73 | 73 |
}
|
74 | 74 |
if !ecdsa.Verify(pub, data[:], sig.R, sig.S) {
|
75 | 75 |
t.Errorf("signature didn't match")
|
|
76 |
}
|
|
77 |
}
|
|
78 |
|
|
79 |
func TestSlots(t *testing.T) {
|
|
80 |
tests := []struct {
|
|
81 |
name string
|
|
82 |
slot Slot
|
|
83 |
}{
|
|
84 |
{"Authentication", SlotAuthentication},
|
|
85 |
{"CardAuthentication", SlotCardAuthentication},
|
|
86 |
{"KeyManagement", SlotKeyManagement},
|
|
87 |
{"Signature", SlotSignature},
|
|
88 |
}
|
|
89 |
|
|
90 |
for _, test := range tests {
|
|
91 |
t.Run(test.name, func(t *testing.T) {
|
|
92 |
yk, close := newTestYubiKey(t)
|
|
93 |
defer close()
|
|
94 |
|
|
95 |
k := Key{
|
|
96 |
Algorithm: AlgorithmEC256,
|
|
97 |
PINPolicy: PINPolicyNever,
|
|
98 |
TouchPolicy: TouchPolicyNever,
|
|
99 |
}
|
|
100 |
pub, err := yk.GenerateKey(DefaultManagementKey, test.slot, k)
|
|
101 |
if err != nil {
|
|
102 |
t.Fatalf("generating key on slot: %v", err)
|
|
103 |
}
|
|
104 |
priv, err := yk.PrivateKey(test.slot, pub, KeyAuth{PIN: DefaultPIN})
|
|
105 |
if err != nil {
|
|
106 |
t.Fatalf("private key: %v", err)
|
|
107 |
}
|
|
108 |
|
|
109 |
tmpl := &x509.Certificate{
|
|
110 |
Subject: pkix.Name{CommonName: "my-client"},
|
|
111 |
SerialNumber: big.NewInt(1),
|
|
112 |
NotBefore: time.Now(),
|
|
113 |
NotAfter: time.Now().Add(time.Hour),
|
|
114 |
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
|
115 |
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
|
|
116 |
}
|
|
117 |
raw, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
|
|
118 |
if err != nil {
|
|
119 |
t.Fatalf("signing self-signed certificate: %v", err)
|
|
120 |
}
|
|
121 |
cert, err := x509.ParseCertificate(raw)
|
|
122 |
if err != nil {
|
|
123 |
t.Fatalf("parse certificate: %v", err)
|
|
124 |
}
|
|
125 |
if err := yk.SetCertificate(DefaultManagementKey, test.slot, cert); err != nil {
|
|
126 |
t.Fatalf("set certificate: %v", err)
|
|
127 |
}
|
|
128 |
got, err := yk.Certificate(test.slot)
|
|
129 |
if err != nil {
|
|
130 |
t.Fatalf("get certifiate: %v", err)
|
|
131 |
}
|
|
132 |
if !bytes.Equal(got.Raw, raw) {
|
|
133 |
t.Errorf("certificate from slot didn't match the certificate written")
|
|
134 |
}
|
|
135 |
})
|
76 | 136 |
}
|
77 | 137 |
}
|
78 | 138 |
|
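Review bot: The self-signed template on new line 114 sets KeyEncipherment on an EC256 key; RFC 5280 reserves the keyEncipherment bit for RSA key transport, and for an ECDSA key the accurate usage is `KeyUsage: x509.KeyUsageDigitalSignature,` (adding KeyAgreement only if ECDH is intended), even though, as far as I can tell, x509.CreateCertificate does not reject the combination. The failure message on new line 130 misspells the word: `t.Fatalf("get certificate: %v", err)`. The local `close` returned by newTestYubiKey on new line 92 shadows the builtin; naming it `cleanup` or `done` avoids the shadowing that vet tolerates but readers stumble on. The same typo and KeyUsage pattern may appear in neighbouring tests in this file that are outside the hunk.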