Fix solo key {set-pin,change-pin,verify} and solo key credential info

innir · innir · commit 26b0fd485528 · 2023-10-17T21:49:49.000+02:00
diff --git a/solo/cli/key.py b/solo/cli/key.py
@@ -349,18 +349,9 @@ def verify(pin, serial, udp):
 
     key = solo.client.find(serial, udp=udp)
 
-    if (
-        key.client
-        and ("clientPin" in key.client.info.options)
-        and key.client.info.options["clientPin"]
-        and not pin
-    ):
-        pin = getpass.getpass("PIN: ")
-
     # Any longer and this needs to go in a submodule
-    print("Please press the button on your Solo key")
     try:
-        cert = key.make_credential(pin=pin)
+        cert = key.make_credential()
     except Fido2ClientError as e:
         cause = str(e.cause)
         if "PIN required" in cause:
diff --git a/solo/devices/base.py b/solo/devices/base.py
@@ -4,6 +4,7 @@
 from cryptography.hazmat.backends import default_backend
 from fido2.attestation import Attestation
 from fido2.ctap2 import Ctap2, CredentialManagement
+from fido2.ctap2.pin import ClientPin
 from fido2.hid import CTAPHID
 from fido2.utils import hmac_sha256
 from fido2.webauthn import PublicKeyCredentialCreationOptions
@@ -79,12 +80,12 @@ def reset(
         Ctap2(self.get_current_hid_device()).reset()
 
     def change_pin(self, old_pin, new_pin):
-        client = self.get_current_fido_client()
-        client.client_pin.change_pin(old_pin, new_pin)
+        client = ClientPin(self.ctap2)
+        client.change_pin(old_pin, new_pin)
 
     def set_pin(self, new_pin):
-        client = self.get_current_fido_client()
-        client.client_pin.set_pin(new_pin)
+        client = ClientPin(self.ctap2)
+        client.set_pin(new_pin)
 
     def make_credential(self, pin=None):
         client = self.get_current_fido_client()
@@ -97,25 +98,24 @@ def make_credential(self, pin=None):
             challenge,
             [{"type": "public-key", "alg": -8}, {"type": "public-key", "alg": -7}],
         )
-        result = client.make_credential(options, pin=pin)
+        result = client.make_credential(options)
         attest = result.attestation_object
         data = result.client_data
         try:
             attest.verify(data.hash)
         except AttributeError:
             verifier = Attestation.for_type(attest.fmt)
-            verifier().verify(attest.att_statement, attest.auth_data, data.hash)
+            verifier().verify(attest.att_stmt, attest.auth_data, data.hash)
         print("Register valid")
-        x5c = attest.att_statement["x5c"][0]
+        x5c = attest.att_stmt["x5c"][0]
         cert = x509.load_der_x509_certificate(x5c, default_backend())
 
         return cert
 
     def cred_mgmt(self, pin):
-        client = self.get_current_fido_client()
-        token = client.client_pin.get_pin_token(pin)
-        return CredentialManagement(ctap2, client.client_pin.protocol, token)
-        ctap2 = Ctap2(self.get_current_hid_device())
+        client = ClientPin(self.ctap2)
+        token = client.get_pin_token(pin)
+        return CredentialManagement(self.ctap2, client.protocol, token)
 
     def enter_solo_bootloader(
         self,
@@ -144,7 +144,7 @@ def sign_hash(self, credential_id, dgst, pin):
         ctap2 = Ctap2(self.get_current_hid_device())
         client = self.get_current_fido_client()
         if pin:
-            pin_token = client.client_pin.get_pin_token(pin)
+            pin_token = client.ClientPin.get_pin_token(pin)
             pin_auth = hmac_sha256(pin_token, dgst)[:16]
             return ctap2.send_cbor(
                 0x50,
diff --git a/solo/devices/solo_v1.py b/solo/devices/solo_v1.py
@@ -6,17 +6,29 @@
 import time
 from threading import Event
 
-from fido2.client import Fido2Client
+from fido2.client import Fido2Client, UserInteraction
 from fido2.ctap import CtapError
 from fido2.ctap1 import Ctap1
 from fido2.ctap2 import Ctap2
 from fido2.hid import CTAPHID, CtapHidDevice
 from intelhex import IntelHex
+from getpass import getpass
 
 from .. import exceptions, helpers
 from ..commands import SoloBootloader, SoloExtension
 from .base import SoloClient
 
+# Handle user interaction
+class CliInteraction(UserInteraction):
+    def prompt_up(self):
+        print("\nTouch your authenticator device now...\n")
+
+    def request_pin(self, permissions, rd_id):
+        return getpass("Enter PIN: ")
+
+    def request_uv(self, permissions, rd_id):
+        print("User Verification required.")
+        return True
 
 class Client(SoloClient):
     def __init__(
@@ -71,7 +83,7 @@ def find_device(self, dev=None, solo_serial=None):
             self.ctap2 = None
 
         try:
-            self.client = Fido2Client(dev, self.origin)
+            self.client = Fido2Client(dev, self.origin, user_interaction=CliInteraction())
         except CtapError:
             print("Not using FIDO2 interface.")
             self.client = None
