157 lines
6.5 KiB
Bash
Executable File
157 lines
6.5 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Copyright (c) 2014-2016 Yubico AB
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions are
|
|
# met:
|
|
#
|
|
# * Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# * Redistributions in binary form must reproduce the above
|
|
# copyright notice, this list of conditions and the following
|
|
# disclaimer in the documentation and/or other materials provided
|
|
# with the distribution.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
# This is a _very_ simple test shell script, really only verifying
|
|
# that we managed to build a binary and it can execute.
|
|
|
|
set -e
|
|
|
|
BIN="../yubico-piv-tool${EXEEXT}"
|
|
ROOT_MAKEFILE="../../Makefile"
|
|
|
|
HELP_OUTPUT=$($BIN --help)
|
|
|
|
expected="yubico-piv-tool $VERSION"
|
|
VERSION_OUTPUT=$($BIN --version | sed 's/\r//')
|
|
if [ "x$VERSION_OUTPUT" != "x$expected" ]; then
|
|
echo "Version ($VERSION_OUTPUT) not matching expected output $expected."
|
|
exit 1
|
|
fi
|
|
|
|
|
|
################################################################################
|
|
################################################################################
|
|
# HARDWARE TESTS
|
|
################################################################################
|
|
################################################################################
|
|
#
|
|
# Tests below here require a Yubikey to be connected.
|
|
# These tests are destructive.
|
|
#
|
|
################################################################################
|
|
################################################################################
|
|
|
|
# Verify that --enable-hardware-tests was a build flag.
|
|
! $(set -e && cat "$ROOT_MAKEFILE" |grep "^DEFS =" | grep -- "-DHW_TESTS" >/dev/null)
|
|
HW_TESTS=$?
|
|
if [[ $HW_TESTS -eq 0 ]]; then
|
|
exit 0
|
|
fi
|
|
|
|
|
|
#
|
|
# Run basic import/validation tests on included keys/certs. Test keys generated
|
|
# with the following commands:
|
|
#
|
|
# $ openssl genrsa -out private.pem 2048
|
|
# $ openssl rsa -in private.pem -outform PEM -pubout -out public.pem
|
|
# $ openssl req -x509 -key private.pem -out cert.pem -subj "/CN=YubicoTest/OU=YubicoTestUnit/O=yubico.com/" -new
|
|
#
|
|
echo >&0
|
|
echo "Hardware tests enabled!" >&0
|
|
echo >&0
|
|
echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
|
|
echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0
|
|
echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0
|
|
echo >&0
|
|
echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
|
|
echo >&0
|
|
echo " ALL DATA WILL BE ERASED ON CONNECTED YUBIKEYS " >&0
|
|
echo >&0
|
|
echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
|
|
echo >&0
|
|
echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0
|
|
echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING" >&0
|
|
echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
|
|
echo >&0
|
|
echo -n "Are you SURE you wish to proceed? If so, type 'CONFIRM': " >&0
|
|
|
|
read CONFIRM
|
|
if [[ "x$CONFIRM" != "xCONFIRM" ]]; then
|
|
exit 1
|
|
fi
|
|
|
|
# Reset
|
|
$BIN -averify-pin -P000000 || true
|
|
$BIN -averify-pin -P000000 || true
|
|
$BIN -averify-pin -P000000 || true
|
|
$BIN -averify-pin -P000000 || true
|
|
$BIN -averify-pin -P000000 || true
|
|
$BIN -achange-puk -P000000 -N00000000 || true
|
|
$BIN -achange-puk -P000000 -N00000000 || true
|
|
$BIN -achange-puk -P000000 -N00000000 || true
|
|
$BIN -achange-puk -P000000 -N00000000 || true
|
|
$BIN -achange-puk -P000000 -N00000000 || true
|
|
$BIN -areset
|
|
|
|
# Generate key on-board, issue certificate, and verify it
|
|
$BIN -agenerate -s9a -AECCP384 -o key_9a.pub
|
|
$BIN -averify -P123456 -s9a -S'/CN=YubicoTest/OU=YubicoGenerated/O=yubico.com/' -aselfsign -i key_9a.pub -o cert_9a.pem
|
|
$BIN -averify -P123456 -s9a -atest-signature -i cert_9a.pem
|
|
$BIN -aimport-certificate -P123456 -s9a -i cert_9a.pem
|
|
|
|
# Import key, generate self-signed certificate, and verify it
|
|
$BIN -aimport-key -P123456 -s9e -iprivate.pem
|
|
$BIN -arequest-certificate -s9e -S"/CN=bar/OU=test/O=example.com/" -i public.pem -o req_9e.pem
|
|
$BIN -averify -P123456 -s9e -S'/CN=bar/OU=test/O=example.com/' -aselfsign -i public.pem -o cert_9e.pem
|
|
$BIN -atest-decipher -s9e -i cert_9e.pem
|
|
$BIN -aimport-certificate -P123456 -s9e -i cert.pem
|
|
|
|
|
|
# Read status and validate fields
|
|
STATUS=$($BIN -astatus)
|
|
echo "$STATUS"
|
|
ALGO_9A=$(echo "$STATUS" |grep "Slot 9a" -A 6 |grep "Algorithm" |tr -d "[:blank:]")
|
|
if [[ "x$ALGO_9A" != "xAlgorithm:ECCP384" ]]; then
|
|
echo "$ALGO_9A"
|
|
echo "Generated algorithm incorrect." >/dev/stderr
|
|
exit 1
|
|
fi
|
|
|
|
ALGO_9E=$(echo "$STATUS" |grep "Slot 9e" -A 6 |grep "Algorithm" |tr -d "[:blank:]")
|
|
if [[ "x$ALGO_9E" != "xAlgorithm:RSA2048" ]]; then
|
|
echo "$ALGO_9E"
|
|
echo "Generated algorithm incorrect." >/dev/stderr
|
|
exit 1
|
|
fi
|
|
|
|
SUBJECT_9A=$(echo "$STATUS" |grep "Slot 9a" -A 6 |grep "Subject DN" |tr -d "[:blank:]")
|
|
if [[ "x$SUBJECT_9A" != "xSubjectDN:CN=YubicoTest,OU=YubicoGenerated,O=yubico.com" ]]; then
|
|
echo "$SUBJECT_9A"
|
|
echo "Certificate subject incorrect." >/dev/stderr
|
|
exit 1
|
|
fi
|
|
|
|
SUBJECT_9E=$(echo "$STATUS" |grep "Slot 9e" -A 6 |grep "Subject DN" |tr -d "[:blank:]")
|
|
if [[ "x$SUBJECT_9E" != "xSubjectDN:CN=YubicoTest,OU=YubicoTestUnit,O=yubico.com" ]]; then
|
|
echo "$SUBJECT_9E"
|
|
echo "Certificate subject incorrect." >/dev/stderr
|
|
exit 1
|
|
fi
|