From f02207ceb8164491b782f7cee19c9bf46612bb0c Mon Sep 17 00:00:00 2001 From: Dennis Dyall Date: Tue, 17 Dec 2024 15:35:14 +0100 Subject: [PATCH 1/5] Removed TDES as default assumption --- .../Yubico/YubiKey/Piv/PivSession.Pinonly.cs | 59 +++++++++---------- 1 file changed, 29 insertions(+), 30 deletions(-) diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Pinonly.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Pinonly.cs index 6fe0b3cb..c5dd4787 100644 --- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Pinonly.cs +++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Pinonly.cs @@ -267,7 +267,7 @@ public PivPinOnlyMode TryRecoverPinOnlyMode() // If we can authenticate the mgmt key, then set ADMIN DATA and // PRINTED. var userKeyCollector = KeyCollector; - using var specialKeyCollector = new SpecialKeyCollector(); + using var specialKeyCollector = new SpecialKeyCollector(DefaultManagementKeyAlgorithm); try { @@ -349,7 +349,7 @@ private PivPinOnlyMode TryAuthenticatePinOnly(bool trustAdminData) } var userKeyCollector = KeyCollector; - using var specialKeyCollector = new SpecialKeyCollector(); + using var specialKeyCollector = new SpecialKeyCollector(DefaultManagementKeyAlgorithm); try { @@ -513,7 +513,7 @@ private PivPinOnlyMode GetPinDerivedStatus( /// /// Set the YubiKey's PIV application to be PIN-only with a PIN-derived - /// and/or PIN-Protected Triple-DES management key. This sets the + /// and/or PIN-Protected management key (Firmware 5.7.x and later: AES-192. Firmware 5.6.x and earlier: TDES.). This sets the /// YubiKey to either /// /// PivPinOnlyMode.PinProtected 
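Review bot: The parenthetical `(Firmware 5.7.x and later: AES-192. Firmware 5.6.x and earlier: TDES.)` introduced in the -513 hunk is repeated verbatim in the -544, -554, -641 and -732 hunks, so the firmware-to-algorithm mapping now lives in five doc comments that will drift the first time one of them is edited. Since the code in the same patch reads `DefaultManagementKeyAlgorithm`, the docs could point at that member instead, e.g. `/// and/or PIN-Protected management key using <see cref="DefaultManagementKeyAlgorithm"/>. This sets the`, and keep the firmware table on that one member. `DefaultManagementKeyAlgorithm` is used unqualified here and is not defined in this patch, so I assume it is a PivSession member; adjust the cref target if it lives elsewhere.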
@@ -544,7 +544,7 @@ private PivPinOnlyMode GetPinDerivedStatus( /// /// /// Note also that this will make sure that the management key algorithm - /// will be Triple-DES, even if the current management key is a different + /// will be default management key algorithm (Firmware 5.7.x and later: AES-192. Firmware 5.6.x and earlier: TDES.), even if the current management key is a different /// algorithm. This behavior matches how this method operated in previous /// versions of the SDK. /// @@ -554,7 +554,7 @@ private PivPinOnlyMode GetPinDerivedStatus( /// /// /// There is no KeyCollector loaded, one of the keys provided was - /// not a valid Triple-DES key, the data stored on the YubiKey is + /// not of a valid key algorithm type (Firmware 5.7.x and later: AES-192. Firmware 5.6.x and earlier: TDES.), the data stored on the YubiKey is /// incompatible with PIN-only, or the YubiKey had some other error, such /// as unreliable connection. /// @@ -566,7 +566,7 @@ private PivPinOnlyMode GetPinDerivedStatus( /// authenticated, or the remaining retries count indicates the PIN is /// blocked. /// - public void SetPinOnlyMode(PivPinOnlyMode pinOnlyMode) => SetPinOnlyMode(pinOnlyMode, PivAlgorithm.TripleDes); + public void SetPinOnlyMode(PivPinOnlyMode pinOnlyMode) => SetPinOnlyMode(pinOnlyMode, DefaultManagementKeyAlgorithm); /// /// Set the YubiKey's PIV application to be PIN-only with a PIN-derived 
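Review bot: The -566 hunk changes what the single-argument `SetPinOnlyMode` overload does on firmware 5.7.x and later — it now forces `DefaultManagementKeyAlgorithm` (AES-192 according to the new doc text) where it previously always forced Triple-DES — yet the -544 hunk keeps the sentence `/// This behavior matches how this method operated in previous versions of the SDK.`, which is now only true for 5.6.x and earlier. Either drop that sentence or qualify it, e.g. `/// On firmware 5.6.x and earlier this matches how previous versions of the SDK behaved; on 5.7.x and later the resulting key is AES-192 rather than Triple-DES.` Existing callers that read the resulting key back as TDES are affected by the -566 change, so it is worth calling out as a behavior change rather than a refactor.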
@@ -604,13 +604,13 @@ private PivPinOnlyMode GetPinDerivedStatus( /// The management key derived and/or stored in PRINTED will be for the /// specified algorithm. For all YubiKeys, TripleDes is a valid /// algorithm. For YubiKeys 5.4.2 and later, it is possible to set the - /// management key to an AES key. Before setting the - /// mgmtKeyAlgorithm arg to an AES algorithm, make sure it is + /// management key to an AES key. For YubiKeys 5.7 and later, AES192 is the default. + /// Before setting the mgmtKeyAlgorithm arg to an AES algorithm, make sure it is /// allowed on the YubiKey. You can use the HasFeature call. For /// example, /// /// PivAlgorithm mgmtKeyAlgorithm = yubiKey.HasFeature(YubiKeyFeature.PivAesManagementKey) ? - /// PivAlgorithm.Aes128 : PivAlgorithm.TripleDes; + /// PivAlgorithm.Aes192 : PivAlgorithm.TripleDes; /// pivSession.SetPinOnlyMode(PivPinOnlyMode.PinProtected, mgmtKeyAlgorithm); /// /// If the algorithm is not supported by the YubiKey, this method will 
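Review bot: The -604 hunk adds `/// management key to an AES key. For YubiKeys 5.7 and later, AES192 is the default.` directly after the retained line `/// specified algorithm. For all YubiKeys, TripleDes is a valid`, but the SetManagementKeyCommand docs added in patch 2 of this series say that FIPS YubiKeys 5.7 and greater require `PivAlgorithm.Aes192`. If that patch-2 statement is accurate, the "for all YubiKeys" claim is no longer true and should be qualified in the same sentence, e.g. `/// For YubiKeys 5.7 and later AES-192 is the default, and FIPS YubiKeys 5.7 and later accept only AES-192.` The remaining example code in the hunk still falls back to `PivAlgorithm.TripleDes`, which is consistent with the 5.4.2 feature check but would also want a note for FIPS devices if the restriction holds.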
@@ -641,16 +641,11 @@ private PivPinOnlyMode GetPinDerivedStatus( /// currently set to PIN-only (and neither PinProtected nor PinDerived is /// Unavailable), this method will remove the contents of the storage /// locations ADMIN DATA and PRINTED, and reset the management key to the - /// default: - /// - /// Triple-DES - /// 0x01 02 03 04 05 06 07 08 - /// 01 02 03 04 05 06 07 08 - /// 01 02 03 04 05 06 07 08 - /// + /// default management key. /// In this case, the mgmtKeyAlgorithm arg will be ignored, the /// management key's algorithm after removing PIN-only status will be - /// Triple-DES. The touch policy of the management key will also be set + /// the default management key algorithm (Firmware 5.7.x and later: AES-192. Firmware 5.6.x and earlier: TDES.). + /// The touch policy of the management key will also be set /// to the default (Never). Note that the management key must be /// authenticated and the PIN verified in order to perform this task. /// This method will authenticate the management key using the PIN-only @@ -732,7 +727,7 @@ private PivPinOnlyMode GetPinDerivedStatus( /// /// /// There is no KeyCollector loaded, one of the keys provided was - /// not a valid Triple-DES key, the data stored on the YubiKey is + /// not of a valid key algorithm type (Firmware 5.7.x and later: AES-192. Firmware 5.6.x and earlier: TDES.), the data stored on the YubiKey is /// incompatible with PIN-only, or the YubiKey had some other error, such /// as unreliable connection. /// @@ -751,7 +746,7 @@ public void SetPinOnlyMode(PivPinOnlyMode pinOnlyMode, PivAlgorithm mgmtKeyAlgor pinOnlyMode.ToString(), mgmtKeyAlgorithm.ToString()); var userKeyCollector = KeyCollector; - using var specialKeyCollector = new SpecialKeyCollector(); + using var specialKeyCollector = new SpecialKeyCollector(DefaultManagementKeyAlgorithm); try { 
@@ -777,7 +772,7 @@ private void SetPinOnlyMode(ReadOnlyMemory pin, PivPinOnlyMode pinOnlyMode } var userKeyCollector = KeyCollector; - using var specialKeyCollector = new SpecialKeyCollector(); + using var specialKeyCollector = new SpecialKeyCollector(DefaultManagementKeyAlgorithm); try { @@ -835,7 +830,7 @@ private void SetPinOnlyMode( // Or some other reason. var newPinOnlyMode = PivPinOnlyMode.None; var currentPinOnlyMode = GetPrintedPinProtectedStatus(specialKeyCollector, userKeyCollector); - + var pinOnlyCheck = CheckPinOnlyStatus( currentPinOnlyMode, pinOnlyMode, PivPinOnlyMode.PinProtected, PivPinOnlyMode.PinProtectedUnavailable, newAlgorithm, ref newPinOnlyMode); @@ -1028,11 +1023,12 @@ private void ClearPinOnly(PivPinOnlyMode currentMode, SpecialKeyCollector specia PutEmptyData(AdminDataDataTag); } + var managementKeyAlgorithm = DefaultManagementKeyAlgorithm; specialKeyCollector.SetKeyData( SpecialKeyCollector.SetKeyDataDefault, ReadOnlyMemory.Empty, isNewKey: true, - PivAlgorithm.TripleDes); + managementKeyAlgorithm); - specialKeyCollector.ChangeManagementKey(this, PivAlgorithm.TripleDes); + specialKeyCollector.ChangeManagementKey(this, managementKeyAlgorithm); } private void PutEmptyData(int dataTag) @@ -1087,7 +1083,7 @@ private void SetYubiKeyPinDerived( // because this method will update the current key with the new key. specialKeyCollector.ChangeManagementKey(this, mgmtKeyAlgorithm); _ = BlockPinOrPuk(PivSlot.Puk); - + adminData.SetSalt(saltBytes); adminData.PukBlocked = true; } @@ -1150,7 +1146,7 @@ private bool TryGetChangePinMode(ReadOnlyMemory pin, out PivPinOnlyMode mo mode = PivPinOnlyMode.None; var userKeyCollectorFunc = KeyCollector; - using var specialKeyCollector = new SpecialKeyCollector(); + using var specialKeyCollector = new SpecialKeyCollector(DefaultManagementKeyAlgorithm); bool isValid = TryReadObject(out AdminData adminData); 
@@ -1179,9 +1175,10 @@ private bool TryGetChangePinMode(ReadOnlyMemory pin, out PivPinOnlyMode mo _ = specialKeyCollector.DeriveKeyData(salt, ManagementKeyAlgorithm, isNewKey: false); + var managementKeyAlgorithm = DefaultManagementKeyAlgorithm; specialKeyCollector.SetKeyData( SpecialKeyCollector.SetKeyDataDefault, ReadOnlyMemory.Empty, isNewKey: true, - PivAlgorithm.TripleDes); + managementKeyAlgorithm); // If this fails, then the mgmt key is not PIN-derived from the // PIN and salt, so we'll say it is not PIN-derived. @@ -1189,7 +1186,7 @@ private bool TryGetChangePinMode(ReadOnlyMemory pin, out PivPinOnlyMode mo specialKeyCollector.GetCurrentMgmtKey(), specialKeyCollector.GetNewMgmtKey(), PivTouchPolicy.Never, - PivAlgorithm.TripleDes)) + managementKeyAlgorithm)) { return true; } @@ -1405,13 +1402,14 @@ private sealed class SpecialKeyCollector : IDisposable private readonly MgmtKeyHolder _currentKey; private readonly Memory _defaultKey; private readonly MgmtKeyHolder _newKey; + private readonly PivAlgorithm _defaultManagementKeyAlgorithm; private readonly byte[] _pinData = new byte[MaxPinLength]; private readonly Memory _pinMemory; private bool _disposed; private int _pinLength; - public SpecialKeyCollector() + public SpecialKeyCollector(PivAlgorithm defaultManagemenyKeyAlgorithm) { _defaultKey = new Memory( new byte[] @@ -1425,7 +1423,8 @@ public SpecialKeyCollector() _newKey = new MgmtKeyHolder(); // Make sure the current key is init to the default. - _currentKey.SetKeyData(_defaultKey, PivAlgorithm.TripleDes); + _defaultManagementKeyAlgorithm = defaultManagemenyKeyAlgorithm; + _currentKey.SetKeyData(_defaultKey, _defaultManagementKeyAlgorithm); PinCollected = false; _pinMemory = new Memory(_pinData); 
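Review bot: The new constructor parameter in the -1405 hunk is misspelled, `defaultManagemenyKeyAlgorithm`; it should be `defaultManagementKeyAlgorithm` here and in the -1425 hunk's assignment `_defaultManagementKeyAlgorithm = defaultManagemenyKeyAlgorithm;`. Separately, `_defaultKey` is a fixed byte literal (the doc removed in the -641 hunk lists the default as three rows of eight bytes, i.e. 24 bytes), so the constructor now accepts any `PivAlgorithm` value and only fails later if the key length does not fit, e.g. for an AES-128 or AES-256 value. A guard at the top of the constructor would make the contract explicit: `if (defaultManagementKeyAlgorithm != PivAlgorithm.TripleDes && defaultManagementKeyAlgorithm != PivAlgorithm.Aes192) throw new ArgumentOutOfRangeException(nameof(defaultManagementKeyAlgorithm));`. This assumes `DefaultManagementKeyAlgorithm` only ever yields those two values, which is not visible in the patch, and the constructor body continues past the end of the hunk.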
@@ -1494,7 +1493,7 @@ public void SetKeyData(int setFlag, ReadOnlyMemory keyData, bool isNewKey, return; } - destinationKeyHolder.SetKeyData(_defaultKey, PivAlgorithm.TripleDes); + destinationKeyHolder.SetKeyData(_defaultKey, _defaultManagementKeyAlgorithm); } // Derive the mgmt key from the PIN in this object, along with the From 8994a2f50e2961cd58f131d46f47da567c00a672 Mon Sep 17 00:00:00 2001 From: Dennis Dyall Date: Tue, 17 Dec 2024 16:10:22 +0100 Subject: [PATCH 2/5] removed assumption in commands and response objects as well --- ...tializeAuthenticateManagementKeyCommand.cs | 17 +++++-- ...ializeAuthenticateManagementKeyResponse.cs | 15 ++---- .../Piv/Commands/SetManagementKeyCommand.cs | 49 ++++++------------- .../CompleteAuthMgmtKeyCommandTests.cs | 11 ++--- .../Commands/InitAuthMgmtKeyCommandTests.cs | 12 ++--- .../Commands/InitAuthMgmtKeyResponseTests.cs | 24 ++++----- .../Commands/SetManagementKeyCommandTests.cs | 14 +++--- 7 files changed, 61 insertions(+), 81 deletions(-) diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/InitializeAuthenticateManagementKeyCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/InitializeAuthenticateManagementKeyCommand.cs index 7270fc7f..7b9c3ec4 100644 --- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/InitializeAuthenticateManagementKeyCommand.cs +++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/InitializeAuthenticateManagementKeyCommand.cs @@ -12,6 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. +using System; using Yubico.Core.Iso7816; namespace Yubico.YubiKey.Piv.Commands 
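Review bot: In the -1494 hunk the `SetKeyDataDefault` path now uses `_defaultManagementKeyAlgorithm` regardless of what the caller passed, while both call sites updated in this patch (ClearPinOnly at -1028 and TryGetChangePinMode at -1179) pass a `managementKeyAlgorithm` argument to `SetKeyData(SpecialKeyCollector.SetKeyDataDefault, ..., isNewKey: true, managementKeyAlgorithm)` that this branch silently ignores. Today both values come from `DefaultManagementKeyAlgorithm`, so nothing breaks, but a future caller passing a different algorithm would get a key holder tagged with the collector's algorithm rather than the requested one with no error. Either use the passed-in algorithm on this line, or check the two agree before falling back to the field. The `SetKeyData` signature is cut off at the start of the hunk, so I am inferring the fourth parameter from the call sites; its name may differ.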
@@ -306,18 +307,25 @@ public sealed class InitializeAuthenticateManagementKeyCommand : IYubiKeyCommand /// public YubiKeyApplication Application => YubiKeyApplication.Piv; + + [Obsolete("This constructor is deprecated. Users must specify management key algorithm type, as it cannot be assumed.")] + public InitializeAuthenticateManagementKeyCommand() + : this(true) + { + } + /// /// Initializes a new instance of the InitializeAuthenticateManagementKeyCommand class for - /// Mutual Authentication, and a Triple-DES management key. + /// Mutual Authentication. /// /// /// Using this constructor is equivalent to /// - /// new InitializeAuthenticateManagementKeyCommand(true); + /// new InitializeAuthenticateManagementKeyCommand(true, PivAlgorithm.AES192); /// /// - public InitializeAuthenticateManagementKeyCommand() - : this(true) + public InitializeAuthenticateManagementKeyCommand(PivAlgorithm algorithm) + : this(true, algorithm) { } @@ -335,6 +343,7 @@ public InitializeAuthenticateManagementKeyCommand() /// /// True for mutual authentication, false for single. /// + [Obsolete("This constructor is deprecated. Users must specify management key algorithm type, as it cannot be assumed.")] public InitializeAuthenticateManagementKeyCommand(bool mutualAuthentication) : this(mutualAuthentication, PivAlgorithm.TripleDes) { diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/InitializeAuthenticateManagementKeyResponse.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/InitializeAuthenticateManagementKeyResponse.cs index 0cdc6146..c2303d24 100644 --- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/InitializeAuthenticateManagementKeyResponse.cs +++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/InitializeAuthenticateManagementKeyResponse.cs 
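Review bot: The remark moved onto the new `InitializeAuthenticateManagementKeyCommand(PivAlgorithm algorithm)` constructor in the -306 hunk says it is equivalent to `new InitializeAuthenticateManagementKeyCommand(true, PivAlgorithm.AES192);`, but the constructor forwards whatever it is given (`: this(true, algorithm)`), and the enum member used everywhere else in this series is spelled `PivAlgorithm.Aes192`; it should read `/// new InitializeAuthenticateManagementKeyCommand(true, algorithm);`. The same constructor has no `<param name="algorithm">` entry, unlike the `<param>` block added to SetManagementKeyCommand in the -190 hunk of this patch. The parameterless constructor moved above it, the `InitializeAuthenticateManagementKeyResponse(ResponseApdu)` constructor in the -61 hunk, and the two SetManagementKeyCommand constructors in the -159 and -190 hunks are now public members with an `[Obsolete]` attribute and no XML doc at all; a one-line `/// <summary>` stating the deprecation and the replacement overload would keep them from tripping missing-documentation warnings. The `[Obsolete]` text could likewise name the overload to migrate to, since "cannot be assumed" on its own does not tell a caller what to do.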
@@ -61,16 +61,7 @@ public sealed class InitializeAuthenticateManagementKeyResponse : PivResponse, I // ResponseApdu.Data. It will be 8 bytes. private readonly byte[]? _clientAuthenticationChallenge; - /// - /// Constructs an InitializeAuthenticateManagementKeyResponse based on a ResponseApdu - /// received from the YubiKey for the Triple-DES algorithm. - /// - /// - /// The object containing the Response APDU
returned by the YubiKey. - /// - /// - /// Thrown when the data provided does not meet the expectations, and cannot be parsed. - /// + [Obsolete("This constructor is deprecated. Users must specify management key algorithm type, as it cannot be assumed.")] public InitializeAuthenticateManagementKeyResponse(ResponseApdu responseApdu) : this(responseApdu, PivAlgorithm.TripleDes) { @@ -90,8 +81,8 @@ public InitializeAuthenticateManagementKeyResponse(ResponseApdu responseApdu) /// /// Thrown when the data provided does not meet the expectations, and cannot be parsed. /// - public InitializeAuthenticateManagementKeyResponse(ResponseApdu responseApdu, PivAlgorithm algorithm) : - base(responseApdu) + public InitializeAuthenticateManagementKeyResponse(ResponseApdu responseApdu, PivAlgorithm algorithm) + : base(responseApdu) { Algorithm = algorithm; diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/SetManagementKeyCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/SetManagementKeyCommand.cs index 9300984d..8341772d 100644 --- a/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/SetManagementKeyCommand.cs +++ b/Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/SetManagementKeyCommand.cs @@ -159,6 +159,12 @@ private SetManagementKeyCommand() throw new NotImplementedException(); } + [Obsolete("This constructor is deprecated. Users must specify management key algorithm type, as it cannot be assumed.")] + public SetManagementKeyCommand(ReadOnlyMemory newKey) + : this(newKey, PivTouchPolicy.Default, PivAlgorithm.TripleDes) + { + } + ///
/// Initializes a new instance of the SetManagementKeyCommand class. /// This command takes the new management key as input and will set the @@ -176,11 +182,9 @@ private SetManagementKeyCommand() /// }; /// /// - /// The default algorithm is TripleDes. If you do not set the - /// Algorithm property after instantiating with this constructor, - /// the SDK will expect the key to be TripleDES. Valid algorithms are - /// PivAlgorithm.TripleDes, PivAlgorithm.Aes128, - /// PivAlgorithm.Aes192, and PivAlgorithm.Aes256. + /// Valid algorithms are PivAlgorithm.TripleDes, + /// PivAlgorithm.Aes128, PivAlgorithm.Aes192, and + /// PivAlgorithm.Aes256. FIPS YubiKeys versions 5.7 and greater require PivAlgorithm.Aes192. /// /// /// Note that you need to authenticate the current PIV management key before 
@@ -190,36 +194,15 @@ private SetManagementKeyCommand() /// /// The bytes that make up the new management key. /// - public SetManagementKeyCommand(ReadOnlyMemory newKey) - : this(newKey, PivTouchPolicy.Default, PivAlgorithm.TripleDes) + /// + /// The algorithm of the new management key. + /// + public SetManagementKeyCommand(ReadOnlyMemory newKey, PivAlgorithm algorithm) + : this(newKey, PivTouchPolicy.Default, algorithm) { } - /// - /// Initializes a new instance of the SetManagementKeyCommand class. This - /// command takes the new management key and the touch policy as input. - /// - /// - /// Note that a touchPolicy of PivTouchPolicy.Default or - /// None is equivalent to Never. - /// - /// The default algorithm is TripleDes. If you do not set the - /// Algorithm property after instantiating with this constructor, - /// the SDK will expect the key to be TripleDES. Valid algorithms are - /// PivAlgorithm.TripleDes, PivAlgorithm.Aes128, - /// PivAlgorithm.Aes192, and PivAlgorithm.Aes256. - /// - /// - /// Note also that you need to authenticate the current PIV management - /// key before setting it to a new value with this command. - /// - /// - /// - /// The bytes that make up the new management key. - /// - /// - /// The touch policy for the management key. - /// + [Obsolete("This constructor is deprecated. Users must specify management key algorithm type, as it cannot be assumed.")] public SetManagementKeyCommand(ReadOnlyMemory newKey, PivTouchPolicy touchPolicy) : this(newKey, touchPolicy, PivAlgorithm.TripleDes) { @@ -236,7 +219,7 @@ public SetManagementKeyCommand(ReadOnlyMemory newKey, PivTouchPolicy touch /// /// Valid algorithms are PivAlgorithm.TripleDes, /// PivAlgorithm.Aes128, PivAlgorithm.Aes192, and - /// PivAlgorithm.Aes256, + /// PivAlgorithm.Aes256. FIPS YubiKeys versions 5.7 and greater require PivAlgorithm.Aes192. /// /// /// Note also that you need to authenticate the current PIV management 
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/CompleteAuthMgmtKeyCommandTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/CompleteAuthMgmtKeyCommandTests.cs index 17387355..857c37d1 100644 --- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/CompleteAuthMgmtKeyCommandTests.cs +++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/CompleteAuthMgmtKeyCommandTests.cs @@ -148,13 +148,13 @@ public void CreateCommandApdu_GetInsProperty_ReturnsHex87(bool isMutual) [Theory] [InlineData(true)] [InlineData(false)] - public void CreateCommandApdu_GetP1Property_ReturnsThree(bool isMutual) + public void CreateCommandApdu_GetP1Property_Returns10ForAes192(bool isMutual) { CommandApdu cmdApdu = GetCommandApdu(isMutual, true); byte P1 = cmdApdu.P1; - Assert.Equal(3, P1); + Assert.Equal(10, P1); } [Theory] @@ -257,10 +257,7 @@ private static CompleteAuthenticateManagementKeyCommand GetCommandObject(bool is } finally { - if (!(replacement is null)) - { - replacement.RestoreRandomProvider(); - } + replacement?.RestoreRandomProvider(); } } @@ -332,7 +329,7 @@ private static InitializeAuthenticateManagementKeyResponse GetInitResponse(bool 0x7C, 0x0A, tag1, 0x08, 0x39, 0xA0, 0xA8, 0xE9, 0xF5, 0x28, 0x87, 0x75, sw1, sw2 }); - return new InitializeAuthenticateManagementKeyResponse(responseApdu); + return new InitializeAuthenticateManagementKeyResponse(responseApdu, PivAlgorithm.TripleDes); } } } diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/InitAuthMgmtKeyCommandTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/InitAuthMgmtKeyCommandTests.cs index d0d375c7..9ffce857 100644 --- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/InitAuthMgmtKeyCommandTests.cs +++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/InitAuthMgmtKeyCommandTests.cs 
@@ -23,7 +23,7 @@ public class InitializeAuthenticateManagementKeyCommandTests [Fact] public void ClassType_DerivedFromPivCommand_IsTrue() { - var command = new InitializeAuthenticateManagementKeyCommand(); + var command = new InitializeAuthenticateManagementKeyCommand(PivAlgorithm.Aes192); Assert.True(command is IYubiKeyCommand); } @@ -31,7 +31,7 @@ public void ClassType_DerivedFromPivCommand_IsTrue() [Fact] public void Constructor_Application_Piv() { - var command = new InitializeAuthenticateManagementKeyCommand(); + var command = new InitializeAuthenticateManagementKeyCommand(PivAlgorithm.Aes192); YubiKeyApplication application = command.Application; @@ -146,7 +146,7 @@ public void CreateResponseForApdu_ReturnsCorrectType() byte sw2 = unchecked((byte)SWConstants.Success); var responseApdu = new ResponseApdu( new byte[] { 0x7C, 0x0A, 0x81, 0x08, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, sw1, sw2 }); - var command = new InitializeAuthenticateManagementKeyCommand(); + var command = new InitializeAuthenticateManagementKeyCommand(PivAlgorithm.Aes192); InitializeAuthenticateManagementKeyResponse? response = command.CreateResponseForApdu(responseApdu); @@ -164,9 +164,9 @@ private static CommandApdu GetInitAuthMgmtKeyCommandApdu(int constructor) { InitializeAuthenticateManagementKeyCommand command = constructor switch { - 0 => new InitializeAuthenticateManagementKeyCommand(false), - 1 => new InitializeAuthenticateManagementKeyCommand(true), - _ => new InitializeAuthenticateManagementKeyCommand(), + 0 => new InitializeAuthenticateManagementKeyCommand(false, PivAlgorithm.Aes192), + 1 => new InitializeAuthenticateManagementKeyCommand(true, PivAlgorithm.Aes192), + _ => new InitializeAuthenticateManagementKeyCommand(PivAlgorithm.Aes192), }; return command.CreateCommandApdu(); 
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/InitAuthMgmtKeyResponseTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/InitAuthMgmtKeyResponseTests.cs index 15b9e7fd..be9db485 100644 --- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/InitAuthMgmtKeyResponseTests.cs +++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/InitAuthMgmtKeyResponseTests.cs @@ -26,7 +26,7 @@ public class InitAuthMgmtKeyResponseTests public void Constructor_GivenNullResponseApdu_ThrowsArgumentNullExceptionFromBase() { #pragma warning disable CS8625 // testing null input, disable warning that null is passed to non-nullable arg. - _ = Assert.Throws(() => new InitializeAuthenticateManagementKeyResponse(null)); + _ = Assert.Throws(() => new InitializeAuthenticateManagementKeyResponse(null, PivAlgorithm.Aes192)); #pragma warning restore CS8625 } @@ -39,7 +39,7 @@ public void Constructor_InvalidLength_CorrectException() new byte[] { 0x7C, 0x09, 0x81, 0x07, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, sw1, sw2 }); _ = Assert.Throws(() => - new InitializeAuthenticateManagementKeyResponse(responseApdu)); + new InitializeAuthenticateManagementKeyResponse(responseApdu, PivAlgorithm.Aes192)); } [Fact] @@ -51,7 +51,7 @@ public void Constructor_InvalidT0_CorrectException() new byte[] { 0x78, 0x0A, 0x81, 0x08, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, sw1, sw2 }); _ = Assert.Throws(() => - new InitializeAuthenticateManagementKeyResponse(responseApdu)); + new InitializeAuthenticateManagementKeyResponse(responseApdu, PivAlgorithm.Aes192)); } [Fact] @@ -63,7 +63,7 @@ public void Constructor_InvalidT2_CorrectException() new byte[] { 0x7C, 0x0A, 0x82, 0x08, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, sw1, sw2 }); _ = Assert.Throws(() => - new InitializeAuthenticateManagementKeyResponse(responseApdu)); + new InitializeAuthenticateManagementKeyResponse(responseApdu, PivAlgorithm.Aes192)); } [Fact] 
@@ -75,7 +75,7 @@ public void Constructor_InvalidL1_CorrectException() new byte[] { 0x7C, 0x0A, 0x81, 0x07, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, sw1, sw2 }); _ = Assert.Throws(() => - new InitializeAuthenticateManagementKeyResponse(responseApdu)); + new InitializeAuthenticateManagementKeyResponse(responseApdu, PivAlgorithm.Aes192)); } [Fact] @@ -86,7 +86,7 @@ public void Constructor_SuccessResponseApdu_SetsStatusWordCorrectly() var responseApdu = new ResponseApdu( new byte[] { 0x7C, 0x0A, 0x81, 0x08, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, sw1, sw2 }); - var response = new InitializeAuthenticateManagementKeyResponse(responseApdu); + var response = new InitializeAuthenticateManagementKeyResponse(responseApdu, PivAlgorithm.Aes192); Assert.Equal(SWConstants.Success, response.StatusWord); } @@ -99,7 +99,7 @@ public void Constructor_SuccessResponseApdu_SetsStatusCorrectly() var responseApdu = new ResponseApdu( new byte[] { 0x7C, 0x0A, 0x81, 0x08, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, sw1, sw2 }); - var response = new InitializeAuthenticateManagementKeyResponse(responseApdu); + var response = new InitializeAuthenticateManagementKeyResponse(responseApdu, PivAlgorithm.Aes192); Assert.Equal(ResponseStatus.Success, response.Status); } @@ -120,7 +120,7 @@ public void Constructor_SuccessResponseApdu_GetDataCorrectBool(bool isMutual) var responseApdu = new ResponseApdu( new byte[] { 0x7C, 0x0A, tag2, 0x08, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, sw1, sw2 }); - var response = new InitializeAuthenticateManagementKeyResponse(responseApdu); + var response = new InitializeAuthenticateManagementKeyResponse(responseApdu, PivAlgorithm.Aes192); (bool isMutualAuth, ReadOnlyMemory clientAuthenticationChallenge) = response.GetData(); 
@@ -138,7 +138,7 @@ public void Constructor_SuccessResponseApdu_GetDataCorrectBytes() var responseApdu = new ResponseApdu( new byte[] { 0x7C, 0x0A, 0x81, 0x08, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, sw1, sw2 }); - var response = new InitializeAuthenticateManagementKeyResponse(responseApdu); + var response = new InitializeAuthenticateManagementKeyResponse(responseApdu, PivAlgorithm.Aes192); (bool isMutualAuth, ReadOnlyMemory clientAuthenticationChallenge) = response.GetData(); @@ -155,7 +155,7 @@ public void Constructor_FailResponseApdu_SetsStatusWordCorrectly() byte sw2 = unchecked((byte)SWConstants.ConditionsNotSatisfied); var responseApdu = new ResponseApdu(new byte[] { sw1, sw2 }); - var response = new InitializeAuthenticateManagementKeyResponse(responseApdu); + var response = new InitializeAuthenticateManagementKeyResponse(responseApdu, PivAlgorithm.Aes192); Assert.Equal(SWConstants.ConditionsNotSatisfied, response.StatusWord); } @@ -167,7 +167,7 @@ public void Constructor_FailResponseApdu_SetsStatusCorrectly() byte sw2 = unchecked((byte)SWConstants.ConditionsNotSatisfied); var responseApdu = new ResponseApdu(new byte[] { sw1, sw2 }); - var response = new InitializeAuthenticateManagementKeyResponse(responseApdu); + var response = new InitializeAuthenticateManagementKeyResponse(responseApdu, PivAlgorithm.Aes192); Assert.Equal(ResponseStatus.ConditionsNotSatisfied, response.Status); } @@ -179,7 +179,7 @@ public void Constructor_FailResponseApdu_ThrowOnGetData() byte sw2 = unchecked((byte)SWConstants.ConditionsNotSatisfied); var responseApdu = new ResponseApdu(new byte[] { sw1, sw2 }); - var response = new InitializeAuthenticateManagementKeyResponse(responseApdu); + var response = new InitializeAuthenticateManagementKeyResponse(responseApdu, PivAlgorithm.Aes192); _ = Assert.Throws(() => response.GetData()); } 
diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/SetManagementKeyCommandTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/SetManagementKeyCommandTests.cs index 386bdf17..536d62d9 100644 --- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/SetManagementKeyCommandTests.cs +++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/SetManagementKeyCommandTests.cs @@ -24,7 +24,7 @@ public class SetManagementKeyCommandTests public void ClassType_DerivedFromPivCommand_IsTrue() { byte[] mgmtKey = GetMgmtKeyArray(); - var command = new SetManagementKeyCommand(mgmtKey, PivTouchPolicy.Always); + var command = new SetManagementKeyCommand(mgmtKey, PivTouchPolicy.Always, PivAlgorithm.TripleDes); Assert.True(command is IYubiKeyCommand); } @@ -33,7 +33,7 @@ public void ClassType_DerivedFromPivCommand_IsTrue() public void Constructor_Application_Piv() { byte[] mgmtKey = GetMgmtKeyArray(); - var command = new SetManagementKeyCommand(mgmtKey, PivTouchPolicy.Always); + var command = new SetManagementKeyCommand(mgmtKey, PivTouchPolicy.Always, PivAlgorithm.TripleDes); YubiKeyApplication application = command.Application; @@ -45,7 +45,7 @@ public void Constructor_Property_TouchPolicy() { byte[] mgmtKey = GetMgmtKeyArray(); PivTouchPolicy touchPolicy = PivTouchPolicy.Always; - var command = new SetManagementKeyCommand(mgmtKey, touchPolicy); + var command = new SetManagementKeyCommand(mgmtKey, touchPolicy, PivAlgorithm.TripleDes); PivTouchPolicy getPolicy = command.TouchPolicy; @@ -206,11 +206,11 @@ private static SetManagementKeyCommand GetCommandObject(int cStyle, PivTouchPoli switch (cStyle) { default: - cmd = new SetManagementKeyCommand(mgmtKey, touchPolicy); + cmd = new SetManagementKeyCommand(mgmtKey, touchPolicy, PivAlgorithm.TripleDes); break; case 2: - cmd = new SetManagementKeyCommand(mgmtKey) + cmd = new SetManagementKeyCommand(mgmtKey, PivAlgorithm.TripleDes) { TouchPolicy = touchPolicy, }; 
@@ -219,13 +219,13 @@ private static SetManagementKeyCommand GetCommandObject(int cStyle, PivTouchPoli case 3: #pragma warning disable IDE0017 // Specifically testing this construction - cmd = new SetManagementKeyCommand(mgmtKey); + cmd = new SetManagementKeyCommand(mgmtKey, PivAlgorithm.TripleDes); cmd.TouchPolicy = touchPolicy; break; #pragma warning restore IDE0017 case 4: - cmd = new SetManagementKeyCommand(mgmtKey); + cmd = new SetManagementKeyCommand(mgmtKey, PivAlgorithm.TripleDes); break; } From 7400b6ea4524656f42750d1889d064ab00a08479 Mon Sep 17 00:00:00 2001 From: Dennis Dyall Date: Tue, 17 Dec 2024 16:19:56 +0100 Subject: [PATCH 3/5] tests: fix tests --- .../YubiKey/Piv/Commands/CompleteAuthMgmtKeyCommandTests.cs | 4 ++-- .../YubiKey/Piv/Commands/InitAuthMgmtKeyCommandTests.cs | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/CompleteAuthMgmtKeyCommandTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/CompleteAuthMgmtKeyCommandTests.cs index 857c37d1..012768a0 100644 --- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/CompleteAuthMgmtKeyCommandTests.cs +++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/CompleteAuthMgmtKeyCommandTests.cs @@ -148,13 +148,13 @@ public void CreateCommandApdu_GetInsProperty_ReturnsHex87(bool isMutual) [Theory] [InlineData(true)] [InlineData(false)] - public void CreateCommandApdu_GetP1Property_Returns10ForAes192(bool isMutual) + public void CreateCommandApdu_GetP1Property_ReturnsThreeForTdes(bool isMutual) { CommandApdu cmdApdu = GetCommandApdu(isMutual, true); byte P1 = cmdApdu.P1; - Assert.Equal(10, P1); + Assert.Equal(3, P1); } [Theory] diff --git a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/InitAuthMgmtKeyCommandTests.cs b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/InitAuthMgmtKeyCommandTests.cs index 9ffce857..12af27e1 100644 
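Review bot: With the -148 hunk reverting the assertion to `Assert.Equal(3, P1);` and `GetInitResponse` building its response with `PivAlgorithm.TripleDes` (patch 2, -332 hunk), the only P1 value exercised for `CompleteAuthenticateManagementKeyCommand` is the Triple-DES one; the AES-192 value that patch 2 asserted as 10 is no longer covered anywhere in the series. Given that the series' stated purpose is to stop assuming TDES, a `[Theory]` that builds the init response for each algorithm and expects 3 and 10 respectively would pin the new behavior — that presumably requires `GetCommandApdu`/`GetInitResponse` to take the algorithm, which is outside the hunk. I have not verified that 10 is the correct AES-192 P1 value; it is what patch 2 asserted and patch 3 replaced.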
--- a/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/InitAuthMgmtKeyCommandTests.cs +++ b/Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/Commands/InitAuthMgmtKeyCommandTests.cs @@ -164,9 +164,9 @@ private static CommandApdu GetInitAuthMgmtKeyCommandApdu(int constructor) { InitializeAuthenticateManagementKeyCommand command = constructor switch { - 0 => new InitializeAuthenticateManagementKeyCommand(false, PivAlgorithm.Aes192), - 1 => new InitializeAuthenticateManagementKeyCommand(true, PivAlgorithm.Aes192), - _ => new InitializeAuthenticateManagementKeyCommand(PivAlgorithm.Aes192), + 0 => new InitializeAuthenticateManagementKeyCommand(false, PivAlgorithm.TripleDes), + 1 => new InitializeAuthenticateManagementKeyCommand(true, PivAlgorithm.TripleDes), + _ => new InitializeAuthenticateManagementKeyCommand(PivAlgorithm.TripleDes), }; return command.CreateCommandApdu(); From 441ad34bac91c12bfa38cb3c2f9bc4829df7b2cc Mon Sep 17 00:00:00 2001 From: Dennis Dyall Date: Tue, 17 Dec 2024 16:28:27 +0100 Subject: [PATCH 4/5] tests: fixed more pivsession tests --- .../Yubico/YubiKey/Piv/Commands/AuthMgmtKeyCmdTests.cs | 4 ++-- .../Yubico/YubiKey/Piv/Commands/SetMgmtKeyCmdTests.cs | 5 +---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Commands/AuthMgmtKeyCmdTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Commands/AuthMgmtKeyCmdTests.cs index 7fca166e..da901cbb 100644 --- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Commands/AuthMgmtKeyCmdTests.cs +++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Commands/AuthMgmtKeyCmdTests.cs 
@@ -56,7 +56,7 @@ public void AuthKey_Default_Succeeds() 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 }; - var initCmd = new InitializeAuthenticateManagementKeyCommand(false); + var initCmd = new InitializeAuthenticateManagementKeyCommand(false, PivAlgorithm.TripleDes); InitializeAuthenticateManagementKeyResponse initRsp = pivSession.Connection.SendCommand(initCmd); Assert.Equal(ResponseStatus.Success, initRsp.Status); @@ -88,7 +88,7 @@ public void AuthKey_Aes_Succeeds() 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58 }; - var initCmd = new InitializeAuthenticateManagementKeyCommand(true); + var initCmd = new InitializeAuthenticateManagementKeyCommand(true, PivAlgorithm.TripleDes); InitializeAuthenticateManagementKeyResponse initRsp = pivSession.Connection.SendCommand(initCmd); Assert.Equal(ResponseStatus.Success, initRsp.Status); diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Commands/SetMgmtKeyCmdTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Commands/SetMgmtKeyCmdTests.cs index a030e3b6..d219c5f7 100644 --- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Commands/SetMgmtKeyCmdTests.cs +++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Commands/SetMgmtKeyCmdTests.cs @@ -52,10 +52,7 @@ public void SetKey_ValidAes_Succeeds() 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38 }; - var setCmd = new SetManagementKeyCommand(keyData) - { - Algorithm = PivAlgorithm.Aes128, - }; + var setCmd = new SetManagementKeyCommand(keyData, PivAlgorithm.Aes128); SetManagementKeyResponse setRsp = pivSession.Connection.SendCommand(setCmd); Assert.Equal(ResponseStatus.AuthenticationRequired, setRsp.Status); From 4e5a6851abf485bd856607e5e373bd2370b27cb6 Mon Sep 17 00:00:00 2001 
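Review bot: In the -88 hunk, `AuthKey_Aes_Succeeds` now passes `PivAlgorithm.TripleDes` when building the init command, which preserves what the removed `(bool)` overload did implicitly but reads at odds with the test name; if the key literal above it is an AES key, the init command should name that algorithm, and if the test really authenticates a TDES key the name should change instead. How the key was set is outside the hunk, so I cannot tell which. The -56 hunk, `AuthKey_Default_Succeeds`, hard-codes TDES for the default key, yet this series' own doc text says the default is AES-192 on firmware 5.7.x and later, so that test would fail on such a device; deriving the algorithm from the device under test (the session's `DefaultManagementKeyAlgorithm` if it is reachable from the test, otherwise a firmware version check on `pivSession`) would keep the test valid across firmware.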
From: Dennis Dyall Date: Tue, 17 Dec 2024 16:28:59 +0100 Subject: [PATCH 5/5] tests: fixed more pivsession tests --- .../Yubico/YubiKey/Piv/Commands/SetMgmtKeyCmdTests.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Commands/SetMgmtKeyCmdTests.cs b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Commands/SetMgmtKeyCmdTests.cs index d219c5f7..1caaf59b 100644 --- a/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Commands/SetMgmtKeyCmdTests.cs +++ b/Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/Commands/SetMgmtKeyCmdTests.cs @@ -115,7 +115,7 @@ public void SetKey_TDes_Succeeds() 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58 }; - var setCmd = new SetManagementKeyCommand(keyData); + var setCmd = new SetManagementKeyCommand(keyData, PivAlgorithm.TripleDes); SetManagementKeyResponse setRsp = pivSession.Connection.SendCommand(setCmd); Assert.Equal(ResponseStatus.Success, setRsp.Status);