test PIV cipher extension with Yubico piv tool

canokeys · May 21, 2024 · 9e724be · 9e724be
1 parent 609b490
commit 9e724be
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 6 deletions.
diff --git a/applets/piv/piv.c b/applets/piv/piv.c
@@ -41,10 +41,10 @@
 #define ALG_RSA_2048  0x07
 #define ALG_ECC_256   0x11
 #define ALG_ECC_384   0x14
-#define ALG_ED25519_DEFAULT   0x22 // defined in https://github.com/go-piv/piv-go/pull/69
+#define ALG_ED25519_DEFAULT   0xE0
 #define ALG_RSA_3072_DEFAULT  0x05 // defined in NIST SP 800-78-5 (Initial Public Draft)
-#define ALG_RSA_4096_DEFAULT  0x51
-#define ALG_X25519_DEFAULT    0x52
+#define ALG_RSA_4096_DEFAULT  0x16
+#define ALG_X25519_DEFAULT    0xE1
 #define ALG_SECP256K1_DEFAULT 0x53
 #define ALG_SM2_DEFAULT       0x54
 
@@ -1099,7 +1099,7 @@ static int piv_get_version(const CAPDU *capdu, RAPDU *rapdu) {
   if (P1 != 0x00 || P2 != 0x00) EXCEPT(SW_WRONG_P1P2);
   if (LC != 0) EXCEPT(SW_WRONG_LENGTH);
   RDATA[0] = 0x05;
-  RDATA[1] = 0x04;
+  RDATA[1] = 0x07;
   RDATA[2] = 0x00;
   LL = 3;
   return 0;

diff --git a/test-real/test-piv.sh b/test-real/test-piv.sh
@@ -86,8 +86,8 @@ test_ChangePin() {
     assertEquals 'set-mgm-key' 0 $?
 }
 
-test_RSA2048() {
-    for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA2048; done
+rsa_tests() {
+    for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" $1; done
     YPT -a status
     PIVSignDec 9e # PIN not required for key 9e
     for s in 9a 9c 9d; do PIVSignDec $s 1; done
@@ -101,6 +101,18 @@ test_RSA2048() {
     assertEquals 'openssl dgst verify' 0 $?
 }
 
+test_RSA2048() {
+    rsa_tests RSA2048
+}
+
+test_RSA3072() {
+    rsa_tests RSA3072
+}
+
+test_RSA4096() {
+    rsa_tests RSA4096
+}
+
 test_ECC256() {
     for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ECCP256; done
     YPT -a status
@@ -119,6 +131,16 @@ test_ECC384() {
     assertContains 'CERT' "$out" 'CN = CertAtSlot9c'
 }
 
+test_25519() {
+    for s in 9a 9c 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ED25519; done
+    for s in 9d; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" X25519; done
+    YPT -a status
+    for s in 9a 9c 9e; do PIVSignDec $s 1 s; done # 9a/9c/9e only do the EDDSA
+    # PIVSignDec 9d 1 d # 9d only do the EDDH
+    # out=$(pkcs15-tool --reader "$RDID" --read-certificate 01 | openssl x509 -text)
+    # assertContains 'CERT' "$out" 'CN = CertAtSlot9a'
+}
+
 test_PinBlock() {
     out=$(YPT -a verify-pin -P 222222 2>&1)
     assertContains 'verify-pin' "$out" '2 tries left before pin is blocked.'