Added more hints to sign-file

solokeys · Oct 25, 2021 · c7078c4 · c7078c4
1 parent a0a1686
commit c7078c4
Showing 1 changed file with 24 additions and 7 deletions.
diff --git a/solo/cli/key.py b/solo/cli/key.py
@@ -174,12 +174,6 @@ def make_credential(serial, host, default_sign_host, user, udp, prompt, pin,
         print("Error: Unknown algorithm(s): ", [a for a, aid in zip(alg.split(","), algs) if aid is None])
         return 1
 
-    # check for PIN
-    if not pin:
-        pin = getpass.getpass("PIN (leave empty for no PIN): ")
-    if not pin:
-        pin = None
-
     if default_sign_host:
         if host is not None:
             print("Error: Cannot specify both --host and --default-sign-host")
@@ -188,6 +182,12 @@ def make_credential(serial, host, default_sign_host, user, udp, prompt, pin,
     elif host is None:
         host = "solokeys.dev"
 
+    # check for PIN
+    if not pin:
+        pin = getpass.getpass("PIN (leave empty for no PIN): ")
+    if not pin:
+        pin = None
+
     cred_id, pk = solo.hmac_secret.make_credential(
         host=host,
         user_id=user,
@@ -745,6 +745,13 @@ def sign_file(pin, serial, udp, prompt, credential_id, host, filename, sig_file,
             if err.code == CtapError.ERR.INVALID_OPTION:
                 print("Got CTAP error 0x2C INVALID_OPTION. Are you sure you used an EdDSA credential with Minisign?")
                 return 1
+            elif err.code == CtapError.ERR.INVALID_CREDENTIAL:
+                print("Got CTAP error 0x22 INVALID_CREDENTIAL.")
+                if host.startswith("solo-sign-hash:"):
+                    print("Are you sure you created this credential using a 'solo-sign-hash:...' host?")
+                else:
+                    print("Host should start with 'solo-sign-hash:'")
+                return 1
             else:
                 raise
 
@@ -781,7 +788,17 @@ def sign_file(pin, serial, udp, prompt, credential_id, host, filename, sig_file,
             print(f"Signature using key {key_id_hex} written to {sig_file}")
 
     else:
-        ret = dev.sign_hash(credential_id, dgst.digest(), pin, host)
+        try:
+            ret = dev.sign_hash(credential_id, dgst.digest(), pin, host)
+        except CtapError as err:
+            if err.code == CtapError.ERR.INVALID_CREDENTIAL:
+                print("Got CTAP error 0x22 INVALID_CREDENTIAL.")
+                if host.startswith("solo-sign-hash:"):
+                    print("Are you sure you created this credential using a 'solo-sign-hash:...' host?")
+                else:
+                    print("Host should start with 'solo-sign-hash:'")
+                return 1
+
         signature = ret[1]
 
         print(f"Signature (Base64): {base64.b64encode(signature).decode()}")