def test_hidden_volume_corruption(C):
# bug: this should return error without unlocking encrypted volume each hidden volume lock, but it does not
skip_if_device_version_lower_than({'S': 43})
hidden_volume_password = b'hiddenpassword'
p = lambda i: hidden_volume_password + bb(str(i))
volumes_to_setup = 4
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(
DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for i in range(volumes_to_setup):
assert C.NK_create_hidden_volume(i, 20 + i * 10, 20 + i * 10 + i + 1,
p(i)) == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
assert C.NK_lock_hidden_volume() == DeviceErrorCode.STATUS_OK
assert C.NK_lock_encrypted_volume() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(
DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for i in range(volumes_to_setup):
assert C.NK_unlock_encrypted_volume(
DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
wait(2)
assert C.NK_lock_hidden_volume() == DeviceErrorCode.STATUS_OK
def test_bootloader_password_change_pro_too_long(C):
skip_if_device_version_lower_than({'P': 11})
long_string = b'a' * 100
assert C.NK_change_firmware_password_pro(
long_string, long_string) == LibraryErrors.TOO_LONG_STRING
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE, long_string) == LibraryErrors.TOO_LONG_STRING
def test_edit_OTP_slot(C):
"""
should change slots counter and name without changing its secret (using null secret for second update)
"""
# counter is not getting updated under Storage v0.43 - #TOREPORT
skip_if_device_version_lower_than({'S': 44, 'P': 7})
secret = RFC_SECRET
counter = 0
PIN_protection = False
use_8_digits = False
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
slot_number = 0
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
first_name = b'edit slot'
assert C.NK_write_hotp_slot(slot_number, first_name, bb(secret), counter, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_hotp_slot_name(slot_number)) == first_name
first_code = gs(C.NK_get_hotp_code(slot_number))
changed_name = b'changedname'
empty_secret = b''
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(slot_number, changed_name, empty_secret, counter, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
second_code = gs(C.NK_get_hotp_code(slot_number))
assert first_code == second_code
assert gs(C.NK_get_hotp_slot_name(slot_number)) == changed_name
def test_edit_OTP_slot(C):
"""
should change slots counter and name without changing its secret (using null secret for second update)
"""
# counter is not getting updated under Storage v0.43 - #TOREPORT
skip_if_device_version_lower_than({'S': 44, 'P': 7})
secret = RFC_SECRET
counter = 0
PIN_protection = False
use_8_digits = False
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
slot_number = 0
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
first_name = b'edit slot'
assert C.NK_write_hotp_slot(slot_number, first_name, bb(secret), counter, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_hotp_slot_name(slot_number)) == first_name
first_code = gs(C.NK_get_hotp_code(slot_number))
changed_name = b'changedname'
empty_secret = b''
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(slot_number, changed_name, empty_secret, counter, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
second_code = gs(C.NK_get_hotp_code(slot_number))
assert first_code == second_code
assert gs(C.NK_get_hotp_slot_name(slot_number)) == changed_name
def test_TOTP_secrets(C, secret):
'''
NK Pro 0.8+, NK Storage 0.44+
'''
skip_if_device_version_lower_than({'S': 44, 'P': 8})
if len(secret)>20*2: #*2 since secret is in hex
# pytest.skip("Secret lengths over 20 bytes are not supported by NK Pro 0.7 and NK Storage v0.53 and older")
skip_if_device_version_lower_than({'P': 8, 'S': 54})
slot_number = 0
time = 0
period = 30
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.totp(secret, t=t, period=period))
PIN_protection = False
use_8_digits = False
T = 0
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
assert C.NK_write_totp_slot(slot_number, b'secret' + bytes(len(secret)), bb(secret), period, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_totp_set_time(time) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_totp_code(slot_number, T, 0, period))
dev_res += (time, code_device)
lib_res += (time, lib_at(time))
assert dev_res == lib_res
def test_HOTP_secrets(C, secret):
"""
NK Pro 0.8+
feature needed: support for 320bit secrets
"""
if len(secret)>40:
skip_if_device_version_lower_than({'P': 8, 'S': 54})
slot_number = 0
counter = 0
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(secret, counter=t))
PIN_protection = False
use_8_digits = False
T = 0
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
# repeat authentication for Pro 0.7
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(slot_number, b'secret' + bytes(len(secret)), bb(secret), counter, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (counter, code_device)
lib_res += (counter, lib_at(counter))
assert dev_res == lib_res
def test_OTP_secret_started_from_null(C, secret):
"""
NK Pro 0.8+, NK Storage 0.43+
"""
skip_if_device_version_lower_than({'S': 43, 'P': 8})
if len(secret) > 40:
# feature: 320 bit long secret handling
skip_if_device_version_lower_than({'P': 8, 'S': 54})
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(secret, t, format='dec6'))
PIN_protection = False
use_8_digits = False
slot_number = 1
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for t in range(1,5):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(slot_number, b'null_secret', bb(secret), t, use_8_digits, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (t, code_device)
lib_res += (t, lib_at(t))
assert dev_res == lib_res
def test_HOTP_secrets(C, secret):
"""
NK Pro 0.8+
feature needed: support for 320bit secrets
"""
if len(secret) > 40:
skip_if_device_version_lower_than({'P': 8})
slot_number = 0
counter = 0
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(secret, counter=t))
PIN_protection = False
use_8_digits = False
T = 0
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
# repeat authentication for Pro 0.7
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(
slot_number, b'secret' + bytes(len(secret)), bb(secret), counter,
use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (counter, code_device)
lib_res += (counter, lib_at(counter))
assert dev_res == lib_res
def test_authorize_issue_user(C):
skip_if_device_version_lower_than({'S': 43, 'P': 9}) # issue fixed in Pro v0.9, Storage version chosen arbitrary
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_totp_slot(0, b'python_otp_auth', bbRFC_SECRET, 30, True, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
# enable PIN protection of OTP codes with write_config
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
gs(C.NK_get_totp_code(0, 0, 0, 0))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
assert C.NK_user_authenticate(b"wrong pass", b"another temp pass") == DeviceErrorCode.WRONG_PASSWORD
gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
# disable PIN protection with write_config
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code = gs(C.NK_get_totp_code(0, 0, 0, 0))
assert code != b''
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_authorize_issue_user(C):
skip_if_device_version_lower_than({'S': 43, 'P': 9}) # issue fixed in Pro v0.9, Storage version chosen arbitrary
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_totp_slot(0, b'python_otp_auth', bbRFC_SECRET, 30, True, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
# enable PIN protection of OTP codes with write_config
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
gs(C.NK_get_totp_code(0, 0, 0, 0))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
assert C.NK_user_authenticate(b"wrong pass", b"another temp pass") == DeviceErrorCode.WRONG_PASSWORD
gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
# disable PIN protection with write_config
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code = gs(C.NK_get_totp_code(0, 0, 0, 0))
assert code != b''
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_enable_firmware_update(C):
skip_if_device_version_lower_than({'S': 50})
wrong_password = b'aaaaaaaaaaa'
assert C.NK_enable_firmware_update(
wrong_password) == DeviceErrorCode.WRONG_PASSWORD
assert C.NK_enable_firmware_update(
DefaultPasswords.UPDATE) == DeviceErrorCode.STATUS_OK
def test_encrypted_volume_unlock_hidden(C):
skip_if_device_version_lower_than({'S': 43})
hidden_volume_password = b'hiddenpassword'
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_create_hidden_volume(0, 20, 21, hidden_volume_password) == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_hidden_volume(hidden_volume_password) == DeviceErrorCode.STATUS_OK
def test_encrypted_volume_unlock_hidden(C):
skip_if_device_version_lower_than({'S': 43})
hidden_volume_password = b'hiddenpassword'
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_create_hidden_volume(0, 20, 21, hidden_volume_password) == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_hidden_volume(hidden_volume_password) == DeviceErrorCode.STATUS_OK
def test_HOTP_slots_read_write_counter(C, counter):
"""
Write different counters to all HOTP slots, read code and compare with 3rd party
:param counter:
"""
if counter >= 1e7:
# Storage does not handle counters longer than 7 digits
skip_if_device_version_lower_than({'P': 7})
secret = RFC_SECRET
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(secret, t, format='dec6'))
PIN_protection = False
use_8_digits = False
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for slot_number in range(3):
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(
slot_number, b'HOTP rw' + bytes(slot_number), bb(secret), counter,
use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (counter, code_device)
lib_res += (counter, lib_at(counter))
assert dev_res == lib_res
def test_HOTP_slots_read_write_counter(C, counter):
"""
Write different counters to all HOTP slots, read code and compare with 3rd party
:param counter:
"""
if counter >= 1e7:
# Storage v0.53 and below does not handle counters longer than 7 digits
skip_if_device_version_lower_than({'P': 7, 'S': 54})
secret = RFC_SECRET
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(secret, t, format='dec6'))
PIN_protection = False
use_8_digits = False
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for slot_number in range(3):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(slot_number, b'HOTP rw' + bytes(slot_number), bb(secret), counter, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (counter, code_device)
lib_res += (counter, lib_at(counter))
assert dev_res == lib_res
def test_TOTP_secrets(C, secret):
'''
NK Pro 0.8+, NK Storage 0.44+
'''
skip_if_device_version_lower_than({'S': 44, 'P': 8})
if len(secret) > 20 * 2: #*2 since secret is in hex
# pytest.skip("Secret lengths over 20 bytes are not supported by NK Pro 0.7 and NK Storage")
skip_if_device_version_lower_than({'P': 8})
slot_number = 0
time = 0
period = 30
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.totp(secret, t=t, period=period))
PIN_protection = False
use_8_digits = False
T = 0
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
assert C.NK_write_totp_slot(
slot_number, b'secret' + bytes(len(secret)), bb(secret), period,
use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_totp_set_time(time) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_totp_code(slot_number, T, 0, period))
dev_res += (time, code_device)
lib_res += (time, lib_at(time))
assert dev_res == lib_res
def test_OTP_secret_started_from_null(C, secret):
"""
NK Pro 0.8+, NK Storage 0.43+
"""
skip_if_device_version_lower_than({'S': 43, 'P': 8})
if len(secret) > 40:
# feature: 320 bit long secret handling
skip_if_device_version_lower_than({'P': 8})
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(secret, t, format='dec6'))
PIN_protection = False
use_8_digits = False
slot_number = 1
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for t in range(1, 5):
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(
slot_number, b'null_secret', bb(secret), t, use_8_digits, False,
False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (t, code_device)
lib_res += (t, lib_at(t))
assert dev_res == lib_res
def test_sd_card_usage(C):
skip_if_device_version_lower_than({'S': 43})
data_pointer = C.NK_get_SD_usage_data_as_string()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
data_string = gs(data_pointer)
assert len(data_string) > 0
data_dict = get_dict_from_dissect(data_string.decode("ascii"))
assert int(data_dict['WriteLevelMax']) <= 100
def test_sd_card_usage(C):
skip_if_device_version_lower_than({'S': 43})
data_pointer = C.NK_get_SD_usage_data_as_string()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
data_string = gs(data_pointer)
assert len(data_string) > 0
data_dict = get_dict_from_dissect(data_string.decode("ascii"))
assert int(data_dict['WriteLevelMax']) <= 100
def test_destroy_encrypted_data_leaves_OTP_intact(C):
"""
Make sure AES key regeneration will not remove OTP records.
Test for Nitrokey Storage.
Details: https://github.com/Nitrokey/libnitrokey/issues/199
"""
skip_if_device_version_lower_than({'S': 55})
assert C.NK_enable_password_safe(
DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
# write password safe slot
assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1',
b'pass1') == DeviceErrorCode.STATUS_OK
# read slot
assert gs(C.NK_get_password_safe_slot_name(0)) == b'slotname1'
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
slot_login = C.NK_get_password_safe_slot_login(0)
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
assert gs(slot_login) == b'login1'
# write OTP
use_8_digits = False
use_pin_protection = False
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, use_pin_protection, not use_pin_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
check_HOTP_RFC_codes(C,
lambda x: gs(C.NK_get_hotp_code(x)),
use_8_digits=use_8_digits)
# confirm OTP
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_hotp_slot_name(1)) == b'python_test'
# destroy password safe by regenerating aes key
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_build_aes_key(
DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_enable_password_safe(
DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_password_safe_slot_name(0)) != b'slotname1'
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
# confirm OTP
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_hotp_slot_name(1)) == b'python_test'
def test_get_status_storage(C):
skip_if_device_version_lower_than({'S': 43})
status_pointer = C.NK_get_status_storage_as_string()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
status_string = gs(status_pointer)
assert len(status_string) > 0
status_dict = get_dict_from_dissect(status_string.decode('ascii'))
default_admin_password_retry_count = 3
assert int(status_dict['AdminPwRetryCount']) == default_admin_password_retry_count
def test_bootloader_data_rention(C):
skip_if_device_version_lower_than({'P': 11})
assert helper_populate_device(C)
assert C.NK_enable_firmware_update_pro(
DefaultPasswords.UPDATE) == DeviceErrorCode.STATUS_DISCONNECTED
input('Please press ENTER after uploading new firmware to the device')
C = library_device_reconnect(C)
assert helper_check_device_for_data(C)
def test_fill_SD_card(C):
skip_if_device_version_lower_than({'S': 43})
status = C.NK_fill_SD_card_with_random_data(DefaultPasswords.ADMIN)
assert status == DeviceErrorCode.STATUS_OK or status == DeviceErrorCode.BUSY
while 1:
value = C.NK_get_progress_bar_value()
if value == -1: break
assert 0 <= value <= 100
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
wait(5)
def test_fill_SD_card(C):
skip_if_device_version_lower_than({'S': 43})
status = C.NK_fill_SD_card_with_random_data(DefaultPasswords.ADMIN)
assert status == DeviceErrorCode.STATUS_OK or status == DeviceErrorCode.BUSY
while 1:
value = C.NK_get_progress_bar_value()
if value == -1: break
assert 0 <= value <= 100
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
wait(5)
def test_get_status_storage(C):
skip_if_device_version_lower_than({'S': 43})
status_pointer = C.NK_get_status_storage_as_string()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
status_string = gs(status_pointer)
assert len(status_string) > 0
status_dict = get_dict_from_dissect(status_string.decode('ascii'))
default_admin_password_retry_count = 3
assert int(status_dict['AdminPwRetryCount']) == default_admin_password_retry_count
print('C.NK_get_major_firmware_version(): {}'.format(C.NK_get_major_firmware_version()))
print('C.NK_get_minor_firmware_version(): {}'.format(C.NK_get_minor_firmware_version()))
def test_change_update_password(C):
skip_if_device_version_lower_than({'S': 43})
wrong_password = b'aaaaaaaaaaa'
assert C.NK_change_update_password(
wrong_password,
DefaultPasswords.UPDATE_TEMP) == DeviceErrorCode.WRONG_PASSWORD
assert C.NK_change_update_password(
DefaultPasswords.UPDATE,
DefaultPasswords.UPDATE_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_change_update_password(
DefaultPasswords.UPDATE_TEMP,
DefaultPasswords.UPDATE) == DeviceErrorCode.STATUS_OK
def test_encrypted_volume_setup_multiple_hidden_lock(C):
import random
skip_if_device_version_lower_than({'S': 45}) #hangs device on lower version
hidden_volume_password = b'hiddenpassword' + bb(str(random.randint(0,100)))
p = lambda i: hidden_volume_password + bb(str(i))
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for i in range(4):
assert C.NK_create_hidden_volume(i, 20+i*10, 20+i*10+i+1, p(i) ) == DeviceErrorCode.STATUS_OK
for i in range(4):
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
def test_encrypted_volume_setup_multiple_hidden_lock(C):
import random
skip_if_device_version_lower_than({'S': 45}) #hangs device on lower version
hidden_volume_password = b'hiddenpassword' + bb(str(random.randint(0,100)))
p = lambda i: hidden_volume_password + bb(str(i))
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for i in range(4):
assert C.NK_create_hidden_volume(i, 20+i*10, 20+i*10+i+1, p(i) ) == DeviceErrorCode.STATUS_OK
for i in range(4):
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
def test_authorize_issue_admin(C):
skip_if_device_version_lower_than({'S': 43, 'P': 9})
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(b"wrong pass", b"another temp pass") == DeviceErrorCode.WRONG_PASSWORD
assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_NOT_AUTHORIZED
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
def test_authorize_issue_admin(C):
skip_if_device_version_lower_than({'S': 43, 'P': 9})
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(b"wrong pass", b"another temp pass") == DeviceErrorCode.WRONG_PASSWORD
assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_NOT_AUTHORIZED
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
def test_encrypted_volume_setup_multiple_hidden_no_lock_device_volumes(C, volumes_to_setup):
skip_if_device_version_lower_than({'S': 43})
hidden_volume_password = b'hiddenpassword'
p = lambda i: hidden_volume_password + bb(str(i))
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for i in range(volumes_to_setup):
assert C.NK_create_hidden_volume(i, 20+i*10, 20+i*10+i+1, p(i)) == DeviceErrorCode.STATUS_OK
assert C.NK_lock_encrypted_volume() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for i in range(volumes_to_setup):
assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
# TODO mount and test for files
assert C.NK_lock_hidden_volume() == DeviceErrorCode.STATUS_OK
def test_encrypted_volume_setup_multiple_hidden_no_lock_device_volumes(C, volumes_to_setup):
skip_if_device_version_lower_than({'S': 43})
hidden_volume_password = b'hiddenpassword'
p = lambda i: hidden_volume_password + bb(str(i))
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for i in range(volumes_to_setup):
assert C.NK_create_hidden_volume(i, 20+i*10, 20+i*10+i+1, p(i)) == DeviceErrorCode.STATUS_OK
assert C.NK_lock_encrypted_volume() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for i in range(volumes_to_setup):
assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
# TODO mount and test for files
assert C.NK_lock_hidden_volume() == DeviceErrorCode.STATUS_OK
def test_bootloader_password_change_pro_length(C):
skip_if_device_version_lower_than({'P': 11})
# Test whether the correct password is set
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE,
DefaultPasswords.UPDATE) == DeviceErrorCode.STATUS_OK
# Change to the longest possible password
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE,
DefaultPasswords.UPDATE_LONG) == DeviceErrorCode.STATUS_OK
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE_LONG,
DefaultPasswords.UPDATE) == DeviceErrorCode.STATUS_OK
# Use longer or shorter passwords than possible
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE,
DefaultPasswords.UPDATE_TOO_LONG) == LibraryErrors.TOO_LONG_STRING
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE,
DefaultPasswords.UPDATE_TOO_SHORT) == DeviceErrorCode.WRONG_PASSWORD
def test_encrypted_volume_setup_one_hidden_no_lock_device_slot(C, use_slot):
skip_if_device_version_lower_than({'S': 43})
hidden_volume_password = '******'
p = lambda i: hidden_volume_password + str(i)
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(
DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
i = use_slot
assert C.NK_create_hidden_volume(i, 20 + i * 10, 20 + i * 10 + i + 1,
p(i)) == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
assert C.NK_lock_hidden_volume() == DeviceErrorCode.STATUS_OK
assert C.NK_lock_encrypted_volume() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(
DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for j in range(3):
assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
# TODO mount and test for files
assert C.NK_lock_hidden_volume() == DeviceErrorCode.STATUS_OK
def test_factory_reset_does_not_change_update_password(C):
"""
Check if factory reset changes the update password, which should not happen
"""
skip_if_device_version_lower_than({'P': 13})
from test_pro import test_factory_reset
# Revert effects of a broken test run, if needed
C.NK_change_firmware_password_pro(DefaultPasswords.UPDATE_TEMP,
DefaultPasswords.UPDATE)
# actual test
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE,
DefaultPasswords.UPDATE_TEMP) == DeviceErrorCode.STATUS_OK
test_factory_reset(C)
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE,
DefaultPasswords.UPDATE_TEMP) == DeviceErrorCode.WRONG_PASSWORD
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE_TEMP,
DefaultPasswords.UPDATE) == DeviceErrorCode.STATUS_OK
def test_hidden_volume_corruption(C):
# bug: this should return error without unlocking encrypted volume each hidden volume lock, but it does not
skip_if_device_version_lower_than({'S': 43})
hidden_volume_password = b'hiddenpassword'
p = lambda i: hidden_volume_password + bb(str(i))
volumes_to_setup = 4
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for i in range(volumes_to_setup):
assert C.NK_create_hidden_volume(i, 20 + i * 10, 20 + i * 10 + i + 1, p(i)) == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
assert C.NK_lock_hidden_volume() == DeviceErrorCode.STATUS_OK
assert C.NK_lock_encrypted_volume() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for i in range(volumes_to_setup):
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
wait(2)
assert C.NK_lock_hidden_volume() == DeviceErrorCode.STATUS_OK
def test_pro_factory_reset_breaks_update_password(C, mode: Modes):
from test_pro_bootloader import test_bootloader_password_change_pro, test_bootloader_password_change_pro_length
from test_pro import test_factory_reset
skip_if_device_version_lower_than({'P': 14})
func = {
Modes.EmptyBody:
lambda: True,
Modes.FactoryResetWithAES:
lambda: test_factory_reset(C) or True,
Modes.FactoryReset:
lambda: C.NK_factory_reset(DefaultPasswords.ADMIN
) == DeviceErrorCode.STATUS_OK,
Modes.AESGeneration:
lambda: C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.
STATUS_OK,
}
def boot_test(C):
test_bootloader_password_change_pro(C)
# test_bootloader_password_change_pro_length(C)
def random(C):
data = ffi.new('struct GetRandom_t *')
req_count = 50
res = C.NK_get_random(req_count, data)
assert res == DeviceErrorCode.STATUS_OK
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
assert data.op_success == 1
assert data.size_effective == req_count
random(C)
boot_test(C)
random(C)
func[mode]()
random(C) # fails here
boot_test(C)
random(C)
def test_bootloader_password_change_pro(C):
skip_if_device_version_lower_than({'P': 11})
assert C.NK_change_firmware_password_pro(
b'zxcasd', b'zxcasd') == DeviceErrorCode.WRONG_PASSWORD
# Revert effects of broken test run, if needed
C.NK_change_firmware_password_pro(DefaultPasswords.UPDATE_TEMP,
DefaultPasswords.UPDATE)
# Change to the same password
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE,
DefaultPasswords.UPDATE) == DeviceErrorCode.STATUS_OK
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE,
DefaultPasswords.UPDATE) == DeviceErrorCode.STATUS_OK
# Change password
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE,
DefaultPasswords.UPDATE_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_change_firmware_password_pro(
DefaultPasswords.UPDATE_TEMP,
DefaultPasswords.UPDATE) == DeviceErrorCode.STATUS_OK
def test_clear_new_sd_card_notification(C):
skip_if_device_version_lower_than({'S': 43})
assert C.NK_clear_new_sd_card_warning(
DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
def test_password_safe_slot_name_corruption(C):
skip_if_device_version_lower_than({'S': 43})
volumes_to_setup = 4
# connected with encrypted volumes, possible also with hidden
def fill(s, wid):
assert wid >= len(s)
numbers = '1234567890' * 4
s += numbers[:wid - len(s)]
assert len(s) == wid
return bb(s)
def get_pass(suffix):
return fill('pass' + suffix, 20)
def get_loginname(suffix):
return fill('login' + suffix, 32)
def get_slotname(suffix):
return fill('slotname' + suffix, 11)
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
PWS_slot_count = 16
for i in range(0, PWS_slot_count):
iss = str(i)
assert C.NK_write_password_safe_slot(i,
get_slotname(iss), get_loginname(iss),
get_pass(iss)) == DeviceErrorCode.STATUS_OK
def check_PWS_correctness(C):
for i in range(0, PWS_slot_count):
iss = str(i)
assert gs(C.NK_get_password_safe_slot_name(i)) == get_slotname(iss)
assert gs(C.NK_get_password_safe_slot_login(i)) == get_loginname(iss)
assert gs(C.NK_get_password_safe_slot_password(i)) == get_pass(iss)
hidden_volume_password = b'hiddenpassword'
p = lambda i: hidden_volume_password + bb(str(i))
def check_volumes_correctness(C):
for i in range(volumes_to_setup):
assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
# TODO mount and test for files
assert C.NK_lock_hidden_volume() == DeviceErrorCode.STATUS_OK
check_PWS_correctness(C)
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for i in range(volumes_to_setup):
assert C.NK_create_hidden_volume(i, 20+i*10, 20+i*10+i+1, p(i)) == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_hidden_volume(p(i)) == DeviceErrorCode.STATUS_OK
assert C.NK_lock_hidden_volume() == DeviceErrorCode.STATUS_OK
assert C.NK_lock_encrypted_volume() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
check_volumes_correctness(C)
check_PWS_correctness(C)
check_volumes_correctness(C)
check_PWS_correctness(C)
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
check_volumes_correctness(C)
check_PWS_correctness(C)
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
check_volumes_correctness(C)
check_PWS_correctness(C)
def test_export_firmware_extended_macos(C):
"""
Check, whether the firmware file is exported correctly, and in correct size.
Apparently, the auto-remounting side effect of the v0.46 change, is disturbing the export process.
Unmounting the UV just before the export gives the device 20/20 success rate.
Test case for issue https://github.com/Nitrokey/nitrokey-app/issues/399
"""
skip_if_device_version_lower_than({'S': 43})
skip_if_not_macos('macOS specific test, due to the mount path and command.')
import pexpect
from time import sleep
import os
from os.path import exists as exist
import plistlib
usb_devices = pexpect.run('system_profiler -xml SPUSBDataType')
assert b'Nitrokey' in usb_devices, 'No Nitrokey devices connected'
usb_devices_parsed = plistlib.loads(usb_devices)
assert isinstance(usb_devices_parsed, list), 'usb_devices_parsed has unexpected type'
# Try to get all USB devices
try:
devices = usb_devices_parsed[0]['_items'][0]['_items']
except KeyError:
devices = None
assert devices is not None, 'could not list USB devices'
device_item = None
for item in devices:
if '_items' in item:
# Fix for macOS 10.13.6, Python 3.6.2
item = item['_items'][0]
if 'manufacturer' in item and item['manufacturer'] == 'Nitrokey':
device_item = item
# Try to get first volume of USB device
try:
volume = device_item['Media'][0]['volumes'][0]
except (KeyError, TypeError):
volume = None
assert volume is not None, 'could not determine volume'
assert 'bsd_name' in volume, 'could not get BSD style device name'
device = '/dev/' + volume['bsd_name']
pexpect.run(f'diskutil mount {device}')
sleep(3)
assert 'mount_point' in volume, 'could not get mount point'
firmware_abs_path = volume['mount_point'] + '/firmware.bin'
checks = 0
print('path: {}, device: {}'.format(firmware_abs_path, device))
checks_add = 0
if exist(firmware_abs_path):
os.remove(firmware_abs_path)
assert not exist(firmware_abs_path)
ATTEMPTS = 20
for i in range(ATTEMPTS):
# if umount is disabled, success rate is 3/10, enabled: 10/10
pexpect.run(f'diskutil unmount {device}')
assert C.NK_export_firmware(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
pexpect.run(f'diskutil mount {device}')
sleep(1)
firmware_file_exist = exist(firmware_abs_path)
if firmware_file_exist:
checks += 1
getsize = os.path.getsize(firmware_abs_path)
print('Firmware file exist, size: {}'.format(getsize))
checks_add += 1 if getsize >= 100 * 1024 else 0
# checks_add += 1 if os.path.getsize(firmware_abs_path) == 256*1024 else 0
os.remove(firmware_abs_path)
assert not exist(firmware_abs_path)
print('CHECK {} ; CHECK ADDITIONAL {}'.format(checks, checks_add))
assert checks == ATTEMPTS
assert checks_add == checks
def test_encrypted_volume_set_read_write(C):
skip_if_device_version_lower_than({'S': 99})
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_set_encrypted_read_write(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
def test_export_firmware(C):
skip_if_device_version_lower_than({'S': 43})
assert C.NK_export_firmware(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
def test_clear_new_sd_card_notification(C):
skip_if_device_version_lower_than({'S': 43})
assert C.NK_clear_new_sd_card_warning(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
def test_export_firmware_extended_fedora29(C):
"""
Check, whether the firmware file is exported correctly, and in correct size.
Apparently, the auto-remounting side effect of the v0.46 change, is disturbing the export process.
Unmounting the UV just before the export gives the device 20/20 success rate.
Test case for issue https://github.com/Nitrokey/nitrokey-app/issues/399
"""
skip_if_device_version_lower_than({'S': 43})
skip_if_not_fedora('Tested on Fedora only. To check on other distros.')
from time import sleep
import os
from os.path import exists as exist
import re
try:
import pyudev as pu
import pexpect
except:
pytest.skip(
'Skipping due to missing required packages: pyudev and pexpect.')
ctx = pu.Context()
devices = ctx.list_devices(subsystem='block', ID_VENDOR='Nitrokey')
device = None
for d in devices:
if d.device_type == 'partition':
device = '/dev/{}'.format(d.sys_name)
break
assert device, 'Device could not be found'
pexpect.run(f'udisksctl unmount -b {device}').decode()
sleep(1)
_res = pexpect.run(f'udisksctl mount -b {device}').decode()
firmware_abs_path = re.findall('at (/.*)\.', _res)
assert firmware_abs_path, 'Cannot get mount point'
firmware_abs_path = firmware_abs_path[0]
print('path: {}, device: {}'.format(firmware_abs_path, device))
assert firmware_abs_path, 'Cannot get mount point'
firmware_abs_path = firmware_abs_path + '/firmware.bin'
checks = 0
checks_add = 0
if exist(firmware_abs_path):
os.remove(firmware_abs_path)
assert not exist(firmware_abs_path)
ATTEMPTS = 20
for i in range(ATTEMPTS):
# if umount is disabled, success rate is 3/10, enabled: 10/10
pexpect.run(f'udisksctl unmount -b {device}')
assert C.NK_export_firmware(
DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
pexpect.run(f'udisksctl mount -b {device}')
sleep(1)
firmware_file_exist = exist(firmware_abs_path)
if firmware_file_exist:
checks += 1
getsize = os.path.getsize(firmware_abs_path)
print('Firmware file exist, size: {}'.format(getsize))
checks_add += 1 if getsize >= 100 * 1024 else 0
# checks_add += 1 if os.path.getsize(firmware_abs_path) == 256*1024 else 0
os.remove(firmware_abs_path)
assert not exist(firmware_abs_path)
print('CHECK {} ; CHECK ADDITIONAL {}'.format(checks, checks_add))
assert checks == ATTEMPTS
assert checks_add == checks
def test_enable_firmware_update(C):
skip_if_device_version_lower_than({'S': 50})
wrong_password = b'aaaaaaaaaaa'
assert C.NK_enable_firmware_update(wrong_password) == DeviceErrorCode.WRONG_PASSWORD
def test_encrypted_volume_unlock(C):
skip_if_device_version_lower_than({'S': 43})
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
def test_send_startup(C):
skip_if_device_version_lower_than({'S': 43})
time_seconds_from_epoch = 0 # FIXME set proper date
assert C.NK_send_startup(time_seconds_from_epoch) == DeviceErrorCode.STATUS_OK
def test_get_busy_progress_on_idle(C):
skip_if_device_version_lower_than({'S': 43})
value = C.NK_get_progress_bar_value()
assert value == -1
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_unencrypted_volume_set_read_only_admin(C):
skip_if_device_version_lower_than({'S': 51})
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_set_unencrypted_read_only_admin(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
def test_send_startup(C):
skip_if_device_version_lower_than({'S': 43})
time_seconds_from_epoch = 0 # FIXME set proper date
assert C.NK_send_startup(
time_seconds_from_epoch) == DeviceErrorCode.STATUS_OK
def test_export_firmware_extended_fedora29(C):
"""
Check, whether the firmware file is exported correctly, and in correct size.
Apparently, the auto-remounting side effect of the v0.46 change, is disturbing the export process.
Unmounting the UV just before the export gives the device 20/20 success rate.
Test case for issue https://github.com/Nitrokey/nitrokey-app/issues/399
"""
skip_if_device_version_lower_than({'S': 43})
skip_if_not_fedora('Tested on Fedora only. To check on other distros.')
from time import sleep
import os
from os.path import exists as exist
import re
try:
import pyudev as pu
import pexpect
except:
pytest.skip('Skipping due to missing required packages: pyudev and pexpect.')
ctx = pu.Context()
devices = ctx.list_devices(subsystem='block', ID_VENDOR='Nitrokey')
device = None
for d in devices:
if d.device_type == 'partition':
device = '/dev/{}'.format(d.sys_name)
break
assert device, 'Device could not be found'
pexpect.run(f'udisksctl unmount -b {device}').decode()
sleep(1)
_res = pexpect.run(f'udisksctl mount -b {device}').decode()
firmware_abs_path = re.findall('at (/.*)\.', _res)
assert firmware_abs_path, 'Cannot get mount point'
firmware_abs_path = firmware_abs_path[0]
print('path: {}, device: {}'.format(firmware_abs_path, device))
assert firmware_abs_path, 'Cannot get mount point'
firmware_abs_path = firmware_abs_path + '/firmware.bin'
checks = 0
checks_add = 0
if exist(firmware_abs_path):
os.remove(firmware_abs_path)
assert not exist(firmware_abs_path)
ATTEMPTS = 20
for i in range(ATTEMPTS):
# if umount is disabled, success rate is 3/10, enabled: 10/10
pexpect.run(f'udisksctl unmount -b {device}')
assert C.NK_export_firmware(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
pexpect.run(f'udisksctl mount -b {device}')
sleep(1)
firmware_file_exist = exist(firmware_abs_path)
if firmware_file_exist:
checks += 1
getsize = os.path.getsize(firmware_abs_path)
print('Firmware file exist, size: {}'.format(getsize))
checks_add += 1 if getsize >= 100 * 1024 else 0
# checks_add += 1 if os.path.getsize(firmware_abs_path) == 256*1024 else 0
os.remove(firmware_abs_path)
assert not exist(firmware_abs_path)
print('CHECK {} ; CHECK ADDITIONAL {}'.format(checks, checks_add))
assert checks == ATTEMPTS
assert checks_add == checks
def test_export_firmware_extended_macos(C):
"""
Check, whether the firmware file is exported correctly, and in correct size.
Apparently, the auto-remounting side effect of the v0.46 change, is disturbing the export process.
Unmounting the UV just before the export gives the device 20/20 success rate.
Test case for issue https://github.com/Nitrokey/nitrokey-app/issues/399
"""
skip_if_device_version_lower_than({'S': 43})
skip_if_not_macos(
'macOS specific test, due to the mount path and command.')
import pexpect
from time import sleep
import os
from os.path import exists as exist
import plistlib
usb_devices = pexpect.run('system_profiler -xml SPUSBDataType')
assert b'Nitrokey' in usb_devices, 'No Nitrokey devices connected'
usb_devices_parsed = plistlib.loads(usb_devices)
assert isinstance(usb_devices_parsed,
list), 'usb_devices_parsed has unexpected type'
# Try to get all USB devices
try:
devices = usb_devices_parsed[0]['_items'][0]['_items']
except KeyError:
devices = None
assert devices is not None, 'could not list USB devices'
device_item = None
for item in devices:
if '_items' in item:
# Fix for macOS 10.13.6, Python 3.6.2
item = item['_items'][0]
if 'manufacturer' in item and item['manufacturer'] == 'Nitrokey':
device_item = item
# Try to get first volume of USB device
try:
volume = device_item['Media'][0]['volumes'][0]
except (KeyError, TypeError):
volume = None
assert volume is not None, 'could not determine volume'
assert 'bsd_name' in volume, 'could not get BSD style device name'
device = '/dev/' + volume['bsd_name']
pexpect.run(f'diskutil mount {device}')
sleep(3)
assert 'mount_point' in volume, 'could not get mount point'
firmware_abs_path = volume['mount_point'] + '/firmware.bin'
checks = 0
print('path: {}, device: {}'.format(firmware_abs_path, device))
checks_add = 0
if exist(firmware_abs_path):
os.remove(firmware_abs_path)
assert not exist(firmware_abs_path)
ATTEMPTS = 20
for i in range(ATTEMPTS):
# if umount is disabled, success rate is 3/10, enabled: 10/10
pexpect.run(f'diskutil unmount {device}')
assert C.NK_export_firmware(
DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
pexpect.run(f'diskutil mount {device}')
sleep(1)
firmware_file_exist = exist(firmware_abs_path)
if firmware_file_exist:
checks += 1
getsize = os.path.getsize(firmware_abs_path)
print('Firmware file exist, size: {}'.format(getsize))
checks_add += 1 if getsize >= 100 * 1024 else 0
# checks_add += 1 if os.path.getsize(firmware_abs_path) == 256*1024 else 0
os.remove(firmware_abs_path)
assert not exist(firmware_abs_path)
print('CHECK {} ; CHECK ADDITIONAL {}'.format(checks, checks_add))
assert checks == ATTEMPTS
assert checks_add == checks
def test_get_busy_progress_on_idle(C):
skip_if_device_version_lower_than({'S': 43})
value = C.NK_get_progress_bar_value()
assert value == -1
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_encrypted_volume_unlock(C):
skip_if_device_version_lower_than({'S': 43})
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_unlock_encrypted_volume(
DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
def test_change_update_password(C):
skip_if_device_version_lower_than({'S': 43})
wrong_password = b'aaaaaaaaaaa'
assert C.NK_change_update_password(wrong_password, DefaultPasswords.UPDATE_TEMP) == DeviceErrorCode.WRONG_PASSWORD
assert C.NK_change_update_password(DefaultPasswords.UPDATE, DefaultPasswords.UPDATE_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_change_update_password(DefaultPasswords.UPDATE_TEMP, DefaultPasswords.UPDATE) == DeviceErrorCode.STATUS_OK
