summaryrefslogtreecommitdiff
path: root/unittest/test_bindings.py
diff options
context:
space:
mode:
Diffstat (limited to 'unittest/test_bindings.py')
-rw-r--r--unittest/test_bindings.py654
1 files changed, 0 insertions, 654 deletions
diff --git a/unittest/test_bindings.py b/unittest/test_bindings.py
deleted file mode 100644
index f7ade46..0000000
--- a/unittest/test_bindings.py
+++ /dev/null
@@ -1,654 +0,0 @@
-import pytest
-import cffi
-from enum import Enum
-
-ffi = cffi.FFI()
-gs = ffi.string
-
-
-def to_hex(s):
- return "".join("{:02x}".format(ord(c)) for c in s)
-
-
-def wait(t):
- import time
- msg = 'Waiting for %d seconds' % t
- print(msg.center(40, '='))
- time.sleep(t)
-
-
-RFC_SECRET_HR = '12345678901234567890'
-RFC_SECRET = to_hex(RFC_SECRET_HR) # '12345678901234567890'
-
-
-# print( repr((RFC_SECRET, RFC_SECRET_, len(RFC_SECRET))) )
-
-class DefaultPasswords(Enum):
- ADMIN = '12345678'
- USER = '123456'
- ADMIN_TEMP = '123123123'
- USER_TEMP = '234234234'
-
-
-class DeviceErrorCode(Enum):
- STATUS_OK = 0
- NOT_PROGRAMMED = 3
- WRONG_PASSWORD = 4
- STATUS_NOT_AUTHORIZED = 5
- STATUS_AES_DEC_FAILED = 0xa
-
-
-class LibraryErrors(Enum):
- TOO_LONG_STRING = 200
- INVALID_SLOT = 201
- INVALID_HEX_STRING = 202
- TARGET_BUFFER_SIZE_SMALLER_THAN_SOURCE = 203
-
-
-@pytest.fixture(scope="module")
-def C(request):
- fp = '../NK_C_API.h'
-
- declarations = []
- with open(fp, 'r') as f:
- declarations = f.readlines()
-
- a = iter(declarations)
- for declaration in a:
- if declaration.startswith('extern') and not '"C"' in declaration:
- declaration = declaration.replace('extern', '').strip()
- while not ';' in declaration:
- declaration += (next(a)).strip()
- print(declaration)
- ffi.cdef(declaration)
-
- C = ffi.dlopen("../build/libnitrokey.so")
- C.NK_set_debug(False)
- nk_login = C.NK_login_auto()
- if nk_login != 1:
- print('No devices detected!')
- assert nk_login == 1 # returns 0 if not connected or wrong model or 1 when connected
-
- # assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- # assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
-
- # C.NK_status()
-
- def fin():
- print('\nFinishing connection to device')
- C.NK_logout()
- print('Finished')
-
- request.addfinalizer(fin)
- C.NK_set_debug(True)
-
- return C
-
-
-def get_firmware_version_from_status(C):
- status = gs(C.NK_status())
- status = [s if 'firmware_version' in s else '' for s in status.split('\n')]
- firmware = status[0].split(':')[1]
- return firmware
-
-
-def is_pro_rtm_07(C):
- firmware = get_firmware_version_from_status(C)
- return '07 00' in firmware
-
-
-def is_storage(C):
- """
- exact firmware storage is sent by other function
- """
- firmware = get_firmware_version_from_status(C)
- return '01 00' in firmware
-
-
-def test_enable_password_safe(C):
- assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
- assert C.NK_enable_password_safe('wrong_password') == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
-
-
-def test_write_password_safe_slot(C):
- assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
- assert C.NK_write_password_safe_slot(0, 'slotname1', 'login1', 'pass1') == DeviceErrorCode.STATUS_NOT_AUTHORIZED
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_password_safe_slot(0, 'slotname1', 'login1', 'pass1') == DeviceErrorCode.STATUS_OK
-
-
-def test_get_password_safe_slot_name(C):
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_password_safe_slot(0, 'slotname1', 'login1', 'pass1') == DeviceErrorCode.STATUS_OK
- assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
- assert gs(C.NK_get_password_safe_slot_name(0)) == ''
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
-
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- assert gs(C.NK_get_password_safe_slot_name(0)) == 'slotname1'
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
-
-
-def test_get_password_safe_slot_login_password(C):
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_password_safe_slot(0, 'slotname1', 'login1', 'pass1') == DeviceErrorCode.STATUS_OK
- slot_login = C.NK_get_password_safe_slot_login(0)
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
- assert gs(slot_login) == 'login1'
- slot_password = gs(C.NK_get_password_safe_slot_password(0))
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
- assert slot_password == 'pass1'
-
-
-def test_erase_password_safe_slot(C):
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- assert C.NK_erase_password_safe_slot(0) == DeviceErrorCode.STATUS_OK
- assert gs(C.NK_get_password_safe_slot_name(0)) == ''
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK # TODO CHECK shouldn't this be DeviceErrorCode.NOT_PROGRAMMED ?
-
-
-def test_password_safe_slot_status(C):
- C.NK_set_debug(True)
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- assert C.NK_erase_password_safe_slot(0) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_password_safe_slot(1, 'slotname2', 'login2', 'pass2') == DeviceErrorCode.STATUS_OK
- safe_slot_status = C.NK_get_password_safe_slot_status()
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
- is_slot_programmed = list(ffi.cast("uint8_t [16]", safe_slot_status)[0:16])
- print((is_slot_programmed, len(is_slot_programmed)))
- assert is_slot_programmed[0] == 0
- assert is_slot_programmed[1] == 1
-
-
-def test_issue_device_locks_on_second_key_generation_in_sequence(C):
- if is_pro_rtm_07(C):
- pytest.skip("issue to register: device locks up "
- "after below commands sequence (reinsertion fixes), skipping for now")
- assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
- assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
-
-
-def test_regenerate_aes_key(C):
- C.NK_set_debug(True)
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
-
-
-@pytest.mark.xfail(reason="NK Pro firmware bug: regenerating AES key command not always results in cleared slot data")
-def test_destroy_password_safe(C):
- """
- Sometimes fails on NK Pro - slot name is not cleared ergo key generation has not succeed despite the success result
- returned from the device
- """
- C.NK_set_debug(True)
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- # write password safe slot
- assert C.NK_write_password_safe_slot(0, 'slotname1', 'login1', 'pass1') == DeviceErrorCode.STATUS_OK
- # read slot
- assert gs(C.NK_get_password_safe_slot_name(0)) == 'slotname1'
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
- slot_login = C.NK_get_password_safe_slot_login(0)
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
- assert gs(slot_login) == 'login1'
- # destroy password safe by regenerating aes key
- assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
-
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
-
- assert gs(C.NK_get_password_safe_slot_name(0)) != 'slotname1'
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
-
- # check was slot status cleared
- safe_slot_status = C.NK_get_password_safe_slot_status()
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
- is_slot_programmed = list(ffi.cast("uint8_t [16]", safe_slot_status)[0:16])
- assert is_slot_programmed[0] == 0
-
-
-def test_is_AES_supported(C):
- if is_storage(C):
- pytest.skip("Storage does not implement this command")
- assert C.NK_is_AES_supported('wrong password') != 1
- assert C.NK_get_last_command_status() == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_is_AES_supported(DefaultPasswords.USER) == 1
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
-
-
-def test_admin_PIN_change(C):
- new_password = '123123123'
- assert C.NK_change_admin_PIN('wrong_password', new_password) == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_change_admin_PIN(DefaultPasswords.ADMIN, new_password) == DeviceErrorCode.STATUS_OK
- assert C.NK_change_admin_PIN(new_password, DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
-
-
-def test_user_PIN_change(C):
- new_password = '123123123'
- assert C.NK_change_user_PIN('wrong_password', new_password) == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_change_user_PIN(DefaultPasswords.USER, new_password) == DeviceErrorCode.STATUS_OK
- assert C.NK_change_user_PIN(new_password, DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
-
-
-def test_too_long_strings(C):
- new_password = '123123123'
- long_string = 'a' * 100
- assert C.NK_change_user_PIN(long_string, new_password) == LibraryErrors.TOO_LONG_STRING
- assert C.NK_change_user_PIN(new_password, long_string) == LibraryErrors.TOO_LONG_STRING
- assert C.NK_change_admin_PIN(long_string, new_password) == LibraryErrors.TOO_LONG_STRING
- assert C.NK_change_admin_PIN(new_password, long_string) == LibraryErrors.TOO_LONG_STRING
- assert C.NK_first_authenticate(long_string, DefaultPasswords.ADMIN_TEMP) == LibraryErrors.TOO_LONG_STRING
- assert C.NK_erase_totp_slot(0, long_string) == LibraryErrors.TOO_LONG_STRING
- digits = False
- assert C.NK_write_hotp_slot(1, long_string, RFC_SECRET, 0, digits, False, False, "",
- DefaultPasswords.ADMIN_TEMP) == LibraryErrors.TOO_LONG_STRING
- assert C.NK_write_hotp_slot(1, 'long_test', RFC_SECRET, 0, digits, False, False, "",
- long_string) == LibraryErrors.TOO_LONG_STRING
- assert C.NK_get_hotp_code_PIN(0, long_string) == 0
- assert C.NK_get_last_command_status() == LibraryErrors.TOO_LONG_STRING
-
-
-def test_invalid_slot(C):
- invalid_slot = 255
- assert C.NK_erase_totp_slot(invalid_slot, 'some password') == LibraryErrors.INVALID_SLOT
- assert C.NK_write_hotp_slot(invalid_slot, 'long_test', RFC_SECRET, 0, False, False, False, "",
- 'aaa') == LibraryErrors.INVALID_SLOT
- assert C.NK_get_hotp_code_PIN(invalid_slot, 'some password') == 0
- assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT
- assert C.NK_erase_password_safe_slot(invalid_slot) == LibraryErrors.INVALID_SLOT
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- assert gs(C.NK_get_password_safe_slot_name(invalid_slot)) == ''
- assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT
- assert gs(C.NK_get_password_safe_slot_login(invalid_slot)) == ''
- assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT
-
-
-def test_admin_retry_counts(C):
- default_admin_retry_count = 3
- assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
- assert C.NK_get_admin_retry_count() == default_admin_retry_count
- assert C.NK_change_admin_PIN('wrong_password', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_get_admin_retry_count() == default_admin_retry_count - 1
- assert C.NK_change_admin_PIN(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
- assert C.NK_get_admin_retry_count() == default_admin_retry_count
-
-
-def test_user_retry_counts_change_PIN(C):
- assert C.NK_change_user_PIN(DefaultPasswords.USER, DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- wrong_password = 'wrong_password'
- default_user_retry_count = 3
- assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
- assert C.NK_get_user_retry_count() == default_user_retry_count
- assert C.NK_change_user_PIN(wrong_password, wrong_password) == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_get_user_retry_count() == default_user_retry_count - 1
- assert C.NK_change_user_PIN(DefaultPasswords.USER, DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- assert C.NK_get_user_retry_count() == default_user_retry_count
-
-def test_user_retry_counts_PWSafe(C):
- default_user_retry_count = 3
- assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
- assert C.NK_get_user_retry_count() == default_user_retry_count
- assert C.NK_enable_password_safe('wrong_password') == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_get_user_retry_count() == default_user_retry_count - 1
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- assert C.NK_get_user_retry_count() == default_user_retry_count
-
-
-def test_unlock_user_password(C):
- C.NK_set_debug(True)
- default_user_retry_count = 3
- default_admin_retry_count = 3
- new_password = '123123123'
- assert C.NK_get_user_retry_count() == default_user_retry_count
- assert C.NK_change_user_PIN('wrong_password', new_password) == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_change_user_PIN('wrong_password', new_password) == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_change_user_PIN('wrong_password', new_password) == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_get_user_retry_count() == default_user_retry_count - 3
- assert C.NK_get_admin_retry_count() == default_admin_retry_count
-
- assert C.NK_unlock_user_password('wrong password', DefaultPasswords.USER) == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_get_admin_retry_count() == default_admin_retry_count - 1
- assert C.NK_unlock_user_password(DefaultPasswords.ADMIN, DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- assert C.NK_get_user_retry_count() == default_user_retry_count
- assert C.NK_get_admin_retry_count() == default_admin_retry_count
-
-
-def test_admin_auth(C):
- assert C.NK_first_authenticate('wrong_password', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
-
-
-def test_user_auth(C):
- assert C.NK_user_authenticate('wrong_password', DefaultPasswords.USER_TEMP) == DeviceErrorCode.WRONG_PASSWORD
- assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
-
-
-def check_HOTP_RFC_codes(C, func, prep=None, use_8_digits=False):
- """
- # https://tools.ietf.org/html/rfc4226#page-32
- """
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_hotp_slot(1, 'python_test', RFC_SECRET, 0, use_8_digits, False, False, "",
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- test_data = [
- 1284755224, 1094287082, 137359152, 1726969429, 1640338314, 868254676, 1918287922, 82162583, 673399871,
- 645520489,
- ]
- for code in test_data:
- if prep:
- prep()
- r = func(1)
- code = str(code)[-8:] if use_8_digits else str(code)[-6:]
- assert int(code) == r
-
-
-@pytest.mark.parametrize("use_8_digits", [False, True, ])
-@pytest.mark.parametrize("use_pin_protection", [False, True, ])
-def test_HOTP_RFC_use8digits_usepin(C, use_8_digits, use_pin_protection):
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection,
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- if use_pin_protection:
- check_HOTP_RFC_codes(C,
- lambda x: C.NK_get_hotp_code_PIN(x, DefaultPasswords.USER_TEMP),
- lambda: C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP),
- use_8_digits=use_8_digits)
- else:
- check_HOTP_RFC_codes(C, C.NK_get_hotp_code, use_8_digits=use_8_digits)
-
-
-def test_HOTP_token(C):
- """
- Check HOTP routine with written token ID to slot.
- """
- use_pin_protection = False
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection,
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- token_ID = "AAV100000022"
- assert C.NK_write_hotp_slot(1, 'python_test', RFC_SECRET, 0, False, False, True, token_ID,
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- for i in range(5):
- hotp_code = C.NK_get_hotp_code(1)
- assert hotp_code != 0
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
-
-def test_HOTP_counters(C):
- """
- # https://tools.ietf.org/html/rfc4226#page-32
- """
- use_pin_protection = False
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection,
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- use_8_digits = True
- HOTP_test_data = [
- 1284755224, 1094287082, 137359152, 1726969429, 1640338314,
- 868254676, 1918287922, 82162583, 673399871, 645520489,
- ]
- slot_number = 1
- for counter, code in enumerate(HOTP_test_data):
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_hotp_slot(slot_number, 'python_test', RFC_SECRET, counter, use_8_digits, False, False, "",
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- r = C.NK_get_hotp_code(slot_number)
- code = str(code)[-8:] if use_8_digits else str(code)[-6:]
- assert int(code) == r
-
-
-INT32_MAX = 2 ** 31 - 1
-def test_HOTP_64bit_counter(C):
- if is_storage(C):
- pytest.xfail('bug in NK Storage HOTP firmware - counter is set with a 8 digits string, '
- 'however int32max takes 10 digits to be written')
- oath = pytest.importorskip("oath")
- lib_at = lambda t: oath.hotp(RFC_SECRET, t, format='dec6')
- PIN_protection = False
- use_8_digits = False
- slot_number = 1
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- dev_res = []
- lib_res = []
- for t in range(INT32_MAX - 5, INT32_MAX + 5, 1):
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_hotp_slot(slot_number, 'python_test', RFC_SECRET, t, use_8_digits, False, False, "",
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- code_device = str(C.NK_get_hotp_code(slot_number))
- dev_res += (t, code_device)
- lib_res += (t, lib_at(t))
- assert dev_res == lib_res
-
-
-def test_TOTP_64bit_time(C):
- if is_storage(C):
- pytest.xfail('bug in NK Storage TOTP firmware')
- oath = pytest.importorskip("oath")
- T = 1
- lib_at = lambda t: oath.totp(RFC_SECRET, t=t)
- PIN_protection = False
- slot_number = 1
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_totp_slot(slot_number, 'python_test', RFC_SECRET, 30, False, False, False, "",
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- dev_res = []
- lib_res = []
- for t in range(INT32_MAX - 5, INT32_MAX + 5, 1):
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_totp_set_time(t) == DeviceErrorCode.STATUS_OK
- code_device = str((C.NK_get_totp_code(slot_number, T, 0, 30)))
- dev_res += (t, code_device)
- lib_res += (t, lib_at(t))
- assert dev_res == lib_res
-
-
-@pytest.mark.xfail(reason="NK Pro: possible firmware bug or communication issue: set time command not always changes the time on stick thus failing this test, "
- "this does not influence normal use since setting time is not done every TOTP code request"
- "Rarely fail occurs on NK Storage")
-@pytest.mark.parametrize("PIN_protection", [False, True, ])
-def test_TOTP_RFC_usepin(C, PIN_protection):
- slot_number = 1
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- # test according to https://tools.ietf.org/html/rfc6238#appendix-B
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_totp_slot(slot_number, 'python_test', RFC_SECRET, 30, True, False, False, "",
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
-
- get_func = None
- if PIN_protection:
- get_func = lambda x, y, z, r: C.NK_get_totp_code_PIN(x, y, z, r, DefaultPasswords.USER_TEMP)
- else:
- get_func = C.NK_get_totp_code
-
- # Mode: Sha1, time step X=30
- test_data = [
- #Time T (hex) TOTP
- (59, 0x1, 94287082),
- (1111111109, 0x00000000023523EC, 7081804),
- (1111111111, 0x00000000023523ED, 14050471),
- (1234567890, 0x000000000273EF07, 89005924),
- (2000000000, 0x0000000003F940AA, 69279037),
- # (20000000000, 0x0000000027BC86AA, 65353130), # 64bit is also checked in other test
- ]
- responses = []
- data = []
- correct = 0
- for t, T, expected_code in test_data:
- if PIN_protection:
- C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP)
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_totp_set_time(t) == DeviceErrorCode.STATUS_OK
- code_from_device = get_func(slot_number, T, 0, 30) # FIXME T is not changing the outcome
- data += [ (t, expected_code) ]
- responses += [ (t, code_from_device) ]
- correct += expected_code == code_from_device
- assert data == responses or correct == len(test_data)
-
-def test_get_slot_names(C):
- C.NK_set_debug(True)
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_erase_totp_slot(0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- # erasing slot invalidates temporary password, so requesting authentication
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_erase_hotp_slot(0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
-
- for i in range(15):
- name = ffi.string(C.NK_get_totp_slot_name(i))
- if name == '':
- assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
- for i in range(3):
- name = ffi.string(C.NK_get_hotp_slot_name(i))
- if name == '':
- assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
-
-
-def test_get_OTP_codes(C):
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- for i in range(15):
- code = C.NK_get_totp_code(i, 0, 0, 0)
- if code == 0:
- assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
-
- for i in range(3):
- code = C.NK_get_hotp_code(i)
- if code == 0:
- assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
-
-
-def test_get_OTP_code_from_not_programmed_slot(C):
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_erase_hotp_slot(0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_erase_totp_slot(0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
-
- code = C.NK_get_hotp_code(0)
- assert code == 0
- assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
-
- code = C.NK_get_totp_code(0, 0, 0, 0)
- assert code == 0
- assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
-
-
-def test_get_code_user_authorize(C):
- C.NK_set_debug(True)
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_totp_slot(0, 'python_otp_auth', RFC_SECRET, 30, True, False, False, "",
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- # enable PIN protection of OTP codes with write_config
- # TODO create convinience function on C API side to enable/disable OTP USER_PIN protection
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- code = C.NK_get_totp_code(0, 0, 0, 0)
- assert code == 0
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
- # disable PIN protection with write_config
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- code = C.NK_get_totp_code(0, 0, 0, 0)
- assert code != 0
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
-
-
-def cast_pointer_to_tuple(obj, typen, len):
- # usage:
- # config = cast_pointer_to_tuple(config_raw_data, 'uint8_t', 5)
- return tuple(ffi.cast("%s [%d]" % (typen, len), obj)[0:len])
-
-
-def test_read_write_config(C):
- C.NK_set_debug(True)
-
- # let's set sample config with pin protection and disabled scrolllock
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(0, 1, 2, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- config_raw_data = C.NK_read_config()
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
- config = cast_pointer_to_tuple(config_raw_data, 'uint8_t', 5)
- assert config == (0, 1, 2, True, False)
-
- # restore defaults and check
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- config_raw_data = C.NK_read_config()
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
- config = cast_pointer_to_tuple(config_raw_data, 'uint8_t', 5)
- assert config == (255, 255, 255, False, True)
-
-
-def test_factory_reset(C):
- if is_storage(C):
- pytest.skip('Recovery not implemented for NK Storage')
- C.NK_set_debug(True)
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_hotp_slot(1, 'python_test', RFC_SECRET, 0, False, False, False, "",
- DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_get_hotp_code(1) == 755224
- assert C.NK_factory_reset(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
- wait(10)
- assert C.NK_get_hotp_code(1) != 287082
- assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
- # restore AES key
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
- assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
- assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
-
-
-@pytest.mark.skip(reason='Experimental')
-def test_clear(C):
- d = 'asdasdasd'
- print(d)
- C.clear_password(d)
- print(d)
-
-
-def test_get_status(C):
- status = C.NK_status()
- s = gs(status)
- assert len(s) > 0
-
-
-def test_get_serial_number(C):
- sn = C.NK_device_serial_number()
- sn = gs(sn)
- assert len(sn) > 0
- print(('Serial number of the device: ', sn))
-
-
-@pytest.mark.parametrize("invalid_hex_string",
- ['text', '00 ', '0xff', 'zzzzzzzzzzzz', 'fff', '', 'f' * 257, 'f' * 258])
-def test_invalid_secret_hex_string_for_OTP_write(C, invalid_hex_string):
- """
- Tests for invalid secret hex string during writing to OTP slot. Invalid strings are not hexadecimal number,
- empty or longer than 255 characters.
- """
- assert C.NK_write_hotp_slot(1, 'slot_name', invalid_hex_string, 0, True, False, False, '',
- DefaultPasswords.ADMIN_TEMP) == LibraryErrors.INVALID_HEX_STRING
- assert C.NK_write_totp_slot(1, 'python_test', invalid_hex_string, 30, True, False, False, "",
- DefaultPasswords.ADMIN_TEMP) == LibraryErrors.INVALID_HEX_STRING
-
-
-def test_warning_binary_bigger_than_secret_buffer(C):
- invalid_hex_string = to_hex('1234567890') * 3
- assert C.NK_write_hotp_slot(1, 'slot_name', invalid_hex_string, 0, True, False, False, '',
- DefaultPasswords.ADMIN_TEMP) == LibraryErrors.TARGET_BUFFER_SIZE_SMALLER_THAN_SOURCE
-
-
-@pytest.mark.xfail(reason="TODO")
-def test_OTP_secret_started_from_null(C):
- assert False