turnkey/openpgp-card
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
openpgp-card/card-functionality/src/tests.rs
Heiko Schaefer 858d91b1f8
openpgp-card-sequoia: don't do automatic cardholder name encoding, and document this 
Normalize fn name: set_name() -> set_cardholder_name().
2023-09-06 01:28:48 +02:00

689 lines
19 KiB
Rust
Raw Blame History

// SPDX-FileCopyrightText: 2021-2022 Heiko Schaefer <heiko@schaefer.name>
// SPDX-License-Identifier: MIT OR Apache-2.0
use std::convert::TryFrom;
use std::str::FromStr;
use std::string::FromUtf8Error;
use anyhow::Result;
use openpgp_card::algorithm::AlgoSimple;
use openpgp_card::card_do::{KeyGenerationTime, Sex};
use openpgp_card::{Error, KeyType, StatusBytes};
use openpgp_card_sequoia::sq_util;
use openpgp_card_sequoia::state::{Admin, Open, Transaction};
use openpgp_card_sequoia::util::{
make_cert, public_key_material_and_fp_to_key, public_key_material_to_key,
};
use openpgp_card_sequoia::Card;
use sequoia_openpgp::parse::Parse;
use sequoia_openpgp::policy::StandardPolicy;
use sequoia_openpgp::serialize::SerializeInto;
use sequoia_openpgp::types::{HashAlgorithm, SymmetricAlgorithm};
use sequoia_openpgp::Cert;
use thiserror;
use crate::util;
#[derive(Debug)]
pub enum TestResult {
Status(StatusBytes),
StatusOk,
Text(String),
}
type TestOutput = Vec<TestResult>;
#[derive(thiserror::Error, Debug)]
pub enum TestError {
#[error("Failed to upload key {0} ({1})")]
KeyUploadError(String, anyhow::Error),
#[error(transparent)]
OPGP(#[from] Error),
#[error(transparent)]
OCard(#[from] StatusBytes),
#[error(transparent)]
Other(#[from] anyhow::Error), // source and Display delegate to anyhow::Error
#[error(transparent)]
Utf8Error(#[from] FromUtf8Error),
}
/// Run after each "upload keys", if key *was* uploaded (?)
pub fn test_decrypt(tx: &mut Card<Transaction>, param: &[&str]) -> Result<TestOutput, TestError> {
assert_eq!(
param.len(),
2,
"test_decrypt needs filenames for 'cert' and 'encrypted'"
);
let msg = param[1].to_string();
let p = StandardPolicy::new();
let mut user = tx.to_user_card("123456")?;
let d = user.decryptor(&|| {})?;
let res = sq_util::decrypt(d, msg.into_bytes(), &p)?;
let plain = String::from_utf8_lossy(&res);
assert_eq!(plain, "Hello world!\n");
Ok(vec![])
}
/// Run after each "upload keys", if key *was* uploaded (?)
pub fn test_sign(tx: &mut Card<Transaction>, param: &[&str]) -> Result<TestOutput, TestError> {
assert_eq!(param.len(), 1, "test_sign needs a filename for 'cert'");
let cert = Cert::from_str(param[0])?;
let mut sign = tx.to_signing_card("123456").unwrap();
let s = sign.signer(&|| {})?;
let msg = "Hello world, I am signed.";
let sig = sq_util::sign(s, &mut msg.as_bytes())?;
// validate sig
assert!(util::verify_sig(&cert, msg.as_bytes(), sig.as_bytes())?);
Ok(vec![])
}
fn check_key_upload_metadata(
admin: &mut Card<Admin>,
meta: &[(String, KeyGenerationTime)],
) -> Result<()> {
admin.as_transaction().reload_ard()?;
// check fingerprints
let card_fp = admin.as_transaction().fingerprints()?;
let sig = card_fp.signature().expect("signature fingerprint");
assert_eq!(format!("{sig:X}"), meta[0].0);
let dec = card_fp.decryption().expect("decryption fingerprint");
assert_eq!(format!("{dec:X}"), meta[1].0);
let auth = card_fp
.authentication()
.expect("authentication fingerprint");
assert_eq!(format!("{auth:X}"), meta[2].0);
// get_key_generation_times
let card_kg = admin.as_transaction().key_generation_times()?;
let sig = card_kg.signature().expect("signature creation time");
assert_eq!(sig, &meta[0].1);
let dec = card_kg.decryption().expect("decryption creation time");
assert_eq!(dec, &meta[1].1);
let auth = card_kg
.authentication()
.expect("authentication creation time");
assert_eq!(auth, &meta[2].1);
Ok(())
}
fn check_key_upload_algo_attrs() -> Result<()> {
// get_algorithm_attributes
// FIXME
Ok(())
}
pub fn test_print_caps(
pgp: &mut openpgp_card::Card,
_param: &[&str],
) -> Result<TestOutput, TestError> {
let mut pgpt = pgp.transaction()?;
let ard = pgpt.application_related_data()?;
let aid = ard.application_id()?;
println!("aid: {aid:#x?}");
let hist = ard.historical_bytes()?;
println!("hist: {hist:#?}");
let ecap = ard.extended_capabilities()?;
println!("ecap: {ecap:#?}");
let eli = ard.extended_length_information()?;
println!("eli: {eli:#?}");
Ok(vec![])
}
pub fn test_print_algo_info(
pgp: &mut openpgp_card::Card,
_param: &[&str],
) -> Result<TestOutput, TestError> {
let mut pgpt = pgp.transaction()?;
let ard = pgpt.application_related_data()?;
let dec = ard.algorithm_attributes(KeyType::Decryption)?;
println!("Current algorithm for the decrypt slot: {dec}");
println!();
let algo = pgpt.algorithm_information();
if let Ok(Some(algo)) = algo {
println!("Card algorithm list:\n{algo}");
}
Ok(vec![])
}
pub fn test_upload_keys(
tx: &mut Card<Transaction>,
param: &[&str],
) -> Result<TestOutput, TestError> {
assert_eq!(
param.len(),
1,
"test_upload_keys needs a filename for 'cert'"
);
let cert = Cert::from_file(param[0])?;
let p = StandardPolicy::new();
let mut admin = tx.to_admin_card(b"12345678")?;
let meta = util::upload_subkeys(&mut admin, &cert, &p)
.map_err(|e| TestError::KeyUploadError(param[0].to_string(), e))?;
check_key_upload_metadata(&mut admin, &meta)?;
// FIXME: implement
check_key_upload_algo_attrs()?;
Ok(vec![])
}
/// Generate keys for each of the three KeyTypes
pub fn test_keygen(tx: &mut Card<Transaction>, param: &[&str]) -> Result<TestOutput, TestError> {
let mut admin = tx
.to_admin_card("12345678")
.expect("Couldn't get Admin card");
// Generate all three subkeys on card
let algo = param[0];
let alg = AlgoSimple::try_from(algo)?;
println!(" Generate subkey for Signing");
admin.set_algorithm(KeyType::Signing, alg)?;
let (pkm, ts) = admin.generate_key(KeyType::Signing)?;
let key_sig = public_key_material_to_key(&pkm, KeyType::Signing, &ts, None, None)?;
println!(" Generate subkey for Decryption");
admin.set_algorithm(KeyType::Decryption, alg)?;
let (pkm, ts) = admin.generate_key(KeyType::Decryption)?;
let key_dec = public_key_material_to_key(
&pkm,
KeyType::Decryption,
&ts,
Some(HashAlgorithm::SHA256),
Some(SymmetricAlgorithm::AES128),
)?;
println!(" Generate subkey for Authentication");
admin.set_algorithm(KeyType::Authentication, alg)?;
let (pkm, ts) = admin.generate_key(KeyType::Authentication)?;
let key_aut = public_key_material_to_key(&pkm, KeyType::Authentication, &ts, None, None)?;
tx.reload_ard()?;
// Generate a Cert for this set of generated keys
let cert = make_cert(
tx,
key_sig,
Some(key_dec),
Some(key_aut),
Some(b"123456"),
&|| {},
&|| {},
&[],
)?;
let armored = String::from_utf8(cert.armored().to_vec()?)?;
let res = TestResult::Text(armored);
Ok(vec![res])
}
/// Construct public key based on data from the card
pub fn test_get_pub(mut card: Card<Open>, _param: &[&str]) -> Result<TestOutput, TestError> {
let mut transaction = card.transaction()?;
let times = transaction.key_generation_times()?;
let fps = transaction.fingerprints()?;
// --
let sig = transaction.public_key_material(KeyType::Signing)?;
let ts = times.signature().unwrap().get().into();
let key =
public_key_material_and_fp_to_key(&sig, KeyType::Signing, &ts, fps.signature().unwrap())?;
println!(" sig key data from card -> {key:x?}");
// --
let dec = transaction.public_key_material(KeyType::Decryption)?;
let ts = times.decryption().unwrap().get().into();
let key = public_key_material_and_fp_to_key(
&dec,
KeyType::Decryption,
&ts,
fps.decryption().unwrap(),
)?;
println!(" dec key data from card -> {key:x?}");
// --
let auth = transaction.public_key_material(KeyType::Authentication)?;
let ts = times.authentication().unwrap().get().into();
let key = public_key_material_and_fp_to_key(
&auth,
KeyType::Authentication,
&ts,
fps.authentication().unwrap(),
)?;
println!(" auth key data from card -> {key:x?}");
Ok(vec![])
}
pub fn test_reset(tx: &mut Card<Transaction>, _param: &[&str]) -> Result<TestOutput, TestError> {
tx.factory_reset()?;
Ok(vec![])
}
/// Sets name, lang, sex, url; then reads the fields from the card and
/// compares the values with the expected values.
///
/// Returns an empty TestOutput, throws errors for unexpected Status codes
/// and for unequal field values.
pub fn test_set_user_data(
tx: &mut Card<Transaction>,
_param: &[&str],
) -> Result<TestOutput, TestError> {
let mut admin = tx.to_admin_card("12345678")?;
// name
admin.set_cardholder_name("Bar<<Foo")?;
// lang
admin.set_lang(&[['d', 'e'].into(), ['e', 'n'].into()])?;
// sex
admin.set_sex(Sex::Female)?;
// url
admin.set_url("https://duckduckgo.com/")?;
// reload application releated data
tx.reload_ard()?;
// compare the reloaded fields, expect equal data
let ch = tx.cardholder_related_data()?;
assert_eq!(ch.name(), Some("Bar<<Foo".as_bytes()));
assert_eq!(
ch.lang().expect("Language setting is None"),
&[['d', 'e'].into(), ['e', 'n'].into()]
);
assert_eq!(ch.sex(), Some(Sex::Female));
let url = tx.url()?;
assert_eq!(&url, "https://duckduckgo.com/");
Ok(vec![])
}
pub fn test_set_login_data(
tx: &mut Card<Transaction>,
_params: &[&str],
) -> std::result::Result<TestOutput, TestError> {
let mut admin = tx.to_admin_card("12345678")?;
let test_login = "someone@somewhere.com";
admin.set_login_data(test_login.as_bytes())?;
// Read the previously set login data
let read_login_data = tx.login_data()?;
assert_eq!(&read_login_data, test_login.as_bytes());
Ok(vec![])
}
// pub fn test_private_data(mut card: Card<Open>, _param: &[&str]) -> Result<TestOutput, TestError> {
// let mut transaction = card.transaction()?;
//
// let out = vec![];
//
// println!();
//
// let d = transaction.private_use_do(1)?;
// println!("data 1 {d:?}");
//
// transaction.verify_pw1_user(b"123456")?;
//
// transaction.set_private_use_do(1, "Foo bar1!".as_bytes().to_vec())?;
// transaction.set_private_use_do(3, "Foo bar3!".as_bytes().to_vec())?;
//
// transaction.verify_pw3(b"12345678")?;
//
// transaction.set_private_use_do(2, "Foo bar2!".as_bytes().to_vec())?;
// transaction.set_private_use_do(4, "Foo bar4!".as_bytes().to_vec())?;
//
// let d = transaction.private_use_do(1)?;
// println!("data 1 {d:?}");
// let d = transaction.private_use_do(2)?;
// println!("data 2 {d:?}");
// let d = transaction.private_use_do(3)?;
// println!("data 3 {d:?}");
// let d = transaction.private_use_do(4)?;
// println!("data 4 {d:?}");
//
// Ok(out)
// }
// pub fn test_cardholder_cert(
// card_tx: &mut CardApp,
// _param: &[&str],
// ) -> Result<TestOutput, TestError> {
// let mut out = vec![];
//
// println!();
//
// match card_tx.cardholder_certificate() {
// Ok(res) => {
// out.push(TestResult::Text(format!("got cert {:x?}", res.data())))
// }
// Err(e) => {
// out.push(TestResult::Text(format!(
// "get_cardholder_certificate failed: {:?}",
// e
// )));
// return Ok(out);
// }
// };
//
// card_tx.verify_pw3("12345678")?;
//
// let data = "Foo bar baz!".as_bytes();
//
// match card_tx.set_cardholder_certificate(data.to_vec()) {
// Ok(_resp) => out.push(TestResult::Text("set cert ok".to_string())),
// Err(e) => {
// out.push(TestResult::Text(format!(
// "set_cardholder_certificate: {:?}",
// e
// )));
// return Ok(out);
// }
// }
//
// let res = card_tx.cardholder_certificate()?;
// out.push(TestResult::Text("get cert ok".to_string()));
//
// if res.data() != data {
// out.push(TestResult::Text(format!(
// "get after set doesn't match original data: {:x?}",
// data
// )));
// return Ok(out);
// };
//
// // try using slot 2
//
// match card_tx.select_data(2, &[0x7F, 0x21]) {
// Ok(_res) => out.push(TestResult::Text("select_data ok".to_string())),
// Err(e) => {
// out.push(TestResult::Text(format!("select_data: {:?}", e)));
// return Ok(out);
// }
// }
//
// Ok(out)
// }
pub fn test_pw_status(mut card: Card<Open>, _param: &[&str]) -> Result<TestOutput, TestError> {
let mut transaction = card.transaction()?;
let out = vec![];
let mut pws = transaction.pw_status_bytes()?;
println!("pws {pws:?}");
let mut admin = transaction.to_admin_card("12345678")?;
pws.set_pw1_cds_valid_once(false);
pws.set_pw1_pin_block(true);
admin.set_pw_status_bytes(&pws, false)?;
transaction.reload_ard()?;
let pws = transaction.pw_status_bytes()?;
println!("pws {pws:?}");
Ok(out)
}
/// Outputs:
/// - verify pw3 (check) -> Status
/// - verify pw1 (check) -> Status
pub fn test_verify(mut card: Card<Open>, _param: &[&str]) -> Result<TestOutput, TestError> {
let mut transaction = card.transaction()?;
// Steps:
//
// - try to set name without verify, assert result is not ok
// - verify pw3 + pin -> Status
// - verify pw3 (check) -> Status
// - set name -> Status
// - get name -> Text(name)
// - verify pw1 + pin -> Status
// - verify pw1 (check) -> Status
// - set name -> Status
// - get name -> Text(name)
let mut out = vec![];
// try to set name without verify, assert result is not ok!
let mut admin = transaction.to_admin_card(None)?;
let res = admin.set_cardholder_name("Notverified<<Hello");
if let Err(Error::CardStatus(s)) = res {
assert_eq!(s, StatusBytes::SecurityStatusNotSatisfied);
} else {
panic!("Status should be 'SecurityStatusNotSatisfied'");
}
transaction.verify_admin(b"12345678")?;
match transaction.check_admin_verified() {
Err(Error::CardStatus(s)) => {
// e.g. yubikey5 returns an error status!
out.push(TestResult::Status(s));
}
Err(_) => {
panic!("unexpected error");
}
Ok(_) => out.push(TestResult::StatusOk),
}
let mut admin = transaction.to_admin_card(None)?;
admin.set_cardholder_name("Admin<<Hello")?;
transaction.reload_ard()?;
let cardholder = transaction.cardholder_related_data()?;
assert_eq!(cardholder.name(), Some("Admin<<Hello".as_bytes()));
transaction.verify_user(b"123456")?;
match transaction.check_user_verified() {
Err(Error::CardStatus(s)) => {
// e.g. yubikey5 returns an error status!
out.push(TestResult::Status(s));
}
Err(_) => {
panic!("unexpected error");
}
Ok(_) => out.push(TestResult::StatusOk),
}
let mut admin = transaction.to_admin_card(None)?;
admin.set_cardholder_name("There<<Hello")?;
transaction.reload_ard()?;
let cardholder = transaction.cardholder_related_data()?;
assert_eq!(cardholder.name(), Some("There<<Hello".as_bytes()));
Ok(out)
}
pub fn test_change_pw(mut card: Card<Open>, _param: &[&str]) -> Result<TestOutput, TestError> {
let mut transaction = card.transaction()?;
let out = vec![];
// first do admin-less pw1 on gnuk
// (NOTE: Gnuk requires a key to be loaded before allowing pw changes!)
println!("change pw1");
transaction.change_user_pin(b"123456", b"abcdef00")?;
// also set admin pw, which means pw1 is now only user-pw again, on gnuk
println!("change pw3");
// ca.change_pw3("abcdef00", "abcdefgh")?; // gnuk
transaction.change_admin_pin(b"12345678", b"abcdefgh")?;
println!("change pw1");
transaction.change_user_pin(b"abcdef00", b"abcdef")?; // gnuk
// ca.change_pw1("123456", "abcdef")?;
println!("verify bad pw1");
match transaction.verify_user(b"123456ab") {
Err(Error::CardStatus(StatusBytes::SecurityStatusNotSatisfied)) => {
// this is expected
}
Err(_) => {
panic!("unexpected error");
}
Ok(_) => panic!("this value for pw1 should be considered wrong!"),
}
println!("verify good pw1");
transaction.verify_user(b"abcdef")?;
println!("verify bad pw3");
match transaction.verify_admin(b"00000000") {
Err(Error::CardStatus(StatusBytes::SecurityStatusNotSatisfied)) => {
// this is expected
}
Err(_) => {
panic!("unexpected error");
}
Ok(_) => panic!("this value for pw3 should be considered wrong!"),
}
println!("verify good pw3");
transaction.verify_admin(b"abcdefgh")?;
println!("change pw3 back to default");
transaction.change_admin_pin(b"abcdefgh", b"12345678")?;
println!("change pw1 back to default");
transaction.change_user_pin(b"abcdef", b"123456")?;
Ok(out)
}
pub fn test_reset_retry_counter(
mut card: Card<Open>,
_param: &[&str],
) -> Result<TestOutput, TestError> {
let mut transaction = card.transaction()?;
let out = vec![];
// set pw3, then pw1 (to bring gnuk into non-admin mode)
println!("set pw3");
transaction.change_admin_pin(b"12345678", b"12345678")?;
println!("set pw1");
transaction.change_user_pin(b"123456", b"123456")?;
println!("break pw1");
let _ = transaction.verify_user(b"wrong0");
let _ = transaction.verify_user(b"wrong0");
let _ = transaction.verify_user(b"wrong0");
let res = transaction.verify_user(b"wrong0");
match res {
Err(Error::CardStatus(StatusBytes::AuthenticationMethodBlocked)) => {
// this is expected
}
Err(Error::CardStatus(StatusBytes::IncorrectParametersCommandDataField)) => {
println!(
"yk says IncorrectParametersCommandDataField when PW \
error count is exceeded"
);
}
Err(e) => {
panic!("unexpected error {:?}", e);
}
Ok(_) => panic!("use of pw1 should be blocked!"),
}
println!("verify pw3");
transaction.verify_admin(b"12345678")?;
println!("set resetting code");
let mut admin = transaction.to_admin_card(None)?;
admin.set_resetting_code(b"abcdefgh")?;
println!("reset retry counter");
// ca.reset_retry_counter_pw1("abcdef".as_bytes().to_vec(), None)?;
let _res = transaction.reset_user_pin(b"abcdef", b"abcdefgh");
println!("verify good pw1");
transaction.verify_user(b"abcdef")?;
println!("verify bad pw1");
match transaction.verify_user(b"00000000") {
Err(Error::CardStatus(StatusBytes::SecurityStatusNotSatisfied)) => {
// this is expected
}
Err(_) => {
panic!("unexpected error");
}
Ok(_) => panic!("this value for pw1 should be considered wrong!"),
}
Ok(out)
}
pub fn run_test(
card: &mut Card<Transaction>,
t: fn(&mut Card<Transaction>, &[&str]) -> Result<TestOutput, TestError>,
param: &[&str],
) -> Result<TestOutput, TestError> {
t(card, param)
}
Reference in a new issue View git blame Copy permalink