summaryrefslogtreecommitdiff
path: root/tools/test.sh
blob: 8159a4495d8446b4dafff1c259382b09f44b1e21 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

#!/bin/bash -e
#
# Copyright (c) 2018 Yubico AB. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.

if [[ "$#" -ne 1 ]]; then
	echo "usage: test.sh device" 1>&2
	exit 1
fi

read -p "This script will reset the authenticator at $1, permanently erasing "\
"its credentials. Are you *SURE* you want to proceed (yes/no)? "
if [[ "${REPLY}" != "yes" ]]; then
	exit 1
fi

echo "Resetting authenticator... (tap to continue!)"
fido2-token -R $1

CRED_PARAM="$(mktemp /tmp/cred_param.XXXXXXXX)"
ASSERT_PARAM="$(mktemp /tmp/assert_param.XXXXXXXX)"
ASSERT_PUBKEY="$(mktemp /tmp/assert_pubkey.XXXXXXXX)"
ES256_CRED="$(mktemp /tmp/es256_cred.XXXXXXX)"
ES256_CRED_R="$(mktemp /tmp/es256_cred_r.XXXXXXXX)"

cleanup() {
	echo "Cleaning up..."
	[[ "${CRED_PARAM}" != "" ]] && rm "${CRED_PARAM}"
	[[ "${ASSERT_PARAM}" != "" ]] && rm "${ASSERT_PARAM}"
	[[ "${ASSERT_PUBKEY}" != "" ]] && rm "${ASSERT_PUBKEY}"
	[[ "${ES256_CRED}" != "" ]] && rm "${ES256_CRED}"
	[[ "${ES256_CRED_R}" != "" ]] && rm "${ES256_CRED_R}"
}

trap cleanup EXIT

dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 > "${CRED_PARAM}"
echo "Boring Relying Party" >> "${CRED_PARAM}"
echo "Boring User Name" >> "${CRED_PARAM}"
dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 >> "${CRED_PARAM}"
echo "Credential parameters:"
cat "${CRED_PARAM}"

echo "Generating non-resident ES256 credential... (tap to continue!)"
fido2-cred -M -i "${CRED_PARAM}" $1 | fido2-cred -V | tee "${ES256_CRED}"
echo "Generating resident ES256 credential... (tap to continue!)"
fido2-cred -M -r -i "${CRED_PARAM}" $1 | fido2-cred -V | tee "${ES256_CRED_R}"

PIN1="$(dd if=/dev/urandom | tr -cd '[:print:]' | fold -w50 | head -1)"
PIN2="$(dd if=/dev/urandom | tr -cd '[:print:]' | fold -w50 | head -1)"

echo "Setting ${PIN1} as the PIN..."
echo -e "${PIN1}\n${PIN1}" | setsid -w fido2-token -S $1
echo "Changing PIN from ${PIN1} to ${PIN2}..."
echo -e "${PIN1}\n${PIN2}\n${PIN2}" | setsid -w fido2-token -C $1
echo ""

echo "Testing non-resident ES256 credential..."
echo "Getting assertion without user presence verification..."
dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 > "${ASSERT_PARAM}"
echo "Boring Relying Party" >> "${ASSERT_PARAM}"
head -1 "${ES256_CRED}" >> "${ASSERT_PARAM}"
tail -n +2 "${ES256_CRED}" > "${ASSERT_PUBKEY}"
echo "Assertion parameters:"
cat "${ASSERT_PARAM}"
fido2-assert -G -i "${ASSERT_PARAM}" $1 | fido2-assert -V "${ASSERT_PUBKEY}" 
echo "Checking that the user presence bit is observed..."
! fido2-assert -G -i "${ASSERT_PARAM}" $1 | fido2-assert -V -p "${ASSERT_PUBKEY}"
echo "Checking that the user verification bit is observed..."
! fido2-assert -G -i "${ASSERT_PARAM}" $1 | fido2-assert -V -v "${ASSERT_PUBKEY}"
echo "Getting assertion _with_ user presence verification... (tap to continue!)"
fido2-assert -G -p -i "${ASSERT_PARAM}" $1 | fido2-assert -V -p "${ASSERT_PUBKEY}" 
echo "Getting assertion  _with_ user verification..."
echo -e "${PIN2}\n" | setsid -w fido2-assert -G -v -i "${ASSERT_PARAM}" $1 | \
	fido2-assert -V -v "${ASSERT_PUBKEY}" 
echo ""

echo "Testing resident ES256 credential..."
echo "Getting assertion without user presence verification..."
dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 > "${ASSERT_PARAM}"
echo "Boring Relying Party" >> "${ASSERT_PARAM}"
tail -n +2 "${ES256_CRED_R}" > "${ASSERT_PUBKEY}"
echo "Assertion parameters:"
cat "${ASSERT_PARAM}"
fido2-assert -G -r -i "${ASSERT_PARAM}" $1 | fido2-assert -V "${ASSERT_PUBKEY}" 
echo "Checking that the user presence bit is observed..."
! fido2-assert -G -r -i "${ASSERT_PARAM}" $1 | fido2-assert -V -p "${ASSERT_PUBKEY}"
echo "Checking that the user verification bit is observed..."
! fido2-assert -G -r -i "${ASSERT_PARAM}" $1 | fido2-assert -V -v "${ASSERT_PUBKEY}"
echo "Getting assertion _with_ user presence verification... (tap to continue!)"
fido2-assert -G -r -p -i "${ASSERT_PARAM}" $1 | fido2-assert -V -p "${ASSERT_PUBKEY}" 
echo "Getting assertion _with_ user verification..."
echo -e "${PIN2}\n" | setsid -w fido2-assert -G -v -r -i "${ASSERT_PARAM}" $1 | \
	fido2-assert -V -v "${ASSERT_PUBKEY}" 
echo ""
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-06 03:42:36 +0000