// SPDX-FileCopyrightText: 2020 Google LLC
// SPDX-License-Identifier: Apache-2.0
package piv
import (
"io"
"math/bits"
"testing"
iso "cunicu.li/go-iso7816"
"cunicu.li/go-iso7816/devices/yubikey"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// TestLoginNeeded checks that loginNeeded reports true before the PIN has been
// verified and false once login with DefaultPIN has succeeded.
func TestLoginNeeded(t *testing.T) {
	// The version string is a constant, so the second result of ParseVersion
	// is discarded.
	// NOTE(review): the filter presumably limits this test to devices that
	// report at least version 4.3.0 — confirm against yubikey.HasVersion.
	minVersion, _ := iso.ParseVersion("4.3.0")
	filter := yubikey.HasVersion(minVersion)

	withCard(t, false, false, filter, func(t *testing.T, c *Card) {
		// Nothing has been verified yet on this transaction.
		assert.True(t, loginNeeded(c.tx), "Expected login needed")

		require.NoError(t, login(c.tx, DefaultPIN), "Failed to login")

		// After a successful login the card must stop asking for the PIN.
		require.False(t, loginNeeded(c.tx), "Expected no login needed")
	})
}
// TestPINRetries reads the retry counter from the card and checks that the
// reported value is at least 0 and below 15.
func TestPINRetries(t *testing.T) {
	check := func(t *testing.T, c *Card) {
		remaining, err := c.Retries()
		require.NoError(t, err, "Failed to get retries")

		// Upper bound first, then lower bound, so the first violated limit is
		// the one reported.
		require.Less(t, remaining, 15, "Invalid number of retries: %d", remaining)
		require.LessOrEqual(t, 0, remaining, "Invalid number of retries: %d", remaining)
	}

	withCard(t, false, false, nil, check)
}
// TestLogin checks that VerifyPIN accepts DefaultPIN on the card under test.
func TestLogin(t *testing.T) {
	withCard(t, false, false, nil, func(t *testing.T, c *Card) {
		require.NoError(t, c.VerifyPIN(DefaultPIN), "Failed to login")
	})
}
// TestAuthenticate checks that the card accepts DefaultManagementKey for
// management-key authentication.
func TestAuthenticate(t *testing.T) {
	withCard(t, false, false, nil, func(t *testing.T, c *Card) {
		assert.NoError(t, c.authenticate(DefaultManagementKey), "Failed to authenticate")
	})
}
// TestSetManagementKey replaces DefaultManagementKey with a random key,
// authenticates with the new key, and then restores DefaultManagementKey.
func TestSetManagementKey(t *testing.T) {
	withCard(t, false, false, nil, func(t *testing.T, c *Card) {
		// Fill a fresh key from the card's random source.
		var randomKey ManagementKey
		_, readErr := io.ReadFull(c.Rand, randomKey[:])
		require.NoError(t, readErr, "Failed to generate management key")

		// NOTE(review): the random key exists only in this test. If the test
		// aborts before the restore below, the card keeps a key nobody has
		// recorded — presumably withCard resets the card; confirm.
		require.NoError(t,
			c.SetManagementKey(DefaultManagementKey, randomKey),
			"Failed to set management key")

		// assert rather than require: a failure here must not skip the
		// restore of the default key that follows.
		assert.NoError(t,
			c.authenticate(randomKey),
			"Failed to authenticate with new management key")

		require.NoError(t,
			c.SetManagementKey(randomKey, DefaultManagementKey),
			"Failed to reset management key")
	})
}
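// TestUnblockPIN exhausts the PIN retry counter with a wrong PIN, then checks
// that Unblock with DefaultPUK restores DefaultPIN and that login works again.
//
// The test deliberately drives the PIN into the blocked state. If Unblock
// fails, the card is left blocked, so it should only be run against tokens
// that are dedicated to testing.
func TestUnblockPIN(t *testing.T) {
	// Cap on wrong-PIN attempts so a card that never reports zero retries
	// fails the test instead of hanging it until the go test timeout.
	// NOTE(review): 256 assumes the retry counter fits in one byte — confirm.
	const maxAttempts = 256

	withCard(t, false, false, nil, func(t *testing.T, c *Card) {
		badPIN := "0"

		blocked := false
		for attempt := 0; attempt < maxAttempts && !blocked; attempt++ {
			err := login(c.tx, badPIN)
			require.Error(t, err, "Login with bad pin succeeded")

			// Every failure must be an AuthError; its Retries field tells us
			// when the counter has been used up.
			var e AuthError
			require.ErrorAs(t, err, &e, "Error returned was not a wrong pin error")

			blocked = e.Retries == 0
		}
		require.True(t, blocked, "PIN retry counter did not reach zero after %d attempts", maxAttempts)

		err := c.Unblock(DefaultPUK, DefaultPIN)
		require.NoError(t, err, "Failed to unblock PIN")

		err = login(c.tx, DefaultPIN)
		assert.NoError(t, err, "Failed to login with pin after unblock")
	})
}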
// TestChangePIN checks that SetPIN rejects a wrong current PIN, accepts
// DefaultPIN as the current PIN, and can then restore DefaultPIN.
func TestChangePIN(t *testing.T) {
	withCard(t, false, false, nil, func(t *testing.T, c *Card) {
		const newPIN = "654321"

		// newPIN is not the card's current PIN, so this change must fail.
		assert.Error(t,
			c.SetPIN(newPIN, newPIN),
			"Successfully changed pin with invalid pin, expected error")

		require.NoError(t, c.SetPIN(DefaultPIN, newPIN), "Failed to change PIN")

		// Put the default back so later tests find the card as expected.
		require.NoError(t, c.SetPIN(newPIN, DefaultPIN), "Failed to reset PIN")
	})
}
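// TestChangePUK checks that SetPUK rejects a wrong current PUK, accepts
// DefaultPUK as the current PUK, and can then restore DefaultPUK.
func TestChangePUK(t *testing.T) {
	withCard(t, false, false, nil, func(t *testing.T, c *Card) {
		newPUK := "87654321"

		// newPUK is not the card's current PUK, so this change must fail.
		err := c.SetPUK(newPUK, newPUK)
		assert.Error(t, err, "Successfully changed puk with invalid puk, expected error")

		err = c.SetPUK(DefaultPUK, newPUK)
		require.NoError(t, err, "Failed to change PUK")

		// Put the default back so later tests find the card as expected.
		err = c.SetPUK(newPUK, DefaultPUK)
		require.NoError(t, err, "Failed to reset PUK")
	})
}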
// TestChangeManagementKey checks that SetManagementKey rejects a wrong current
// key, accepts DefaultManagementKey as the current key, and can then restore
// DefaultManagementKey. The replacement key is random with odd parity applied
// to every byte.
func TestChangeManagementKey(t *testing.T) {
	withCard(t, false, false, nil, func(t *testing.T, c *Card) {
		var candidate ManagementKey
		_, readErr := io.ReadFull(c.Rand, candidate[:])
		require.NoError(t, readErr, "Failed to generate new management key")

		// Force odd parity: any byte with an even number of set bits gets its
		// least significant bit flipped.
		for idx := range candidate {
			if bits.OnesCount8(candidate[idx])%2 == 0 {
				candidate[idx] ^= 1
			}
		}

		// candidate is not the card's current key, so this change must fail.
		assert.Error(t,
			c.SetManagementKey(candidate, candidate),
			"Successfully changed management key with invalid key, expected error")

		// NOTE(review): candidate exists only in this test. If the test aborts
		// before the restore below, the card keeps a key nobody has recorded —
		// presumably withCard resets the card; confirm.
		require.NoError(t,
			c.SetManagementKey(DefaultManagementKey, candidate),
			"Failed to change management key")

		require.NoError(t,
			c.SetManagementKey(candidate, DefaultManagementKey),
			"Failed to reset management key")
	})
}