tests: PivSessionIntegrationTestBase.cs can now manage Fips credentials

Author: DennisDyallo

Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/AttestTests.cs

@@ -51,19 +51,20 @@ public void Attest_Imported_ThrowsException(
                 Session.CreateAttestationStatement(PivSlot.Retired1));
         }
 
-        [Theory]
+        [SkippableTheory(typeof(DeviceNotFoundException))]
         [InlineData(KeyType.RSA2048, StandardTestDevice.Fw5)]
         [InlineData(KeyType.RSA3072, StandardTestDevice.Fw5)]
         [InlineData(KeyType.RSA4096, StandardTestDevice.Fw5)]
-        [InlineData(KeyType.ECP256, StandardTestDevice.Fw5)]
+        [InlineData(KeyType.ECP256, StandardTestDevice.Fw5Fips)]
         [InlineData(KeyType.Ed25519, StandardTestDevice.Fw5)]
         public void AttestGenerated(
             KeyType keyType,
             StandardTestDevice deviceType)
         {
             TestDeviceType = deviceType;
             const byte slotNumber = PivSlot.Retired1;
-            Session.GenerateKeyPair(slotNumber, keyType, PivPinPolicy.Never, PivTouchPolicy.Never);
+            
+            Session.GenerateKeyPair(slotNumber, keyType);
 
             // If this test fails, it's possible the attestation key or cert is missing or broken.
             // In that case, run LoadAttestationPair(KeyType, true) to fix the problem.

Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/PivSessionIntegrationTestBase.cs

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 using System;
+using System.Diagnostics;
 using Xunit;
 using Yubico.YubiKey.Cryptography;
 using Yubico.YubiKey.Scp;
@@ -34,23 +35,51 @@ public class PivSessionIntegrationTestBase : IDisposable
         0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
     };
 
+    public static readonly byte[] ComplexManagementKey =
+    {
+        0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
+        0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x12,
+        0x23, 0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9A
+    };
+
+    // public void SetFipsApprovedCredentials(PivSession? session)
+    // {
+    //     session ??= Session;
+    //     session.TryChangePin(DefaultPin, ComplexPin, out _);
+    //     session.TryChangePuk(DefaultPuk, ComplexPuk, out _);
+    //     session.TryChangeManagementKey(DefaultManagementKey, ComplexManagementKey, PivTouchPolicy.Always);
+    //     Assert.True(session.TryVerifyPin(ComplexPin, out _));
+    // }
+
+    // public void SetFipsApprovedCredentials(
+    //     IYubiKeyDevice? device,
+    //     ScpKeyParameters parameters)
+    // {
+    //     device ??= Device;
+    //     using var session = new PivSession(device, parameters);
+    //     SetFipsApprovedCredentials(session);
+    // }
+
     protected KeyType DefaultManagementKeyType =>
         Device.FirmwareVersion > FirmwareVersion.V5_7_0 ? KeyType.AES192 : KeyType.TripleDES;
 
-    protected StandardTestDevice TestDeviceType { get; set; } = StandardTestDevice.Fw5;
-    
+    protected StandardTestDevice TestDeviceType { get; set; } = StandardTestDevice.Any;
+
     /// <summary>
     /// Returns an authenticated PivSession.
     /// </summary>
     protected PivSession Session => _session ??= GetSession(true);
+
     protected IYubiKeyDevice Device => IntegrationTestDeviceEnumeration.GetTestDevice(TestDeviceType);
 
     private bool _disposed;
     private PivSession? _session;
 
+    private bool UseComplexCreds => Device.IsFipsSeries || Device.IsPinComplexityEnabled;
+
     protected PivSessionIntegrationTestBase()
     {
-        using var session = GetSessionInternal(Device, false);
+        using var session = GetSessionInternal(Device, false, false);
         session.ResetApplication();
     }
 
@@ -60,10 +89,11 @@ protected PivSessionIntegrationTestBase()
     }
 
     protected PivSession GetSession(
-        bool authenticate = false) => GetSessionInternal(Device, authenticate);
+        bool authenticate = false) => GetSessionInternal(Device, authenticate, UseComplexCreds);
 
     protected PivSession GetSessionScp(
-        bool authenticate = false) => GetSessionInternal(Device, authenticate, Scp03KeyParameters.DefaultKey);
+        bool authenticate = false) =>
+        GetSessionInternal(Device, authenticate, UseComplexCreds, Scp03KeyParameters.DefaultKey);
 
     public void Dispose()
     {
@@ -91,30 +121,41 @@ protected virtual void Dispose(
     private static PivSession GetSessionInternal(
         IYubiKeyDevice testDevice,
         bool authenticate,
+        bool useComplexCreds,
         Scp03KeyParameters? keyParameters = null)
     {
         Assert.True(testDevice.EnabledUsbCapabilities.HasFlag(YubiKeyCapabilities.Piv));
 
-        PivSession? pivSession = null;
+        PivSession? session = null;
         try
         {
-            pivSession = new PivSession(testDevice, keyParameters);
-            if (pivSession.KeyCollector == null)
+            session = new PivSession(testDevice, keyParameters);
+
+            if (useComplexCreds)
+            {
+                session.TryChangePin(DefaultPin, ComplexPin, out _);
+                session.TryChangePuk(DefaultPuk, ComplexPuk, out _);
+                var managementKeyChanged = session.TryChangeManagementKey(DefaultManagementKey, ComplexManagementKey);
+                Debug.Assert(managementKeyChanged, "Failed to change management");
+                Assert.True(session.TryVerifyPin(ComplexPin, out _));
+            }
+
+            if (session.KeyCollector == null)
             {
-                var collectorObj = new Simple39KeyCollector();
-                pivSession.KeyCollector = collectorObj.Simple39KeyCollectorDelegate;
+                var collectorObj = new Simple39KeyCollector(false, useComplexCreds);
+                session.KeyCollector = collectorObj.Simple39KeyCollectorDelegate;
             }
 
             if (authenticate)
             {
-                pivSession.AuthenticateManagementKey();
+                session.AuthenticateManagementKey();
             }
 
-            return pivSession;
+            return session;
         }
         catch
         {
-            pivSession?.Dispose();
+            session?.Dispose();
             throw;
         }
     }

Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Simple39KeyCollector.cs

@@ -24,17 +24,21 @@ namespace Yubico.YubiKey.Piv
     public class Simple39KeyCollector
     {
         private static bool _setKeyFlagOnChange;
+        public static bool _useComplexCreds;
 
         // If the caller sets the input arg to true, then when the call asks for
         // Change, return the old and new, then set KeyFlag to the opposite of
         // what it currently is.
         // For false, then this returns old and new, but does nothing to KeyFlag.
         // If there is no arg, that's false.
-        public Simple39KeyCollector(bool setKeyFlagOnChange = false)
+        public Simple39KeyCollector(
+            bool setKeyFlagOnChange = false,
+            bool useComplexCreds = false)
         {
             KeyFlag = 0;
             RetryFlag = 0;
             _setKeyFlagOnChange = setKeyFlagOnChange;
+            _useComplexCreds = useComplexCreds;
         }
 
         // If KeyFlag is set to 0, the current PIN, PUK, or key returned will be
@@ -50,10 +54,11 @@ public Simple39KeyCollector(bool setKeyFlagOnChange = false)
         // PUK. This way we can block the PIN or PUK for testing purposes.
         public int RetryFlag { get; set; }
 
-        public bool Simple39KeyCollectorDelegate(KeyEntryData keyEntryData)
+        public bool Simple39KeyCollectorDelegate(
+            KeyEntryData keyEntryData)
         {
-            if (keyEntryData.IsRetry && 
-                RetryFlag == 0 && 
+            if (keyEntryData.IsRetry &&
+                RetryFlag == 0 &&
                 keyEntryData.RetriesRemaining is not null &&
                 keyEntryData.RetriesRemaining == 1)
             {
@@ -70,28 +75,27 @@ keyEntryData.RetriesRemaining is not null &&
                     return false;
 
                 case KeyEntryRequest.Release:
-
                     return true;
 
                 case KeyEntryRequest.VerifyPivPin:
-                    currentValue = CollectPin();
+                    currentValue = CollectPin(_useComplexCreds);
                     break;
 
                 case KeyEntryRequest.ChangePivPin:
-                    currentValue = CollectPin();
-                    newValue = CollectPin();
+                    currentValue = CollectPin(_useComplexCreds);
+                    newValue = CollectPin(_useComplexCreds);
                     isChange = true;
                     break;
 
                 case KeyEntryRequest.ChangePivPuk:
-                    currentValue = CollectPuk();
-                    newValue = CollectPuk();
+                    currentValue = CollectPuk(_useComplexCreds);
+                    newValue = CollectPuk(_useComplexCreds);
                     isChange = true;
                     break;
 
                 case KeyEntryRequest.ResetPivPinWithPuk:
-                    currentValue = CollectPuk();
-                    newValue = CollectPin();
+                    currentValue = CollectPuk(_useComplexCreds);
+                    newValue = CollectPin(_useComplexCreds);
                     isChange = true;
                     break;
 
@@ -101,7 +105,7 @@ keyEntryData.RetriesRemaining is not null &&
                         return false;
                     }
 
-                    currentValue = CollectMgmtKey();
+                    currentValue = CollectMgmtKey(_useComplexCreds);
                     break;
 
                 case KeyEntryRequest.ChangePivManagementKey:
@@ -110,8 +114,8 @@ keyEntryData.RetriesRemaining is not null &&
                         return false;
                     }
 
-                    currentValue = CollectMgmtKey();
-                    newValue = CollectMgmtKey();
+                    currentValue = CollectMgmtKey(_useComplexCreds);
+                    newValue = CollectMgmtKey(_useComplexCreds);
                     isChange = true;
                     break;
             }
@@ -147,8 +151,19 @@ keyEntryData.RetriesRemaining is not null &&
             return true;
         }
 
-        public static Memory<byte> CollectPin() => PivSessionIntegrationTestBase.DefaultPin;
-        public static Memory<byte> CollectPuk() => PivSessionIntegrationTestBase.DefaultPuk;
-        public static Memory<byte> CollectMgmtKey() => PivSessionIntegrationTestBase.DefaultManagementKey;
+        public static Memory<byte> CollectPin(
+            bool useComplex) => useComplex
+            ? PivSessionIntegrationTestBase.ComplexPin
+            : PivSessionIntegrationTestBase.DefaultPin;
+
+        public static Memory<byte> CollectPuk(
+            bool useComplex) => useComplex
+            ? PivSessionIntegrationTestBase.ComplexPuk
+            : PivSessionIntegrationTestBase.DefaultPuk;
+
+        public static Memory<byte> CollectMgmtKey(
+            bool useComplex) => useComplex
+            ? PivSessionIntegrationTestBase.ComplexManagementKey
+            : PivSessionIntegrationTestBase.DefaultManagementKey;
     }
 }

Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/StandardTestDevice.cs

@@ -16,6 +16,11 @@ namespace Yubico.YubiKey.TestUtilities
 {
     public enum StandardTestDevice
     {
+        /// <summary>
+        /// Any version
+        /// </summary>
+        Any,
+     
         /// <summary>
         /// Major version 3, USB A keychain, not FIPS
         /// </summary>

Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/TestDeviceSelection.cs

@@ -90,6 +90,7 @@ public static IYubiKeyDevice SelectByStandardTestDevice(
                 StandardTestDevice.Fw5 => SelectDevice(5),
                 StandardTestDevice.Fw5Fips => SelectDevice(5, isFipsSeries: true),
                 StandardTestDevice.Fw5Bio => SelectDevice(5,  [FormFactor.UsbCBiometricKeychain, FormFactor.UsbABiometricKeychain]),
+                StandardTestDevice.Any => devices.First(),
                 _ => throw new ArgumentException("Invalid test device value.", nameof(testDeviceType)),
             };