solokeys / solo1-cli

Solo 1 library and CLI in Python
https://pypi.org/project/solo-python
Apache License 2.0

solo key verify crashes instantly #26

Closed Vash63 closed 5 years ago

Vash63 commented 5 years ago

I've tested this on both a macOS and an Arch Linux system, both running Python 3.7.4, and in both cases solo key verify causes an immediate crash.

$ solo key verify
Please press the button on your Solo key
Traceback (most recent call last):
  File "/usr/bin/solo", line 10, in <module>
    sys.exit(solo_cli())
  File "/usr/lib/python3.7/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3.7/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3.7/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.7/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.7/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3.7/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/lib/python3.7/site-packages/solo/cli/key.py", line 219, in verify
    cert = solo.client.find(serial).make_credential()
  File "/usr/lib/python3.7/site-packages/solo/client.py", line 215, in make_credential
    attest, data = self.client.make_credential(rp, user, challenge, exclude_list=[])
  File "/usr/lib/python3.7/site-packages/fido2/client.py", line 308, in make_credential
    pin, timeout, on_keepalive
  File "/usr/lib/python3.7/site-packages/fido2/client.py", line 324, in _ctap2_make_credential
    raise ValueError('PIN required!')
ValueError: PIN required!

It crashes within a split second of me hitting enter before I have a chance to try and press the button on the key. My key is a Solo Secure running 2.4.2.

My1 commented 5 years ago

It does work when the Solo has no PIN set, however. If you have no important accounts on your Solo, you can reset, then verify.

If it runs this using fido2, they might wanna set userVerification to discouraged.

nickray commented 5 years ago

Related: https://github.com/solokeys/solo-python/issues/20.

I will have to check (it's been a while) whether it's possible to use simultaneously "direct attestation" (since we want to "verify" the key) and no user verification. Is this what a "discouraged" UV does? In this particular case, would be helpful for sure.

My1 commented 5 years ago

User verification has 3 levels:

preferred (iirc default): verify the user if you can. If you can't (e.g. no PIN set), no problem.
required: force user verification.
discouraged: do NOT use verification.

more to read here: https://www.w3.org/TR/webauthn/#userVerificationRequirement

nickray commented 5 years ago

@My1 this is not quite applicable in this case. See https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorMakeCredential "If pinAuth parameter is not present and clientPin been set on the authenticator, return CTAP2_ERR_PIN_REQUIRED error."

nickray commented 5 years ago

@Vash63: I released a new version 0.0.13. Can you test by running pip3 install -U --user solo-python (or whatever update method makes sense in your setup), and then solo key verify --pin <your-PIN>?

Need to be a bit careful... After a few incorrect PINs, you can get yourself a few more tries by power cycling the key (pull out, put in again). After too many however, the key locks up fully and you have to solo key reset.

My1 commented 5 years ago

https://github.com/solokeys/solo-python/issues/26#issuecomment-522716534 Does makeCredential only create a resident credential, or also a normal one? Because normal credentials can apparently be generated without a PIN, for example on the Yubico demo site with both a yubi5 and a Solo, which both have a PIN set.

About your other post:

Need to be a bit careful... After a few incorrect PINs, you can get yourself a few more tries by power cycling the key (pull out, put in again). After too many however, the key locks up fully and you have to solo key reset.

You can get more? How many do you get without? Because the FIDO2 spec says 8 max.

Edit: okay, scrolling further shows that there's also a 3 max per power cycle: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#gettingPinToken

But it says it's to prevent malware from doing stuff, but how can malware submit PINs when every PIN thing seems to also ask for a button press?
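To pin down the two CTAP2 rules this exchange turns on (the authenticatorMakeCredential check nickray quotes from the spec, and the 3-per-power-cycle / 8-total PIN retry limits in the getPinToken section linked above), here is a small simulation. It is an added example, not code from solo-python, python-fido2 or the Solo firmware: the status-code values are the ones in the CTAP2 error table, while the Authenticator class, PIN_TOKEN and the counter names are constructed for illustration.

```python
"""Constructed model of two CTAP2 rules (added illustration, not solo-python,
python-fido2 or Solo firmware code):

  * authenticatorMakeCredential: a client PIN is set and the request carries
    no pinAuth -> CTAP2_ERR_PIN_REQUIRED, whatever the relying party asked
    for via userVerification.
  * getPinToken: at most 3 consecutive wrong PINs per power cycle and 8 in
    total; a correct PIN restores the total, a power cycle clears only the
    per-cycle count, and once the total reaches 0 only a reset helps.
"""
from typing import Optional, Tuple

# status codes as listed in the CTAP2 error table
CTAP2_OK = 0x00
CTAP2_ERR_PIN_INVALID = 0x31
CTAP2_ERR_PIN_BLOCKED = 0x32
CTAP2_ERR_PIN_AUTH_INVALID = 0x33
CTAP2_ERR_PIN_AUTH_BLOCKED = 0x34
CTAP2_ERR_PIN_NOT_SET = 0x35
CTAP2_ERR_PIN_REQUIRED = 0x36

MAX_PIN_RETRIES = 8                 # total, across power cycles
MAX_MISMATCHES_PER_POWER_CYCLE = 3  # consecutive, per power cycle

PIN_TOKEN = b"constructed-pin-token"  # stand-in for the real encrypted pinToken


class Authenticator:
    """Constructed stand-in for the key's PIN state (not firmware code)."""

    def __init__(self, pin: Optional[str] = None) -> None:
        self.pin = pin                      # None: no client PIN set
        self.retries_left = MAX_PIN_RETRIES
        self.mismatches_this_cycle = 0

    def power_cycle(self) -> None:
        """Pull out, put in again: clears only the per-cycle mismatch count."""
        self.mismatches_this_cycle = 0

    def get_pin_token(self, attempt: str) -> Tuple[int, Optional[bytes]]:
        """Models authenticatorClientPIN getPinToken: returns (status, token)."""
        if self.pin is None:
            return CTAP2_ERR_PIN_NOT_SET, None
        if self.retries_left == 0:
            return CTAP2_ERR_PIN_BLOCKED, None       # only a reset clears this
        if self.mismatches_this_cycle >= MAX_MISMATCHES_PER_POWER_CYCLE:
            return CTAP2_ERR_PIN_AUTH_BLOCKED, None  # even the right PIN is refused now
        if attempt != self.pin:
            self.retries_left -= 1
            self.mismatches_this_cycle += 1
            if self.retries_left == 0:
                return CTAP2_ERR_PIN_BLOCKED, None
            if self.mismatches_this_cycle >= MAX_MISMATCHES_PER_POWER_CYCLE:
                return CTAP2_ERR_PIN_AUTH_BLOCKED, None
            return CTAP2_ERR_PIN_INVALID, None
        self.retries_left = MAX_PIN_RETRIES          # correct PIN restores the budget
        self.mismatches_this_cycle = 0
        return CTAP2_OK, PIN_TOKEN

    def make_credential(self, pin_auth: Optional[bytes],
                        user_verification: str = "preferred") -> int:
        """Models the pinAuth check in authenticatorMakeCredential.
        user_verification is accepted only to show it plays no part here: the
        WebAuthn preference cannot talk the key out of wanting its PIN."""
        if self.pin is not None and pin_auth is None:
            return CTAP2_ERR_PIN_REQUIRED
        if pin_auth is not None and pin_auth != PIN_TOKEN:
            return CTAP2_ERR_PIN_AUTH_INVALID
        return CTAP2_OK


if __name__ == "__main__":
    key = Authenticator(pin="1234")
    # `solo key verify` without --pin on a key with a PIN: the error in the report
    print(hex(key.make_credential(None, user_verification="discouraged")))  # 0x36
    # after a reset the key has no PIN, so the same call succeeds (My1's workaround)
    print(hex(Authenticator(pin=None).make_credential(None)))                # 0x0
```

Running the PIN path through the model shows why the thread's two numbers are both right: three misses in one power cycle return CTAP2_ERR_PIN_AUTH_BLOCKED even for the correct PIN until the key is re-inserted, while the total budget of 8 keeps shrinking across cycles until CTAP2_ERR_PIN_BLOCKED, which no power cycle clears.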

Vash63 commented 5 years ago

@nickray It's working now, thanks. There's still a rather ugly crash (instead of a formatted error) if you run it before inserting the key though, not sure how important that is.

nickray commented 5 years ago

Yes, right now click just passes through most errors as traceback. Pull requests welcome!
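As an added illustration of the error handling the last two comments ask for (not solo-python code): the failures seen in this thread are caught at the CLI boundary and turned into a one-line message plus exit code, while anything unexpected still propagates as a traceback. NoSoloFound, PinRequired, FakeSoloClient and the exit-code values are constructed stand-ins for the solo/fido2 objects in the traceback above.

```python
"""Added example, not solo-python code: map the failures seen in this thread
to one-line messages and exit codes at the CLI boundary, and let anything
else keep its traceback (those are the cases worth a bug report).
NoSoloFound, PinRequired, FakeSoloClient and the exit codes are constructed
stand-ins for the solo/fido2 objects in the traceback above."""
import sys
from typing import Callable, Dict, List, Optional, Tuple, Type

EXIT_OK, EXIT_NO_DEVICE, EXIT_PIN_REQUIRED, EXIT_PIN_REJECTED = 0, 3, 4, 5


class NoSoloFound(Exception):
    """Stand-in for the error raised when no key is plugged in."""


class PinRequired(ValueError):
    """fido2 raises a plain ValueError('PIN required!') (see the traceback);
    a dedicated subclass lets the CLI tell it apart from other ValueErrors."""


class FakeSoloClient:
    """Constructed stand-in that behaves like the key in the report."""

    def __init__(self, pin: Optional[str]) -> None:
        self.pin = pin  # None: no client PIN set on the key

    def make_credential(self, pin: Optional[str] = None) -> bytes:
        if self.pin is not None and pin is None:
            raise PinRequired("PIN required!")
        if self.pin is not None and pin != self.pin:
            raise ValueError("PIN rejected by the key")
        return b"constructed-attestation-certificate"


def find(plugged_in: List[FakeSoloClient]) -> FakeSoloClient:
    """Stand-in for solo.client.find(): fails when no key is present."""
    if not plugged_in:
        raise NoSoloFound("no Solo key found")
    return plugged_in[0]


# exception class -> (exit code, message builder); the most specific class wins
HANDLERS: Dict[Type[BaseException], Tuple[int, Callable[[BaseException], str]]] = {
    NoSoloFound: (EXIT_NO_DEVICE,
                  lambda e: "No Solo key found. Insert the key and try again."),
    PinRequired: (EXIT_PIN_REQUIRED,
                  lambda e: "This key has a PIN set. Re-run with --pin <your-PIN>."),
    ValueError: (EXIT_PIN_REJECTED,
                 lambda e: f"Key refused the request: {e}. Wrong PINs are limited "
                           "(3 per power cycle, 8 total); check the PIN before retrying."),
}


def verify(plugged_in: List[FakeSoloClient],
           pin: Optional[str] = None) -> Tuple[int, str]:
    """Returns (exit code, message) instead of letting known errors escape."""
    try:
        cert = find(plugged_in).make_credential(pin=pin)
    except tuple(HANDLERS) as exc:
        for cls in type(exc).__mro__:  # PinRequired is matched before ValueError
            if cls in HANDLERS:
                code, build = HANDLERS[cls]
                return code, build(exc)
        raise  # not reachable: every caught class is in HANDLERS
    return EXIT_OK, f"Attestation received ({len(cert)} bytes); key verified."


if __name__ == "__main__":
    # no key plugged in: the crash Vash63 reports becomes a message and exit 3
    code, message = verify([], pin=None)
    print(message, file=sys.stderr)
    sys.exit(code)
```

The table keeps the policy in one place: a new failure mode gets a row, and everything not in the table still crashes loudly, which is what you want for the errors nobody has classified yet.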