Add RSA/ECC key loading, backup restore, backup passphrase, and firmware loading #86
Open
0c-coder wants to merge 2 commits into trustcrypto:master from
…ssphrase

Port three features from the OnlyKey-App (JavaScript) to python-onlykey:

1. loadkey - Parse OpenPGP armored private keys (RSA 1024-4096, Ed25519, NIST P-256, secp256k1, Curve25519), extract key material (p/q for RSA, scalar s for ECC), and load onto the OnlyKey device. Supports auto-slot assignment (slot 99) matching the OnlyKey App behavior where signing and decryption subkeys are assigned to slots automatically.
2. restore - Parse OnlyKey backup files (base64-encoded with SHA256 hash verification), and send restore data to the device in 57-byte chunks using the OKRESTORE (0xF1) protocol message. Verifies backup file integrity before sending.
3. backuppassphrase - Set the backup encryption passphrase by computing its SHA256 hash and storing as a backup decryption key on slot 131 with type 161 (backup + decryption flags).

All three features are available as both CLI commands (onlykey-cli loadkey, onlykey-cli restore, onlykey-cli backuppassphrase) and interactive mode commands.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Port the firmware update feature from the OnlyKey-App to python-onlykey:

- Add OKFWUPDATE (0xF4) message type to Message enum
- Parse signed firmware files (-----BEGIN SIGNED FIRMWARE----- format)
- Transition device from config mode to bootloader via initial dummy packet
- Send firmware blocks in 57-byte chunks with per-chunk acknowledgment
- Wait for NEXT BLOCK between blocks and SUCCESSFULLY LOADED FW on completion
- Handle device reconnection after bootloader reboot
- Add loadfirmware CLI command with safety confirmation prompt
- Works in both command-line and interactive modes

Usage: onlykey-cli loadfirmware <firmware_file>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Port four features from the OnlyKey-App (JavaScript) to python-onlykey:
- loadkey — Parse OpenPGP armored private keys (RSA 1024-4096, Ed25519, NIST P-256, secp256k1, Curve25519), extract key material (p/q for RSA, scalar s for ECC), and load onto the OnlyKey device. Supports auto-slot assignment (slot 99) matching the OnlyKey App behavior where signing and decryption subkeys are assigned to slots automatically.
- restore — Parse OnlyKey backup files (base64-encoded with SHA256 hash verification), and send restore data to the device in 57-byte chunks using the OKRESTORE (0xF1) protocol message. Verifies backup file integrity before sending.
- backuppassphrase — Set the backup encryption passphrase by computing its SHA256 hash and storing as a backup decryption key on slot 131 with type 161 (backup + decryption flags).
- loadfirmware — Parse signed firmware files, transition the device from config mode to bootloader, and send firmware blocks in 57-byte chunks via the OKFWUPDATE (0xF4) protocol message with per-block signature verification and acknowledgment.

All four features are available as both CLI commands and interactive mode commands.
Usage
Test plan
- loadkey with RSA 2048/4096 PGP keys
- loadkey with Ed25519 PGP keys
- loadkey auto-slot assignment (slot 99)
- restore parses and verifies backup file SHA256 hash
- restore sends correct 57-byte chunks via OKRESTORE
- backuppassphrase rejects passphrases under 25 chars
- loadfirmware parses signed firmware file format
- loadfirmware transitions device to bootloader mode
- loadfirmware sends blocks with NEXT BLOCK acknowledgment
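
The restore and backuppassphrase behaviour described in this pull request, as an added example that is not code from the pull request or from python-onlykey. The backup file layout (base64 body lines followed by a `--` hash trailer), the function names and the sample data are assumptions made for illustration; the 57-byte chunk size, OKRESTORE (0xF1), slot 131, type 161 and the 25-character minimum are taken from the description above.

```python
import base64
import hashlib
import hmac

OKRESTORE = 0xF1         # restore message type, from the PR description
CHUNK_SIZE = 57          # bytes per chunk, from the PR description
BACKUP_SLOT, BACKUP_TYPE = 131, 161   # slot and type, from the PR description
MIN_PASSPHRASE_LEN = 25  # minimum length, from the test plan


def make_backup(body):
    """Build a constructed sample file in the ASSUMED layout:
    base64 body lines, then one trailer line '--' + base64(SHA256(body))."""
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    trailer = "--" + base64.b64encode(hashlib.sha256(body).digest()).decode()
    return "\n".join(lines + [trailer]) + "\n"


def parse_backup(text):
    """Decode the body and verify its SHA256 before anything is sent."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[-1].startswith("--"):
        raise ValueError("missing hash trailer")
    # validate=True rejects stray characters instead of silently skipping them
    body = base64.b64decode("".join(lines[:-1]), validate=True)
    stated = base64.b64decode(lines[-1][2:], validate=True)
    if not hmac.compare_digest(hashlib.sha256(body).digest(), stated):
        raise ValueError("SHA256 mismatch, refusing to restore")
    return body


def restore_messages(body):
    """Split a verified body into (OKRESTORE, chunk) pairs of <= 57 bytes.
    Any per-chunk length or sequence byte the device expects is not modelled."""
    return [(OKRESTORE, body[i:i + CHUNK_SIZE])
            for i in range(0, len(body), CHUNK_SIZE)]


def backup_key(passphrase):
    """Return (slot, type, SHA256(passphrase)); reject short passphrases."""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("passphrase must be at least 25 characters")
    return BACKUP_SLOT, BACKUP_TYPE, hashlib.sha256(passphrase.encode()).digest()


if __name__ == "__main__":
    sample = make_backup(bytes(range(130)))   # constructed 130-byte body
    msgs = restore_messages(parse_backup(sample))
    print([len(chunk) for _, chunk in msgs])
```

An unkeyed SHA256 stored alongside the data detects accidental corruption only; anyone able to rewrite the file can recompute the trailer.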