def test_write_all_password_safe_slots_and_read_10_times(C): def fill(s, wid): assert wid >= len(s) numbers = '1234567890' * 4 s += numbers[:wid - len(s)] assert len(s) == wid return bb(s) def get_pass(suffix): return fill('pass' + suffix, 20) def get_loginname(suffix): return fill('login' + suffix, 32) def get_slotname(suffix): return fill('slotname' + suffix, 11) assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK assert C.NK_enable_password_safe( DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK PWS_slot_count = 16 for i in range(0, PWS_slot_count): iss = str(i) assert C.NK_write_password_safe_slot( i, get_slotname(iss), get_loginname(iss), get_pass(iss)) == DeviceErrorCode.STATUS_OK for j in range(0, 10): for i in range(0, PWS_slot_count): iss = str(i) assert gs(C.NK_get_password_safe_slot_name(i)) == get_slotname(iss) assert gs( C.NK_get_password_safe_slot_login(i)) == get_loginname(iss) assert gs(C.NK_get_password_safe_slot_password(i)) == get_pass(iss)
def test_edit_OTP_slot(C): """ should change slots counter and name without changing its secret (using null secret for second update) """ # counter is not getting updated under Storage v0.43 - #TOREPORT skip_if_device_version_lower_than({'S': 44, 'P': 7}) secret = RFC_SECRET counter = 0 PIN_protection = False use_8_digits = False assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK slot_number = 0 assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK first_name = b'edit slot' assert C.NK_write_hotp_slot(slot_number, first_name, bb(secret), counter, use_8_digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_hotp_slot_name(slot_number)) == first_name first_code = gs(C.NK_get_hotp_code(slot_number)) changed_name = b'changedname' empty_secret = b'' assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot(slot_number, changed_name, empty_secret, counter, use_8_digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK second_code = gs(C.NK_get_hotp_code(slot_number)) assert first_code == second_code assert gs(C.NK_get_hotp_slot_name(slot_number)) == changed_name
def test_get_OTP_code_from_not_programmed_slot(C): assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config( 255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_erase_hotp_slot( 0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_erase_totp_slot( 0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code = gs(C.NK_get_hotp_code(0)) assert code == b'' assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED code = gs(C.NK_get_totp_code(0, 0, 0, 0)) assert code == b'' assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
def test_read_all_password_safe_slots_10_times(C): def fill(s, wid): assert wid >= len(s) numbers = '1234567890'*4 s += numbers[:wid-len(s)] assert len(s) == wid return bb(s) def get_pass(suffix): return fill('pass' + suffix, 20) def get_loginname(suffix): return fill('login' + suffix, 32) def get_slotname(suffix): return fill('slotname' + suffix, 11) assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK PWS_slot_count = 16 for j in range(0, 10): for i in range(0, PWS_slot_count): iss = str(i) assert gs(C.NK_get_password_safe_slot_name(i)) == get_slotname(iss) assert gs(C.NK_get_password_safe_slot_login(i)) == get_loginname(iss) assert gs(C.NK_get_password_safe_slot_password(i)) == get_pass(iss)
def test_factory_reset(C): assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config( 255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot( 1, b'python_test', bbRFC_SECRET, 0, False, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_hotp_code(1)) == b"755224" assert C.NK_factory_reset( DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK wait(10) assert gs(C.NK_get_hotp_code(1)) != b"287082" assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED # restore AES key assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_build_aes_key( DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK assert C.NK_enable_password_safe( DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK if is_storage(C): assert C.NK_clear_new_sd_card_warning( DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
def test_get_code_user_authorize(C): assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_totp_slot( 0, b'python_otp_auth', bbRFC_SECRET, 30, True, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK # enable PIN protection of OTP codes with write_config # TODO create convinience function on C API side to enable/disable OTP USER_PIN protection assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config( 255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code = gs(C.NK_get_totp_code(0, 0, 0, 0)) assert code == b'' assert C.NK_get_last_command_status( ) == DeviceErrorCode.STATUS_NOT_AUTHORIZED # disable PIN protection with write_config assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config( 255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code = gs(C.NK_get_totp_code(0, 0, 0, 0)) assert code != b'' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_destroy_password_safe(C): """ Sometimes fails on NK Pro - slot name is not cleared ergo key generation has not succeed despite the success result returned from the device """ assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK # write password safe slot assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1', b'pass1') == DeviceErrorCode.STATUS_OK # read slot assert gs(C.NK_get_password_safe_slot_name(0)) == b'slotname1' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK slot_login = C.NK_get_password_safe_slot_login(0) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK assert gs(slot_login) == b'login1' # destroy password safe by regenerating aes key assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_password_safe_slot_name(0)) != b'slotname1' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK # check was slot status cleared safe_slot_status = C.NK_get_password_safe_slot_status() assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK is_slot_programmed = list(ffi.cast("uint8_t [16]", safe_slot_status)[0:16]) assert is_slot_programmed[0] == 0
def test_edit_OTP_slot(C): """ should change slots counter and name without changing its secret (using null secret for second update) """ # counter is not getting updated under Storage v0.43 - #TOREPORT skip_if_device_version_lower_than({'S': 44, 'P': 7}) secret = RFC_SECRET counter = 0 PIN_protection = False use_8_digits = False assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK slot_number = 0 assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK first_name = b'edit slot' assert C.NK_write_hotp_slot(slot_number, first_name, bb(secret), counter, use_8_digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_hotp_slot_name(slot_number)) == first_name first_code = gs(C.NK_get_hotp_code(slot_number)) changed_name = b'changedname' empty_secret = b'' assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot(slot_number, changed_name, empty_secret, counter, use_8_digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK second_code = gs(C.NK_get_hotp_code(slot_number)) assert first_code == second_code assert gs(C.NK_get_hotp_slot_name(slot_number)) == changed_name
def check_PWS_correctness(C): for i in range(0, PWS_slot_count): iss = str(i) assert gs(C.NK_get_password_safe_slot_name(i)) == get_slotname(iss) assert gs( C.NK_get_password_safe_slot_login(i)) == get_loginname(iss) assert gs(C.NK_get_password_safe_slot_password(i)) == get_pass(iss)
def test_destroy_password_safe(C): """ Sometimes fails on NK Pro - slot name is not cleared ergo key generation has not succeed despite the success result returned from the device """ assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK # write password safe slot assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1', b'pass1') == DeviceErrorCode.STATUS_OK # read slot assert gs(C.NK_get_password_safe_slot_name(0)) == b'slotname1' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK slot_login = C.NK_get_password_safe_slot_login(0) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK assert gs(slot_login) == b'login1' # destroy password safe by regenerating aes key assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_password_safe_slot_name(0)) != b'slotname1' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK # check was slot status cleared safe_slot_status = C.NK_get_password_safe_slot_status() assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK is_slot_programmed = list(ffi.cast("uint8_t [16]", safe_slot_status)[0:16]) assert is_slot_programmed[0] == 0
def test_get_password_safe_slot_login_password(C): assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1', b'pass1') == DeviceErrorCode.STATUS_OK slot_login = C.NK_get_password_safe_slot_login(0) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK assert gs(slot_login) == b'login1' slot_password = gs(C.NK_get_password_safe_slot_password(0)) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK assert slot_password == b'pass1'
def test_get_password_safe_slot_login_password(C): assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1', b'pass1') == DeviceErrorCode.STATUS_OK slot_login = C.NK_get_password_safe_slot_login(0) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK assert gs(slot_login) == b'login1' slot_password = gs(C.NK_get_password_safe_slot_password(0)) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK assert slot_password == b'pass1'
def test_get_password_safe_slot_name(C): assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1', b'pass1') == DeviceErrorCode.STATUS_OK assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_password_safe_slot_name(0)) == b'' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_password_safe_slot_name(0)) == b'slotname1' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_get_password_safe_slot_name(C): assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1', b'pass1') == DeviceErrorCode.STATUS_OK assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_password_safe_slot_name(0)) == b'' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_password_safe_slot_name(0)) == b'slotname1' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def helper_check_device_for_data(C): assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK for i in range(0, PWS_SLOT_COUNT): iss = str(i) assert gs(C.NK_get_password_safe_slot_name(i)) == helper_PWS_get_slotname(iss) assert gs(C.NK_get_password_safe_slot_login(i)) == helper_PWS_get_loginname(iss) assert gs(C.NK_get_password_safe_slot_password(i)) == helper_PWS_get_pass(iss) return True
def test_authorize_issue_user(C): skip_if_device_version_lower_than({'S': 43, 'P': 9}) # issue fixed in Pro v0.9, Storage version chosen arbitrary assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_totp_slot(0, b'python_otp_auth', bbRFC_SECRET, 30, True, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK # enable PIN protection of OTP codes with write_config assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK gs(C.NK_get_totp_code(0, 0, 0, 0)) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP)) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK assert C.NK_user_authenticate(b"wrong pass", b"another temp pass") == DeviceErrorCode.WRONG_PASSWORD gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP)) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP)) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK # disable PIN protection with write_config assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code = gs(C.NK_get_totp_code(0, 0, 0, 0)) assert code != b'' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_authorize_issue_user(C): skip_if_device_version_lower_than({'S': 43, 'P': 9}) # issue fixed in Pro v0.9, Storage version chosen arbitrary assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_totp_slot(0, b'python_otp_auth', bbRFC_SECRET, 30, True, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK # enable PIN protection of OTP codes with write_config assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK gs(C.NK_get_totp_code(0, 0, 0, 0)) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP)) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK assert C.NK_user_authenticate(b"wrong pass", b"another temp pass") == DeviceErrorCode.WRONG_PASSWORD gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP)) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP)) assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK # disable PIN protection with write_config assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code = gs(C.NK_get_totp_code(0, 0, 0, 0)) assert code != b'' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_HOTP_RFC_use8digits_usepin(C, use_8_digits, use_pin_protection): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK if use_pin_protection: check_HOTP_RFC_codes(C, lambda x: gs(C.NK_get_hotp_code_PIN(x, DefaultPasswords.USER_TEMP)), lambda: C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP), use_8_digits=use_8_digits) else: check_HOTP_RFC_codes(C, lambda x: gs(C.NK_get_hotp_code(x)), use_8_digits=use_8_digits)
def test_HOTP_RFC_use8digits_usepin(C, use_8_digits, use_pin_protection): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK if use_pin_protection: check_HOTP_RFC_codes(C, lambda x: gs(C.NK_get_hotp_code_PIN(x, DefaultPasswords.USER_TEMP)), lambda: C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP), use_8_digits=use_8_digits) else: check_HOTP_RFC_codes(C, lambda x: gs(C.NK_get_hotp_code(x)), use_8_digits=use_8_digits)
def test_TOTP_RFC_usepin(C, PIN_protection): slot_number = 1 assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config( 255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK # test according to https://tools.ietf.org/html/rfc6238#appendix-B assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_totp_slot( slot_number, b'python_test', bbRFC_SECRET, 30, True, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK get_func = None if PIN_protection: get_func = lambda x, y, z, r: gs( C.NK_get_totp_code_PIN(x, y, z, r, DefaultPasswords.USER_TEMP)) else: get_func = lambda x, y, z, r: gs(C.NK_get_totp_code(x, y, z, r)) # Mode: Sha1, time step X=30 test_data = [ #Time T (hex) TOTP ( 59, 0x1, 94287082 ), # Warning - test vector time 1 second before interval count changes ( 1111111109, 0x00000000023523EC, 7081804 ), # Warning - test vector time 1 second before interval count changes (1111111111, 0x00000000023523ED, 14050471), (1234567890, 0x000000000273EF07, 89005924), (2000000000, 0x0000000003F940AA, 69279037), # (20000000000, 0x0000000027BC86AA, 65353130), # 64bit is also checked in other test ] responses = [] data = [] correct = 0 for t, T, expected_code in test_data: if PIN_protection: C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_totp_set_time(t) == DeviceErrorCode.STATUS_OK code_from_device = get_func(slot_number, T, 0, 30) # FIXME T is not changing the outcome data += [(t, bb(str(expected_code).zfill(8)))] responses += [(t, code_from_device)] correct += expected_code == code_from_device assert data == responses or correct == len(test_data)
def test_get_OTP_codes(C): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK for i in range(15): code = gs(C.NK_get_totp_code(i, 0, 0, 0)) if code == b'': assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED for i in range(3): code = gs(C.NK_get_hotp_code(i)) if code == b'': assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
def test_get_OTP_codes(C): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK for i in range(15): code = gs(C.NK_get_totp_code(i, 0, 0, 0)) if code == b'': assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED for i in range(3): code = gs(C.NK_get_hotp_code(i)) if code == b'': assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
def test_invalid_slot(C): invalid_slot = 255 assert C.NK_erase_totp_slot(invalid_slot, b'some password') == LibraryErrors.INVALID_SLOT assert C.NK_write_hotp_slot(invalid_slot, b'long_test', bbRFC_SECRET, 0, False, False, False, b"", b'aaa') == LibraryErrors.INVALID_SLOT assert gs(C.NK_get_hotp_code_PIN(invalid_slot, b'some password')) == b"" assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT assert C.NK_erase_password_safe_slot(invalid_slot) == LibraryErrors.INVALID_SLOT assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_password_safe_slot_name(invalid_slot)) == b'' assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT assert gs(C.NK_get_password_safe_slot_login(invalid_slot)) == b'' assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT
def test_get_OTP_code_from_not_programmed_slot(C): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_erase_hotp_slot(0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_erase_totp_slot(0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code = gs(C.NK_get_hotp_code(0)) assert code == b'' assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED code = gs(C.NK_get_totp_code(0, 0, 0, 0)) assert code == b'' assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
def test_TOTP_secrets(C, secret): ''' NK Pro 0.8+, NK Storage 0.44+ ''' skip_if_device_version_lower_than({'S': 44, 'P': 8}) if len(secret) > 20 * 2: #*2 since secret is in hex # pytest.skip("Secret lengths over 20 bytes are not supported by NK Pro 0.7 and NK Storage") skip_if_device_version_lower_than({'P': 8}) slot_number = 0 time = 0 period = 30 oath = pytest.importorskip("oath") lib_at = lambda t: bb(oath.totp(secret, t=t, period=period)) PIN_protection = False use_8_digits = False T = 0 assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config( 255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] assert C.NK_write_totp_slot( slot_number, b'secret' + bytes(len(secret)), bb(secret), period, use_8_digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_totp_set_time(time) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_totp_code(slot_number, T, 0, period)) dev_res += (time, code_device) lib_res += (time, lib_at(time)) assert dev_res == lib_res
def test_HOTP_secrets(C, secret): """ NK Pro 0.8+ feature needed: support for 320bit secrets """ if len(secret) > 40: skip_if_device_version_lower_than({'P': 8}) slot_number = 0 counter = 0 oath = pytest.importorskip("oath") lib_at = lambda t: bb(oath.hotp(secret, counter=t)) PIN_protection = False use_8_digits = False T = 0 assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config( 255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] # repeat authentication for Pro 0.7 assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot( slot_number, b'secret' + bytes(len(secret)), bb(secret), counter, use_8_digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_hotp_code(slot_number)) dev_res += (counter, code_device) lib_res += (counter, lib_at(counter)) assert dev_res == lib_res
def test_erase_password_safe_slot(C): assert C.NK_enable_password_safe( DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert C.NK_erase_password_safe_slot(0) == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_password_safe_slot_name(0)) == b'' assert C.NK_get_last_command_status( ) == DeviceErrorCode.STATUS_OK # TODO CHECK shouldn't this be DeviceErrorCode.NOT_PROGRAMMED ?
def test_HOTP_slots_read_write_counter(C, counter): """ Write different counters to all HOTP slots, read code and compare with 3rd party :param counter: """ if counter >= 1e7: # Storage does not handle counters longer than 7 digits skip_if_device_version_lower_than({'P': 7}) secret = RFC_SECRET oath = pytest.importorskip("oath") lib_at = lambda t: bb(oath.hotp(secret, t, format='dec6')) PIN_protection = False use_8_digits = False assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config( 255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] for slot_number in range(3): assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot( slot_number, b'HOTP rw' + bytes(slot_number), bb(secret), counter, use_8_digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_hotp_code(slot_number)) dev_res += (counter, code_device) lib_res += (counter, lib_at(counter)) assert dev_res == lib_res
def test_TOTP_64bit_time(C): if is_storage(C): pytest.xfail('bug in NK Storage TOTP firmware') oath = pytest.importorskip("oath") T = 1 lib_at = lambda t: bb(oath.totp(RFC_SECRET, t=t)) PIN_protection = False slot_number = 1 assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config( 255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_totp_slot( slot_number, b'python_test', bbRFC_SECRET, 30, False, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] for t in range(INT32_MAX - 5, INT32_MAX + 5, 1): assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_totp_set_time(t) == DeviceErrorCode.STATUS_OK code_device = gs((C.NK_get_totp_code(slot_number, T, 0, 30))) dev_res += (t, code_device) lib_res += (t, lib_at(t)) assert dev_res == lib_res
def test_OTP_secret_started_from_null(C, secret): """ NK Pro 0.8+, NK Storage 0.43+ """ skip_if_device_version_lower_than({'S': 43, 'P': 8}) if len(secret) > 40: # feature: 320 bit long secret handling skip_if_device_version_lower_than({'P': 8}) oath = pytest.importorskip("oath") lib_at = lambda t: bb(oath.hotp(secret, t, format='dec6')) PIN_protection = False use_8_digits = False slot_number = 1 assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config( 255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] for t in range(1, 5): assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot( slot_number, b'null_secret', bb(secret), t, use_8_digits, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_hotp_code(slot_number)) dev_res += (t, code_device) lib_res += (t, lib_at(t)) assert dev_res == lib_res
def test_HOTP_secrets(C, secret): """ NK Pro 0.8+ feature needed: support for 320bit secrets """ if len(secret)>40: skip_if_device_version_lower_than({'P': 8, 'S': 54}) slot_number = 0 counter = 0 oath = pytest.importorskip("oath") lib_at = lambda t: bb(oath.hotp(secret, counter=t)) PIN_protection = False use_8_digits = False T = 0 assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] # repeat authentication for Pro 0.7 assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot(slot_number, b'secret' + bytes(len(secret)), bb(secret), counter, use_8_digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_hotp_code(slot_number)) dev_res += (counter, code_device) lib_res += (counter, lib_at(counter)) assert dev_res == lib_res
def test_TOTP_slots_read_write_at_time_period(C, time, period): """ Write to all TOTP slots with specified period, read code at specified time and compare with 3rd party """ secret = RFC_SECRET oath = pytest.importorskip("oath") lib_at = lambda t: bb(oath.totp(RFC_SECRET, t=t, period=period)) PIN_protection = False use_8_digits = False T = 0 assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] for slot_number in range(15): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_totp_slot(slot_number, b'TOTP rw' + bytes(slot_number), bb(secret), period, use_8_digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_totp_set_time(time) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_totp_code(slot_number, T, 0, period)) dev_res += (time, code_device) lib_res += (time, lib_at(time)) assert dev_res == lib_res
def test_HOTP_slots_read_write_counter(C, counter): """ Write different counters to all HOTP slots, read code and compare with 3rd party :param counter: """ if counter >= 1e7: # Storage v0.53 and below does not handle counters longer than 7 digits skip_if_device_version_lower_than({'P': 7, 'S': 54}) secret = RFC_SECRET oath = pytest.importorskip("oath") lib_at = lambda t: bb(oath.hotp(secret, t, format='dec6')) PIN_protection = False use_8_digits = False assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] for slot_number in range(3): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot(slot_number, b'HOTP rw' + bytes(slot_number), bb(secret), counter, use_8_digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_hotp_code(slot_number)) dev_res += (counter, code_device) lib_res += (counter, lib_at(counter)) assert dev_res == lib_res
def test_TOTP_slots_read_write_at_time_period(C, time, period): """ Write to all TOTP slots with specified period, read code at specified time and compare with 3rd party """ secret = RFC_SECRET oath = pytest.importorskip("oath") lib_at = lambda t: bb(oath.totp(RFC_SECRET, t=t, period=period)) PIN_protection = False use_8_digits = False T = 0 assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config( 255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] for slot_number in range(15): assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_totp_slot( slot_number, b'TOTP rw' + bytes(slot_number), bb(secret), period, use_8_digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_totp_set_time(time) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_totp_code(slot_number, T, 0, period)) dev_res += (time, code_device) lib_res += (time, lib_at(time)) assert dev_res == lib_res
def test_HOTP_64bit_counter(C): if is_storage(C): pytest.xfail( 'bug in NK Storage HOTP firmware - counter is set with a 8 digits string, ' 'however int32max takes 10 digits to be written') oath = pytest.importorskip("oath") lib_at = lambda t: bb(oath.hotp(RFC_SECRET, t, format='dec6')) PIN_protection = False use_8_digits = False slot_number = 1 assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config( 255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] for t in range(INT32_MAX - 5, INT32_MAX + 5, 1): assert C.NK_first_authenticate( DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot( slot_number, b'python_test', bbRFC_SECRET, t, use_8_digits, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_hotp_code(slot_number)) dev_res += (t, code_device) lib_res += (t, lib_at(t)) assert dev_res == lib_res
def test_OTP_secret_started_from_null(C, secret): """ NK Pro 0.8+, NK Storage 0.43+ """ skip_if_device_version_lower_than({'S': 43, 'P': 8}) if len(secret) > 40: # feature: 320 bit long secret handling skip_if_device_version_lower_than({'P': 8, 'S': 54}) oath = pytest.importorskip("oath") lib_at = lambda t: bb(oath.hotp(secret, t, format='dec6')) PIN_protection = False use_8_digits = False slot_number = 1 assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] for t in range(1,5): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot(slot_number, b'null_secret', bb(secret), t, use_8_digits, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_hotp_code(slot_number)) dev_res += (t, code_device) lib_res += (t, lib_at(t)) assert dev_res == lib_res
def get_library(request, allow_offline=False): library_read_declarations() C = library_open_lib() C.NK_set_debug_level(int(os.environ.get('LIBNK_DEBUG', 2))) nk_login = C.NK_login_auto() if nk_login != 1: print('No devices detected!') if not allow_offline: assert nk_login != 0 # returns 0 if not connected or wrong model or 1 when connected global device_type firmware_version = C.NK_get_minor_firmware_version() model = C.NK_get_device_model() model = 'P' if model == 1 else 'S' if model == 2 else 'U' device_type = (model, firmware_version) print('Connected library: {}'.format(gs(C.NK_get_library_version()))) print('Connected device: {} {}'.format(model, firmware_version)) # assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK # assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK # C.NK_status() def fin(): print('\nFinishing connection to device') C.NK_logout() print('Finished') if request: request.addfinalizer(fin) # C.NK_set_debug(True) C.NK_set_debug_level(int(os.environ.get('LIBNK_DEBUG', 3))) return AttrProxy(C, "libnitrokey C")
def test_TOTP_secrets(C, secret): ''' NK Pro 0.8+, NK Storage 0.44+ ''' skip_if_device_version_lower_than({'S': 44, 'P': 8}) if len(secret)>20*2: #*2 since secret is in hex # pytest.skip("Secret lengths over 20 bytes are not supported by NK Pro 0.7 and NK Storage v0.53 and older") skip_if_device_version_lower_than({'P': 8, 'S': 54}) slot_number = 0 time = 0 period = 30 oath = pytest.importorskip("oath") lib_at = lambda t: bb(oath.totp(secret, t=t, period=period)) PIN_protection = False use_8_digits = False T = 0 assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] assert C.NK_write_totp_slot(slot_number, b'secret' + bytes(len(secret)), bb(secret), period, use_8_digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_totp_set_time(time) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_totp_code(slot_number, T, 0, period)) dev_res += (time, code_device) lib_res += (time, lib_at(time)) assert dev_res == lib_res
def test_too_long_strings(C): new_password = b'123123123' long_string = b'a' * 100 assert C.NK_change_user_PIN(long_string, new_password) == LibraryErrors.TOO_LONG_STRING assert C.NK_change_user_PIN(new_password, long_string) == LibraryErrors.TOO_LONG_STRING assert C.NK_change_admin_PIN(long_string, new_password) == LibraryErrors.TOO_LONG_STRING assert C.NK_change_admin_PIN(new_password, long_string) == LibraryErrors.TOO_LONG_STRING assert C.NK_first_authenticate( long_string, DefaultPasswords.ADMIN_TEMP) == LibraryErrors.TOO_LONG_STRING assert C.NK_erase_totp_slot(0, long_string) == LibraryErrors.TOO_LONG_STRING digits = False assert C.NK_write_hotp_slot( 1, long_string, bbRFC_SECRET, 0, digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == LibraryErrors.TOO_LONG_STRING assert C.NK_write_hotp_slot(1, b'long_test', bbRFC_SECRET, 0, digits, False, False, b"", long_string) == LibraryErrors.TOO_LONG_STRING assert gs(C.NK_get_hotp_code_PIN(0, long_string)) == b"" assert C.NK_get_last_command_status() == LibraryErrors.TOO_LONG_STRING
def test_get_code_user_authorize(C): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_totp_slot(0, b'python_otp_auth', bbRFC_SECRET, 30, True, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK # enable PIN protection of OTP codes with write_config # TODO create convinience function on C API side to enable/disable OTP USER_PIN protection assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code = gs(C.NK_get_totp_code(0, 0, 0, 0)) assert code == b'' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED # disable PIN protection with write_config assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code = gs(C.NK_get_totp_code(0, 0, 0, 0)) assert code != b'' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_sd_card_usage(C): skip_if_device_version_lower_than({'S': 43}) data_pointer = C.NK_get_SD_usage_data_as_string() assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK data_string = gs(data_pointer) assert len(data_string) > 0 data_dict = get_dict_from_dissect(data_string.decode("ascii")) assert int(data_dict['WriteLevelMax']) <= 100
def get_status_storage(C): status_pointer = C.NK_get_status_storage_as_string() assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK status_string = gs(status_pointer) assert len(status_string) > 0 status_dict = get_dict_from_dissect(status_string.decode('ascii')) # assert int(status_dict['AdminPwRetryCount']) == default_admin_password_retry_count return status_dict, C.NK_get_last_command_status()
def test_invalid_slot(C): invalid_slot = 255 assert C.NK_erase_totp_slot(invalid_slot, 'some password') == LibraryErrors.INVALID_SLOT assert C.NK_write_hotp_slot(invalid_slot, 'long_test', RFC_SECRET, 0, False, False, False, "", 'aaa') == LibraryErrors.INVALID_SLOT assert C.NK_get_hotp_code_PIN(invalid_slot, 'some password') == 0 assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT assert C.NK_erase_password_safe_slot( invalid_slot) == LibraryErrors.INVALID_SLOT assert C.NK_enable_password_safe( DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_password_safe_slot_name(invalid_slot)) == '' assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT assert gs(C.NK_get_password_safe_slot_login(invalid_slot)) == '' assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT
def test_sd_card_usage(C): skip_if_device_version_lower_than({'S': 43}) data_pointer = C.NK_get_SD_usage_data_as_string() assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK data_string = gs(data_pointer) assert len(data_string) > 0 data_dict = get_dict_from_dissect(data_string.decode("ascii")) assert int(data_dict['WriteLevelMax']) <= 100
def test_get_status_storage(C): skip_if_device_version_lower_than({'S': 43}) status_pointer = C.NK_get_status_storage_as_string() assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK status_string = gs(status_pointer) assert len(status_string) > 0 status_dict = get_dict_from_dissect(status_string.decode('ascii')) default_admin_password_retry_count = 3 assert int(status_dict['AdminPwRetryCount']) == default_admin_password_retry_count
def test_factory_reset(C): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot(1, b'python_test', bbRFC_SECRET, 0, False, False, False, b"", DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert gs(C.NK_get_hotp_code(1)) == b"755224" assert C.NK_factory_reset(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK wait(10) assert gs(C.NK_get_hotp_code(1)) != b"287082" assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED # restore AES key assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK if is_storage(C): assert C.NK_clear_new_sd_card_warning(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
def __call__(self, *args, **kwargs): print('Calling {}{}'.format(self.name, args)) res = self.C(*args, **kwargs) res_s = res try: res_s = '{} => '.format(res) + '{}'.format(gs(res)) except Exception as e: pass print('Result of {}: {}'.format(self.name, res_s)) return res
def __call__(self, *args, **kwargs): print('Calling {}{}'.format(self.name, args)) res = self.C(*args, **kwargs) res_s = res try: res_s = '{} => '.format(res) + '{}'.format(gs(res)) except Exception as e: pass print('Result of {}: {}'.format(self.name, res_s)) return res
def test_get_status_storage(C): skip_if_device_version_lower_than({'S': 43}) status_pointer = C.NK_get_status_storage_as_string() assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK status_string = gs(status_pointer) assert len(status_string) > 0 status_dict = get_dict_from_dissect(status_string.decode('ascii')) default_admin_password_retry_count = 3 assert int(status_dict['AdminPwRetryCount']) == default_admin_password_retry_count print('C.NK_get_major_firmware_version(): {}'.format(C.NK_get_major_firmware_version())) print('C.NK_get_minor_firmware_version(): {}'.format(C.NK_get_minor_firmware_version()))
def test_get_status_storage_multiple(C): ids = gs(C.NK_list_devices_by_cpuID()) print(ids) devices_list = ids.split(b';') # # for s in devices_list: # res = C.NK_connect_with_ID(s) # assert res == 1 # # st = gs(C.NK_get_status_storage_as_string()) # # print(len(st)) # C.NK_lock_device() # for s in devices_list: res = C.NK_connect_with_ID(s) assert res == 1 v = C.NK_fill_SD_card_with_random_data(b'12345678') # print(v) devices_count = len(devices_list) assert devices_count != 0 b = 0 last_b = 0 with tqdm(total=devices_count * 100) as pbar: while b / devices_count < 100: pbar.update(b - last_b) b = defaultdict(lambda: 0) ids = gs(C.NK_list_devices_by_cpuID()) devices_list = ids.split(b';') devices_count = len(devices_list) for s in devices_list: res = C.NK_connect_with_ID(s) if res != 1: continue b[s] += C.NK_get_progress_bar_value() print(b) b = sum(b.values()) print('{}: {}'.format(b, int(b / devices_count) * '=')) sleep(5)
def test_get_status_storage_multiple(C): ids = gs(C.NK_list_devices_by_cpuID()) print(ids) devices_list = ids.split(b';') # # for s in devices_list: # res = C.NK_connect_with_ID(s) # assert res == 1 # # st = gs(C.NK_get_status_storage_as_string()) # # print(len(st)) # C.NK_lock_device() # for s in devices_list: res = C.NK_connect_with_ID(s) assert res == 1 v = C.NK_fill_SD_card_with_random_data(b'12345678') # print(v) devices_count = len(devices_list) assert devices_count != 0 b = 0 last_b = 0 with tqdm(total=devices_count*100) as pbar: while b/devices_count < 100: pbar.update(b - last_b) b = defaultdict (lambda: 0) ids = gs(C.NK_list_devices_by_cpuID()) devices_list = ids.split(b';') devices_count = len(devices_list) for s in devices_list: res = C.NK_connect_with_ID(s) if res != 1: continue b[s] += C.NK_get_progress_bar_value() print(b) b = sum(b.values()) print('{}: {}'.format(b, int(b/devices_count) * '=')) sleep(5)
def test_TOTP_RFC_usepin(C, PIN_protection): slot_number = 1 assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK # test according to https://tools.ietf.org/html/rfc6238#appendix-B assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_totp_slot(slot_number, b'python_test', bbRFC_SECRET, 30, True, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK get_func = None if PIN_protection: get_func = lambda x, y, z, r: gs(C.NK_get_totp_code_PIN(x, y, z, r, DefaultPasswords.USER_TEMP)) else: get_func = lambda x, y, z, r: gs(C.NK_get_totp_code(x, y, z, r)) # Mode: Sha1, time step X=30 test_data = [ #Time T (hex) TOTP (59, 0x1, 94287082), # Warning - test vector time 1 second before interval count changes (1111111109, 0x00000000023523EC, 7081804), # Warning - test vector time 1 second before interval count changes (1111111111, 0x00000000023523ED, 14050471), (1234567890, 0x000000000273EF07, 89005924), (2000000000, 0x0000000003F940AA, 69279037), # (20000000000, 0x0000000027BC86AA, 65353130), # 64bit is also checked in other test ] responses = [] data = [] correct = 0 for t, T, expected_code in test_data: if PIN_protection: C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_totp_set_time(t) == DeviceErrorCode.STATUS_OK code_from_device = get_func(slot_number, T, 0, 30) # FIXME T is not changing the outcome data += [ (t, bb(str(expected_code).zfill(8))) ] responses += [ (t, code_from_device) ] correct += expected_code == code_from_device assert data == responses or correct == len(test_data)
def test_connect_with_path(C): ids = gs(C.NK_list_devices_by_cpuID()) # NK_list_devices_by_cpuID already opened the devices, so we have to close # them before trying to reconnect assert C.NK_logout() == 0 devices_list = ids.split(b';') for value in devices_list: parts = value.split(b'_p_') assert len(parts) < 3 if len(parts) == 2: path = parts[1] else: path = parts[0] assert C.NK_connect_with_path(path) == 1
def test_HOTP_token(C): """ Check HOTP routine with written token ID to slot. """ use_pin_protection = False assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK token_ID = b"AAV100000022" assert C.NK_write_hotp_slot(1, b'python_test', bbRFC_SECRET, 0, False, False, True, token_ID, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK for i in range(5): hotp_code = gs(C.NK_get_hotp_code(1)) assert hotp_code != b'' assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_too_long_strings(C): new_password = b'123123123' long_string = b'a' * 100 assert C.NK_change_user_PIN(long_string, new_password) == LibraryErrors.TOO_LONG_STRING assert C.NK_change_user_PIN(new_password, long_string) == LibraryErrors.TOO_LONG_STRING assert C.NK_change_admin_PIN(long_string, new_password) == LibraryErrors.TOO_LONG_STRING assert C.NK_change_admin_PIN(new_password, long_string) == LibraryErrors.TOO_LONG_STRING assert C.NK_first_authenticate(long_string, DefaultPasswords.ADMIN_TEMP) == LibraryErrors.TOO_LONG_STRING assert C.NK_erase_totp_slot(0, long_string) == LibraryErrors.TOO_LONG_STRING digits = False assert C.NK_write_hotp_slot(1, long_string, bbRFC_SECRET, 0, digits, False, False, b"", DefaultPasswords.ADMIN_TEMP) == LibraryErrors.TOO_LONG_STRING assert C.NK_write_hotp_slot(1, b'long_test', bbRFC_SECRET, 0, digits, False, False, b"", long_string) == LibraryErrors.TOO_LONG_STRING assert gs(C.NK_get_hotp_code_PIN(0, long_string)) == b"" assert C.NK_get_last_command_status() == LibraryErrors.TOO_LONG_STRING
def test_TOTP_codes_from_nitrokeyapp(secret, C): """ Helper test for manual TOTP check of written secret by Nitrokey App Destined to run by hand """ slot_number = 0 PIN_protection = False period = 30 assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_totp_code(slot_number, 0, 0, period)) oath = pytest.importorskip("oath") lib_at = lambda : bb(oath.totp(secret, period=period)) print (lib_at()) assert lib_at() == code_device
def test_HOTP_counters(C): """ # https://tools.ietf.org/html/rfc4226#page-32 """ use_pin_protection = False assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK use_8_digits = True HOTP_test_data = [ 1284755224, 1094287082, 137359152, 1726969429, 1640338314, 868254676, 1918287922, 82162583, 673399871, 645520489, ] slot_number = 1 for counter, code in enumerate(HOTP_test_data): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot(slot_number, b'python_test', bbRFC_SECRET, counter, use_8_digits, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK r = gs(C.NK_get_hotp_code(slot_number)) code = str(code)[-8:] if use_8_digits else str(code)[-6:] assert bb(code) == r
def test_HOTP_64bit_counter(C): if not has_binary_counter(C): pytest.xfail('bug in NK Storage HOTP firmware - counter is set with a 8 digits string, ' 'however int32max takes 10 digits to be written') oath = pytest.importorskip("oath") lib_at = lambda t: bb(oath.hotp(RFC_SECRET, t, format='dec6')) PIN_protection = False use_8_digits = False slot_number = 1 assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] for t in range(INT32_MAX - 5, INT32_MAX + 5, 1): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_hotp_slot(slot_number, b'python_test', bbRFC_SECRET, t, use_8_digits, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK code_device = gs(C.NK_get_hotp_code(slot_number)) dev_res += (t, code_device) lib_res += (t, lib_at(t)) assert dev_res == lib_res
def test_TOTP_64bit_time(C): if not has_binary_counter(C): pytest.xfail('bug in NK Storage TOTP firmware') oath = pytest.importorskip("oath") T = 1 lib_at = lambda t: bb(oath.totp(RFC_SECRET, t=t)) PIN_protection = False slot_number = 1 assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_write_totp_slot(slot_number, b'python_test', bbRFC_SECRET, 30, False, False, False, b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK dev_res = [] lib_res = [] for t in range(INT32_MAX - 5, INT32_MAX + 5, 1): assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK assert C.NK_totp_set_time(t) == DeviceErrorCode.STATUS_OK code_device = gs((C.NK_get_totp_code(slot_number, T, 0, 30))) dev_res += (t, code_device) lib_res += (t, lib_at(t)) assert dev_res == lib_res
def check_PWS_correctness(C): for i in range(0, PWS_slot_count): iss = str(i) assert gs(C.NK_get_password_safe_slot_name(i)) == get_slotname(iss) assert gs(C.NK_get_password_safe_slot_login(i)) == get_loginname(iss) assert gs(C.NK_get_password_safe_slot_password(i)) == get_pass(iss)