piv: fix slot object IDs and add management key slot Eric Chiang authored 4 years ago Eric Chiang committed 4 years ago
2 changed file(s) with 69 addition(s) and 2 deletion(s). Raw diff Collapse all Expand all
219219 }
220220
221221 // Slot combinations pre-defined by this package.
222 //
223 // Object IDs are specified in NIST 800-73-4 section 4.3:
224 // https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf#page=30
225 //
226 // Key IDs are specified in NIST 800-73-4 section 5.1:
227 // https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf#page=32
222228 var (
223 SlotAuthentication = Slot{0x9a, 0x5fc101}
229 SlotAuthentication = Slot{0x9a, 0x5fc105}
224230 SlotSignature = Slot{0x9c, 0x5fc10a}
225 SlotCardAuthentication = Slot{0x9e, 0x5fc10b}
231 SlotCardAuthentication = Slot{0x9e, 0x5fc101}
232 SlotKeyManagement = Slot{0x9d, 0x5fc10b}
226233
227234 slotAttestation = Slot{0xf9, 0x5fff01}
228235 )
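Review bot: The four exported slots in the `var` block still have no per-identifier doc comment, so `go doc` shows only the block comment and a reader cannot tell which key reference and data object a slot pairs without opening the spec; the new `SlotKeyManagement` on line 232 is the natural place to start, e.g. `// SlotKeyManagement is the key management slot (key reference 0x9d, object ID 0x5fc10b).` with the same pattern on the other three. It would also help to say in the block comment that the second field appears to be the certificate data object for that key (the corrected IDs index those objects, and the old mapping had the Authentication and CardAuthentication objects swapped), so a future edit does not reintroduce the mix-up. Because these are `var`s of a struct type, any importer can reassign them at runtime and silently redirect which key and object the package touches; if that is not intended, unexported backing values with accessor functions would make the mapping tamper-proof.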
7373 }
7474 if !ecdsa.Verify(pub, data[:], sig.R, sig.S) {
7575 t.Errorf("signature didn't match")
76 }
77 }
78
79 func TestSlots(t *testing.T) {
80 tests := []struct {
81 name string
82 slot Slot
83 }{
84 {"Authentication", SlotAuthentication},
85 {"CardAuthentication", SlotCardAuthentication},
86 {"KeyManagement", SlotKeyManagement},
87 {"Signature", SlotSignature},
88 }
89
90 for _, test := range tests {
91 t.Run(test.name, func(t *testing.T) {
92 yk, close := newTestYubiKey(t)
93 defer close()
94
95 k := Key{
96 Algorithm: AlgorithmEC256,
97 PINPolicy: PINPolicyNever,
98 TouchPolicy: TouchPolicyNever,
99 }
100 pub, err := yk.GenerateKey(DefaultManagementKey, test.slot, k)
101 if err != nil {
102 t.Fatalf("generating key on slot: %v", err)
103 }
104 priv, err := yk.PrivateKey(test.slot, pub, KeyAuth{PIN: DefaultPIN})
105 if err != nil {
106 t.Fatalf("private key: %v", err)
107 }
108
109 tmpl := &x509.Certificate{
110 Subject: pkix.Name{CommonName: "my-client"},
111 SerialNumber: big.NewInt(1),
112 NotBefore: time.Now(),
113 NotAfter: time.Now().Add(time.Hour),
114 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
115 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
116 }
117 raw, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
118 if err != nil {
119 t.Fatalf("signing self-signed certificate: %v", err)
120 }
121 cert, err := x509.ParseCertificate(raw)
122 if err != nil {
123 t.Fatalf("parse certificate: %v", err)
124 }
125 if err := yk.SetCertificate(DefaultManagementKey, test.slot, cert); err != nil {
126 t.Fatalf("set certificate: %v", err)
127 }
128 got, err := yk.Certificate(test.slot)
129 if err != nil {
130 t.Fatalf("get certifiate: %v", err)
131 }
132 if !bytes.Equal(got.Raw, raw) {
133 t.Errorf("certificate from slot didn't match the certificate written")
134 }
135 })
76136 }
77137 }
78138
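Review bot: `yk, close := newTestYubiKey(t)` on line 92 shadows the builtin `close` for the rest of the subtest, which shadow-detecting linters flag and which would bite as soon as a channel is used in this test; `yk, closeCard := newTestYubiKey(t)` followed by `defer closeCard()` avoids it. The failure message on line 130 has a typo and should read `t.Fatalf("get certificate: %v", err)`. The loop relies on `t.Run` executing subtests sequentially; if `t.Parallel()` is ever added, the `test` loop variable would need a per-iteration copy unless the module's Go version (not visible here) is 1.22 or later. The closing braces on lines 76 and 77 belong to a function that starts outside the hunk.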