summaryrefslogtreecommitdiff
path: root/unittest
diff options
context:
space:
mode:
Diffstat (limited to 'unittest')
-rw-r--r--unittest/test_bindings.py230
1 files changed, 185 insertions, 45 deletions
diff --git a/unittest/test_bindings.py b/unittest/test_bindings.py
index afe7d0d..5688adb 100644
--- a/unittest/test_bindings.py
+++ b/unittest/test_bindings.py
@@ -20,6 +20,7 @@ class DeviceErrorCode(Enum):
NOT_PROGRAMMED = 3
WRONG_PASSWORD = 4
STATUS_NOT_AUTHORIZED = 5
+ STATUS_AES_DEC_FAILED = 0xa
@pytest.fixture(scope="module")
@@ -30,25 +31,28 @@ def C(request):
with open(fp, 'r') as f:
declarations = f.readlines()
- for declaration in declarations:
- # extern int NK_write_totp_slot(int slot_number, char* secret, int time_window);
- if 'extern' in declaration and not '"C"' in declaration:
+ a = iter(declarations)
+ for declaration in a:
+ if declaration.startswith('extern') and not '"C"' in declaration:
declaration = declaration.replace('extern', '').strip()
+ while not ';' in declaration:
+ declaration += (next(a)).strip()
print(declaration)
ffi.cdef(declaration)
C = ffi.dlopen("../build/libnitrokey.so")
C.NK_set_debug(False)
C.NK_login('P')
+
# assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
# assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
# C.NK_status()
def fin():
- print ('\nFinishing connection to device')
+ print('\nFinishing connection to device')
C.NK_logout()
- print ('Finished')
+ print('Finished')
request.addfinalizer(fin)
C.NK_set_debug(True)
@@ -107,11 +111,64 @@ def test_password_safe_slot_status(C):
safe_slot_status = C.NK_get_password_safe_slot_status()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
is_slot_programmed = list(ffi.cast("uint8_t [16]", safe_slot_status)[0:16])
- print ((is_slot_programmed, len(is_slot_programmed)))
+ print((is_slot_programmed, len(is_slot_programmed)))
assert is_slot_programmed[0] == 0
assert is_slot_programmed[1] == 1
+@pytest.mark.xfail(run=False, reason="issue to register: device locks up after below commands sequence (reinsertion fixes), skipping for now")
+def test_issue_device_locks_on_second_key_generation_in_sequence(C):
+ assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
+ assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
+
+
+def test_regenerate_aes_key(C):
+ C.NK_set_debug(True)
+ assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
+ assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
+
+
+@pytest.mark.xfail(reason="firmware bug: regenerating AES key command not always results in cleared slot data")
+def test_destroy_password_safe(C):
+ """
+ Sometimes fails on NK Pro - slot name is not cleared ergo key generation has not succeed despite the success result
+ returned from the device
+ """
+ C.NK_set_debug(True)
+ assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
+ # write password safe slot
+ assert C.NK_write_password_safe_slot(0, 'slotname1', 'login1', 'pass1') == DeviceErrorCode.STATUS_OK
+ # read slot
+ assert gs(C.NK_get_password_safe_slot_name(0)) == 'slotname1'
+ assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
+ slot_login = C.NK_get_password_safe_slot_login(0)
+ assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
+ assert gs(slot_login) == 'login1'
+ # destroy password safe by regenerating aes key
+ assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
+
+ assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
+ assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
+
+ assert gs(C.NK_get_password_safe_slot_name(0)) != 'slotname1'
+ assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
+
+ # check was slot status cleared
+ safe_slot_status = C.NK_get_password_safe_slot_status()
+ assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
+ is_slot_programmed = list(ffi.cast("uint8_t [16]", safe_slot_status)[0:16])
+ assert is_slot_programmed[0] == 0
+
+
+def test_is_AES_supported(C):
+ assert C.NK_is_AES_supported('wrong password') != 1
+ assert C.NK_get_last_command_status() == DeviceErrorCode.WRONG_PASSWORD
+ assert C.NK_is_AES_supported(DefaultPasswords.USER) == 1
+ assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
+
+
def test_admin_PIN_change(C):
new_password = '123123123'
assert C.NK_change_admin_PIN('wrong_password', new_password) == DeviceErrorCode.WRONG_PASSWORD
@@ -143,60 +200,106 @@ def test_user_retry_counts(C):
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_get_user_retry_count() == default_user_retry_count
+
+def test_unlock_user_password(C):
+ C.NK_set_debug(True)
+ default_user_retry_count = 3
+ default_admin_retry_count = 3
+ new_password = '123123123'
+ assert C.NK_get_user_retry_count() == default_user_retry_count
+ assert C.NK_change_user_PIN('wrong_password', new_password) == DeviceErrorCode.WRONG_PASSWORD
+ assert C.NK_change_user_PIN('wrong_password', new_password) == DeviceErrorCode.WRONG_PASSWORD
+ assert C.NK_change_user_PIN('wrong_password', new_password) == DeviceErrorCode.WRONG_PASSWORD
+ assert C.NK_get_user_retry_count() == default_user_retry_count - 3
+ assert C.NK_get_admin_retry_count() == default_admin_retry_count
+
+ assert C.NK_unlock_user_password('wrong password', DefaultPasswords.USER) == DeviceErrorCode.WRONG_PASSWORD
+ assert C.NK_get_admin_retry_count() == default_admin_retry_count - 1
+ assert C.NK_unlock_user_password(DefaultPasswords.ADMIN, DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
+ assert C.NK_get_user_retry_count() == default_user_retry_count
+ assert C.NK_get_admin_retry_count() == default_admin_retry_count
+
+
def test_admin_auth(C):
assert C.NK_first_authenticate('wrong_password', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.WRONG_PASSWORD
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+
def test_user_auth(C):
assert C.NK_user_authenticate('wrong_password', DefaultPasswords.USER_TEMP) == DeviceErrorCode.WRONG_PASSWORD
assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
-def check_RFC_codes(C, func, prep=None):
+def check_HOTP_RFC_codes(C, func, prep=None, use_8_digits=False):
+ """
+ # https://tools.ietf.org/html/rfc4226#page-32
+ """
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_hotp_slot(1, 'python_test', RFC_SECRET, 0, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_write_hotp_slot(1, 'python_test', RFC_SECRET, 0, use_8_digits, False, False, "",
+ DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
test_data = [
- 755224, 287082, 359152, 969429, 338314, 254676, 287922, 162583, 399871, 520489,
+ 1284755224, 1094287082, 137359152, 1726969429, 1640338314, 868254676, 1918287922, 82162583, 673399871,
+ 645520489,
]
for code in test_data:
if prep:
prep()
r = func(1)
- assert code == r
+ code = str(code)[-8:] if use_8_digits else str(code)[-6:]
+ assert int(code) == r
-@pytest.mark.skip(reason="not working correctly, skipping for now")
-def test_HOTP_RFC_pin_protection(C):
- C.NK_set_debug(True)
- assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(True, True, True, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+@pytest.mark.parametrize("use_8_digits", [False, True, ])
+@pytest.mark.parametrize("use_pin_protection", [False, True, ])
+def test_HOTP_RFC_use8digits_usepin(C, use_8_digits, use_pin_protection):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_hotp_slot(1, 'python_test', RFC_SECRET, 0, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- # check_RFC_codes(C, lambda x: C.NK_get_hotp_code_PIN(x, DefaultPasswords.USER_TEMP), lambda: C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP))
- assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_get_hotp_code_PIN(1, DefaultPasswords.USER_TEMP) == 755224
- assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
-
-
-@pytest.mark.skip(reason="not implemented yet")
-def test_HOTP_RFC_no_pin_protection_8digits(C):
- assert False # TODO to write
-
-def test_HOTP_RFC_no_pin_protection(C):
+ assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection,
+ DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ if use_pin_protection:
+ check_HOTP_RFC_codes(C,
+ lambda x: C.NK_get_hotp_code_PIN(x, DefaultPasswords.USER_TEMP),
+ lambda: C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP),
+ use_8_digits=use_8_digits)
+ else:
+ check_HOTP_RFC_codes(C, C.NK_get_hotp_code, use_8_digits=use_8_digits)
+
+
+def test_HOTP_token(C):
+ """
+ Check HOTP routine with written token ID to slot.
+ """
+ use_pin_protection = False
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_hotp_slot(1, 'python_test', RFC_SECRET, 0, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection,
+ DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(True, True, True, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- # https://tools.ietf.org/html/rfc4226#page-32
- check_RFC_codes(C, C.NK_get_hotp_code)
+ token_ID = "AAV100000022"
+ assert C.NK_write_hotp_slot(1, 'python_test', RFC_SECRET, 0, False, False, True, token_ID,
+ DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ for i in range(5):
+ hotp_code = C.NK_get_hotp_code(1)
+ assert hotp_code != 0
+ assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
-def test_TOTP_RFC_no_pin_protection(C):
+@pytest.mark.xfail(reason="firmware bug: set time command not always changes the time on stick thus failing this test, "
+ "this does not influence normal use since setting time is not done every TOTP code request")
+@pytest.mark.parametrize("PIN_protection", [False, True, ])
+def test_TOTP_RFC_usepin(C, PIN_protection):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(True, True, True, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
+ DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
# test according to https://tools.ietf.org/html/rfc6238#appendix-B
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_totp_slot(1, 'python_test', RFC_SECRET, 30, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_write_totp_slot(1, 'python_test', RFC_SECRET, 30, True, False, False, "",
+ DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+
+ get_func = None
+ if PIN_protection:
+ get_func = lambda x, y, z, r: C.NK_get_totp_code_PIN(x, y, z, r, DefaultPasswords.USER_TEMP)
+ else:
+ get_func = C.NK_get_totp_code
+
test_data = [
(59, 1, 94287082),
(1111111109, 0x00000000023523EC, 7081804),
@@ -204,8 +307,17 @@ def test_TOTP_RFC_no_pin_protection(C):
(1234567890, 0x000000000273EF07, 89005924),
]
for t, T, code in test_data:
- C.NK_totp_set_time(t)
- r = C.NK_get_totp_code(1, T, 0, 30) # FIXME T is not changing the outcome
+ """
+ FIXME without the delay 50% of tests fails, with it only 12%, higher delay removes fails
+ -> set_time function not always works, to investigate why
+ """
+ # import time
+ # time.sleep(2)
+ assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ if PIN_protection:
+ C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP)
+ assert C.NK_totp_set_time(t) == DeviceErrorCode.STATUS_OK # FIXME needs admin authentication
+ r = get_func(1, T, 0, 30) # FIXME T is not changing the outcome
assert code == r
@@ -228,7 +340,8 @@ def test_get_slot_names(C):
def test_get_OTP_codes(C):
- C.NK_set_debug(True)
+ assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_erase_hotp_slot(0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
@@ -247,18 +360,18 @@ def test_get_OTP_codes(C):
def test_get_code_user_authorize(C):
C.NK_set_debug(True)
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_totp_slot(0, 'python_otp_auth', RFC_SECRET, 30, True,
+ assert C.NK_write_totp_slot(0, 'python_otp_auth', RFC_SECRET, 30, True, False, False, "",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
# enable PIN protection of OTP codes with write_config
# TODO create convinience function on C API side to enable/disable OTP USER_PIN protection
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(True, True, True, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code = C.NK_get_totp_code(0, 0, 0, 0)
assert code == 0
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
# disable PIN protection with write_config
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(True, True, True, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code = C.NK_get_totp_code(0, 0, 0, 0)
assert code != 0
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
@@ -273,18 +386,45 @@ def cast_pointer_to_tuple(obj, typen, len):
def test_read_write_config(C):
C.NK_set_debug(True)
- # let's set sample config with pin protection and disabled capslock
+ # let's set sample config with pin protection and disabled scrolllock
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(True, False, True, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_write_config(0, 1, 2, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
config_raw_data = C.NK_read_config()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
config = cast_pointer_to_tuple(config_raw_data, 'uint8_t', 5)
- assert config == (True, False, True, True, False)
+ assert config == (0, 1, 2, True, False)
# restore defaults and check
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
- assert C.NK_write_config(True, True, True, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
config_raw_data = C.NK_read_config()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
config = cast_pointer_to_tuple(config_raw_data, 'uint8_t', 5)
- assert config == (True, True, True, False, True)
+ assert config == (255, 255, 255, False, True)
+
+
+def wait(t):
+ import time
+ msg = 'Waiting for %d seconds' % t
+ print(msg.center(40, '='))
+ time.sleep(t)
+
+
+# @pytest.mark.skip()
+def test_factory_reset(C):
+ C.NK_set_debug(True)
+ assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_write_hotp_slot(1, 'python_test', RFC_SECRET, 0, False, False, False, "",
+ DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_get_hotp_code(1) == 755224
+ assert C.NK_factory_reset(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
+ wait(10)
+ assert C.NK_get_hotp_code(1) != 287082
+ assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
+ # restore AES key
+ assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
+ assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
+ assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
+ assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK