tests for client pin

2019-03-03 17:17:04 -05:00 · 2019-03-03 17:17:04 -05:00 · 67faef0117
commit 67faef0117
parent 0b9f0af3c7
1 changed files with 169 additions and 39 deletions
--- a/tools/ctap_test.py
+++ b/tools/ctap_test.py
@ -23,7 +23,7 @@ from fido2.ctap import CtapError
 from fido2.ctap1 import CTAP1, ApduError, APDU
 from fido2.ctap2 import *
 from fido2.cose import *
-from fido2.utils import Timeout, sha256
+from fido2.utils import Timeout, sha256, hmac_sha256
 from fido2.attestation import Attestation

 from solo.fido2 import force_udp_backend
@ -761,6 +761,7 @@ class Tester:
        user2 = {"id": b"oiewhfoi", "name": "Han Solo"}
        user3 = {"id": b"23ohfpjwo@@", "name": "John Smith"}
        challenge = "Y2hhbGxlbmdl"
+        pin_protocol = 1
        key_params = [{"type": "public-key", "alg": ES256.ALGORITHM}]
        cdh = b"123456789abcdef0123456789abcdef0"

@ -784,12 +785,21 @@ class Tester:
            print("Pass")
            return res

+        def testReset():
+            print("Resetting Authenticator...")
+            self.ctap.reset()
+
        def testMC(test, *args, **kwargs):
            return testFunc(self.ctap.make_credential, test, *args, **kwargs)

        def testGA(test, *args, **kwargs):
            return testFunc(self.ctap.get_assertion, test, *args, **kwargs)

+        def testCP(test, *args, **kwargs):
+            return testFunc(self.ctap.client_pin, test, *args, **kwargs)
+
+        testReset()
+
        print("Get info")
        info = self.ctap.get_info()

@ -1284,10 +1294,9 @@ class Tester:
            allow_list + [{"type": b"public-key"}],
        )

-        print("Test Reset, expect SUCCESS")
-        self.ctap.reset()
-        print("Pass")
+        testReset()

+        def testRk(pin_code=None):
            testGA(
                "Send GA request with reset auth, expect NO_CREDENTIALS",
                rp["id"],
@ -1296,13 +1305,21 @@ class Tester:
                expectedError=CtapError.ERR.NO_CREDENTIALS,
            )

+            pin_auth = None
+            if pin_code:
+                print("Setting pin code ...")
+                self.client.pin_protocol.set_pin(pin_code)
+                pin_token = self.client.pin_protocol.get_pin_token(pin_code)
+                pin_auth = hmac_sha256(pin_token, cdh)[:16]
+                print("Pass")
+
            testMC(
                "Send MC request with rk option set to true, expect SUCCESS",
                cdh,
                rp,
                user,
                key_params,
-            other={"options": {"rk": True}},
+                other={"options": {"rk": True}, "pin_auth": pin_auth},
                expectedError=CtapError.ERR.SUCCESS,
            )

@ -1318,7 +1335,7 @@ class Tester:
                    rp2,
                    x,
                    key_params,
-                other={"options": options},
+                    other={"options": options, "pin_auth": pin_auth},
                    expectedError=CtapError.ERR.SUCCESS,
                )

@ -1326,6 +1343,7 @@ class Tester:
                "Send GA request with no allow_list, expect SUCCESS",
                rp2["id"],
                cdh,
+                other={"options": options, "pin_auth": pin_auth},
                expectedError=CtapError.ERR.SUCCESS,
            )

@ -1338,11 +1356,123 @@ class Tester:
            auth3 = self.ctap.get_next_assertion()
            print("Pass")

+            if not pin_code:
                print("Check only the user ID was returned")
                assert "id" in auth1.user.keys() and len(auth1.user.keys()) == 1
                assert "id" in auth2.user.keys() and len(auth2.user.keys()) == 1
                assert "id" in auth3.user.keys() and len(auth3.user.keys()) == 1
                print("Pass")
+            else:
+                print("Check that all user info was returned")
+                for x in (auth1, auth2, auth3):
+                    for y in ("name", "icon", "displayName", "id"):
+                        assert y in x.user.keys()
+                    assert len(x.user.keys()) == 4
+                print("Pass")
+
+            print("Send an extra getNextAssertion request, expect error")
+            try:
+                auth4 = self.ctap.get_next_assertion()
+            except CtapError as e:
+                print(e)
+            print("Pass")
+
+        testRk(None)
+        #
+        # print("Assuming authenticator does NOT have a display.")
+        pin1 = "1234567890"
+        testRk("1234567890")
+
+        # PinProtocolV1
+        res = testCP(
+            "Test getKeyAgreement, expect SUCCESS",
+            pin_protocol,
+            PinProtocolV1.CMD.GET_KEY_AGREEMENT,
+            expectedError=CtapError.ERR.SUCCESS,
+        )
+
+        print("Test getKeyAgreement has appropriate fields")
+        key = res[1]
+        assert "Is public key" and key[1] == 2
+        assert "Is P256" and key[-1] == 1
+        assert "Is right alg" and key[3] == -7
+        assert "Right key" and len(key[-3]) == 32 and type(key[-3]) == type(bytes())
+        print("Pass")
+
+        print("Test setting a new pin")
+        pin2 = "qwertyuiop\x11\x22\x33\x00123"
+        self.client.pin_protocol.change_pin(pin1, pin2)
+        print("Pass")
+
+        print("Test getting new pin_auth")
+        pin_token = self.client.pin_protocol.get_pin_token(pin2)
+        pin_auth = hmac_sha256(pin_token, cdh)[:16]
+        print("Pass")
+
+        res_mc = testMC(
+            "Send MC request with new pin auth",
+            cdh,
+            rp,
+            user,
+            key_params,
+            other={"pin_auth": pin_auth},
+            expectedError=CtapError.ERR.SUCCESS,
+        )
+
+        print("Check UV flag is set")
+        assert res_mc.auth_data.flags & (1 << 2)
+        print("Pass")
+
+        res_ga = testGA(
+            "Send GA request with no allow_list, expect SUCCESS",
+            rp["id"],
+            cdh,
+            [
+                {
+                    "type": "public-key",
+                    "id": res_mc.auth_data.credential_data.credential_id,
+                }
+            ],
+            other={"pin_auth": pin_auth},
+            expectedError=CtapError.ERR.SUCCESS,
+        )
+
+        print("Check UV flag is set")
+        assert res_ga.auth_data.flags & (1 << 2)
+        print("Pass")
+
+        testReset()
+
+        print("Setting pin code, expect SUCCESS")
+        self.client.pin_protocol.set_pin(pin1)
+        print("Pass")
+
+        testReset()
+
+        # print("Setting pin code <4 bytes, expect POLICY_VIOLATION ")
+        # try:
+        #     self.client.pin_protocol.set_pin("123")
+        # except CtapError as e:
+        #     assert e.code == CtapError.ERR.POLICY_VIOLATION
+        # print("Pass")
+
+        print("Setting pin code >63 bytes, expect POLICY_VIOLATION ")
+        try:
+            self.client.pin_protocol.set_pin("A" * 64)
+        except CtapError as e:
+            assert e.code == CtapError.ERR.PIN_POLICY_VIOLATION
+        print("Pass")
+
+        res = testCP(
+            "Test getRetries, expect SUCCESS",
+            pin_protocol,
+            PinProtocolV1.CMD.GET_RETRIES,
+            expectedError=CtapError.ERR.SUCCESS,
+        )
+
+        print("Check there is 8 tries")
+        assert res[3] == 8
+        print("Pass")

    def test_rk(self,):
        creds = []