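#!/bin/sh

# Copyright (c) 2021-2022 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause

# usage: ./test.sh "$(mktemp -d fido2test-XXXXXXXX)" device

# Please note that this test script:
# - is incomplete;
# - assumes CTAP 2.1-like hmac-secret;
# - should pass as-is on a YubiKey with a PIN set;
# - may otherwise require set +e (see the set -ex line below);
# - can be executed with UV=1 to run additional UV tests;
# - was last tested on 2024-06-15 with firmware 5.7.1.
#
# The working directory receives credential and assertion data, including
# hmac-secret output for the -h cases. Use a private directory such as the
# one created by mktemp -d in the usage line.
#
# Conventions used below:
# - "cmd && exit 1" marks a step that is expected to FAIL; the test aborts
#   if it unexpectedly succeeds. A failing command on the left-hand side of
#   && does not trigger set -e.
# - A step without "&& exit 1" is expected to succeed; set -e aborts the
#   run if it fails.
# - Flags are passed through to fido2-cred(1) and fido2-assert(1):
#   -u U2F, -r resident, -h hmac-secret, -cN credProtect policy N,
#   -p require user presence, -v require user verification,
#   -t key=value toggles up/uv/pin on the request.

# Options are set here rather than on the shebang line so that they still
# apply when the script is started as "sh test.sh ...". Without -e a failed
# positive test would be ignored and the run would end with "exit 0".
set -ex

# Refuse to run without both arguments, so that test artifacts are never
# written into whatever directory the caller happens to be in.
: "${1:?usage: $0 directory device}"
: "${2:?usage: $0 directory device}"

cd "$1"
DEV="$2"
TYPE="es256"
#TYPE="es384"
#TYPE="eddsa"

# make_cred rp_id flags outfile
# Creates a credential on ${DEV}. The input fed to fido2-cred -M is a random
# client data hash, the relying party id ($1), a fixed user name and a
# random user id. $2 is passed as a single option word ("--" for none).
make_cred() {
	sed '/^$/d' > cred_param << EOF
$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)
$1
some user name
$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)
EOF
	fido2-cred -M "$2" "${DEV}" "${TYPE}" > "$3" < cred_param
}

# verify_cred flags credfile id_out pubkey_out
# Verifies the credential in $2 with option word $1. On success the first
# output line goes to $3 and the remaining lines to $4. Returns 1 without
# touching $3/$4 when verification fails.
verify_cred() {
	fido2-cred -V "$1" "${TYPE}" > cred_out < "$2" || return 1
	head -n 1 cred_out > "$3"
	tail -n +2 cred_out > "$4"
}

# get_assert rp_id flags credfile saltfile outfile
# Requests an assertion from ${DEV}. $3 and $4 may be /dev/null, in which
# case their expansion is an empty line that sed strips from the input.
get_assert() {
	sed '/^$/d' > assert_param << EOF
$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)
$1
$(cat "$3")
$(cat "$4")
EOF
	# we want to expand $2
	# shellcheck disable=SC2086
	fido2-assert -G $2 "${DEV}" > "$5" < assert_param
}

# verify_assert flags pubkeyfile assertfile
# Verifies the assertion in $3 against the public key in $2.
verify_assert() {
	fido2-assert -V "$1" "$2" "${TYPE}" < "$3"
}

dd if=/dev/urandom bs=32 count=1 | base64 > hmac-salt

# u2f
if [ "${TYPE}" = "es256" ]; then
	make_cred no.tld "-u" u2f
	make_cred no.tld "-ru" /dev/null && exit 1
	make_cred no.tld "-uc1" /dev/null && exit 1
	make_cred no.tld "-uc2" /dev/null && exit 1
	verify_cred "--" u2f u2f-cred u2f-pubkey
	verify_cred "-h" u2f /dev/null /dev/null && exit 1
	verify_cred "-v" u2f /dev/null /dev/null && exit 1
	verify_cred "-c0" u2f /dev/null /dev/null
	verify_cred "-c1" u2f /dev/null /dev/null && exit 1
	verify_cred "-c2" u2f /dev/null /dev/null && exit 1
	verify_cred "-c3" u2f /dev/null /dev/null && exit 1
fi

# wrap (non-resident)
make_cred no.tld "--" wrap
verify_cred "--" wrap wrap-cred wrap-pubkey
verify_cred "-h" wrap /dev/null /dev/null && exit 1
verify_cred "-v" wrap /dev/null /dev/null && exit 1
verify_cred "-c0" wrap /dev/null /dev/null
verify_cred "-c1" wrap /dev/null /dev/null && exit 1
verify_cred "-c2" wrap /dev/null /dev/null && exit 1
verify_cred "-c3" wrap /dev/null /dev/null && exit 1

# wrap (non-resident) + hmac-secret
make_cred no.tld "-h" wrap-hs
verify_cred "--" wrap-hs /dev/null /dev/null && exit 1
verify_cred "-h" wrap-hs wrap-hs-cred wrap-hs-pubkey
verify_cred "-v" wrap-hs /dev/null /dev/null && exit 1
verify_cred "-hv" wrap-hs /dev/null /dev/null && exit 1
verify_cred "-hc0" wrap-hs /dev/null /dev/null
verify_cred "-c0" wrap-hs /dev/null /dev/null && exit 1
verify_cred "-c1" wrap-hs /dev/null /dev/null && exit 1
verify_cred "-c2" wrap-hs /dev/null /dev/null && exit 1
verify_cred "-c3" wrap-hs /dev/null /dev/null && exit 1

# resident
make_cred no.tld "-r" rk
verify_cred "--" rk rk-cred rk-pubkey
verify_cred "-h" rk /dev/null /dev/null && exit 1
verify_cred "-v" rk /dev/null /dev/null
verify_cred "-hv" rk /dev/null /dev/null && exit 1
verify_cred "-c0" rk /dev/null /dev/null
verify_cred "-c1" rk /dev/null /dev/null && exit 1
verify_cred "-c2" rk /dev/null /dev/null && exit 1
verify_cred "-c3" rk /dev/null /dev/null && exit 1

# resident + hmac-secret
make_cred no.tld "-hr" rk-hs
verify_cred "--" rk-hs rk-hs-cred rk-hs-pubkey && exit 1
verify_cred "-h" rk-hs /dev/null /dev/null
verify_cred "-v" rk-hs /dev/null /dev/null && exit 1
verify_cred "-hv" rk-hs /dev/null /dev/null
verify_cred "-hc0" rk-hs /dev/null /dev/null
verify_cred "-c0" rk-hs /dev/null /dev/null && exit 1
verify_cred "-c1" rk-hs /dev/null /dev/null && exit 1
verify_cred "-c2" rk-hs /dev/null /dev/null && exit 1
verify_cred "-c3" rk-hs /dev/null /dev/null && exit 1

# u2f
if [ "${TYPE}" = "es256" ]; then
	get_assert no.tld "-u" u2f-cred /dev/null u2f-assert
	get_assert no.tld "-u -t up=false" u2f-cred /dev/null /dev/null && exit 1
	verify_assert "--" u2f-pubkey u2f-assert
	verify_assert "-p" u2f-pubkey u2f-assert
fi

# wrap (non-resident)
# Each verify_assert below checks the assertion written by the get_assert
# immediately before it, so the order of these lines matters.
get_assert no.tld "--" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
get_assert no.tld "-t pin=true" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-v" wrap-pubkey wrap-assert
get_assert no.tld "-t pin=false" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
get_assert no.tld "-t up=true" wrap-cred /dev/null wrap-assert
verify_assert "-p" wrap-pubkey wrap-assert
get_assert no.tld "-t up=true -t pin=true" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-p" wrap-pubkey wrap-assert
verify_assert "-v" wrap-pubkey wrap-assert
verify_assert "-pv" wrap-pubkey wrap-assert
get_assert no.tld "-t up=true -t pin=false" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-p" wrap-pubkey wrap-assert
get_assert no.tld "-t up=false" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-p" wrap-pubkey wrap-assert && exit 1
get_assert no.tld "-t up=false -t pin=true" wrap-cred /dev/null wrap-assert
verify_assert "-p" wrap-pubkey wrap-assert && exit 1
verify_assert "-v" wrap-pubkey wrap-assert
verify_assert "-pv" wrap-pubkey wrap-assert && exit 1
get_assert no.tld "-t up=false -t pin=false" wrap-cred /dev/null wrap-assert
verify_assert "-p" wrap-pubkey wrap-assert && exit 1
get_assert no.tld "-h" wrap-cred hmac-salt wrap-assert
verify_assert "--" wrap-pubkey wrap-assert && exit 1
verify_assert "-h" wrap-pubkey wrap-assert
get_assert no.tld "-h -t pin=true" wrap-cred hmac-salt wrap-assert
verify_assert "--" wrap-pubkey wrap-assert && exit 1
verify_assert "-h" wrap-pubkey wrap-assert
verify_assert "-hv" wrap-pubkey wrap-assert
get_assert no.tld "-h -t pin=false" wrap-cred hmac-salt wrap-assert
verify_assert "--" wrap-pubkey wrap-assert && exit 1
verify_assert "-h" wrap-pubkey wrap-assert
get_assert no.tld "-h -t up=true" wrap-cred hmac-salt wrap-assert
verify_assert "--" wrap-pubkey wrap-assert && exit 1
verify_assert "-h" wrap-pubkey wrap-assert
verify_assert "-hp" wrap-pubkey wrap-assert
get_assert no.tld "-h -t up=true -t pin=true" wrap-cred hmac-salt wrap-assert
verify_assert "--" wrap-pubkey wrap-assert && exit 1
verify_assert "-h" wrap-pubkey wrap-assert
verify_assert "-hp" wrap-pubkey wrap-assert
verify_assert "-hv" wrap-pubkey wrap-assert
verify_assert "-hpv" wrap-pubkey wrap-assert
get_assert no.tld "-h -t up=true -t pin=false" wrap-cred hmac-salt wrap-assert
verify_assert "--" wrap-pubkey wrap-assert && exit 1
verify_assert "-h" wrap-pubkey wrap-assert
verify_assert "-hp" wrap-pubkey wrap-assert
get_assert no.tld "-h -t up=false" wrap-cred hmac-salt wrap-assert && exit 1
get_assert no.tld "-h -t up=false -t pin=true" wrap-cred hmac-salt wrap-assert && exit 1
get_assert no.tld "-h -t up=false -t pin=false" wrap-cred hmac-salt wrap-assert && exit 1

if [ "x${UV}" != "x" ]; then
	get_assert no.tld "-t uv=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=true -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=true -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=false" wrap-cred /dev/null wrap-assert
	verify_assert "--" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=false -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=false -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "--" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=true" wrap-cred /dev/null wrap-assert
	verify_assert "-pv" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=true -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-pv" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=true -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "-pv" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=false" wrap-cred /dev/null wrap-assert
	verify_assert "-p" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=false -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-pv" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=false -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "-p" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=true -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=true -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=false" wrap-cred /dev/null wrap-assert
	verify_assert "--" wrap-pubkey wrap-assert && exit 1
	get_assert no.tld "-t up=false -t uv=false -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=false -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "--" wrap-pubkey wrap-assert && exit 1
	get_assert no.tld "-h -t uv=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=true -t pin=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=true -t pin=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-hv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-h" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=false -t pin=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=false -t pin=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-h" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hpv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=true -t pin=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hpv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=true -t pin=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-hpv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-hp" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=false -t pin=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hpv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=false -t pin=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-hp" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=false -t uv=true" wrap-cred hmac-salt wrap-assert && exit 1
	get_assert no.tld "-h -t up=false -t uv=true -t pin=true" wrap-cred hmac-salt wrap-assert && exit 1
	get_assert no.tld "-h -t up=false -t uv=true -t pin=false" wrap-cred hmac-salt wrap-assert && exit 1
	get_assert no.tld "-h -t up=false -t uv=false" wrap-cred hmac-salt wrap-assert && exit 1
	get_assert no.tld "-h -t up=false -t uv=false -t pin=true" wrap-cred hmac-salt wrap-assert && exit 1
	get_assert no.tld "-h -t up=false -t uv=false -t pin=false" wrap-cred hmac-salt wrap-assert && exit 1
fi

# resident
# NOTE(review): the resident assertions below are only requested, never
# passed to verify_assert; only the exit status of get_assert is checked.
get_assert no.tld "-r" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t pin=true" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t pin=false" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=true" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=true -t pin=true" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=true -t pin=false" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=false" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=false -t pin=true" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=false -t pin=false" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -h" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t pin=true" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t pin=false" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t up=true" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t up=true -t pin=true" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t up=true -t pin=false" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t up=false" /dev/null hmac-salt wrap-assert && exit 1
get_assert no.tld "-r -h -t up=false -t pin=true" /dev/null hmac-salt wrap-assert && exit 1
get_assert no.tld "-r -h -t up=false -t pin=false" /dev/null hmac-salt wrap-assert && exit 1

if [ "x${UV}" != "x" ]; then
	get_assert no.tld "-r -t uv=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=true -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=true -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=false -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=false -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=true -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=true -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=false -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=false -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=true -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=true -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=false -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=false -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -h -t uv=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=true -t pin=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=true -t pin=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=false -t pin=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=false -t pin=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=true -t pin=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=true -t pin=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=false -t pin=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=false -t pin=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=false -t uv=true" /dev/null hmac-salt wrap-assert && exit 1
	get_assert no.tld "-r -h -t up=false -t uv=true -t pin=true" /dev/null hmac-salt wrap-assert && exit 1
	get_assert no.tld "-r -h -t up=false -t uv=true -t pin=false" /dev/null hmac-salt wrap-assert && exit 1
	get_assert no.tld "-r -h -t up=false -t uv=false" /dev/null hmac-salt wrap-assert && exit 1
	get_assert no.tld "-r -h -t up=false -t uv=false -t pin=true" /dev/null hmac-salt wrap-assert && exit 1
	get_assert no.tld "-r -h -t up=false -t uv=false -t pin=false" /dev/null hmac-salt wrap-assert && exit 1
fi

exit 0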