def set_token_data(self, token_data):
serial = token_data["Serial"]
tokens = Session.query(model_token).\
filter(model_token.LinOtpTokenSerialnumber == serial).all()
token = tokens[0]
if 'TokenPin' in token_data:
enc_pin = token_data['TokenPin']
token_pin = self.crypter.decrypt(enc_pin,
just_mac=serial + token.LinOtpPinHash)
# prove, we can write
enc_pin = SecretObj.encrypt_pin(token_pin)
iv = enc_pin.split(':')[0]
token.set_encrypted_pin(enc_pin, binascii.unhexlify(iv))
if 'TokenUserPin' in token_data:
token_enc_user_pin = token_data['TokenUserPin']
user_pin = self.crypter.decrypt(token_enc_user_pin,
just_mac=serial + token.LinOtpTokenPinUser)
# prove, we can write
iv, enc_user_pin = SecretObj.encrypt(user_pin, hsm=self.hsm)
token.setUserPin(enc_user_pin, iv)
# we put the current crypted seed in the mac to check if
# something changed in meantime
encKey = token.LinOtpKeyEnc
enc_seed = token_data['TokenSeed']
token_seed = self.crypter.decrypt(enc_seed,
just_mac=serial + encKey)
# the encryption of the token seed is not part of the model anymore
iv, enc_token_seed = SecretObj.encrypt(token_seed)
token.set_encrypted_seed(enc_token_seed, iv, reset_failcount=False)
def get_token_data(self):
"""
get all tokens
"""
tokens = Session.query(model_token).all()
for token in tokens:
token_data = {}
serial = token.LinOtpTokenSerialnumber
token_data["Serial"] = serial
if token.isPinEncrypted():
iv, enc_pin = token.get_encrypted_pin()
pin = SecretObj.decrypt_pin(enc_pin, hsm=self.hsm)
enc_value = self.crypter.encrypt(input_data=pin, just_mac=serial + token.LinOtpPinHash)
token_data["TokenPin"] = enc_value
# the userpin is used in motp and ocra/ocra2 token
if token.LinOtpTokenPinUser:
key, iv = token.getUserPin()
user_pin = SecretObj.decrypt(key, iv, hsm=self.hsm)
enc_value = self.crypter.encrypt(input_data=user_pin, just_mac=serial + token.LinOtpTokenPinUser)
token_data["TokenUserPin"] = enc_value
# then we retrieve as well the original value,
# to identify changes
encKey = token.LinOtpKeyEnc
key, iv = token.get_encrypted_seed()
secObj = SecretObj(key, iv, hsm=self.hsm)
seed = secObj.getKey()
enc_value = self.crypter.encrypt(input_data=seed, just_mac=serial + encKey)
token_data["TokenSeed"] = enc_value
# next we look for tokens, where the pin is encrypted
yield token_data
def getUserPin(self):
log.debug('getHOtpKey()')
pu = self.LinOtpTokenPinUser or ''
puiv = self.LinOtpTokenPinUserIV or ''
key = binascii.unhexlify(pu)
iv = binascii.unhexlify(puiv)
secret = SecretObj(key, iv)
return secret
def get_token_data(self):
"""
get all tokens
"""
tokens = Session.query(model_token).all()
for token in tokens:
token_data = {}
serial = token.LinOtpTokenSerialnumber
token_data['Serial'] = serial
if token.isPinEncrypted():
iv, enc_pin = token.get_encrypted_pin()
pin = SecretObj.decrypt_pin(enc_pin, hsm=self.hsm)
just_mac = serial + token.LinOtpPinHash
enc_value = self.crypter.encrypt(input_data=pin,
just_mac=just_mac)
token_data['TokenPin'] = enc_value
# the userpin is used in motp and ocra/ocra2 token
if token.LinOtpTokenPinUser:
key, iv = token.getUserPin()
user_pin = SecretObj.decrypt(key, iv, hsm=self.hsm)
just_mac = serial + token.LinOtpTokenPinUser
enc_value = self.crypter.encrypt(input_data=user_pin,
just_mac=just_mac)
token_data['TokenUserPin'] = enc_value
# then we retrieve as well the original value,
# to identify changes
encKey = token.LinOtpKeyEnc
key, iv = token.get_encrypted_seed()
secObj = SecretObj(key, iv, hsm=self.hsm)
seed = secObj.getKey()
enc_value = self.crypter.encrypt(input_data=seed,
just_mac=serial + encKey)
token_data['TokenSeed'] = enc_value
# next we look for tokens, where the pin is encrypted
yield token_data
def checkOtp(self, anOtpVal, counter, window, options=None):
'''
checkOtp - validate the token otp against a given otpvalue
:param anOtpVal: the to be verified otpvalue
:type anOtpVal: string
:param counter: the counter state, that shoule be verified
:type counter: int
:param window: the counter +window, which should be checked
:type window: int
:param options: the dict, which could contain token specific info
:type options: dict
:return: the counter state or -1
:rtype: int
'''
log.debug("[checkOtp] begin. start the otp verification with: otpval %r, counter %r , window %r , options %r " %
(anOtpVal, counter, window, options))
otplen = self.token.LinOtpOtpLen
#otime contains the previous verification time
# the new one must be newer than this!
otime = self.token.LinOtpCount
secObj = self._get_secret_object()
window = self.token.LinOtpCountWindow
key, iv = self.token.getUserPin()
secPinObj = SecretObj(key, iv, hsm=context.get('hsm'))
log.debug("[checkOtp] otime %s", otime)
mtimeOtp = mTimeOtp(secObj, secPinObj, otime, otplen)
res = mtimeOtp.checkOtp(anOtpVal, window, options=options)
if (res != -1):
res = res - 1 ## later on this will be incremented by 1
if res == -1:
msg = "verification failed"
else:
msg = "verifiction was successful"
log.debug("[checkOtp] %s :res %r" % (msg, res))
return res
def getHOtpKey(self):
log.debug('getHOtpKey()')
key = binascii.unhexlify(self.LinOtpKeyEnc or '')
iv = binascii.unhexlify(self.LinOtpKeyIV or '')
secret = SecretObj(key, iv)
return secret
def getHOtpKey(self, pin=None):
log.warning('getHOtpKey()')
key = binascii.unhexlify(self.LinOtpKeyEnc or '')
iv = binascii.unhexlify(self.LinOtpKeyIV or '')
secret = SecretObj(key, iv, pin=pin)
return secret
