def comparePin(self, pin):
log.debug("[comparePin] entering comparePin")
res = False
## check for a valid input
if pin is None:
log.error("[comparePin] no valid PIN!")
return res
if self.LinOtpPinHash:
if self.isPinEncrypted():
log.debug("[comparePin] we got an encrypted PIN!")
tokenPin = self.LinOtpPinHash[2:]
decryptTokenPin = decryptPin(tokenPin)
if decryptTokenPin == pin:
res = True
else:
log.debug("[comparePin] we got a hashed PIN!")
## is there a hashed pin
hashed_pin = self.getHashedPin(pin)
if hashed_pin == self.LinOtpPinHash:
res = True
else: ## token hashed pin is empyt or none
log.debug("[comparePin] there is no pin for this token!")
if pin == '':
res = True
return res
def comparePin(self, pin):
log.debug("[comparePin] entering comparePin")
res = False
## check for a valid input
if pin is None:
log.error("[comparePin] no valid PIN!")
return res
if self.LinOtpPinHash:
if self.isPinEncrypted():
log.debug("[comparePin] we got an encrypted PIN!")
tokenPin = self.LinOtpPinHash[2:]
decryptTokenPin = decryptPin(tokenPin)
if decryptTokenPin == pin:
res = True
else:
log.debug("[comparePin] we got a hashed PIN!")
## is there a hashed pin
hashed_pin = self.getHashedPin(pin)
if hashed_pin == self.LinOtpPinHash:
res = True
else: ## token hashed pin is empyt or none
log.debug("[comparePin] there is no pin for this token!")
if pin == '':
res = True
return res
def comparePin(self, pin):
log.debug("[comparePin] entering comparePin")
res = False
## check for a valid input
if pin is None:
log.error("[comparePin] no valid PIN!")
return res
if (self.isPinEncrypted() == True):
log.debug("[comparePin] we got an encrypted PIN!")
tokenPin = self.LinOtpPinHash[2:]
decryptTokenPin = decryptPin(tokenPin)
# TODO CKO: remove the TokenPin
#log.debug("[comparePin] the decrypted PIN is %s" % decryptTokenPin)
if (decryptTokenPin == pin):
res = True
else:
log.debug("[comparePin] we got a hashed PIN!")
# TODO CKO: remove the PIN hash
#log.debug("[comparePin] The Hash is %s while the LinOtpPinHash is %s" % (mypHash,self.LinOtpPinHash))
if len(self.LinOtpPinHash) > 0:
mypHash = self.getHashedPin(pin)
else:
mypHash = pin
if (mypHash == self.LinOtpPinHash):
res = True
return res
def do_request(servers, env, user, passw, options):
"""
make the call to the foreign server
"""
log.debug("start request to foreign server: %r" % servers)
for server in servers.split(' '):
parsed_server = urlparse.urlparse(server)
# the urlparse has a bug,, where in elder versions, the
# path is not split from the query
if not parsed_server.query:
path, _sep, query = parsed_server.path.partition('?')
else:
path = parsed_server.path
query = parsed_server.query
# finally we found the query parameters
params = urlparse.parse_qs(query)
for key, entry in params.items():
params[key] = entry[0]
if 'encsecret' in params:
params['secret'] = decryptPin(params['encsecret'])
del params['encsecret']
parsed_list = list(parsed_server[:])
parsed_list[ForwardServerPolicy.Path_index] = path.strip()
parsed_list[ForwardServerPolicy.Query_index] = \
urllib.urlencode(params)
server_url = urlparse.urlunparse(tuple(parsed_list))
if 'radius://' in server_url:
rad = RadiusRequest(server=server_url, env=env)
res, opt = rad.do_request(user, passw, options)
return res, opt
elif 'http://' in server_url or 'https://' in server_url:
http = HttpRequest(server=server_url, env=env)
res, opt = http.do_request(user, passw, options)
return res, opt
def do_request(servers, env, user, passw, options):
"""
make the call to the foreign server
"""
log.debug("start request to foreign server: %r" % servers)
for server in servers.split(' '):
parsed_server = urlparse.urlparse(server)
# the urlparse has a bug,, where in elder versions, the
# path is not split from the query
if not parsed_server.query:
path, _sep, query = parsed_server.path.partition('?')
else:
path = parsed_server.path
query = parsed_server.query
# finally we found the query parameters
params = urlparse.parse_qs(query)
for key, entry in params.items():
params[key] = entry[0]
if 'encsecret' in params:
params['secret'] = decryptPin(params['encsecret'])
del params['encsecret']
parsed_list = list(parsed_server[:])
parsed_list[ForwardServerPolicy.Path_index] = path.strip()
parsed_list[ForwardServerPolicy.Query_index] = \
urllib.urlencode(params)
server_url = urlparse.urlunparse(tuple(parsed_list))
if 'radius://' in server_url:
rad = RadiusRequest(server=server_url, env=env)
res, opt = rad.do_request(user, passw, options)
return res, opt
elif 'http://' in server_url or 'https://' in server_url:
http = HttpRequest(server=server_url, env=env)
res, opt = http.do_request(user, passw, options)
return res, opt
def getPin(self):
ret = -1
if self.isPinEncrypted() == True:
tokenPin = self.LinOtpPinHash[2:]
ret = decryptPin(tokenPin)
return ret
def getPin(self):
ret = -1
if self.isPinEncrypted() == True:
tokenPin = self.LinOtpPinHash[2:]
ret = decryptPin(tokenPin)
return ret
def _rollout_2(self, params):
'''
2.
https://linotpserver/admin/init?
type=ocra&
genkey=1&
activationcode=AKTIVIERUNGSCODE&
user=BENUTZERNAME&
message=MESSAGE&
session=SESSIONKEY
=>> "serial" : SERIENNUMMER, "nonce" : DATAOBJECT, "transactionid" : "TRANSAKTIONSID, "app_import" : IMPORTURL
- nonce - von HSM oder random ?
- pkcs5 - kdf2
- es darf zur einer Zeit nur eine QR Token inaktiv (== im Ausrollzustand) sein !!!!!
der Token wird über den User gefunden
- seed = pdkdf2(nonce + activcode + shared secret)
- challenge generiern - von urandom oder HSM
'''
log.debug('[_rollout_2] %r ' % (params))
activationcode = params.get('activationcode', None)
if activationcode is not None:
## genkey might have created a new key, so we have to rely on
encSharedSecret = self.getFromTokenInfo('sharedSecret', None)
if encSharedSecret is None:
raise Exception ('missing shared secret of initialition for token %r' % (self.getSerial()))
sharedSecret = decryptPin(encSharedSecret)
## we generate a nonce, which in the end is a challenge
nonce = createNonce()
self.addToTokenInfo('nonce', nonce)
## create a new key from the ocrasuite
key_len = 20
if self.ocraSuite.find('-SHA256'):
key_len = 32
elif self.ocraSuite.find('-SHA512'):
key_len = 64
newkey = kdf2(sharedSecret, nonce, activationcode, key_len)
self.setOtpKey(binascii.hexlify(newkey))
## generate challenge, which is part of the app_import
message = params.get('message', None)
#(transid, challenge, _ret, url) = self.challenge(message)
#self.createChallenge()
(res, opt) = create_challenge(self, options=params)
challenge = opt.get('challenge')
url = opt.get('url')
transid = opt.get('transactionid')
## generate response
info = {}
uInfo = {}
info['serial'] = self.getSerial()
uInfo['se'] = self.getSerial()
info['nonce'] = nonce
uInfo['no'] = nonce
info['transactionid'] = transid
uInfo['tr'] = transid
info['challenge'] = challenge
uInfo['ch'] = challenge
if message is not None:
uInfo['me'] = str(message.encode("utf-8"))
ustr = urllib.urlencode({'u':str(url.encode("utf-8"))})
uInfo['u'] = ustr[2:]
info['url'] = str(url.encode("utf-8"))
app_import = 'lseqr://nonce?%s' % (urllib.urlencode(uInfo))
## add a signature of the url
signature = {'si': self.signData(app_import) }
info['signature'] = signature.get('si')
info['app_import'] = "%s&%s" % (app_import, urllib.urlencode(signature))
self.info = info
## setup new state
self.addToTokenInfo('rollout', '2')
self.enable(True)
log.debug('[_rollout_2]:')
return
