Fix tests
dainnilsson committed Jun 18, 2024
1 parent c5c8b80 commit 5cce3a4
Showing 5 changed files with 130 additions and 128 deletions.
4 changes: 4 additions & 0 deletions tests/device/cli/conftest.py
@@ -4,13 +4,17 @@
from click.testing import CliRunner
from functools import partial
import pytest
import logging

logger = logging.getLogger(__name__)


@pytest.fixture()
def ykman_cli(capsys, device, info):
def _ykman_cli(*argv, **kwargs):
runner = CliRunner(mix_stderr=False)
with capsys.disabled():
logger.debug("CLI: ykman %r", argv)
result = runner.invoke(cli, argv, obj={}, **kwargs)
if result.exit_code != 0:
if isinstance(result.exception, CliFail):
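Review bot: The added `logger.debug("CLI: ykman %r", argv)` in `_ykman_cli` writes the whole argument tuple to the log, and the callers visible on this page pass key material through it: management keys after `-m`/`-n`, SCP03 key sets after `--scp`, and the PFX passphrase after `--scp-password`. Those are fixture values here, but the helper gives no hint of that, so I would add a comment above the call, `# argv can carry keys and passwords; test fixtures only, keep this at DEBUG`, or mask the value that follows those options before logging. Anything forwarded through `kwargs` to `runner.invoke` is not logged, which is worth keeping that way if prompt input is passed there. `_ykman_cli` continues past the end of the hunk.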
8 changes: 4 additions & 4 deletions tests/device/cli/test_hsmauth.py
@@ -336,7 +336,7 @@ def test_change_management_password(self, ykman_cli, management_key):
"-m",
management_key,
"-n",
management_key,
NON_DEFAULT_MANAGEMENT_KEY,
)

# Should succeed
@@ -347,10 +347,10 @@ def test_change_management_password(self, ykman_cli, management_key):
"-m",
NON_DEFAULT_MANAGEMENT_KEY,
"-n",
management_key,
NON_DEFAULT_MANAGEMENT_KEY,
)

@condition.check(lambda info: not info.pin_complexity)
@condition.check(lambda info: not info.pin_complexity, "PIN complexity")
def test_change_management_key_generate(self, ykman_cli, management_key):
if len(management_key) != 32:
pytest.skip("string management key")
@@ -373,5 +373,5 @@ def test_change_management_key_generate(self, ykman_cli, management_key):
"-m",
gen_key,
"-n",
management_key,
NON_DEFAULT_MANAGEMENT_KEY,
)
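Review bot: As the page renders it, the last call in `test_change_management_password` now passes `NON_DEFAULT_MANAGEMENT_KEY` for both `-m` and `-n`, so it sets the key to itself and no longer exercises a change back to the fixture key; the `# Should succeed` comment that precedes it does not say this is intended. `test_change_management_key_generate` likewise ends on `NON_DEFAULT_MANAGEMENT_KEY`, so both tests leave the device on a key other than the one the `management_key` fixture supplies. If later tests depend on a reset performed by a fixture outside these hunks, record that next to the call, for example `# Device stays on NON_DEFAULT_MANAGEMENT_KEY; restored by the per-test reset (confirm)`. Both test bodies start outside the hunks shown.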
231 changes: 115 additions & 116 deletions tests/device/cli/test_securitydomain.py
@@ -1,4 +1,4 @@
from yubikit.management import CAPABILITY
from yubikit.core import TRANSPORT
from yubikit.core.smartcard import ApduError
from ykman.util import parse_certificates
from .. import condition
@@ -9,128 +9,127 @@


@pytest.fixture(autouse=True)
@condition.capability(CAPABILITY.HSMAUTH)
@condition.min_version(5, 7, 2)
def preconditions(ykman_cli):
def preconditions(info, transport, ykman_cli):
if info.is_fips and transport != TRANSPORT.USB:
pytest.skip("SCP management on YK FIPS over NFC")
ykman_cli("sd", "reset", "-f")


def test_replace_kvn(ykman_cli):
key = "01" * 16
keys = f"{key}:{key}:{key}"
class TestKeyManagement:
def test_replace_kvn(self, ykman_cli):
key = "01" * 16
keys = f"{key}:{key}:{key}"

# Replace default SCP03 keyset
ykman_cli("--scp-sd", "1", "0", "sd", "keys", "import", "scp03", "2", keys)
# Replace default SCP03 keyset
ykman_cli("--scp-sd", "1", "0", "sd", "keys", "import", "scp03", "2", keys)

# Generate new SCP11a key
ykman_cli("--scp", keys, "sd", "keys", "generate", "scp11a", "3", "-")
# Generate new SCP11a key
ykman_cli("--scp", keys, "sd", "keys", "generate", "scp11a", "3", "-")

for i in range(3, 8):
ykman_cli(
"--scp",
keys,
"sd",
"keys",
"generate",
"scp11a",
str(i + 1),
"-r",
str(i),
"-",
)
for i in range(3, 8):
ykman_cli(
"--scp",
keys,
"sd",
"keys",
"generate",
"scp11a",
str(i + 1),
"-r",
str(i),
"-",
)

def test_scp11a(self, ykman_cli):
with pytest.raises(ValueError):
with open_file("scp/oce.pfx") as f:
ykman_cli("--scp", f.name, "--scp-password", "password", "sd", "info")

def test_scp11a(ykman_cli):
with pytest.raises(ValueError):
key = "01" * 16
keys = f"{key}:{key}:{key}"

# Replace default SCP03 keyset
ykman_cli("--scp-sd", "1", "0", "sd", "keys", "import", "scp03", "2", keys)

# Delete SCP11b key, generate SCP11a key
ykman_cli("--scp", keys, "sd", "keys", "delete", "--force", "scp11b", "0")
ykman_cli("--scp", keys, "sd", "keys", "generate", "scp11a", "3", "-")

# Import OCE CA
with open_file("scp/cert.ca-kloc.ecdsa.pem") as f:
ykman_cli("--scp", keys, "sd", "keys", "import", "0x10", "3", f.name)

# Authenticate
with open_file("scp/oce.pfx") as f:
ykman_cli("--scp", f.name, "--scp-password", "password", "sd", "info")

key = "01" * 16
keys = f"{key}:{key}:{key}"

# Replace default SCP03 keyset
ykman_cli("--scp-sd", "1", "0", "sd", "keys", "import", "scp03", "2", keys)

# Delete SCP11b key, generate SCP11a key
ykman_cli("--scp", keys, "sd", "keys", "delete", "--force", "scp11b", "0")
ykman_cli("--scp", keys, "sd", "keys", "generate", "scp11a", "3", "-")

# Import OCE CA
with open_file("scp/cert.ca-kloc.ecdsa.pem") as f:
ykman_cli("--scp", keys, "sd", "keys", "import", "0x10", "3", f.name)

# Authenticate
with open_file("scp/oce.pfx") as f:
certificates = parse_certificates(f.read(), b"password")
serials = [c.serial_number for c in certificates]

# Set to ok allowlist
ykman_cli(
"--scp",
f.name,
"--scp-password",
"password",
"sd",
"keys",
"set-allowlist",
"0x10",
"3",
*(str(s) for s in serials),
)

# Set bad allowlist
ykman_cli(
"--scp",
f.name,
"--scp-password",
"password",
"sd",
"keys",
"set-allowlist",
"0x10",
"3",
"123456789",
)

with pytest.raises(ApduError):
ykman_cli("--scp", f.name, "--scp-password", "password", "sd", "info")

# Remove allowlist
ykman_cli(
"--scp",
keys,
"sd",
"keys",
"set-allowlist",
"0x10",
"3",
)

ykman_cli(
"--scp",
f.name,
"--scp-password",
"password",
"--scp-oce",
"0x10",
"3",
"sd",
"keys",
"delete",
"--force",
"0x10",
"3",
)


def test_scp11b_specify_kvn(ykman_cli):
ykman_cli("--scp-sd", "1", "0", "sd", "keys", "generate", "scp11b", "2", "-")
ykman_cli("--scp-sd", "0x13", "1", "sd", "info")
ykman_cli("--scp-sd", "0x13", "2", "sd", "info")


def test_scp11b_export(ykman_cli):
ykman_cli("--scp-sd", "1", "0", "sd", "keys", "generate", "scp11b", "2", "-")
pem = ykman_cli("sd", "keys", "export", "scp11b", "2", "-").output.encode()

x509.load_pem_x509_certificate(pem)
certificates = parse_certificates(f.read(), b"password")
serials = [c.serial_number for c in certificates]

# Set to ok allowlist
ykman_cli(
"--scp",
f.name,
"--scp-password",
"password",
"sd",
"keys",
"set-allowlist",
"0x10",
"3",
*(str(s) for s in serials),
)

# Set bad allowlist
ykman_cli(
"--scp",
f.name,
"--scp-password",
"password",
"sd",
"keys",
"set-allowlist",
"0x10",
"3",
"123456789",
)

with pytest.raises(ApduError):
ykman_cli("--scp", f.name, "--scp-password", "password", "sd", "info")

# Remove allowlist
ykman_cli(
"--scp",
keys,
"sd",
"keys",
"set-allowlist",
"0x10",
"3",
)

ykman_cli(
"--scp",
f.name,
"--scp-password",
"password",
"--scp-oce",
"0x10",
"3",
"sd",
"keys",
"delete",
"--force",
"0x10",
"3",
)

def test_scp11b_specify_kvn(self, ykman_cli):
ykman_cli("--scp-sd", "1", "0", "sd", "keys", "generate", "scp11b", "2", "-")
ykman_cli("--scp-sd", "0x13", "1", "sd", "info")
ykman_cli("--scp-sd", "0x13", "2", "sd", "info")

def test_scp11b_export(self, ykman_cli):
ykman_cli("--scp-sd", "1", "0", "sd", "keys", "generate", "scp11b", "2", "-")
pem = ykman_cli("sd", "keys", "export", "scp11b", "2", "-").output.encode()

x509.load_pem_x509_certificate(pem)
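Review bot: The guard added to `preconditions`, `if info.is_fips and transport != TRANSPORT.USB: pytest.skip(...)`, is repeated verbatim in `TestScp03.preconditions` and `TestScp11.preconditions` in tests/device/test_securitydomain.py, so the same rule now lives in three places. The other skips visible on this page go through `condition` decorators, and one shared helper or fixture would keep the copies from drifting apart. The skip message names the combination but not the reason; a comment such as `# SCP key management is assumed to be refused on FIPS devices over NFC (confirm)` would make the intent reviewable. If that refusal is a security property of the device, a test that asserts the refusal would pin it, whereas a skip leaves it unchecked.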
3 changes: 1 addition & 2 deletions tests/device/test_hsmauth.py
@@ -232,10 +232,9 @@ def test_change_management_key(self, session, management_key):
with pytest.raises(InvalidPinError):
import_key_derived(session, management_key)

session.put_management_key(NON_DEFAULT_MANAGEMENT_KEY, management_key)
import_key_derived(session, NON_DEFAULT_MANAGEMENT_KEY)

def test_management_key_retries(self, session, management_key):
session.put_management_key(management_key, management_key)
initial_retries = session.get_management_key_retries()
assert initial_retries == 8

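Review bot: `assert initial_retries == 8` in `test_management_key_retries` now depends on the state the previous test left behind, because the `session.put_management_key(management_key, management_key)` call that preceded it appears to be one of the two deleted lines. `test_change_management_key` just above provokes an `InvalidPinError` and, with its restoring `put_management_key` call apparently removed as well, ends on `NON_DEFAULT_MANAGEMENT_KEY`. If the `session` fixture resets the applet for every test this is fine, but that is not visible here; a comment such as `# session fixture resets the applet, so the retry counter starts at 8 (confirm)` would record the assumption. Both test bodies extend beyond the hunk.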
12 changes: 6 additions & 6 deletions tests/device/test_securitydomain.py
@@ -46,9 +46,9 @@ def _verify_auth(sd):

class TestScp03:
@pytest.fixture(autouse=True)
@condition.transport(TRANSPORT.USB)
def preconditions(self):
pass
def preconditions(self, info, transport):
if info.is_fips and transport != TRANSPORT.USB:
pytest.skip("SCP management on YK FIPS over NFC")

def test_ok(self, session):
session.authenticate(Scp03KeyParams())
@@ -111,9 +111,9 @@ def _load_scp11_keys(session, kid, kvn):

class TestScp11:
@pytest.fixture(autouse=True)
@condition.transport(TRANSPORT.USB)
def preconditions(self):
pass
def preconditions(self, info, transport):
if info.is_fips and transport != TRANSPORT.USB:
pytest.skip("SCP management on YK FIPS over NFC")

def test_scp11b_ok(self, session):
ref = KeyRef(0x13, 0x1)
