Fix order of parameters in YubiHSM Auth CMD.

This also adds a test that verifies that the credential password works.
Yubico · Sep 21, 2023 · 880a7e2 · 880a7e2
1 parent cd22789
commit 880a7e2
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 5 deletions.
diff --git a/tests/device/cli/test_hsmauth.py b/tests/device/cli/test_hsmauth.py
@@ -4,12 +4,22 @@
 from cryptography.hazmat.primitives.asymmetric import ec
 
 from yubikit.management import CAPABILITY
+from yubikit.hsmauth import (
+    TAG_LABEL,
+    TAG_CONTEXT,
+    TAG_CREDENTIAL_PASSWORD,
+    INS_CALCULATE,
+    _parse_label,
+    _parse_credential_password,
+)
+from yubikit.core import Tlv
 from .. import condition
 
 import pytest
 import re
 import os
 import tempfile
+import struct
 
 DEFAULT_MANAGEMENT_KEY = "00000000000000000000000000000000"
 NON_DEFAULT_MANAGEMENT_KEY = "11111111111111111111111111111111"
@@ -49,13 +59,13 @@ def tmp_file():
 
 
 @pytest.fixture(autouse=True)
-@condition.capability(CAPABILITY.OATH)
+@condition.capability(CAPABILITY.HSMAUTH)
 @condition.min_version(5, 4, 3)
 def preconditions(ykman_cli):
     ykman_cli("hsmauth", "reset", "-f")
 
 
-class TestOATH:
+class TestHsmAuth:
     def test_hsmauth_info(self, ykman_cli):
         output = ykman_cli("hsmauth", "info").output
         assert "version:" in output
@@ -68,7 +78,27 @@ def test_hsmauth_reset(self, ykman_cli):
         )
 
 
+def calculate_session_keys_apdu(label, context, credential_password):
+    data = (
+        Tlv(TAG_LABEL, _parse_label(label))
+        + Tlv(TAG_CONTEXT, context)
+        + Tlv(TAG_CREDENTIAL_PASSWORD, _parse_credential_password(credential_password))
+    )
+
+    apdu = struct.pack("<BBBB", 0, INS_CALCULATE, 0, 0).hex()
+    apdu = apdu + ":" + data.hex() + "=9000"
+
+    return apdu
+
+
 class TestCredentials:
+    def verify_credential_password(self, ykman_cli, credential_password, label):
+        context = b"g\xfc\xf1\xfe\xb5\xf1\xd8\x83\xedv=\xbfI0\x90\xbb"
+        apdu = calculate_session_keys_apdu(label, context, credential_password)
+
+        # Try to calculate session keys using credential password
+        ykman_cli("apdu", "-a", "hsmauth", apdu)
+
     def test_import_credential_symmetric(self, ykman_cli):
         ykman_cli(
             "hsmauth",
@@ -84,6 +114,7 @@ def test_import_credential_symmetric(self, ykman_cli):
             "-m",
             DEFAULT_MANAGEMENT_KEY,
         )
+        self.verify_credential_password(ykman_cli, "123456", "test-name-sym")
         creds = ykman_cli("hsmauth", "credentials", "list").output
         assert "test-name-sym" in creds
 
@@ -99,7 +130,7 @@ def test_import_credential_symmetric_generate(self, ykman_cli):
             "-m",
             DEFAULT_MANAGEMENT_KEY,
         ).output
-
+        self.verify_credential_password(ykman_cli, "123456", "test-name-sym-gen")
         assert "Generated ENC and MAC keys" in output
 
     def test_import_credential_symmetric_derived(self, ykman_cli):
@@ -113,6 +144,7 @@ def test_import_credential_symmetric_derived(self, ykman_cli):
             "-d",
             "password",
         )
+        self.verify_credential_password(ykman_cli, "123456", "test-name-sym-derived")
         creds = ykman_cli("hsmauth", "credentials", "list").output
         assert "test-name-sym-derived" in creds
 

diff --git a/tests/device/test_hsmauth.py b/tests/device/test_hsmauth.py
@@ -96,6 +96,18 @@ def check_credential_in_list(self, session, credential: Credential):
         assert credential_retrieved.algorithm == credential.algorithm
         assert credential_retrieved.counter == INITIAL_RETRY_COUNTER
 
+    def verify_credential_password(
+        self, session, credential_password: str, credential: Credential
+    ):
+        context = b"g\xfc\xf1\xfe\xb5\xf1\xd8\x83\xedv=\xbfI0\x90\xbb"
+
+        # Try to calculate session keys using credential password
+        session.calculate_session_keys_symmetric(
+            label=credential.label,
+            context=context,
+            credential_password=credential_password,
+        )
+
     def test_import_credential_symmetric_wrong_management_key(self, session):
         with pytest.raises(InvalidPinError):
             import_key_derived(session, NON_DEFAULT_MANAGEMENT_KEY)
@@ -112,8 +124,9 @@ def test_import_credential_symmetric_exists(self, session):
             import_key_derived(session, DEFAULT_MANAGEMENT_KEY)
 
     def test_import_credential_symmetric_works(self, session):
-        credential = import_key_derived(session, DEFAULT_MANAGEMENT_KEY)
+        credential = import_key_derived(session, DEFAULT_MANAGEMENT_KEY, "1234")
 
+        self.verify_credential_password(session, "1234", credential)
         self.check_credential_in_list(session, credential)
 
         session.delete_credential(DEFAULT_MANAGEMENT_KEY, credential.label)

diff --git a/ykman/_cli/hsmauth.py b/ykman/_cli/hsmauth.py
@@ -529,7 +529,7 @@ def derive(ctx, label, derivation_password, credential_password, management_key,
 
     try:
         session.put_credential_derived(
-            management_key, label, credential_password, derivation_password, touch
+            management_key, label, derivation_password, credential_password, touch
         )
     except Exception as e:
         handle_credential_error(