How do you store credentials on the key?

[atoponce]

According to:

% solo key credential info
PIN: 
Existing resident keys: 0
Remaining resident keys: 50

I have 50 slots for resident keys. I'm assuming I need to use the make-credential subcommand, but it doesn't appear to store it on the device, only output hex:

% solo key make-credential
PIN (leave empty for no PIN): 
<hex output>
% solo key credential info
PIN: 
Existing resident keys: 0
Remaining resident keys: 50

How are credentials stored on the key so it could be used for things like signing files?

% solo key sign-file --help
Usage: solo key sign-file [OPTIONS] CREDENTIAL_ID FILENAME

  Sign the specified file using the given credential-id

Options:
  --pin TEXT         PIN for to access key
  -s, --serial TEXT  Serial number of Solo to use
  --help             Show this message and exit.

[nickray]

I don't think we have any command in solo that generates a resident key, which is what solo key credential info outputs.

What make-credential does is create a non-resident key, meaning the credential ID (the hex-output you see) encodes everything the token needs to reconstruct the key. This is the original idea behind U2F (use the "server" to store the key, by sending it an encrypted version as credential ID). So far, so good!

You'd then pass that credential ID to solo key sign-file.

However, signing files is not part of the official firmware on secure keys (you'd get a CTAP error: 0x01 - INVALID_COMMAND). This is implemented in solokeys/solo1#397 which I don't think we ever merged.

[atoponce]

I probably should have mentioned that I am using a Solo Hacker. However I get the same CTAP error: 0x01 - INVALID_COMMAND error when attempting to sign a file:

% solo key make-credential
PIN (leave empty for no PIN): 
Touch your authenticator to generate a credential...
<hex_output>
% solo key sign-file $hex_output file.bin
<other_hex_output>  file.bin
Please press the button on your Solo key
Traceback (most recent call last):
  File "/home/aaron/.local/bin/solo", line 8, in <module>
    sys.exit(solo_cli())
  File "/usr/lib/python3/dist-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3/dist-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3/dist-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3/dist-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3/dist-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/home/aaron/.local/lib/python3.9/site-packages/solo/cli/key.py", line 612, in sign_file
    ret = dev.sign_hash(base64.b64decode(credential_id), dgst.digest(), pin)
  File "/home/aaron/.local/lib/python3.9/site-packages/solo/client.py", line 337, in sign_hash
    return self.ctap2.send_cbor(
  File "/home/aaron/.local/lib/python3.9/site-packages/fido2/ctap2.py", line 645, in send_cbor
    raise CtapError(status)
fido2.ctap.CtapError: CTAP error: 0x01 - INVALID_COMMAND

I'll keep an eye on the PR and watch for new firmware updates. Thanks.

[cst-art]

Hi
I not using a Solo Hacker, I try it with my solokey and take this:
root@3a-rpi01:/home/pi# solo key make-credential
THIS COMMAND SHOULD NOT BE RUN AS ROOT!

Please install udev rules and run solo as regular user (without sudo).
For more information, see: https://docs.solokeys.io/solo/udev
PIN (leave empty for no PIN):
Touch your authenticator to generate a credential...
Traceback (most recent call last):
File "/usr/local/bin/solo", line 10, in
sys.exit(solo_cli())
File "/root/.local/lib/python3.7/site-packages/click/core.py", line 829, in call
return self.main(*args, **kwargs)
File "/root/.local/lib/python3.7/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/root/.local/lib/python3.7/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/root/.local/lib/python3.7/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/root/.local/lib/python3.7/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/root/.local/lib/python3.7/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python3.7/dist-packages/solo/cli/key.py", line 158, in make_credential
pin=pin,
File "/usr/local/lib/python3.7/dist-packages/solo/hmac_secret.py", line 51, in make_credential
"extensions": {"hmacCreateSecret": True},
AttributeError: 'tuple' object has no attribute 'attestation_object'

If I verify it:
root@3a-rpi01:/home/pi# solo key verify
THIS COMMAND SHOULD NOT BE RUN AS ROOT!

Please install udev rules and run solo as regular user (without sudo).
For more information, see: https://docs.solokeys.io/solo/udev
Please press the button on your Solo key
Traceback (most recent call last):
File "/usr/local/bin/solo", line 10, in
sys.exit(solo_cli())
File "/root/.local/lib/python3.7/site-packages/click/core.py", line 829, in call
return self.main(*args, **kwargs)
File "/root/.local/lib/python3.7/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/root/.local/lib/python3.7/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/root/.local/lib/python3.7/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/root/.local/lib/python3.7/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/root/.local/lib/python3.7/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python3.7/dist-packages/solo/cli/key.py", line 363, in verify
cert = key.make_credential(pin=pin)
File "/usr/local/lib/python3.7/dist-packages/solo/devices/base.py", line 101, in make_credential
attest = result.attestation_object
AttributeError: 'tuple' object has no attribute 'attestation_object'

root@3a-rpi01:/home/pi# solo version
THIS COMMAND SHOULD NOT BE RUN AS ROOT!

Please install udev rules and run solo as regular user (without sudo).
For more information, see: https://docs.solokeys.io/solo/udev
0.0.30

Does this not work with a standard key?

best regards chris