def setPin(self, pin, param=None):
    """
    Store the PIN of this token, hashed by default or encrypted on request.

    :param pin: the pin value
    :param param: the additional request parameters; when they contain
                  'encryptpin' with the value "true" (compared
                  case-insensitively) the PIN is stored encrypted instead
                  of hashed
    :return: - nothing -
    """
    request_params = {} if param is None else param

    # NOTE(review): per the parameter description these are request
    # parameters, so the request itself selects reversible (encrypted)
    # storage over hashing. Confirm that who may send 'encryptpin' is
    # restricted elsewhere, e.g. by policy.
    flag = request_params.get("encryptpin", None)
    wants_encryption = flag is not None and flag.lower() == "true"

    if wants_encryption:
        encrypted = SecretObj.encrypt_pin(pin)
        # the text before the first ':' is the hex-encoded IV
        iv_hex = encrypted.split(":")[0]
        self.token.set_encrypted_pin(
            encrypted.encode("utf-8"), binascii.unhexlify(iv_hex)
        )
        return

    iv, pin_hash = SecretObj.hash_pin(pin)
    self.token.set_hashed_pin(pin_hash, iv)
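def checkPin(self, pin, options=None):
    """
    Check whether the given PIN matches the PIN stored for this token.

    If the stored PIN is encrypted, the candidate is encrypted with the
    stored IV and the ciphertexts are compared. Otherwise the candidate is
    hashed with the stored IV and the hashes are compared.

    :param pin: the pin to verify; in the hashed case ``None`` is handled
                like an empty pin
    :param options: additional optional parameters, which could be token
                    specific (not used in this method)
    :return: boolean - True if the pin matches
    """
    res = False

    hsm = context['hsm']

    # NOTE(review): the `==` comparisons below are not constant-time.
    # hmac.compare_digest is the usual replacement, but it requires both
    # operands to be bytes-like or both ASCII str; confirm what the token
    # getters and SecretObj return before switching.
    if self.token.isPinEncrypted():
        # for comparison we encrypt the pin and do the comparison
        iv, encrypted_token_pin = self.token.get_encrypted_pin()
        encrypted_pin = SecretObj.encrypt_pin(pin, iv=iv, hsm=hsm)
        if encrypted_token_pin == encrypted_pin:
            res = True
    else:
        # for hashed pins we re-do the hash and compare the hashes
        iv, hashed_token_pin = self.token.get_hashed_pin()
        iv, hashed_pin = SecretObj.hash_pin(pin or '', iv, hsm=hsm)
        if hashed_pin == hashed_token_pin:
            res = True

        # special case of empty pin, where pin has never been set
        # especially in case of lost token with the pw token.
        # `not pin` instead of `len(pin) == 0`: the hash above already
        # treats None as '', so a None pin must not raise TypeError here.
        # This accepts nothing that an empty-string pin did not already.
        if len(hashed_token_pin) == 0 and not pin:
            res = True

    return res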
def setPin(self, pin, param=None):
    """
    Store the PIN of this token using the HSM taken from the context.

    The PIN is hashed unless the request asks for encrypted storage.

    :param pin: the pin value
    :param param: the additional request parameters; an 'encryptpin'
                  entry whose value equals "true" (case-insensitively)
                  switches from hashed to encrypted PIN storage
    :return: - nothing -
    """
    if param is None:
        param = {}

    hsm = context['hsm']

    # NOTE(review): 'encryptpin' arrives with the request parameters, so
    # the request chooses reversible storage of the PIN. Confirm that the
    # callers gate this option, e.g. by policy.
    encrypt_flag = param.get("encryptpin", None)
    if encrypt_flag is None or encrypt_flag.lower() != "true":
        # default: keep only a hash of the PIN
        iv, pin_digest = SecretObj.hash_pin(pin, hsm=hsm)
        self.token.set_hashed_pin(pin_digest, iv)
    else:
        pin_ciphertext = SecretObj.encrypt_pin(pin, hsm=hsm)
        # the hex-encoded IV is the part before the first ':'
        hex_iv, _, _ = pin_ciphertext.partition(':')
        self.token.set_encrypted_pin(pin_ciphertext, binascii.unhexlify(hex_iv))