Running these tests requires a YubiHSM. The user running the tests also needs
to have permission to use the device. On Ubuntu this can be achieved by adding
the user to the dialout group.
Initialize the YubiHSM by holding down the button on it while it is inserted into a USB port. The YubiHSM should blink slowly to indicate configuration mode. Connect to the serial interface of the device and enter the following commands:
HSM (keys not decrypted)> zap <enter> Confirm current config being erased (type yes) yes <enter> - wait - done NO_CFG> hsm ffffffff <enter> Enabled flags ffffffff = YSM_AEAD_GENERATE,YSM_BUFFER_AEAD_GENERATE,YSM_RANDOM_AEAD_GENERATE,YSM_AEAD_DECRYPT_CMP,YSM_DG Enter cfg password (g to generate) <enter> Enter admin Yubikey public id 001/008 (enter when done) <enter> Enter master key (g to generate) <enter> Confirm current config being erased (type yes) yes <enter> - wait - done HSM (keys changed)> keycommit <enter> - Done HSM> exit <enter>
You should now be ready to run the tests.
To run the tests, have a device configured as described above, then run:
YHSM_ZAP=1 python setup.py test
Note that subsequent testruns can omit YHSM_ZAP=1 to skip the initial HSM
device configuration, however each testrun that doesn’t reset the device
configuration will take longer and longer to complete, until the next
configuration reset. This is due to the admin YubiKey OTP counters being
incremented on each run, and not stored anywhere, requiring looping to find the
correct value. It is also possible to just reset the configuration, without
running the tests:
python -m test.configure_hsm