Skip to content

Commit

Permalink
Added more hints to sign-file
Browse files Browse the repository at this point in the history
  • Loading branch information
stevenwdv committed Oct 25, 2021
1 parent a0a1686 commit bb56c5e
Showing 1 changed file with 29 additions and 12 deletions.
41 changes: 29 additions & 12 deletions solo/cli/key.py
Original file line number Diff line number Diff line change
Expand Up @@ -172,22 +172,22 @@ def make_credential(serial, host, default_sign_host, user, udp, prompt, pin,
algs = [fido2.cose.CoseKey.for_name(a).ALGORITHM for a in alg.split(",")]
if None in algs:
print("Error: Unknown algorithm(s): ", [a for a, aid in zip(alg.split(","), algs) if aid is None])
return 1

# check for PIN
if not pin:
pin = getpass.getpass("PIN (leave empty for no PIN): ")
if not pin:
pin = None
exit(1)

if default_sign_host:
if host is not None:
print("Error: Cannot specify both --host and --default-sign-host")
return 1
exit(1)
host = "solo-sign-hash:"
elif host is None:
host = "solokeys.dev"

# check for PIN
if not pin:
pin = getpass.getpass("PIN (leave empty for no PIN): ")
if not pin:
pin = None

cred_id, pk = solo.hmac_secret.make_credential(
host=host,
user_id=user,
Expand All @@ -204,7 +204,7 @@ def make_credential(serial, host, default_sign_host, user, udp, prompt, pin,
if minisign:
if pk.ALGORITHM != fido2.cose.EdDSA.ALGORITHM:
print(f"Error: Minisign only supports EdDSA keys but this credential was created using {type(pk).__name__}")
return 1
exit(1)

if key_id is not None:
key_id_hex = key_id
Expand Down Expand Up @@ -744,14 +744,21 @@ def sign_file(pin, serial, udp, prompt, credential_id, host, filename, sig_file,
except CtapError as err:
if err.code == CtapError.ERR.INVALID_OPTION:
print("Got CTAP error 0x2C INVALID_OPTION. Are you sure you used an EdDSA credential with Minisign?")
return 1
exit(1)
elif err.code == CtapError.ERR.INVALID_CREDENTIAL:
print("Got CTAP error 0x22 INVALID_CREDENTIAL.")
if host.startswith("solo-sign-hash:"):
print("Are you sure you created this credential using a 'solo-sign-hash:...' host?")
else:
print("Host should start with 'solo-sign-hash:'")
exit(1)
else:
raise

file_signature = ret[1]
if ret[2] is None:
print("Authenticator does not support Minisign")
return 1
exit(1)
global_signature = ret[2]

print(f"File signature (Base64): {base64.b64encode(file_signature).decode()}")
Expand Down Expand Up @@ -781,7 +788,17 @@ def sign_file(pin, serial, udp, prompt, credential_id, host, filename, sig_file,
print(f"Signature using key {key_id_hex} written to {sig_file}")

else:
ret = dev.sign_hash(credential_id, dgst.digest(), pin, host)
try:
ret = dev.sign_hash(credential_id, dgst.digest(), pin, host)
except CtapError as err:
if err.code == CtapError.ERR.INVALID_CREDENTIAL:
print("Got CTAP error 0x22 INVALID_CREDENTIAL.")
if host.startswith("solo-sign-hash:"):
print("Are you sure you created this credential using a 'solo-sign-hash:...' host?")
else:
print("Host should start with 'solo-sign-hash:'")
exit(1)

signature = ret[1]

print(f"Signature (Base64): {base64.b64encode(signature).decode()}")
Expand Down

0 comments on commit bb56c5e

Please sign in to comment.