-
Notifications
You must be signed in to change notification settings - Fork 37
566 lines (535 loc) · 26.8 KB
/
tests.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
name: tests
on: [push, pull_request, workflow_dispatch]
jobs:
build_opensc:
name: Build opensc package
#if: github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
steps:
- name: Cache deb files
uses: actions/cache@v4
env:
cache-name: tools-deb
with:
path: |
opensc*.deb
yubico-piv-tool*.deb
key: ${{ runner.os }}-${{ env.cache-name }}
- name: Check file existence
id: check_opensc
uses: andstor/file-existence-action@v1
with:
files: "opensc*.deb"
- name: Check file existence
id: check_yubico_piv
uses: andstor/file-existence-action@v1
with:
files: "yubico-piv-tool*.deb"
- name: Package Install
if: steps.check_opensc.outputs.files_exists == 'false' || steps.check_yubico_piv.outputs.files_exists == 'false'
run: |
sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list
sudo apt-get update
sudo apt-get install -q -y curl git gcc g++ cmake swig psmisc procps debian-keyring devscripts libpcsclite-dev check gengetopt help2man openssl zlib1g-dev
sudo apt-get build-dep -q -y opensc
sudo rm -f /usr/bin/clang-tidy
- name: Build opensc package
if: steps.check_opensc.outputs.files_exists == 'false'
run: |
dget http://archive.ubuntu.com/ubuntu/pool/universe/o/opensc/opensc_0.23.0-0.1ubuntu1.dsc
cd opensc-0.23.0
curl https://github.com/OpenSC/OpenSC/commit/a0aef25c7f2ce0ec2c7e1014f959f0fe86ff0479.diff | patch -p1
dch --local ppa~jammy --distribution jammy "Apply a patch. Backports to Jammy."
DEB_BUILD_OPTIONS='parallel=2' debuild --no-sign -b
- name: Build yubico-piv-tool package
if: steps.check_yubico_piv.outputs.files_exists == 'false'
run: |
set -x
git clone https://github.com/z4yx/yubico-piv-tool.git
cd yubico-piv-tool
mkdir build_dir;
pushd build_dir; cmake -DCMAKE_INSTALL_PREFIX=../debian/tmp/usr .. -B .; popd
make -C build_dir
pushd build_dir; cmake -P cmake_install.cmake; popd
mkdir debian/tmp/DEBIAN
dpkg-gencontrol -pyubico-piv-tool
dpkg --build debian/tmp build_dir/
mv build_dir/yubico-piv-tool_*_amd64.deb ..
sudo apt install ../yubico-piv-tool_*_amd64.deb
- name: Upload package files
uses: actions/upload-artifact@v4
with:
name: tools-deb
path: |
opensc*.deb
yubico-piv-tool*.deb
build_test:
name: Build and Test
runs-on: ubuntu-latest
needs: build_opensc
steps:
- name: Download backport OpenSC package
uses: actions/download-artifact@v4
with:
name: tools-deb
- name: Package Install
run: |
sudo apt-add-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install -q -y git gcc g++ cmake swig psmisc procps pcscd pcsc-tools libhidapi-dev libassuan-dev libgcrypt20-dev libksba-dev libnpth0-dev libssl3 zlib1g libglib2.0-0 openssl openssh-server libpcsclite-dev libudev-dev libcmocka-dev python3-pip python3-setuptools python3-wheel lcov yubikey-manager libcbor-dev
sudo dpkg -i opensc*.deb yubico-piv-tool*.deb
pip3 install --upgrade pip
- name: Set up Go 1.16
uses: actions/setup-go@v5
with:
go-version: "^1.16.1"
id: go
- name: Check out code
uses: actions/checkout@v4
with:
submodules: recursive
- name: Check out piv-go
uses: actions/checkout@v4
with:
repository: canokeys/piv-go
path: piv-go
- name: Cache GO Modules
uses: actions/cache@v4
env:
cache-name: go_mod
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('./go.mod') }}
- name: Cache Patched GPG
uses: actions/cache@v4
env:
cache-name: cache_gpg_binary
with:
path: gnupg
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('./test-via-pcsc/build_gpg.sh') }}
- name: Cache FIDO Tools
uses: actions/cache@v4
env:
cache-name: cache_fido_tools
with:
path: |
u2f-ref-code
libfido2
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('./test-via-pcsc/build_fido_tests.sh') }}
- name: Build Patched GPG
run: |
./test-via-pcsc/build_gpg.sh
gpg --version
- name: Build FIDO Tests
run: |
./test-via-pcsc/build_fido_tests.sh
sudo ldconfig
which fido2-token
ldd $(which fido2-token)
- name: Build for Test
run: |
mkdir build && pushd build
cmake .. -DENABLE_TESTS=ON -DENABLE_DEBUG_OUTPUT=ON -DCMAKE_BUILD_TYPE=Debug
make -j2
- name: Setup a SSH Server
run: |
cat >/tmp/sshd_config <<EOF
StrictModes no
UsePAM no
Port 2200
EOF
sudo /usr/sbin/sshd -f /tmp/sshd_config
- name: Smoking Tests
run: |
cd build
./test/test_apdu
./test/test_openpgp
./test/test_oath
./test/test_piv
- name: Start the pcscd
run: |
echo 0 >/tmp/canokey-test-up && echo 0 >/tmp/canokey-test-nfc # Emulate the USB mode
sudo killall -9 pcscd || true
sudo cp build/libu2f-virt-card.so /usr/local/lib/
sudo cp test-via-pcsc/pcscd-reader.conf /etc/reader.conf.d/
bash -c 'sudo LD_PRELOAD="$(gcc -print-file-name=libasan.so) $(gcc -print-file-name=libubsan.so)" pcscd -a -f >/tmp/pcscd.log &'
sleep 12
timeout 1s pcsc_scan || true
go env -w GO111MODULE=on
sudo chmod 777 /tmp/canokey-*
sudo chown root:root /tmp/canokey-*
ls -l /tmp
- name: Test the Admin
run: go test -v test-via-pcsc/admin_test.go
- name: Test the NDEF
run: go test -v test-via-pcsc/ndef_test.go
- name: Test the FIDO2
run: |
#echo 1 >/tmp/canokey-test-nfc # Emulate the NFC mode
#pushd test-real && ./test-libfido2.sh && popd
cd fido2-tests
#../build/fido-hid-over-udp &
git pull
~/.local/bin/pytest --color=yes --vendor canokeys --nfc tests/standard/
~/.local/bin/pytest --color=yes --vendor canokeys --nfc tests/vendor/canokeys/
#kill %1
- name: Test the U2F
run: |
echo 0 | ./u2f-ref-code/u2f-tests/NFC/u2f_nfc_test -v | tee /tmp/u2f_nfc_test.log
test $(grep -c 'PASS(signCheckSignature(regReq, regRsp, authReq, authRsp, rapduLen))' /tmp/u2f_nfc_test.log) -eq 6
- name: Test the ckman Utility
run: |
pip3 install canokey-manager
ckman --log-level DEBUG info
ckman oath accounts add steam1 HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ -i Steam
ckman oath accounts code
ckman openpgp info
ckman piv info
#ckman fido credentials list --pin 123456
- name: Test the OATH
run: go test -v test-via-pcsc/oath_test.go
- name: Test the OpenPGP
# GPG requires a tty to work
shell: |
script -e -c "bash --noprofile --norc -eo pipefail {0}"
run: |
set -o xtrace
go test -v test-via-pcsc/openpgp_test.go
pkill gpg-agent || true
#echo 'enable-ssh-support' > ~/.gnupg/gpg-agent.conf
export SSH_AUTH_SOCK=`gpgconf --list-dirs agent-ssh-socket`
mkdir -p ~/.ssh /tmp/mock
python3 -c "import string;import random;print(''.join([random.choice(string.ascii_letters + string.digits) for n in range(1152)]),end='')" > /tmp/random.txt
echo 9876543210 >"/tmp/mock/Reset Code"
echo 12345678 >"/tmp/mock/Passphrase:"
echo 12345678 >"/tmp/mock/Admin PIN"
echo 123456 >"/tmp/mock/PIN"
echo -e 'Key-Type: 1\nKey-Length: 2048\nSubkey-Type: 1\nSubkey-Length: 2048\nName-Real: Someone\nName-Email: [email protected]\nPassphrase: 12345678\n%commit\n%echo done' | gpg --batch --gen-key
KEYID=$(gpg -K --with-colons |grep -P '^sec'|grep -oP '\w{16}')
Addkey() { echo -e "addkey\n$1\n$2\n0\nsave" | gpg --yes --expert --command-fd 0 --edit-key $KEYID; }
Key2card() { echo -e "key $1\nkeytocard\n$2\nsave" | gpg --yes --command-fd 0 --edit-key $KEYID; gpg --card-status; }
Addcardkey() { echo -e "addcardkey\n$1\n0\nsave\n" | gpg --expert --command-fd 0 --yes --edit-key $KEYID; }
ChangeUsage() {
SUBKEY=$(gpg -K --with-colons|awk -F: '$1~/ssb/ && $12~/a/ {print $5}'|tail -n 1)
echo -e "key $SUBKEY\nchange-usage\nS\nQ\ncross-certify\nsave" | gpg --yes --expert --command-fd 0 --edit-key $KEYID
}
GPGSign() { date -Iseconds | gpg --armor --default-key $(gpg -K --with-colons|awk -F: '$1~/ssb/ && $12~/s|a/ {print $5}'|tail -n 1)! -s|gpg; }
GPGEnc() { date -Iseconds | gpg --yes --armor --recipient $(gpg -K --with-colons | awk -F: '$1~/ssb/ && $12~/e/ {print $5}'|tail -n 1) --encrypt|gpg; }
GPGAuth() {
gpg -K --with-colons | awk -F: '$1~/ssb/ && $12~/s/{lg=NR+2} NR==lg{grip=$10} END{print grip}' >~/.gnupg/sshcontrol
ssh-add -L >~/.ssh/authorized_keys
ssh -v -p 2200 -o StrictHostKeyChecking=no -o PasswordAuthentication=no localhost id
}
SetUIF() { echo -e "admin\nuif $1 $2\nq" | gpg --yes --command-fd 0 --edit-card; }
UserChecked() { cnt=$((`cat /tmp/canokey-test-up`)); echo 0 >/tmp/canokey-test-up; [ $1 == $cnt ]; }
GPGReset() { echo -e 'admin\nfactory-reset\ny\nyes' | gpg --command-fd 0 --edit-card; } # clear all keys, no pin verification at all
echo 0 >/tmp/canokey-test-up && echo 0 >/tmp/canokey-test-nfc # Emulate the USB mode
gpg --card-status |grep -E 'UIF setting.+Sign=off Decrypt=off Auth=off'
echo -e 'admin\npasswd\n1\n3\n4\nq\nforcesig\nq' | gpg --yes --command-fd 0 --edit-card # change PIN,Admin PIN,Reset Code
Key2card 1 1 # key[1] to Signature key
echo 0 >/tmp/canokey-test-up
GPGSign
UserChecked 0
SetUIF 1 on
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=off Auth=off'
GPGSign
UserChecked 1
Addkey 12 3 # [2] ECDH P-256 encrypt key
Addkey 10 3 # [3] ECDSA P-256 sign key
Key2card 2 2 # key[2] to Encryption key
Key2card 3 3 # key[3] to Authentication key
echo 0 >/tmp/canokey-test-up
GPGAuth
UserChecked 0
GPGEnc
UserChecked 0
SetUIF 2 on
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=on Auth=off'
GPGEnc
UserChecked 1
SetUIF 3 on
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=on Auth=on'
GPGAuth
UserChecked 1
SetUIF 1 off
gpg --card-status |grep -E 'UIF setting.+Sign=off Decrypt=on Auth=on'
SetUIF 2 off
gpg --card-status |grep -E 'UIF setting.+Sign=off Decrypt=off Auth=on'
SetUIF 3 off
gpg --card-status |grep -E 'UIF setting.+Sign=off Decrypt=off Auth=off'
echo 0 >/tmp/canokey-test-up
GPGEnc
UserChecked 0
SetUIF 1 permanent
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=off Auth=off'
SetUIF 2 permanent
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=on Auth=off'
SetUIF 3 permanent
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=on Auth=on'
SetUIF 3 off || true # can not revert a permanent setting
SetUIF 2 off || true # can not revert a permanent setting
SetUIF 1 off || true # can not revert a permanent setting
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=on Auth=on'
GPGEnc
UserChecked 1
echo 1 >/tmp/canokey-test-nfc
GPGReset
gpg --card-status |grep -E 'Signature key.+none'
Addkey 4 2048 # [4] gen RSA2048 key
Key2card 4 3 # key[4] to Authentication key
Addkey 6 2048 # [5] gen RSA2048 key
Key2card 5 2 # key[5] to Encryption key
GPGAuth
GPGEnc
Addkey 10 3 # [6] gen ECDSA P-256 key
Key2card 6 1 # key[6] to Signature key
GPGSign
GPGReset
## 25519 key import
Addkey 12 1 # [7] cv25519 encrypt key
Addkey 10 1 # [8] ed25519 sign key
Key2card 7 2 # key[7] to Encryption key
Key2card 8 3 # key[8] to Authentication key
GPGAuth
GPGEnc
Addkey 10 1 # [9] ed25519 sign key
Key2card 9 1 # key[9] to Signature key
GPGSign
GPGReset
## RSA4096 key import
Addkey 4 4096 # [10] gen RSA4096 key
Key2card 10 3 # key[10] to Authentication key
Addkey 6 4096 # [11] gen RSA4096 key
Key2card 11 2 # key[11] to Encryption key
GPGAuth
GPGEnc
Addkey 4 4096 # [12] gen RSA4096 key
Key2card 12 1 # key[12] to Signature key
GPGSign
GPGReset
echo -e 'admin\nkey-attr\n2\n1\n2\n1\n2\n1\n' | gpg --command-fd 0 --yes --expert --edit-card
## RSA2048 generation on card
echo -e 'admin\nkey-attr\n1\n2048\n1\n2048\n1\n2048\n' | gpg --command-fd 0 --yes --expert --edit-card # key-attr set to RSA2048
Addcardkey 1 # generate Signature key on card
Addcardkey 2 # generate Encryption key on card
GPGEnc
GPGSign
Addcardkey 3 # generate Authentication key on card
ChangeUsage
GPGAuth
GPGReset
## 25519 generation on card
echo -e 'admin\nkey-attr\n2\n1\n2\n1\n2\n1\n' | gpg --command-fd 0 --yes --expert --edit-card # key-attr set to 25519
Addcardkey 1 # generate Signature key on card
Addcardkey 2 # generate Encryption key on card
GPGEnc
GPGSign
Addcardkey 3 # generate Authentication key on card
ChangeUsage
GPGAuth
GPGReset
## NIST P-256 generation on card
echo -e 'admin\nkey-attr\n2\n3\n2\n3\n2\n3\n' | gpg --command-fd 0 --yes --expert --edit-card # key-attr set to ECC P-256
Addcardkey 1 # generate Signature key on card
Addcardkey 2 # generate Encryption key on card
GPGEnc
GPGSign
Addcardkey 3 # generate Authentication key on card
ChangeUsage
GPGAuth
echo -e 'admin\nwritecert 3 </tmp/random.txt\nquit' | gpg --yes --command-fd 0 --edit-card
gpgconf --kill gpg-agent # restart agent to clear cached info
echo -e 'readcert 3 >/tmp/random-read.txt\nquit' | gpg --yes --command-fd 0 --edit-card
diff /tmp/random-read.txt /tmp/random.txt
GPGReset
## NIST P-384 generation on card
echo -e 'admin\nkey-attr\n2\n4\n2\n4\n2\n4\n' | gpg --command-fd 0 --yes --expert --edit-card # key-attr set to ECC P-384
Addcardkey 1 # generate Signature key on card
Addcardkey 2 # generate Encryption key on card
GPGEnc
GPGSign
Addcardkey 3 # generate Authentication key on card
ChangeUsage
GPGAuth
echo -e 'admin\nwritecert 3 </tmp/random.txt\nquit' | gpg --yes --command-fd 0 --edit-card
gpgconf --kill gpg-agent # restart agent to clear cached info
echo -e 'readcert 3 >/tmp/random-read.txt\nquit' | gpg --yes --command-fd 0 --edit-card
diff /tmp/random-read.txt /tmp/random.txt
GPGReset
## secp256k1 generation on card
echo -e 'admin\nkey-attr\n2\n9\n2\n9\n2\n9\n' | gpg --command-fd 0 --yes --expert --edit-card # key-attr set to ECC secp256k1
Addcardkey 1 # generate Signature key on card
Addcardkey 2 # generate Encryption key on card
GPGEnc
GPGSign
Addcardkey 3 # generate Authentication key on card
ChangeUsage
# GPGAuth # ssh does not support secp256k1
echo -e 'admin\nwritecert 3 </tmp/random.txt\nquit' | gpg --yes --command-fd 0 --edit-card
gpgconf --kill gpg-agent # restart agent to clear cached info
echo -e 'readcert 3 >/tmp/random-read.txt\nquit' | gpg --yes --command-fd 0 --edit-card
diff /tmp/random-read.txt /tmp/random.txt
GPGReset
# Fill this applet as much as possible
echo -e 'admin\nname\nTheFirstNameQQQQQQ\nTheLastNamePPPPPPPP\nlang\nlanguage\nsex\nm\nquit' | gpg --yes --command-fd 0 --edit-card
echo -e 'admin\nurl\nexample.com/111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\nquit' | gpg --yes --command-fd 0 --edit-card
echo -e 'admin\nlogin\naaaaaaaaaaaa000000000000000000000001111111111111111122222222222\nquit' | gpg --yes --command-fd 0 --edit-card
echo -e 'admin\ncafpr 2\n9914 B3B0 BF7E 3B12 DB72 8AC7 3695 10EC DF14 672E\ncafpr 1\nEC17 49B4 C512 6CD3 080C 85CA 0088 068F 1016 5897\ncafpr 3\nAC4D DD51 6C35 D8E2 7153 BB3B 4BD8 4023 BC79 46F0\nquit' | gpg --yes --command-fd 0 --edit-card
# Private DO 1/2 is not implemented
gpgconf --kill gpg-agent
go test -v test-via-pcsc/openpgp_test.go -run TestOpenPGPCerts
- name: Test the PIV
run: |
set -o xtrace
go test -v test-via-pcsc/piv_test.go
RDID="Canokey [OpenPGP PIV OATH] 00 00"
export PIV_EXT_AUTH_KEY=$PWD/test-via-pcsc/PIV_EXT_AUTH_KEY.txt
yubico-piv-tool -r "$RDID" -a status -a set-ccc -a set-chuid -a status
opensc-tool -r "$RDID" -s '00 F8 00 00' | grep 'SW1=0x90, SW2=0x00' # PIV_INS_GET_SERIAL, Yubico
opensc-tool -r "$RDID" -s '00 FD 00 00' | grep 'SW1=0x90, SW2=0x00' # PIV_INS_GET_VERSION, Yubico
pkcs15-tool --reader "$RDID" -D
# change the algorithm identifier of ED25519
piv-tool --admin M:9B:03 -s '00 EE 02 00 07 01 22 05 51 52 53 54' | grep 'SW1=0x90, SW2=0x00' # PIV_INS_ALGORITHM_EXTENSION, Yubico
cd piv-go; go test -v ./piv --wipe-yubikey; cd -
piv-tool --admin M:9B:03 -s '00 EE 02 00 07 01 E0 05 16 E1 53 54' | grep 'SW1=0x90, SW2=0x00' # PIV_INS_ALGORITHM_EXTENSION, Yubico
yubico-piv-tool -r "$RDID" -a verify-pin -P 123456
yubico-piv-tool -r "$RDID" -a change-pin -P 123456 -N 654321
yubico-piv-tool -r "$RDID" -a verify-pin -P 654321
yubico-piv-tool -r "$RDID" -a verify-pin -P 123456 2>&1 | grep '2 tries left before pin is blocked.'
yubico-piv-tool -r "$RDID" -a verify-pin -P 123456 2>&1 | grep '1 tries left before pin is blocked.'
yubico-piv-tool -r "$RDID" -a verify-pin -P 654321
yubico-piv-tool -r "$RDID" -a set-mgm-key -n F1F2F3F4F5F6F7F8F1F2F3F4F5F6F7F8F1F2F3F4F5F6F7F8
yubico-piv-tool -r "$RDID" -a set-mgm-key --key=F1F2F3F4F5F6F7F8F1F2F3F4F5F6F7F8F1F2F3F4F5F6F7F8 -n 010203040506070801020304050607080102030405060708
# opensc 0.22.0~0.23.0 has a bug on External Auth. See opensc commit: a0aef25c7f2ce0ec2c7e1014f959f0fe86ff0479
piv-tool --reader "$RDID" --admin A:9B:03 # External Auth
piv-tool --reader "$RDID" --admin M:9B:03 # Mutual Auth
## Key generation
PIVGenKeyCert() {
key=$1
subject="$2"
algo="$3"
yubico-piv-tool -r "$RDID" -a generate -A $algo -s $key >/tmp/pubkey-$key.pem # generate key at $key
if [[ "$algo" == "X25519" ]]; then return; fi
yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a selfsign-certificate -s $key -S "$subject" < /tmp/pubkey-$key.pem >/tmp/cert-$key.pem
yubico-piv-tool -r "$RDID" -a import-certificate -s $key < /tmp/cert-$key.pem
}
PIVSignDec() {
key=$1
pinArgs=
op=$3
algoArgs=
inp_file=/tmp/cert-$key.pem
if [[ -n "$2" ]]; then pinArgs="-P 654321 -a verify-pin"; fi
if [[ -n "$4" ]]; then algoArgs="-A $4"; fi
if [[ "$4" == X25519 ]]; then inp_file=/tmp/pubkey-$key.pem; fi
if [[ -z "$op" || s = "$op" ]]; then yubico-piv-tool -r "$RDID" $pinArgs -a test-signature -s $key < /tmp/cert-$key.pem; fi
if [[ -z "$op" || d = "$op" ]]; then yubico-piv-tool -r "$RDID" $pinArgs -a test-decipher -s $key $algoArgs < $inp_file; fi
}
## ED25519 tests
for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ED25519; done
yubico-piv-tool -r "$RDID" -a status
for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1 s; done
## X25519 tests
for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" X25519; done
yubico-piv-tool -r "$RDID" -a status
for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1 d X25519; done
## RSA tests
for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA3072; done
for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1; done
for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA4096; done
for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1; done
for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA2048; done
yubico-piv-tool -r "$RDID" -a status
PIVSignDec 9e # PIN not required for key 9e
for s in 9a 9c 9d 82 83; do PIVSignDec $s 1; done
pkcs15-tool --reader "$RDID" --read-certificate 04 | openssl x509 -text | grep 'CN = CertAtSlot9e'
echo -n hello >/tmp/hello.txt
pkcs11-tool --slot "$RDID" -d 04 -s -m SHA256-RSA-PKCS -i /tmp/hello.txt -o /tmp/hello-signed --pin 654321
openssl dgst -sha256 -verify /tmp/pubkey-9e.pem -signature /tmp/hello-signed /tmp/hello.txt
## ECC256 tests
for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ECCP256; done
yubico-piv-tool -r "$RDID" -a status
for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1 s;PIVSignDec $s 1 d; done
## ECC384 tests
for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ECCP384; done
yubico-piv-tool -r "$RDID" -a status
for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1 s;PIVSignDec $s 1 d; done
## PIN unblock
yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s 9a < /tmp/cert-9a.pem
yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s 9c < /tmp/cert-9c.pem
yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-decipher -s 9d < /tmp/cert-9d.pem
yubico-piv-tool -r "$RDID" -a verify-pin -P 222222 2>&1 | grep '2 tries left before pin is blocked.'
yubico-piv-tool -r "$RDID" -a verify-pin -P 222222 2>&1 | grep '1 tries left before pin is blocked.'
yubico-piv-tool -r "$RDID" -a verify-pin -P 222222 2>&1 | grep 'Pin code blocked'
yubico-piv-tool -r "$RDID" -a verify-pin -P 654321 2>&1 | grep 'Pin code blocked'
yubico-piv-tool -r "$RDID" -a unblock-pin -P 12345678 -N 999999 2>&1 | grep 'Successfully unblocked the pin code'
yubico-piv-tool -r "$RDID" -a change-puk -P 12345678 -N 87654321 2>&1 | grep 'Successfully changed the puk code'
yubico-piv-tool -r "$RDID" -a unblock-pin -P 87654321 -N 654321 2>&1 | grep 'Successfully unblocked the pin code'
## Key import
openssl ecparam -name prime256v1 -out p256.pem
openssl req -x509 -newkey ec:p256.pem -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=www.example.com"
for s in 9a 9d 82 83; do
yubico-piv-tool -r "$RDID" -a import-key -s $s -i key.pem
yubico-piv-tool -r "$RDID" -a import-certificate -s $s -i cert.pem
yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s $s <cert.pem
done
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=www.example.com"
for s in 9c 9d 82 83; do
yubico-piv-tool -r "$RDID" -a import-key -s $s -i key.pem
yubico-piv-tool -r "$RDID" -a import-certificate -s $s -i cert.pem
yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s $s <cert.pem
done
## Factory reset
yubico-piv-tool -r "$RDID" -a change-puk -P 12345678 -N 11111111 2>&1 | grep 'Failed verifying puk code, now 2 tries left before blocked'
yubico-piv-tool -r "$RDID" -a change-puk -P 12345678 -N 11111111 2>&1 | grep 'Failed verifying puk code, now 1 tries left before blocked'
yubico-piv-tool -r "$RDID" -a change-puk -P 12345678 -N 11111111 2>&1 | grep 'The puk code is blocked'
yubico-piv-tool -r "$RDID" -a change-puk -P 87654321 -N 11111111 2>&1 | grep 'The puk code is blocked'
yubico-piv-tool -r "$RDID" -a verify-pin -P 222222 2>&1 | grep '2 tries left before pin is blocked.'
yubico-piv-tool -r "$RDID" -a verify-pin -P 222222 2>&1 | grep '1 tries left before pin is blocked.'
yubico-piv-tool -r "$RDID" -a verify-pin -P 222222 2>&1 | grep 'Pin code blocked'
yubico-piv-tool -r "$RDID" -a reset
yubico-piv-tool -r "$RDID" -a unblock-pin -P 12345678 -N 654321 2>&1 | grep 'Successfully unblocked the pin code'
## Test long data object
yubico-piv-tool -r "$RDID" -a set-ccc -a set-chuid -a status
for s in 9a 9c 9d 9e 82 83; do
PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA4096
yubico-piv-tool -r "$RDID" -a import-certificate -s $s -i test-via-pcsc/long-cert.pem
done
openssl rand -base64 -out /tmp/rand-pi 242
openssl rand -base64 -out /tmp/rand-fig 508
openssl rand -base64 -out /tmp/rand-face 508
yubico-piv-tool -r "$RDID" -a write-object --id 0x5fc109 -i /tmp/rand-pi -f base64
yubico-piv-tool -r "$RDID" -a read-object --id 0x5fc109 -o /tmp/read-pi 2>&1 | grep 'Failed fetching'
yubico-piv-tool -r "$RDID" -a write-object --id 0x5fc108 -i /tmp/rand-face -f base64
yubico-piv-tool -r "$RDID" -a write-object --id 0x5fc103 -i /tmp/rand-fig -f base64
yubico-piv-tool -r "$RDID" -a verify-pin -P 654321 -a read-object --id 0x5fc103 -o /tmp/read-fig -f base64
yubico-piv-tool -r "$RDID" -a verify-pin -P 654321 -a read-object --id 0x5fc109 -o /tmp/read-pi -f base64
yubico-piv-tool -r "$RDID" -a verify-pin -P 654321 -a read-object --id 0x5fc108 -o /tmp/read-face -f base64
diff -s /tmp/rand-pi /tmp/read-pi
diff -s /tmp/rand-face /tmp/read-face
diff -s /tmp/rand-fig /tmp/read-fig
- name: Prepare the Test Coverage Report
run: |
go test test-via-pcsc/admin_test.go -v -run TestFSUsage
sudo killall pcscd || true # To flush the cov files
ls /tmp
sleep 2
mkdir coverage
find build/ -name '*.gcda' | grep -P '/(canokey-crypto|virt-card|tinycbor|littlefs|interface)/' | xargs rm
lcov --base-directory . --directory . -c -o ./coverage/lcov.info
- name: Coveralls
uses: coverallsapp/github-action@master
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Upload log files
if: ${{ always() }}
uses: actions/upload-artifact@v4
with:
name: logs
path: /tmp/*.log
- name: Upload data files
if: ${{ always() }}
uses: actions/upload-artifact@v4
with:
name: data
path: /tmp/[lc][fe]*