Merge pull request #103 from canokeys/feature/nfc_status_without_pin #1075
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: tests | |
on: [push, pull_request, workflow_dispatch] | |
jobs: | |
build_opensc: | |
name: Build opensc package | |
#if: github.event_name == 'workflow_dispatch' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Cache deb files | |
uses: actions/cache@v4 | |
env: | |
cache-name: tools-deb | |
with: | |
path: | | |
opensc*.deb | |
yubico-piv-tool*.deb | |
key: ${{ runner.os }}-${{ env.cache-name }} | |
- name: Check file existence | |
id: check_opensc | |
uses: andstor/file-existence-action@v1 | |
with: | |
files: "opensc*.deb" | |
- name: Check file existence | |
id: check_yubico_piv | |
uses: andstor/file-existence-action@v1 | |
with: | |
files: "yubico-piv-tool*.deb" | |
- name: Package Install | |
if: steps.check_opensc.outputs.files_exists == 'false' || steps.check_yubico_piv.outputs.files_exists == 'false' | |
run: | | |
sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list | |
sudo apt-get update | |
sudo apt-get install -q -y curl git gcc g++ cmake swig psmisc procps debian-keyring devscripts libpcsclite-dev check gengetopt help2man openssl zlib1g-dev | |
sudo apt-get build-dep -q -y opensc | |
sudo rm -f /usr/bin/clang-tidy | |
- name: Build opensc package | |
if: steps.check_opensc.outputs.files_exists == 'false' | |
run: | | |
dget http://archive.ubuntu.com/ubuntu/pool/universe/o/opensc/opensc_0.23.0-0.1ubuntu1.dsc | |
cd opensc-0.23.0 | |
curl https://github.com/OpenSC/OpenSC/commit/a0aef25c7f2ce0ec2c7e1014f959f0fe86ff0479.diff | patch -p1 | |
dch --local ppa~jammy --distribution jammy "Apply a patch. Backports to Jammy." | |
DEB_BUILD_OPTIONS='parallel=2' debuild --no-sign -b | |
- name: Build yubico-piv-tool package | |
if: steps.check_yubico_piv.outputs.files_exists == 'false' | |
run: | | |
set -x | |
git clone https://github.com/z4yx/yubico-piv-tool.git | |
cd yubico-piv-tool | |
mkdir build_dir; | |
pushd build_dir; cmake -DCMAKE_INSTALL_PREFIX=../debian/tmp/usr .. -B .; popd | |
make -C build_dir | |
pushd build_dir; cmake -P cmake_install.cmake; popd | |
mkdir debian/tmp/DEBIAN | |
dpkg-gencontrol -pyubico-piv-tool | |
dpkg --build debian/tmp build_dir/ | |
mv build_dir/yubico-piv-tool_*_amd64.deb .. | |
sudo apt install ../yubico-piv-tool_*_amd64.deb | |
- name: Upload package files | |
uses: actions/upload-artifact@v4 | |
with: | |
name: tools-deb | |
path: | | |
opensc*.deb | |
yubico-piv-tool*.deb | |
build_test: | |
name: Build and Test | |
runs-on: ubuntu-latest | |
needs: build_opensc | |
steps: | |
- name: Download backport OpenSC package | |
uses: actions/download-artifact@v4 | |
with: | |
name: tools-deb | |
- name: Package Install | |
run: | | |
sudo apt-add-repository ppa:yubico/stable | |
sudo apt-get update | |
sudo apt-get install -q -y git gcc g++ cmake swig psmisc procps pcscd pcsc-tools libhidapi-dev libassuan-dev libgcrypt20-dev libksba-dev libnpth0-dev libssl3 zlib1g libglib2.0-0 openssl openssh-server libpcsclite-dev libudev-dev libcmocka-dev python3-pip python3-setuptools python3-wheel lcov yubikey-manager libcbor-dev | |
sudo dpkg -i opensc*.deb yubico-piv-tool*.deb | |
pip3 install --upgrade pip | |
- name: Set up Go 1.16 | |
uses: actions/setup-go@v5 | |
with: | |
go-version: "^1.16.1" | |
id: go | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Check out piv-go | |
uses: actions/checkout@v4 | |
with: | |
repository: canokeys/piv-go | |
path: piv-go | |
- name: Cache GO Modules | |
uses: actions/cache@v4 | |
env: | |
cache-name: go_mod | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('./go.mod') }} | |
- name: Cache Patched GPG | |
uses: actions/cache@v4 | |
env: | |
cache-name: cache_gpg_binary | |
with: | |
path: gnupg | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('./test-via-pcsc/build_gpg.sh') }} | |
- name: Cache FIDO Tools | |
uses: actions/cache@v4 | |
env: | |
cache-name: cache_fido_tools | |
with: | |
path: | | |
u2f-ref-code | |
libfido2 | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('./test-via-pcsc/build_fido_tests.sh') }} | |
- name: Build Patched GPG | |
run: | | |
./test-via-pcsc/build_gpg.sh | |
gpg --version | |
- name: Build FIDO Tests | |
run: | | |
./test-via-pcsc/build_fido_tests.sh | |
sudo ldconfig | |
which fido2-token | |
ldd $(which fido2-token) | |
- name: Build for Test | |
run: | | |
mkdir build && pushd build | |
cmake .. -DENABLE_TESTS=ON -DENABLE_DEBUG_OUTPUT=ON -DCMAKE_BUILD_TYPE=Debug | |
make -j2 | |
- name: Setup a SSH Server | |
run: | | |
cat >/tmp/sshd_config <<EOF | |
StrictModes no | |
UsePAM no | |
Port 2200 | |
EOF | |
sudo /usr/sbin/sshd -f /tmp/sshd_config | |
- name: Smoking Tests | |
run: | | |
cd build | |
./test/test_apdu | |
./test/test_openpgp | |
./test/test_oath | |
./test/test_piv | |
- name: Start the pcscd | |
run: | | |
echo 0 >/tmp/canokey-test-up && echo 0 >/tmp/canokey-test-nfc # Emulate the USB mode | |
sudo killall -9 pcscd || true | |
sudo cp build/libu2f-virt-card.so /usr/local/lib/ | |
sudo cp test-via-pcsc/pcscd-reader.conf /etc/reader.conf.d/ | |
bash -c 'sudo LD_PRELOAD="$(gcc -print-file-name=libasan.so) $(gcc -print-file-name=libubsan.so)" pcscd -a -f >/tmp/pcscd.log &' | |
sleep 12 | |
timeout 1s pcsc_scan || true | |
go env -w GO111MODULE=on | |
sudo chmod 777 /tmp/canokey-* | |
sudo chown root:root /tmp/canokey-* | |
ls -l /tmp | |
- name: Test the Admin | |
run: go test -v test-via-pcsc/admin_test.go | |
- name: Test the NDEF | |
run: go test -v test-via-pcsc/ndef_test.go | |
- name: Test the FIDO2 | |
run: | | |
#echo 1 >/tmp/canokey-test-nfc # Emulate the NFC mode | |
#pushd test-real && ./test-libfido2.sh && popd | |
cd fido2-tests | |
#../build/fido-hid-over-udp & | |
git pull | |
~/.local/bin/pytest --color=yes --vendor canokeys --nfc tests/standard/ | |
~/.local/bin/pytest --color=yes --vendor canokeys --nfc tests/vendor/canokeys/ | |
#kill %1 | |
- name: Test the U2F | |
run: | | |
echo 0 | ./u2f-ref-code/u2f-tests/NFC/u2f_nfc_test -v | tee /tmp/u2f_nfc_test.log | |
test $(grep -c 'PASS(signCheckSignature(regReq, regRsp, authReq, authRsp, rapduLen))' /tmp/u2f_nfc_test.log) -eq 6 | |
- name: Test the ckman Utility | |
run: | | |
pip3 install canokey-manager | |
ckman --log-level DEBUG info | |
ckman oath accounts add steam1 HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ -i Steam | |
ckman oath accounts code | |
ckman openpgp info | |
ckman piv info | |
#ckman fido credentials list --pin 123456 | |
- name: Test the OATH | |
run: go test -v test-via-pcsc/oath_test.go | |
- name: Test the OpenPGP | |
# GPG requires a tty to work | |
shell: | | |
script -e -c "bash --noprofile --norc -eo pipefail {0}" | |
run: | | |
set -o xtrace | |
go test -v test-via-pcsc/openpgp_test.go | |
pkill gpg-agent || true | |
#echo 'enable-ssh-support' > ~/.gnupg/gpg-agent.conf | |
export SSH_AUTH_SOCK=`gpgconf --list-dirs agent-ssh-socket` | |
mkdir -p ~/.ssh /tmp/mock | |
python3 -c "import string;import random;print(''.join([random.choice(string.ascii_letters + string.digits) for n in range(1152)]),end='')" > /tmp/random.txt | |
echo 9876543210 >"/tmp/mock/Reset Code" | |
echo 12345678 >"/tmp/mock/Passphrase:" | |
echo 12345678 >"/tmp/mock/Admin PIN" | |
echo 123456 >"/tmp/mock/PIN" | |
echo -e 'Key-Type: 1\nKey-Length: 2048\nSubkey-Type: 1\nSubkey-Length: 2048\nName-Real: Someone\nName-Email: [email protected]\nPassphrase: 12345678\n%commit\n%echo done' | gpg --batch --gen-key | |
KEYID=$(gpg -K --with-colons |grep -P '^sec'|grep -oP '\w{16}') | |
Addkey() { echo -e "addkey\n$1\n$2\n0\nsave" | gpg --yes --expert --command-fd 0 --edit-key $KEYID; } | |
Key2card() { echo -e "key $1\nkeytocard\n$2\nsave" | gpg --yes --command-fd 0 --edit-key $KEYID; gpg --card-status; } | |
Addcardkey() { echo -e "addcardkey\n$1\n0\nsave\n" | gpg --expert --command-fd 0 --yes --edit-key $KEYID; } | |
ChangeUsage() { | |
SUBKEY=$(gpg -K --with-colons|awk -F: '$1~/ssb/ && $12~/a/ {print $5}'|tail -n 1) | |
echo -e "key $SUBKEY\nchange-usage\nS\nQ\ncross-certify\nsave" | gpg --yes --expert --command-fd 0 --edit-key $KEYID | |
} | |
GPGSign() { date -Iseconds | gpg --armor --default-key $(gpg -K --with-colons|awk -F: '$1~/ssb/ && $12~/s|a/ {print $5}'|tail -n 1)! -s|gpg; } | |
GPGEnc() { date -Iseconds | gpg --yes --armor --recipient $(gpg -K --with-colons | awk -F: '$1~/ssb/ && $12~/e/ {print $5}'|tail -n 1) --encrypt|gpg; } | |
GPGAuth() { | |
gpg -K --with-colons | awk -F: '$1~/ssb/ && $12~/s/{lg=NR+2} NR==lg{grip=$10} END{print grip}' >~/.gnupg/sshcontrol | |
ssh-add -L >~/.ssh/authorized_keys | |
ssh -v -p 2200 -o StrictHostKeyChecking=no -o PasswordAuthentication=no localhost id | |
} | |
SetUIF() { echo -e "admin\nuif $1 $2\nq" | gpg --yes --command-fd 0 --edit-card; } | |
UserChecked() { cnt=$((`cat /tmp/canokey-test-up`)); echo 0 >/tmp/canokey-test-up; [ $1 == $cnt ]; } | |
GPGReset() { echo -e 'admin\nfactory-reset\ny\nyes' | gpg --command-fd 0 --edit-card; } # clear all keys, no pin verification at all | |
echo 0 >/tmp/canokey-test-up && echo 0 >/tmp/canokey-test-nfc # Emulate the USB mode | |
gpg --card-status |grep -E 'UIF setting.+Sign=off Decrypt=off Auth=off' | |
echo -e 'admin\npasswd\n1\n3\n4\nq\nforcesig\nq' | gpg --yes --command-fd 0 --edit-card # change PIN,Admin PIN,Reset Code | |
Key2card 1 1 # key[1] to Signature key | |
echo 0 >/tmp/canokey-test-up | |
GPGSign | |
UserChecked 0 | |
SetUIF 1 on | |
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=off Auth=off' | |
GPGSign | |
UserChecked 1 | |
Addkey 12 3 # [2] ECDH P-256 encrypt key | |
Addkey 10 3 # [3] ECDSA P-256 sign key | |
Key2card 2 2 # key[2] to Encryption key | |
Key2card 3 3 # key[3] to Authentication key | |
echo 0 >/tmp/canokey-test-up | |
GPGAuth | |
UserChecked 0 | |
GPGEnc | |
UserChecked 0 | |
SetUIF 2 on | |
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=on Auth=off' | |
GPGEnc | |
UserChecked 1 | |
SetUIF 3 on | |
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=on Auth=on' | |
GPGAuth | |
UserChecked 1 | |
SetUIF 1 off | |
gpg --card-status |grep -E 'UIF setting.+Sign=off Decrypt=on Auth=on' | |
SetUIF 2 off | |
gpg --card-status |grep -E 'UIF setting.+Sign=off Decrypt=off Auth=on' | |
SetUIF 3 off | |
gpg --card-status |grep -E 'UIF setting.+Sign=off Decrypt=off Auth=off' | |
echo 0 >/tmp/canokey-test-up | |
GPGEnc | |
UserChecked 0 | |
SetUIF 1 permanent | |
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=off Auth=off' | |
SetUIF 2 permanent | |
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=on Auth=off' | |
SetUIF 3 permanent | |
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=on Auth=on' | |
SetUIF 3 off || true # can not revert a permanent setting | |
SetUIF 2 off || true # can not revert a permanent setting | |
SetUIF 1 off || true # can not revert a permanent setting | |
gpg --card-status |grep -E 'UIF setting.+Sign=on Decrypt=on Auth=on' | |
GPGEnc | |
UserChecked 1 | |
echo 1 >/tmp/canokey-test-nfc | |
GPGReset | |
gpg --card-status |grep -E 'Signature key.+none' | |
Addkey 4 2048 # [4] gen RSA2048 key | |
Key2card 4 3 # key[4] to Authentication key | |
Addkey 6 2048 # [5] gen RSA2048 key | |
Key2card 5 2 # key[5] to Encryption key | |
GPGAuth | |
GPGEnc | |
Addkey 10 3 # [6] gen ECDSA P-256 key | |
Key2card 6 1 # key[6] to Signature key | |
GPGSign | |
GPGReset | |
## 25519 key import | |
Addkey 12 1 # [7] cv25519 encrypt key | |
Addkey 10 1 # [8] ed25519 sign key | |
Key2card 7 2 # key[7] to Encryption key | |
Key2card 8 3 # key[8] to Authentication key | |
GPGAuth | |
GPGEnc | |
Addkey 10 1 # [9] ed25519 sign key | |
Key2card 9 1 # key[9] to Signature key | |
GPGSign | |
GPGReset | |
## RSA4096 key import | |
Addkey 4 4096 # [10] gen RSA4096 key | |
Key2card 10 3 # key[10] to Authentication key | |
Addkey 6 4096 # [11] gen RSA4096 key | |
Key2card 11 2 # key[11] to Encryption key | |
GPGAuth | |
GPGEnc | |
Addkey 4 4096 # [12] gen RSA4096 key | |
Key2card 12 1 # key[12] to Signature key | |
GPGSign | |
GPGReset | |
echo -e 'admin\nkey-attr\n2\n1\n2\n1\n2\n1\n' | gpg --command-fd 0 --yes --expert --edit-card | |
## RSA2048 generation on card | |
echo -e 'admin\nkey-attr\n1\n2048\n1\n2048\n1\n2048\n' | gpg --command-fd 0 --yes --expert --edit-card # key-attr set to RSA2048 | |
Addcardkey 1 # generate Signature key on card | |
Addcardkey 2 # generate Encryption key on card | |
GPGEnc | |
GPGSign | |
Addcardkey 3 # generate Authentication key on card | |
ChangeUsage | |
GPGAuth | |
GPGReset | |
## 25519 generation on card | |
echo -e 'admin\nkey-attr\n2\n1\n2\n1\n2\n1\n' | gpg --command-fd 0 --yes --expert --edit-card # key-attr set to 25519 | |
Addcardkey 1 # generate Signature key on card | |
Addcardkey 2 # generate Encryption key on card | |
GPGEnc | |
GPGSign | |
Addcardkey 3 # generate Authentication key on card | |
ChangeUsage | |
GPGAuth | |
GPGReset | |
## NIST P-256 generation on card | |
echo -e 'admin\nkey-attr\n2\n3\n2\n3\n2\n3\n' | gpg --command-fd 0 --yes --expert --edit-card # key-attr set to ECC P-256 | |
Addcardkey 1 # generate Signature key on card | |
Addcardkey 2 # generate Encryption key on card | |
GPGEnc | |
GPGSign | |
Addcardkey 3 # generate Authentication key on card | |
ChangeUsage | |
GPGAuth | |
echo -e 'admin\nwritecert 3 </tmp/random.txt\nquit' | gpg --yes --command-fd 0 --edit-card | |
gpgconf --kill gpg-agent # restart agent to clear cached info | |
echo -e 'readcert 3 >/tmp/random-read.txt\nquit' | gpg --yes --command-fd 0 --edit-card | |
diff /tmp/random-read.txt /tmp/random.txt | |
GPGReset | |
## NIST P-384 generation on card | |
echo -e 'admin\nkey-attr\n2\n4\n2\n4\n2\n4\n' | gpg --command-fd 0 --yes --expert --edit-card # key-attr set to ECC P-384 | |
Addcardkey 1 # generate Signature key on card | |
Addcardkey 2 # generate Encryption key on card | |
GPGEnc | |
GPGSign | |
Addcardkey 3 # generate Authentication key on card | |
ChangeUsage | |
GPGAuth | |
echo -e 'admin\nwritecert 3 </tmp/random.txt\nquit' | gpg --yes --command-fd 0 --edit-card | |
gpgconf --kill gpg-agent # restart agent to clear cached info | |
echo -e 'readcert 3 >/tmp/random-read.txt\nquit' | gpg --yes --command-fd 0 --edit-card | |
diff /tmp/random-read.txt /tmp/random.txt | |
GPGReset | |
## secp256k1 generation on card | |
echo -e 'admin\nkey-attr\n2\n9\n2\n9\n2\n9\n' | gpg --command-fd 0 --yes --expert --edit-card # key-attr set to ECC secp256k1 | |
Addcardkey 1 # generate Signature key on card | |
Addcardkey 2 # generate Encryption key on card | |
GPGEnc | |
GPGSign | |
Addcardkey 3 # generate Authentication key on card | |
ChangeUsage | |
# GPGAuth # ssh does not support secp256k1 | |
echo -e 'admin\nwritecert 3 </tmp/random.txt\nquit' | gpg --yes --command-fd 0 --edit-card | |
gpgconf --kill gpg-agent # restart agent to clear cached info | |
echo -e 'readcert 3 >/tmp/random-read.txt\nquit' | gpg --yes --command-fd 0 --edit-card | |
diff /tmp/random-read.txt /tmp/random.txt | |
GPGReset | |
# Fill this applet as much as possible | |
echo -e 'admin\nname\nTheFirstNameQQQQQQ\nTheLastNamePPPPPPPP\nlang\nlanguage\nsex\nm\nquit' | gpg --yes --command-fd 0 --edit-card | |
echo -e 'admin\nurl\nexample.com/111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\nquit' | gpg --yes --command-fd 0 --edit-card | |
echo -e 'admin\nlogin\naaaaaaaaaaaa000000000000000000000001111111111111111122222222222\nquit' | gpg --yes --command-fd 0 --edit-card | |
echo -e 'admin\ncafpr 2\n9914 B3B0 BF7E 3B12 DB72 8AC7 3695 10EC DF14 672E\ncafpr 1\nEC17 49B4 C512 6CD3 080C 85CA 0088 068F 1016 5897\ncafpr 3\nAC4D DD51 6C35 D8E2 7153 BB3B 4BD8 4023 BC79 46F0\nquit' | gpg --yes --command-fd 0 --edit-card | |
# Private DO 1/2 is not implemented | |
gpgconf --kill gpg-agent | |
go test -v test-via-pcsc/openpgp_test.go -run TestOpenPGPCerts | |
- name: Test the PIV | |
run: | | |
set -o xtrace | |
go test -v test-via-pcsc/piv_test.go | |
RDID="Canokey [OpenPGP PIV OATH] 00 00" | |
export PIV_EXT_AUTH_KEY=$PWD/test-via-pcsc/PIV_EXT_AUTH_KEY.txt | |
yubico-piv-tool -r "$RDID" -a status -a set-ccc -a set-chuid -a status | |
opensc-tool -r "$RDID" -s '00 F8 00 00' | grep 'SW1=0x90, SW2=0x00' # PIV_INS_GET_SERIAL, Yubico | |
opensc-tool -r "$RDID" -s '00 FD 00 00' | grep 'SW1=0x90, SW2=0x00' # PIV_INS_GET_VERSION, Yubico | |
pkcs15-tool --reader "$RDID" -D | |
# change the algorithm identifier of ED25519 | |
piv-tool --admin M:9B:03 -s '00 EE 02 00 07 01 22 05 51 52 53 54' | grep 'SW1=0x90, SW2=0x00' # PIV_INS_ALGORITHM_EXTENSION, Yubico | |
cd piv-go; go test -v ./piv --wipe-yubikey; cd - | |
piv-tool --admin M:9B:03 -s '00 EE 02 00 07 01 E0 05 16 E1 53 54' | grep 'SW1=0x90, SW2=0x00' # PIV_INS_ALGORITHM_EXTENSION, Yubico | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 123456 | |
yubico-piv-tool -r "$RDID" -a change-pin -P 123456 -N 654321 | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 654321 | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 123456 2>&1 | grep '2 tries left before pin is blocked.' | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 123456 2>&1 | grep '1 tries left before pin is blocked.' | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 654321 | |
yubico-piv-tool -r "$RDID" -a set-mgm-key -n F1F2F3F4F5F6F7F8F1F2F3F4F5F6F7F8F1F2F3F4F5F6F7F8 | |
yubico-piv-tool -r "$RDID" -a set-mgm-key --key=F1F2F3F4F5F6F7F8F1F2F3F4F5F6F7F8F1F2F3F4F5F6F7F8 -n 010203040506070801020304050607080102030405060708 | |
# opensc 0.22.0~0.23.0 has a bug on External Auth. See opensc commit: a0aef25c7f2ce0ec2c7e1014f959f0fe86ff0479 | |
piv-tool --reader "$RDID" --admin A:9B:03 # External Auth | |
piv-tool --reader "$RDID" --admin M:9B:03 # Mutual Auth | |
## Key generation | |
PIVGenKeyCert() { | |
key=$1 | |
subject="$2" | |
algo="$3" | |
yubico-piv-tool -r "$RDID" -a generate -A $algo -s $key >/tmp/pubkey-$key.pem # generate key at $key | |
if [[ "$algo" == "X25519" ]]; then return; fi | |
yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a selfsign-certificate -s $key -S "$subject" < /tmp/pubkey-$key.pem >/tmp/cert-$key.pem | |
yubico-piv-tool -r "$RDID" -a import-certificate -s $key < /tmp/cert-$key.pem | |
} | |
PIVSignDec() { | |
key=$1 | |
pinArgs= | |
op=$3 | |
algoArgs= | |
inp_file=/tmp/cert-$key.pem | |
if [[ -n "$2" ]]; then pinArgs="-P 654321 -a verify-pin"; fi | |
if [[ -n "$4" ]]; then algoArgs="-A $4"; fi | |
if [[ "$4" == X25519 ]]; then inp_file=/tmp/pubkey-$key.pem; fi | |
if [[ -z "$op" || s = "$op" ]]; then yubico-piv-tool -r "$RDID" $pinArgs -a test-signature -s $key < /tmp/cert-$key.pem; fi | |
if [[ -z "$op" || d = "$op" ]]; then yubico-piv-tool -r "$RDID" $pinArgs -a test-decipher -s $key $algoArgs < $inp_file; fi | |
} | |
## ED25519 tests | |
for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ED25519; done | |
yubico-piv-tool -r "$RDID" -a status | |
for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1 s; done | |
## X25519 tests | |
for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" X25519; done | |
yubico-piv-tool -r "$RDID" -a status | |
for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1 d X25519; done | |
## RSA tests | |
for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA3072; done | |
for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1; done | |
for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA4096; done | |
for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1; done | |
for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA2048; done | |
yubico-piv-tool -r "$RDID" -a status | |
PIVSignDec 9e # PIN not required for key 9e | |
for s in 9a 9c 9d 82 83; do PIVSignDec $s 1; done | |
pkcs15-tool --reader "$RDID" --read-certificate 04 | openssl x509 -text | grep 'CN = CertAtSlot9e' | |
echo -n hello >/tmp/hello.txt | |
pkcs11-tool --slot "$RDID" -d 04 -s -m SHA256-RSA-PKCS -i /tmp/hello.txt -o /tmp/hello-signed --pin 654321 | |
openssl dgst -sha256 -verify /tmp/pubkey-9e.pem -signature /tmp/hello-signed /tmp/hello.txt | |
## ECC256 tests | |
for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ECCP256; done | |
yubico-piv-tool -r "$RDID" -a status | |
for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1 s;PIVSignDec $s 1 d; done | |
## ECC384 tests | |
for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ECCP384; done | |
yubico-piv-tool -r "$RDID" -a status | |
for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1 s;PIVSignDec $s 1 d; done | |
## PIN unblock | |
yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s 9a < /tmp/cert-9a.pem | |
yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s 9c < /tmp/cert-9c.pem | |
yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-decipher -s 9d < /tmp/cert-9d.pem | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 222222 2>&1 | grep '2 tries left before pin is blocked.' | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 222222 2>&1 | grep '1 tries left before pin is blocked.' | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 222222 2>&1 | grep 'Pin code blocked' | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 654321 2>&1 | grep 'Pin code blocked' | |
yubico-piv-tool -r "$RDID" -a unblock-pin -P 12345678 -N 999999 2>&1 | grep 'Successfully unblocked the pin code' | |
yubico-piv-tool -r "$RDID" -a change-puk -P 12345678 -N 87654321 2>&1 | grep 'Successfully changed the puk code' | |
yubico-piv-tool -r "$RDID" -a unblock-pin -P 87654321 -N 654321 2>&1 | grep 'Successfully unblocked the pin code' | |
## Key import | |
openssl ecparam -name prime256v1 -out p256.pem | |
openssl req -x509 -newkey ec:p256.pem -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=www.example.com" | |
for s in 9a 9d 82 83; do | |
yubico-piv-tool -r "$RDID" -a import-key -s $s -i key.pem | |
yubico-piv-tool -r "$RDID" -a import-certificate -s $s -i cert.pem | |
yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s $s <cert.pem | |
done | |
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=www.example.com" | |
for s in 9c 9d 82 83; do | |
yubico-piv-tool -r "$RDID" -a import-key -s $s -i key.pem | |
yubico-piv-tool -r "$RDID" -a import-certificate -s $s -i cert.pem | |
yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s $s <cert.pem | |
done | |
## Factory reset | |
yubico-piv-tool -r "$RDID" -a change-puk -P 12345678 -N 11111111 2>&1 | grep 'Failed verifying puk code, now 2 tries left before blocked' | |
yubico-piv-tool -r "$RDID" -a change-puk -P 12345678 -N 11111111 2>&1 | grep 'Failed verifying puk code, now 1 tries left before blocked' | |
yubico-piv-tool -r "$RDID" -a change-puk -P 12345678 -N 11111111 2>&1 | grep 'The puk code is blocked' | |
yubico-piv-tool -r "$RDID" -a change-puk -P 87654321 -N 11111111 2>&1 | grep 'The puk code is blocked' | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 222222 2>&1 | grep '2 tries left before pin is blocked.' | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 222222 2>&1 | grep '1 tries left before pin is blocked.' | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 222222 2>&1 | grep 'Pin code blocked' | |
yubico-piv-tool -r "$RDID" -a reset | |
yubico-piv-tool -r "$RDID" -a unblock-pin -P 12345678 -N 654321 2>&1 | grep 'Successfully unblocked the pin code' | |
## Test long data object | |
yubico-piv-tool -r "$RDID" -a set-ccc -a set-chuid -a status | |
for s in 9a 9c 9d 9e 82 83; do | |
PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA4096 | |
yubico-piv-tool -r "$RDID" -a import-certificate -s $s -i test-via-pcsc/long-cert.pem | |
done | |
openssl rand -base64 -out /tmp/rand-pi 242 | |
openssl rand -base64 -out /tmp/rand-fig 508 | |
openssl rand -base64 -out /tmp/rand-face 508 | |
yubico-piv-tool -r "$RDID" -a write-object --id 0x5fc109 -i /tmp/rand-pi -f base64 | |
yubico-piv-tool -r "$RDID" -a read-object --id 0x5fc109 -o /tmp/read-pi 2>&1 | grep 'Failed fetching' | |
yubico-piv-tool -r "$RDID" -a write-object --id 0x5fc108 -i /tmp/rand-face -f base64 | |
yubico-piv-tool -r "$RDID" -a write-object --id 0x5fc103 -i /tmp/rand-fig -f base64 | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 654321 -a read-object --id 0x5fc103 -o /tmp/read-fig -f base64 | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 654321 -a read-object --id 0x5fc109 -o /tmp/read-pi -f base64 | |
yubico-piv-tool -r "$RDID" -a verify-pin -P 654321 -a read-object --id 0x5fc108 -o /tmp/read-face -f base64 | |
diff -s /tmp/rand-pi /tmp/read-pi | |
diff -s /tmp/rand-face /tmp/read-face | |
diff -s /tmp/rand-fig /tmp/read-fig | |
- name: Prepare the Test Coverage Report | |
run: | | |
go test test-via-pcsc/admin_test.go -v -run TestFSUsage | |
sudo killall pcscd || true # To flush the cov files | |
ls /tmp | |
sleep 2 | |
mkdir coverage | |
find build/ -name '*.gcda' | grep -P '/(canokey-crypto|virt-card|tinycbor|littlefs|interface)/' | xargs rm | |
lcov --base-directory . --directory . -c -o ./coverage/lcov.info | |
- name: Coveralls | |
uses: coverallsapp/github-action@master | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Upload log files | |
if: ${{ always() }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs | |
path: /tmp/*.log | |
- name: Upload data files | |
if: ${{ always() }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: data | |
path: /tmp/[lc][fe]* |