dearsky/pico-fido
1
0
Fork 0
Code Issues 46 Pull Requests 1 Actions Packages Projects Releases 22 Wiki Activity

Adding authentication tests.

Browse Source 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
2022-10-02 00:28:13 +02:00
parent cb4827688b
commit 47ea749454
3 changed files with 262 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

182
tests/pico-fido/test_authenticate.py
View File

@@ -1,3 +1,6 @@
from fido2.utils import sha256
from fido2.client import CtapError
import pytest
def test_authenticate(device):
device.reset()
@@ -5,3 +8,182 @@ def test_authenticate(device):
credentials = [AUTData.credential_data]
AUTRes = device.authenticate(credentials)
def test_assertion_auth_data(GARes):
assert len(GARes.get_response(0).authenticator_data) == 37
def test_Check_that_AT_flag_is_not_set(GARes):
assert (GARes.get_response(0).authenticator_data.flags & 0xF8) == 0
def test_that_user_credential_and_numberOfCredentials_are_not_present(device, MCRes):
res = device.GA(allow_list=[
{"id": MCRes.auth_data.credential_data.credential_id, "type": "public-key"}
])
assert res.user == None
assert res.number_of_credentials == None
def test_empty_allowList(device):
with pytest.raises(CtapError) as e:
device.doGA(allow_list=[])
assert e.value.code == CtapError.ERR.NO_CREDENTIALS
def test_get_assertion_allow_list_filtering_and_buffering(device):
""" Check that authenticator filters and stores items in allow list correctly """
allow_list = []
rp1 = {"id": "rp1.com", "name": "rp1.com"}
rp2 = {"id": "rp2.com", "name": "rp2.com"}
rp1_registrations = []
rp2_registrations = []
rp1_assertions = []
rp2_assertions = []
l1 = 4
for i in range(0, l1):
res = device.doMC(rp=rp1).attestation_object
rp1_registrations.append(res)
allow_list.append({
"id": res.auth_data.credential_data.credential_id[:],
"type": "public-key",
})
l2 = 6
for i in range(0, l2):
res = device.doMC(rp=rp2).attestation_object
rp2_registrations.append(res)
allow_list.append({
"id": res.auth_data.credential_data.credential_id[:],
"type": "public-key",
})
# CTAP 2.1: If allowlist is passed, only one (any) applicable
# credential signs, and numberOfCredentials = None is returned.
# <https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#:~:text=If%20the%20allowList%20parameter%20is%20present%3A,Go%20to%20Step%2013>
#
# CTAP 2.0: Expects the authenticator to return the total number
# even when allowlist is passed (and hence keep the credential IDs
# cached.
# Should authenticate to all credentials matching rp1
rp1_assertions = device.doGA(rp_id=rp1['id'], allow_list=allow_list).get_assertions()
# Should authenticate to all credentials matching rp2
rp2_assertions = device.doGA(rp_id=rp2['id'], allow_list=allow_list).get_assertions()
counts = (
len(rp1_assertions),
len(rp2_assertions)
)
assert counts in [(None, None), (l1, l2)]
def test_corrupt_credId(device, MCRes):
# apply bit flip
badid = list(MCRes.auth_data.credential_data.credential_id[:])
badid[len(badid) // 2] = badid[len(badid) // 2] ^ 1
badid = bytes(badid)
allow_list = [{"id": badid, "type": "public-key"}]
with pytest.raises(CtapError) as e:
device.doGA(allow_list=allow_list)
assert e.value.code == CtapError.ERR.NO_CREDENTIALS
def test_mismatched_rp(device, GARes):
rp_id = device.rp()['id']
rp_id += ".com"
with pytest.raises(CtapError) as e:
device.doGA(rp_id=rp_id)
assert e.value.code == CtapError.ERR.NO_CREDENTIALS
def test_missing_rp(device):
with pytest.raises(CtapError) as e:
device.doGA(rp_id=None)
assert e.value.code == CtapError.ERR.MISSING_PARAMETER
def test_bad_rp(device):
with pytest.raises(CtapError) as e:
device.doGA(rp_id={"id": {"type": "wrong"}})
def test_missing_cdh(device):
with pytest.raises(CtapError) as e:
device.GA(client_data_hash=None)
assert e.value.code == CtapError.ERR.MISSING_PARAMETER
def test_bad_cdh(device):
with pytest.raises(CtapError) as e:
device.GA(client_data_hash={"type": "wrong"})
def test_bad_allow_list(device):
with pytest.raises(CtapError) as e:
device.doGA(allow_list={"type": "wrong"})
def test_bad_allow_list_item(device, MCRes):
with pytest.raises(CtapError) as e:
device.doGA(allow_list=["wrong"] + [
{"id": MCRes.auth_data.credential_data.credential_id, "type": "public-key"}
]
)
def test_unknown_option(device, MCRes):
device.GA(options={"unknown": True}, allow_list=[
{"id": MCRes.auth_data.credential_data.credential_id, "type": "public-key"}
])
def test_option_uv(device, info, GARes):
if "uv" in info.options:
if info.options["uv"]:
res = device.doGA(options={"uv": True})
assert res.auth_data.flags & (1 << 2)
def test_option_up(device, info, GARes):
if "up" in info.options:
if info.options["up"]:
res = device.doGA(options={"up": True})
assert res.auth_data.flags & (1 << 0)
def test_allow_list_fake_item(device, MCRes):
device.doGA(allow_list=[{"type": "rot13", "id": b"1234"}]
+ [
{"id": MCRes.auth_data.credential_data.credential_id, "type": "public-key"}
],
)
def test_allow_list_missing_field(device, MCRes):
with pytest.raises(CtapError) as e:
device.doGA(allow_list=[{"id": b"1234"}] + [
{"id": MCRes.auth_data.credential_data.credential_id, "type": "public-key"}
]
)
def test_allow_list_field_wrong_type(device, MCRes):
with pytest.raises(CtapError) as e:
device.doGA(allow_list=[{"type": b"public-key", "id": b"1234"}]
+ [
{"id": MCRes.auth_data.credential_data.credential_id, "type": "public-key"}
]
)
def test_allow_list_id_wrong_type(device, MCRes):
with pytest.raises(CtapError) as e:
device.doGA(allow_list=[{"type": "public-key", "id": 42}]
+ [
{"id": MCRes.auth_data.credential_data.credential_id, "type": "public-key"}
]
)
def test_allow_list_missing_id(device, MCRes):
with pytest.raises(CtapError) as e:
device.doGA(allow_list=[{"type": "public-key"}] + [
{"id": MCRes.auth_data.credential_data.credential_id, "type": "public-key"}
]
)
def test_user_presence_option_false(device, MCRes):
res = device.GA(options={"up": False}, allow_list=[
{"id": MCRes.auth_data.credential_data.credential_id, "type": "public-key"}
])

57
tests/pico-fido/test_register.py
View File

@@ -10,10 +10,10 @@ def test_register(device):
def test_make_credential():
pass
def test_attestation_format( MCRes):
def test_attestation_format(MCRes):
assert MCRes.fmt in ["packed", "tpm", "android-key", "adroid-safetynet"]
def test_authdata_length( MCRes):
def test_authdata_length(MCRes):
assert len(MCRes.auth_data) >= 77
def test_missing_cdh(device):
@@ -26,15 +26,15 @@ def test_bad_type_cdh(device):
with pytest.raises(CtapError) as e:
device.MC(client_data_hash=b'\xff')
def test_missing_user(device, MCRes):
def test_missing_user(device):
with pytest.raises(CtapError) as e:
device.MC(user=None)
device.doMC(user=None)
assert e.value.code == CtapError.ERR.MISSING_PARAMETER
def test_bad_type_user_user(device):
with pytest.raises(CtapError) as e:
device.MC(user=b"12345678")
device.doMC(user=b"12345678")
def test_missing_rp(device):
with pytest.raises(CtapError) as e:
@@ -48,7 +48,7 @@ def test_bad_type_rp(device):
def test_missing_pubKeyCredParams(device):
with pytest.raises(CtapError) as e:
device.MC(key_params=None)
device.doMC(key_params=None)
assert e.value.code == CtapError.ERR.MISSING_PARAMETER
@@ -70,45 +70,45 @@ def test_bad_type_options(device):
def test_bad_type_rp_name(device):
with pytest.raises(CtapError) as e:
device.MC(rp={"id": "test.org", "name": 8, "icon": "icon"})
device.doMC(rp={"id": "test.org", "name": 8, "icon": "icon"})
def test_bad_type_rp_id(device):
with pytest.raises(CtapError) as e:
device.MC(rp={"id": 8, "name": "name", "icon": "icon"})
device.doMC(rp={"id": 8, "name": "name", "icon": "icon"})
def test_bad_type_rp_icon(device):
with pytest.raises(CtapError) as e:
device.MC(rp={"id": "test.org", "name": "name", "icon": 8})
device.doMC(rp={"id": "test.org", "name": "name", "icon": 8})
def test_bad_type_user_name(device):
with pytest.raises(CtapError) as e:
device.MC(user={"id": b"user_id", "name": 8})
device.doMC(user={"id": b"user_id", "name": 8})
def test_bad_type_user_id(device):
with pytest.raises(CtapError) as e:
device.MC(user={"id": "user_id", "name": "name"})
device.doMC(user={"id": "user_id", "name": "name"})
def test_bad_type_user_displayName(device):
with pytest.raises(CtapError) as e:
device.MC(user={"id": "user_id", "name": "name", "displayName": 8})
device.doMC(user={"id": "user_id", "name": "name", "displayName": 8})
def test_bad_type_user_icon(device):
with pytest.raises(CtapError) as e:
device.MC(user={"id": "user_id", "name": "name", "icon": 8})
device.doMC(user={"id": "user_id", "name": "name", "icon": 8})
def test_bad_type_pubKeyCredParams(device):
with pytest.raises(CtapError) as e:
device.MC(key_params=["wrong"])
device.doMC(key_params=["wrong"])
def test_missing_pubKeyCredParams_type(device):
with pytest.raises(CtapError) as e:
device.MC(key_params=[{"alg": ES256.ALGORITHM}])
device.doMC(key_params=[{"alg": ES256.ALGORITHM}])
assert e.value.code == CtapError.ERR.MISSING_PARAMETER
def test_missing_pubKeyCredParams_alg(device):
with pytest.raises(CtapError) as e:
device.MC(key_params=[{"type": "public-key"}])
device.doMC(key_params=[{"type": "public-key"}])
assert e.value.code in [
CtapError.ERR.MISSING_PARAMETER,
@@ -117,43 +117,46 @@ def test_missing_pubKeyCredParams_alg(device):
def test_bad_type_pubKeyCredParams_alg(device):
with pytest.raises(CtapError) as e:
device.MC(key_params=[{"alg": "7", "type": "public-key"}])
device.doMC(key_params=[{"alg": "7", "type": "public-key"}])
def test_unsupported_algorithm(device):
with pytest.raises(CtapError) as e:
device.MC(key_params=[{"alg": 1337, "type": "public-key"}])
device.doMC(key_params=[{"alg": 1337, "type": "public-key"}])
assert e.value.code == CtapError.ERR.UNSUPPORTED_ALGORITHM
def test_exclude_list(resetdevice):
resetdevice.MC(exclude_list=[{"id": b"1234", "type": "rot13"}])
resetdevice.doMC(exclude_list=[{"id": b"1234", "type": "rot13"}])
def test_exclude_list2(resetdevice):
resetdevice.MC(exclude_list=[{"id": b"1234", "type": "mangoPapayaCoconutNotAPublicKey"}])
resetdevice.doMC(exclude_list=[{"id": b"1234", "type": "mangoPapayaCoconutNotAPublicKey"}])
def test_bad_type_exclude_list(device):
with pytest.raises(CtapError) as e:
device.MC(exclude_list=["1234"])
device.doMC(exclude_list=["1234"])
def test_missing_exclude_list_type(device):
with pytest.raises(CtapError) as e:
device.MC(exclude_list=[{"id": b"1234"}])
device.doMC(exclude_list=[{"id": b"1234"}])
def test_missing_exclude_list_id(device):
with pytest.raises(CtapError) as e:
device.MC(exclude_list=[{"type": "public-key"}])
device.doMC(exclude_list=[{"type": "public-key"}])
def test_bad_type_exclude_list_id(device):
with pytest.raises(CtapError) as e:
device.MC(exclude_list=[{"type": "public-key", "id": "1234"}])
device.doMC(exclude_list=[{"type": "public-key", "id": "1234"}])
def test_bad_type_exclude_list_type(device):
with pytest.raises(CtapError) as e:
device.MC(exclude_list=[{"type": b"public-key", "id": b"1234"}])
device.doMC(exclude_list=[{"type": b"public-key", "id": b"1234"}])
def test_exclude_list_excluded(device, MCRes, GARes):
def test_exclude_list_excluded(device):
res = device.doMC().attestation_object
with pytest.raises(CtapError) as e:
device.MC(exclude_list=GARes.request.allow_list)
device.doMC(exclude_list=[
{"id": res.auth_data.credential_data.credential_id, "type": "public-key"}
])
assert e.value.code == CtapError.ERR.CREDENTIAL_EXCLUDED