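#!/bin/sh

# Copyright (c) 2021 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.

# usage: ./test.sh "$(mktemp -d fido2test-XXXXXXXX)" device

# Please note that this test script:
# - is incomplete;
# - assumes CTAP 2.1-like hmac-secret;
# - should pass as-is on a YubiKey with a PIN set;
# - may otherwise require set +e above;
# - can be executed with UV=1 to run additional UV tests;
# - was last tested on 2022-01-11 with firmware 5.4.3.
#
# NOTE(review): negative checks used to be written as "! cmd". POSIX sh
# ignores errexit for a pipeline that starts with "!", so a check that was
# supposed to be rejected could succeed without failing the run. They now go
# through must_fail(), which aborts when the command unexpectedly succeeds.
# The "should pass as-is" statement above predates that enforcement; if a
# must_fail line aborts the run, investigate the expectation rather than
# switching it back to "!".

# Options are set here rather than on the "#!" line so they also apply when
# the script is started as "sh test.sh ...".
set -ex

if [ "$#" -lt 2 ]; then
	echo "usage: $0 scratch-directory device" >&2
	exit 1
fi

# All intermediate files (parameters, credentials, public keys, assertions,
# hmac salt) are written to the scratch directory given as $1.
cd "$1"
DEV="$2"

# must_fail cmd [args...]
# Runs a check that the authenticator or the verifier is expected to reject.
# Returns 0 when the command fails; aborts the whole run when it succeeds.
must_fail() {
	if "$@"; then
		echo "expected failure, but command succeeded: $*" >&2
		exit 1
	fi
}

# make_cred rp_id options out_file
# Creates a credential on ${DEV} with "fido2-cred -M".
#   $1 - relying party id
#   $2 - options for fido2-cred -M (as used below: -u U2F, -r resident,
#        -h hmac-secret, -cN credProtect level, or "--" for none)
#   $3 - file receiving the fido2-cred output
# The parameter file holds a random 32-byte value, the relying party id, a
# fixed user name and a second random 32-byte value, one per line.
make_cred() {
	sed '/^$/d' > cred_param << EOF
$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)
$1
some user name
$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)
EOF
	# $2 is deliberately unquoted: it may carry several options.
	# shellcheck disable=SC2086
	fido2-cred -M $2 "${DEV}" > "$3" < cred_param
}

# verify_cred options in_file first_line_file rest_file
# Verifies the output of make_cred with "fido2-cred -V".
#   $1 - options for fido2-cred -V (what the verifier requires)
#   $2 - file produced by make_cred
#   $3 - receives the first line of the verifier output
#        (callers name it *-cred)
#   $4 - receives the remaining lines (callers name it *-pubkey)
# Returns non-zero as soon as verification fails. Without the explicit
# return, a caller that suspends errexit (must_fail) would see the exit
# status of the trailing tail(1) and take a rejected credential for an
# accepted one.
verify_cred() {
	# $1 is deliberately unquoted: it may carry several options.
	# shellcheck disable=SC2086
	fido2-cred -V $1 > cred_out < "$2" || return 1
	head -n 1 cred_out > "$3"
	tail -n +2 cred_out > "$4"
}

# get_assert rp_id options cred_file salt_file out_file
# Requests an assertion from ${DEV} with "fido2-assert -G".
#   $1 - relying party id
#   $2 - options for fido2-assert -G (as used below: -u, -r, -h and
#        "-t up|uv|pin=true|false" toggles, or "--" for none)
#   $3 - file holding the credential id, or /dev/null
#   $4 - file holding the hmac salt, or /dev/null
#   $5 - file receiving the assertion
# /dev/null inputs expand to empty lines, which sed strips from the
# parameter file.
get_assert() {
	sed '/^$/d' > assert_param << EOF
$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)
$1
$(cat "$3")
$(cat "$4")
EOF
	# $2 is deliberately unquoted: it may carry several options.
	# shellcheck disable=SC2086
	fido2-assert -G $2 "${DEV}" > "$5" < assert_param
}

# verify_assert options pubkey_file assert_file
# Verifies an assertion with "fido2-assert -V".
#   $1 - options stating what the verifier requires (as used below:
#        -h hmac-secret, -p user presence, -v user verification,
#        or "--" for none)
#   $2 - public key file written by verify_cred
#   $3 - assertion file written by get_assert
verify_assert() {
	# $1 is deliberately unquoted: it may carry several options.
	# shellcheck disable=SC2086
	fido2-assert -V $1 "$2" < "$3"
}

dd if=/dev/urandom bs=32 count=1 | base64 > hmac-salt

# u2f
make_cred no.tld "-u" u2f
must_fail make_cred no.tld "-ru" /dev/null
must_fail make_cred no.tld "-uc1" /dev/null
must_fail make_cred no.tld "-uc2" /dev/null
verify_cred "--" u2f u2f-cred u2f-pubkey
must_fail verify_cred "-h" u2f /dev/null /dev/null
must_fail verify_cred "-v" u2f /dev/null /dev/null
verify_cred "-c0" u2f /dev/null /dev/null
must_fail verify_cred "-c1" u2f /dev/null /dev/null
must_fail verify_cred "-c2" u2f /dev/null /dev/null
must_fail verify_cred "-c3" u2f /dev/null /dev/null

# wrap (non-resident)
make_cred no.tld "--" wrap
verify_cred "--" wrap wrap-cred wrap-pubkey
must_fail verify_cred "-h" wrap /dev/null /dev/null
must_fail verify_cred "-v" wrap /dev/null /dev/null
verify_cred "-c0" wrap /dev/null /dev/null
must_fail verify_cred "-c1" wrap /dev/null /dev/null
must_fail verify_cred "-c2" wrap /dev/null /dev/null
must_fail verify_cred "-c3" wrap /dev/null /dev/null

# wrap (non-resident) + hmac-secret
make_cred no.tld "-h" wrap-hs
must_fail verify_cred "--" wrap-hs /dev/null /dev/null
verify_cred "-h" wrap-hs wrap-hs-cred wrap-hs-pubkey
must_fail verify_cred "-v" wrap-hs /dev/null /dev/null
verify_cred "-hc0" wrap-hs /dev/null /dev/null
must_fail verify_cred "-c0" wrap-hs /dev/null /dev/null
must_fail verify_cred "-c1" wrap-hs /dev/null /dev/null
must_fail verify_cred "-c2" wrap-hs /dev/null /dev/null
must_fail verify_cred "-c3" wrap-hs /dev/null /dev/null

# resident
make_cred no.tld "-r" rk
verify_cred "--" rk rk-cred rk-pubkey
must_fail verify_cred "-h" rk /dev/null /dev/null
must_fail verify_cred "-v" rk /dev/null /dev/null
verify_cred "-c0" rk /dev/null /dev/null
must_fail verify_cred "-c1" rk /dev/null /dev/null
must_fail verify_cred "-c2" rk /dev/null /dev/null
must_fail verify_cred "-c3" rk /dev/null /dev/null

# resident + hmac-secret
make_cred no.tld "-hr" rk-hs
must_fail verify_cred "--" rk-hs rk-hs-cred rk-hs-pubkey
verify_cred "-h" rk-hs /dev/null /dev/null
must_fail verify_cred "-v" rk-hs /dev/null /dev/null
verify_cred "-hc0" rk-hs /dev/null /dev/null
must_fail verify_cred "-c0" rk-hs /dev/null /dev/null
must_fail verify_cred "-c1" rk-hs /dev/null /dev/null
must_fail verify_cred "-c2" rk-hs /dev/null /dev/null
must_fail verify_cred "-c3" rk-hs /dev/null /dev/null

# u2f
get_assert no.tld "-u" u2f-cred /dev/null u2f-assert
must_fail get_assert no.tld "-u -t up=false" u2f-cred /dev/null /dev/null
verify_assert "--" u2f-pubkey u2f-assert
verify_assert "-p" u2f-pubkey u2f-assert

# wrap (non-resident)
get_assert no.tld "--" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
get_assert no.tld "-t pin=true" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-v" wrap-pubkey wrap-assert
get_assert no.tld "-t pin=false" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
get_assert no.tld "-t up=true" wrap-cred /dev/null wrap-assert
verify_assert "-p" wrap-pubkey wrap-assert
get_assert no.tld "-t up=true -t pin=true" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-p" wrap-pubkey wrap-assert
verify_assert "-v" wrap-pubkey wrap-assert
verify_assert "-pv" wrap-pubkey wrap-assert
get_assert no.tld "-t up=true -t pin=false" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-p" wrap-pubkey wrap-assert
get_assert no.tld "-t up=false" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
must_fail verify_assert "-p" wrap-pubkey wrap-assert
get_assert no.tld "-t up=false -t pin=true" wrap-cred /dev/null wrap-assert
must_fail verify_assert "-p" wrap-pubkey wrap-assert
verify_assert "-v" wrap-pubkey wrap-assert
must_fail verify_assert "-pv" wrap-pubkey wrap-assert
get_assert no.tld "-t up=false -t pin=false" wrap-cred /dev/null wrap-assert
must_fail verify_assert "-p" wrap-pubkey wrap-assert
get_assert no.tld "-h" wrap-cred hmac-salt wrap-assert
must_fail verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-h" wrap-pubkey wrap-assert
get_assert no.tld "-h -t pin=true" wrap-cred hmac-salt wrap-assert
must_fail verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-h" wrap-pubkey wrap-assert
verify_assert "-hv" wrap-pubkey wrap-assert
get_assert no.tld "-h -t pin=false" wrap-cred hmac-salt wrap-assert
must_fail verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-h" wrap-pubkey wrap-assert
get_assert no.tld "-h -t up=true" wrap-cred hmac-salt wrap-assert
must_fail verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-h" wrap-pubkey wrap-assert
verify_assert "-hp" wrap-pubkey wrap-assert
get_assert no.tld "-h -t up=true -t pin=true" wrap-cred hmac-salt wrap-assert
must_fail verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-h" wrap-pubkey wrap-assert
verify_assert "-hp" wrap-pubkey wrap-assert
verify_assert "-hv" wrap-pubkey wrap-assert
verify_assert "-hpv" wrap-pubkey wrap-assert
get_assert no.tld "-h -t up=true -t pin=false" wrap-cred hmac-salt wrap-assert
must_fail verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-h" wrap-pubkey wrap-assert
verify_assert "-hp" wrap-pubkey wrap-assert
must_fail get_assert no.tld "-h -t up=false" wrap-cred hmac-salt wrap-assert
must_fail get_assert no.tld "-h -t up=false -t pin=true" wrap-cred hmac-salt wrap-assert
must_fail get_assert no.tld "-h -t up=false -t pin=false" wrap-cred hmac-salt wrap-assert

if [ -n "${UV}" ]; then
	get_assert no.tld "-t uv=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=true -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=true -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=false" wrap-cred /dev/null wrap-assert
	verify_assert "--" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=false -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=false -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "--" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=true" wrap-cred /dev/null wrap-assert
	verify_assert "-pv" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=true -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-pv" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=true -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "-pv" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=false" wrap-cred /dev/null wrap-assert
	verify_assert "-p" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=false -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-pv" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=false -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "-p" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=true -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=true -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=false" wrap-cred /dev/null wrap-assert
	must_fail verify_assert "--" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=false -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=false -t pin=false" wrap-cred /dev/null wrap-assert
	must_fail verify_assert "--" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=true -t pin=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=true -t pin=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-hv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-h" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=false -t pin=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=false -t pin=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-h" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hpv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=true -t pin=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hpv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=true -t pin=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-hpv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-hp" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=false -t pin=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hpv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=false -t pin=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-hp" wrap-pubkey wrap-assert
	must_fail get_assert no.tld "-h -t up=false -t uv=true" wrap-cred hmac-salt wrap-assert
	must_fail get_assert no.tld "-h -t up=false -t uv=true -t pin=true" wrap-cred hmac-salt wrap-assert
	must_fail get_assert no.tld "-h -t up=false -t uv=true -t pin=false" wrap-cred hmac-salt wrap-assert
	must_fail get_assert no.tld "-h -t up=false -t uv=false" wrap-cred hmac-salt wrap-assert
	must_fail get_assert no.tld "-h -t up=false -t uv=false -t pin=true" wrap-cred hmac-salt wrap-assert
	must_fail get_assert no.tld "-h -t up=false -t uv=false -t pin=false" wrap-cred hmac-salt wrap-assert
fi

# resident
get_assert no.tld "-r" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t pin=true" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t pin=false" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=true" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=true -t pin=true" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=true -t pin=false" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=false" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=false -t pin=true" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=false -t pin=false" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -h" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t pin=true" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t pin=false" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t up=true" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t up=true -t pin=true" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t up=true -t pin=false" /dev/null hmac-salt wrap-assert
must_fail get_assert no.tld "-r -h -t up=false" /dev/null hmac-salt wrap-assert
must_fail get_assert no.tld "-r -h -t up=false -t pin=true" /dev/null hmac-salt wrap-assert
must_fail get_assert no.tld "-r -h -t up=false -t pin=false" /dev/null hmac-salt wrap-assert

if [ -n "${UV}" ]; then
	get_assert no.tld "-r -t uv=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=true -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=true -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=false -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=false -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=true -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=true -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=false -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=false -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=true -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=true -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=false -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=false -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -h -t uv=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=true -t pin=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=true -t pin=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=false -t pin=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=false -t pin=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=true -t pin=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=true -t pin=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=false -t pin=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=false -t pin=false" /dev/null hmac-salt wrap-assert
	must_fail get_assert no.tld "-r -h -t up=false -t uv=true" /dev/null hmac-salt wrap-assert
	must_fail get_assert no.tld "-r -h -t up=false -t uv=true -t pin=true" /dev/null hmac-salt wrap-assert
	must_fail get_assert no.tld "-r -h -t up=false -t uv=true -t pin=false" /dev/null hmac-salt wrap-assert
	must_fail get_assert no.tld "-r -h -t up=false -t uv=false" /dev/null hmac-salt wrap-assert
	must_fail get_assert no.tld "-r -h -t up=false -t uv=false -t pin=true" /dev/null hmac-salt wrap-assert
	must_fail get_assert no.tld "-r -h -t up=false -t uv=false -t pin=false" /dev/null hmac-salt wrap-assert
fi

exit 0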