Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature/piv extension #89

Merged
merged 4 commits into from
Jun 30, 2024
Merged

Feature/piv extension #89

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9e724be
test PIV cipher extension with Yubico piv tool
May 21, 2024
0339e3e
test algorithm extension
Jun 25, 2024
69495fc
fix tests with piv-go
Jun 28, 2024
82d16ab
skip reseting algorithm extensions ID
z4yx Jun 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions applets/piv/piv.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,10 +41,10 @@
#define ALG_RSA_2048 0x07
#define ALG_ECC_256 0x11
#define ALG_ECC_384 0x14
#define ALG_ED25519_DEFAULT 0x22 // defined in https://github.com/go-piv/piv-go/pull/69
#define ALG_ED25519_DEFAULT 0xE0
#define ALG_RSA_3072_DEFAULT 0x05 // defined in NIST SP 800-78-5 (Initial Public Draft)
#define ALG_RSA_4096_DEFAULT 0x51
#define ALG_X25519_DEFAULT 0x52
#define ALG_RSA_4096_DEFAULT 0x16
#define ALG_X25519_DEFAULT 0xE1
#define ALG_SECP256K1_DEFAULT 0x53
#define ALG_SM2_DEFAULT 0x54

Expand Down Expand Up @@ -1099,7 +1099,7 @@ static int piv_get_version(const CAPDU *capdu, RAPDU *rapdu) {
if (P1 != 0x00 || P2 != 0x00) EXCEPT(SW_WRONG_P1P2);
if (LC != 0) EXCEPT(SW_WRONG_LENGTH);
RDATA[0] = 0x05;
RDATA[1] = 0x04;
RDATA[1] = 0x07;
RDATA[2] = 0x00;
LL = 3;
return 0;
Expand Down
57 changes: 41 additions & 16 deletions test-real/test-piv.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ PIVGenKeyCert() {
algo="$3"
YPT -a generate -A $algo -s $key >$TEST_TMP_DIR/pubkey-$key.pem # generate key at $key
assertEquals 'yubico-piv-tool generate' 0 $?
if [[ $algo == "X25519" ]]; then return; fi
YPT -P 654321 -a verify-pin -a selfsign-certificate -s $key -S "$subject" < $TEST_TMP_DIR/pubkey-$key.pem >$TEST_TMP_DIR/cert-$key.pem
assertEquals 'yubico-piv-tool selfsign-certificate' 0 $?
YPT -a import-certificate -s $key < $TEST_TMP_DIR/cert-$key.pem
Expand All @@ -36,13 +37,15 @@ PIVSignDec() {
key=$1
pinArgs=
op=$3
inp_file=$TEST_TMP_DIR/cert-$key.pem
if [[ $key == X25519 ]]; then inp_file=$TEST_TMP_DIR/pubkey-$key.pem; fi
if [[ -n "$2" ]]; then pinArgs="-P 654321 -a verify-pin"; fi
if [[ -z "$op" || s = "$op" ]]; then
YPT $pinArgs -a test-signature -s $key < $TEST_TMP_DIR/cert-$key.pem;
YPT $pinArgs -a test-signature -s $key < $inp_file;
assertEquals 'yubico-piv-tool test-signature' 0 $?
fi
if [[ -z "$op" || d = "$op" ]]; then
YPT $pinArgs -a test-decipher -s $key < $TEST_TMP_DIR/cert-$key.pem;
YPT $pinArgs -a test-decipher -s $key < $inp_file;
assertEquals 'yubico-piv-tool test-decipher' 0 $?
fi
}
Expand Down Expand Up @@ -86,8 +89,8 @@ test_ChangePin() {
assertEquals 'set-mgm-key' 0 $?
}

test_RSA2048() {
for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA2048; done
rsa_tests() {
for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" $1; done
YPT -a status
PIVSignDec 9e # PIN not required for key 9e
for s in 9a 9c 9d; do PIVSignDec $s 1; done
Expand All @@ -101,22 +104,44 @@ test_RSA2048() {
assertEquals 'openssl dgst verify' 0 $?
}

test_ECC256() {
for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ECCP256; done
test_RSA2048() {
rsa_tests RSA2048
}

test_RSA3072() {
rsa_tests RSA3072
}

test_RSA4096() {
rsa_tests RSA4096
}

ec_tests() {
for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" $1; done
YPT -a status
for s in 9a 9c 9e; do PIVSignDec $s 1 s; done # 9a/9c/9e only do the ECDSA
PIVSignDec 9d 1 d # 9d only do the ECDH
out=$(pkcs15-tool --reader "$RDID" --read-certificate 01 | openssl x509 -text)
assertContains 'CERT' "$out" 'CN = CertAtSlot9a'
for s in 9a 9c 9d 9e; do
if [[ $1 != "X25519" ]]; then PIVSignDec $s 1 s; fi
if [[ $1 != "ED25519" ]]; then PIVSignDec $s 1 d; fi
done
if [[ $1 != *25519 ]]; then
out=$(pkcs15-tool --reader "$RDID" --read-certificate 01 | openssl x509 -text)
assertContains 'CERT' "$out" 'CN = CertAtSlot9a'
out=$(pkcs15-tool --reader "$RDID" --read-certificate 02 | openssl x509 -text)
assertContains 'CERT' "$out" 'CN = CertAtSlot9c'
fi
}

test_ECC256() {
ec_tests ECCP256
}

test_ECC384() {
for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ECCP384; done
YPT -a status
for s in 9a 9c 9e; do PIVSignDec $s 1 s; done # 9a/9c/9e only do the ECDSA
PIVSignDec 9d 1 d # 9d only do the ECDH
out=$(pkcs15-tool --reader "$RDID" --read-certificate 02 | openssl x509 -text)
assertContains 'CERT' "$out" 'CN = CertAtSlot9c'
ec_tests ECCP384
}

test_25519() {
ec_tests ED25519
ec_tests X25519
}

test_PinBlock() {
Expand Down
Loading