solo key verify crashes instantly #26

Closed
Vash63 opened this issue Aug 15, 2019 · 8 comments
Comments

Vash63 commented Aug 15, 2019

I've tested this on both a macOS and an Arch Linux system, both running Python 3.7.4, and in both cases solo key verify causes an immediate crash.

$ solo key verify
Please press the button on your Solo key
Traceback (most recent call last):
  File "/usr/bin/solo", line 10, in <module>
    sys.exit(solo_cli())
  File "/usr/lib/python3.7/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3.7/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3.7/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.7/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.7/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3.7/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/lib/python3.7/site-packages/solo/cli/key.py", line 219, in verify
    cert = solo.client.find(serial).make_credential()
  File "/usr/lib/python3.7/site-packages/solo/client.py", line 215, in make_credential
    attest, data = self.client.make_credential(rp, user, challenge, exclude_list=[])
  File "/usr/lib/python3.7/site-packages/fido2/client.py", line 308, in make_credential
    pin, timeout, on_keepalive
  File "/usr/lib/python3.7/site-packages/fido2/client.py", line 324, in _ctap2_make_credential
    raise ValueError('PIN required!')
ValueError: PIN required!

It crashes within a split second of me hitting enter before I have a chance to try and press the button on the key. My key is a Solo Secure running 2.4.2.

My1 (Contributor) commented Aug 16, 2019

It does work when the Solo has no PIN set, however. If you have no important accounts on your Solo, you can reset, then verify.

If it runs this using fido2, they might want to set userVerification to discouraged.

nickray (Member) commented Aug 16, 2019

Related: #20.

I will have to check (it's been a while) whether it's possible to use simultaneously "direct attestation" (since we want to "verify" the key) and no user verification. Is this what a "discouraged" UV does? In this particular case, would be helpful for sure.

My1 (Contributor) commented Aug 17, 2019

User verification has 3 levels:
preferred (iirc the default): verify the user if you can; if you can't (e.g. no PIN set), no problem
required: force user verification
discouraged: do NOT use verification

more to read here:
https://www.w3.org/TR/webauthn/#userVerificationRequirement

nickray (Member) commented Aug 19, 2019

@My1 this is not quite applicable in this case. See https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorMakeCredential "If pinAuth parameter is not present and clientPin been set on the authenticator, return CTAP2_ERR_PIN_REQUIRED error."

nickray (Member) commented Aug 19, 2019

@Vash63: I released a new version 0.0.13. Can you test by running pip3 install -U --user solo-python (or whatever update method makes sense in your setup), and then solo key verify --pin <your-PIN>?

Need to be a bit careful... After a few incorrect PINs, you can get yourself a few more tries by power cycling the key (pull out, put in again). After too many however, the key locks up fully and you have to solo key reset.

My1 (Contributor) commented Aug 19, 2019

#26 (comment) Does makeCredential only create a resident credential, or also a normal one? Because normal credentials can apparently be generated without a PIN, for example on the Yubico demo site with both a YubiKey 5 and a Solo, which both have a PIN set.

About your other post:

    Need to be a bit careful... After a few incorrect PINs, you can get yourself a few more tries by power cycling the key (pull out, put in again). After too many however, the key locks up fully and you have to solo key reset.

You can get more? How many do you get without? Because the FIDO2 spec says 8 max.

Edit: okay, scrolling further shows that there's also a 3 max per power cycle:
https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#gettingPinToken

But it says that's to prevent malware from doing stuff; how can malware submit PINs when every PIN thing seems to also ask for a button press?
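
The two spec points raised in this thread, nickray's quote that authenticatorMakeCredential returns CTAP2_ERR_PIN_REQUIRED when a clientPin is set but no pinAuth is sent, and the 8-in-total / 3-per-power-cycle PIN retry rule My1 found in the getPinToken section, modelled in Python as an added example. This is not code from solo-python, python-fido2 or the Solo firmware and it talks to no key: it runs against an in-memory model. The status-code values, retry limits and the pinAuth = LEFT(HMAC-SHA-256(pinToken, clientDataHash), 16) construction are taken from the CTAP 2.0 specification linked above; the class and function names, the pinToken derivation and the constructed clientDataHash are this example's own assumptions.

```python
"""Model of the CTAP2 rules discussed in this issue: makeCredential demands pinAuth
once a clientPin is set; clientPIN allows 8 retries in total but only 3 consecutive
failures per power cycle.  Added example, not solo-python/python-fido2/Solo code."""

import hashlib
import hmac

# CTAP2 status codes (CTAP 2.0 specification, error response section).
CTAP2_ERR_PIN_INVALID = 0x31
CTAP2_ERR_PIN_BLOCKED = 0x32
CTAP2_ERR_PIN_AUTH_INVALID = 0x33
CTAP2_ERR_PIN_AUTH_BLOCKED = 0x34
CTAP2_ERR_PIN_REQUIRED = 0x36

MAX_PIN_RETRIES = 8               # total wrong guesses before the key is fully blocked
MAX_FAILURES_PER_POWER_CYCLE = 3  # consecutive failures before a replug is required


class CtapError(Exception):
    def __init__(self, code):
        super().__init__("CTAP2 error 0x%02x" % code)
        self.code = code


def pin_auth_for(pin_token, client_data_hash):
    """pinAuth = LEFT(HMAC-SHA-256(pinToken, clientDataHash), 16), per CTAP 2.0."""
    return hmac.new(pin_token, client_data_hash, hashlib.sha256).digest()[:16]


class ModelAuthenticator:
    """Minimal authenticator state: optional clientPin, retry counters, pinToken."""

    def __init__(self, pin=None):
        self._pin_hash = hashlib.sha256(pin.encode()).digest() if pin else None
        self.pin_retries = MAX_PIN_RETRIES
        self._consecutive_failures = 0  # cleared only by power_cycle()
        self._pin_token = None

    def power_cycle(self):
        """Pull the key and reinsert it: resets the per-cycle limit, not pin_retries."""
        self._consecutive_failures = 0
        self._pin_token = None

    def get_pin_token(self, pin):
        """authenticatorClientPIN getPinToken with the spec's retry bookkeeping."""
        if self.pin_retries == 0:
            raise CtapError(CTAP2_ERR_PIN_BLOCKED)
        if self._consecutive_failures >= MAX_FAILURES_PER_POWER_CYCLE:
            raise CtapError(CTAP2_ERR_PIN_AUTH_BLOCKED)
        # Decrement before verifying, so pulling the plug mid-check cannot dodge the count.
        self.pin_retries -= 1
        candidate = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(candidate, self._pin_hash):
            self._consecutive_failures += 1
            if self.pin_retries == 0:
                raise CtapError(CTAP2_ERR_PIN_BLOCKED)
            if self._consecutive_failures >= MAX_FAILURES_PER_POWER_CYCLE:
                raise CtapError(CTAP2_ERR_PIN_AUTH_BLOCKED)
            raise CtapError(CTAP2_ERR_PIN_INVALID)
        self.pin_retries = MAX_PIN_RETRIES       # correct PIN: counters reset
        self._consecutive_failures = 0
        self._pin_token = hashlib.sha256(b"model-token|" + candidate).digest()  # random on a real key
        return self._pin_token

    def make_credential(self, client_data_hash, pin_auth=None):
        """authenticatorMakeCredential: the check behind 'PIN required!' in this issue."""
        if pin_auth is None:
            if self._pin_hash is not None:
                raise CtapError(CTAP2_ERR_PIN_REQUIRED)
            return {"uv": False}
        if self._pin_token is None or not hmac.compare_digest(
                pin_auth_for(self._pin_token, client_data_hash), pin_auth):
            raise CtapError(CTAP2_ERR_PIN_AUTH_INVALID)
        return {"uv": True}  # stand-in for the attestation object, uv flag set


def verify_scenario():
    """Replays the issue: 'solo key verify' without a PIN, then with --pin."""
    auth = ModelAuthenticator(pin="1234")
    cdh = hashlib.sha256(b"constructed clientData").digest()  # constructed input
    first = None
    try:
        auth.make_credential(cdh)
    except CtapError as e:
        first = e.code
    token = auth.get_pin_token("1234")
    return first, auth.make_credential(cdh, pin_auth_for(token, cdh))["uv"]


def lockout_scenario():
    """Ten wrong guesses with a replug before the 5th and 8th; returns codes seen."""
    auth = ModelAuthenticator(pin="1234")
    codes = []
    for attempt in range(10):
        if attempt in (4, 7):
            auth.power_cycle()
        try:
            auth.get_pin_token("0000")
        except CtapError as e:
            codes.append(e.code)
    return codes, auth.pin_retries
```

The lockout scenario shows the behaviour nickray describes: a replug clears the three-per-cycle CTAP2_ERR_PIN_AUTH_BLOCKED but never restores the total counter, so after eight wrong guesses the key answers CTAP2_ERR_PIN_BLOCKED to everything and only a reset helps. With no PIN set, make_credential succeeds without pinAuth, which is why the command worked for My1 on an unconfigured key.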

Vash63 (Author) commented Aug 22, 2019

@nickray It's working now, thanks. There's still a rather ugly crash (instead of a formatted error) if you run it before inserting the key though, not sure how important that is.

nickray (Member) commented Aug 22, 2019

Yes, right now click just passes through most errors as traceback. Pull requests welcome!

nickray closed this as completed Aug 22, 2019