def make_auth_request(keyhandle):
return dict(
version = 'U2F_V2',
challenge = websafe_encode(os.urandom(32)),
appId = OUR_APPID,
keyHandle = websafe_encode(keyhandle)
)
def do_enroll():
devs = u2f.list_devices()
req = make_reg_request()
result = register.register(devs, req, OUR_APPID)
# check client data from token
clientData = json.loads(websafe_decode(result['clientData']))
assert clientData['origin'] == OUR_APPID
assert clientData['challenge'] == req['challenge']
assert clientData['typ'] == 'navigator.id.finishEnrollment'
# check registration data
regData = decode_reg_response(websafe_decode(result['registrationData']))
salt = os.urandom(32)
with open('data.json', 'w') as f:
db = dict(
hkey = websafe_encode(H(regData.pubkey)),
keyhandle = websafe_encode(regData.keyhandle),
salt = websafe_encode(salt)
)
json.dump(db, f)
print 'written data to', f.name
key = hashlib.pbkdf2_hmac('sha256', regData.pubkey + SOME_PASSWORD, salt, SOME_ITERATIONS)
print 'secret is', key.encode('hex')
def do_enroll():
devs = u2f.list_devices()
req = make_reg_request()
result = register.register(devs, req, OUR_APPID)
# check client data from token
clientData = json.loads(websafe_decode(result['clientData']))
assert clientData['origin'] == OUR_APPID
assert clientData['challenge'] == req['challenge']
assert clientData['typ'] == 'navigator.id.finishEnrollment'
# check registration data
regData = decode_reg_response(websafe_decode(result['registrationData']))
salt = os.urandom(32)
with open('data.json', 'w') as f:
db = dict(hkey=websafe_encode(H(regData.pubkey)),
keyhandle=websafe_encode(regData.keyhandle),
salt=websafe_encode(salt))
json.dump(db, f)
print 'written data to', f.name
key = hashlib.pbkdf2_hmac('sha256', regData.pubkey + SOME_PASSWORD, salt,
SOME_ITERATIONS)
print 'secret is', key.encode('hex')
def authenticate(device, data, facet, check_only=False):
"""
Signs an authentication challenge
data = {
'version': "U2F_V2",
'challenge': websafe_encode(self.challenge),
'appId': self.binding.app_id,
'keyHandle': websafe_encode(self.binding.key_handle)
}
"""
if isinstance(data, basestring):
data = json.loads(data)
if data['version'] != VERSION:
raise ValueError('Unsupported U2F version: %s' % data['version'])
app_id = data.get('appId', facet)
verify_facet(app_id, facet)
app_param = H(app_id)
key_handle = websafe_decode(data['keyHandle'])
# Client data
client_data = {
'typ': 'navigator.id.getAssertion',
'challenge': data['challenge'],
'origin': facet
}
client_data = json.dumps(client_data)
client_param = H(client_data)
request = client_param + app_param + chr(
len(key_handle)) + key_handle
p1 = 0x07 if check_only else 0x03
p2 = 0
response = device.send_apdu(INS_SIGN, p1, p2, request)
return {
'clientData': websafe_encode(client_data),
'signatureData': websafe_encode(response),
'keyHandle': data['keyHandle']
}
def authenticate(device, data, facet, check_only=False):
"""
Signs an authentication challenge
data = {
'version': "U2F_V2",
'challenge': websafe_encode(self.challenge),
'appId': self.binding.app_id,
'keyHandle': websafe_encode(self.binding.key_handle)
}
"""
if isinstance(data, basestring):
data = json.loads(data)
if data['version'] != VERSION:
raise ValueError('Unsupported U2F version: %s' % data['version'])
app_id = data.get('appId', facet)
verify_facet(app_id, facet)
app_param = H(app_id)
key_handle = websafe_decode(data['keyHandle'])
# Client data
client_data = {
'typ': 'navigator.id.getAssertion',
'challenge': data['challenge'],
'origin': facet
}
client_data = json.dumps(client_data)
client_param = H(client_data)
request = client_param + app_param + chr(len(key_handle)) + key_handle
p1 = 0x07 if check_only else 0x03
p2 = 0
response = device.send_apdu(INS_SIGN, p1, p2, request)
return {
'clientData': websafe_encode(client_data),
'signatureData': websafe_encode(response),
'keyHandle': data['keyHandle']
}
def test_websafe_encode(self):
self.assertEqual(websafe_encode(''), '')
self.assertEqual(websafe_encode('f'), 'Zg')
self.assertEqual(websafe_encode('fo'), 'Zm8')
self.assertEqual(websafe_encode('foo'), 'Zm9v')
self.assertEqual(websafe_encode('foob'), 'Zm9vYg')
self.assertEqual(websafe_encode('fooba'), 'Zm9vYmE')
self.assertEqual(websafe_encode('foobar'), 'Zm9vYmFy')
def test_websafe_encode(self):
self.assertEqual(websafe_encode(b''), u'')
self.assertEqual(websafe_encode(b'f'), u'Zg')
self.assertEqual(websafe_encode(b'fo'), u'Zm8')
self.assertEqual(websafe_encode(b'foo'), u'Zm9v')
self.assertEqual(websafe_encode(b'foob'), u'Zm9vYg')
self.assertEqual(websafe_encode(b'fooba'), u'Zm9vYmE')
self.assertEqual(websafe_encode(b'foobar'), u'Zm9vYmFy')
def register(device, data, facet):
"""
Register a U2F device
data = {
"version": "U2F_V2",
"challenge": string, //b64 encoded challenge
"appId": string, //app_id
}
"""
if isinstance(data, basestring):
data = json.loads(data)
if data['version'] != VERSION:
raise ValueError('Unsupported U2F version: %s' % data['version'])
app_id = data.get('appId', facet)
verify_facet(app_id, facet)
app_param = H(app_id)
client_data = {
'typ': 'navigator.id.finishEnrollment',
'challenge': data['challenge'],
'origin': facet
}
client_data = json.dumps(client_data)
client_param = H(client_data)
request = client_param + app_param
p1 = 0x03
p2 = 0
response = device.send_apdu(INS_ENROLL, p1, p2, request)
return {
'registrationData': websafe_encode(response),
'clientData': websafe_encode(client_data)
}
def register(device, data, facet):
"""
Register a U2F device
data = {
"version": "U2F_V2",
"challenge": string, //b64 encoded challenge
"appId": string, //app_id
}
"""
if isinstance(data, basestring):
data = json.loads(data)
if data['version'] != VERSION:
raise ValueError('Unsupported U2F version: %s' % data['version'])
app_id = data.get('appId', facet)
verify_facet(app_id, facet)
app_param = H(app_id)
client_data = {
'typ': 'navigator.id.finishEnrollment',
'challenge': data['challenge'],
'origin': facet
}
client_data = json.dumps(client_data)
client_param = H(client_data)
request = client_param + app_param
p1 = 0x03
p2 = 0
response = device.send_apdu(INS_ENROLL, p1, p2, request)
return {
'registrationData': websafe_encode(response),
'clientData': websafe_encode(client_data)
}
def make_reg_request():
return dict(
challenge = websafe_encode(os.urandom(32)),
version = 'U2F_V2',
appId = OUR_APPID
)
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
from u2flib_host.constants import INS_ENROLL, INS_SIGN, APDU_USE_NOT_SATISFIED
from u2flib_host.utils import websafe_decode, websafe_encode
from u2flib_host.exc import APDUError
from u2flib_host import u2f_v2
import unittest
import json
VERSION = 'U2F_V2'
FACET = 'https://example.com'
CHALLENGE = 'challenge'
KEY_HANDLE = websafe_encode(b'\0' * 64)
REG_DATA = json.dumps({
'version': VERSION,
'challenge': CHALLENGE,
'appId': FACET
})
AUTH_DATA = json.dumps({
'version': VERSION,
'challenge': CHALLENGE,
'appId': FACET,
'keyHandle': KEY_HANDLE
})
DUMMY_RESP = b'a_dummy_response'
import os
import tempfile
import unittest
import json
from u2flib_host.utils import websafe_encode
from u2flib_host.soft import SoftU2FDevice
from u2flib_host.register import register
from u2flib_host.authenticate import authenticate
VERSION = 'U2F_V2'
FACET = 'https://example.com'
CHALLENGE = 'challenge'
KEY_HANDLE = websafe_encode(b'\0' * 64)
REG_DATA = json.dumps({
'version': VERSION,
'challenge': CHALLENGE,
'appId': FACET
})
AUTH_DATA = json.dumps({
'version': VERSION,
'challenge': CHALLENGE,
'appId': FACET,
'keyHandle': KEY_HANDLE
})
def make_auth_request(keyhandle):
return dict(version='U2F_V2',
challenge=websafe_encode(os.urandom(32)),
appId=OUR_APPID,
keyHandle=websafe_encode(keyhandle))
def make_reg_request():
return dict(challenge=websafe_encode(os.urandom(32)),
version='U2F_V2',
appId=OUR_APPID)
def test_websafe_encode_unicode(self):
self.assertEqual(websafe_encode(u''), u'')
self.assertEqual(websafe_encode(u'foobar'), u'Zm9vYmFy')
