricted features for Nano S
# but not in DEVEL mode where we usually want to test all features with HEADLESS
ifeq ($(TARGET_NAME), TARGET_NANOS)
ifneq ($(DEVEL), 1)
APP_XS = 1
else
APP_XS = 0
endif
else
APP_XS = 0
endif

ifeq ($(APP_XS), 1)
DEFINES += APP_XS
else
# features not included in the Nano S app
DEFINES += APP_FEATURE_OPCERT
DEFINES += APP_FEATURE_NATIVE_SCRIPT_HASH
DEFINES += APP_FEATURE_POOL_REGISTRATION
DEFINES += APP_FEATURE_POOL_RETIREMENT
DEFINES += APP_FEATURE_BYRON_ADDRESS_DERIVATION
DEFINES += APP_FEATURE_BYRON_PROTOCOL_MAGIC_CHECK
endif
# always include this, it's important for Plutus users
DEFINES += APP_FEATURE_TOKEN_MINTING

##################
# Dependencies #
Expand Down Expand Up @@ -196,5 +222,21 @@ format:
size: all
$(GCCPATH)arm-none-eabi-size --format=gnu bin/app.elf

##############
# Device-specific builds
##############

nanos: clean
BOLOS_SDK=$(NANOS_SDK) make

nanosp: clean
BOLOS_SDK=$(NANOSP_SDK) make

nanox: clean
BOLOS_SDK=$(NANOX_SDK) make

stax: clean
BOLOS_SDK=$(STAX_SDK) make

# import generic rules from the sdk
include $(BOLOS_SDK)/Makefile.rules
2 changes: 1 addition & 1 deletion doc/build.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
- Install Docker
- Pull the required containers as discussed in /~https://github.com/LedgerHQ/ledger-app-builder/ (lite container is sufficient for a C build):

`sudo docker pull ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:latest`
`docker pull ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:latest`

## Compiling the app

Expand Down
11 changes: 11 additions & 0 deletions doc/features.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# Features (not) available on specific Ledger devices

Nano S has a very limited space for storing applications. It is not enough to fit all Cardano features there, so some of them are only available on Nano S+ and other more spacious Ledger devices (e.g. Nano X and Stax).

The features not supported on Nano S, Cardano app version 7 and above:
* pool registration and retirement
* signing of operational certificates
* computation of native script hashes
* details in Byron change outputs (only the address is shown)

Details can be found in [Makefile](../Makefile) and in the code (search for compilation flags beginning with `APP_FEATURE_`).
4 changes: 1 addition & 3 deletions doc/ins_get_public_keys.md
Original file line number Diff line number Diff line change
Expand Up @@ -80,8 +80,6 @@ Concatenation of `pub_key` and `chain_code` representing the extended public key
- Ledger might impose more restrictions, see implementation of `policyForGetExtendedPublicKey` in [src/securityPolicy.c](../src/securityPolicy.c) for details
- calculate extended public key
- respond with extended public key

**TODOs**
- ❓(IOHK): Should we also support BTC app like token validation? (Note: Token validation is to prevent concurrent access to the Ledger by two different host apps which could confuse user into performing wrong actions)
- ❓(IOHK): Should we support permanent app setting where Ledger forces user to acknowledge public key retrieval before sending it to host? (Note: probably not in the first version of the app)
- ❓(IOHK): Should there be an option to show the public key on display? Is it useful in any way? (Note: probably not)
6 changes: 3 additions & 3 deletions doc/ins_sign_stake_pool_registration.md
Original file line number Diff line number Diff line change
Expand Up @@ -157,12 +157,12 @@ P2 = `0x36`
|relay format | 1 | `RELAY_SINGLE_HOST_NAME=0x01` |
|isPortGiven | 1 | `ITEM_INCLUDED_NO=0x01` or `ITEM_INCLUDED_YES=0x02` |
|port | 2 | Big endian; included if and only if isPortGiven is `ITEM_INCLUDED_YES`
|dns name | variable | byte buffer, max size 64
|dns name | variable | byte buffer, max size 128

|Field| Length | Comments|
|-----|--------|---------|
|relay format | 1 | `RELAY_MULTIPLE_HOST_NAME=0x02` |
|dns name | variable | byte buffer, max size 64
|dns name | variable | byte buffer, max size 128


---
Expand All @@ -175,7 +175,7 @@ P2 = `0x37`
|-----|--------|---------|
|includeMetadata | 1 | `ITEM_INCLUDED_NO=0x01` or `ITEM_INCLUDED_YES=0x02` |
|metadata hash | 32 | byte buffer; only if includeMetadata is `ITEM_INCLUDED_YES`
|metadata url | variable | byte buffer, max size 64; only if includeMetadata is `ITEM_INCLUDED_YES`
|metadata url | variable | byte buffer, max size 128; only if includeMetadata is `ITEM_INCLUDED_YES`


---
Expand Down
42 changes: 30 additions & 12 deletions doc/ins_sign_tx.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,10 @@
# Sign Transaction

Note: this is somewhat incomplete (Babbage and Conway era elements are not described in detail) and some parts might be outdated. We strongly recommend to use [ledgerjs for Cardano](/~https://github.com/vacuumlabs/ledgerjs-cardano-shelley) for signing transactions. Check its latest API to find out what is supported.

**Description**

Given transaction inputs and transaction outputs, fee, ttl, staking certificates, reward withdrawals, metadata hash, validity interval start, and mint, construct and sign a transaction.
Given transaction inputs and transaction outputs, fee, ttl, staking certificates, reward withdrawals, metadata hash, validity interval start, mint, Plutus (Babbage) additional transaction body elements, and Conway additional elements, construct and sign a transaction.

Due to Ledger constraints and potential security implications (parsing errors), Cardano Ledger app uses a custom format for streaming the transaction to be signed. The main rationale behind not streaming directly the (CBOR-encoded) cardano raw transaction to Ledger is the following:
1) The app needs to support BIP44 change address outputs (Ledger should not display user's own change addresses to the user as this degrades UX).
Expand Down Expand Up @@ -233,7 +235,23 @@ Optional.

### Certificate

We support 4 types of certificates in ordinary transactions (signing mode `SIGN_TX_SIGNINGMODE_ORDINARY_TX` in the initial APDU message): stake key registration, stake key deregistration, stake delegation, and stake pool retirement. We support 3 types in multisig transactions (signing mode `SIGN_TX_SIGNINGMODE_MULTISIG_TX` in the initial APDU message): stake key registration, stake key deregistration, and stake delegation.
We support the following certificate types in ordinary transactions (signing mode `SIGN_TX_SIGNINGMODE_ORDINARY_TX` in the initial APDU message):
* CERTIFICATE_STAKE_REGISTRATION = 0,
* CERTIFICATE_STAKE_DEREGISTRATION = 1,
* CERTIFICATE_STAKE_DELEGATION = 2,
* CERTIFICATE_STAKE_POOL_RETIREMENT = 4,
* CERTIFICATE_STAKE_REGISTRATION_CONWAY = 7,
* CERTIFICATE_STAKE_DEREGISTRATION_CONWAY = 8,
* CERTIFICATE_VOTE_DELEGATION = 9,
* CERTIFICATE_AUTHORIZE_COMMITTEE_HOT = 14,
* CERTIFICATE_RESIGN_COMMITTEE_COLD = 15,
* CERTIFICATE_DREP_REGISTRATION = 16,
* CERTIFICATE_DREP_DEREGISTRATION = 17,
* CERTIFICATE_DREP_UPDATE = 18,

For signing mode `SIGN_TX_SIGNINGMODE_MULTISIG_TX`, everything from the above list except `CERTIFICATE_STAKE_POOL_RETIREMENT` is allowed.

For signing mode `SIGN_TX_SIGNINGMODE_PLUTUS_TX`, everything from the above list is allowed.

In addition, a transaction using `SIGN_TX_SIGNINGMODE_POOL_REGISTRATION_OPERATOR` or `SIGN_TX_SIGNINGMODE_POOL_REGISTRATION_OWNER` as the signing mode contains a single certificate for stake pool registration which must not be accompanied by other certificates or by withdrawals (due to security concerns about cross-witnessing data between them). This certificate is processed by a state sub-machine. Instructions for this sub-machine are given in P2; see [Stake Pool Registration](ins_sign_stake_pool_registration.md) for the details on accepted P2 values and additional APDU messages needed.

Expand All @@ -242,41 +260,41 @@ In addition, a transaction using `SIGN_TX_SIGNINGMODE_POOL_REGISTRATION_OPERATOR
| P1 | `0x06` |
| P2 | (unused / see [Stake Pool Registration](ins_sign_stake_pool_registration.md)) |

**Data for CERTIFICATE_TYPE_STAKE_REGISTRATION**
**Data for CERTIFICATE_STAKE_REGISTRATION**

|Field| Length | Comments|
|-----|--------|---------|
|Output type| 1 | `CERTIFICATE_TYPE_STAKE_REGISTRATION=0x00`|
|Output type| 1 | `CERTIFICATE_STAKE_REGISTRATION=0x00`|
|Stake credential| variable | See stake credential explained above|

**Data for CERTIFICATE_TYPE_STAKE_DEREGISTRATION**
**Data for CERTIFICATE_STAKE_DEREGISTRATION**

|Field| Length | Comments|
|-----|--------|---------|
|Output type| 1 | `CERTIFICATE_TYPE_STAKE_DEREGISTRATION=0x01`|
|Output type| 1 | `CERTIFICATE_STAKE_DEREGISTRATION=0x01`|
|Stake credential| variable | See stake credential explained above|

**Data for CERTIFICATE_TYPE_STAKE_DELEGATION**
**Data for CERTIFICATE_STAKE_DELEGATION**

|Field| Length | Comments|
|-----|--------|---------|
|Output type| 1 | `CERTIFICATE_TYPE_STAKE_DELEGATION=0x02`|
|Output type| 1 | `CERTIFICATE_STAKE_DELEGATION=0x02`|
|Stake credential| variable | See stake credential explained above|
|Pool key hash| 28 | Hash of staking pool public key|

**Data for CERTIFICATE_TYPE_STAKE_POOL_REGISTRATION**
**Data for CERTIFICATE_STAKE_POOL_REGISTRATION**

|Field| Length | Comments|
|-----|--------|---------|
|Output type| 1 | `CERTIFICATE_TYPE_STAKE_POOL_REGISTRATION=0x03`|
|Output type| 1 | `CERTIFICATE_STAKE_POOL_REGISTRATION=0x03`|

This only describes the initial certificate message. All the data for this certificate are obtained via a series of additional APDU messages; see [Stake Pool Registration](ins_sign_stake_pool_registration.md) for the details.

**Data for CERTIFICATE_TYPE_STAKE_POOL_RETIREMENT**
**Data for CERTIFICATE_STAKE_POOL_RETIREMENT**

|Field| Length | Comments|
|-----|--------|---------|
|Output type| 1 | `CERTIFICATE_TYPE_STAKE_POOL_RETIREMENT=0x04`|
|Output type| 1 | `CERTIFICATE_STAKE_POOL_RETIREMENT=0x04`|
|Stake key path| variable | BIP44 path. See [GetExtPubKey call](ins_get_public_keys.md) for a format example |
|Pool key hash| 28 | Hash of staking pool public key|

Expand Down
9 changes: 9 additions & 0 deletions fuzzing/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,15 @@ add_compile_definitions(
HAVE_HASH
HAVE_SHA256
HAVE_SHA3

# include all app features, incl. those removed from Nano S
APP_FEATURE_OPCERT
APP_FEATURE_NATIVE_SCRIPT_HASH
APP_FEATURE_POOL_REGISTRATION
APP_FEATURE_POOL_RETIREMENT
APP_FEATURE_BYRON_ADDRESS_DERIVATION
APP_FEATURE_BYRON_PROTOCOL_MAGIC_CHECK
APP_FEATURE_TOKEN_MINTING
)

set(SOURCE
Expand Down
5 changes: 5 additions & 0 deletions ledger_app.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
[app]
build_directory = "./"
sdk = "C"
devices = ["nanos", "nanox", "nanos+", "stax"]

Loading
Loading