Skip to content

fix,tests: Fixed bug where attest cert could not be RSA3072 or RSA4096, removed obsolete tests and consolidated Piv tests #230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 47 commits into from
May 27, 2025
Merged

fix,tests: Fixed bug where attest cert could not be RSA3072 or RSA4096, removed obsolete tests and consolidated Piv tests #230

merged 47 commits into from
May 27, 2025

Conversation

DennisDyallo
Copy link
Collaborator

@DennisDyallo DennisDyallo commented May 5, 2025
edited
Loading

Description

This PR fixes a bug where attestation cert could not be RSA3072 or RSA4096, as well as updates a number of tests that were made obsolete in recent refactors around ECPublicKey, ECPrivateKey, RSAPublicKey and RSAPrivateKey.

Additional changes:

  • logging: Added logging when changing pin or puk
  • refactor: refactor: Proper parsing of X509Certificate2 around Piv attestation and importing of attest certificate
  • refactor: Consolidated logic around key size and key definition lookup in Piv
  • refactor: Consolidated logic around GetMetadata in Piv
  • docs: Removed legacy documentation regarding valid key slots for creating attestations

Type of change

  • Refactor (non-breaking change which improves code quality or performance)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How has this been tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

Test configuration:

  • OS version: Arch Linux
  • Firmware version: 5.7.4, 5.4.3
  • Yubikey model1: USB A, USB C

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have run dotnet format to format my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Footnotes

  1. See Yubikey models (Multi-protocol, Security Key, FIPS, Bio, YubiHSM, YubiHSM FIPS)

DennisDyallo and others added 20 commits April 22, 2025 14:51
@DennisDyallo
tests: added ability to select usbcbio
2472f0e
@DennisDyallo
wip: remake tests
3f735f2
@DennisDyallo
samples: fix sample project
f5ef846
@AaFortner @DennisDyallo
Remove incorrect auth token truncation from various commands
3d1dbc6
@equijano21 @DennisDyallo
commits from PR204
1971953
@equijano21 @DennisDyallo
typos, other minor fixes
1f51a6b
@DennisDyallo
misc: add comments, clarify return type
74838b0
@DennisDyallo
tests: remove bio requirement on fido tests
fcd00ff
@DennisDyallo
tests: improved usability of TestKeys
59ea863
@DennisDyallo
docs: fix wording
30b3db7
@DennisDyallo
misc: separate into files
4131d0e
@DennisDyallo
tests: wording, misc
4dea521
@DennisDyallo
tests: added tests for RSA keys
836635d 
add tests to verify private key with piv and asn encoding/decoding works

add tests to verify functionality of RSAPublicKey.CreateFromPkcs8
@DennisDyallo
tests: refactor
0ec46e1 
refactor rsaformat
refactor cryptosupport
@DennisDyallo
change: EncodeToSubjectPublicKeyInfo will throw on missing public key…
3c1632f 
… components
@DennisDyallo
tests: refactor CryptoSupport.cs
07ea148
@DennisDyallo
tests: refactored tests
c3a6621 
use TestKeys class
use common base class for Piv
remove SampleKeyPairs.cs
removed CertConverter
@DennisDyallo
tests: update cert data to include CA extensions
23b6ee9
@DennisDyallo
tests: remove obsolete class
46295ec
@DennisDyallo
tests: piv test use reusable base class and all pass
9b82282
@github-actions GitHub Actions
Copy link

github-actions bot commented May 5, 2025
edited
Loading

Test Results: Windows

    2 files      2 suites   9s ⏱️
3 897 tests 3 897 ✅ 0 💤 0 ❌
3 899 runs  3 899 ✅ 0 💤 0 ❌

Results for commit dbb6718.

♻️ This comment has been updated with latest results.

@github-actions GitHub Actions
Copy link

github-actions bot commented May 5, 2025
edited
Loading

Test Results: Ubuntu

    2 files      2 suites   13s ⏱️
3 889 tests 3 889 ✅ 0 💤 0 ❌
3 891 runs  3 891 ✅ 0 💤 0 ❌

Results for commit dbb6718.

♻️ This comment has been updated with latest results.

@github-actions GitHub Actions
Copy link

github-actions bot commented May 5, 2025
edited
Loading

Test Results: MacOS

    2 files      2 suites   9s ⏱️
3 889 tests 3 889 ✅ 0 💤 0 ❌
3 891 runs  3 891 ✅ 0 💤 0 ❌

Results for commit dbb6718.

♻️ This comment has been updated with latest results.

@DennisDyallo
misc: removed comments
37fe763
@DennisDyallo
misc: Rename comment
0e0d65b
@DennisDyallo
tests: fixed some tests
745b9b1
@DennisDyallo
tests: refactor piv tests to reuse base class
80f09a9
@DennisDyallo
tests: improved PivSession tests
279fd05 
remove unnecessary test on size of certs
reduced test logic
remove unused class
add default pin and puk to base class
@DennisDyallo
tests: misc Scp test changes
8c52f4e
@DennisDyallo
tests:
c268c1d 
remove overlapping test
add docs
@DennisDyallo
tests: PivSession
32256bf 
fix tests with auth
add complex pin and puk
@DennisDyallo
tests: Fix PinOnlyWithResetTests.cs for devices gt v5.7
96196da
@DennisDyallo
refactor: PivSession
a7b54cc 
- added field DefaultManagementKey
- early exit when fail TryVerifyPin
- use range operator
@DennisDyallo
fix: bug where SDK would print a failure log even though we were succ…
abf8c71 
…essful (PivSession)

- additional: added param docs for mutualAuthentication
@DennisDyallo
tests: minor refactor for tests in PivSession
32f35d8
@DennisDyallo
misc: added logging for changing pin / puk
d307713
@DennisDyallo
refactor: reuse logic for GetMetadata (PivSession)
ace1a0a
@DennisDyallo
tests:
46999f0 
AttestTests - added comment on CreateAttestationStatement
Added test for Ed25519 attest

Fix tests in PivSessionTests
@DennisDyallo
refactor: minor work on Piv Attestation and RSAPublicKey
5c5e93a 
- lookup of key definitions
- determine valid attestation cert
@DennisDyallo
misc: code cleanup
7bca86e
@DennisDyallo
misc: remove add default management key
78b1f2c
@DennisDyallo DennisDyallo changed the title tests: Updated obsolete tests fix,tests: Fixed bug where attest cert could not be RSA3072 or RSA4096, removed obsolete tests and consolidated Piv tests May 26, 2025
@DennisDyallo DennisDyallo requested a review from Copilot May 26, 2025 00:02
Copilot
Copilot AI reviewed May 26, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request fixes a bug preventing RSA3072 and RSA4096 attestation certificates from being used, removes obsolete tests, and refactors several command and cryptographic methods to improve clarity and consistency. Key changes include:

  • Bug fix and consolidation of key size and definition lookup in PIV commands.
  • Refactoring of obsolete test invocations and adjustments in exception handling.
  • Code style improvements such as replacing explicit equality checks with negated Boolean expressions and updating inline comments.

Reviewed Changes

Copilot reviewed 148 out of 148 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/GetMetadataCommand.cs Removed explicit initialization of _slotNumber in the parameterless constructor.
Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/CreateAttestationStatementCommand.cs Replaced equality checks with negated conditions for slot number validation.
Yubico.YubiKey/src/Yubico/YubiKey/Piv/Commands/AuthenticateSignCommand.cs Refactored algorithm determination into a separate method using LINQ.
Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Commands/* Updated ReadOnlyMemory constructions to use full authParam data.
Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/RSAPublicKey.cs Moved private key parameter validation into CreateFromParameters and updated key definition lookup.
Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/KeyDefinitions.cs Introduced a convenience method for RSA modulus length and clarified ECDSA OID error handling.
Yubico/YubiKey/src/Yubico/YubiKey/Cryptography/ECPublicKey.cs Updated return types for public key creation methods for better type clarity.
Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/AsnUtilities.cs Revised bit clamping checks for X25519 with updated (but inconsistent) inline comments.
Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/AsnPublicKeyEncoder.cs Changed exception type and message for missing RSA parameters.
Various examples under /examples/PivSampleCode/ Added pragma warning disables around obsolete API usage.
Comments suppressed due to low confidence (1)

Yubico.YubiKey/src/Yubico/YubiKey/Cryptography/AsnPublicKeyEncoder.cs:105

  • [nitpick] The exception thrown for missing RSA parameter values now uses InvalidOperationException with a different message. Consider aligning the exception type and message with similar methods to ensure consistency in error reporting.
if (parameters.Exponent == null ||

@DennisDyallo
tests: PivSessionIntegrationTestBase.cs can now manage Fips credentials
2705379
@DennisDyallo
tests: rename class
3eea339
@DennisDyallo
misc: added logging when generate key
4e3aade
@DennisDyallo
tests: added FIPS tests for generate
9b2a69f
@DennisDyallo
test: comments, restructure
68fecf7 
tests: fixed comments and code restructure
@DennisDyallo
Merge branch 'develop' into dennisdyallo/tests
b3f5446
@DennisDyallo
Merge branch 'develop' into dennisdyallo/tests
dbb6718 
# Conflicts:
#	Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Attestation.cs
#	Yubico.YubiKey/src/Yubico/YubiKey/Piv/PivSession.Crypto.cs
#	Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/ImportTests.cs
#	Yubico.YubiKey/tests/unit/Yubico/YubiKey/Cryptography/ECPrivateKeyTests.cs
#	Yubico.YubiKey/tests/unit/Yubico/YubiKey/Cryptography/ECPublicKeyTests.cs
#	Yubico.YubiKey/tests/unit/Yubico/YubiKey/Cryptography/RSAPublicKeyTests.cs
#	Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/PivEncoderDecoderTests.cs
#	Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/PivPrivateKeyTests.cs
#	Yubico.YubiKey/tests/unit/Yubico/YubiKey/Piv/PivPublicKeyTests.cs
#	Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/KeyConverter.cs
#	Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/PivKeyExtensions.cs
#	Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/SampleKeyPairs.cs
#	Yubico.YubiKey/tests/utilities/Yubico/YubiKey/TestUtilities/TestKeyExtensions.cs
AdamVe
AdamVe approved these changes May 27, 2025
View reviewed changes
Copy link
Member

@AdamVe AdamVe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I ran the integration tests locally also. See my comments as ideas for future improvements.

Yubico.YubiKey/tests/integration/Yubico/YubiKey/Piv/PinNoCollectorTests.cs
Comment on lines +123 to +124
public void ChangeRetryCounts_Succeeds(
StandardTestDevice testDeviceType)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

out of curiosity, is this the way the formatter works on the c# code?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I dont know honestly, this is the way the formatter works with the current .editorconfig and Rider, so I dont question it too much. Im sure it could be optimized. I would only want it to split into rows if the params are larger than 2. Now I think it splits when it reaches a current viewport width

@DennisDyallo
misc: pr feedback
92da903 
remove comments,
revert test change, simpler complexpin and complexpuk
@DennisDyallo DennisDyallo merged commit 76e5dd6 into develop May 27, 2025
4 checks passed
@DennisDyallo DennisDyallo deleted the dennisdyallo/tests branch May 27, 2025 22:32
@github-actions GitHub Actions
Copy link

Code Coverage

Package Line Rate Branch Rate Complexity Health
Yubico.Core 40% 31% 4365
Yubico.YubiKey 51% 46% 20595
Summary 49% (35397 / 72330) 44% (8637 / 19755) 24960

Minimum allowed line rate is 40%

@DennisDyallo DennisDyallo mentioned this pull request Jun 25, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@AdamVe AdamVe AdamVe approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@DennisDyallo @AdamVe @AaFortner @equijano21