Fix unit tests for NEO: use ECCP256 and detect attestation errors
This commit is contained in:
+18
-3
@@ -409,8 +409,15 @@ START_TEST(test_import_key) {
|
|||||||
{
|
{
|
||||||
unsigned char attest[2048];
|
unsigned char attest[2048];
|
||||||
size_t attest_len = sizeof(attest);
|
size_t attest_len = sizeof(attest);
|
||||||
|
ykpiv_devmodel model;
|
||||||
|
model = ykpiv_util_devicemodel(g_state);
|
||||||
res = ykpiv_attest(g_state, 0x9e, attest, &attest_len);
|
res = ykpiv_attest(g_state, 0x9e, attest, &attest_len);
|
||||||
ck_assert_int_eq(res, YKPIV_GENERIC_ERROR);
|
if (model == DEVTYPE_YK4) {
|
||||||
|
ck_assert_int_eq(res, YKPIV_GENERIC_ERROR);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
ck_assert_int_eq(res, YKPIV_NOT_SUPPORTED);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
END_TEST
|
END_TEST
|
||||||
@@ -440,11 +447,19 @@ START_TEST(test_generate_key) {
|
|||||||
|
|
||||||
// Verify that imported key can be attested
|
// Verify that imported key can be attested
|
||||||
{
|
{
|
||||||
|
ykpiv_devmodel model;
|
||||||
unsigned char attest[2048];
|
unsigned char attest[2048];
|
||||||
size_t attest_len = sizeof(attest);
|
size_t attest_len = sizeof(attest);
|
||||||
|
model = ykpiv_util_devicemodel(g_state);
|
||||||
res = ykpiv_attest(g_state, YKPIV_KEY_AUTHENTICATION, attest, &attest_len);
|
res = ykpiv_attest(g_state, YKPIV_KEY_AUTHENTICATION, attest, &attest_len);
|
||||||
ck_assert_int_eq(res, YKPIV_OK);
|
// Only works with YK4. NEO should error.
|
||||||
ck_assert_int_gt(attest_len, 0);
|
if (model == DEVTYPE_YK4) {
|
||||||
|
ck_assert_int_eq(res, YKPIV_OK);
|
||||||
|
ck_assert_int_gt(attest_len, 0);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
ck_assert_int_eq(res, YKPIV_NOT_SUPPORTED);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
END_TEST
|
END_TEST
|
||||||
|
|||||||
@@ -1346,6 +1346,9 @@ ykpiv_rc ykpiv_attest(ykpiv_state *state, const unsigned char key, unsigned char
|
|||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
else if(SW_SUCCESS != sw) {
|
else if(SW_SUCCESS != sw) {
|
||||||
|
if (sw == SW_ERR_NOT_SUPPORTED) {
|
||||||
|
return YKPIV_NOT_SUPPORTED;
|
||||||
|
}
|
||||||
return YKPIV_GENERIC_ERROR;
|
return YKPIV_GENERIC_ERROR;
|
||||||
}
|
}
|
||||||
if (data[0] != 0x30) {
|
if (data[0] != 0x30) {
|
||||||
|
|||||||
+3
-1
@@ -61,7 +61,8 @@ extern "C"
|
|||||||
YKPIV_PIN_LOCKED = -13,
|
YKPIV_PIN_LOCKED = -13,
|
||||||
|
|
||||||
YKPIV_ARGUMENT_ERROR = -14, //i.e. invalid input argument
|
YKPIV_ARGUMENT_ERROR = -14, //i.e. invalid input argument
|
||||||
YKPIV_RANGE_ERROR = -15 //i.e. value range error
|
YKPIV_RANGE_ERROR = -15, //i.e. value range error
|
||||||
|
YKPIV_NOT_SUPPORTED = -16
|
||||||
} ykpiv_rc;
|
} ykpiv_rc;
|
||||||
|
|
||||||
typedef void* (*ykpiv_pfn_alloc)(void* alloc_data, size_t size);
|
typedef void* (*ykpiv_pfn_alloc)(void* alloc_data, size_t size);
|
||||||
@@ -217,6 +218,7 @@ extern "C"
|
|||||||
#define SW_ERR_INCORRECT_PARAM 0x6a80
|
#define SW_ERR_INCORRECT_PARAM 0x6a80
|
||||||
/* this is a custom sw for yubikey */
|
/* this is a custom sw for yubikey */
|
||||||
#define SW_ERR_INCORRECT_SLOT 0x6b00
|
#define SW_ERR_INCORRECT_SLOT 0x6b00
|
||||||
|
#define SW_ERR_NOT_SUPPORTED 0x6d00
|
||||||
|
|
||||||
/* Yubico vendor specific instructions */
|
/* Yubico vendor specific instructions */
|
||||||
#define YKPIV_INS_SET_MGMKEY 0xff
|
#define YKPIV_INS_SET_MGMKEY 0xff
|
||||||
|
|||||||
+2
-2
@@ -111,7 +111,7 @@ $BIN -achange-puk -P000000 -N00000000 || true
|
|||||||
$BIN -areset
|
$BIN -areset
|
||||||
|
|
||||||
# Generate key on-board, issue certificate, and verify it
|
# Generate key on-board, issue certificate, and verify it
|
||||||
$BIN -agenerate -s9a -AECCP384 -o key_9a.pub
|
$BIN -agenerate -s9a -AECCP256 -o key_9a.pub
|
||||||
$BIN -averify -P123456 -s9a -S'/CN=YubicoTest/OU=YubicoGenerated/O=yubico.com/' -aselfsign -i key_9a.pub -o cert_9a.pem
|
$BIN -averify -P123456 -s9a -S'/CN=YubicoTest/OU=YubicoGenerated/O=yubico.com/' -aselfsign -i key_9a.pub -o cert_9a.pem
|
||||||
$BIN -averify -P123456 -s9a -atest-signature -i cert_9a.pem
|
$BIN -averify -P123456 -s9a -atest-signature -i cert_9a.pem
|
||||||
$BIN -aimport-certificate -P123456 -s9a -i cert_9a.pem
|
$BIN -aimport-certificate -P123456 -s9a -i cert_9a.pem
|
||||||
@@ -128,7 +128,7 @@ $BIN -aimport-certificate -P123456 -s9e -i cert.pem
|
|||||||
STATUS=$($BIN -astatus)
|
STATUS=$($BIN -astatus)
|
||||||
echo "$STATUS"
|
echo "$STATUS"
|
||||||
ALGO_9A=$(echo "$STATUS" |grep "Slot 9a" -A 6 |grep "Algorithm" |tr -d "[:blank:]")
|
ALGO_9A=$(echo "$STATUS" |grep "Slot 9a" -A 6 |grep "Algorithm" |tr -d "[:blank:]")
|
||||||
if [[ "x$ALGO_9A" != "xAlgorithm:ECCP384" ]]; then
|
if [[ "x$ALGO_9A" != "xAlgorithm:ECCP256" ]]; then
|
||||||
echo "$ALGO_9A"
|
echo "$ALGO_9A"
|
||||||
echo "Generated algorithm incorrect." >/dev/stderr
|
echo "Generated algorithm incorrect." >/dev/stderr
|
||||||
exit 1
|
exit 1
|
||||||
|
|||||||
Reference in New Issue
Block a user