Improve tests

tests/device/cli/piv/conftest.py

@@ -1,9 +1,53 @@
 from yubikit.management import CAPABILITY
 from ... import condition
+from .util import DEFAULT_PIN, DEFAULT_PUK, DEFAULT_MANAGEMENT_KEY
+from typing import NamedTuple
 import pytest
 
 
 @pytest.fixture(autouse=True)
 @condition.capability(CAPABILITY.PIV)
 def ensure_piv(ykman_cli):
     ykman_cli("piv", "reset", "-f")
+
+
+class Keys(NamedTuple):
+    pin: str
+    puk: str
+    mgmt: str
+
+
+@pytest.fixture
+def default_keys():
+    yield Keys(DEFAULT_PIN, DEFAULT_PUK, DEFAULT_MANAGEMENT_KEY)
+
+
+@pytest.fixture
+def keys(ykman_cli, info, default_keys):
+    if CAPABILITY.PIV in info.fips_capable:
+        new_keys = Keys(
+            "12345679",
+            "12345670",
+            "010203040506070801020304050607080102030405060709",
+        )
+
+        ykman_cli(
+            "piv", "access", "change-pin", "-P", default_keys.pin, "-n", new_keys.pin
+        )
+        ykman_cli(
+            "piv", "access", "change-puk", "-p", default_keys.puk, "-n", new_keys.puk
+        )
+        ykman_cli(
+            "piv",
+            "access",
+            "change-management-key",
+            "-m",
+            default_keys.mgmt,
+            "-n",
+            new_keys.mgmt,
+            "-f",
+        )
+
+        yield new_keys
+    else:
+        yield default_keys

tests/device/cli/piv/test_generate_cert_and_csr.py

@@ -3,7 +3,7 @@
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import ec, rsa, padding
-from .util import DEFAULT_PIN, DEFAULT_MANAGEMENT_KEY, NON_DEFAULT_MANAGEMENT_KEY
+from .util import NON_DEFAULT_MANAGEMENT_KEY
 from ... import condition
 import pytest
 
@@ -33,20 +33,20 @@ def not_roca(version):
 
 class TestNonDefaultMgmKey:
     @pytest.fixture(autouse=True)
-    def set_mgmt_key(self, ykman_cli):
+    def set_mgmt_key(self, ykman_cli, keys):
         ykman_cli(
             "piv",
             "access",
             "change-management-key",
             "-P",
-            DEFAULT_PIN,
+            keys.pin,
             "-m",
-            DEFAULT_MANAGEMENT_KEY,
+            keys.mgmt,
             "-n",
             NON_DEFAULT_MANAGEMENT_KEY,
         )
 
-    def _test_generate_self_signed(self, ykman_cli, slot, algo):
+    def _test_generate_self_signed(self, ykman_cli, keys, slot, algo):
         pubkey_output = ykman_cli(
             "piv",
             "keys",
@@ -68,7 +68,7 @@ def _test_generate_self_signed(self, ykman_cli, slot, algo):
             "-s",
             "subject-" + algo,
             "-P",
-            DEFAULT_PIN,
+            keys.pin,
             "-",
             input=pubkey_output,
         )
@@ -82,37 +82,37 @@ def _test_generate_self_signed(self, ykman_cli, slot, algo):
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_self_signed_slot_9a_rsa1024(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9a", "RSA1024")
+    def test_generate_self_signed_slot_9a_rsa2048(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9a", "RSA2048")
 
-    def test_generate_self_signed_slot_9a_eccp256(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9a", "ECCP256")
+    def test_generate_self_signed_slot_9a_eccp256(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9a", "ECCP256")
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_self_signed_slot_9c_rsa1024(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9c", "RSA1024")
+    def test_generate_self_signed_slot_9c_rsa2048(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9c", "RSA2048")
 
-    def test_generate_self_signed_slot_9c_eccp256(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9c", "ECCP256")
+    def test_generate_self_signed_slot_9c_eccp256(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9c", "ECCP256")
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_self_signed_slot_9d_rsa1024(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9d", "RSA1024")
+    def test_generate_self_signed_slot_9d_rsa2048(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9d", "RSA2048")
 
-    def test_generate_self_signed_slot_9d_eccp256(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9d", "ECCP256")
+    def test_generate_self_signed_slot_9d_eccp256(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9d", "ECCP256")
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_self_signed_slot_9e_rsa1024(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9e", "RSA1024")
+    def test_generate_self_signed_slot_9e_rsa2048(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9e", "RSA2048")
 
-    def test_generate_self_signed_slot_9e_eccp256(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9e", "ECCP256")
+    def test_generate_self_signed_slot_9e_eccp256(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9e", "ECCP256")
 
-    def _test_generate_csr(self, ykman_cli, slot, algo):
+    def _test_generate_csr(self, ykman_cli, keys, slot, algo):
         subject_input = "subject-" + algo
         pubkey_output = ykman_cli(
             "piv",
@@ -131,7 +131,7 @@ def _test_generate_csr(self, ykman_cli, slot, algo):
             "request",
             slot,
             "-P",
-            DEFAULT_PIN,
+            keys.pin,
             "-",
             "-",
             "-s",
@@ -147,62 +147,62 @@ def _test_generate_csr(self, ykman_cli, slot, algo):
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_csr_slot_9a_rsa1024(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9a", "RSA1024")
+    def test_generate_csr_slot_9a_rsa2048(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9a", "RSA2048")
 
-    def test_generate_csr_slot_9a_eccp256(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9a", "ECCP256")
+    def test_generate_csr_slot_9a_eccp256(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9a", "ECCP256")
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_csr_slot_9c_rsa1024(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9c", "RSA1024")
+    def test_generate_csr_slot_9c_rsa2048(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9c", "RSA2048")
 
-    def test_generate_csr_slot_9c_eccp256(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9c", "ECCP256")
+    def test_generate_csr_slot_9c_eccp256(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9c", "ECCP256")
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_csr_slot_9d_rsa1024(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9d", "RSA1024")
+    def test_generate_csr_slot_9d_rsa2048(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9d", "RSA2048")
 
-    def test_generate_csr_slot_9d_eccp256(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9d", "ECCP256")
+    def test_generate_csr_slot_9d_eccp256(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9d", "ECCP256")
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_csr_slot_9e_rsa1024(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9e", "RSA1024")
+    def test_generate_csr_slot_9e_rsa2048(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9e", "RSA2048")
 
-    def test_generate_csr_slot_9e_eccp256(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9e", "ECCP256")
+    def test_generate_csr_slot_9e_eccp256(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9e", "ECCP256")
 
 
 class TestProtectedMgmKey:
     @pytest.fixture(autouse=True)
-    def protect_mgmt_key(self, ykman_cli):
+    def protect_mgmt_key(self, ykman_cli, keys):
         ykman_cli(
             "piv",
             "access",
             "change-management-key",
             "-p",
             "-P",
-            DEFAULT_PIN,
+            keys.pin,
             "-m",
-            DEFAULT_MANAGEMENT_KEY,
+            keys.mgmt,
         )
 
-    def _test_generate_self_signed(self, ykman_cli, slot, algo):
+    def _test_generate_self_signed(self, ykman_cli, keys, slot, algo):
         pubkey_output = ykman_cli(
-            "piv", "keys", "generate", slot, "-a", algo, "-P", DEFAULT_PIN, "-"
+            "piv", "keys", "generate", slot, "-a", algo, "-P", keys.pin, "-"
         ).output
         ykman_cli(
             "piv",
             "certificates",
             "generate",
             slot,
             "-P",
-            DEFAULT_PIN,
+            keys.pin,
             "-s",
             "subject-" + algo,
             "-",
@@ -218,48 +218,48 @@ def _test_generate_self_signed(self, ykman_cli, slot, algo):
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_self_signed_slot_9a_rsa1024(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9a", "RSA1024")
+    def test_generate_self_signed_slot_9a_rsa2048(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9a", "RSA2048")
 
-    def test_generate_self_signed_slot_9a_eccp256(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9a", "ECCP256")
+    def test_generate_self_signed_slot_9a_eccp256(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9a", "ECCP256")
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_self_signed_slot_9c_rsa1024(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9c", "RSA1024")
+    def test_generate_self_signed_slot_9c_rsa2048(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9c", "RSA2048")
 
-    def test_generate_self_signed_slot_9c_eccp256(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9c", "ECCP256")
+    def test_generate_self_signed_slot_9c_eccp256(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9c", "ECCP256")
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_self_signed_slot_9d_rsa1024(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9d", "RSA1024")
+    def test_generate_self_signed_slot_9d_rsa2048(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9d", "RSA2048")
 
-    def test_generate_self_signed_slot_9d_eccp256(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9d", "ECCP256")
+    def test_generate_self_signed_slot_9d_eccp256(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9d", "ECCP256")
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_self_signed_slot_9e_rsa1024(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9e", "RSA1024")
+    def test_generate_self_signed_slot_9e_rsa2048(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9e", "RSA2048")
 
-    def test_generate_self_signed_slot_9e_eccp256(self, ykman_cli):
-        self._test_generate_self_signed(ykman_cli, "9e", "ECCP256")
+    def test_generate_self_signed_slot_9e_eccp256(self, ykman_cli, keys):
+        self._test_generate_self_signed(ykman_cli, keys, "9e", "ECCP256")
 
-    def _test_generate_csr(self, ykman_cli, slot, algo):
+    def _test_generate_csr(self, ykman_cli, keys, slot, algo):
         subject_input = "subject-" + algo
         pubkey_output = ykman_cli(
-            "piv", "keys", "generate", slot, "-a", algo, "-P", DEFAULT_PIN, "-"
+            "piv", "keys", "generate", slot, "-a", algo, "-P", keys.pin, "-"
         ).output
         csr_output = ykman_cli(
             "piv",
             "certificates",
             "request",
             slot,
             "-P",
-            DEFAULT_PIN,
+            keys.pin,
             "-",
             "-",
             "-s",
@@ -275,32 +275,32 @@ def _test_generate_csr(self, ykman_cli, slot, algo):
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_csr_slot_9a_rsa1024(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9a", "RSA1024")
+    def test_generate_csr_slot_9a_rsa2048(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9a", "RSA2048")
 
-    def test_generate_csr_slot_9a_eccp256(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9a", "ECCP256")
+    def test_generate_csr_slot_9a_eccp256(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9a", "ECCP256")
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_csr_slot_9c_rsa1024(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9c", "RSA1024")
+    def test_generate_csr_slot_9c_rsa2048(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9c", "RSA2048")
 
-    def test_generate_csr_slot_9c_eccp256(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9c", "ECCP256")
+    def test_generate_csr_slot_9c_eccp256(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9c", "ECCP256")
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_csr_slot_9d_rsa1024(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9d", "RSA1024")
+    def test_generate_csr_slot_9d_rsa2048(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9d", "RSA2048")
 
-    def test_generate_csr_slot_9d_eccp256(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9d", "ECCP256")
+    def test_generate_csr_slot_9d_eccp256(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9d", "ECCP256")
 
     @condition.yk4_fips(False)
     @condition.check(not_roca)
-    def test_generate_csr_slot_9e_rsa1024(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9e", "RSA1024")
+    def test_generate_csr_slot_9e_rsa2048(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9e", "RSA2048")
 
-    def test_generate_csr_slot_9e_eccp256(self, ykman_cli):
-        self._test_generate_csr(ykman_cli, "9e", "ECCP256")
+    def test_generate_csr_slot_9e_eccp256(self, ykman_cli, keys):
+        self._test_generate_csr(ykman_cli, keys, "9e", "ECCP256")