1#!/bin/sh -ex 2 3# Copyright (c) 2021-2022 Yubico AB. All rights reserved. 4# Use of this source code is governed by a BSD-style 5# license that can be found in the LICENSE file. 6# SPDX-License-Identifier: BSD-2-Clause 7 8# usage: ./test.sh "$(mktemp -d fido2test-XXXXXXXX)" device 9 10# Please note that this test script: 11# - is incomplete; 12# - assumes CTAP 2.1-like hmac-secret; 13# - should pass as-is on a YubiKey with a PIN set; 14# - may otherwise require set +e above; 15# - can be executed with UV=1 to run additional UV tests; 16# - was last tested on 2022-01-11 with firmware 5.4.3. 17 18cd "$1" 19DEV="$2" 20TYPE="es256" 21#TYPE="es384" 22#TYPE="eddsa" 23 24make_cred() { 25 sed /^$/d > cred_param << EOF 26$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64) 27$1 28some user name 29$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64) 30EOF 31 fido2-cred -M $2 "${DEV}" "${TYPE}" > "$3" < cred_param 32} 33 34verify_cred() { 35 fido2-cred -V $1 "${TYPE}" > cred_out < "$2" 36 head -1 cred_out > "$3" 37 tail -n +2 cred_out > "$4" 38} 39 40get_assert() { 41 sed /^$/d > assert_param << EOF 42$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64) 43$1 44$(cat $3) 45$(cat $4) 46EOF 47 fido2-assert -G $2 "${DEV}" > "$5" < assert_param 48} 49 50verify_assert() { 51 fido2-assert -V $1 "$2" "${TYPE}" < "$3" 52} 53 54dd if=/dev/urandom bs=32 count=1 | base64 > hmac-salt 55 56# u2f 57if [ "x${TYPE}" = "xes256" ]; then 58 make_cred no.tld "-u" u2f 59 ! make_cred no.tld "-ru" /dev/null 60 ! make_cred no.tld "-uc1" /dev/null 61 ! make_cred no.tld "-uc2" /dev/null 62 verify_cred "--" u2f u2f-cred u2f-pubkey 63 ! verify_cred "-h" u2f /dev/null /dev/null 64 ! verify_cred "-v" u2f /dev/null /dev/null 65 verify_cred "-c0" u2f /dev/null /dev/null 66 ! verify_cred "-c1" u2f /dev/null /dev/null 67 ! verify_cred "-c2" u2f /dev/null /dev/null 68 ! verify_cred "-c3" u2f /dev/null /dev/null 69fi 70 71# wrap (non-resident) 72make_cred no.tld "--" wrap 73verify_cred "--" wrap wrap-cred wrap-pubkey 74! verify_cred "-h" wrap /dev/null /dev/null 75! verify_cred "-v" wrap /dev/null /dev/null 76verify_cred "-c0" wrap /dev/null /dev/null 77! verify_cred "-c1" wrap /dev/null /dev/null 78! verify_cred "-c2" wrap /dev/null /dev/null 79! verify_cred "-c3" wrap /dev/null /dev/null 80 81# wrap (non-resident) + hmac-secret 82make_cred no.tld "-h" wrap-hs 83! verify_cred "--" wrap-hs /dev/null /dev/null 84verify_cred "-h" wrap-hs wrap-hs-cred wrap-hs-pubkey 85! verify_cred "-v" wrap-hs /dev/null /dev/null 86verify_cred "-hc0" wrap-hs /dev/null /dev/null 87! verify_cred "-c0" wrap-hs /dev/null /dev/null 88! verify_cred "-c1" wrap-hs /dev/null /dev/null 89! verify_cred "-c2" wrap-hs /dev/null /dev/null 90! verify_cred "-c3" wrap-hs /dev/null /dev/null 91 92# resident 93make_cred no.tld "-r" rk 94verify_cred "--" rk rk-cred rk-pubkey 95! verify_cred "-h" rk /dev/null /dev/null 96! verify_cred "-v" rk /dev/null /dev/null 97verify_cred "-c0" rk /dev/null /dev/null 98! verify_cred "-c1" rk /dev/null /dev/null 99! verify_cred "-c2" rk /dev/null /dev/null 100! verify_cred "-c3" rk /dev/null /dev/null 101 102# resident + hmac-secret 103make_cred no.tld "-hr" rk-hs 104! verify_cred "--" rk-hs rk-hs-cred rk-hs-pubkey 105verify_cred "-h" rk-hs /dev/null /dev/null 106! verify_cred "-v" rk-hs /dev/null /dev/null 107verify_cred "-hc0" rk-hs /dev/null /dev/null 108! verify_cred "-c0" rk-hs /dev/null /dev/null 109! verify_cred "-c1" rk-hs /dev/null /dev/null 110! verify_cred "-c2" rk-hs /dev/null /dev/null 111! verify_cred "-c3" rk-hs /dev/null /dev/null 112 113# u2f 114if [ "x${TYPE}" = "xes256" ]; then 115 get_assert no.tld "-u" u2f-cred /dev/null u2f-assert 116 ! get_assert no.tld "-u -t up=false" u2f-cred /dev/null /dev/null 117 verify_assert "--" u2f-pubkey u2f-assert 118 verify_assert "-p" u2f-pubkey u2f-assert 119fi 120 121# wrap (non-resident) 122get_assert no.tld "--" wrap-cred /dev/null wrap-assert 123verify_assert "--" wrap-pubkey wrap-assert 124get_assert no.tld "-t pin=true" wrap-cred /dev/null wrap-assert 125verify_assert "--" wrap-pubkey wrap-assert 126verify_assert "-v" wrap-pubkey wrap-assert 127get_assert no.tld "-t pin=false" wrap-cred /dev/null wrap-assert 128verify_assert "--" wrap-pubkey wrap-assert 129get_assert no.tld "-t up=true" wrap-cred /dev/null wrap-assert 130verify_assert "-p" wrap-pubkey wrap-assert 131get_assert no.tld "-t up=true -t pin=true" wrap-cred /dev/null wrap-assert 132verify_assert "--" wrap-pubkey wrap-assert 133verify_assert "-p" wrap-pubkey wrap-assert 134verify_assert "-v" wrap-pubkey wrap-assert 135verify_assert "-pv" wrap-pubkey wrap-assert 136get_assert no.tld "-t up=true -t pin=false" wrap-cred /dev/null wrap-assert 137verify_assert "--" wrap-pubkey wrap-assert 138verify_assert "-p" wrap-pubkey wrap-assert 139get_assert no.tld "-t up=false" wrap-cred /dev/null wrap-assert 140verify_assert "--" wrap-pubkey wrap-assert 141! verify_assert "-p" wrap-pubkey wrap-assert 142get_assert no.tld "-t up=false -t pin=true" wrap-cred /dev/null wrap-assert 143! verify_assert "-p" wrap-pubkey wrap-assert 144verify_assert "-v" wrap-pubkey wrap-assert 145! verify_assert "-pv" wrap-pubkey wrap-assert 146get_assert no.tld "-t up=false -t pin=false" wrap-cred /dev/null wrap-assert 147! verify_assert "-p" wrap-pubkey wrap-assert 148get_assert no.tld "-h" wrap-cred hmac-salt wrap-assert 149! verify_assert "--" wrap-pubkey wrap-assert 150verify_assert "-h" wrap-pubkey wrap-assert 151get_assert no.tld "-h -t pin=true" wrap-cred hmac-salt wrap-assert 152! verify_assert "--" wrap-pubkey wrap-assert 153verify_assert "-h" wrap-pubkey wrap-assert 154verify_assert "-hv" wrap-pubkey wrap-assert 155get_assert no.tld "-h -t pin=false" wrap-cred hmac-salt wrap-assert 156! verify_assert "--" wrap-pubkey wrap-assert 157verify_assert "-h" wrap-pubkey wrap-assert 158get_assert no.tld "-h -t up=true" wrap-cred hmac-salt wrap-assert 159! verify_assert "--" wrap-pubkey wrap-assert 160verify_assert "-h" wrap-pubkey wrap-assert 161verify_assert "-hp" wrap-pubkey wrap-assert 162get_assert no.tld "-h -t up=true -t pin=true" wrap-cred hmac-salt wrap-assert 163! verify_assert "--" wrap-pubkey wrap-assert 164verify_assert "-h" wrap-pubkey wrap-assert 165verify_assert "-hp" wrap-pubkey wrap-assert 166verify_assert "-hv" wrap-pubkey wrap-assert 167verify_assert "-hpv" wrap-pubkey wrap-assert 168get_assert no.tld "-h -t up=true -t pin=false" wrap-cred hmac-salt wrap-assert 169! verify_assert "--" wrap-pubkey wrap-assert 170verify_assert "-h" wrap-pubkey wrap-assert 171verify_assert "-hp" wrap-pubkey wrap-assert 172! get_assert no.tld "-h -t up=false" wrap-cred hmac-salt wrap-assert 173! get_assert no.tld "-h -t up=false -t pin=true" wrap-cred hmac-salt wrap-assert 174! get_assert no.tld "-h -t up=false -t pin=false" wrap-cred hmac-salt wrap-assert 175 176if [ "x${UV}" != "x" ]; then 177 get_assert no.tld "-t uv=true" wrap-cred /dev/null wrap-assert 178 verify_assert "-v" wrap-pubkey wrap-assert 179 get_assert no.tld "-t uv=true -t pin=true" wrap-cred /dev/null wrap-assert 180 verify_assert "-v" wrap-pubkey wrap-assert 181 get_assert no.tld "-t uv=true -t pin=false" wrap-cred /dev/null wrap-assert 182 verify_assert "-v" wrap-pubkey wrap-assert 183 get_assert no.tld "-t uv=false" wrap-cred /dev/null wrap-assert 184 verify_assert "--" wrap-pubkey wrap-assert 185 get_assert no.tld "-t uv=false -t pin=true" wrap-cred /dev/null wrap-assert 186 verify_assert "-v" wrap-pubkey wrap-assert 187 get_assert no.tld "-t uv=false -t pin=false" wrap-cred /dev/null wrap-assert 188 verify_assert "--" wrap-pubkey wrap-assert 189 get_assert no.tld "-t up=true -t uv=true" wrap-cred /dev/null wrap-assert 190 verify_assert "-pv" wrap-pubkey wrap-assert 191 get_assert no.tld "-t up=true -t uv=true -t pin=true" wrap-cred /dev/null wrap-assert 192 verify_assert "-pv" wrap-pubkey wrap-assert 193 get_assert no.tld "-t up=true -t uv=true -t pin=false" wrap-cred /dev/null wrap-assert 194 verify_assert "-pv" wrap-pubkey wrap-assert 195 get_assert no.tld "-t up=true -t uv=false" wrap-cred /dev/null wrap-assert 196 verify_assert "-p" wrap-pubkey wrap-assert 197 get_assert no.tld "-t up=true -t uv=false -t pin=true" wrap-cred /dev/null wrap-assert 198 verify_assert "-pv" wrap-pubkey wrap-assert 199 get_assert no.tld "-t up=true -t uv=false -t pin=false" wrap-cred /dev/null wrap-assert 200 verify_assert "-p" wrap-pubkey wrap-assert 201 get_assert no.tld "-t up=false -t uv=true" wrap-cred /dev/null wrap-assert 202 verify_assert "-v" wrap-pubkey wrap-assert 203 get_assert no.tld "-t up=false -t uv=true -t pin=true" wrap-cred /dev/null wrap-assert 204 verify_assert "-v" wrap-pubkey wrap-assert 205 get_assert no.tld "-t up=false -t uv=true -t pin=false" wrap-cred /dev/null wrap-assert 206 verify_assert "-v" wrap-pubkey wrap-assert 207 get_assert no.tld "-t up=false -t uv=false" wrap-cred /dev/null wrap-assert 208 ! verify_assert "--" wrap-pubkey wrap-assert 209 get_assert no.tld "-t up=false -t uv=false -t pin=true" wrap-cred /dev/null wrap-assert 210 verify_assert "-v" wrap-pubkey wrap-assert 211 get_assert no.tld "-t up=false -t uv=false -t pin=false" wrap-cred /dev/null wrap-assert 212 ! verify_assert "--" wrap-pubkey wrap-assert 213 get_assert no.tld "-h -t uv=true" wrap-cred hmac-salt wrap-assert 214 verify_assert "-hv" wrap-pubkey wrap-assert 215 get_assert no.tld "-h -t uv=true -t pin=true" wrap-cred hmac-salt wrap-assert 216 verify_assert "-hv" wrap-pubkey wrap-assert 217 get_assert no.tld "-h -t uv=true -t pin=false" wrap-cred hmac-salt wrap-assert 218 verify_assert "-hv" wrap-pubkey wrap-assert 219 get_assert no.tld "-h -t uv=false" wrap-cred hmac-salt wrap-assert 220 verify_assert "-h" wrap-pubkey wrap-assert 221 get_assert no.tld "-h -t uv=false -t pin=true" wrap-cred hmac-salt wrap-assert 222 verify_assert "-hv" wrap-pubkey wrap-assert 223 get_assert no.tld "-h -t uv=false -t pin=false" wrap-cred hmac-salt wrap-assert 224 verify_assert "-h" wrap-pubkey wrap-assert 225 get_assert no.tld "-h -t up=true -t uv=true" wrap-cred hmac-salt wrap-assert 226 verify_assert "-hpv" wrap-pubkey wrap-assert 227 get_assert no.tld "-h -t up=true -t uv=true -t pin=true" wrap-cred hmac-salt wrap-assert 228 verify_assert "-hpv" wrap-pubkey wrap-assert 229 get_assert no.tld "-h -t up=true -t uv=true -t pin=false" wrap-cred hmac-salt wrap-assert 230 verify_assert "-hpv" wrap-pubkey wrap-assert 231 get_assert no.tld "-h -t up=true -t uv=false" wrap-cred hmac-salt wrap-assert 232 verify_assert "-hp" wrap-pubkey wrap-assert 233 get_assert no.tld "-h -t up=true -t uv=false -t pin=true" wrap-cred hmac-salt wrap-assert 234 verify_assert "-hpv" wrap-pubkey wrap-assert 235 get_assert no.tld "-h -t up=true -t uv=false -t pin=false" wrap-cred hmac-salt wrap-assert 236 verify_assert "-hp" wrap-pubkey wrap-assert 237 ! get_assert no.tld "-h -t up=false -t uv=true" wrap-cred hmac-salt wrap-assert 238 ! get_assert no.tld "-h -t up=false -t uv=true -t pin=true" wrap-cred hmac-salt wrap-assert 239 ! get_assert no.tld "-h -t up=false -t uv=true -t pin=false" wrap-cred hmac-salt wrap-assert 240 ! get_assert no.tld "-h -t up=false -t uv=false" wrap-cred hmac-salt wrap-assert 241 ! get_assert no.tld "-h -t up=false -t uv=false -t pin=true" wrap-cred hmac-salt wrap-assert 242 ! get_assert no.tld "-h -t up=false -t uv=false -t pin=false" wrap-cred hmac-salt wrap-assert 243fi 244 245# resident 246get_assert no.tld "-r" /dev/null /dev/null wrap-assert 247get_assert no.tld "-r -t pin=true" /dev/null /dev/null wrap-assert 248get_assert no.tld "-r -t pin=false" /dev/null /dev/null wrap-assert 249get_assert no.tld "-r -t up=true" /dev/null /dev/null wrap-assert 250get_assert no.tld "-r -t up=true -t pin=true" /dev/null /dev/null wrap-assert 251get_assert no.tld "-r -t up=true -t pin=false" /dev/null /dev/null wrap-assert 252get_assert no.tld "-r -t up=false" /dev/null /dev/null wrap-assert 253get_assert no.tld "-r -t up=false -t pin=true" /dev/null /dev/null wrap-assert 254get_assert no.tld "-r -t up=false -t pin=false" /dev/null /dev/null wrap-assert 255get_assert no.tld "-r -h" /dev/null hmac-salt wrap-assert 256get_assert no.tld "-r -h -t pin=true" /dev/null hmac-salt wrap-assert 257get_assert no.tld "-r -h -t pin=false" /dev/null hmac-salt wrap-assert 258get_assert no.tld "-r -h -t up=true" /dev/null hmac-salt wrap-assert 259get_assert no.tld "-r -h -t up=true -t pin=true" /dev/null hmac-salt wrap-assert 260get_assert no.tld "-r -h -t up=true -t pin=false" /dev/null hmac-salt wrap-assert 261! get_assert no.tld "-r -h -t up=false" /dev/null hmac-salt wrap-assert 262! get_assert no.tld "-r -h -t up=false -t pin=true" /dev/null hmac-salt wrap-assert 263! get_assert no.tld "-r -h -t up=false -t pin=false" /dev/null hmac-salt wrap-assert 264 265if [ "x${UV}" != "x" ]; then 266 get_assert no.tld "-r -t uv=true" /dev/null /dev/null wrap-assert 267 get_assert no.tld "-r -t uv=true -t pin=true" /dev/null /dev/null wrap-assert 268 get_assert no.tld "-r -t uv=true -t pin=false" /dev/null /dev/null wrap-assert 269 get_assert no.tld "-r -t uv=false" /dev/null /dev/null wrap-assert 270 get_assert no.tld "-r -t uv=false -t pin=true" /dev/null /dev/null wrap-assert 271 get_assert no.tld "-r -t uv=false -t pin=false" /dev/null /dev/null wrap-assert 272 get_assert no.tld "-r -t up=true -t uv=true" /dev/null /dev/null wrap-assert 273 get_assert no.tld "-r -t up=true -t uv=true -t pin=true" /dev/null /dev/null wrap-assert 274 get_assert no.tld "-r -t up=true -t uv=true -t pin=false" /dev/null /dev/null wrap-assert 275 get_assert no.tld "-r -t up=true -t uv=false" /dev/null /dev/null wrap-assert 276 get_assert no.tld "-r -t up=true -t uv=false -t pin=true" /dev/null /dev/null wrap-assert 277 get_assert no.tld "-r -t up=true -t uv=false -t pin=false" /dev/null /dev/null wrap-assert 278 get_assert no.tld "-r -t up=false -t uv=true" /dev/null /dev/null wrap-assert 279 get_assert no.tld "-r -t up=false -t uv=true -t pin=true" /dev/null /dev/null wrap-assert 280 get_assert no.tld "-r -t up=false -t uv=true -t pin=false" /dev/null /dev/null wrap-assert 281 get_assert no.tld "-r -t up=false -t uv=false" /dev/null /dev/null wrap-assert 282 get_assert no.tld "-r -t up=false -t uv=false -t pin=true" /dev/null /dev/null wrap-assert 283 get_assert no.tld "-r -t up=false -t uv=false -t pin=false" /dev/null /dev/null wrap-assert 284 get_assert no.tld "-r -h -t uv=true" /dev/null hmac-salt wrap-assert 285 get_assert no.tld "-r -h -t uv=true -t pin=true" /dev/null hmac-salt wrap-assert 286 get_assert no.tld "-r -h -t uv=true -t pin=false" /dev/null hmac-salt wrap-assert 287 get_assert no.tld "-r -h -t uv=false" /dev/null hmac-salt wrap-assert 288 get_assert no.tld "-r -h -t uv=false -t pin=true" /dev/null hmac-salt wrap-assert 289 get_assert no.tld "-r -h -t uv=false -t pin=false" /dev/null hmac-salt wrap-assert 290 get_assert no.tld "-r -h -t up=true -t uv=true" /dev/null hmac-salt wrap-assert 291 get_assert no.tld "-r -h -t up=true -t uv=true -t pin=true" /dev/null hmac-salt wrap-assert 292 get_assert no.tld "-r -h -t up=true -t uv=true -t pin=false" /dev/null hmac-salt wrap-assert 293 get_assert no.tld "-r -h -t up=true -t uv=false" /dev/null hmac-salt wrap-assert 294 get_assert no.tld "-r -h -t up=true -t uv=false -t pin=true" /dev/null hmac-salt wrap-assert 295 get_assert no.tld "-r -h -t up=true -t uv=false -t pin=false" /dev/null hmac-salt wrap-assert 296 ! get_assert no.tld "-r -h -t up=false -t uv=true" /dev/null hmac-salt wrap-assert 297 ! get_assert no.tld "-r -h -t up=false -t uv=true -t pin=true" /dev/null hmac-salt wrap-assert 298 ! get_assert no.tld "-r -h -t up=false -t uv=true -t pin=false" /dev/null hmac-salt wrap-assert 299 ! get_assert no.tld "-r -h -t up=false -t uv=false" /dev/null hmac-salt wrap-assert 300 ! get_assert no.tld "-r -h -t up=false -t uv=false -t pin=true" /dev/null hmac-salt wrap-assert 301 ! get_assert no.tld "-r -h -t up=false -t uv=false -t pin=false" /dev/null hmac-salt wrap-assert 302fi 303 304exit 0 305