Merge pull request Nitrokey#29 from solokeys/pass-pin-in-verify

Pass pin in verify
sgued · Aug 19, 2019 · 84cee7f · 84cee7f
2 parents ce2bac9 + fde45dc
commit 84cee7f
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.0.13] - 2019-08-19
+### Changed
+- implement passing PIN to `solo key verify`
+
 ## [0.0.12] - 2019-08-08
 ### Changed
 - update fido2 to 0.7.0

diff --git a/solo/VERSION b/solo/VERSION
@@ -1 +1 @@
-0.0.12
+0.0.13
diff --git a/solo/cli/key.py b/solo/cli/key.py
@@ -203,11 +203,12 @@ def reset(serial):
 
 
 @click.command()
+@click.option("--pin", help="PIN for to access key")
 @click.option("-s", "--serial", help="Serial number of Solo to use")
 @click.option(
     "--udp", is_flag=True, default=False, help="Communicate over UDP with software key"
 )
-def verify(serial, udp):
+def verify(pin, serial, udp):
     """Verify key is valid Solo Secure or Solo Hacker."""
 
     if udp:
@@ -216,8 +217,38 @@ def verify(serial, udp):
     # Any longer and this needs to go in a submodule
     print("Please press the button on your Solo key")
     try:
-        cert = solo.client.find(serial).make_credential()
-    except Fido2ClientError:
+        cert = solo.client.find(serial).make_credential(pin=pin)
+    except ValueError as e:
+        # python-fido2 library pre-emptively returns `ValueError('PIN required!')`
+        # instead of trying, and returning  `CTAP error: 0x36 - PIN_REQUIRED`
+        if "PIN required" in str(e):
+            print("Your key has a PIN set. Please pass it using `--pin <your PIN>`")
+            sys.exit(1)
+
+    except Fido2ClientError as e:
+        cause = str(e.cause)
+        # error 0x31
+        if "PIN_INVALID" in cause:
+            print("Your key has a different PIN. Please try to remember it :)")
+            sys.exit(1)
+        # error 0x34 (power cycle helps)
+        if "PIN_AUTH_BLOCKED" in cause:
+            print(
+                "Your key's PIN authentication is blocked due to too many incorrect attempts."
+            )
+            print("Please plug it out and in again, then again!")
+            print(
+                "Please be careful, after too many incorrect attempts, the key will fully block."
+            )
+            sys.exit(1)
+        # error 0x32 (only reset helps)
+        if "PIN_BLOCKED" in cause:
+            print(
+                "Your key's PIN is blocked. To use it again, you need to fully reset it."
+            )
+            print("You can do this using: `solo key reset`")
+            sys.exit(1)
+
         print("Error getting credential, is your key in bootloader mode?")
         print("Try: `solo program aux leave-bootloader`")
         sys.exit(1)

diff --git a/solo/client.py b/solo/client.py
@@ -208,11 +208,13 @@ def wink(self,):
     def reset(self,):
         self.ctap2.reset()
 
-    def make_credential(self,):
+    def make_credential(self, pin=None):
         rp = {"id": self.host, "name": "example site"}
         user = {"id": b"abcdef", "name": "example user"}
         challenge = "Y2hhbGxlbmdl"
-        attest, data = self.client.make_credential(rp, user, challenge, exclude_list=[])
+        attest, data = self.client.make_credential(
+            rp, user, challenge, exclude_list=[], pin=pin
+        )
         try:
             attest.verify(data.hash)
         except AttributeError: