Merge remote-tracking branch 'origin/master' into HEAD

canokeys · May 11, 2024 · 6833836 · 6833836
2 parents 1054820 + 0afb6fc
commit 6833836
Show file tree

Hide file tree

Showing 76 changed files with 8,493 additions and 3,068 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -1,56 +1,124 @@
 name: tests
-on: [push, pull_request]
+on: [push, pull_request, workflow_dispatch]
 jobs:
+  build_opensc:
+    name: Build opensc package
+    #if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    steps:
+    - name: Cache deb files
+      uses: actions/cache@v3
+      env:
+        cache-name: opensc-deb
+      with:
+        path: opensc*.deb
+        key: ${{ runner.os }}-${{ env.cache-name }}
+    - name: Check file existence
+      id: check_deb_files
+      uses: andstor/file-existence-action@v1
+      with:
+        files: "opensc*.deb"
+    - name: Package Install
+      if: steps.check_deb_files.outputs.files_exists == 'false'
+      run: |
+        sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list  
+        sudo apt-get update
+        sudo apt-get install -q -y curl git gcc g++ cmake swig psmisc procps debian-keyring devscripts
+        sudo apt-get build-dep -q -y opensc
+        sudo rm -f /usr/bin/clang-tidy
+    - name: Build the package
+      if: steps.check_deb_files.outputs.files_exists == 'false'
+      run: |
+        dget http://archive.ubuntu.com/ubuntu/pool/universe/o/opensc/opensc_0.23.0-0.1ubuntu1.dsc  
+        cd opensc-0.23.0
+        curl https://github.com/OpenSC/OpenSC/commit/a0aef25c7f2ce0ec2c7e1014f959f0fe86ff0479.diff | patch -p1
+        dch --local ppa~jammy --distribution jammy "Apply a patch. Backports to Jammy."
+        DEB_BUILD_OPTIONS='parallel=2' debuild --no-sign -b
+    - name: Upload package files
+      uses: actions/upload-artifact@v3
+      with:
+        name: opensc-deb
+        path: opensc*.deb
+
+
+
   build_test:
     name: Build and Test
     runs-on: ubuntu-latest
+    needs: build_opensc
     steps:
+    - name: Download backport OpenSC package
+      uses: actions/download-artifact@v3
+      with:
+        name: opensc-deb
+
     - name: Package Install
       run: |
         sudo apt-add-repository ppa:yubico/stable
         sudo apt-get update
-        sudo apt-get install -q -y git gcc g++ cmake swig psmisc procps pcscd pcsc-tools yubico-piv-tool libhidapi-dev libassuan-dev libgcrypt20-dev libksba-dev libnpth0-dev opensc openssl openssh-server libpcsclite-dev libudev-dev libcmocka-dev python3-pip python3-setuptools python3-wheel lcov yubikey-manager
+        sudo apt-get install -q -y git gcc g++ cmake swig psmisc procps pcscd pcsc-tools yubico-piv-tool libhidapi-dev libassuan-dev libgcrypt20-dev libksba-dev libnpth0-dev libssl3 zlib1g libglib2.0-0 openssl openssh-server libpcsclite-dev libudev-dev libcmocka-dev python3-pip python3-setuptools python3-wheel lcov yubikey-manager libcbor-dev
+        sudo dpkg -i opensc*.deb
         pip3 install --upgrade pip
 
-    - name: Set up Go 1.13
-      uses: actions/setup-go@v1
+    - name: Set up Go 1.16
+      uses: actions/setup-go@v4
       with:
-        go-version: 1.13
+        go-version: "^1.16.1"
       id: go
 
     - name: Check out code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       with:
         submodules: recursive
 
+    - name: Check out piv-go
+      uses: actions/checkout@v4
+      with:
+        repository: canokeys/piv-go
+        path: piv-go
+
     - name: Cache GO Modules
-      uses: actions/cache@v1
+      uses: actions/cache@v3
       env:
         cache-name: go_mod
       with:
         path: ~/go/pkg/mod
         key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('./go.mod') }}
 
     - name: Cache Patched GPG
-      uses: actions/cache@v1
+      uses: actions/cache@v3
       env:
         cache-name: cache_gpg_binary
       with:
         path: gnupg
         key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('./test-via-pcsc/build_gpg.sh') }}
 
+    - name: Cache FIDO Tools
+      uses: actions/cache@v3
+      env:
+        cache-name: cache_fido_tools
+      with:
+        path: |
+          u2f-ref-code
+          libfido2
+        key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('./test-via-pcsc/build_fido_tests.sh') }}
+
     - name: Build Patched GPG
       run: |
         ./test-via-pcsc/build_gpg.sh
         gpg --version
-    
+
     - name: Build FIDO Tests
-      run: ./test-via-pcsc/build_fido_tests.sh
+      run: |
+        ./test-via-pcsc/build_fido_tests.sh
+        sudo ldconfig
+        which fido2-token
+        ldd $(which fido2-token)
 
     - name: Build for Test
       run: |
         mkdir build && pushd build
-        cmake .. -DENABLE_TESTS=ON -DCMAKE_BUILD_TYPE=Debug
+        cmake .. -DENABLE_TESTS=ON -DENABLE_DEBUG_OUTPUT=ON -DCMAKE_BUILD_TYPE=Debug
         make -j2
       
     - name: Setup a SSH Server
@@ -92,16 +160,30 @@ jobs:
 
     - name: Test the FIDO2
       run: |
-        echo 1 >/tmp/canokey-test-nfc # Emulate the NFC mode
+        #echo 1 >/tmp/canokey-test-nfc # Emulate the NFC mode
+        #pushd test-real && ./test-libfido2.sh && popd
         cd fido2-tests
-        ~/.local/bin/pytest --color=yes --nfc tests/standard/
-        ~/.local/bin/pytest --color=yes --nfc tests/vendor/canokeys/ --capture=no 
+        #../build/fido-hid-over-udp &
+        git pull
+        ~/.local/bin/pytest --color=yes --vendor canokeys --nfc tests/standard/
+        ~/.local/bin/pytest --color=yes --vendor canokeys --nfc tests/vendor/canokeys/
+        #kill %1
 
     - name: Test the U2F
       run: |
         echo 0 | ./u2f-ref-code/u2f-tests/NFC/u2f_nfc_test -v | tee /tmp/u2f_nfc_test.log
         test $(grep -c 'PASS(signCheckSignature(regReq, regRsp, authReq, authRsp, rapduLen))' /tmp/u2f_nfc_test.log) -eq 6
 
+    - name: Test the ckman Utility
+      run: |
+        pip3 install canokey-manager
+        ckman --log-level DEBUG info
+        ckman oath accounts add steam1 HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ -i Steam
+        ckman oath accounts code
+        ckman openpgp info
+        ckman piv info
+        #ckman fido credentials list --pin 123456
+
     - name: Test the OATH
       run: go test -v test-via-pcsc/oath_test.go
 
@@ -190,7 +272,7 @@ jobs:
         GPGEnc
         UserChecked 1
         echo 1 >/tmp/canokey-test-nfc
-        
+
         GPGReset
         gpg --card-status |grep -E 'Signature key.+none'
         Addkey 4 2048 # [4] gen RSA2048 key
@@ -300,12 +382,15 @@ jobs:
     - name: Test the PIV
       run: |
         set -o xtrace
+        go test -v test-via-pcsc/piv_test.go
         RDID="Canokey [OpenPGP PIV OATH] 00 00"
         yubico-piv-tool -r "$RDID" -a status -a set-ccc -a set-chuid -a status
         opensc-tool -r "$RDID" -s '00 F8 00 00' | grep 'SW1=0x90, SW2=0x00' # PIV_INS_GET_SERIAL, Yubico
         opensc-tool -r "$RDID" -s '00 FD 00 00' | grep 'SW1=0x90, SW2=0x00' # PIV_INS_GET_VERSION, Yubico
         pkcs15-tool --reader "$RDID" -D
-        PIV_EXT_AUTH_KEY=test-via-pcsc/PIV_EXT_AUTH_KEY.txt piv-tool --reader "$RDID" --admin A:9B:03 || true # External Auth
+
+        cd piv-go; go test -v ./piv --wipe-yubikey; cd -
+
         yubico-piv-tool -r "$RDID" -a verify-pin -P 123456
         yubico-piv-tool -r "$RDID" -a change-pin -P 123456 -N 654321
         yubico-piv-tool -r "$RDID" -a verify-pin -P 654321
@@ -314,6 +399,10 @@ jobs:
         yubico-piv-tool -r "$RDID" -a verify-pin -P 654321
         yubico-piv-tool -r "$RDID" -a set-mgm-key -n F1F2F3F4F5F6F7F8F1F2F3F4F5F6F7F8F1F2F3F4F5F6F7F8
         yubico-piv-tool -r "$RDID" -a set-mgm-key --key=F1F2F3F4F5F6F7F8F1F2F3F4F5F6F7F8F1F2F3F4F5F6F7F8 -n 010203040506070801020304050607080102030405060708
+        export PIV_EXT_AUTH_KEY=$PWD/test-via-pcsc/PIV_EXT_AUTH_KEY.txt 
+        # opensc 0.22.0~0.23.0 has a bug on External Auth. See opensc commit: a0aef25c7f2ce0ec2c7e1014f959f0fe86ff0479
+        piv-tool --reader "$RDID" --admin A:9B:03  # External Auth
+        piv-tool --reader "$RDID" --admin M:9B:03  # Mutual Auth
         ## Key generation
         PIVGenKeyCert() {
           key=$1
@@ -332,24 +421,22 @@ jobs:
           if [[ -z "$op" || d = "$op" ]]; then yubico-piv-tool -r "$RDID" $pinArgs -a test-decipher -s $key < /tmp/cert-$key.pem; fi
         }
         ## RSA2048 tests
-        for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA2048; done
+        for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA2048; done
         yubico-piv-tool -r "$RDID" -a status
         PIVSignDec 9e # PIN not required for key 9e
-        for s in 9a 9c 9d; do PIVSignDec $s 1; done
+        for s in 9a 9c 9d 82 83; do PIVSignDec $s 1; done
         pkcs15-tool --reader "$RDID" --read-certificate 04 | openssl x509 -text | grep 'CN = CertAtSlot9e'
         echo -n hello >/tmp/hello.txt
         pkcs11-tool --slot "$RDID" -d 04 -s -m SHA256-RSA-PKCS -i /tmp/hello.txt -o /tmp/hello-signed --pin 654321
         openssl dgst -sha256 -verify /tmp/pubkey-9e.pem -signature /tmp/hello-signed /tmp/hello.txt
         ## ECC256 tests
-        for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ECCP256; done
+        for s in 9a 9c 9d 9e 82 83; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ECCP256; done
         yubico-piv-tool -r "$RDID" -a status
-        for s in 9a 9c 9e; do PIVSignDec $s 1 s; done # 9a/9c/9e only do the ECDSA
-        PIVSignDec 9d 1 d # 9d only do the ECDH
+        for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1 s;PIVSignDec $s 1 d; done
         ## ECC384 tests
         for s in 9a 9c 9d 9e; do PIVGenKeyCert $s "/CN=CertAtSlot$s/" ECCP384; done
         yubico-piv-tool -r "$RDID" -a status
-        for s in 9a 9c 9e; do PIVSignDec $s 1 s; done # 9a/9c/9e only do the ECDSA
-        PIVSignDec 9d 1 d # 9d only do the ECDH
+        for s in 9a 9c 9d 9e 82 83; do PIVSignDec $s 1 s;PIVSignDec $s 1 d; done
         ## PIN unblock
         yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s 9a < /tmp/cert-9a.pem
         yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s 9c < /tmp/cert-9c.pem
@@ -364,13 +451,17 @@ jobs:
         ## Key import
         openssl ecparam -name prime256v1 -out p256.pem
         openssl req -x509 -newkey ec:p256.pem -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=www.example.com"
-        yubico-piv-tool -r "$RDID" -a import-key -s 9a -i key.pem
-        yubico-piv-tool -r "$RDID" -a import-certificate -s 9a -i cert.pem
-        yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s 9a <cert.pem
+        for s in 9a 9d 82 83; do
+            yubico-piv-tool -r "$RDID" -a import-key -s $s -i key.pem
+            yubico-piv-tool -r "$RDID" -a import-certificate -s $s -i cert.pem
+            yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s $s <cert.pem
+        done
         openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=www.example.com"
-        yubico-piv-tool -r "$RDID" -a import-key -s 9c -i key.pem
-        yubico-piv-tool -r "$RDID" -a import-certificate -s 9c -i cert.pem
-        yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s 9c <cert.pem
+        for s in 9c 9d 82 83; do
+            yubico-piv-tool -r "$RDID" -a import-key -s $s -i key.pem
+            yubico-piv-tool -r "$RDID" -a import-certificate -s $s -i cert.pem
+            yubico-piv-tool -r "$RDID" -P 654321 -a verify-pin -a test-signature -s $s <cert.pem
+        done
         ## Factory reset
         yubico-piv-tool -r "$RDID" -a change-puk -P 12345678 -N 11111111 2>&1 | grep 'Failed verifying puk code, now 2 tries left before blocked'
         yubico-piv-tool -r "$RDID" -a change-puk -P 12345678 -N 11111111 2>&1 | grep 'Failed verifying puk code, now 1 tries left before blocked'
@@ -383,11 +474,11 @@ jobs:
         yubico-piv-tool -r "$RDID" -a unblock-pin -P 12345678 -N 654321 2>&1 | grep 'Successfully unblocked the pin code'
         ## Test long data object
         yubico-piv-tool -r "$RDID" -a set-ccc -a set-chuid -a status
-        for s in 9a 9c 9d 9e; do 
+        for s in 9a 9c 9d 9e 82 83; do
           PIVGenKeyCert $s "/CN=CertAtSlot$s/" RSA2048
           yubico-piv-tool -r "$RDID" -a import-certificate -s $s -i test-via-pcsc/long-cert.pem
         done
-    
+
     - name: Prepare the Test Coverage Report
       run: |
         go test test-via-pcsc/admin_test.go -v -run TestFSUsage

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -28,8 +28,8 @@ endif ()
 
 add_subdirectory(canokey-crypto EXCLUDE_FROM_ALL)
 
-if (DEFINED USBD_PRODUCT_STRING)
-    add_definitions(-DUSBD_PRODUCT_STRING="${USBD_PRODUCT_STRING}")
+if (DEFINED PRODUCT_NAME)
+    add_definitions(-DUSBD_PRODUCT_STRING="${PRODUCT_NAME}")
 endif ()
 
 add_definitions(-DCFG_TUSB_MCU=${TINYUSB_MCU})
@@ -91,6 +91,7 @@ if (ENABLE_TESTS)
             littlefs/bd/lfs_filebd.c)
     target_include_directories(fido-hid-over-udp SYSTEM PRIVATE virt-card littlefs)
     target_link_libraries(fido-hid-over-udp general canokey-core "-fsanitize=address")
+    add_dependencies(fido-hid-over-udp gitrev)
 
     pkg_search_module(PCSCLITE libpcsclite)
     if (PCSCLITE_FOUND)