def test_write_all_password_safe_slots_and_read_10_times(C):
def fill(s, wid):
assert wid >= len(s)
numbers = '1234567890' * 4
s += numbers[:wid - len(s)]
assert len(s) == wid
return bb(s)
def get_pass(suffix):
return fill('pass' + suffix, 20)
def get_loginname(suffix):
return fill('login' + suffix, 32)
def get_slotname(suffix):
return fill('slotname' + suffix, 11)
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_enable_password_safe(
DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
PWS_slot_count = 16
for i in range(0, PWS_slot_count):
iss = str(i)
assert C.NK_write_password_safe_slot(
i, get_slotname(iss), get_loginname(iss),
get_pass(iss)) == DeviceErrorCode.STATUS_OK
for j in range(0, 10):
for i in range(0, PWS_slot_count):
iss = str(i)
assert gs(C.NK_get_password_safe_slot_name(i)) == get_slotname(iss)
assert gs(
C.NK_get_password_safe_slot_login(i)) == get_loginname(iss)
assert gs(C.NK_get_password_safe_slot_password(i)) == get_pass(iss)
def test_edit_OTP_slot(C):
"""
should change slots counter and name without changing its secret (using null secret for second update)
"""
# counter is not getting updated under Storage v0.43 - #TOREPORT
skip_if_device_version_lower_than({'S': 44, 'P': 7})
secret = RFC_SECRET
counter = 0
PIN_protection = False
use_8_digits = False
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
slot_number = 0
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
first_name = b'edit slot'
assert C.NK_write_hotp_slot(slot_number, first_name, bb(secret), counter, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_hotp_slot_name(slot_number)) == first_name
first_code = gs(C.NK_get_hotp_code(slot_number))
changed_name = b'changedname'
empty_secret = b''
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(slot_number, changed_name, empty_secret, counter, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
second_code = gs(C.NK_get_hotp_code(slot_number))
assert first_code == second_code
assert gs(C.NK_get_hotp_slot_name(slot_number)) == changed_name
def test_get_OTP_code_from_not_programmed_slot(C):
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, False, True,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_erase_hotp_slot(
0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_erase_totp_slot(
0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code = gs(C.NK_get_hotp_code(0))
assert code == b''
assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
code = gs(C.NK_get_totp_code(0, 0, 0, 0))
assert code == b''
assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
def test_read_all_password_safe_slots_10_times(C):
def fill(s, wid):
assert wid >= len(s)
numbers = '1234567890'*4
s += numbers[:wid-len(s)]
assert len(s) == wid
return bb(s)
def get_pass(suffix):
return fill('pass' + suffix, 20)
def get_loginname(suffix):
return fill('login' + suffix, 32)
def get_slotname(suffix):
return fill('slotname' + suffix, 11)
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
PWS_slot_count = 16
for j in range(0, 10):
for i in range(0, PWS_slot_count):
iss = str(i)
assert gs(C.NK_get_password_safe_slot_name(i)) == get_slotname(iss)
assert gs(C.NK_get_password_safe_slot_login(i)) == get_loginname(iss)
assert gs(C.NK_get_password_safe_slot_password(i)) == get_pass(iss)
def test_factory_reset(C):
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, False, True,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(
1, b'python_test', bbRFC_SECRET, 0, False, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_hotp_code(1)) == b"755224"
assert C.NK_factory_reset(
DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
wait(10)
assert gs(C.NK_get_hotp_code(1)) != b"287082"
assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
# restore AES key
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_build_aes_key(
DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
assert C.NK_enable_password_safe(
DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
if is_storage(C):
assert C.NK_clear_new_sd_card_warning(
DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
def test_get_code_user_authorize(C):
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_totp_slot(
0, b'python_otp_auth', bbRFC_SECRET, 30, True, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
# enable PIN protection of OTP codes with write_config
# TODO create convinience function on C API side to enable/disable OTP USER_PIN protection
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, True, False,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code = gs(C.NK_get_totp_code(0, 0, 0, 0))
assert code == b''
assert C.NK_get_last_command_status(
) == DeviceErrorCode.STATUS_NOT_AUTHORIZED
# disable PIN protection with write_config
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, False, True,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code = gs(C.NK_get_totp_code(0, 0, 0, 0))
assert code != b''
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_destroy_password_safe(C):
"""
Sometimes fails on NK Pro - slot name is not cleared ergo key generation has not succeed despite the success result
returned from the device
"""
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
# write password safe slot
assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1', b'pass1') == DeviceErrorCode.STATUS_OK
# read slot
assert gs(C.NK_get_password_safe_slot_name(0)) == b'slotname1'
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
slot_login = C.NK_get_password_safe_slot_login(0)
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
assert gs(slot_login) == b'login1'
# destroy password safe by regenerating aes key
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_password_safe_slot_name(0)) != b'slotname1'
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
# check was slot status cleared
safe_slot_status = C.NK_get_password_safe_slot_status()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
is_slot_programmed = list(ffi.cast("uint8_t [16]", safe_slot_status)[0:16])
assert is_slot_programmed[0] == 0
def test_edit_OTP_slot(C):
"""
should change slots counter and name without changing its secret (using null secret for second update)
"""
# counter is not getting updated under Storage v0.43 - #TOREPORT
skip_if_device_version_lower_than({'S': 44, 'P': 7})
secret = RFC_SECRET
counter = 0
PIN_protection = False
use_8_digits = False
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
slot_number = 0
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
first_name = b'edit slot'
assert C.NK_write_hotp_slot(slot_number, first_name, bb(secret), counter, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_hotp_slot_name(slot_number)) == first_name
first_code = gs(C.NK_get_hotp_code(slot_number))
changed_name = b'changedname'
empty_secret = b''
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(slot_number, changed_name, empty_secret, counter, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
second_code = gs(C.NK_get_hotp_code(slot_number))
assert first_code == second_code
assert gs(C.NK_get_hotp_slot_name(slot_number)) == changed_name
def check_PWS_correctness(C):
for i in range(0, PWS_slot_count):
iss = str(i)
assert gs(C.NK_get_password_safe_slot_name(i)) == get_slotname(iss)
assert gs(
C.NK_get_password_safe_slot_login(i)) == get_loginname(iss)
assert gs(C.NK_get_password_safe_slot_password(i)) == get_pass(iss)
def test_destroy_password_safe(C):
"""
Sometimes fails on NK Pro - slot name is not cleared ergo key generation has not succeed despite the success result
returned from the device
"""
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
# write password safe slot
assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1', b'pass1') == DeviceErrorCode.STATUS_OK
# read slot
assert gs(C.NK_get_password_safe_slot_name(0)) == b'slotname1'
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
slot_login = C.NK_get_password_safe_slot_login(0)
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
assert gs(slot_login) == b'login1'
# destroy password safe by regenerating aes key
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_password_safe_slot_name(0)) != b'slotname1'
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
# check was slot status cleared
safe_slot_status = C.NK_get_password_safe_slot_status()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
is_slot_programmed = list(ffi.cast("uint8_t [16]", safe_slot_status)[0:16])
assert is_slot_programmed[0] == 0
def test_get_password_safe_slot_login_password(C):
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1', b'pass1') == DeviceErrorCode.STATUS_OK
slot_login = C.NK_get_password_safe_slot_login(0)
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
assert gs(slot_login) == b'login1'
slot_password = gs(C.NK_get_password_safe_slot_password(0))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
assert slot_password == b'pass1'
def test_get_password_safe_slot_login_password(C):
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1', b'pass1') == DeviceErrorCode.STATUS_OK
slot_login = C.NK_get_password_safe_slot_login(0)
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
assert gs(slot_login) == b'login1'
slot_password = gs(C.NK_get_password_safe_slot_password(0))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
assert slot_password == b'pass1'
def test_get_password_safe_slot_name(C):
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1', b'pass1') == DeviceErrorCode.STATUS_OK
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_password_safe_slot_name(0)) == b''
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_password_safe_slot_name(0)) == b'slotname1'
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_get_password_safe_slot_name(C):
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_write_password_safe_slot(0, b'slotname1', b'login1', b'pass1') == DeviceErrorCode.STATUS_OK
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_password_safe_slot_name(0)) == b''
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_password_safe_slot_name(0)) == b'slotname1'
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def helper_check_device_for_data(C):
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
for i in range(0, PWS_SLOT_COUNT):
iss = str(i)
assert gs(C.NK_get_password_safe_slot_name(i)) == helper_PWS_get_slotname(iss)
assert gs(C.NK_get_password_safe_slot_login(i)) == helper_PWS_get_loginname(iss)
assert gs(C.NK_get_password_safe_slot_password(i)) == helper_PWS_get_pass(iss)
return True
def test_authorize_issue_user(C):
skip_if_device_version_lower_than({'S': 43, 'P': 9}) # issue fixed in Pro v0.9, Storage version chosen arbitrary
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_totp_slot(0, b'python_otp_auth', bbRFC_SECRET, 30, True, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
# enable PIN protection of OTP codes with write_config
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
gs(C.NK_get_totp_code(0, 0, 0, 0))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
assert C.NK_user_authenticate(b"wrong pass", b"another temp pass") == DeviceErrorCode.WRONG_PASSWORD
gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
# disable PIN protection with write_config
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code = gs(C.NK_get_totp_code(0, 0, 0, 0))
assert code != b''
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_authorize_issue_user(C):
skip_if_device_version_lower_than({'S': 43, 'P': 9}) # issue fixed in Pro v0.9, Storage version chosen arbitrary
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_totp_slot(0, b'python_otp_auth', bbRFC_SECRET, 30, True, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
# enable PIN protection of OTP codes with write_config
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
gs(C.NK_get_totp_code(0, 0, 0, 0))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
assert C.NK_user_authenticate(b"wrong pass", b"another temp pass") == DeviceErrorCode.WRONG_PASSWORD
gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
gs(C.NK_get_totp_code_PIN(0, 0, 0, 0, DefaultPasswords.USER_TEMP))
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
# disable PIN protection with write_config
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code = gs(C.NK_get_totp_code(0, 0, 0, 0))
assert code != b''
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_HOTP_RFC_use8digits_usepin(C, use_8_digits, use_pin_protection):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
if use_pin_protection:
check_HOTP_RFC_codes(C,
lambda x: gs(C.NK_get_hotp_code_PIN(x, DefaultPasswords.USER_TEMP)),
lambda: C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP),
use_8_digits=use_8_digits)
else:
check_HOTP_RFC_codes(C, lambda x: gs(C.NK_get_hotp_code(x)), use_8_digits=use_8_digits)
def test_HOTP_RFC_use8digits_usepin(C, use_8_digits, use_pin_protection):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
if use_pin_protection:
check_HOTP_RFC_codes(C,
lambda x: gs(C.NK_get_hotp_code_PIN(x, DefaultPasswords.USER_TEMP)),
lambda: C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP),
use_8_digits=use_8_digits)
else:
check_HOTP_RFC_codes(C, lambda x: gs(C.NK_get_hotp_code(x)), use_8_digits=use_8_digits)
def test_TOTP_RFC_usepin(C, PIN_protection):
slot_number = 1
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
# test according to https://tools.ietf.org/html/rfc6238#appendix-B
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_totp_slot(
slot_number, b'python_test', bbRFC_SECRET, 30, True, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
get_func = None
if PIN_protection:
get_func = lambda x, y, z, r: gs(
C.NK_get_totp_code_PIN(x, y, z, r, DefaultPasswords.USER_TEMP))
else:
get_func = lambda x, y, z, r: gs(C.NK_get_totp_code(x, y, z, r))
# Mode: Sha1, time step X=30
test_data = [
#Time T (hex) TOTP
(
59, 0x1, 94287082
), # Warning - test vector time 1 second before interval count changes
(
1111111109, 0x00000000023523EC, 7081804
), # Warning - test vector time 1 second before interval count changes
(1111111111, 0x00000000023523ED, 14050471),
(1234567890, 0x000000000273EF07, 89005924),
(2000000000, 0x0000000003F940AA, 69279037),
# (20000000000, 0x0000000027BC86AA, 65353130), # 64bit is also checked in other test
]
responses = []
data = []
correct = 0
for t, T, expected_code in test_data:
if PIN_protection:
C.NK_user_authenticate(DefaultPasswords.USER,
DefaultPasswords.USER_TEMP)
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_totp_set_time(t) == DeviceErrorCode.STATUS_OK
code_from_device = get_func(slot_number, T, 0,
30) # FIXME T is not changing the outcome
data += [(t, bb(str(expected_code).zfill(8)))]
responses += [(t, code_from_device)]
correct += expected_code == code_from_device
assert data == responses or correct == len(test_data)
def test_get_OTP_codes(C):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
for i in range(15):
code = gs(C.NK_get_totp_code(i, 0, 0, 0))
if code == b'':
assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
for i in range(3):
code = gs(C.NK_get_hotp_code(i))
if code == b'':
assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
def test_get_OTP_codes(C):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
for i in range(15):
code = gs(C.NK_get_totp_code(i, 0, 0, 0))
if code == b'':
assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
for i in range(3):
code = gs(C.NK_get_hotp_code(i))
if code == b'':
assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
def test_invalid_slot(C):
invalid_slot = 255
assert C.NK_erase_totp_slot(invalid_slot, b'some password') == LibraryErrors.INVALID_SLOT
assert C.NK_write_hotp_slot(invalid_slot, b'long_test', bbRFC_SECRET, 0, False, False, False, b"",
b'aaa') == LibraryErrors.INVALID_SLOT
assert gs(C.NK_get_hotp_code_PIN(invalid_slot, b'some password')) == b""
assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT
assert C.NK_erase_password_safe_slot(invalid_slot) == LibraryErrors.INVALID_SLOT
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_password_safe_slot_name(invalid_slot)) == b''
assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT
assert gs(C.NK_get_password_safe_slot_login(invalid_slot)) == b''
assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT
def test_get_OTP_code_from_not_programmed_slot(C):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_erase_hotp_slot(0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_erase_totp_slot(0, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code = gs(C.NK_get_hotp_code(0))
assert code == b''
assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
code = gs(C.NK_get_totp_code(0, 0, 0, 0))
assert code == b''
assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
def test_TOTP_secrets(C, secret):
'''
NK Pro 0.8+, NK Storage 0.44+
'''
skip_if_device_version_lower_than({'S': 44, 'P': 8})
if len(secret) > 20 * 2: #*2 since secret is in hex
# pytest.skip("Secret lengths over 20 bytes are not supported by NK Pro 0.7 and NK Storage")
skip_if_device_version_lower_than({'P': 8})
slot_number = 0
time = 0
period = 30
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.totp(secret, t=t, period=period))
PIN_protection = False
use_8_digits = False
T = 0
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
assert C.NK_write_totp_slot(
slot_number, b'secret' + bytes(len(secret)), bb(secret), period,
use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_totp_set_time(time) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_totp_code(slot_number, T, 0, period))
dev_res += (time, code_device)
lib_res += (time, lib_at(time))
assert dev_res == lib_res
def test_HOTP_secrets(C, secret):
"""
NK Pro 0.8+
feature needed: support for 320bit secrets
"""
if len(secret) > 40:
skip_if_device_version_lower_than({'P': 8})
slot_number = 0
counter = 0
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(secret, counter=t))
PIN_protection = False
use_8_digits = False
T = 0
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
# repeat authentication for Pro 0.7
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(
slot_number, b'secret' + bytes(len(secret)), bb(secret), counter,
use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (counter, code_device)
lib_res += (counter, lib_at(counter))
assert dev_res == lib_res
def test_erase_password_safe_slot(C):
assert C.NK_enable_password_safe(
DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_erase_password_safe_slot(0) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_password_safe_slot_name(0)) == b''
assert C.NK_get_last_command_status(
) == DeviceErrorCode.STATUS_OK # TODO CHECK shouldn't this be DeviceErrorCode.NOT_PROGRAMMED ?
def test_HOTP_slots_read_write_counter(C, counter):
"""
Write different counters to all HOTP slots, read code and compare with 3rd party
:param counter:
"""
if counter >= 1e7:
# Storage does not handle counters longer than 7 digits
skip_if_device_version_lower_than({'P': 7})
secret = RFC_SECRET
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(secret, t, format='dec6'))
PIN_protection = False
use_8_digits = False
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for slot_number in range(3):
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(
slot_number, b'HOTP rw' + bytes(slot_number), bb(secret), counter,
use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (counter, code_device)
lib_res += (counter, lib_at(counter))
assert dev_res == lib_res
def test_TOTP_64bit_time(C):
if is_storage(C):
pytest.xfail('bug in NK Storage TOTP firmware')
oath = pytest.importorskip("oath")
T = 1
lib_at = lambda t: bb(oath.totp(RFC_SECRET, t=t))
PIN_protection = False
slot_number = 1
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_totp_slot(
slot_number, b'python_test', bbRFC_SECRET, 30, False, False, False,
b'', DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for t in range(INT32_MAX - 5, INT32_MAX + 5, 1):
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_totp_set_time(t) == DeviceErrorCode.STATUS_OK
code_device = gs((C.NK_get_totp_code(slot_number, T, 0, 30)))
dev_res += (t, code_device)
lib_res += (t, lib_at(t))
assert dev_res == lib_res
def test_OTP_secret_started_from_null(C, secret):
"""
NK Pro 0.8+, NK Storage 0.43+
"""
skip_if_device_version_lower_than({'S': 43, 'P': 8})
if len(secret) > 40:
# feature: 320 bit long secret handling
skip_if_device_version_lower_than({'P': 8})
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(secret, t, format='dec6'))
PIN_protection = False
use_8_digits = False
slot_number = 1
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for t in range(1, 5):
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(
slot_number, b'null_secret', bb(secret), t, use_8_digits, False,
False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (t, code_device)
lib_res += (t, lib_at(t))
assert dev_res == lib_res
def test_HOTP_secrets(C, secret):
"""
NK Pro 0.8+
feature needed: support for 320bit secrets
"""
if len(secret)>40:
skip_if_device_version_lower_than({'P': 8, 'S': 54})
slot_number = 0
counter = 0
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(secret, counter=t))
PIN_protection = False
use_8_digits = False
T = 0
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
# repeat authentication for Pro 0.7
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(slot_number, b'secret' + bytes(len(secret)), bb(secret), counter, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (counter, code_device)
lib_res += (counter, lib_at(counter))
assert dev_res == lib_res
def test_TOTP_slots_read_write_at_time_period(C, time, period):
"""
Write to all TOTP slots with specified period, read code at specified time
and compare with 3rd party
"""
secret = RFC_SECRET
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.totp(RFC_SECRET, t=t, period=period))
PIN_protection = False
use_8_digits = False
T = 0
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for slot_number in range(15):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_totp_slot(slot_number, b'TOTP rw' + bytes(slot_number), bb(secret), period, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_totp_set_time(time) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_totp_code(slot_number, T, 0, period))
dev_res += (time, code_device)
lib_res += (time, lib_at(time))
assert dev_res == lib_res
def test_HOTP_slots_read_write_counter(C, counter):
"""
Write different counters to all HOTP slots, read code and compare with 3rd party
:param counter:
"""
if counter >= 1e7:
# Storage v0.53 and below does not handle counters longer than 7 digits
skip_if_device_version_lower_than({'P': 7, 'S': 54})
secret = RFC_SECRET
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(secret, t, format='dec6'))
PIN_protection = False
use_8_digits = False
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for slot_number in range(3):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(slot_number, b'HOTP rw' + bytes(slot_number), bb(secret), counter, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (counter, code_device)
lib_res += (counter, lib_at(counter))
assert dev_res == lib_res
def test_TOTP_slots_read_write_at_time_period(C, time, period):
"""
Write to all TOTP slots with specified period, read code at specified time
and compare with 3rd party
"""
secret = RFC_SECRET
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.totp(RFC_SECRET, t=t, period=period))
PIN_protection = False
use_8_digits = False
T = 0
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for slot_number in range(15):
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_totp_slot(
slot_number, b'TOTP rw' + bytes(slot_number), bb(secret), period,
use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_totp_set_time(time) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_totp_code(slot_number, T, 0, period))
dev_res += (time, code_device)
lib_res += (time, lib_at(time))
assert dev_res == lib_res
def test_HOTP_64bit_counter(C):
if is_storage(C):
pytest.xfail(
'bug in NK Storage HOTP firmware - counter is set with a 8 digits string, '
'however int32max takes 10 digits to be written')
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(RFC_SECRET, t, format='dec6'))
PIN_protection = False
use_8_digits = False
slot_number = 1
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(
255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for t in range(INT32_MAX - 5, INT32_MAX + 5, 1):
assert C.NK_first_authenticate(
DefaultPasswords.ADMIN,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(
slot_number, b'python_test', bbRFC_SECRET, t, use_8_digits, False,
False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (t, code_device)
lib_res += (t, lib_at(t))
assert dev_res == lib_res
def test_OTP_secret_started_from_null(C, secret):
"""
NK Pro 0.8+, NK Storage 0.43+
"""
skip_if_device_version_lower_than({'S': 43, 'P': 8})
if len(secret) > 40:
# feature: 320 bit long secret handling
skip_if_device_version_lower_than({'P': 8, 'S': 54})
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(secret, t, format='dec6'))
PIN_protection = False
use_8_digits = False
slot_number = 1
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for t in range(1,5):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(slot_number, b'null_secret', bb(secret), t, use_8_digits, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (t, code_device)
lib_res += (t, lib_at(t))
assert dev_res == lib_res
def get_library(request, allow_offline=False):
library_read_declarations()
C = library_open_lib()
C.NK_set_debug_level(int(os.environ.get('LIBNK_DEBUG', 2)))
nk_login = C.NK_login_auto()
if nk_login != 1:
print('No devices detected!')
if not allow_offline:
assert nk_login != 0 # returns 0 if not connected or wrong model or 1 when connected
global device_type
firmware_version = C.NK_get_minor_firmware_version()
model = C.NK_get_device_model()
model = 'P' if model == 1 else 'S' if model == 2 else 'U'
device_type = (model, firmware_version)
print('Connected library: {}'.format(gs(C.NK_get_library_version())))
print('Connected device: {} {}'.format(model, firmware_version))
# assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
# assert C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP) == DeviceErrorCode.STATUS_OK
# C.NK_status()
def fin():
print('\nFinishing connection to device')
C.NK_logout()
print('Finished')
if request:
request.addfinalizer(fin)
# C.NK_set_debug(True)
C.NK_set_debug_level(int(os.environ.get('LIBNK_DEBUG', 3)))
return AttrProxy(C, "libnitrokey C")
def test_TOTP_secrets(C, secret):
'''
NK Pro 0.8+, NK Storage 0.44+
'''
skip_if_device_version_lower_than({'S': 44, 'P': 8})
if len(secret)>20*2: #*2 since secret is in hex
# pytest.skip("Secret lengths over 20 bytes are not supported by NK Pro 0.7 and NK Storage v0.53 and older")
skip_if_device_version_lower_than({'P': 8, 'S': 54})
slot_number = 0
time = 0
period = 30
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.totp(secret, t=t, period=period))
PIN_protection = False
use_8_digits = False
T = 0
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
assert C.NK_write_totp_slot(slot_number, b'secret' + bytes(len(secret)), bb(secret), period, use_8_digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_totp_set_time(time) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_totp_code(slot_number, T, 0, period))
dev_res += (time, code_device)
lib_res += (time, lib_at(time))
assert dev_res == lib_res
def test_too_long_strings(C):
new_password = b'123123123'
long_string = b'a' * 100
assert C.NK_change_user_PIN(long_string,
new_password) == LibraryErrors.TOO_LONG_STRING
assert C.NK_change_user_PIN(new_password,
long_string) == LibraryErrors.TOO_LONG_STRING
assert C.NK_change_admin_PIN(long_string,
new_password) == LibraryErrors.TOO_LONG_STRING
assert C.NK_change_admin_PIN(new_password,
long_string) == LibraryErrors.TOO_LONG_STRING
assert C.NK_first_authenticate(
long_string,
DefaultPasswords.ADMIN_TEMP) == LibraryErrors.TOO_LONG_STRING
assert C.NK_erase_totp_slot(0,
long_string) == LibraryErrors.TOO_LONG_STRING
digits = False
assert C.NK_write_hotp_slot(
1, long_string, bbRFC_SECRET, 0, digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == LibraryErrors.TOO_LONG_STRING
assert C.NK_write_hotp_slot(1, b'long_test', bbRFC_SECRET, 0, digits,
False, False, b"",
long_string) == LibraryErrors.TOO_LONG_STRING
assert gs(C.NK_get_hotp_code_PIN(0, long_string)) == b""
assert C.NK_get_last_command_status() == LibraryErrors.TOO_LONG_STRING
def test_get_code_user_authorize(C):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_totp_slot(0, b'python_otp_auth', bbRFC_SECRET, 30, True, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
# enable PIN protection of OTP codes with write_config
# TODO create convinience function on C API side to enable/disable OTP USER_PIN protection
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, True, False, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code = gs(C.NK_get_totp_code(0, 0, 0, 0))
assert code == b''
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_NOT_AUTHORIZED
# disable PIN protection with write_config
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code = gs(C.NK_get_totp_code(0, 0, 0, 0))
assert code != b''
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_sd_card_usage(C):
skip_if_device_version_lower_than({'S': 43})
data_pointer = C.NK_get_SD_usage_data_as_string()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
data_string = gs(data_pointer)
assert len(data_string) > 0
data_dict = get_dict_from_dissect(data_string.decode("ascii"))
assert int(data_dict['WriteLevelMax']) <= 100
def get_status_storage(C):
status_pointer = C.NK_get_status_storage_as_string()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
status_string = gs(status_pointer)
assert len(status_string) > 0
status_dict = get_dict_from_dissect(status_string.decode('ascii'))
# assert int(status_dict['AdminPwRetryCount']) == default_admin_password_retry_count
return status_dict, C.NK_get_last_command_status()
def test_invalid_slot(C):
invalid_slot = 255
assert C.NK_erase_totp_slot(invalid_slot,
'some password') == LibraryErrors.INVALID_SLOT
assert C.NK_write_hotp_slot(invalid_slot, 'long_test', RFC_SECRET, 0,
False, False, False, "",
'aaa') == LibraryErrors.INVALID_SLOT
assert C.NK_get_hotp_code_PIN(invalid_slot, 'some password') == 0
assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT
assert C.NK_erase_password_safe_slot(
invalid_slot) == LibraryErrors.INVALID_SLOT
assert C.NK_enable_password_safe(
DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_password_safe_slot_name(invalid_slot)) == ''
assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT
assert gs(C.NK_get_password_safe_slot_login(invalid_slot)) == ''
assert C.NK_get_last_command_status() == LibraryErrors.INVALID_SLOT
def test_sd_card_usage(C):
skip_if_device_version_lower_than({'S': 43})
data_pointer = C.NK_get_SD_usage_data_as_string()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
data_string = gs(data_pointer)
assert len(data_string) > 0
data_dict = get_dict_from_dissect(data_string.decode("ascii"))
assert int(data_dict['WriteLevelMax']) <= 100
def test_get_status_storage(C):
skip_if_device_version_lower_than({'S': 43})
status_pointer = C.NK_get_status_storage_as_string()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
status_string = gs(status_pointer)
assert len(status_string) > 0
status_dict = get_dict_from_dissect(status_string.decode('ascii'))
default_admin_password_retry_count = 3
assert int(status_dict['AdminPwRetryCount']) == default_admin_password_retry_count
def test_factory_reset(C):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, False, True, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(1, b'python_test', bbRFC_SECRET, 0, False, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert gs(C.NK_get_hotp_code(1)) == b"755224"
assert C.NK_factory_reset(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
wait(10)
assert gs(C.NK_get_hotp_code(1)) != b"287082"
assert C.NK_get_last_command_status() == DeviceErrorCode.NOT_PROGRAMMED
# restore AES key
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_build_aes_key(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
assert C.NK_enable_password_safe(DefaultPasswords.USER) == DeviceErrorCode.STATUS_OK
assert C.NK_lock_device() == DeviceErrorCode.STATUS_OK
if is_storage(C):
assert C.NK_clear_new_sd_card_warning(DefaultPasswords.ADMIN) == DeviceErrorCode.STATUS_OK
def __call__(self, *args, **kwargs):
print('Calling {}{}'.format(self.name, args))
res = self.C(*args, **kwargs)
res_s = res
try:
res_s = '{} => '.format(res) + '{}'.format(gs(res))
except Exception as e:
pass
print('Result of {}: {}'.format(self.name, res_s))
return res
def __call__(self, *args, **kwargs):
print('Calling {}{}'.format(self.name, args))
res = self.C(*args, **kwargs)
res_s = res
try:
res_s = '{} => '.format(res) + '{}'.format(gs(res))
except Exception as e:
pass
print('Result of {}: {}'.format(self.name, res_s))
return res
def test_get_status_storage(C):
skip_if_device_version_lower_than({'S': 43})
status_pointer = C.NK_get_status_storage_as_string()
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
status_string = gs(status_pointer)
assert len(status_string) > 0
status_dict = get_dict_from_dissect(status_string.decode('ascii'))
default_admin_password_retry_count = 3
assert int(status_dict['AdminPwRetryCount']) == default_admin_password_retry_count
print('C.NK_get_major_firmware_version(): {}'.format(C.NK_get_major_firmware_version()))
print('C.NK_get_minor_firmware_version(): {}'.format(C.NK_get_minor_firmware_version()))
def test_get_status_storage_multiple(C):
ids = gs(C.NK_list_devices_by_cpuID())
print(ids)
devices_list = ids.split(b';')
#
# for s in devices_list:
# res = C.NK_connect_with_ID(s)
# assert res == 1
# # st = gs(C.NK_get_status_storage_as_string())
# # print(len(st))
# C.NK_lock_device()
#
for s in devices_list:
res = C.NK_connect_with_ID(s)
assert res == 1
v = C.NK_fill_SD_card_with_random_data(b'12345678')
# print(v)
devices_count = len(devices_list)
assert devices_count != 0
b = 0
last_b = 0
with tqdm(total=devices_count * 100) as pbar:
while b / devices_count < 100:
pbar.update(b - last_b)
b = defaultdict(lambda: 0)
ids = gs(C.NK_list_devices_by_cpuID())
devices_list = ids.split(b';')
devices_count = len(devices_list)
for s in devices_list:
res = C.NK_connect_with_ID(s)
if res != 1: continue
b[s] += C.NK_get_progress_bar_value()
print(b)
b = sum(b.values())
print('{}: {}'.format(b, int(b / devices_count) * '='))
sleep(5)
def test_get_status_storage_multiple(C):
ids = gs(C.NK_list_devices_by_cpuID())
print(ids)
devices_list = ids.split(b';')
#
# for s in devices_list:
# res = C.NK_connect_with_ID(s)
# assert res == 1
# # st = gs(C.NK_get_status_storage_as_string())
# # print(len(st))
# C.NK_lock_device()
#
for s in devices_list:
res = C.NK_connect_with_ID(s)
assert res == 1
v = C.NK_fill_SD_card_with_random_data(b'12345678')
# print(v)
devices_count = len(devices_list)
assert devices_count != 0
b = 0
last_b = 0
with tqdm(total=devices_count*100) as pbar:
while b/devices_count < 100:
pbar.update(b - last_b)
b = defaultdict (lambda: 0)
ids = gs(C.NK_list_devices_by_cpuID())
devices_list = ids.split(b';')
devices_count = len(devices_list)
for s in devices_list:
res = C.NK_connect_with_ID(s)
if res != 1: continue
b[s] += C.NK_get_progress_bar_value()
print(b)
b = sum(b.values())
print('{}: {}'.format(b, int(b/devices_count) * '='))
sleep(5)
def test_TOTP_RFC_usepin(C, PIN_protection):
slot_number = 1
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
# test according to https://tools.ietf.org/html/rfc6238#appendix-B
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_totp_slot(slot_number, b'python_test', bbRFC_SECRET, 30, True, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
get_func = None
if PIN_protection:
get_func = lambda x, y, z, r: gs(C.NK_get_totp_code_PIN(x, y, z, r, DefaultPasswords.USER_TEMP))
else:
get_func = lambda x, y, z, r: gs(C.NK_get_totp_code(x, y, z, r))
# Mode: Sha1, time step X=30
test_data = [
#Time T (hex) TOTP
(59, 0x1, 94287082), # Warning - test vector time 1 second before interval count changes
(1111111109, 0x00000000023523EC, 7081804), # Warning - test vector time 1 second before interval count changes
(1111111111, 0x00000000023523ED, 14050471),
(1234567890, 0x000000000273EF07, 89005924),
(2000000000, 0x0000000003F940AA, 69279037),
# (20000000000, 0x0000000027BC86AA, 65353130), # 64bit is also checked in other test
]
responses = []
data = []
correct = 0
for t, T, expected_code in test_data:
if PIN_protection:
C.NK_user_authenticate(DefaultPasswords.USER, DefaultPasswords.USER_TEMP)
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_totp_set_time(t) == DeviceErrorCode.STATUS_OK
code_from_device = get_func(slot_number, T, 0, 30) # FIXME T is not changing the outcome
data += [ (t, bb(str(expected_code).zfill(8))) ]
responses += [ (t, code_from_device) ]
correct += expected_code == code_from_device
assert data == responses or correct == len(test_data)
def test_connect_with_path(C):
ids = gs(C.NK_list_devices_by_cpuID())
# NK_list_devices_by_cpuID already opened the devices, so we have to close
# them before trying to reconnect
assert C.NK_logout() == 0
devices_list = ids.split(b';')
for value in devices_list:
parts = value.split(b'_p_')
assert len(parts) < 3
if len(parts) == 2:
path = parts[1]
else:
path = parts[0]
assert C.NK_connect_with_path(path) == 1
def test_HOTP_token(C):
"""
Check HOTP routine with written token ID to slot.
"""
use_pin_protection = False
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
token_ID = b"AAV100000022"
assert C.NK_write_hotp_slot(1, b'python_test', bbRFC_SECRET, 0, False, False, True, token_ID,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
for i in range(5):
hotp_code = gs(C.NK_get_hotp_code(1))
assert hotp_code != b''
assert C.NK_get_last_command_status() == DeviceErrorCode.STATUS_OK
def test_too_long_strings(C):
new_password = b'123123123'
long_string = b'a' * 100
assert C.NK_change_user_PIN(long_string, new_password) == LibraryErrors.TOO_LONG_STRING
assert C.NK_change_user_PIN(new_password, long_string) == LibraryErrors.TOO_LONG_STRING
assert C.NK_change_admin_PIN(long_string, new_password) == LibraryErrors.TOO_LONG_STRING
assert C.NK_change_admin_PIN(new_password, long_string) == LibraryErrors.TOO_LONG_STRING
assert C.NK_first_authenticate(long_string, DefaultPasswords.ADMIN_TEMP) == LibraryErrors.TOO_LONG_STRING
assert C.NK_erase_totp_slot(0, long_string) == LibraryErrors.TOO_LONG_STRING
digits = False
assert C.NK_write_hotp_slot(1, long_string, bbRFC_SECRET, 0, digits, False, False, b"",
DefaultPasswords.ADMIN_TEMP) == LibraryErrors.TOO_LONG_STRING
assert C.NK_write_hotp_slot(1, b'long_test', bbRFC_SECRET, 0, digits, False, False, b"",
long_string) == LibraryErrors.TOO_LONG_STRING
assert gs(C.NK_get_hotp_code_PIN(0, long_string)) == b""
assert C.NK_get_last_command_status() == LibraryErrors.TOO_LONG_STRING
def test_TOTP_codes_from_nitrokeyapp(secret, C):
"""
Helper test for manual TOTP check of written secret by Nitrokey App
Destined to run by hand
"""
slot_number = 0
PIN_protection = False
period = 30
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_totp_code(slot_number, 0, 0, period))
oath = pytest.importorskip("oath")
lib_at = lambda : bb(oath.totp(secret, period=period))
print (lib_at())
assert lib_at() == code_device
def test_HOTP_counters(C):
"""
# https://tools.ietf.org/html/rfc4226#page-32
"""
use_pin_protection = False
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, use_pin_protection, not use_pin_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
use_8_digits = True
HOTP_test_data = [
1284755224, 1094287082, 137359152, 1726969429, 1640338314,
868254676, 1918287922, 82162583, 673399871, 645520489,
]
slot_number = 1
for counter, code in enumerate(HOTP_test_data):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(slot_number, b'python_test', bbRFC_SECRET, counter, use_8_digits, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
r = gs(C.NK_get_hotp_code(slot_number))
code = str(code)[-8:] if use_8_digits else str(code)[-6:]
assert bb(code) == r
def test_HOTP_64bit_counter(C):
if not has_binary_counter(C):
pytest.xfail('bug in NK Storage HOTP firmware - counter is set with a 8 digits string, '
'however int32max takes 10 digits to be written')
oath = pytest.importorskip("oath")
lib_at = lambda t: bb(oath.hotp(RFC_SECRET, t, format='dec6'))
PIN_protection = False
use_8_digits = False
slot_number = 1
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for t in range(INT32_MAX - 5, INT32_MAX + 5, 1):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_hotp_slot(slot_number, b'python_test', bbRFC_SECRET, t, use_8_digits, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
code_device = gs(C.NK_get_hotp_code(slot_number))
dev_res += (t, code_device)
lib_res += (t, lib_at(t))
assert dev_res == lib_res
def test_TOTP_64bit_time(C):
if not has_binary_counter(C):
pytest.xfail('bug in NK Storage TOTP firmware')
oath = pytest.importorskip("oath")
T = 1
lib_at = lambda t: bb(oath.totp(RFC_SECRET, t=t))
PIN_protection = False
slot_number = 1
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_config(255, 255, 255, PIN_protection, not PIN_protection,
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_write_totp_slot(slot_number, b'python_test', bbRFC_SECRET, 30, False, False, False, b'',
DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
dev_res = []
lib_res = []
for t in range(INT32_MAX - 5, INT32_MAX + 5, 1):
assert C.NK_first_authenticate(DefaultPasswords.ADMIN, DefaultPasswords.ADMIN_TEMP) == DeviceErrorCode.STATUS_OK
assert C.NK_totp_set_time(t) == DeviceErrorCode.STATUS_OK
code_device = gs((C.NK_get_totp_code(slot_number, T, 0, 30)))
dev_res += (t, code_device)
lib_res += (t, lib_at(t))
assert dev_res == lib_res
def check_PWS_correctness(C):
for i in range(0, PWS_slot_count):
iss = str(i)
assert gs(C.NK_get_password_safe_slot_name(i)) == get_slotname(iss)
assert gs(C.NK_get_password_safe_slot_login(i)) == get_loginname(iss)
assert gs(C.NK_get_password_safe_slot_password(i)) == get_pass(iss)
