mirror
/
solo1
kopia lustrzana https://github.com/solokeys/solo1
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

run python black

pull/51/head^2
Conor Patrick 2019-02-12 18:45:01 -05:00
rodzic 23c140fd99
commit a2611fb013
5 zmienionych plików z 431 dodań i 448 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

26
tools/convert_log_to_c.py
Wyświetl plik

@ -1,26 +1,6 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Copyright (C) 2018 SoloKeys, Inc. <https://solokeys.com/>
#
# This file is part of Solo.
#
# Solo is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Solo is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Solo. If not, see <https://www.gnu.org/licenses/>
#
# This code is available under licenses for commercial use.
# Please contact SoloKeys for more information.
#
import sys
from sys import argv
@ -34,7 +14,7 @@ nums = []
for x in log:
parse = []
for i in x.split(' '):
for i in x.split(" "):
try:
n = int(i, 16)
parse.append(n)
@ -48,9 +28,9 @@ for x in log:
hexlines = []
for l in nums:
s = ''
s = ""
for x in l:
s += '\\x%02x' % x
s += "\\x%02x" % x
hexlines.append(s)
for x in hexlines:

472
tools/ctap_test.py
Wyświetl plik

@ -50,14 +50,14 @@ class Packet(object):
class Tester:
def __init__(self,):
self.origin = 'https://examplo.org'
self.host = 'examplo.org'
self.origin = "https://examplo.org"
self.host = "examplo.org"
def find_device(self,):
print(list(CtapHidDevice.list_devices()))
dev = next(CtapHidDevice.list_devices(), None)
if not dev:
raise RuntimeError('No FIDO device found')
raise RuntimeError("No FIDO device found")
self.dev = dev
self.client = Fido2Client(dev, self.origin)
self.ctap = self.client.ctap2
@ -66,23 +66,23 @@ class Tester:
# cmd,resp = self.recv_raw()
def send_data(self, cmd, data):
if type(data) != type(b''):
data = struct.pack('%dB' % len(data), *[ord(x) for x in data])
if type(data) != type(b""):
data = struct.pack("%dB" % len(data), *[ord(x) for x in data])
with Timeout(1.0) as event:
return self.dev.call(cmd, data, event)
def send_raw(self, data, cid=None):
if cid is None:
cid = self.dev._dev.cid
elif type(cid) != type(b''):
cid = struct.pack('%dB' % len(cid), *[ord(x) for x in cid])
if type(data) != type(b''):
data = struct.pack('%dB' % len(data), *[ord(x) for x in data])
elif type(cid) != type(b""):
cid = struct.pack("%dB" % len(cid), *[ord(x) for x in cid])
if type(data) != type(b""):
data = struct.pack("%dB" % len(data), *[ord(x) for x in data])
data = cid + data
l = len(data)
if l != 64:
pad = '\x00' * (64 - l)
pad = struct.pack('%dB' % len(pad), *[ord(x) for x in pad])
pad = "\x00" * (64 - l)
pad = struct.pack("%dB" % len(pad), *[ord(x) for x in pad])
data = data + pad
data = list(data)
assert len(data) == 64
@ -92,8 +92,8 @@ class Tester:
return self.dev._dev.cid
def set_cid(self, cid):
if type(cid) not in [type(b''), type(bytearray())]:
cid = struct.pack('%dB' % len(cid), *[ord(x) for x in cid])
if type(cid) not in [type(b""), type(bytearray())]:
cid = struct.pack("%dB" % len(cid), *[ord(x) for x in cid])
self.dev._dev.cid = cid
def recv_raw(self,):
@ -107,7 +107,7 @@ class Tester:
if data[0] != 0:
raise CtapError(data[0])
elif data[0] != err:
raise ValueError('Unexpected error: %02x' % data[0])
raise ValueError("Unexpected error: %02x" % data[0])
def test_long_ping(self):
amt = 1000
@ -120,48 +120,48 @@ class Tester:
# if (delt < 140 ):
# raise RuntimeError('Fob is too fast (%d ms)' % delt)
if delt > 555 * (amt / 1000):
raise RuntimeError('Fob is too slow (%d ms)' % delt)
raise RuntimeError("Fob is too slow (%d ms)" % delt)
if r != pingdata:
raise ValueError('Ping data not echo\'d')
print('1000 byte ping time: %s ms' % delt)
raise ValueError("Ping data not echo'd")
print("1000 byte ping time: %s ms" % delt)
except CtapError as e:
print('7609 byte Ping failed:', e)
raise RuntimeError('ping failed')
print('PASS: 7609 byte ping')
print("7609 byte Ping failed:", e)
raise RuntimeError("ping failed")
print("PASS: 7609 byte ping")
# sys.flush(sys.sto)
sys.stdout.flush()
def test_hid(self, check_timeouts=False):
if check_timeouts:
print('Test idle')
print("Test idle")
try:
cmd, resp = self.recv_raw()
except socket.timeout:
print('Pass: Idle')
print("Pass: Idle")
print('Test init')
r = self.send_data(CTAPHID.INIT, '\x11\x11\x11\x11\x11\x11\x11\x11')
print("Test init")
r = self.send_data(CTAPHID.INIT, "\x11\x11\x11\x11\x11\x11\x11\x11")
pingdata = os.urandom(100)
try:
r = self.send_data(CTAPHID.PING, pingdata)
if r != pingdata:
raise ValueError('Ping data not echo\'d')
raise ValueError("Ping data not echo'd")
except CtapError as e:
print('100 byte Ping failed:', e)
raise RuntimeError('ping failed')
print('PASS: 100 byte ping')
print("100 byte Ping failed:", e)
raise RuntimeError("ping failed")
print("PASS: 100 byte ping")
self.test_long_ping()
try:
r = self.send_data(CTAPHID.WINK, '')
r = self.send_data(CTAPHID.WINK, "")
print(hexlify(r))
# assert(len(r) == 0)
except CtapError as e:
print('wink failed:', e)
raise RuntimeError('wink failed')
print('PASS: wink')
print("wink failed:", e)
raise RuntimeError("wink failed")
print("PASS: wink")
# try:
# r = self.send_data(CTAPHID.WINK, 'we9gofrei8g')
@ -171,87 +171,87 @@ class Tester:
# print('PASS: malformed wink')
try:
r = self.send_data(CTAPHID.CBOR, '')
r = self.send_data(CTAPHID.CBOR, "")
if len(r) > 1 or r[0] == 0:
raise RuntimeError('Cbor is supposed to have payload')
raise RuntimeError("Cbor is supposed to have payload")
except CtapError as e:
assert e.code == CtapError.ERR.INVALID_LENGTH
print('PASS: no data cbor')
print("PASS: no data cbor")
try:
r = self.send_data(CTAPHID.MSG, '')
r = self.send_data(CTAPHID.MSG, "")
print(hexlify(r))
if len(r) > 2:
raise RuntimeError('MSG is supposed to have payload')
raise RuntimeError("MSG is supposed to have payload")
except CtapError as e:
assert e.code == CtapError.ERR.INVALID_LENGTH
print('PASS: no data msg')
print("PASS: no data msg")
try:
r = self.send_data(CTAPHID.INIT, '\x11\x22\x33\x44\x55\x66\x77\x88')
r = self.send_data(CTAPHID.INIT, "\x11\x22\x33\x44\x55\x66\x77\x88")
except CtapError as e:
raise RuntimeError('resync fail: ', e)
print('PASS: resync')
raise RuntimeError("resync fail: ", e)
print("PASS: resync")
try:
r = self.send_data(0x66, '')
raise RuntimeError('Invalid command did not return error')
r = self.send_data(0x66, "")
raise RuntimeError("Invalid command did not return error")
except CtapError as e:
assert e.code == CtapError.ERR.INVALID_COMMAND
print('PASS: invalid HID command')
print("PASS: invalid HID command")
print('Sending packet with too large of a length.')
self.send_raw('\x81\x1d\xba\x00')
print("Sending packet with too large of a length.")
self.send_raw("\x81\x1d\xba\x00")
cmd, resp = self.recv_raw()
self.check_error(resp, CtapError.ERR.INVALID_LENGTH)
print('PASS: invalid length')
print("PASS: invalid length")
r = self.send_data(CTAPHID.PING, '\x44' * 200)
print('Sending packets that skip a sequence number.')
self.send_raw('\x81\x04\x90')
self.send_raw('\x00')
self.send_raw('\x01')
r = self.send_data(CTAPHID.PING, "\x44" * 200)
print("Sending packets that skip a sequence number.")
self.send_raw("\x81\x04\x90")
self.send_raw("\x00")
self.send_raw("\x01")
# skip 2
self.send_raw('\x03')
self.send_raw("\x03")
cmd, resp = self.recv_raw()
self.check_error(resp, CtapError.ERR.INVALID_SEQ)
if check_timeouts:
cmd, resp = self.recv_raw()
assert cmd == 0xBF # timeout
print('PASS: invalid sequence')
print("PASS: invalid sequence")
print('Resync and send ping')
print("Resync and send ping")
try:
r = self.send_data(CTAPHID.INIT, '\x11\x22\x33\x44\x55\x66\x77\x88')
r = self.send_data(CTAPHID.INIT, "\x11\x22\x33\x44\x55\x66\x77\x88")
pingdata = os.urandom(100)
r = self.send_data(CTAPHID.PING, pingdata)
if r != pingdata:
raise ValueError('Ping data not echo\'d')
raise ValueError("Ping data not echo'd")
except CtapError as e:
raise RuntimeError('resync fail: ', e)
print('PASS: resync and ping')
raise RuntimeError("resync fail: ", e)
print("PASS: resync and ping")
print('Send ping and abort it')
self.send_raw('\x81\x04\x00')
self.send_raw('\x00')
self.send_raw('\x01')
print("Send ping and abort it")
self.send_raw("\x81\x04\x00")
self.send_raw("\x00")
self.send_raw("\x01")
try:
r = self.send_data(CTAPHID.INIT, '\x11\x22\x33\x44\x55\x66\x77\x88')
r = self.send_data(CTAPHID.INIT, "\x11\x22\x33\x44\x55\x66\x77\x88")
except CtapError as e:
raise RuntimeError('resync fail: ', e)
print('PASS: interrupt ping with resync')
raise RuntimeError("resync fail: ", e)
print("PASS: interrupt ping with resync")
print('Send ping and abort it with different cid, expect timeout')
print("Send ping and abort it with different cid, expect timeout")
oldcid = self.cid()
newcid = '\x11\x22\x33\x44'
self.send_raw('\x81\x10\x00')
self.send_raw('\x00')
self.send_raw('\x01')
newcid = "\x11\x22\x33\x44"
self.send_raw("\x81\x10\x00")
self.send_raw("\x00")
self.send_raw("\x01")
self.set_cid(newcid)
self.send_raw(
'\x86\x00\x08\x11\x22\x33\x44\x55\x66\x77\x88'
"\x86\x00\x08\x11\x22\x33\x44\x55\x66\x77\x88"
) # init from different cid
print('wait for init response')
print("wait for init response")
cmd, r = self.recv_raw() # init response
assert cmd == 0x86
self.set_cid(oldcid)
@ -260,51 +260,51 @@ class Tester:
cmd, r = self.recv_raw() # timeout response
assert cmd == 0xBF
print('PASS: resync and timeout')
print("PASS: resync and timeout")
print('Test timeout')
self.send_data(CTAPHID.INIT, '\x11\x22\x33\x44\x55\x66\x77\x88')
print("Test timeout")
self.send_data(CTAPHID.INIT, "\x11\x22\x33\x44\x55\x66\x77\x88")
t1 = time.time() * 1000
self.send_raw('\x81\x04\x00')
self.send_raw('\x00')
self.send_raw('\x01')
self.send_raw("\x81\x04\x00")
self.send_raw("\x00")
self.send_raw("\x01")
cmd, r = self.recv_raw() # timeout response
t2 = time.time() * 1000
delt = t2 - t1
assert cmd == 0xBF
assert r[0] == CtapError.ERR.TIMEOUT
assert delt < 1000 and delt > 400
print('Pass timeout')
print("Pass timeout")
print('Test not cont')
self.send_data(CTAPHID.INIT, '\x11\x22\x33\x44\x55\x66\x77\x88')
self.send_raw('\x81\x04\x00')
self.send_raw('\x00')
self.send_raw('\x01')
self.send_raw('\x81\x10\x00') # init packet
print("Test not cont")
self.send_data(CTAPHID.INIT, "\x11\x22\x33\x44\x55\x66\x77\x88")
self.send_raw("\x81\x04\x00")
self.send_raw("\x00")
self.send_raw("\x01")
self.send_raw("\x81\x10\x00") # init packet
cmd, r = self.recv_raw() # timeout response
assert cmd == 0xBF
assert r[0] == CtapError.ERR.INVALID_SEQ
print('PASS: Test not cont')
print("PASS: Test not cont")
if check_timeouts:
print('Check random cont ignored')
self.send_data(CTAPHID.INIT, '\x11\x22\x33\x44\x55\x66\x77\x88')
self.send_raw('\x01\x10\x00')
print("Check random cont ignored")
self.send_data(CTAPHID.INIT, "\x11\x22\x33\x44\x55\x66\x77\x88")
self.send_raw("\x01\x10\x00")
try:
cmd, r = self.recv_raw() # timeout response
except socket.timeout:
pass
print('PASS: random cont')
print("PASS: random cont")
print('Check busy')
print("Check busy")
t1 = time.time() * 1000
self.send_data(CTAPHID.INIT, '\x11\x22\x33\x44\x55\x66\x77\x88')
self.send_data(CTAPHID.INIT, "\x11\x22\x33\x44\x55\x66\x77\x88")
oldcid = self.cid()
newcid = '\x11\x22\x33\x44'
self.send_raw('\x81\x04\x00')
newcid = "\x11\x22\x33\x44"
self.send_raw("\x81\x04\x00")
self.set_cid(newcid)
self.send_raw('\x81\x04\x00')
self.send_raw("\x81\x04\x00")
cmd, r = self.recv_raw() # busy response
t2 = time.time() * 1000
assert t2 - t1 < 100
@ -315,25 +315,25 @@ class Tester:
cmd, r = self.recv_raw() # timeout response
assert cmd == 0xBF
assert r[0] == CtapError.ERR.TIMEOUT
print('PASS: busy')
print("PASS: busy")
print('Check busy interleaved')
cid1 = '\x11\x22\x33\x44'
cid2 = '\x01\x22\x33\x44'
print("Check busy interleaved")
cid1 = "\x11\x22\x33\x44"
cid2 = "\x01\x22\x33\x44"
self.set_cid(cid2)
self.send_data(CTAPHID.INIT, '\x11\x22\x33\x44\x55\x66\x77\x88')
self.send_data(CTAPHID.INIT, "\x11\x22\x33\x44\x55\x66\x77\x88")
self.set_cid(cid1)
self.send_data(CTAPHID.INIT, '\x11\x22\x33\x44\x55\x66\x77\x88')
self.send_raw('\x81\x00\x63') # echo 99 bytes first channel
self.send_data(CTAPHID.INIT, "\x11\x22\x33\x44\x55\x66\x77\x88")
self.send_raw("\x81\x00\x63") # echo 99 bytes first channel
self.set_cid(cid2) # send ping on 2nd channel
self.send_raw('\x81\x00\x63')
self.send_raw('\x00')
self.send_raw("\x81\x00\x63")
self.send_raw("\x00")
cmd, r = self.recv_raw() # busy response
self.set_cid(cid1) # finish 1st channel ping
self.send_raw('\x00')
self.send_raw("\x00")
self.set_cid(cid2)
@ -349,35 +349,35 @@ class Tester:
cmd, r = self.recv_raw() # timeout
assert cmd == 0xBF
assert r[0] == CtapError.ERR.TIMEOUT
print('PASS: busy interleaved')
print("PASS: busy interleaved")
if check_timeouts:
print('Test idle, wait for timeout')
print("Test idle, wait for timeout")
sys.stdout.flush()
try:
cmd, resp = self.recv_raw()
except socket.timeout:
print('Pass: Idle')
print("Pass: Idle")
print('Test cid 0 is invalid')
self.set_cid('\x00\x00\x00\x00')
print("Test cid 0 is invalid")
self.set_cid("\x00\x00\x00\x00")
self.send_raw(
'\x86\x00\x08\x11\x22\x33\x44\x55\x66\x77\x88', cid='\x00\x00\x00\x00'
"\x86\x00\x08\x11\x22\x33\x44\x55\x66\x77\x88", cid="\x00\x00\x00\x00"
)
cmd, r = self.recv_raw() # timeout
assert cmd == 0xBF
assert r[0] == CtapError.ERR.INVALID_CHANNEL
print('Pass: cid 0')
print("Pass: cid 0")
print('Test invalid broadcast cid use')
self.set_cid('\xff\xff\xff\xff')
print("Test invalid broadcast cid use")
self.set_cid("\xff\xff\xff\xff")
self.send_raw(
'\x81\x00\x08\x11\x22\x33\x44\x55\x66\x77\x88', cid='\xff\xff\xff\xff'
"\x81\x00\x08\x11\x22\x33\x44\x55\x66\x77\x88", cid="\xff\xff\xff\xff"
)
cmd, r = self.recv_raw() # timeout
assert cmd == 0xBF
assert r[0] == CtapError.ERR.INVALID_CHANNEL
print('Pass: cid broadcast')
print("Pass: cid broadcast")
def test_u2f(self,):
pass
@ -385,46 +385,46 @@ class Tester:
def test_fido2_simple(self, pin_token=None):
creds = []
exclude_list = []
rp = {'id': self.host, 'name': 'ExaRP'}
user = {'id': b'usee_od', 'name': 'AB User'}
challenge = 'Y2hhbGxlbmdl'
rp = {"id": self.host, "name": "ExaRP"}
user = {"id": b"usee_od", "name": "AB User"}
challenge = "Y2hhbGxlbmdl"
PIN = pin_token
fake_id1 = array.array('B', [randint(0, 255) for i in range(0, 150)]).tobytes()
fake_id2 = array.array('B', [randint(0, 255) for i in range(0, 73)]).tobytes()
fake_id1 = array.array("B", [randint(0, 255) for i in range(0, 150)]).tobytes()
fake_id2 = array.array("B", [randint(0, 255) for i in range(0, 73)]).tobytes()
exclude_list.append({'id': fake_id1, 'type': 'public-key'})
exclude_list.append({'id': fake_id2, 'type': 'public-key'})
exclude_list.append({"id": fake_id1, "type": "public-key"})
exclude_list.append({"id": fake_id2, "type": "public-key"})
print('MC')
print("MC")
t1 = time.time() * 1000
attest, data = self.client.make_credential(
rp, user, challenge, pin=PIN, exclude_list=[]
)
t2 = time.time() * 1000
attest.verify(data.hash)
print('Register valid (%d ms)' % (t2 - t1))
print("Register valid (%d ms)" % (t2 - t1))
cred = attest.auth_data.credential_data
creds.append(cred)
allow_list = [{'id': creds[0].credential_id, 'type': 'public-key'}]
allow_list = [{"id": creds[0].credential_id, "type": "public-key"}]
t1 = time.time() * 1000
assertions, client_data = self.client.get_assertion(
rp['id'], challenge, allow_list, pin=PIN
rp["id"], challenge, allow_list, pin=PIN
)
t2 = time.time() * 1000
assertions[0].verify(client_data.hash, creds[0].public_key)
print('Assertion valid (%d ms)' % (t2 - t1))
print("Assertion valid (%d ms)" % (t2 - t1))
def test_fido2_brute_force(self):
creds = []
exclude_list = []
rp = {'id': self.host, 'name': 'ExaRP'}
user = {'id': b'usee_od', 'name': 'AB User'}
rp = {"id": self.host, "name": "ExaRP"}
user = {"id": b"usee_od", "name": "AB User"}
PIN = None
abc = 'abcdefghijklnmopqrstuvwxyz'
abc = "abcdefghijklnmopqrstuvwxyz"
abc += abc.upper()
self.ctap.reset()
@ -432,17 +432,17 @@ class Tester:
for i in range(0, 2048 ** 2):
creds = []
challenge = ''.join([abc[randint(0, len(abc) - 1)] for x in range(0, 32)])
challenge = "".join([abc[randint(0, len(abc) - 1)] for x in range(0, 32)])
fake_id1 = array.array(
'B', [randint(0, 255) for i in range(0, 150)]
"B", [randint(0, 255) for i in range(0, 150)]
).tostring()
fake_id2 = array.array(
'B', [randint(0, 255) for i in range(0, 73)]
"B", [randint(0, 255) for i in range(0, 73)]
).tostring()
exclude_list.append({'id': fake_id1, 'type': 'public-key'})
exclude_list.append({'id': fake_id2, 'type': 'public-key'})
exclude_list.append({"id": fake_id1, "type": "public-key"})
exclude_list.append({"id": fake_id2, "type": "public-key"})
# for i in range(0,2048**2):
for i in range(0, 1):
@ -453,7 +453,7 @@ class Tester:
print(attest.auth_data.counter)
t2 = time.time() * 1000
attest.verify(data.hash)
print('Register valid (%d ms)' % (t2 - t1))
print("Register valid (%d ms)" % (t2 - t1))
sys.stdout.flush()
cred = attest.auth_data.credential_data
@ -461,39 +461,39 @@ class Tester:
# for i in range(0,2048**2):
for i in range(0, 1):
allow_list = [{'id': creds[0].credential_id, 'type': 'public-key'}]
allow_list = [{"id": creds[0].credential_id, "type": "public-key"}]
t1 = time.time() * 1000
assertions, client_data = self.client.get_assertion(
rp['id'], challenge, allow_list, pin=PIN
rp["id"], challenge, allow_list, pin=PIN
)
t2 = time.time() * 1000
assertions[0].verify(client_data.hash, creds[0].public_key)
print(assertions[0].auth_data.counter)
print('Assertion valid (%d ms)' % (t2 - t1))
print("Assertion valid (%d ms)" % (t2 - t1))
sys.stdout.flush()
def test_fido2(self):
def test(self, pincode=None):
creds = []
exclude_list = []
rp = {'id': self.host, 'name': 'ExaRP'}
user = {'id': b'usee_od', 'name': 'AB User'}
challenge = 'Y2hhbGxlbmdl'
rp = {"id": self.host, "name": "ExaRP"}
user = {"id": b"usee_od", "name": "AB User"}
challenge = "Y2hhbGxlbmdl"
PIN = pincode
fake_id1 = array.array(
'B', [randint(0, 255) for i in range(0, 150)]
"B", [randint(0, 255) for i in range(0, 150)]
).tostring()
fake_id2 = array.array(
'B', [randint(0, 255) for i in range(0, 73)]
"B", [randint(0, 255) for i in range(0, 73)]
).tostring()
exclude_list.append({'id': fake_id1, 'type': 'public-key'})
exclude_list.append({'id': fake_id2, 'type': 'public-key'})
exclude_list.append({"id": fake_id1, "type": "public-key"})
exclude_list.append({"id": fake_id2, "type": "public-key"})
# test make credential
print('make 3 credentials')
print("make 3 credentials")
for i in range(0, 3):
attest, data = self.client.make_credential(
rp, user, challenge, pin=PIN, exclude_list=[]
@ -502,149 +502,149 @@ class Tester:
cred = attest.auth_data.credential_data
creds.append(cred)
print(cred)
print('PASS')
print("PASS")
if PIN is not None:
print('make credential with wrong pin code')
print("make credential with wrong pin code")
try:
attest, data = self.client.make_credential(
rp, user, challenge, pin=PIN + ' ', exclude_list=[]
rp, user, challenge, pin=PIN + " ", exclude_list=[]
)
except CtapError as e:
assert e.code == CtapError.ERR.PIN_INVALID
except ClientError as e:
assert e.cause.code == CtapError.ERR.PIN_INVALID
print('PASS')
print("PASS")
print('make credential with exclude list')
print("make credential with exclude list")
attest, data = self.client.make_credential(
rp, user, challenge, pin=PIN, exclude_list=exclude_list
)
attest.verify(data.hash)
cred = attest.auth_data.credential_data
creds.append(cred)
print('PASS')
print("PASS")
print('make credential with exclude list including real credential')
real_excl = [{'id': cred.credential_id, 'type': 'public-key'}]
print("make credential with exclude list including real credential")
real_excl = [{"id": cred.credential_id, "type": "public-key"}]
try:
attest, data = self.client.make_credential(
rp, user, challenge, pin=PIN, exclude_list=exclude_list + real_excl
)
raise RuntimeError('Exclude list did not return expected error')
raise RuntimeError("Exclude list did not return expected error")
except CtapError as e:
assert e.code == CtapError.ERR.CREDENTIAL_EXCLUDED
except ClientError as e:
assert e.cause.code == CtapError.ERR.CREDENTIAL_EXCLUDED
print('PASS')
print("PASS")
for i, x in enumerate(creds):
print('get assertion %d' % i)
allow_list = [{'id': x.credential_id, 'type': 'public-key'}]
print("get assertion %d" % i)
allow_list = [{"id": x.credential_id, "type": "public-key"}]
assertions, client_data = self.client.get_assertion(
rp['id'], challenge, allow_list, pin=PIN
rp["id"], challenge, allow_list, pin=PIN
)
assertions[0].verify(client_data.hash, x.public_key)
print('PASS')
print("PASS")
if PIN is not None:
print('get assertion with wrong pin code')
print("get assertion with wrong pin code")
try:
assertions, client_data = self.client.get_assertion(
rp['id'], challenge, allow_list, pin=PIN + ' '
rp["id"], challenge, allow_list, pin=PIN + " "
)
except CtapError as e:
assert e.code == CtapError.ERR.PIN_INVALID
except ClientError as e:
assert e.cause.code == CtapError.ERR.PIN_INVALID
print('PASS')
print("PASS")
print('get multiple assertions')
allow_list = [{'id': x.credential_id, 'type': 'public-key'} for x in creds]
print("get multiple assertions")
allow_list = [{"id": x.credential_id, "type": "public-key"} for x in creds]
assertions, client_data = self.client.get_assertion(
rp['id'], challenge, allow_list, pin=PIN
rp["id"], challenge, allow_list, pin=PIN
)
for ass, cred in zip(assertions, creds):
i += 1
ass.verify(client_data.hash, cred.public_key)
print('%d verified' % i)
print('PASS')
print("%d verified" % i)
print("PASS")
print('Reset device')
print("Reset device")
try:
self.ctap.reset()
except CtapError as e:
print('Warning, reset failed: ', e)
print("Warning, reset failed: ", e)
pass
print('PASS')
print("PASS")
test(self, None)
print('Set a pin code')
PIN = '1122aabbwfg0h9g !@#=='
print("Set a pin code")
PIN = "1122aabbwfg0h9g !@#=="
self.client.pin_protocol.set_pin(PIN)
print('PASS')
print("PASS")
print('Illegally set pin code again')
print("Illegally set pin code again")
try:
self.client.pin_protocol.set_pin(PIN)
except CtapError as e:
assert e.code == CtapError.ERR.NOT_ALLOWED
print('PASS')
print("PASS")
print('Change pin code')
PIN2 = PIN + '_pin2'
print("Change pin code")
PIN2 = PIN + "_pin2"
self.client.pin_protocol.change_pin(PIN, PIN2)
PIN = PIN2
print('PASS')
print("PASS")
print('Change pin code using wrong pin')
print("Change pin code using wrong pin")
try:
self.client.pin_protocol.change_pin(PIN.replace('a', 'b'), '1234')
self.client.pin_protocol.change_pin(PIN.replace("a", "b"), "1234")
except CtapError as e:
assert e.code == CtapError.ERR.PIN_INVALID
print('PASS')
print("PASS")
print('MC using wrong pin')
print("MC using wrong pin")
try:
self.test_fido2_simple('abcd3')
self.test_fido2_simple("abcd3")
except ClientError as e:
assert e.cause.code == CtapError.ERR.PIN_INVALID
print('PASS')
print("PASS")
print('get info')
print("get info")
inf = self.ctap.get_info()
print('PASS')
print("PASS")
self.test_fido2_simple(PIN)
print('Re-run make_credential and get_assertion tests with pin code')
print("Re-run make_credential and get_assertion tests with pin code")
test(self, PIN)
print('Reset device')
print("Reset device")
try:
self.ctap.reset()
except CtapError as e:
print('Warning, reset failed: ', e)
print('PASS')
print("Warning, reset failed: ", e)
print("PASS")
def test_rk(self,):
creds = []
rp = {'id': self.host, 'name': 'ExaRP'}
user0 = {'id': b'first one', 'name': 'single User'}
rp = {"id": self.host, "name": "ExaRP"}
user0 = {"id": b"first one", "name": "single User"}
users = [
{'id': b'user' + os.urandom(16), 'name': 'AB User'} for i in range(0, 2)
{"id": b"user" + os.urandom(16), "name": "AB User"} for i in range(0, 2)
]
challenge = 'Y2hhbGxlbmdl'
challenge = "Y2hhbGxlbmdl"
PIN = None
print('reset')
print("reset")
self.ctap.reset()
# if PIN: self.client.pin_protocol.set_pin(PIN)
print('registering 1 user with RK')
print("registering 1 user with RK")
t1 = time.time() * 1000
attest, data = self.client.make_credential(
rp, user0, challenge, pin=PIN, exclude_list=[], rk=True
@ -652,20 +652,20 @@ class Tester:
t2 = time.time() * 1000
attest.verify(data.hash)
creds.append(attest.auth_data.credential_data)
print('Register valid (%d ms)' % (t2 - t1))
print("Register valid (%d ms)" % (t2 - t1))
print('1 assertion')
print("1 assertion")
t1 = time.time() * 1000
assertions, client_data = self.client.get_assertion(
rp['id'], challenge, pin=PIN
rp["id"], challenge, pin=PIN
)
t2 = time.time() * 1000
assertions[0].verify(client_data.hash, creds[0].public_key)
print('Assertion valid (%d ms)' % (t2 - t1))
print("Assertion valid (%d ms)" % (t2 - t1))
print(assertions[0], client_data)
print('registering %d users with RK' % len(users))
print("registering %d users with RK" % len(users))
for i in range(0, len(users)):
t1 = time.time() * 1000
attest, data = self.client.make_credential(
@ -673,22 +673,22 @@ class Tester:
)
t2 = time.time() * 1000
attest.verify(data.hash)
print('Register valid (%d ms)' % (t2 - t1))
print("Register valid (%d ms)" % (t2 - t1))
creds.append(attest.auth_data.credential_data)
t1 = time.time() * 1000
assertions, client_data = self.client.get_assertion(
rp['id'], challenge, pin=PIN
rp["id"], challenge, pin=PIN
)
t2 = time.time() * 1000
for x, y in zip(assertions, creds):
x.verify(client_data.hash, y.public_key)
print('Assertion(s) valid (%d ms)' % (t2 - t1))
print("Assertion(s) valid (%d ms)" % (t2 - t1))
print('registering a duplicate user ')
print("registering a duplicate user ")
t1 = time.time() * 1000
attest, data = self.client.make_credential(
@ -697,24 +697,24 @@ class Tester:
t2 = time.time() * 1000
attest.verify(data.hash)
creds = creds[:2] + creds[3:] + [attest.auth_data.credential_data]
print('Register valid (%d ms)' % (t2 - t1))
print("Register valid (%d ms)" % (t2 - t1))
t1 = time.time() * 1000
assertions, client_data = self.client.get_assertion(
rp['id'], challenge, pin=PIN
rp["id"], challenge, pin=PIN
)
t2 = time.time() * 1000
assert len(assertions) == len(users) + 1
for x, y in zip(assertions, creds):
x.verify(client_data.hash, y.public_key)
print('Assertion(s) valid (%d ms)' % (t2 - t1))
print("Assertion(s) valid (%d ms)" % (t2 - t1))
def test_responses(self,):
PIN = '1234'
PIN = "1234"
RPID = self.host
for dev in CtapHidDevice.list_devices():
print('dev', dev)
print("dev", dev)
client = Fido2Client(dev, RPID)
ctap = client.ctap2
# ctap.reset()
@ -726,17 +726,17 @@ class Tester:
inf = ctap.get_info()
# print (inf)
print('versions: ', inf.versions)
print('aaguid: ', inf.aaguid)
print('rk: ', inf.options['rk'])
print('clientPin: ', inf.options['clientPin'])
print('max_message_size: ', inf.max_msg_size)
print("versions: ", inf.versions)
print("aaguid: ", inf.aaguid)
print("rk: ", inf.options["rk"])
print("clientPin: ", inf.options["clientPin"])
print("max_message_size: ", inf.max_msg_size)
# rp = {'id': 'SelectDevice', 'name': 'SelectDevice'}
rp = {'id': RPID, 'name': 'ExaRP'}
user = {'id': os.urandom(10), 'name': 'SelectDevice'}
user = {'id': b'21first one', 'name': 'single User'}
challenge = 'Y2hhbGxlbmdl'
rp = {"id": RPID, "name": "ExaRP"}
user = {"id": os.urandom(10), "name": "SelectDevice"}
user = {"id": b"21first one", "name": "single User"}
challenge = "Y2hhbGxlbmdl"
if 1:
attest, data = client.make_credential(
@ -746,15 +746,15 @@ class Tester:
cred = attest.auth_data.credential_data
creds = [cred]
allow_list = [{'id': creds[0].credential_id, 'type': 'public-key'}]
allow_list = [{"id": creds[0].credential_id, "type": "public-key"}]
allow_list = []
assertions, client_data = client.get_assertion(
rp['id'], challenge, pin=PIN
rp["id"], challenge, pin=PIN
)
assertions[0].verify(client_data.hash, creds[0].public_key)
if 0:
print('registering 1 user with RK')
print("registering 1 user with RK")
t1 = time.time() * 1000
attest, data = client.make_credential(
rp, user, challenge, pin=PIN, exclude_list=[], rk=True
@ -762,23 +762,23 @@ class Tester:
t2 = time.time() * 1000
attest.verify(data.hash)
creds = [attest.auth_data.credential_data]
print('Register valid (%d ms)' % (t2 - t1))
print("Register valid (%d ms)" % (t2 - t1))
print('1 assertion')
print("1 assertion")
t1 = time.time() * 1000
assertions, client_data = client.get_assertion(
rp['id'], challenge, pin=PIN
rp["id"], challenge, pin=PIN
)
t2 = time.time() * 1000
assertions[0].verify(client_data.hash, creds[0].public_key)
print('Assertion valid (%d ms)' % (t2 - t1))
print("Assertion valid (%d ms)" % (t2 - t1))
# print('fmt:',attest.fmt)
# print('rp_id_hash',attest.auth_data.rp_id_hash)
# print('flags:', hex(attest.auth_data.flags))
# print('count:', hex(attest.auth_data.counter))
print('flags MC:', attest.auth_data)
print('flags GA:', assertions[0].auth_data)
print("flags MC:", attest.auth_data)
print("flags GA:", assertions[0].auth_data)
# print('cred_id:',attest.auth_data.credential_data.credential_id)
# print('pubkey:',attest.auth_data.credential_data.public_key)
# print('aaguid:',attest.auth_data.credential_data.aaguid)
@ -790,8 +790,8 @@ class Tester:
# print('x5c:',attest.att_statement['x5c'])
# print('data:',data)
print('assertion:', assertions[0])
print('clientData:', client_data)
print("assertion:", assertions[0])
print("clientData:", client_data)
print()
# break
@ -804,12 +804,12 @@ def test_find_brute_force():
t = Tester()
t.find_device()
t2 = time.time() * 1000
print('connected %d (%d ms)' % (i, t2 - t1))
print("connected %d (%d ms)" % (i, t2 - t1))
i += 1
time.sleep(0.01)
if __name__ == '__main__':
if __name__ == "__main__":
t = Tester()
t.find_device()
# t.test_hid()

44
tools/http2udb.py
Wyświetl plik

@ -24,7 +24,7 @@ from sign_firmware import *
httpport = 8080
udpport = 8111
HEX_FILE = '../efm32/GNU ARM v7.2.1 - Debug/EFM32.hex'
HEX_FILE = "../efm32/GNU ARM v7.2.1 - Debug/EFM32.hex"
def ForceU2F(client, device):
@ -34,13 +34,13 @@ def ForceU2F(client, device):
client._do_get_assertion = client._ctap1_get_assertion
if __name__ == '__main__':
if __name__ == "__main__":
try:
dev = next(CtapHidDevice.list_devices(), None)
print(dev)
if not dev:
raise RuntimeError('No FIDO device found')
client = Fido2Client(dev, 'https://example.com')
raise RuntimeError("No FIDO device found")
client = Fido2Client(dev, "https://example.com")
ForceU2F(client, dev)
ctap = client.ctap
except Exception as e:
@ -50,8 +50,8 @@ if __name__ == '__main__':
def write(data):
msg = from_websafe(data)
msg = base64.b64decode(msg)
chal = b'A' * 32
appid = b'A' * 32
chal = b"A" * 32
appid = b"A" * 32
# print (msg)
# print (msg.decode())
# print (str(msg))
@ -80,40 +80,40 @@ def read():
class UDPBridge(BaseHTTPRequestHandler):
def end_headers(self):
self.send_header('Access-Control-Allow-Origin', '*')
self.send_header("Access-Control-Allow-Origin", "*")
BaseHTTPRequestHandler.end_headers(self)
def do_POST(self):
content_len = int(self.headers.get('Content-Length', 0))
content_len = int(self.headers.get("Content-Length", 0))
post_body = self.rfile.read(content_len)
data = json.loads(post_body)['data']
data = json.loads(post_body)["data"]
print(data)
msg = from_websafe(data)
msg = base64.b64decode(msg)
chal = b"\xf6\xa2\x3c\xa4\x0a\xf9\xda\xd4\x5f\xdc\xba\x7d\xc9\xde\xcb\xed\xb5\x84\x64\x3a\x4c\x9f\x44\xc2\x04\xb0\x17\xd7\xf4\x3e\xe0\x3f"
appid = b'A' * 32
appid = b"A" * 32
s = ctap.authenticate(chal, appid, msg)
data = (
struct.pack('B', s.user_presence)
+ struct.pack('>L', s.counter)
struct.pack("B", s.user_presence)
+ struct.pack(">L", s.counter)
+ s.signature
)
data = base64.b64encode(data).decode('ascii')
data = base64.b64encode(data).decode("ascii")
data = to_websafe(data)
data = json.dumps({'data': data})
data = data.encode('ascii')
data = json.dumps({"data": data})
data = data.encode("ascii")
self.send_response(200)
self.send_header('Content-type', 'text/json')
self.send_header("Content-type", "text/json")
self.end_headers()
self.wfile.write(data)
def do_GET(self):
self.send_response(200)
self.send_header('Content-type', 'text/json')
self.send_header("Content-type", "text/json")
msg = get_firmware_object("signing_key.pem", HEX_FILE)
@ -123,19 +123,19 @@ class UDPBridge(BaseHTTPRequestHandler):
try:
server = HTTPServer(('', httpport), UDPBridge)
print('Started httpserver on port ', httpport)
server = HTTPServer(("", httpport), UDPBridge)
print("Started httpserver on port ", httpport)
server.socket = ssl.wrap_socket(
server.socket,
keyfile="../web/localhost.key",
certfile='../web/localhost.crt',
certfile="../web/localhost.crt",
server_side=True,
)
print('Saving signed firmware to firmware.json')
print("Saving signed firmware to firmware.json")
msg = get_firmware_object("signing_key.pem", HEX_FILE)
wfile = open('firmware.json', 'wb+')
wfile = open("firmware.json", "wb+")
wfile.write(json.dumps(msg).encode())
wfile.close()

6
tools/nfcmon.py
Wyświetl plik

@ -22,9 +22,9 @@ for p in Chameleon.Device.listDevices():
if p:
chameleon.connect(p)
else:
raise RuntimeError('No chameleon mini connected')
raise RuntimeError("No chameleon mini connected")
chameleon.execCmd('LOGMODE=LIVE')
chameleon.execCmd("LOGMODE=LIVE")
while 1:
b = chameleon.read(1, 20)
@ -33,4 +33,4 @@ while 1:
sys.stdout.write(h)
sys.stdout.flush()
chameleon.execCmd('LOGMODE=NONE')
chameleon.execCmd("LOGMODE=NONE")

331
tools/solotool.py
Wyświetl plik

@ -39,27 +39,27 @@ import serial
def to_websafe(data):
data = data.replace('+', '-')
data = data.replace('/', '_')
data = data.replace('=', '')
data = data.replace("+", "-")
data = data.replace("/", "_")
data = data.replace("=", "")
return data
def from_websafe(data):
data = data.replace('-', '+')
data = data.replace('_', '/')
return data + '=='[: (3 * len(data)) % 4]
data = data.replace("-", "+")
data = data.replace("_", "/")
return data + "=="[: (3 * len(data)) % 4]
def get_firmware_object(sk_name, hex_file):
from ecdsa import SigningKey, NIST256p
sk = SigningKey.from_pem(open(sk_name).read())
fw = open(hex_file, 'r').read()
fw = open(hex_file, "r").read()
fw = base64.b64encode(fw.encode())
fw = to_websafe(fw.decode())
ih = IntelHex()
ih.fromfile(hex_file, format='hex')
ih.fromfile(hex_file, format="hex")
# start of firmware and the size of the flash region allocated for it.
# TODO put this somewhere else.
START = ih.segments()[0][0]
@ -71,29 +71,31 @@ def get_firmware_object(sk_name, hex_file):
im_size = END - START
print('im_size: ', im_size)
print('firmware_size: ', len(arr))
print("im_size: ", im_size)
print("firmware_size: ", len(arr))
byts = (arr).tobytes() if hasattr(arr, 'tobytes') else (arr).tostring()
byts = (arr).tobytes() if hasattr(arr, "tobytes") else (arr).tostring()
h = sha256()
h.update(byts)
sig = binascii.unhexlify(h.hexdigest())
print('hash', binascii.hexlify(sig))
print("hash", binascii.hexlify(sig))
sig = sk.sign_digest(sig)
print('sig', binascii.hexlify(sig))
print("sig", binascii.hexlify(sig))
sig = base64.b64encode(sig)
sig = to_websafe(sig.decode())
# msg = {'data': read()}
msg = {'firmware': fw, 'signature': sig}
msg = {"firmware": fw, "signature": sig}
return msg
class SoloExtension:
version= 0x14
version = 0x14
rng = 0x15
class SoloBootloader:
write = 0x40
done = 0x41
@ -109,13 +111,13 @@ class SoloBootloader:
HIDCommandEnterSTBoot = 0x52
HIDCommandRNG = 0x60
TAG = b'\x8C\x27\x90\xf6'
TAG = b"\x8C\x27\x90\xf6"
class SoloClient:
def __init__(self,):
self.origin = 'https://example.org'
self.host = 'example.org'
self.origin = "https://example.org"
self.host = "example.org"
self.exchange = self.exchange_hid
self.do_reboot = True
@ -139,52 +141,52 @@ class SoloClient:
def find_device(self,):
dev = next(CtapHidDevice.list_devices(), None)
if not dev:
raise RuntimeError('No FIDO device found')
raise RuntimeError("No FIDO device found")
self.dev = dev
self.ctap1 = CTAP1(dev)
self.ctap2 = CTAP2(dev)
self.client = Fido2Client(dev, self.origin)
if self.exchange == self.exchange_hid:
self.send_data_hid(CTAPHID.INIT, '\x11\x11\x11\x11\x11\x11\x11\x11')
self.send_data_hid(CTAPHID.INIT, "\x11\x11\x11\x11\x11\x11\x11\x11")
@staticmethod
def format_request(cmd, addr=0, data=b'A' * 16):
arr = b'\x00' * 9
addr = struct.pack('<L', addr)
cmd = struct.pack('B', cmd)
length = struct.pack('>H', len(data))
def format_request(cmd, addr=0, data=b"A" * 16):
arr = b"\x00" * 9
addr = struct.pack("<L", addr)
cmd = struct.pack("B", cmd)
length = struct.pack(">H", len(data))
return cmd + addr[:3] + SoloBootloader.TAG + length + data
def send_only_hid(self, cmd, data):
if type(data) != type(b''):
data = struct.pack('%dB' % len(data), *[ord(x) for x in data])
if type(data) != type(b""):
data = struct.pack("%dB" % len(data), *[ord(x) for x in data])
self.dev._dev.InternalSend(0x80 | cmd, bytearray(data))
def send_data_hid(self, cmd, data):
if type(data) != type(b''):
data = struct.pack('%dB' % len(data), *[ord(x) for x in data])
if type(data) != type(b""):
data = struct.pack("%dB" % len(data), *[ord(x) for x in data])
with Timeout(1.0) as event:
return self.dev.call(cmd, data, event)
def exchange_hid(self, cmd, addr=0, data=b'A' * 16):
def exchange_hid(self, cmd, addr=0, data=b"A" * 16):
req = SoloClient.format_request(cmd, addr, data)
data = self.send_data_hid(SoloBootloader.HIDCommandBoot, req)
ret = data[0]
if ret != CtapError.ERR.SUCCESS:
str = ''
str = ""
if ret == CtapError.ERR.NOT_ALLOWED:
str = 'Out of bounds write'
raise RuntimeError('Device returned non-success code %02x: %s' % (ret, str))
str = "Out of bounds write"
raise RuntimeError("Device returned non-success code %02x: %s" % (ret, str))
return data[1:]
def exchange_u2f(self, cmd, addr=0, data=b'A' * 16):
appid = b'A' * 32
chal = b'B' * 32
def exchange_u2f(self, cmd, addr=0, data=b"A" * 16):
appid = b"A" * 32
chal = b"B" * 32
req = SoloClient.format_request(cmd, addr, data)
@ -192,28 +194,28 @@ class SoloClient:
ret = res.signature[0]
if ret != CtapError.ERR.SUCCESS:
str = ''
str = ""
if ret == CtapError.ERR.NOT_ALLOWED:
str = 'Out of bounds write'
raise RuntimeError('Device returned non-success code %02x: %s' % (ret, str))
str = "Out of bounds write"
raise RuntimeError("Device returned non-success code %02x: %s" % (ret, str))
return res.signature[1:]
def bootloader_version(self,):
data = self.exchange(SoloBootloader.version)
if len(data) > 2:
return (data[0],data[1],data[2])
return (data[0], data[1], data[2])
return data[0]
def solo_version(self,):
data = self.exchange_u2f(SoloExtension.version)
return (data[0],data[1],data[2])
return (data[0], data[1], data[2])
def write_flash(self, addr, data):
self.exchange(SoloBootloader.write, addr, data)
def get_rng(self, num=0):
ret = self.send_data_hid(SoloBootloader.HIDCommandRNG, struct.pack('B', num))
ret = self.send_data_hid(SoloBootloader.HIDCommandRNG, struct.pack("B", num))
return ret
def verify_flash(self, sig):
@ -225,34 +227,27 @@ class SoloClient:
self.exchange(SoloBootloader.done, 0, sig)
def wink(self,):
self.send_data_hid(CTAPHID.WINK, b'')
self.send_data_hid(CTAPHID.WINK, b"")
def reset(self,):
self.ctap2.reset()
def make_credential(self,):
rp = {'id': self.host, 'name': 'example site'}
user = {'id': b'abcdef', 'name': 'example user'}
challenge = 'Y2hhbGxlbmdl'
attest, data = self.client.make_credential(
rp, user, challenge, exclude_list=[]
)
rp = {"id": self.host, "name": "example site"}
user = {"id": b"abcdef", "name": "example user"}
challenge = "Y2hhbGxlbmdl"
attest, data = self.client.make_credential(rp, user, challenge, exclude_list=[])
try:
attest.verify(data.hash)
except AttributeError:
verifier = Attestation.for_type(attest.fmt)
verifier().verify(
attest.att_statement,
attest.auth_data,
data.hash
)
print('Register valid')
x5c = attest.att_statement['x5c'][0]
verifier().verify(attest.att_statement, attest.auth_data, data.hash)
print("Register valid")
x5c = attest.att_statement["x5c"][0]
cert = x509.load_der_x509_certificate(x5c, default_backend())
return cert
def enter_solo_bootloader(self,):
"""
If solo is configured as solo hacker or something similar,
@ -260,8 +255,8 @@ class SoloClient:
so it can be reprogrammed
"""
if self.exchange != self.exchange_hid:
self.send_data_hid(CTAPHID.INIT, '\x11\x11\x11\x11\x11\x11\x11\x11')
self.send_data_hid(SoloBootloader.HIDCommandEnterBoot, '')
self.send_data_hid(CTAPHID.INIT, "\x11\x11\x11\x11\x11\x11\x11\x11")
self.send_data_hid(SoloBootloader.HIDCommandEnterBoot, "")
def is_solo_bootloader(self,):
try:
@ -286,7 +281,7 @@ class SoloClient:
req = SoloClient.format_request(SoloBootloader.st_dfu)
self.send_only_hid(SoloBootloader.HIDCommandBoot, req)
else:
self.send_only_hid(SoloBootloader.HIDCommandEnterSTBoot, '')
self.send_only_hid(SoloBootloader.HIDCommandEnterSTBoot, "")
def disable_solo_bootloader(self,):
"""
@ -295,10 +290,10 @@ class SoloClient:
If you've started from a solo hacker, make you you've programmed a final/production build!
"""
ret = self.exchange(
SoloBootloader.disable, 0, b'\xcd\xde\xba\xaa'
SoloBootloader.disable, 0, b"\xcd\xde\xba\xaa"
) # magic number
if ret[0] != CtapError.ERR.SUCCESS:
print('Failed to disable bootloader')
print("Failed to disable bootloader")
return False
time.sleep(0.1)
self.exchange(SoloBootloader.do_reboot)
@ -306,22 +301,22 @@ class SoloClient:
def program_file(self, name):
if name.lower().endswith('.json'):
data = json.loads(open(name, 'r').read())
fw = base64.b64decode(from_websafe(data['firmware']).encode())
sig = base64.b64decode(from_websafe(data['signature']).encode())
if name.lower().endswith(".json"):
data = json.loads(open(name, "r").read())
fw = base64.b64decode(from_websafe(data["firmware"]).encode())
sig = base64.b64decode(from_websafe(data["signature"]).encode())
ih = IntelHex()
tmp = tempfile.NamedTemporaryFile(delete=False)
tmp.write(fw)
tmp.seek(0)
tmp.close()
ih.fromfile(tmp.name, format='hex')
ih.fromfile(tmp.name, format="hex")
else:
if not name.lower().endswith('.hex'):
if not name.lower().endswith(".hex"):
print('Warning, assuming "%s" is an Intel Hex file.' % name)
sig = None
ih = IntelHex()
ih.fromfile(name, format='hex')
ih.fromfile(name, format="hex")
if self.exchange == self.exchange_hid:
chunk = 2048
@ -332,7 +327,7 @@ class SoloClient:
size = seg[1] - seg[0]
total = 0
t1 = time.time() * 1000
print('erasing...')
print("erasing...")
for i in range(seg[0], seg[1], chunk):
s = i
e = min(i + chunk, seg[1])
@ -340,17 +335,17 @@ class SoloClient:
self.write_flash(i, data)
total += chunk
progress = total / float(size) * 100
sys.stdout.write('downloading %.2f%%...\r' % progress)
sys.stdout.write('downloaded 100% \r\n')
sys.stdout.write("downloading %.2f%%...\r" % progress)
sys.stdout.write("downloaded 100% \r\n")
t2 = time.time() * 1000
print('time: %.2f s' % ((t2 - t1) / 1000.0))
print("time: %.2f s" % ((t2 - t1) / 1000.0))
print('Verifying...')
print("Verifying...")
if self.do_reboot:
if sig is not None:
self.verify_flash(sig)
else:
self.verify_flash(b'A' * 64)
self.verify_flash(b"A" * 64)
class DFU:
@ -431,14 +426,14 @@ class DFUDevice:
devs = usb.core.find(idVendor=0x0483, idProduct=0xDF11, find_all=1)
for x in devs:
if ser == (usb.util.get_string(x, x.iSerialNumber)):
print('connecting to ', ser)
print("connecting to ", ser)
self.dev = x
break
else:
self.dev = usb.core.find(idVendor=0x0483, idProduct=0xDF11)
if self.dev is None:
raise RuntimeError('No ST DFU devices found.')
raise RuntimeError("No ST DFU devices found.")
self.dev.set_configuration()
for cfg in self.dev:
@ -449,7 +444,7 @@ class DFUDevice:
self.intNum = intf.bInterfaceNumber
return self.dev
raise RuntimeError('No ST DFU alternate-%d found.' % altsetting)
raise RuntimeError("No ST DFU alternate-%d found." % altsetting)
def init(self,):
if self.state() == DFU.state.ERROR:
@ -510,7 +505,7 @@ class DFUDevice:
self.clear_status()
self.clear_status()
if self.state() not in (DFU.state.IDLE, DFU.state.DOWNLOAD_IDLE):
raise RuntimeError('DFU device not in correct state for writing memory.')
raise RuntimeError("DFU device not in correct state for writing memory.")
oldaddr = addr
addr = DFUDevice.addr2block(addr, len(data))
@ -527,7 +522,7 @@ class DFUDevice:
self.clear_status()
self.clear_status()
if self.state() not in (DFU.state.IDLE, DFU.state.UPLOAD_IDLE):
raise RuntimeError('DFU device not in correct state for reading memory.')
raise RuntimeError("DFU device not in correct state for reading memory.")
return self.upload(addr, size)
@ -542,7 +537,7 @@ class DFUDevice:
self.clear_status()
self.clear_status()
if self.state() not in (DFU.state.IDLE, DFU.state.DOWNLOAD_IDLE):
raise RuntimeError('DFU device not in correct state for detaching.')
raise RuntimeError("DFU device not in correct state for detaching.")
# self.set_addr(0x08000000)
# self.block_on_state(DFU.state.DOWNLOAD_BUSY)
# assert(DFU.state.DOWNLOAD_IDLE == self.state())
@ -572,15 +567,15 @@ def attempt_to_boot_bootloader(p):
except CtapError as e:
if e.code == CtapError.ERR.INVALID_COMMAND:
print(
'Solo appears to not be a solo hacker. Try holding down the button for 2 while you plug token in.'
"Solo appears to not be a solo hacker. Try holding down the button for 2 while you plug token in."
)
sys.exit(1)
else:
raise (e)
print('Solo rebooted. Reconnecting...')
print("Solo rebooted. Reconnecting...")
time.sleep(0.500)
if not attempt_to_find_device(p):
raise RuntimeError('Failed to reconnect!')
raise RuntimeError("Failed to reconnect!")
def solo_main():
@ -588,11 +583,19 @@ def solo_main():
parser.add_argument(
"--rng",
action="store_true",
help='Continuously dump random numbers generated from Solo.',
help="Continuously dump random numbers generated from Solo.",
)
parser.add_argument("--wink", action="store_true", help="HID Wink command.")
parser.add_argument(
"--reset",
action="store_true",
help="Issue a FIDO2 reset command. Warning: your credentials will be lost.",
)
parser.add_argument(
"--verify-solo",
action="store_true",
help="Verify that the Solo firmware is from SoloKeys. Check firmware version.",
)
parser.add_argument("--wink", action="store_true", help='HID Wink command.')
parser.add_argument("--reset", action="store_true", help='Issue a FIDO2 reset command. Warning: your credentials will be lost.')
parser.add_argument("--verify-solo", action="store_true", help='Verify that the Solo firmware is from SoloKeys. Check firmware version.')
args = parser.parse_args()
p = SoloClient()
@ -614,26 +617,26 @@ def solo_main():
if args.verify_solo:
cert = p.make_credential()
solo_fingerprint = b'r\xd5\x831&\xac\xfc\xe9\xa8\xe8&`\x18\xe6AI4\xc8\xbeJ\xb8h_\x91\xb0\x99!\x13\xbb\xd42\x95'
solo_fingerprint = b"r\xd5\x831&\xac\xfc\xe9\xa8\xe8&`\x18\xe6AI4\xc8\xbeJ\xb8h_\x91\xb0\x99!\x13\xbb\xd42\x95"
hacker_fingerprint = b"\xd0ml\xcb\xda}\xe5j\x16'\xc2\xa7\x89\x9c5\xa2\xa3\x16\xc8Q\xb3j\xd8\xed~\xd7\x84y\xbbx~\xf7"
if (cert.fingerprint(hashes.SHA256()) == solo_fingerprint):
print('Valid SOLO firmware from SoloKeys')
elif (cert.fingerprint(hashes.SHA256()) == hacker_fingerprint):
print('Valid HACKER firmware')
if cert.fingerprint(hashes.SHA256()) == solo_fingerprint:
print("Valid SOLO firmware from SoloKeys")
elif cert.fingerprint(hashes.SHA256()) == hacker_fingerprint:
print("Valid HACKER firmware")
else:
print('Unknown fingerprint! ', cert.fingerprint(hashes.SHA256()))
print("Unknown fingerprint! ", cert.fingerprint(hashes.SHA256()))
try:
v = p.solo_version()
print('Version: ', v)
print("Version: ", v)
except ApduError:
print('Firmware is out of date.')
print("Firmware is out of date.")
def asked_for_help():
for i, v in enumerate(sys.argv):
if v == '-h' or v == '--help':
if v == "-h" or v == "--help":
return True
return False
@ -668,9 +671,9 @@ def monitor_main():
try:
d = ser.read(1)
except serial.SerialException:
print('reconnecting...')
print("reconnecting...")
ser = reconnect()
print('done')
print("done")
sys.stdout.buffer.write(d)
sys.stdout.flush()
@ -695,26 +698,26 @@ def genkey_main():
if len(sys.argv) > 2:
seed = sys.argv[2]
print('using input seed file ', seed)
rng = open(seed, 'rb').read()
print("using input seed file ", seed)
rng = open(seed, "rb").read()
secexp = randrange_from_seed__trytryagain(rng, NIST256p.order)
sk = SigningKey.from_secret_exponent(secexp, curve=NIST256p)
else:
sk = SigningKey.generate(curve=NIST256p)
sk_name = sys.argv[1]
print('Signing key for signing device firmware: ' + sk_name)
open(sk_name, 'wb+').write(sk.to_pem())
print("Signing key for signing device firmware: " + sk_name)
open(sk_name, "wb+").write(sk.to_pem())
vk = sk.get_verifying_key()
print('Public key in various formats:')
print("Public key in various formats:")
print()
print([c for c in vk.to_string()])
print()
print(''.join(['%02x' % c for c in vk.to_string()]))
print("".join(["%02x" % c for c in vk.to_string()]))
print()
print('"\\x' + '\\x'.join(['%02x' % c for c in vk.to_string()]) + '"')
print('"\\x' + "\\x".join(["%02x" % c for c in vk.to_string()]) + '"')
print()
@ -722,20 +725,20 @@ def sign_main():
if asked_for_help() or len(sys.argv) != 4:
print(
'Signs a firmware hex file, outputs a .json file that can be used for signed update.'
"Signs a firmware hex file, outputs a .json file that can be used for signed update."
)
print('usage: %s <signing-key.pem> <app.hex> <output.json> [-h]' % sys.argv[0])
print("usage: %s <signing-key.pem> <app.hex> <output.json> [-h]" % sys.argv[0])
print()
sys.exit(1)
msg = get_firmware_object(sys.argv[1], sys.argv[2])
print('Saving signed firmware to', sys.argv[3])
wfile = open(sys.argv[3], 'wb+')
print("Saving signed firmware to", sys.argv[3])
wfile = open(sys.argv[3], "wb+")
wfile.write(json.dumps(msg).encode())
wfile.close()
def use_dfu(args):
fw = args.__dict__['[firmware]']
fw = args.__dict__["[firmware]"]
for i in range(0, 8):
dfu = DFUDevice()
@ -746,15 +749,15 @@ def use_dfu(args):
dfu = None
if dfu is None:
print('No STU DFU device found. ')
print("No STU DFU device found. ")
if args.dfu_serial:
print('Serial number used: ', args.dfu_serial)
print("Serial number used: ", args.dfu_serial)
sys.exit(1)
dfu.init()
if fw:
ih = IntelHex()
ih.fromfile(fw, format='hex')
ih.fromfile(fw, format="hex")
chunk = 2048
seg = ih.segments()[0]
@ -762,11 +765,11 @@ def use_dfu(args):
total = 0
t1 = time.time() * 1000
print('erasing...')
print("erasing...")
try:
dfu.mass_erase()
except usb.core.USBError:
dfu.write_page(0x08000000 + 2048 * 10, 'ZZFF' * (2048 // 4))
dfu.write_page(0x08000000 + 2048 * 10, "ZZFF" * (2048 // 4))
dfu.mass_erase()
page = 0
@ -780,7 +783,7 @@ def use_dfu(args):
progress = total / float(size) * 100
sys.stdout.write(
'downloading %.2f%% %08x - %08x ... \r'
"downloading %.2f%% %08x - %08x ... \r"
% (progress, i, i + page)
)
# time.sleep(0.100)
@ -789,8 +792,8 @@ def use_dfu(args):
# print(dfu.read_mem(i,16))
t2 = time.time() * 1000
print()
print('time: %d ms' % (t2 - t1))
print('verifying...')
print("time: %d ms" % (t2 - t1))
print("verifying...")
progress = 0
for start, end in ih.segments():
for i in range(start, end, chunk):
@ -799,13 +802,13 @@ def use_dfu(args):
total += chunk
progress = total / float(size) * 100
sys.stdout.write(
'reading %.2f%% %08x - %08x ... \r'
"reading %.2f%% %08x - %08x ... \r"
% (progress, i, i + page)
)
if (end - start) == chunk:
assert data1 == data2
print()
print('firmware readback verified.')
print("firmware readback verified.")
if args.detach:
dfu.detach()
@ -815,71 +818,71 @@ def programmer_main():
parser = argparse.ArgumentParser()
parser.add_argument(
"[firmware]",
nargs='?',
default='',
help='firmware file. Either a JSON or hex file. JSON file contains signature while hex does not.',
nargs="?",
default="",
help="firmware file. Either a JSON or hex file. JSON file contains signature while hex does not.",
)
parser.add_argument(
"--use-hid",
action="store_true",
help='Programs using custom HID command (default). Quicker than using U2F authenticate which is what a browser has to use.',
help="Programs using custom HID command (default). Quicker than using U2F authenticate which is what a browser has to use.",
)
parser.add_argument(
"--use-u2f",
action="store_true",
help='Programs using U2F authenticate. This is what a web application will use.',
help="Programs using U2F authenticate. This is what a web application will use.",
)
parser.add_argument(
"--no-reset",
action="store_true",
help='Don\'t reset after writing firmware. Stay in bootloader mode.',
help="Don't reset after writing firmware. Stay in bootloader mode.",
)
parser.add_argument(
"--reset-only",
action="store_true",
help='Don\'t write anything, try to boot without a signature.',
help="Don't write anything, try to boot without a signature.",
)
parser.add_argument(
"--reboot", action="store_true", help='Tell bootloader to reboot.'
"--reboot", action="store_true", help="Tell bootloader to reboot."
)
parser.add_argument(
"--enter-bootloader",
action="store_true",
help='Don\'t write anything, try to enter bootloader. Typically only supported by Solo Hacker builds.',
help="Don't write anything, try to enter bootloader. Typically only supported by Solo Hacker builds.",
)
parser.add_argument(
"--st-dfu",
action="store_true",
help='Don\'t write anything, try to enter ST DFU. Warning, you could brick your Solo if you overwrite everything. You should reprogram the option bytes just to be safe (boot to Solo bootloader first, then run this command).',
help="Don't write anything, try to enter ST DFU. Warning, you could brick your Solo if you overwrite everything. You should reprogram the option bytes just to be safe (boot to Solo bootloader first, then run this command).",
)
parser.add_argument(
"--disable",
action="store_true",
help='Disable the Solo bootloader. Cannot be undone. No future updates can be applied.',
help="Disable the Solo bootloader. Cannot be undone. No future updates can be applied.",
)
parser.add_argument(
"--detach",
action="store_true",
help='Detach from ST DFU and boot from main flash. Must be in DFU mode.',
help="Detach from ST DFU and boot from main flash. Must be in DFU mode.",
)
parser.add_argument(
"--dfu-serial",
default='',
help='Specify a serial number for a specific DFU device to connect to.',
default="",
help="Specify a serial number for a specific DFU device to connect to.",
)
parser.add_argument(
"--use-dfu", action="store_true", help='Boot to ST-DFU before continuing.'
"--use-dfu", action="store_true", help="Boot to ST-DFU before continuing."
)
args = parser.parse_args()
fw = args.__dict__['[firmware]']
fw = args.__dict__["[firmware]"]
p = SoloClient()
try:
p.find_device()
if args.use_dfu:
print('entering dfu..')
print("entering dfu..")
try:
attempt_to_boot_bootloader(p)
p.enter_st_dfu()
@ -887,7 +890,7 @@ def programmer_main():
# already in DFU mode?
pass
except RuntimeError:
print('No Solo device detected.')
print("No Solo device detected.")
if fw or args.detach:
use_dfu(args)
sys.exit(0)
@ -905,7 +908,7 @@ def programmer_main():
p.set_reboot(False)
if args.enter_bootloader:
print('Attempting to boot into bootloader mode...')
print("Attempting to boot into bootloader mode...")
attempt_to_boot_bootloader(p)
sys.exit(0)
@ -914,7 +917,7 @@ def programmer_main():
sys.exit(0)
if args.st_dfu:
print('Sending command to boot into ST DFU...')
print("Sending command to boot into ST DFU...")
p.enter_st_dfu()
sys.exit(0)
@ -922,8 +925,8 @@ def programmer_main():
p.disable_solo_bootloader()
sys.exit(0)
if fw == '' and not args.reset_only:
print('Need to supply firmware filename, or see help for more options.')
if fw == "" and not args.reset_only:
print("Need to supply firmware filename, or see help for more options.")
parser.print_help()
sys.exit(1)
@ -931,16 +934,16 @@ def programmer_main():
p.bootloader_version()
except CtapError as e:
if e.code == CtapError.ERR.INVALID_COMMAND:
print('Bootloader not active. Attempting to boot into bootloader mode...')
print("Bootloader not active. Attempting to boot into bootloader mode...")
attempt_to_boot_bootloader(p)
else:
raise (e)
except ApduError:
print('Bootloader not active. Attempting to boot into bootloader mode...')
print("Bootloader not active. Attempting to boot into bootloader mode...")
attempt_to_boot_bootloader(p)
if args.reset_only:
p.exchange(SoloBootloader.done, 0, b'A' * 64)
p.exchange(SoloBootloader.done, 0, b"A" * 64)
else:
p.program_file(fw)
@ -948,7 +951,7 @@ def programmer_main():
def main_mergehex():
if len(sys.argv) < 3:
print(
'usage: %s <file1.hex> <file2.hex> [...] [-s <secret_attestation_key>] <output.hex>'
"usage: %s <file1.hex> <file2.hex> [...] [-s <secret_attestation_key>] <output.hex>"
)
sys.exit(1)
@ -964,7 +967,7 @@ def main_mergehex():
# user supplied, optional
for i, x in enumerate(args):
if x == '-s':
if x == "-s":
secret_attestation_key = args[i + 1]
args = args[:i] + args[i + 2 :]
break
@ -977,8 +980,8 @@ def main_mergehex():
first = IntelHex(args[1])
for i in range(2, len(args) - 1):
print('merging %s with ' % (args[1]), args[i])
first.merge(IntelHex(args[i]), overlap='replace')
print("merging %s with " % (args[1]), args[i])
first.merge(IntelHex(args[i]), overlap="replace")
first[flash_addr(APPLICATION_END_PAGE - 1)] = 0x41
first[flash_addr(APPLICATION_END_PAGE - 1) + 1] = 0x41
@ -1004,19 +1007,19 @@ def main_mergehex():
for i, x in enumerate(key):
first[ATTEST_ADDR + i] = x
first.tofile(args[len(args) - 1], format='hex')
first.tofile(args[len(args) - 1], format="hex")
if __name__ == '__main__':
if __name__ == "__main__":
if sys.version_info[0] < 3:
print('Sorry, python3 is required.')
print("Sorry, python3 is required.")
sys.exit(1)
if len(sys.argv) < 2 or (len(sys.argv) == 2 and asked_for_help()):
print('Diverse command line tool for working with Solo')
print('usage: %s <command> [options] [-h]' % sys.argv[0])
print('commands: program, solo, monitor, sign, genkey, mergehex')
print("Diverse command line tool for working with Solo")
print("usage: %s <command> [options] [-h]" % sys.argv[0])
print("commands: program, solo, monitor, sign, genkey, mergehex")
print(
"""
Examples:
@ -1039,19 +1042,19 @@ Examples:
c = sys.argv[1]
sys.argv = sys.argv[:1] + sys.argv[2:]
sys.argv[0] = sys.argv[0] + ' ' + c
sys.argv[0] = sys.argv[0] + " " + c
if c == 'program':
if c == "program":
programmer_main()
elif c == 'solo':
elif c == "solo":
solo_main()
elif c == 'monitor':
elif c == "monitor":
monitor_main()
elif c == 'sign':
elif c == "sign":
sign_main()
elif c == 'genkey':
elif c == "genkey":
genkey_main()
elif c == 'mergehex':
elif c == "mergehex":
main_mergehex()
else:
print('invalid command: %s' % c)
print("invalid command: %s" % c)