From 309c09b599ca479d959b955c3ab24bc13924d09a Mon Sep 17 00:00:00 2001 From: Alexandre Paillier Date: Wed, 16 Nov 2022 13:50:17 +0100 Subject: [PATCH 1/5] Added new public CAL testing key in app --- Makefile | 12 ++++++++---- src/tokens.h | 26 ++++++++++++++++++-------- 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index b0dfbb5..81da667 100644 --- a/Makefile +++ b/Makefile @@ -147,10 +147,14 @@ ifneq ($(TARGET_NAME),TARGET_NANOS) DEFINES += HAVE_EIP712_FULL_SUPPORT endif -# CryptoAssetsList testing key -CAL_TESTING_KEY:=0 -ifneq ($(CAL_TESTING_KEY),0) -DEFINES += HAVE_CAL_TESTING_KEY +# CryptoAssetsList key +CAL_TEST_KEY:=0 +CAL_CI_KEY:=0 +ifneq ($(CAL_TEST_KEY),0) +DEFINES += HAVE_CAL_TEST_KEY +endif +ifneq ($(CAL_CI_KEY),0) +DEFINES += HAVE_CAL_CI_KEY endif # Enabling debug PRINTF diff --git a/src/tokens.h b/src/tokens.h index 7aa38f6..0a10125 100644 --- a/src/tokens.h +++ b/src/tokens.h 
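Review bot: Nothing in this Makefile block marks a build made with `CAL_TEST_KEY` or `CAL_CI_KEY` as non-production, so a binary that trusts a non-production CAL signer looks the same in the build log as a release one. Inside each `ifneq` I would add a line such as `$(warning CAL_CI_KEY set: this build trusts a non-production CAL key)`. The `# CryptoAssetsList key` comment should also say that leaving both variables at 0 selects the production key, which is what the `#else` branch in src/tokens.h does. The mutual-exclusion check exists only as an `#error` in src/tokens.h; an equivalent `$(error ...)` here would stop the build before any compilation starts.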
@@ -43,21 +43,31 @@ extern tokenDefinition_t const TOKENS_EXTRA[NUM_TOKENS_EXTRA]; #ifndef HAVE_TOKENS_LIST +#if defined(HAVE_CAL_TEST_KEY) && defined(HAVE_CAL_CI_KEY) +#error "CAL key contradiction, two alternative keys selected at once" +#endif + static const uint8_t LEDGER_SIGNATURE_PUBLIC_KEY[] = { -#ifndef HAVE_CAL_TESTING_KEY - // production key 2019-01-11 03:07PM (erc20signer) - 0x04, 0x5e, 0x6c, 0x10, 0x20, 0xc1, 0x4d, 0xc4, 0x64, 0x42, 0xfe, 0x89, 0xf9, 0x7c, - 0x0b, 0x68, 0xcd, 0xb1, 0x59, 0x76, 0xdc, 0x24, 0xf2, 0x4c, 0x31, 0x6e, 0x7b, 0x30, - 0xfe, 0x4e, 0x8c, 0xc7, 0x6b, 0x14, 0x89, 0x15, 0x0c, 0x21, 0x51, 0x4e, 0xbf, 0x44, - 0x0f, 0xf5, 0xde, 0xa5, 0x39, 0x3d, 0x83, 0xde, 0x53, 0x58, 0xcd, 0x09, 0x8f, 0xce, - 0x8f, 0xd0, 0xf8, 0x1d, 0xaa, 0x94, 0x97, 0x91, 0x83 -#else +#if defined(HAVE_CAL_TEST_KEY) // test key 2019-01-11 03:07PM (erc20signer) 0x04, 0x20, 0xda, 0x62, 0x00, 0x3c, 0x0c, 0xe0, 0x97, 0xe3, 0x36, 0x44, 0xa1, 0x0f, 0xe4, 0xc3, 0x04, 0x54, 0x06, 0x9a, 0x44, 0x54, 0xf0, 0xfa, 0x9d, 0x4e, 0x84, 0xf4, 0x50, 0x91, 0x42, 0x9b, 0x52, 0x20, 0xaf, 0x9e, 0x35, 0xc0, 0xb2, 0xd9, 0x28, 0x93, 0x80, 0x13, 0x73, 0x07, 0xde, 0x4d, 0xd1, 0xd4, 0x18, 0x42, 0x8c, 0xf2, 0x1a, 0x93, 0xb3, 0x35, 0x61, 0xbb, 0x09, 0xd8, 0x8f, 0xe5, 0x79 +#elif defined(HAVE_CAL_CI_KEY) + 0x04, 0x4c, 0xca, 0x8f, 0xad, 0x49, 0x6a, 0xa5, 0x04, 0x0a, 0x00, 0xa7, 0xeb, 0x2f, + 0x5c, 0xc3, 0xb8, 0x53, 0x76, 0xd8, 0x8b, 0xa1, 0x47, 0xa7, 0xd7, 0x05, 0x4a, 0x99, + 0xc6, 0x40, 0x56, 0x18, 0x87, 0xfe, 0x17, 0xa0, 0x96, 0xe3, 0x6c, 0x3b, 0x52, 0x3b, + 0x24, 0x4f, 0x3e, 0x2f, 0xf7, 0xf8, 0x40, 0xae, 0x26, 0xc4, 0xe7, 0x7a, 0xd3, 0xbc, + 0x73, 0x9a, 0xf5, 0xde, 0x6f, 0x2d, 0x77, 0xa7, 0xb6 +#else + // production key 2019-01-11 03:07PM (erc20signer) + 0x04, 0x5e, 0x6c, 0x10, 0x20, 0xc1, 0x4d, 0xc4, 0x64, 0x42, 0xfe, 0x89, 0xf9, 0x7c, + 0x0b, 0x68, 0xcd, 0xb1, 0x59, 0x76, 0xdc, 0x24, 0xf2, 0x4c, 0x31, 0x6e, 0x7b, 0x30, + 0xfe, 0x4e, 0x8c, 0xc7, 0x6b, 0x14, 0x89, 0x15, 0x0c, 0x21, 0x51, 0x4e, 
0xbf, 0x44, + 0x0f, 0xf5, 0xde, 0xa5, 0x39, 0x3d, 0x83, 0xde, 0x53, 0x58, 0xcd, 0x09, 0x8f, 0xce, + 0x8f, 0xd0, 0xf8, 0x1d, 0xaa, 0x94, 0x97, 0x91, 0x83 #endif }; From b1d6e9851d14da68c35b78661144a780a28151cb Mon Sep 17 00:00:00 2001 From: Alexandre Paillier Date: Wed, 16 Nov 2022 14:20:13 +0100 Subject: [PATCH 2/5] Now compiles the app with the new CAL key for Ragger tests --- .github/workflows/ci-workflow.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci-workflow.yml b/.github/workflows/ci-workflow.yml index 490928d..ff7c218 100644 --- a/.github/workflows/ci-workflow.yml +++ b/.github/workflows/ci-workflow.yml @@ -177,13 +177,13 @@ jobs: - name: Build test binaries run: | - make -j BOLOS_SDK=$NANOS_SDK CAL_TESTING_KEY=1 + make -j BOLOS_SDK=$NANOS_SDK CAL_CI_KEY=1 mv bin/app.elf app-nanos.elf make clean - make -j BOLOS_SDK=$NANOX_SDK CAL_TESTING_KEY=1 + make -j BOLOS_SDK=$NANOX_SDK CAL_CI_KEY=1 mv bin/app.elf app-nanox.elf make clean - make -j BOLOS_SDK=$NANOSP_SDK CAL_TESTING_KEY=1 + make -j BOLOS_SDK=$NANOSP_SDK CAL_CI_KEY=1 mv bin/app.elf app-nanosp.elf - name: Upload app binaries From bbe1723b25b25607a7b35ed24428ce048a8110b2 Mon Sep 17 00:00:00 2001 From: Alexandre Paillier Date: Wed, 16 Nov 2022 15:08:06 +0100 Subject: [PATCH 3/5] Added new private CAL key file for CI --- tests/ragger/cal/key.pem | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 tests/ragger/cal/key.pem diff --git a/tests/ragger/cal/key.pem b/tests/ragger/cal/key.pem new file mode 100644 index 0000000..338e49f --- /dev/null +++ b/tests/ragger/cal/key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQACg== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHQCAQEEIHoMkoRaNq0neb1TxRBor4WouV8PQqJf02sg4eh768LpoAcGBSuBBAAK +oUQDQgAETMqPrUlqpQQKAKfrL1zDuFN22IuhR6fXBUqZxkBWGIf+F6CW42w7Ujsk +Tz4v9/hAribE53rTvHOa9d5vLXentg== +-----END EC PRIVATE KEY----- 
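Review bot: The `HAVE_CAL_CI_KEY` branch of `LEDGER_SIGNATURE_PUBLIC_KEY` is the only one of the three without a comment naming the key. The matching private key is committed in plain text as tests/ragger/cal/key.pem in patch 3/5 of this series, so anyone can produce signatures that this branch accepts. The source should say so where the bytes are, for example `// CI key: private half is public in tests/ragger/cal/key.pem, never enable in a release build`. The array is fully inside the hunk, but the enclosing `#ifndef HAVE_TOKENS_LIST` block continues past it.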
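Review bot: This private key is committed under the generic name `key.pem` with nothing next to it saying that it is deliberately public, so a secret scanner or a later reader cannot tell it from a leaked credential. A short README in tests/ragger/cal/ would settle that by stating that this is the CI-only CAL signing key, that the app accepts it only when built with `CAL_CI_KEY=1`, and that it must never be used to sign real CAL data. A name such as `ci_test_key.pem` would help too. Because the key is public, the safety of the scheme rests entirely on release builds never defining `HAVE_CAL_CI_KEY`.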
From 2300bb9d008dc241f70b04d9cc62dc46d08ab4f7 Mon Sep 17 00:00:00 2001 From: Alexandre Paillier Date: Wed, 16 Nov 2022 15:16:44 +0100 Subject: [PATCH 4/5] Updated Ragger tests to use the new private CAL key --- .github/workflows/ci-workflow.yml | 2 -- tests/ragger/cal/cal.py | 18 ++++++++++++++++++ tests/ragger/eip712/InputData.py | 12 +++--------- 3 files changed, 21 insertions(+), 11 deletions(-) create mode 100644 tests/ragger/cal/cal.py diff --git a/.github/workflows/ci-workflow.yml b/.github/workflows/ci-workflow.yml index ff7c218..b846efa 100644 --- a/.github/workflows/ci-workflow.yml +++ b/.github/workflows/ci-workflow.yml @@ -270,8 +270,6 @@ jobs: sudo apt install -y qemu-user-static - name: Run tests - env: - CAL_SIGNATURE_TEST_KEY: ${{ secrets.CAL_SIGNATURE_TEST_KEY }} run: | cd tests/ragger . ./venv/bin/activate diff --git a/tests/ragger/cal/cal.py b/tests/ragger/cal/cal.py new file mode 100644 index 0000000..e75fcab --- /dev/null +++ b/tests/ragger/cal/cal.py @@ -0,0 +1,18 @@ +import os +import hashlib +from ecdsa.util import sigencode_der +from ecdsa import SigningKey + +_key: SigningKey = None + +def _init_key(): + global _key + with open(os.path.dirname(__file__) + "/key.pem") as pem_file: + _key = SigningKey.from_pem(pem_file.read(), hashlib.sha256) + assert _key != None + +def sign(data: bytes) -> bytes: + global _key + if not _key: + _init_key() + return _key.sign_deterministic(data, sigencode=sigencode_der) diff --git a/tests/ragger/eip712/InputData.py b/tests/ragger/eip712/InputData.py index 89e877c..01e0c6e 100644 --- a/tests/ragger/eip712/InputData.py +++ b/tests/ragger/eip712/InputData.py @@ -1,14 +1,11 @@ #!/usr/bin/env python3 -import os import json import sys import re import hashlib -from ecdsa import SigningKey -from ecdsa.util import sigencode_der from ethereum_client.client import EthereumClient, EIP712FieldType -import base64 +from cal import cal # global variables app_client: EthereumClient = None 
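Review bot: In `_init_key` of tests/ragger/cal/cal.py the line `assert _key != None` cannot catch anything useful: as far as I know `SigningKey.from_pem` either returns a key or raises, and asserts are stripped under `-O`, so I would delete it. In `sign`, `global _key` is unnecessary because the function only reads the name, and `if not _key:` is better written as `if _key is None:`. The path should be built with `os.path.join(os.path.dirname(__file__), "key.pem")` rather than string concatenation. The annotation `_key: SigningKey = None` should be `Optional[SigningKey]`.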
@@ -254,7 +251,7 @@ def send_filtering_message_info(display_name: str, filters_count: int): for char in display_name: to_sign.append(ord(char)) - sig = sig_ctx["key"].sign_deterministic(to_sign, sigencode=sigencode_der) + sig = cal.sign(to_sign) app_client.eip712_filtering_message_info(display_name, filters_count, sig) # ledgerjs doesn't actually sign anything, and instead uses already pre-computed signatures @@ -272,7 +269,7 @@ def send_filtering_show_field(display_name): to_sign.append(ord(char)) for char in display_name: to_sign.append(ord(char)) - sig = sig_ctx["key"].sign_deterministic(to_sign, sigencode=sigencode_der) + sig = cal.sign(to_sign) app_client.eip712_filtering_show_field(display_name, sig) def read_filtering_file(domain, message, filtering_file_path): @@ -299,9 +296,6 @@ def init_signature_context(types, domain): global sig_ctx handle_optional_domain_values(domain) - env_key = os.environ["CAL_SIGNATURE_TEST_KEY"] - key = base64.b64decode(env_key).decode() # base 64 string -> decode bytes -> string - sig_ctx["key"] = SigningKey.from_pem(key, hashlib.sha256) caddr = domain["verifyingContract"] if caddr.startswith("0x"): caddr = caddr[2:] From 32161b94325f18c5c56c1048c842b750bf47c9c8 Mon Sep 17 00:00:00 2001 From: Alexandre Paillier Date: Wed, 16 Nov 2022 15:30:12 +0100 Subject: [PATCH 5/5] Shorter Python tracebacks for Ragger tests --- .github/workflows/ci-workflow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-workflow.yml b/.github/workflows/ci-workflow.yml index b846efa..23b1679 100644 --- a/.github/workflows/ci-workflow.yml +++ b/.github/workflows/ci-workflow.yml @@ -273,4 +273,4 @@ jobs: run: | cd tests/ragger . ./venv/bin/activate - pytest --path ./elfs --model ${{ matrix.model }} -s -v + pytest --path ./elfs --model ${{ matrix.model }} -s -v --tb=short