From 5cce3a49b9b8169db23c31fbda0b1b00afff5c48 Mon Sep 17 00:00:00 2001
From: Dain Nilsson
Date: Tue, 18 Jun 2024 11:50:13 +0200
Subject: [PATCH] Fix tests

---
 tests/device/cli/conftest.py | 4 +
 tests/device/cli/test_hsmauth.py | 8 +-
 tests/device/cli/test_securitydomain.py | 231 ++++++++++++------------
 tests/device/test_hsmauth.py | 3 +-
 tests/device/test_securitydomain.py | 12 +-
 5 files changed, 130 insertions(+), 128 deletions(-)

diff --git a/tests/device/cli/conftest.py b/tests/device/cli/conftest.py
index c66e1fa8..532874e8 100644
--- a/tests/device/cli/conftest.py
+++ b/tests/device/cli/conftest.py
@@ -4,6 +4,9 @@
 from click.testing import CliRunner
 from functools import partial
 import pytest
+import logging
+
+logger = logging.getLogger(__name__)
 @pytest.fixture()
@@ -11,6 +14,7 @@ def ykman_cli(capsys, device, info):
     def _ykman_cli(*argv, **kwargs):
         runner = CliRunner(mix_stderr=False)
         with capsys.disabled():
+            logger.debug("CLI: ykman %r", argv)
             result = runner.invoke(cli, argv, obj={}, **kwargs)
             if result.exit_code != 0:
                 if isinstance(result.exception, CliFail):
diff --git a/tests/device/cli/test_hsmauth.py b/tests/device/cli/test_hsmauth.py
index 025c25da..fa46fd58 100644
--- a/tests/device/cli/test_hsmauth.py
+++ b/tests/device/cli/test_hsmauth.py
@@ -336,7 +336,7 @@ def test_change_management_password(self, ykman_cli, management_key):
             "-m",
             management_key,
             "-n",
-            management_key,
+            NON_DEFAULT_MANAGEMENT_KEY,
         )
         # Should succeed
@@ -347,10 +347,10 @@ def test_change_management_password(self, ykman_cli, management_key):
             "-m",
             NON_DEFAULT_MANAGEMENT_KEY,
             "-n",
-            management_key,
+            NON_DEFAULT_MANAGEMENT_KEY,
         )
-    @condition.check(lambda info: not info.pin_complexity)
+    @condition.check(lambda info: not info.pin_complexity, "PIN complexity")
     def test_change_management_key_generate(self, ykman_cli, management_key):
         if len(management_key) != 32:
             pytest.skip("string management key")
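Review bot: `logger.debug("CLI: ykman %r", argv)` records the complete argument vector, and in this same patch argv carries secrets — management keys after `-m`/`-n` in test_hsmauth.py, an SCP03 keyset after `--scp` and a PKCS#12 password after `--scp-password` in test_securitydomain.py — so any run with DEBUG logging enabled, or pytest's log capture shown on failure, copies them into console output and CI artifacts. The values in this suite are fixed test keys, but these are device tests and the habit of logging raw argv is how real key material ends up in logs. Mask the value that follows a secret-carrying flag before logging, as sketched below; the `ykman_cli` fixture that owns this line begins before the hunk and continues after it.
```python
_SECRET_FLAGS = {"-m", "-n", "--scp", "--scp-password"}


def _redact(argv):
    """Return argv with the value after any secret-carrying flag masked."""
    out, hide = [], False
    for arg in argv:
        out.append("***" if hide else arg)
        hide = arg in _SECRET_FLAGS
    return out
# … unchanged: fixture definition and CliRunner setup …
            logger.debug("CLI: ykman %r", _redact(argv))
```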
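Review bot: The second `change-management-key` call now passes `NON_DEFAULT_MANAGEMENT_KEY` as both `-m` and `-n`, so the step commented "Should succeed" sets the key to the value it already holds; it still shows the rotated key authenticates, but it no longer exercises a second rotation, and nothing says why the key is not rotated back to `management_key` as before. Presumably the default value is refused when PIN complexity is enforced (the same hunk gates a neighbouring test on `not info.pin_complexity`) and a fixture restores the key between tests, but neither is visible here. Record the intent on the line: `# Same value for -m and -n: the default key may be rejected under PIN complexity; the fixture restores it`. `test_change_management_password` begins before this hunk.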
@@ -373,5 +373,5 @@ def test_change_management_key_generate(self, ykman_cli, management_key):
             "-m",
             gen_key,
             "-n",
-            management_key,
+            NON_DEFAULT_MANAGEMENT_KEY,
         )
diff --git a/tests/device/cli/test_securitydomain.py b/tests/device/cli/test_securitydomain.py
index 046c7ef1..8e5eb843 100644
--- a/tests/device/cli/test_securitydomain.py
+++ b/tests/device/cli/test_securitydomain.py
@@ -1,4 +1,4 @@
-from yubikit.management import CAPABILITY
+from yubikit.core import TRANSPORT
 from yubikit.core.smartcard import ApduError
 from ykman.util import parse_certificates
 from .. import condition
@@ -9,128 +9,127 @@
 @pytest.fixture(autouse=True)
-@condition.capability(CAPABILITY.HSMAUTH)
 @condition.min_version(5, 7, 2)
-def preconditions(ykman_cli):
+def preconditions(info, transport, ykman_cli):
+    if info.is_fips and transport != TRANSPORT.USB:
+        pytest.skip("SCP management on YK FIPS over NFC")
     ykman_cli("sd", "reset", "-f")
-def test_replace_kvn(ykman_cli):
-    key = "01" * 16
-    keys = f"{key}:{key}:{key}"
+class TestKeyManagement:
+    def test_replace_kvn(self, ykman_cli):
+        key = "01" * 16
+        keys = f"{key}:{key}:{key}"
-    # Replace default SCP03 keyset
-    ykman_cli("--scp-sd", "1", "0", "sd", "keys", "import", "scp03", "2", keys)
+        # Replace default SCP03 keyset
+        ykman_cli("--scp-sd", "1", "0", "sd", "keys", "import", "scp03", "2", keys)
-    # Generate new SCP11a key
-    ykman_cli("--scp", keys, "sd", "keys", "generate", "scp11a", "3", "-")
+        # Generate new SCP11a key
+        ykman_cli("--scp", keys, "sd", "keys", "generate", "scp11a", "3", "-")
-    for i in range(3, 8):
-        ykman_cli(
-            "--scp",
-            keys,
-            "sd",
-            "keys",
-            "generate",
-            "scp11a",
-            str(i + 1),
-            "-r",
-            str(i),
-            "-",
-        )
+        for i in range(3, 8):
+            ykman_cli(
+                "--scp",
+                keys,
+                "sd",
+                "keys",
+                "generate",
+                "scp11a",
+                str(i + 1),
+                "-r",
+                str(i),
+                "-",
+            )
+    def test_scp11a(self, ykman_cli):
+        with pytest.raises(ValueError):
+            with open_file("scp/oce.pfx") as f:
+                ykman_cli("--scp", f.name, "--scp-password", "password", "sd", "info")
-def test_scp11a(ykman_cli):
-    with pytest.raises(ValueError):
+        key = "01" * 16
+        keys = f"{key}:{key}:{key}"
+
+        # Replace default SCP03 keyset
+        ykman_cli("--scp-sd", "1", "0", "sd", "keys", "import", "scp03", "2", keys)
+
+        # Delete SCP11b key, generate SCP11a key
+        ykman_cli("--scp", keys, "sd", "keys", "delete", "--force", "scp11b", "0")
+        ykman_cli("--scp", keys, "sd", "keys", "generate", "scp11a", "3", "-")
+
+        # Import OCE CA
+        with open_file("scp/cert.ca-kloc.ecdsa.pem") as f:
+            ykman_cli("--scp", keys, "sd", "keys", "import", "0x10", "3", f.name)
+
+        # Authenticate
         with open_file("scp/oce.pfx") as f:
-            ykman_cli("--scp", f.name, "--scp-password", "password", "sd", "info")
-
-    key = "01" * 16
-    keys = f"{key}:{key}:{key}"
-
-    # Replace default SCP03 keyset
-    ykman_cli("--scp-sd", "1", "0", "sd", "keys", "import", "scp03", "2", keys)
-
-    # Delete SCP11b key, generate SCP11a key
-    ykman_cli("--scp", keys, "sd", "keys", "delete", "--force", "scp11b", "0")
-    ykman_cli("--scp", keys, "sd", "keys", "generate", "scp11a", "3", "-")
-
-    # Import OCE CA
-    with open_file("scp/cert.ca-kloc.ecdsa.pem") as f:
-        ykman_cli("--scp", keys, "sd", "keys", "import", "0x10", "3", f.name)
-
-    # Authenticate
-    with open_file("scp/oce.pfx") as f:
-        certificates = parse_certificates(f.read(), b"password")
-        serials = [c.serial_number for c in certificates]
-
-        # Set to ok allowlist
-        ykman_cli(
-            "--scp",
-            f.name,
-            "--scp-password",
-            "password",
-            "sd",
-            "keys",
-            "set-allowlist",
-            "0x10",
-            "3",
-            *(str(s) for s in serials),
-        )
-
-        # Set bad allowlist
-        ykman_cli(
-            "--scp",
-            f.name,
-            "--scp-password",
-            "password",
-            "sd",
-            "keys",
-            "set-allowlist",
-            "0x10",
-            "3",
-            "123456789",
-        )
-
-        with pytest.raises(ApduError):
-            ykman_cli("--scp", f.name, "--scp-password", "password", "sd", "info")
-
-        # Remove allowlist
-        ykman_cli(
-            "--scp",
-            keys,
-            "sd",
-            "keys",
-            "set-allowlist",
-            "0x10",
-            "3",
-        )
-
-        ykman_cli(
-            "--scp",
-            f.name,
-            "--scp-password",
-            "password",
-            "--scp-oce",
-            "0x10",
-            "3",
-            "sd",
-            "keys",
-            "delete",
-            "--force",
-            "0x10",
-            "3",
-        )
-
-
-def test_scp11b_specify_kvn(ykman_cli):
-    ykman_cli("--scp-sd", "1", "0", "sd", "keys", "generate", "scp11b", "2", "-")
-    ykman_cli("--scp-sd", "0x13", "1", "sd", "info")
-    ykman_cli("--scp-sd", "0x13", "2", "sd", "info")
-
-
-def test_scp11b_export(ykman_cli):
-    ykman_cli("--scp-sd", "1", "0", "sd", "keys", "generate", "scp11b", "2", "-")
-    pem = ykman_cli("sd", "keys", "export", "scp11b", "2", "-").output.encode()
-
-    x509.load_pem_x509_certificate(pem)
+            certificates = parse_certificates(f.read(), b"password")
+            serials = [c.serial_number for c in certificates]
+
+            # Set to ok allowlist
+            ykman_cli(
+                "--scp",
+                f.name,
+                "--scp-password",
+                "password",
+                "sd",
+                "keys",
+                "set-allowlist",
+                "0x10",
+                "3",
+                *(str(s) for s in serials),
+            )
+
+            # Set bad allowlist
+            ykman_cli(
+                "--scp",
+                f.name,
+                "--scp-password",
+                "password",
+                "sd",
+                "keys",
+                "set-allowlist",
+                "0x10",
+                "3",
+                "123456789",
+            )
+
+            with pytest.raises(ApduError):
+                ykman_cli("--scp", f.name, "--scp-password", "password", "sd", "info")
+
+            # Remove allowlist
+            ykman_cli(
+                "--scp",
+                keys,
+                "sd",
+                "keys",
+                "set-allowlist",
+                "0x10",
+                "3",
+            )
+
+            ykman_cli(
+                "--scp",
+                f.name,
+                "--scp-password",
+                "password",
+                "--scp-oce",
+                "0x10",
+                "3",
+                "sd",
+                "keys",
+                "delete",
+                "--force",
+                "0x10",
+                "3",
+            )
+
+    def test_scp11b_specify_kvn(self, ykman_cli):
+        ykman_cli("--scp-sd", "1", "0", "sd", "keys", "generate", "scp11b", "2", "-")
+        ykman_cli("--scp-sd", "0x13", "1", "sd", "info")
+        ykman_cli("--scp-sd", "0x13", "2", "sd", "info")
+
+    def test_scp11b_export(self, ykman_cli):
+        ykman_cli("--scp-sd", "1", "0", "sd", "keys", "generate", "scp11b", "2", "-")
+        pem = ykman_cli("sd", "keys", "export", "scp11b", "2", "-").output.encode()
+
+        x509.load_pem_x509_certificate(pem)
diff --git a/tests/device/test_hsmauth.py b/tests/device/test_hsmauth.py
index 7df4fbfe..e780f386 100644
--- a/tests/device/test_hsmauth.py
+++ b/tests/device/test_hsmauth.py
@@ -232,10 +232,9 @@ def test_change_management_key(self, session, management_key):
         with pytest.raises(InvalidPinError):
             import_key_derived(session, management_key)
-        session.put_management_key(NON_DEFAULT_MANAGEMENT_KEY, management_key)
+        import_key_derived(session, NON_DEFAULT_MANAGEMENT_KEY)
     def test_management_key_retries(self, session, management_key):
-        session.put_management_key(management_key, management_key)
         initial_retries = session.get_management_key_retries()
         assert initial_retries == 8
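Review bot: `test_scp11a` ends immediately after deleting key `0x10`/`3` through the `--scp-oce`-authenticated session and never observes the effect, so a delete that is accepted but not applied would still pass, whereas the allowlist step just before it is verified with `pytest.raises(ApduError)`. If removing the CA-KLOC key is meant to revoke the OCE's access, mirror that check after the delete: `with pytest.raises(ApduError): ykman_cli("--scp", f.name, "--scp-password", "password", "sd", "info")` — confirm on hardware which exception the CLI surfaces for a rejected SCP11a handshake, since the first step of this test expects `ValueError` when no usable key exists. The new `preconditions` skip also states a situation rather than a reason; if the rationale is that FIPS keys refuse SCP key management over NFC, say so: `pytest.skip("YubiKey FIPS does not allow SCP key management over NFC")`. `preconditions` and `TestKeyManagement` lie entirely within the hunk; the module's imports and helpers above it do not.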
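Review bot: The new `import_key_derived(session, NON_DEFAULT_MANAGEMENT_KEY)` shows the rotated key authenticates but leaves the retry counter consumed by the preceding `InvalidPinError` attempt unchecked; `test_management_key_retries` below establishes the full count as 8. Add `assert session.get_management_key_retries() == 8` after the successful call to pin that a good authentication restores the counter (assuming the firmware resets it on success — confirm on hardware). With both `put_management_key` resets removed, `test_change_management_key` and `test_management_key_retries` now depend on a fixture restoring the management key between tests, which this hunk does not show. `test_change_management_key` starts before the hunk and `test_management_key_retries` continues after it.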
diff --git a/tests/device/test_securitydomain.py b/tests/device/test_securitydomain.py
index 49d43c35..bbd6cce5 100644
--- a/tests/device/test_securitydomain.py
+++ b/tests/device/test_securitydomain.py
@@ -46,9 +46,9 @@ def _verify_auth(sd):
 class TestScp03:
     @pytest.fixture(autouse=True)
-    @condition.transport(TRANSPORT.USB)
-    def preconditions(self):
-        pass
+    def preconditions(self, info, transport):
+        if info.is_fips and transport != TRANSPORT.USB:
+            pytest.skip("SCP management on YK FIPS over NFC")
     def test_ok(self, session):
         session.authenticate(Scp03KeyParams())
@@ -111,9 +111,9 @@ def _load_scp11_keys(session, kid, kvn):
 class TestScp11:
     @pytest.fixture(autouse=True)
-    @condition.transport(TRANSPORT.USB)
-    def preconditions(self):
-        pass
+    def preconditions(self, info, transport):
+        if info.is_fips and transport != TRANSPORT.USB:
+            pytest.skip("SCP management on YK FIPS over NFC")
     def test_scp11b_ok(self, session):
         ref = KeyRef(0x13, 0x1)
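Review bot: The FIPS-over-NFC skip added to `TestScp11.preconditions` is a verbatim copy of the one added to `TestScp03.preconditions` in the hunk above, and the same three lines appear a third time in `tests/device/cli/test_securitydomain.py` in this patch; if one copy drifts in condition or message, transport coverage silently diverges between the SCP03, SCP11 and CLI suites. The `condition` module already carries predicate decorators such as `@condition.check(predicate, reason)` and `@condition.min_version(...)` used elsewhere in the patch, so one shared gate — e.g. `@condition.check(lambda info, transport: not info.is_fips or transport == TRANSPORT.USB, "SCP management on YK FIPS over NFC")` if `check` can see the transport, or otherwise a module-level `skip_if_fips_nfc(info, transport)` helper — would keep the three fixtures in step. Dropping `@condition.transport(TRANSPORT.USB)` also means non-FIPS keys now run these classes over NFC, which a short fixture docstring such as `"""Skip only the FIPS/NFC combination; everything else runs on every transport."""` would make explicit.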