pass fido2 tests
@@ -387,13 +387,13 @@ class Tester():
def test_u2f(self,):
pass
def test_fido2_simple(self):
def test_fido2_simple(self, pin_token=None):
creds = []
exclude_list = []
rp = {'id': 'examplo.org', 'name': 'ExaRP'}
user = {'id': b'usee_od', 'name': 'AB User'}
challenge = 'Y2hhbGxlbmdl'
PIN = None
PIN = pin_token
fake_id1 = array.array('B',[randint(0,255) for i in range(0,150)]).tostring()
fake_id2 = array.array('B',[randint(0,255) for i in range(0,73)]).tostring()
@@ -488,6 +488,7 @@ class Tester():
attest.verify(data.hash)
cred = attest.auth_data.credential_data
creds.append(cred)
print(cred)
print('PASS')
if PIN is not None:
@@ -511,15 +512,19 @@ class Tester():
real_excl = [{'id': cred.credential_id, 'type': 'public-key'}]
try:
attest, data = self.client.make_credential(rp, user, challenge, pin = PIN, exclude_list = exclude_list + real_excl)
raise RuntimeError('Exclude list did not return expected error')
except CtapError as e:
assert(e.code == CtapError.ERR.CREDENTIAL_EXCLUDED)
except ClientError as e:
assert(e.cause.code == CtapError.ERR.CREDENTIAL_EXCLUDED)
print('PASS')
print('get assertion')
allow_list = [{'id':creds[0].credential_id, 'type': 'public-key'}]
assertions, client_data = self.client.get_assertion(rp['id'], challenge, allow_list, pin = PIN)
assertions[0].verify(client_data.hash, creds[0].public_key)
print('PASS')
for i, x in enumerate(creds):
print('get assertion %d' % i)
allow_list = [{'id':x.credential_id, 'type': 'public-key'}]
assertions, client_data = self.client.get_assertion(rp['id'], challenge, allow_list, pin = PIN)
assertions[0].verify(client_data.hash, x.public_key)
print('PASS')
if PIN is not None:
print('get assertion with wrong pin code')
@@ -531,11 +536,16 @@ class Tester():
assert(e.cause.code == CtapError.ERR.PIN_INVALID)
print('PASS')
print('get multiple assertions')
allow_list = [{'id': x.credential_id, 'type': 'public-key'} for x in creds]
assertions, client_data = self.client.get_assertion(rp['id'], challenge, allow_list, pin = PIN)
for ass,cred in zip(assertions, creds):
i += 1
ass.verify(client_data.hash, cred.public_key)
print('%d verified' % i)
print('PASS')
print('Reset device')
@@ -573,6 +583,20 @@ class Tester():
assert(e.code == CtapError.ERR.PIN_INVALID)
print('PASS')
print('MC using wrong pin')
try:
self.test_fido2_simple('abcd3');
except CtapError as e:
assert(e.code == CtapError.ERR.PIN_INVALID)
except ClientError as e:
assert(e.cause.code == CtapError.ERR.PIN_INVALID)
print('PASS')
print('Reboot device and hit enter')
input()
self.find_device()
self.test_fido2_simple(PIN);
print('Re-run make_credential and get_assertion tests with pin code')
test(self, PIN)
@@ -583,7 +607,6 @@ class Tester():
print('Warning, reset failed: ', e)
print('PASS')
def test_find_brute_force():
i = 0
while 1:
@@ -602,6 +625,6 @@ if __name__ == '__main__':
# t.test_hid()
# t.test_long_ping()
t.test_fido2()
#test_find_brute_force()
# test_find_brute_force()
#t.test_fido2_simple()
#t.test_fido2_brute_force()
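Review bot: The 'MC using wrong pin' check passes silently if the authenticator accepts the wrong PIN, because nothing after `self.test_fido2_simple('abcd3');` fails the test — unlike the exclude-list check in the earlier hunk, which follows `make_credential` with `raise RuntimeError('Exclude list did not return expected error')`. Add the same guard as the next line of that try body, `raise RuntimeError('Wrong PIN did not return expected error')`; a RuntimeError is neither a CtapError nor a ClientError, so it propagates instead of being treated as a pass. The closing `test(self, PIN)` calls a name `test` that is not visible in this hunk — if it is not a helper defined earlier in the enclosing method this is a NameError on the re-run path, and the trailing `;` on the two `test_fido2_simple` calls is noise. Separately, `array.array(...).tostring()` in the first hunk was removed in Python 3.9; `.tobytes()` is the drop-in replacement. The enclosing methods start and end outside these hunks.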
@@ -1,5 +1,6 @@
#!/usr/bin/env python
from __future__ import print_function
import base64
"""
cbytes.py
@@ -39,4 +40,6 @@ print()
print('code uint8_t __attest[] = \n%s;' % c_str)
print('const uint16_t __attest_size = sizeof(__attest)-1;')
b = base64.b64encode(buf)
print('b64: ')
print(b)
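Review bot: `print(b)` on the new last line prints the `bytes` value returned by `base64.b64encode(buf)`, which under Python 3 renders as `b'...'` with the prefix and quotes rather than as bare base64 text; the `from __future__ import print_function` line shows the script is meant to run on both major versions. `print(b.decode('ascii'))` gives the same plain base64 output on both.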
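--- /dev/null
+++ b/tools/gencert/gen_intermediate.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+keyname=interkey.pem
+certname=intercert.pem
+smallcertname=intercert.der
+curve=prime256v1
+
+[[ "$#" != 2 ]] && echo "usage: $0 <signing-key> <root-ca>" && exit 1
+
+# generate EC private key
+openssl ecparam -genkey -name "$curve" -out "$keyname" -rand seed.txt
+
+# generate a "signing request"
+openssl req -new -key "$keyname" -out "$keyname".csr -subj "/C=US/ST=Maryland/O=Solo Keys/OU=Authenticator Attestation/CN=solokeys.com/emailAddress=hello@solokeys.com"
+
+# sign the request
+openssl x509 -req -days 18250 -in "$keyname".csr -extfile v3.ext -CA "$2" -CAkey "$1" -set_serial 01 -out "$certname" -sha256
+
+# convert to smaller size format DER
+openssl x509 -in $certname -outform der -out $smallcertname
+
+openssl x509 -in $certname -text -noout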
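Review bot: `-set_serial 01` on the `openssl x509 -req` line hard-codes the intermediate certificate's serial number, so every run of this script under the same root CA issues a certificate with the same serial; X.509 requires serials to be unique per issuer, and reissuing with a duplicate serial breaks revocation lists and makes some verifiers reject the chain. Use a fresh serial per run, e.g. `-set_serial "0x$(openssl rand -hex 16)"`, or let OpenSSL track one with `-CAcreateserial`. `-rand seed.txt` only mixes that file into the RNG pool; if `seed.txt` is missing OpenSSL merely warns, and if it is a fixed file kept next to the script it contributes nothing, so it should not be read as a guarantee of key quality (the root-CA script in the next section adds the same option). The script runs with no `set -euo pipefail`, so a failed `openssl req` or `x509` step is not fatal and the later steps run on stale or missing files, and `$certname`/`$smallcertname` on the last two lines are unquoted unlike the earlier uses. `v3.ext` is read by the signing step but is not part of this commit as shown.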
@@ -6,12 +6,13 @@ smallcertname=cert.der
curve=prime256v1
# generate EC private key
openssl ecparam -genkey -name "$curve" -out "$keyname"
openssl ecparam -genkey -name "$curve" -out "$keyname" -rand seed.txt
# generate a "signing request"
openssl req -new -key "$keyname" -out "$keyname".csr
openssl req -new -key "$keyname" -out "$keyname".csr -subj "/C=US/ST=Maryland/O=Solo Keys/OU=Root CA/CN=solokeys.com/emailAddress=hello@solokeys.com"
# self sign the request
openssl x509 -req -days 18250 -in "$keyname".csr -signkey "$keyname" -out "$certname"
openssl x509 -trustout -req -days 18250 -in "$keyname".csr -signkey "$keyname" -out "$certname" -sha256
# convert to smaller size format DER
openssl x509 -in $certname -outform der -out $smallcertname
openssl x509 -in $certname -text -noout
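Review bot: The CA private key is written by `openssl ecparam -genkey -name "$curve" -out "$keyname" -rand seed.txt` with whatever umask the caller has, so the key file is typically created readable by every user on the machine; add `umask 077` before that line (or `chmod 600 "$keyname"` right after it) so only the owner can read it. The new `-rand seed.txt` option mixes that file into OpenSSL's pool and does not replace it; if `seed.txt` does not exist OpenSSL only warns, and if it is a fixed file shared with the script it adds no entropy. The script has no `set -e`, so a failed key generation still leads to the self-sign step running on an old `"$keyname"`. This section's file header is not shown; the `OU=Root CA` subject suggests it is the root-CA generator.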
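--- /dev/null
+++ b/tools/gencert/print_x_y.py
@@ -0,0 +1,16 @@
+import sys
+from ecdsa import SigningKey, NIST256p
+
+sk = SigningKey.from_pem(open(sys.argv[1]).read())
+
+
+print('Private key in various formats:')
+print()
+print([c for c in sk.to_string()])
+print()
+print(''.join(['%02x'%c for c in sk.to_string()]))
+print()
+print('"\\x' + '\\x'.join(['%02x'%c for c in sk.to_string()]) + '"')
+print()
+
+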
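Review bot: `open(sys.argv[1]).read()` on the `sk =` line never closes the file handle; `with open(sys.argv[1]) as f: sk = SigningKey.from_pem(f.read())` is the idiomatic form. Each `'%02x'%c` relies on iterating `sk.to_string()` yielding ints, which is Python 3 only, while the other Python tool in this commit uses `print_function` for 2/3 compatibility — a `#!/usr/bin/env python3` shebang would make that explicit. The name `print_x_y.py` suggests the public point coordinates, but the script prints only the private scalar in three encodings, so a one-line module docstring such as `"""Dump the private scalar of a PEM EC key as a list, hex and a C string literal."""` would stop someone running it where stdout is captured or logged. `NIST256p` is imported but never used.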
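--- /dev/null
+++ b/tools/gencert/verify_certs.sh
@@ -0,0 +1,22 @@
+
+# verify that the root CA/keypair and intermediate CA/keypairs are set up correctly.
+
+[[ "$#" != 4 ]] && echo "usage: $0 <inter-key> <inter-cert> <root-key> <root-cert>" && exit 1
+
+ikey=$1
+icert=$2
+
+rkey=$3
+rcert=$4
+
+echo 'challenge $RANDOM' > chal.txt
+
+# check that they are actual key pairs
+openssl dgst -sha256 -sign "$ikey" -out sig.txt chal.txt
+openssl dgst -sha256 -verify <(openssl x509 -in "$icert" -pubkey -noout) -signature sig.txt chal.txt
+
+openssl dgst -sha256 -sign "$rkey" -out sig.txt chal.txt
+openssl dgst -sha256 -verify <(openssl x509 -in "$rcert" -pubkey -noout) -signature sig.txt chal.txt
+
+# Check they are a chain
+openssl verify -verbose -CAfile "$rcert" "$icert"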
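Review bot: `echo 'challenge $RANDOM' > chal.txt` uses single quotes, so `$RANDOM` is never expanded and the signed message is the literal text `challenge $RANDOM` on every run; use double quotes if a varying challenge is intended (a fixed message is harmless for a key-pair sanity check, but then the line should not suggest otherwise). None of the `openssl dgst -verify` or `openssl verify` results affect the script's exit status: the file has no shebang and no `set -euo pipefail`, so a failed verification scrolls past and the script still exits 0, which defeats its purpose as a check — add `#!/bin/bash` and `set -euo pipefail` at the top (the `[[ ]]` and `<( )` constructs already require bash). `sig.txt` and `chal.txt` are left behind in the working directory afterwards; a `trap 'rm -f sig.txt chal.txt' EXIT` after the argument check cleans them up.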