nitrokey / pynitrokey
Python client for Nitrokey devices
License: Apache License 2.0
Nitrokey FIDO2 update fails on fetching the binaries.
Tested commit: 0.3.2.nitrokey-44-g6384dbc (current tip of daringer/36-fido_08 branch);
178 DEBUG urllib3.connectionpool Starting new HTTPS connection (1): api.github.com:443
420 DEBUG urllib3.connectionpool https://api.github.com:443 "GET /repos/Nitrokey/nitrokey-fido2-firmware/releases/latest HTTP/1.1" 200 1808
422 DEBUG root print: Critical error:
422 DEBUG root print: Failed to determine latest release (url)
422 DEBUG root print: assets:
422 DEBUG root print: ('nitrokey-fido2-firmware-2.1.0-all-to_flash.hex', 'https://github.com/Nitrokey/nitrokey-fido2-firmware/releases/download/2.1.0.nitrokey/nitrokey-fido2-firmware-2.1.0-all-to_flash.hex')
422 DEBUG root print: ('nitrokey-fido2-firmware-2.1.0-app-to_sign.hex', 'https://github.com/Nitrokey/nitrokey-fido2-firmware/releases/download/2.1.0.nitrokey/nitrokey-fido2-firmware-2.1.0-app-to_sign.hex')
The following error message is shown when the user runs the tool inside a directory without write access:
PermissionError: [Errno 13] Permission denied: '/usr/local/bin/upgrade.log'
PermissionError: [Errno 13] Permission denied: '/upgrade.log'
Edit: when run in home directory it works as advertised
Potential solution: on write error get random /tmp file path, or set it unconditionally
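One way to implement the fallback suggested above, as an added example rather than pynitrokey's own code: try the working directory first and, on any write error, create the log with tempfile.mkstemp, which picks an unpredictable name and creates the file readable by its owner only. The function names, the logger name and the temp-file prefix are assumptions made for illustration.

```python
import logging
import os
import tempfile

LOG_NAME = "upgrade.log"  # file name taken from the PermissionError above


def open_run_log(preferred_dir=None):
    """Return (path, used_fallback) for a log file that is known to be writable.

    First choice is <preferred_dir>/upgrade.log (current directory by default).
    If that cannot be created or opened for appending, fall back to a fresh
    file in the system temp directory.
    """
    preferred_dir = preferred_dir or os.getcwd()
    candidate = os.path.join(preferred_dir, LOG_NAME)
    # O_NOFOLLOW (where available) refuses to write through a symlink that
    # someone else may have planted under the expected log name.
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(candidate, flags, 0o600)
        os.close(fd)
        return candidate, False
    except OSError:
        # Covers PermissionError (read-only directory), a missing directory,
        # and a symlink rejected by O_NOFOLLOW.
        fd, path = tempfile.mkstemp(prefix="nitropy.log.")  # assumed prefix
        os.close(fd)
        return path, True


def configure_logging(preferred_dir=None):
    """Attach a file handler to an example logger and return (logger, path)."""
    path, used_fallback = open_run_log(preferred_dir)
    logger = logging.getLogger("upgrade-example")  # hypothetical logger name
    handler = logging.FileHandler(path, encoding="utf-8")
    handler.setFormatter(
        logging.Formatter("%(relativeCreated)d %(levelname)s %(name)s %(message)s")
    )
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    if used_fallback:
        logger.warning("working directory not writable, logging to %s", path)
    return logger, path


if __name__ == "__main__":
    log, log_path = configure_logging()
    log.debug("update started")
    print("Saving run log to:", log_path)
```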
Show KDF object details for Nitrokey Start
It looks like the util submenu for commands is missing.
Current output (fbd309f):
*** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start
Usage: nitropy [OPTIONS] COMMAND [ARGS]...
Options:
--help Show this message and exit.
Commands:
fido2 Interact with Nitrokey keys, see subcommands.
genkey Generates key pair that can be used for Nitrokey signed
firmware...
ls List Nitrokey keys (in firmware or bootloader mode)
mergehex Merges hex files, and patches in the attestation key.
sign Signs a firmware hex file, outputs a .json file that can be
used...
start Interact with 'Nitrokey Start' keys, see subcommands.
version Version of python-solo library and tool.
It looks like the MSI build for Windows distribution is not always working.
To better describe setup process to avoid pitfalls. Ideally add to CI as well #15.
Hey hey,
recently got a Nitrokey FIDO2, eager to get lower level/devel access to the device I found this project, which caught my attention with the sub-title: Python client for Nitrokey FIDO2, based on Solo
Scrolled through the README and was triggered by "update firmware", instantly running:
solo key update
left me with the key stuck in bootloader-mode, as the command still tries to flash the solo firmware instead of the correct Nitrokey firmware.
As a micro documentation (btw. haven't found any for flashing), if someone is falling into the same hole How to flash Nitrokey FIDO2 firmware, my steps to revive the key:
solo from this repo installed
solo program aux bootloader-version
solo program aux enter-bootloader
dmesg will show either Nitrokey FIDO2 or Nitrokey FIDO2 Bootloader)
wget https://github.com/Nitrokey/nitrokey-fido2-firmware/releases/download/1.1.0.nitrokey/fido2-firmware-1.1.0.nitrokey-app-signed.json
# and program it through the bootloader:
solo program bootloader fido2-firmware-1.1.0.nitrokey-app-signed.json
solo program aux leave-bootloader
@szszszsz hope it's ok that I am abusing this issue for documentation. Had a strong urge to write this down and make it available to hopefully save others from the same pity. Did I maybe oversee some documentation for all this?
Apart from this, as the issue title suggests: how do you think about an update for the README.md to clarify what to expect from this project in this state, what's working and not using this tool. I could put some lines together and PR it if you'd like?
Several commands yield the same error. Example make-credential and reset.
$ solo key make-credential
Touch your authenticator to generate a credential...
Traceback (most recent call last):
File "/home/jan/.local/lib/python3.6/site-packages/fido2/client.py", line 308, in make_credential
pin, timeout, on_keepalive
File "/home/jan/.local/lib/python3.6/site-packages/fido2/client.py", line 348, in _ctap2_make_credential
pin_protocol, timeout, on_keepalive)
File "/home/jan/.local/lib/python3.6/site-packages/fido2/ctap2.py", line 642, in make_credential
), timeout, AttestationObject, on_keepalive)
File "/home/jan/.local/lib/python3.6/site-packages/fido2/ctap2.py", line 606, in send_cbor
raise CtapError(status)
fido2.ctap.CtapError: CTAP error: 0x27 - OPERATION_DENIED
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/jan/.local/bin/solo", line 11, in <module>
sys.exit(solo_cli())
File "/home/jan/.local/lib/python3.6/site-packages/click/core.py", line 764, in __call__
return self.main(*args, **kwargs)
File "/home/jan/.local/lib/python3.6/site-packages/click/core.py", line 717, in main
rv = self.invoke(ctx)
File "/home/jan/.local/lib/python3.6/site-packages/click/core.py", line 1137, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/jan/.local/lib/python3.6/site-packages/click/core.py", line 1137, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/jan/.local/lib/python3.6/site-packages/click/core.py", line 956, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/jan/.local/lib/python3.6/site-packages/click/core.py", line 555, in invoke
return callback(*args, **kwargs)
File "/home/jan/.local/lib/python3.6/site-packages/solo/cli/key.py", line 151, in make_credential
host=host, user_id=user, serial=serial, output=True, prompt=prompt, udp=udp
File "/home/jan/.local/lib/python3.6/site-packages/solo/hmac_secret.py", line 44, in make_credential
rp, user, challenge, extensions=hmac_ext.create_dict(), pin=pin
File "/home/jan/.local/lib/python3.6/site-packages/fido2/client.py", line 311, in make_credential
raise _ctap2client_err(e)
fido2.client.ClientError: (<ERR.BAD_REQUEST: 2>, CtapError('CTAP error: 0x27 - OPERATION_DENIED',))
Run linting tools and apply suggested changes.
When looking at solo's documentation, it seems that an easier way to do pynitrokey would be to rely on solo as a library.
Is there a specific reason, why a fork was chosen instead? This seems to introduce a lot of overhead in developing this library/application and staying in sync with solo-python.
After installing in a fresh Docker container based on Ubuntu 20.10, nitropy fails to run. Details below.
It looks like the fido2 dependency got updated recently, removing some internal symbols pynitrokey was using.
Potential solutions:
fido2 package dependency to previous one, 0.8.1;
fido2 symbol.
Error log:
Installing collected packages: cbor, six, pycparser, cffi, cryptography, pyserial, pygments, click, chardet, certifi, idna, urllib3, requests, fido2, ecdsa, intelhex, pyusb, pynitrokey
Successfully installed cbor-1.0.0 certifi-2020.12.5 cffi-1.14.4 chardet-4.0.0 click-7.1.2 cryptography-3.3.1 ecdsa-0.16.1 fido2-0.9.0 idna-2.10 intelhex-2.3.0 pycparser-2.20 pygments-2.7.4 pynitrokey-0.4.1 pyserial-3.5 pyusb-1.1.1 requests-2.25.1 six-1.15.0 urllib3-1.26.2
(...)
Step 8/8 : RUN nitropy --version
---> Running in ea09abdc49b3
Traceback (most recent call last):
File "/usr/local/bin/nitropy", line 5, in <module>
from pynitrokey.cli import nitropy
File "/usr/local/lib/python3.8/dist-packages/pynitrokey/cli/__init__.py", line 15, in <module>
import pynitrokey.fido2.operations
File "/usr/local/lib/python3.8/dist-packages/pynitrokey/fido2/__init__.py", line 7, in <module>
import fido2._pyu2f
ModuleNotFoundError: No module named 'fido2._pyu2f'
Add guard for now so that #27 would not show up to user, but hidden behind friendly message, like "NK Start management is not supported on this platform at the moment".
Neither NK FIDO2 nor NK Start can be properly accessed as non-root user.
User reports failure in executing Nitrokey FIDO2 firmware update on macOS 10.16 macOS 11.0.1 (macOS Big Sur), with the latest update pynitrokey (v0.4.2).
Stack trace from the exception below.
❯ nitropy fido2 update
*** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start
Nitrokey FIDO2 firmware update tool
Platform: macOS-10.16-x86_64-i386-64bit
System: Darwin, is_linux: False
Python: 3.8.6
Saving run log to: /var/folders/69/4cm0rh_13g58xwdllrpcwmlc0000gn/T/nitropy.log.3ni78tyq
Starting update procedure for Nitrokey FIDO2...
Downloading latest firmware: 2.2.0.nitrokey (published at 2020-09-23T15:21:45Z)
Firmware saved to /var/folders/69/4cm0rh_13g58xwdllrpcwmlc0000gn/T/fido2_firmware.json
Downloaded firmware version: 2.2.0.nitrokey
Device connected:
204D3395344B: Nitrokey FIDO2 2.1.0
Firmware version: 2.1.0
This will update your Nitrokey FIDO2
Do you want to continue? [yes/no]: yes
Traceback (most recent call last):
File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/_pyu2f/macos.py", line 451, in Read
return self.read_queue.get(False)
File "/usr/local/Cellar/python@3.8/3.8.6_1/Frameworks/Python.framework/Versions/3.8/lib/python3.8/queue.py", line 167, in get
raise Empty
_queue.Empty
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/nitropy", line 8, in <module>
sys.exit(nitropy())
File "/usr/local/lib/python3.8/site-packages/click/core.py", line 829, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python3.8/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/Users/billy/Library/Python/3.8/lib/python/site-packages/pynitrokey/cli/update.py", line 141, in update
if client.is_solo_bootloader():
File "/Users/billy/Library/Python/3.8/lib/python/site-packages/pynitrokey/fido2/client.py", line 234, in is_solo_bootloader
self.bootloader_version()
File "/Users/billy/Library/Python/3.8/lib/python/site-packages/pynitrokey/fido2/client.py", line 147, in bootloader_version
data = self.exchange(SoloBootloader.version)
File "/Users/billy/Library/Python/3.8/lib/python/site-packages/pynitrokey/fido2/client.py", line 122, in exchange_u2f
res = self.ctap1.authenticate(chal, appid, req)
File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/ctap1.py", line 273, in authenticate
response = self.send_apdu(ins=CTAP1.INS.AUTHENTICATE, p1=p1, data=data)
File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/ctap1.py", line 233, in send_apdu
response = self.device.call(CTAPHID.MSG, apdu)
File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/hid.py", line 89, in call
status, resp = self._dev.InternalRecv()
File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/_pyu2f/hidtransport.py", line 308, in InternalRecv
first_read = self.InternalReadFrame()
File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/_pyu2f/hidtransport.py", line 300, in InternalReadFrame
frame = self.hid_device.Read()
File "/Users/billy/Library/Python/3.8/lib/python/site-packages/fido2/_pyu2f/macos.py", line 453, in Read
raise OSError('Failed reading a response')
OSError: Failed reading a response
Collect all USB connected devices with VID:PID of our devices in case of an update failure to see, whether these were working and recognized by the OS at all.
Edit: add this report to the final log
Nitropy cannot view USB devices out of the box. Instead an error is shown: usb.core.NoBackendError: No backend available.
Stack trace:
PS C:\Windows\system32> nitropy ls
*** ←[31mNitrokey tool for Nitrokey FIDO2 & Nitrokey Start←[39;49;00m
:: 'Nitrokey FIDO2' keys
20873372344B: Nitrokey FIDO2 2.0.0
:: 'Nitrokey Start' keys:
Traceback (most recent call last):
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\cx_Freeze\initscripts\__startup__.py", line 40, in run
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\cx_Freeze\initscripts\Console.py", line 37, in run
File "nitropy.py", line 3, in <module>
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\click\core.py", line 829, in __call__
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\click\core.py", line 782, in main
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\click\core.py", line 1259, in invoke
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\click\core.py", line 1066, in invoke
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\click\core.py", line 610, in invoke
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\pynitrokey\cli\__init__.py", line 62, in ls
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\pynitrokey\cli\start.py", line 37, in list
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\pynitrokey\start\usb_strings.py", line 46, in get_devices
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\pynitrokey\start\gnuk_token.py", line 637, in gnuk_devices_by_vidpid
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\usb\legacy.py", line 353, in busses
File "C:\Users\Malli\Desktop\WPy64-3830\python-3.8.3.amd64\lib\site-packages\usb\core.py", line 1263, in find
usb.core.NoBackendError: No backend available
Tasks:
After installing the latest pynitrokey v0.4, it cannot be called successfully:
$ nitropy
AttributeError: module 'pynitrokey' has no attribute 'fido2'
Rename package to nitrokey. Make sure the names do not clash with Solo-python.
Connected: #4
Hi! I would like to package pynitrokey for Arch Linux.
Unfortunately the tagging scheme is now broken with using v0.4 instead of v0.4.nitrokey, as there are upstream solo-python related tags and nitrokey related tags in use in this repository and I am using a regular expression match against the nitrokey specific suffix.
Will tags from now on not have the suffixes anymore?
If not, please tag v0.4 also as v4.0.nitrokey.
Thanks!
After installing the latest pynitrokey v0.4.1 for my Nitrokey Start, it cannot be called successfully:
$ nitropy
Traceback (most recent call last):
File "/home/ge/.local/bin/nitropy", line 5, in <module>
from pynitrokey.cli import nitropy
File "/home/ge/.local/lib/python3.6/site-packages/pynitrokey/cli/__init__.py", line 15, in <module>
import pynitrokey.fido2.operations
File "/home/ge/.local/lib/python3.6/site-packages/pynitrokey/fido2/__init__.py", line 10, in <module>
import pynitrokey.fido2.hmac_secret as hmac_secret
AttributeError: module 'pynitrokey' has no attribute 'fido2'
$
OS: openSUSE Leap 15.2
nitropy installed by
pip3 install --user pynitrokey
completed with message
Successfully installed cbor-1.0.0 click-7.1.2 ecdsa-0.16.0 fido2-0.8.1 intelhex-2.2.1 pygments-2.7.1 pynitrokey-0.4.1 pyserial-3.4 pyusb-1.1.0
What could be done? Thank you.
Hi! The sdist tarball for 0.4.2 is not available on pypi.org.
It would be nice, if you could upload it :)
Given last issues with dependencies #60 #57, it would be nice to have the final distribution either packaged to a single file (using some bundler), or allow it to be installed separately in a virtual environment (e.g. pipenv, poetry).
Edit: to clarify, single binary distribution includes AppImage and Flatpak. All major OSes should be supported (not necessarily by a single solution).
I tried to update the firmware of a Nitrokey FIDO2 using nitropy.
The update starts nicely, it detects the USB device, tries to enter bootloader mode, and asks for confirmation with the button on the key.
I press the button on the FIDO2 key, and directly after that the software returns a critical error, and says that no FIDO2 key could be found.
After that the Nitrokey shows a blinking (alternating?) red and blue light.
I will attach the log that was produced in /tmp.
as the python-fido2 library broke backwards compatibility with 0.9 there is some work to be done in order to make it work with it. Maybe even wait for 1.0 ?
Add improvements from the #48 case.
Tasks:
Configure CI for build test and code quality check
Nitrokey FIDO2 update with the latest version takes 60 seconds, while it is half of the time with previous version using bootloader upload directly. To investigate.
Potential cause: traffic logging (not enabled with previous version for via-bootloader update).
Ask user to send logs to support email on the update failure.
In v0.4.1 the challenge-response feature is temporarily disabled. To activate it back.
Collect version of the pynitrokey in its own log, and get the most important dependencies versions' as well (e.g. fido2 package).
See log for details. Followed directions on website for updating firmware and now the nitrokey start is not found at all.
Thanks for any help.
Check and abort, if the execution privileges are not at the level of the Administrator, while running on the Windows OS. This is required to run the Nitrokey FIDO2 update.
Hi! I'm currently baking a package for Arch Linux. Unfortunately I'm running into integration problems with the fido2 dependency.
The fido2 package has been on > 0.7.3 since November 2019 and on Arch Linux we're currently already shipping 0.8.1.
It would be most awesome to update this dependency so that this tool can be packaged.
Currently I'm helping the process along by using this patch:
diff --git i/pynitrokey/client.py w/pynitrokey/client.py
index ae7141d..ee59d9d 100644
--- i/pynitrokey/client.py
+++ w/pynitrokey/client.py
@@ -23,7 +23,6 @@ from fido2.ctap import CtapError
from fido2.ctap1 import CTAP1
from fido2.ctap2 import CTAP2
from fido2.hid import CTAPHID, CtapHidDevice
-from fido2.utils import Timeout
from intelhex import IntelHex
from pynitrokey import helpers
from pynitrokey.commands import SoloBootloader, SoloExtension
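Review bot: dropping the "from fido2.utils import Timeout" line is only complete if send_data_hid was the sole user of Timeout in client.py. The patch changes one call site, so any other Timeout(...) left in the file would now fail with a NameError at call time instead of an import error at startup. Search the file for remaining references before removing the import.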
@@ -135,8 +134,7 @@ class SoloClient:
def send_data_hid(self, cmd, data):
if not isinstance(data, bytes):
data = struct.pack("%dB" % len(data), *[ord(x) for x in data])
- with Timeout(1.0) as event:
- return self.dev.call(cmd, data, event)
+ return self.dev.call(cmd, data)
def exchange_hid(self, cmd, addr=0, data=b"A" * 16):
req = SoloClient.format_request(cmd, addr, data)
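Review bot: in send_data_hid, replacing the "with Timeout(1.0) as event:" block with a bare "return self.dev.call(cmd, data)" removes the one-second bound on the HID exchange, so a device that stops answering (for example while it reboots into the bootloader) can block this call with no upper limit. Keep a bound without fido2.utils.Timeout, for instance by creating a threading.Event, arming a threading.Timer(1.0, event.set), passing the event as the third argument the way the removed line did (if the installed fido2 still accepts it), and cancelling the timer afterwards.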
However, I am not sure whether this is the right way to remove the dependency on the removed Timeout utility class or whether there are more inconsistencies.
Support CLI for the SafeKey firmware update:
Enable back and configure properly the update feature for the Nitrokey FIDO2.
It was removed in 6e7fa79 - code block start.
To decide, how to allow development access to the device - whether this would be realized by the upstream (with a requested change of custom VID:PID for connection), or by releasing this project to repository, with a renamed module (or both?).
Nitrokey Start update: improve connection process after bootloader upload:
Connected: Nitrokey/nitrokey-start-firmware#51
Details: https://support.nitrokey.com/t/nitrokey-start-update-funktioniert-nicht/2596/4
Integrate Nitrokey FIDO U2F commands. See the complete tool at:
At the moment CI fails with:
venv/bin/flit install --symlink
make: venv/bin/flit: Command not found
Makefile:60: recipe for target 'update-venv' failed
make: *** [update-venv] Error 127
The command "make init" failed and exited with 2 during .
Move the rest of the NK FIDO2 related commands under fido2.util subcommand.
Related: #5
I think ideal organization would be:
Top:
The commands under fido2.util:
Add support for Nitrokey certificate for the validate command.
Utility: support quickly creating the Encrypted Volume partition for the Nitrokey Storage.
Update to the latest upstream if not done already.
Features:
Using nitropy 0.4.0 with NK FIDO2 2.2.0:
$ nitropy fido2 reset
*** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start
Warning: Your credentials will be lost!!! continue? [(y)es/(n)o]: y
choosing: yes
Press key to confirm -- again, your credentials will be lost!!!
Traceback (most recent call last):
File "/home/jan/.local/bin/nitropy", line 8, in <module>
sys.exit(nitropy())
File "/home/jan/.local/lib/python3.8/site-packages/click/core.py", line 829, in __call__
return self.main(*args, **kwargs)
File "/home/jan/.local/lib/python3.8/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/home/jan/.local/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/jan/.local/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/jan/.local/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/jan/.local/lib/python3.8/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/home/jan/.local/lib/python3.8/site-packages/pynitrokey/cli/fido2.py", line 394, in reset
nkfido2.find(serial).reset()
File "/home/jan/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 183, in reset
self.ctap2.reset()
File "/home/jan/.local/lib/python3.8/site-packages/fido2/ctap2.py", line 795, in reset
self.send_cbor(CTAP2.CMD.RESET, event=event, on_keepalive=on_keepalive)
File "/home/jan/.local/lib/python3.8/site-packages/fido2/ctap2.py", line 645, in send_cbor
raise CtapError(status)
fido2.ctap.CtapError: CTAP error: 0x30 - NOT_ALLOWED
Nitrokey FIDO2 firmware update fails if not in bootloader, while trying to use local file as the firmware source. See below for details.
Most probably the response from the bootloader is unexpected and not handled by the pynitrokey.
Version: 0.4.1 (latest)
sz@stumpy ~/w/n/releases (master) [2]> nitropy fido2 util program bootloader ./nitrokey-fido2-firmware-2.3.0-app-signed.json
*** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start
erasing firmware...
Not in bootloader mode. Attempting to switch...
Please confirm with button on key!
Nitrokey rebooted. Reconnecting...
Not using FIDO2 interface.
Traceback (most recent call last):
File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/cli/program.py", line 67, in bootloader
p.program_file(firmware)
File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 353, in program_file
self.write_flash(i, data)
File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 160, in write_flash
self.exchange(SoloBootloader.write, addr, data)
File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 108, in exchange_hid
data = self.send_data_hid(SoloBootloader.HIDCommandBoot, req)
File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 103, in send_data_hid
return self.dev.call(cmd, data, event)
File "/home/sz/.local/lib/python3.8/site-packages/fido2/hid.py", line 94, in call
raise CtapError(resp[0])
fido2.ctap.CtapError: CTAP error: 0x01 - INVALID_COMMAND
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/sz/.local/bin/nitropy", line 8, in <module>
sys.exit(nitropy())
File "/usr/lib/python3.8/site-packages/click/core.py", line 829, in __call__
return self.main(*args, **kwargs)
File "/usr/lib/python3.8/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/usr/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
[Previous line repeated 1 more time]
File "/usr/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/lib/python3.8/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/cli/program.py", line 85, in bootloader
p.program_file(firmware)
File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 306, in program_file
current = self.bootloader_version()
File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 147, in bootloader_version
data = self.exchange(SoloBootloader.version)
File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 108, in exchange_hid
data = self.send_data_hid(SoloBootloader.HIDCommandBoot, req)
File "/home/sz/.local/lib/python3.8/site-packages/pynitrokey/fido2/client.py", line 103, in send_data_hid
return self.dev.call(cmd, data, event)
File "/home/sz/.local/lib/python3.8/site-packages/fido2/hid.py", line 86, in call
self._dev.InternalSend(TYPE_INIT | cmd, bytearray(data))
File "/home/sz/.local/lib/python3.8/site-packages/fido2/_pyu2f/hidtransport.py", line 277, in InternalSend
self.InternalSendPacket(first_packet)
File "/home/sz/.local/lib/python3.8/site-packages/fido2/_pyu2f/hidtransport.py", line 293, in InternalSendPacket
self.hid_device.Write(wire)
File "/home/sz/.local/lib/python3.8/site-packages/fido2/_pyu2f/linux.py", line 222, in Write
os.write(self.dev, out)
OSError: [Errno 19] No such device
Final branding corrections needed to be done:
Found excerpts:
pynitrokey/__init__.py:"""Python library for SoloKeys."""
pynitrokey/hmac_secret.py: host="solokeys.dev",
pynitrokey/hmac_secret.py: host="solokeys.dev",
pynitrokey/cli/__init__.py: "We suggest using: https://github.com/solokeys/solo/blob/master/udev/70-solokeys-access.rules"
pynitrokey/cli/__init__.py: print("For more information, see: https://docs.solokeys.io/solo/udev/")
pynitrokey/cli/fido2.py: "--host", help="Relying party's host", default="solokeys.dev", show_default=True
pynitrokey/cli/fido2.py:@click.option("--host", help="Relying party's host", default="solokeys.dev")
Document better installation process, especially for the Raspberry PI case:
Hi! When trying to package pynitrokey 0.4 for Arch Linux I am running into several issues related to cryptographic authentication that prevent me from packaging pynitrokey:
4C1449F1C9804176 (@daringer) is not available on any known keyserver
CC74B7120BFAA36FF42868724C1449F1C9804176 to all servers after retrieving it from github)
D9BAE35991DE5B22 (@szszszsz) and 4C1449F1C9804176 (@daringer). From a TOFU point-of-view one would trust @szszszsz key first and action from your side has to be taken so that outsiders can trust a new key
The allowed release managers of this software should be noted in the README in a signed commit (signed by @szszszsz).
Apart from that:
a) if you introduce a new key of your own, the new key needs to be signed by the old key and the change should be announced in a signed commit altering/extending the README
b) if you introduce someone else's key, the new key can be signed by the original author's/release maintainer's key and the change should be announced in a signed commit (signed by the original author/release manager) altering/extending the README
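The transition rule proposed above (a new release key should carry a certification from the key that was trusted first) can be checked mechanically by a packager. This added example, not part of the original issue or of pynitrokey, parses the colon-format output of gpg --check-sigs --with-colons; the sample listing is constructed, reuses the key IDs quoted in the issue, and says nothing about the real state of those keys.

```python
# OpenPGP certification signature types 0x10-0x13; 0x18 (subkey binding) and
# others are not statements about who owns the key.
CERT_CLASSES = ("10", "11", "12", "13")


def verified_certifiers(colon_output, fingerprint):
    """Return long key IDs whose certification on `fingerprint` gpg marked good.

    `colon_output` must come from `gpg --check-sigs --with-colons`: only that
    mode verifies each signature and puts '!' in field 2 of the sig record.
    Plain --list-sigs leaves the field empty, so nothing would be accepted.
    """
    fingerprint = fingerprint.upper()
    certifiers = set()
    in_target = False   # inside the pub block of the key being examined
    on_primary = False  # before the first 'sub' record of that block
    want_fpr = False    # the next 'fpr' record belongs to the primary key
    for line in colon_output.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            in_target, on_primary, want_fpr = False, True, True
        elif rec == "sub":
            on_primary = False
        elif rec == "fpr" and want_fpr and len(f) > 9:
            in_target = f[9].upper() == fingerprint
            want_fpr = False
        elif rec == "sig" and in_target and on_primary and len(f) > 10:
            issuer = f[4].upper()
            good = f[1].startswith("!")            # '-', '?', '%' are rejected
            is_cert = f[10][:2] in CERT_CLASSES
            self_sig = fingerprint.endswith(issuer)
            if good and is_cert and not self_sig:
                certifiers.add(issuer)
    return certifiers


def is_certified_by(colon_output, new_fpr, old_key_id):
    """True if the key `new_fpr` carries a verified certification by `old_key_id`.

    A 64-bit key ID is not collision resistant: confirm separately that the
    key with this ID in the local keyring has the fingerprint you trust.
    """
    return old_key_id.upper() in verified_certifiers(colon_output, new_fpr)


NEW_FPR = "CC74B7120BFAA36FF42868724C1449F1C9804176"  # quoted in the issue
OLD_KEY_ID = "D9BAE35991DE5B22"                       # quoted in the issue


def sample_listing(status):
    """Constructed, abbreviated gpg colon output; `status` is sig field 2."""
    return "\n".join([
        "pub:-:4096:1:4C1449F1C9804176:1600000000:::-:::scESC:",
        "fpr:::::::::" + NEW_FPR + ":",
        "uid:-::::1600000000::::constructed new-key uid:",
        "sig:!::1:4C1449F1C9804176:1600000000::::constructed new-key uid:13x:",
        "sig:" + status + "::1:" + OLD_KEY_ID
        + ":1600000100::::constructed old-key uid:10x:",
        "sub:-:4096:1:0000000000000001:1600000000::::::e:",
        "fpr:::::::::0000000000000000000000000000000000000001:",
        "sig:!::1:4C1449F1C9804176:1600000000::::constructed new-key uid:18x:",
    ])


if __name__ == "__main__":
    for status in ("!", "?", ""):
        ok = is_certified_by(sample_listing(status), NEW_FPR, OLD_KEY_ID)
        print(repr(status), "->", "certified by old key" if ok else "NOT certified")
```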