nitrokey / pynitrokey Goto Github PK

View Code? Open in Web Editor NEW

93.0 8.0 27.0 2.78 MB

Python client for Nitrokey devices

License: Apache License 2.0

Makefile 0.50% Python 83.82% Dockerfile 0.02% Shell 0.48% C 15.11% Earthly 0.07%

pynitrokey's People

Contributors

Stargazers

Watchers

pynitrokey's Issues

Nitrokey FIDO2 update not working

Nitrokey FIDO2 update fails on fetching the binaries.
Tested commit: 0.3.2.nitrokey-44-g6384dbc (current tip of daringer/36-fido_08 branch);

178       DEBUG urllib3.connectionpool Starting new HTTPS connection (1): api.github.com:443
420       DEBUG urllib3.connectionpool https://api.github.com:443 "GET /repos/Nitrokey/nitrokey-fido2-firmware/releases/latest HTTP/1.1" 200 1808
422       DEBUG       root print: Critical error:
422       DEBUG       root print: Failed to determine latest release (url)
422       DEBUG       root print: assets:
422       DEBUG       root print: ('nitrokey-fido2-firmware-2.1.0-all-to_flash.hex', 'https://github.com/Nitrokey/nitrokey-fido2-firmware/releases/download/2.1.0.nitrokey/nitrokey-fido2-firmware-2.1.0-all-to_flash.hex')
422       DEBUG       root print: ('nitrokey-fido2-firmware-2.1.0-app-to_sign.hex', 'https://github.com/Nitrokey/nitrokey-fido2-firmware/releases/download/2.1.0.nitrokey/nitrokey-fido2-firmware-2.1.0-app-to_sign.hex')

Permission denied for log file

Following error message is shown, when user runs the tool inside directory without write access:

PermissionError: [Errno 13] Permission denied: '/usr/local/bin/upgrade.log'
PermissionError: [Errno 13] Permission denied: '/upgrade.log'

Edit: when run in home directory it works as advertised
Potential solution: on write error get random /tmp file path, or set it unconditionally

Show KDF object details

Show KDF object details for Nitrokey Start

Missing util subcommands

It looks like the util submenu for commands is missing.
Current output (fbd309f):

*** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start
Usage: nitropy [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  fido2     Interact with Nitrokey keys, see subcommands.
  genkey    Generates key pair that can be used for Nitrokey signed
            firmware...

  ls        List Nitrokey keys (in firmware or bootloader mode)
  mergehex  Merges hex files, and patches in the attestation key.
  sign      Signs a firmware hex file, outputs a .json file that can be
            used...

  start     Interact with 'Nitrokey Start' keys, see subcommands.
  version   Version of python-solo library and tool.

Windows MSI build not always working

It looks like the MSI build for Windows distribution is not always working.
To better describe setup process to avoid pitfalls. Ideally add to CI as well #15.

update README.md for clarification about status?

Hey hey,

recently got a Nitrokey FIDO2, eager to get lower level/devel access to the device I found this project, which caught my attention with the sub-title: Python client for Nitrokey FIDO2, based on Solo

Scrolled through the README and was triggered by "update firmware", instantly running:

solo key update

left me with the key stuck in bootloader-mode, as the command still tries to flash the solo firmware instead of the correct Nitrokey firmware.

As a micro documentation (btw. haven't found any for flashing), if someone is falling into the same hole How to flash Nitrokey FIDO2 firmware, my steps to revive the key:

Make sure you have solo from this repo installed
Stuck in bootloader? You should be able to read the bootloader version:

solo program aux bootloader-version

If this fails, you might not be stuck in bootloader-mode (check LEDs).
Additionally, you can manually enter the bootloader

solo program aux enter-bootloader

Do not forget to confirm using the touch sensor, LEDs should now have changed to pulsing, purple (dmesg will show either Nitrokey FIDO2 or Nitrokey FIDO2 Bootloader)
Now to flash the firmware: (bootloader 1.1, using (signed) firmware 1.1)

wget https://github.com/Nitrokey/nitrokey-fido2-firmware/releases/download/1.1.0.nitrokey/fido2-firmware-1.1.0.nitrokey-app-signed.json
# and program it through the bootloader:
solo program bootloader fido2-firmware-1.1.0.nitrokey-app-signed.json

The stick will not reboot itself, be sure that you see "...pass" after programming, finally to reboot into the application:

solo program aux leave-bootloader

@szszszsz hope it's ok that I am abusing this issue for documentation. Had a strong urge to write this down and make it available to hopefully safe others from the same pity. Did I maybe oversee some documentation for all this?

Apart from this, as the issue title suggests: how do you think about an update for the README.md to clarify what to expect from this project in this state, what's working and not using this tool. I could put some lines together and PR it if you'd like?

CTAP error: 0x27 - OPERATION_DENIED

Several commands yields to the same error. Example make-credential and reset.

$ solo key make-credential
Touch your authenticator to generate a credential...
Traceback (most recent call last):
  File "/home/jan/.local/lib/python3.6/site-packages/fido2/client.py", line 308, in make_credential
    pin, timeout, on_keepalive
  File "/home/jan/.local/lib/python3.6/site-packages/fido2/client.py", line 348, in _ctap2_make_credential
    pin_protocol, timeout, on_keepalive)
  File "/home/jan/.local/lib/python3.6/site-packages/fido2/ctap2.py", line 642, in make_credential
    ), timeout, AttestationObject, on_keepalive)
  File "/home/jan/.local/lib/python3.6/site-packages/fido2/ctap2.py", line 606, in send_cbor
    raise CtapError(status)
fido2.ctap.CtapError: CTAP error: 0x27 - OPERATION_DENIED

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/jan/.local/bin/solo", line 11, in <module>
    sys.exit(solo_cli())
  File "/home/jan/.local/lib/python3.6/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/home/jan/.local/lib/python3.6/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/home/jan/.local/lib/python3.6/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/jan/.local/lib/python3.6/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/jan/.local/lib/python3.6/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/jan/.local/lib/python3.6/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/home/jan/.local/lib/python3.6/site-packages/solo/cli/key.py", line 151, in make_credential
    host=host, user_id=user, serial=serial, output=True, prompt=prompt, udp=udp
  File "/home/jan/.local/lib/python3.6/site-packages/solo/hmac_secret.py", line 44, in make_credential
    rp, user, challenge, extensions=hmac_ext.create_dict(), pin=pin
  File "/home/jan/.local/lib/python3.6/site-packages/fido2/client.py", line 311, in make_credential
    raise _ctap2client_err(e)
fido2.client.ClientError: (<ERR.BAD_REQUEST: 2>, CtapError('CTAP error: 0x27 - OPERATION_DENIED',))

Automatic code reformat

Run linting tools and apply suggested changes.

Evaluate using solo-python as a library instead of forking it

When looking at solo's documentation, it seems that an easier way to do pynitrokey would be to rely on solo as a library.

Is there a specific reason, why a fork was chosen instead? This seems to introduce a lot of overhead in developing this library/application and staying in sync with solo-python.

Fails to run on a fresh install

After installing in a fresh Docker container based on Ubuntu 20.10, nitropy fails to run. Details below.
It looks like the fido2 dependency got updated recently, removing some internal symbols pynitrokey was using.

Potential solutions:

pin fido2 package dependency to previous one, 0.8.1;
remove usage of the internal fido2 symbol.

Error log:

Installing collected packages: cbor, six, pycparser, cffi, cryptography, pyserial, pygments, click, chardet, certifi, idna, urllib3, re
quests, fido2, ecdsa, intelhex, pyusb, pynitrokey
Successfully installed cbor-1.0.0 certifi-2020.12.5 cffi-1.14.4 chardet-4.0.0 click-7.1.2 cryptography-3.3.1 ecdsa-0.16.1 fido2-0.9.0 i
dna-2.10 intelhex-2.3.0 pycparser-2.20 pygments-2.7.4 pynitrokey-0.4.1 pyserial-3.5 pyusb-1.1.1 requests-2.25.1 six-1.15.0 urllib3-1.26
.2
(...)
Step 8/8 : RUN nitropy --version
 ---> Running in ea09abdc49b3
Traceback (most recent call last):
  File "/usr/local/bin/nitropy", line 5, in <module>
    from pynitrokey.cli import nitropy
  File "/usr/local/lib/python3.8/dist-packages/pynitrokey/cli/__init__.py", line 15, in <module>
    import pynitrokey.fido2.operations
  File "/usr/local/lib/python3.8/dist-packages/pynitrokey/fido2/__init__.py", line 7, in <module>
    import fido2._pyu2f
ModuleNotFoundError: No module named 'fido2._pyu2f'

UI: guard for Windows for NK Start listing

Add guard for now so that #27 would not show up to user, but hidden behind friendly message, like "NK Start management is not supported on this platform at the moment".

ARM / Raspberry PI (4) compatibility

See https://support.nitrokey.com/t/nitokey-start-firmware-update-failed-device-or-firmware-missing/2855/3

Neither NK FIDO2 nor NK Start can be properly accessed as non-root user.

macOS: OSError - Failed reading a response

User reports failure in executing Nitrokey FIDO2 firmware update on ~~macOS 10.16~~ macOS 11.0.1 (macOS Big Sur), with the latest update pynitrokey (v0.4.2).
Stack trace from the exception below.

log (click to show)

❯ nitropy fido2 update
*** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start
Nitrokey FIDO2 firmware update tool
Platform: macOS-10.16-x86_64-i386-64bit
System: Darwin, is_linux: False
Python: 3.8.6
Saving run log to: /var/folders/69/4cm0rh_13g58xwdllrpcwmlc0000gn/T/nitropy.log.3ni78tyq

Starting update procedure for Nitrokey FIDO2...
Downloading latest firmware: 2.2.0.nitrokey (published at 2020-09-23T15:21:45Z)
Firmware saved to /var/folders/69/4cm0rh_13g58xwdllrpcwmlc0000gn/T/fido2_firmware.json
Downloaded firmware version: 2.2.0.nitrokey
Device connected:
204D3395344B: Nitrokey FIDO2 2.1.0
Firmware version: 2.1.0

This will update your Nitrokey FIDO2
Do you want to continue? [yes/no]: yes
Traceback (most recent call last):
  File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/_pyu2f/macos.py", line 451, in Read
    return self.read_queue.get(False)
  File "/usr/local/Cellar/[email protected]/3.8.6_1/Frameworks/Python.framework/Versions/3.8/lib/python3.8/queue.py", line 167, in get
    raise Empty
_queue.Empty

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/nitropy", line 8, in <module>
    sys.exit(nitropy())
  File "/usr/local/lib/python3.8/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.8/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/Users/billy/Library/Python/3.8/lib/python/site-packages/pynitrokey/cli/update.py", line 141, in update
    if client.is_solo_bootloader():
  File "/Users/billy/Library/Python/3.8/lib/python/site-packages/pynitrokey/fido2/client.py", line 234, in is_solo_bootloader
    self.bootloader_version()
  File "/Users/billy/Library/Python/3.8/lib/python/site-packages/pynitrokey/fido2/client.py", line 147, in bootloader_version
    data = self.exchange(SoloBootloader.version)
  File "/Users/billy/Library/Python/3.8/lib/python/site-packages/pynitrokey/fido2/client.py", line 122, in exchange_u2f
    res = self.ctap1.authenticate(chal, appid, req)
  File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/ctap1.py", line 273, in authenticate
    response = self.send_apdu(ins=CTAP1.INS.AUTHENTICATE, p1=p1, data=data)
  File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/ctap1.py", line 233, in send_apdu
    response = self.device.call(CTAPHID.MSG, apdu)
  File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/hid.py", line 89, in call
    status, resp = self._dev.InternalRecv()
  File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/_pyu2f/hidtransport.py", line 308, in InternalRecv
    first_read = self.InternalReadFrame()
  File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/_pyu2f/hidtransport.py", line 300, in InternalReadFrame
    frame = self.hid_device.Read()
  File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/_pyu2f/macos.py", line 453, in Read
    raise OSError('Failed reading a response')
OSError: Failed reading a response

tools' log (as received from user)

170       DEBUG _pyu2f.hidtransport payload: [76, 78, 92, 206, 240, 225, 235, 231]
170       DEBUG _pyu2f.hidtransport sending packet: [255, 255, 255, 255, 134, 0, 8, 76, 78, 92, 206, 240, 225, 235, 231, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
179       DEBUG _pyu2f.hidtransport recv: [255, 255, 255, 255, 134, 0, 17, 76, 78, 92, 206, 240, 225, 235, 231, 2, 0, 0, 0, 2, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
180       DEBUG _pyu2f.hidtransport sending packet: [2, 0, 0, 0, 144, 0, 1, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
186       DEBUG _pyu2f.hidtransport recv: [2, 0, 0, 0, 144, 0, 126, 0, 168, 1, 131, 102, 85, 50, 70, 95, 86, 50, 104, 70, 73, 68, 79, 95, 50, 95, 48, 108, 70, 73, 68, 79, 95, 50, 95, 49, 95, 80, 82, 69, 2, 130, 107, 104, 109, 97, 99, 45, 115, 101, 99, 114, 101, 116, 107, 99, 114, 101, 100, 80, 114, 111, 116, 101]
190       DEBUG _pyu2f.hidtransport recv: [2, 0, 0, 0, 0, 99, 116, 3, 80, 195, 158, 251, 166, 252, 244, 76, 62, 130, 139, 252, 74, 97, 21, 160, 255, 4, 165, 98, 114, 107, 245, 98, 117, 112, 245, 100, 112, 108, 97, 116, 244, 104, 99, 114, 101, 100, 77, 103, 109, 116, 245, 105, 99, 108, 105, 101, 110, 116, 80, 105, 110, 245, 5, 25]
194       DEBUG _pyu2f.hidtransport recv: [2, 0, 0, 0, 1, 4, 176, 6, 129, 1, 7, 20, 8, 24, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]

List all connected devices on update failure

Collect all USB connected devices with VID:PID of our devices in case of an update failure to see, whether these were working and recognized by the OS at all.

Edit: add this report to the final log

Windows: no backend available

Nitropy cannot view USB devices out of the box. Instead an error is shown: usb.core.NoBackendError: No backend available.
Stack trace:

(click me)

PS C:\Windows\system32> nitropy ls
*** ←[31mNitrokey tool for Nitrokey FIDO2 & Nitrokey Start←[39;49;00m
:: 'Nitrokey FIDO2' keys
20873372344B: Nitrokey FIDO2 2.0.0
:: 'Nitrokey Start' keys:
Traceback (most recent call last):
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\cx_Freeze\initscripts\__startup__.py", line 40, in run
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\cx_Freeze\initscripts\Console.py", line 37, in run
  File "nitropy.py", line 3, in <module>
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\click\core.py", line 829, in __call__
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\click\core.py", line 782, in main
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\click\core.py", line 1259, in invoke
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\click\core.py", line 1066, in invoke
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\click\core.py", line 610, in invoke
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\pynitrokey\cli\__init__.py", line 62, in ls
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\pynitrokey\cli\start.py", line 37, in list
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\pynitrokey\start\usb_strings.py", line 46, in get_devices
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\pynitrokey\start\gnuk_token.py", line 637, in gnuk_devices_by_vidpid
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\usb\legacy.py", line 353, in busses
  File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\usb\core.py", line 1263, in find
usb.core.NoBackendError: No backend available

Tasks:

Update libusb to 1.0.24
Update pyusb to 1.1.0

Problem with using v0.4 package

After installing the latest pynitrokey v0.4, it cannot be called successfully:

$ nitropy
AttributeError: module 'pynitrokey' has no attribute 'fido2'

correct
add CI check
check dependencies

Missing file for NK Start update

Details:

when i use start update i get "*** Found unexpected error: [Errno 2] No such file or directory: 'solo/start/rsa_example.key'".

Rename package to nitrokey

Rename package to nitrokey. Make sure the names do not clash with Solo-python.

Connected: #4

Tagging scheme broken

Hi! I would like to package pynitrokey for Arch Linux.
Unfortunately the tagging scheme is now broken with using v0.4 instead of v0.4.nitrokey, as there are upstream solo-python related tags and nitrokey related tags in use in this repository and I am using a regular expression match against the nitrokey specific suffix.

Will tags from now on not have the suffixes anymore?
If not, please tag v0.4 also as v4.0.nitrokey.
Thanks!

v0.4.1 too: "AttributeError: module 'pynitrokey' has no attribute 'fido2'"

After installing the latest pynitrokey v0.4.1 for my Nitrokey Start, it cannot be called successfully:

$ nitropy
Traceback (most recent call last):
  File "/home/ge/.local/bin/nitropy", line 5, in <module>
    from pynitrokey.cli import nitropy
  File "/home/ge/.local/lib/python3.6/site-packages/pynitrokey/cli/__init__.py", line 15, in <module>
    import pynitrokey.fido2.operations
  File "/home/ge/.local/lib/python3.6/site-packages/pynitrokey/fido2/__init__.py", line 10, in <module>
    import pynitrokey.fido2.hmac_secret as hmac_secret
AttributeError: module 'pynitrokey' has no attribute 'fido2'
$

OS: openSUSE Leap 15.2
nitropy installed by
pip3 install --user pynitrokey
completed with message
Successfully installed cbor-1.0.0 click-7.1.2 ecdsa-0.16.0 fido2-0.8.1 intelhex-2.2.1 pygments-2.7.1 pynitrokey-0.4.1 pyserial-3.4 pyusb-1.1.0

What could be done? Thank you.

0.4.2 not available as sdist on pypi.org

Hi! The sdist tarball for 0.4.2 is not available on pypi.org.

It would be nice, if you could upload it :)

Allow to install and run in standalone setup

Given last issues with dependencies #60 #57, it would be nice to have the final distribution either packaged to a single file (using some bundler), or allow it to be installed separately in a virtual environment (e.g. pipenv, poetry).

Edit: to clarify, single binary distribution includes AppImage and Flatpak. All major OSes should be supported (not necessarily by a single solution).

nitropy fido2 update fails with NoSoloFoundError('no Nitrokey FIDO2 found') <FIXED: usbguard>

I tried to update the firmware of a Nitrokey FIDO2 using nitropy.
The update starts nicely, it detects the USB device, tries to enter bootloader mode, and asks for confirmation with the button on the key.
I press the button on the FIDO2 key, and directly after that the software returns a critical error, and says that no FIDO2 key could be found.
After that the Nitrokey shows a blinking (alternating?) red and blue light.
I will attach the log that was produced in /tmp.

nitropy.log.l9gp9su2.txt

update to fido2 library version 0.9

as the python-fido2 library broke backwards compatibility with 0.9 there is some work to be done in order to make it work with it. Maybe even wait for 1.0 ?

Improve update process for NK Start

Add improvements from the #48 case.
Tasks:

document potential issues when using Docker
discuss Pip installation alternatives, e.g. using single Python bundled binary, or pipenv, or venv, etc.
ask users to rerun the update process if the bootloader cannot be found
document OpenOCD flashing on Arch Linux (see #48 last comments)
run factory reset over ccid

Set CI

Configure CI for build test and code quality check

Nitrokey FIDO2 update takes long time

Nitrokey FIDO2 update with the latest version takes 60 seconds, while it is half of the time with previous version using bootloader upload directly. To investigate.
Potential cause: traffic logging (not enabled with previous version for via-bootloader update).

Ask user to send logs on the update failure

Ask user to send logs to support email on the update failure.

Nitrokey Start
Nitrokey FIDO2

Enable challenge-response

In v0.4.1 the challenge-response feature is temporarily disabled. To activate it back.

Log: gather version of tool and its dependencies

Collect version of the pynitrokey in its own log, and get the most important dependencies versions' as well (e.g. fido2 package).

Nitrokey Start Update Went Badly - Critical error occurred, exiting now

nitropy.log

See log for details. Followed directions on website for updating firmware and now the nitrokey start is not found at all.

Thanks for any help.

Windows: check for privileged run during the update

Check and abort, if the execution priviliges are not at the level of the Administrator, while running on the Windows OS. This is required to run the Nitrokey FIDO2 update.

Pin used dependencies with PipLock

To introduce automatic pinning, e.g. with Pipenv tool.
@daringer : what do you think?

Update/unpin fido2 dependency

Hi! I'm currently baking a package for Arch Linux. Unfortunately I'm running into integration problems with the fido2 dependency.

The fido2 package has been on > 0.7.3 since November 2019 and on Arch Linux we're currently already shipping 0.8.1.
It would be most awesome to update this dependency so that this tool can be packaged.

Currently I'm helping the process along by using this patch:

diff --git i/pynitrokey/client.py w/pynitrokey/client.py
index ae7141d..ee59d9d 100644
--- i/pynitrokey/client.py
+++ w/pynitrokey/client.py
@@ -23,7 +23,6 @@ from fido2.ctap import CtapError
 from fido2.ctap1 import CTAP1
 from fido2.ctap2 import CTAP2
 from fido2.hid import CTAPHID, CtapHidDevice
-from fido2.utils import Timeout
 from intelhex import IntelHex
 from pynitrokey import helpers
 from pynitrokey.commands import SoloBootloader, SoloExtension
@@ -135,8 +134,7 @@ class SoloClient:
     def send_data_hid(self, cmd, data):
         if not isinstance(data, bytes):
             data = struct.pack("%dB" % len(data), *[ord(x) for x in data])
-        with Timeout(1.0) as event:
-            return self.dev.call(cmd, data, event)
+        return self.dev.call(cmd, data)

     def exchange_hid(self, cmd, addr=0, data=b"A" * 16):
         req = SoloClient.format_request(cmd, addr, data)

However, I am not sure whether this is the right way to remove the dependency on the removed Timeout utility class or whether there are more inconsistencies.

Support update for SafeKey

Support CLI for the SafeKey firmware update:

recognize device and list it
get proper firmware links for the update
execute update process

Automatic firmware update for Nitrokey FIDO2

Enable back and configure properly the update feature for the Nitrokey FIDO2.

It was removed in 6e7fa79 - code block start.

Allow development access to the device

To decide, how to allow development access to the device - whether this would be realized by the upstream (with a requested change of custom VID:PID for connection), or by releasing this project to repository, with a renamed module (or both?).

Bootloader connection improvements

Nitrokey Start update: improve connection process after bootloader upload:

repeat bootloader connection attempt
additional delay allowing for the bootloader to start
remove the misleading message about reinsertion for the bootloader connection failure

Connected: Nitrokey/nitrokey-start-firmware#51
Details: https://support.nitrokey.com/t/nitrokey-start-update-funktioniert-nicht/2596/4

Integrate Nitrokey FIDO U2F commands

Integrate Nitrokey FIDO U2F commands. See the complete tool at:

https://github.com/Nitrokey/nitrokey-fido-u2f-firmware/blob/master/tools/u2f_zero_client/client.py

Correct CI

At the moment CI fails with:

venv/bin/flit install --symlink
make: venv/bin/flit: Command not found
Makefile:60: recipe for target 'update-venv' failed
make: *** [update-venv] Error 127
The command "make init" failed and exited with 2 during .

To correct
Build MSI package for Windows #26

Move NK FIDO2 related commands under fido2

Move the rest of the NK FIDO2 related commands under fido2.util subcommand.
Related: #5

I think ideal organization would be:
Top:

fido2
start
ls
version

The commands under fido2.util:

genkey
mergehex
monitor
program
sign

Verify Nitrokey certificate

Add support for Nitrokey certificate for the validate command.

Utility: support quickly creating the Encrypted Volume partition

Utility: support quickly creating the Encrypted Volume partition for the Nitrokey Storage.

Update to the latest upstream

Update to the latest upstream if not done already.
Features:

PIN change command
corrections for subcommands
dependencies update

fido2 reset failed

Using nitropy 0.4.0 with NK FIDO2 2.2.0:

click to show log

$ nitropy fido2 reset
*** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start
Warning: Your credentials will be lost!!! continue? [(y)es/(n)o]: y
choosing: yes
Press key to confirm -- again, your credentials will be lost!!!
Traceback (most recent call last):
  File "/home/jan/.local/bin/nitropy", line 8, in <module>
    sys.exit(nitropy())
  File "/home/jan/.local/lib/python3.8/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/home/jan/.local/lib/python3.8/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/home/jan/.local/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/jan/.local/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/jan/.local/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/jan/.local/lib/python3.8/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/home/jan/.local/lib/python3.8/site-packages/pynitrokey/cli/fido2.py", line 394, in reset
    nkfido2.find(serial).reset()
  File "/home/jan/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 183, in reset
    self.ctap2.reset()
  File "/home/jan/.local/lib/python3.8/site-packages/fido2/ctap2.py", line 795, in reset
    self.send_cbor(CTAP2.CMD.RESET, event=event, on_keepalive=on_keepalive)
  File "/home/jan/.local/lib/python3.8/site-packages/fido2/ctap2.py", line 645, in send_cbor
    raise CtapError(status)
fido2.ctap.CtapError: CTAP error: 0x30 - NOT_ALLOWED

NK FIDO2 update: correct bootloader execution description

Do not ask for inserting device with the button pressed for NK FIDO2 device update procedure.
This must be a leftover from the upstream.
Additionally, elaborate on what to expect and how long to press the device, similarly to the WebUpdate service.

Nitrokey FIDO2 firmware update fails when not in bootloader

Nitrokey FIDO2 firmware update fails if not in bootloader, while trying to use local file as the firmware source. See below for details.
Most probably the response from the bootloader is unexpected and not handled by the pynitrokey.

Version: 0.4.1 (latest)

logs (click to show)

sz@stumpy ~/w/n/releases (master) [2]> nitropy fido2 util program bootloader ./nitrokey-fido2-firmware-2.3.0-app-signed.json            
*** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start
erasing firmware...                                                                                                                     
Not in bootloader mode.  Attempting to switch...                 
Please confirm with button on key!                                                                                                      
Nitrokey rebooted.  Reconnecting...       
Not using FIDO2 interface.                                                                                                              
Traceback (most recent call last):                                                                                                      
  File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/cli/program.py", line 67, in bootloader                                  
    p.program_file(firmware)                                                                                                            
  File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 353, in program_file                              
    self.write_flash(i, data)                                                                                                           
  File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 160, in write_flash                               
    self.exchange(SoloBootloader.write, addr, data)                                                                                     
  File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 108, in exchange_hid
    data = self.send_data_hid(SoloBootloader.HIDCommandBoot, req)                                                                       
  File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 103, in send_data_hid
    return self.dev.call(cmd, data, event)                                                                                              
  File "/home/sz/.local/lib/python3.8/site-packages/fido2/hid.py", line 94, in call
    raise CtapError(resp[0])                            
fido2.ctap.CtapError: CTAP error: 0x01 - INVALID_COMMAND                                                                                
                                                                    
During handling of the above exception, another exception occurred:
                                                                    
Traceback (most recent call last):                       
  File "/home/sz/.local/bin/nitropy", line 8, in <module>
    sys.exit(nitropy())                                                                                                                 
  File "/usr/lib/python3.8/site-packages/click/core.py", line 829, in __call__                                                          
    return self.main(*args, **kwargs)                                                                                                   
  File "/usr/lib/python3.8/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)                                                                                                               
  File "/usr/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))                                                                             
  File "/usr/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))                                                                             
  File "/usr/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  [Previous line repeated 1 more time]                                                                                                  
  File "/usr/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)                                                                                      
  File "/usr/lib/python3.8/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)                                                                                                    
  File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/cli/program.py", line 85, in bootloader
    p.program_file(firmware)                                                                                                            
  File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 306, in program_file
    current = self.bootloader_version()                                                                                                 
  File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 147, in bootloader_version
    data = self.exchange(SoloBootloader.version)                                                                                        
  File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 108, in exchange_hid
    data = self.send_data_hid(SoloBootloader.HIDCommandBoot, req)                                                                       
  File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 103, in send_data_hid
    return self.dev.call(cmd, data, event)                                                                                              
  File "/home/sz/.local/lib/python3.8/site-packages/fido2/hid.py", line 86, in call
    self._dev.InternalSend(TYPE_INIT | cmd, bytearray(data))                                                                            
  File "/home/sz/.local/lib/python3.8/site-packages/fido2/_pyu2f/hidtransport.py", line 277, in InternalSend
    self.InternalSendPacket(first_packet)                                                                                               
  File "/home/sz/.local/lib/python3.8/site-packages/fido2/_pyu2f/hidtransport.py", line 293, in InternalSendPacket
    self.hid_device.Write(wire)                                                                                                         
  File "/home/sz/.local/lib/python3.8/site-packages/fido2/_pyu2f/linux.py", line 222, in Write
    os.write(self.dev, out)        
OSError: [Errno 19] No such device

Final branding corrections

Final branding corrections needed to be done:

udev rules message
hmac_secret host default value
description of the module

Found excerpts:

pynitrokey/__init__.py:"""Python library for SoloKeys."""                                                              
pynitrokey/hmac_secret.py:    host="solokeys.dev",                                                                     
pynitrokey/hmac_secret.py:    host="solokeys.dev",                                                                     
pynitrokey/cli/__init__.py:            "We suggest using: https://github.com/solokeys/solo/blob/master/udev/70-solokeys
-access.rules"                                                                                                         
pynitrokey/cli/__init__.py:        print("For more information, see: https://docs.solokeys.io/solo/udev/")             
pynitrokey/cli/fido2.py:    "--host", help="Relying party's host", default="solokeys.dev", show_default=True           
pynitrokey/cli/fido2.py:@click.option("--host", help="Relying party's host", default="solokeys.dev")

Document better installation process

Document better installation process, especially for the Raspberry PI case:

Udev rules;
avoiding using root;
Python packages installation (system- or user-wide?).
See:
https://support.nitrokey.com/t/nitokey-start-firmware-update-failed-device-or-firmware-missing/2855/5

broken chain of trust for releases

Hi! When trying to package pynitrokey 0.4 for Arch Linux I am running into several issues related to cryptographic authentication that prevent me from packaging pynitrokey:

~~the public key for 4C1449F1C9804176 (@daringer) is not available on any known keyserver~~ (I am currently force-uploading the public key for CC74B7120BFAA36FF42868724C1449F1C9804176 to all servers after retrieving it from github)
no chain of trust has been established between D9BAE35991DE5B22 (@szszszsz ) and 4C1449F1C9804176 (@daringer). From a TOFU point-of-view one would trust @szszszsz key first and action from your side has to be taken so that outsiders can trust a new key

The allowed release managers of this software should be noted in the README in a signed commit (signed by @szszszsz ).
Apart from that:

a) if you introduce a new key of your own, the new key needs to be signed by the old key and the change should be announced in a signed commit altering/extending the README
b) if you introduce someone else's key, the new key can be signed by the original author's/release maintainer's key and the change should be announced in a signed commit (signed by the original author/release manager) altering/extending the README

nitrokey / pynitrokey Goto Github PK

pynitrokey's People

Contributors

Stargazers

Watchers

Forkers

pynitrokey's Issues

Recommend Projects

Recommend Topics

Recommend Org