Cannot list or create credentials on SoloKey with no pin set on the key #570

Open
filipkemuel opened this issue Sep 5, 2021 · 2 comments

Comments

@filipkemuel

When I try to create or list credentials on my SoloKey it asks me to type a pin.
I have no pin set on the key so I leave it blank and just press enter.
The program then fails.

Firmware version: 4.1.2 locked
solo-python version: 0.0.30

Traceback (most recent call last):
  File "/usr/bin/solo", line 8, in <module>
    sys.exit(solo_cli())
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1137, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1062, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1668, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1668, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1668, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3.9/site-packages/click/core.py", line 763, in invoke
    return __callback(*args, **kwargs)
  File "/usr/lib/python3.9/site-packages/solo/cli/key.py", line 553, in cred_ls
    cm = client.cred_mgmt(pin)
  File "/usr/lib/python3.9/site-packages/solo/devices/base.py", line 116, in cred_mgmt
    token = client.client_pin.get_pin_token(pin)
  File "/usr/lib/python3.9/site-packages/fido2/ctap2/pin.py", line 256, in get_pin_token
    resp = self.ctap.client_pin(
  File "/usr/lib/python3.9/site-packages/fido2/ctap2/base.py", line 723, in client_pin
    return self.send_cbor(
  File "/usr/lib/python3.9/site-packages/fido2/ctap2/base.py", line 675, in send_cbor
    raise CtapError(status)
fido2.ctap.CtapError: CTAP error: 0x35 - PIN_NOT_SET
[1]    25362 exit 1     solo key credential ls
Traceback (most recent call last):
  File "/usr/bin/solo", line 8, in <module>
    sys.exit(solo_cli())
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1137, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1062, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1668, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1668, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3.9/site-packages/click/core.py", line 763, in invoke
    return __callback(*args, **kwargs)
  File "/usr/lib/python3.9/site-packages/solo/cli/key.py", line 151, in make_credential
    solo.hmac_secret.make_credential(
  File "/usr/lib/python3.9/site-packages/solo/hmac_secret.py", line 42, in make_credential
    attestation_object = client.make_credential(
  File "/usr/lib/python3.9/site-packages/fido2/client.py", line 446, in make_credential
    self._verify_rp_id(options.rp.id)
  File "/usr/lib/python3.9/site-packages/fido2/client.py", line 305, in _verify_rp_id
    raise ClientError.ERR.BAD_REQUEST()
fido2.client.ClientError: (<ERR.BAD_REQUEST: 2>, None)
[1]    25681 exit 1     solo key make-credential --host [censored] --user [censored]
@filipkemuel
Author

filipkemuel commented Sep 6, 2021

I know setting a pin would make it work.. but then I would have to use the pin every time I use the key for 2FA on websites.. making it 3FA.. since I would then need both password, key and pin... and that would be quite annoying..

Should it not be possible to use the key without setting a pin?

@nuno0529

nuno0529 commented Sep 7, 2021

The ctap2 spec allows creating a credential w/o using UV (e.g. PIN here), and I don't see any problem on the solo key I have (fw v4.0.0) with the actual ctap2 command. I think the error code in your log points to this line: https://github.com/Yubico/python-fido2/blob/142587b3e698ca0e253c78d75758fda635cac51a/fido2/client.py#L305

But for cred_mgmt, the ctap2 spec does require UV (e.g. PIN here).
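
The split described in the comment above, as an added example that is not part of the thread and is not solo-python or python-fido2 code: a preflight check a CLI could run on the authenticatorGetInfo options map, so that listing credentials on a key with no PIN stops with a clear message instead of a 0x35 traceback. The names `Plan`, `plan_operation` and `NO_PIN_KEY` are hypothetical, and the sketch assumes the PIN is the key's only user verification method and that a PIN, once set, is asked for on credential creation.

```python
from enum import Enum


class Plan(Enum):
    PROCEED_WITHOUT_PIN = "send the request without a PIN"
    PROMPT_FOR_PIN = "prompt for the PIN and get a PIN token"
    REFUSE_PIN_NOT_SET = "stop: no PIN is set on the key"
    REFUSE_UNSUPPORTED = "stop: the key cannot do this"


def plan_operation(operation, options):
    """Decide what to do before touching the device (hypothetical helper).

    `options` is the options map from authenticatorGetInfo:
    clientPin True = PIN set, False = supported but not set,
    absent = the key has no PIN support at all.
    """
    client_pin = options.get("clientPin")
    if operation == "make_credential":
        # With no PIN set, creation works without user verification.
        if client_pin is True:
            return Plan.PROMPT_FOR_PIN
        return Plan.PROCEED_WITHOUT_PIN
    if operation == "cred_mgmt":
        if not (options.get("credMgmt") or options.get("credentialMgmtPreview")):
            return Plan.REFUSE_UNSUPPORTED
        if client_pin is None:
            return Plan.REFUSE_UNSUPPORTED
        # Requesting a PIN token with no PIN set is what returns
        # CTAP error 0x35 (PIN_NOT_SET), so refuse before asking.
        return Plan.PROMPT_FOR_PIN if client_pin else Plan.REFUSE_PIN_NOT_SET
    raise ValueError(f"unknown operation: {operation!r}")


# Constructed sample: a key that supports PINs and credential management
# but has no PIN set.
NO_PIN_KEY = {"rk": True, "up": True, "clientPin": False, "credMgmt": True}

if __name__ == "__main__":
    for op in ("make_credential", "cred_mgmt"):
        print(f"{op}: {plan_operation(op, NO_PIN_KEY).value}")
```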
