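#!/bin/sh -ex

# Copyright (c) 2021-2022 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# SPDX-License-Identifier: BSD-2-Clause

# usage: ./test.sh "$(mktemp -d fido2test-XXXXXXXX)" device

# Please note that this test script:
# - is incomplete;
# - assumes CTAP 2.1-like hmac-secret;
# - should pass as-is on a YubiKey with a PIN set;
# - may otherwise require set +e above;
# - can be executed with UV=1 to run additional UV tests;
# - was last tested on 2022-01-11 with firmware 5.4.3.
#
# Negative checks are written as "expect_fail cmd ..." rather than "! cmd ...".
# POSIX sh ignores -e for a pipeline that begins with "!", so a "! cmd" line
# can never stop the script: a check such as "verification with -p must
# reject an assertion obtained with up=false" would be silently skipped if the
# command unexpectedly succeeded. Runs that were green only because of that
# may now stop at the first negative check that does not hold.

# Both arguments are required; without the scratch directory the generated
# credential and assertion files would land in the current directory.
if [ "$#" -lt 2 ]; then
	printf 'usage: %s <scratch-dir> <device>\n' "$0" >&2
	exit 1
fi

# Explicit guard: the -e in the shebang is lost when run as "sh test.sh".
cd "$1" || exit 1
DEV="$2"
TYPE="es256"
#TYPE="es384"
#TYPE="eddsa"

# expect_fail cmd [args...]
# Runs cmd and returns 0 only if cmd fails. If cmd succeeds, reports it on
# stderr and returns 1, which stops the script under -e (and is ignored, like
# any other failure, when the script is run with +e).
expect_fail() {
	if "$@"; then
		printf 'expected failure, but succeeded: %s\n' "$*" >&2
		return 1
	fi
}

# make_cred rp_id "options" outfile
# Writes the fido2-cred -M input to cred_param (two fresh 32-byte random
# base64 values, the relying party id from $1 and a fixed user name), then
# asks the device to make a credential and stores the tool's output in $3.
# Returns the exit status of fido2-cred.
make_cred() {
	sed '/^$/d' > cred_param << EOF
$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)
$1
some user name
$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)
EOF
	# $2 is an option string such as "-u" or "--"; left unquoted on purpose
	# so that multi-word option strings split into separate arguments.
	# shellcheck disable=SC2086
	fido2-cred -M $2 "${DEV}" "${TYPE}" > "$3" < cred_param
}

# verify_cred "options" infile first_line_out rest_out
# Verifies the credential in $2 with fido2-cred -V. On success the first line
# of the tool's output goes to $3 and the remainder to $4 (used below as the
# credential id and public key files). On failure returns the tool's status
# without touching $3/$4; without the explicit return the function's status
# would be that of tail whenever -e is suppressed (inside expect_fail).
verify_cred() {
	# shellcheck disable=SC2086 # $1 is an option string, split on purpose
	fido2-cred -V $1 "${TYPE}" > cred_out < "$2" || return
	head -n 1 cred_out > "$3"
	tail -n +2 cred_out > "$4"
}

# get_assert rp_id "options" cred_id_file hmac_salt_file outfile
# Writes the fido2-assert -G input to assert_param (fresh random base64
# value, relying party id, contents of $3 and $4) and stores the assertion in
# $5. /dev/null is passed for an absent file; the resulting empty line is
# dropped by sed. Returns the exit status of fido2-assert.
get_assert() {
	sed '/^$/d' > assert_param << EOF
$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)
$1
$(cat "$3")
$(cat "$4")
EOF
	# shellcheck disable=SC2086 # $2 is an option string, split on purpose
	fido2-assert -G $2 "${DEV}" > "$5" < assert_param
}

# verify_assert "options" pubkey_file assert_file
# Verifies the assertion in $3 against the public key in $2 with
# fido2-assert -V and returns the tool's exit status.
verify_assert() {
	# shellcheck disable=SC2086 # $1 is an option string, split on purpose
	fido2-assert -V $1 "$2" "${TYPE}" < "$3"
}

# Random salt shared by all hmac-secret assertions below.
dd if=/dev/urandom bs=32 count=1 | base64 > hmac-salt

#
# Credential creation and verification.
#

# u2f
if [ "x${TYPE}" = "xes256" ]; then
	make_cred no.tld "-u" u2f
	expect_fail make_cred no.tld "-ru" /dev/null
	expect_fail make_cred no.tld "-uc1" /dev/null
	expect_fail make_cred no.tld "-uc2" /dev/null
	verify_cred "--" u2f u2f-cred u2f-pubkey
	expect_fail verify_cred "-h" u2f /dev/null /dev/null
	expect_fail verify_cred "-v" u2f /dev/null /dev/null
	verify_cred "-c0" u2f /dev/null /dev/null
	expect_fail verify_cred "-c1" u2f /dev/null /dev/null
	expect_fail verify_cred "-c2" u2f /dev/null /dev/null
	expect_fail verify_cred "-c3" u2f /dev/null /dev/null
fi

# wrap (non-resident)
make_cred no.tld "--" wrap
verify_cred "--" wrap wrap-cred wrap-pubkey
expect_fail verify_cred "-h" wrap /dev/null /dev/null
expect_fail verify_cred "-v" wrap /dev/null /dev/null
verify_cred "-c0" wrap /dev/null /dev/null
expect_fail verify_cred "-c1" wrap /dev/null /dev/null
expect_fail verify_cred "-c2" wrap /dev/null /dev/null
expect_fail verify_cred "-c3" wrap /dev/null /dev/null

# wrap (non-resident) + hmac-secret
make_cred no.tld "-h" wrap-hs
expect_fail verify_cred "--" wrap-hs /dev/null /dev/null
verify_cred "-h" wrap-hs wrap-hs-cred wrap-hs-pubkey
expect_fail verify_cred "-v" wrap-hs /dev/null /dev/null
verify_cred "-hc0" wrap-hs /dev/null /dev/null
expect_fail verify_cred "-c0" wrap-hs /dev/null /dev/null
expect_fail verify_cred "-c1" wrap-hs /dev/null /dev/null
expect_fail verify_cred "-c2" wrap-hs /dev/null /dev/null
expect_fail verify_cred "-c3" wrap-hs /dev/null /dev/null

# resident
make_cred no.tld "-r" rk
verify_cred "--" rk rk-cred rk-pubkey
expect_fail verify_cred "-h" rk /dev/null /dev/null
expect_fail verify_cred "-v" rk /dev/null /dev/null
verify_cred "-c0" rk /dev/null /dev/null
expect_fail verify_cred "-c1" rk /dev/null /dev/null
expect_fail verify_cred "-c2" rk /dev/null /dev/null
expect_fail verify_cred "-c3" rk /dev/null /dev/null

# resident + hmac-secret
# rk-hs-cred/rk-hs-pubkey are written by the verification that is expected to
# succeed, as in the wrap-hs group; neither file is read later in this script.
make_cred no.tld "-hr" rk-hs
expect_fail verify_cred "--" rk-hs /dev/null /dev/null
verify_cred "-h" rk-hs rk-hs-cred rk-hs-pubkey
expect_fail verify_cred "-v" rk-hs /dev/null /dev/null
verify_cred "-hc0" rk-hs /dev/null /dev/null
expect_fail verify_cred "-c0" rk-hs /dev/null /dev/null
expect_fail verify_cred "-c1" rk-hs /dev/null /dev/null
expect_fail verify_cred "-c2" rk-hs /dev/null /dev/null
expect_fail verify_cred "-c3" rk-hs /dev/null /dev/null

#
# Assertions.
#

# u2f
if [ "x${TYPE}" = "xes256" ]; then
	get_assert no.tld "-u" u2f-cred /dev/null u2f-assert
	expect_fail get_assert no.tld "-u -t up=false" u2f-cred /dev/null /dev/null
	verify_assert "--" u2f-pubkey u2f-assert
	verify_assert "-p" u2f-pubkey u2f-assert
fi

# wrap (non-resident)
get_assert no.tld "--" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
get_assert no.tld "-t pin=true" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-v" wrap-pubkey wrap-assert
get_assert no.tld "-t pin=false" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
get_assert no.tld "-t up=true" wrap-cred /dev/null wrap-assert
verify_assert "-p" wrap-pubkey wrap-assert
get_assert no.tld "-t up=true -t pin=true" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-p" wrap-pubkey wrap-assert
verify_assert "-v" wrap-pubkey wrap-assert
verify_assert "-pv" wrap-pubkey wrap-assert
get_assert no.tld "-t up=true -t pin=false" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-p" wrap-pubkey wrap-assert
get_assert no.tld "-t up=false" wrap-cred /dev/null wrap-assert
verify_assert "--" wrap-pubkey wrap-assert
expect_fail verify_assert "-p" wrap-pubkey wrap-assert
get_assert no.tld "-t up=false -t pin=true" wrap-cred /dev/null wrap-assert
expect_fail verify_assert "-p" wrap-pubkey wrap-assert
verify_assert "-v" wrap-pubkey wrap-assert
expect_fail verify_assert "-pv" wrap-pubkey wrap-assert
get_assert no.tld "-t up=false -t pin=false" wrap-cred /dev/null wrap-assert
expect_fail verify_assert "-p" wrap-pubkey wrap-assert
get_assert no.tld "-h" wrap-cred hmac-salt wrap-assert
expect_fail verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-h" wrap-pubkey wrap-assert
get_assert no.tld "-h -t pin=true" wrap-cred hmac-salt wrap-assert
expect_fail verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-h" wrap-pubkey wrap-assert
verify_assert "-hv" wrap-pubkey wrap-assert
get_assert no.tld "-h -t pin=false" wrap-cred hmac-salt wrap-assert
expect_fail verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-h" wrap-pubkey wrap-assert
get_assert no.tld "-h -t up=true" wrap-cred hmac-salt wrap-assert
expect_fail verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-h" wrap-pubkey wrap-assert
verify_assert "-hp" wrap-pubkey wrap-assert
get_assert no.tld "-h -t up=true -t pin=true" wrap-cred hmac-salt wrap-assert
expect_fail verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-h" wrap-pubkey wrap-assert
verify_assert "-hp" wrap-pubkey wrap-assert
verify_assert "-hv" wrap-pubkey wrap-assert
verify_assert "-hpv" wrap-pubkey wrap-assert
get_assert no.tld "-h -t up=true -t pin=false" wrap-cred hmac-salt wrap-assert
expect_fail verify_assert "--" wrap-pubkey wrap-assert
verify_assert "-h" wrap-pubkey wrap-assert
verify_assert "-hp" wrap-pubkey wrap-assert
expect_fail get_assert no.tld "-h -t up=false" wrap-cred hmac-salt wrap-assert
expect_fail get_assert no.tld "-h -t up=false -t pin=true" wrap-cred hmac-salt wrap-assert
expect_fail get_assert no.tld "-h -t up=false -t pin=false" wrap-cred hmac-salt wrap-assert

# wrap (non-resident), additional UV tests (only when UV is set)
if [ "x${UV}" != "x" ]; then
	get_assert no.tld "-t uv=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=true -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=true -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=false" wrap-cred /dev/null wrap-assert
	verify_assert "--" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=false -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t uv=false -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "--" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=true" wrap-cred /dev/null wrap-assert
	verify_assert "-pv" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=true -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-pv" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=true -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "-pv" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=false" wrap-cred /dev/null wrap-assert
	verify_assert "-p" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=false -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-pv" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=true -t uv=false -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "-p" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=true -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=true -t pin=false" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=false" wrap-cred /dev/null wrap-assert
	expect_fail verify_assert "--" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=false -t pin=true" wrap-cred /dev/null wrap-assert
	verify_assert "-v" wrap-pubkey wrap-assert
	get_assert no.tld "-t up=false -t uv=false -t pin=false" wrap-cred /dev/null wrap-assert
	expect_fail verify_assert "--" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=true -t pin=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=true -t pin=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-hv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-h" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=false -t pin=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t uv=false -t pin=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-h" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hpv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=true -t pin=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hpv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=true -t pin=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-hpv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-hp" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=false -t pin=true" wrap-cred hmac-salt wrap-assert
	verify_assert "-hpv" wrap-pubkey wrap-assert
	get_assert no.tld "-h -t up=true -t uv=false -t pin=false" wrap-cred hmac-salt wrap-assert
	verify_assert "-hp" wrap-pubkey wrap-assert
	expect_fail get_assert no.tld "-h -t up=false -t uv=true" wrap-cred hmac-salt wrap-assert
	expect_fail get_assert no.tld "-h -t up=false -t uv=true -t pin=true" wrap-cred hmac-salt wrap-assert
	expect_fail get_assert no.tld "-h -t up=false -t uv=true -t pin=false" wrap-cred hmac-salt wrap-assert
	expect_fail get_assert no.tld "-h -t up=false -t uv=false" wrap-cred hmac-salt wrap-assert
	expect_fail get_assert no.tld "-h -t up=false -t uv=false -t pin=true" wrap-cred hmac-salt wrap-assert
	expect_fail get_assert no.tld "-h -t up=false -t uv=false -t pin=false" wrap-cred hmac-salt wrap-assert
fi

# resident
get_assert no.tld "-r" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t pin=true" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t pin=false" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=true" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=true -t pin=true" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=true -t pin=false" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=false" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=false -t pin=true" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -t up=false -t pin=false" /dev/null /dev/null wrap-assert
get_assert no.tld "-r -h" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t pin=true" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t pin=false" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t up=true" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t up=true -t pin=true" /dev/null hmac-salt wrap-assert
get_assert no.tld "-r -h -t up=true -t pin=false" /dev/null hmac-salt wrap-assert
expect_fail get_assert no.tld "-r -h -t up=false" /dev/null hmac-salt wrap-assert
expect_fail get_assert no.tld "-r -h -t up=false -t pin=true" /dev/null hmac-salt wrap-assert
expect_fail get_assert no.tld "-r -h -t up=false -t pin=false" /dev/null hmac-salt wrap-assert

# resident, additional UV tests (only when UV is set)
if [ "x${UV}" != "x" ]; then
	get_assert no.tld "-r -t uv=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=true -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=true -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=false -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t uv=false -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=true -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=true -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=false -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=true -t uv=false -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=true -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=true -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=false -t pin=true" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -t up=false -t uv=false -t pin=false" /dev/null /dev/null wrap-assert
	get_assert no.tld "-r -h -t uv=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=true -t pin=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=true -t pin=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=false -t pin=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t uv=false -t pin=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=true -t pin=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=true -t pin=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=false" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=false -t pin=true" /dev/null hmac-salt wrap-assert
	get_assert no.tld "-r -h -t up=true -t uv=false -t pin=false" /dev/null hmac-salt wrap-assert
	expect_fail get_assert no.tld "-r -h -t up=false -t uv=true" /dev/null hmac-salt wrap-assert
	expect_fail get_assert no.tld "-r -h -t up=false -t uv=true -t pin=true" /dev/null hmac-salt wrap-assert
	expect_fail get_assert no.tld "-r -h -t up=false -t uv=true -t pin=false" /dev/null hmac-salt wrap-assert
	expect_fail get_assert no.tld "-r -h -t up=false -t uv=false" /dev/null hmac-salt wrap-assert
	expect_fail get_assert no.tld "-r -h -t up=false -t uv=false -t pin=true" /dev/null hmac-salt wrap-assert
	expect_fail get_assert no.tld "-r -h -t up=false -t uv=false -t pin=false" /dev/null hmac-salt wrap-assert
fi

exit 0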