def update(self, param, reset_failcount=True):
"""
This method is called during the initialization process.
:param param: parameters from the token init
:type param: dict
:return: None
"""
TokenClass.update(self, param)
reg_data = getParam(param, "regdata")
verify_cert = is_true(getParam(param, "u2f.verify_cert", default=True))
if not reg_data:
self.token.rollout_state = ROLLOUTSTATE.CLIENTWAIT
# Set the description in the first enrollment step
if "description" in param:
self.set_description(getParam(param, "description",
default=""))
elif reg_data and self.token.rollout_state == ROLLOUTSTATE.CLIENTWAIT:
attestation_cert, user_pub_key, key_handle, \
signature, automatic_description = parse_registration_data(reg_data,
verify_cert=verify_cert)
client_data = getParam(param, "clientdata", required)
client_data_str = url_decode(client_data)
app_id = self.get_tokeninfo("appId", "")
# Verify the registration data
# In case of any crypto error, check_data raises an exception
check_registration_data(attestation_cert, app_id, client_data_str,
user_pub_key, key_handle, signature)
self.set_otpkey(key_handle)
self.add_tokeninfo("pubKey", user_pub_key)
# add attestation certificate info
issuer = x509name_to_string(attestation_cert.get_issuer())
serial = "{!s}".format(attestation_cert.get_serial_number())
subject = x509name_to_string(attestation_cert.get_subject())
self.add_tokeninfo("attestation_issuer", issuer)
self.add_tokeninfo("attestation_serial", serial)
self.add_tokeninfo("attestation_subject", subject)
# Reset rollout state
self.token.rollout_state = ""
# If no description has already been set, set the automatic description or the
# description given in the 2nd request
if not self.token.description:
self.set_description(
getParam(param,
"description",
default=automatic_description))
else:
raise ParameterError(
"regdata provided but token not in clientwait rollout_state.")
def update(self, param, reset_failcount=True):
"""
This method is called during the initialization process.
:param param: parameters from the token init
:type param: dict
:return: None
"""
TokenClass.update(self, param)
description = "U2F initialization"
reg_data = getParam(param, "regdata")
verify_cert = is_true(getParam(param, "u2f.verify_cert", default=True))
if reg_data:
self.init_step = 2
attestation_cert, user_pub_key, key_handle, \
signature, description = parse_registration_data(reg_data,
verify_cert=verify_cert)
client_data = getParam(param, "clientdata", required)
client_data_str = url_decode(client_data)
app_id = self.get_tokeninfo("appId", "")
# Verify the registration data
# In case of any crypto error, check_data raises an exception
check_registration_data(attestation_cert, app_id, client_data_str,
user_pub_key, key_handle, signature)
self.set_otpkey(key_handle)
self.add_tokeninfo("pubKey", user_pub_key)
# add attestation certificat info
issuer = x509name_to_string(attestation_cert.get_issuer())
serial = "{!s}".format(attestation_cert.get_serial_number())
subject = x509name_to_string(attestation_cert.get_subject())
self.add_tokeninfo("attestation_issuer", issuer)
self.add_tokeninfo("attestation_serial", serial)
self.add_tokeninfo("attestation_subject", subject)
# If a description is given we use the given description
description = getParam(param, "description", default=description)
self.set_description(description)
def update(self, param, reset_failcount=True):
"""
This method is called during the initialization process.
:param param: parameters from the token init
:type param: dict
:return: None
"""
TokenClass.update(self, param)
description = "U2F initialization"
reg_data = getParam(param, "regdata")
verify_cert = is_true(getParam(param, "u2f.verify_cert", default=True))
if reg_data:
self.init_step = 2
attestation_cert, user_pub_key, key_handle, \
signature, description = parse_registration_data(reg_data,
verify_cert=verify_cert)
client_data = getParam(param, "clientdata", required)
client_data_str = url_decode(client_data)
app_id = self.get_tokeninfo("appId", "")
# Verify the registration data
# In case of any crypto error, check_data raises an exception
check_registration_data(attestation_cert, app_id, client_data_str,
user_pub_key, key_handle, signature)
self.set_otpkey(key_handle)
self.add_tokeninfo("pubKey", user_pub_key)
# add attestation certificat info
issuer = x509name_to_string(attestation_cert.get_issuer())
serial = "{!s}".format(attestation_cert.get_serial_number())
subject = x509name_to_string(attestation_cert.get_subject())
self.add_tokeninfo("attestation_issuer", issuer)
self.add_tokeninfo("attestation_serial", serial)
self.add_tokeninfo("attestation_subject", subject)
# If a description is given we use the given description
description = getParam(param, "description", default=description)
self.set_description(description)
def u2ftoken_allowed(request, action):
"""
This is a token specific wrapper for u2f token for the endpoint
/token/init.
According to the policy scope=SCOPE.ENROLL,
action=U2FACTINO.REQ it checks, if the assertion certificate is an
allowed U2F token type.
If the token, which is enrolled contains a non allowed attestation
certificate, we bail out.
:param request:
:param action:
:return:
"""
from privacyidea.lib.tokens.u2ftoken import (U2FACTION,
parse_registration_data)
from privacyidea.lib.tokens.u2f import x509name_to_string
policy_object = g.policy_object
# Get the registration data of the 2nd step of enrolling a U2F device
reg_data = request.all_data.get("regdata")
if reg_data:
# We have a registered u2f device!
serial = request.all_data.get("serial")
user_object = request.User
attestation_cert, user_pub_key, key_handle, \
signature, description = parse_registration_data(reg_data)
cert_info = {
"attestation_issuer":
x509name_to_string(attestation_cert.get_issuer()),
"attestation_serial":
"{!s}".format(attestation_cert.get_serial_number()),
"attestation_subject":
x509name_to_string(attestation_cert.get_subject())
}
if user_object:
token_user = user_object.login
token_realm = user_object.realm
token_resolver = user_object.resolver
else:
token_realm = token_resolver = token_user = None
allowed_certs_pols = policy_object.get_action_values(
U2FACTION.REQ,
scope=SCOPE.ENROLL,
realm=token_realm,
user=token_user,
resolver=token_resolver,
client=g.client_ip)
for allowed_cert in allowed_certs_pols:
tag, matching, _rest = allowed_cert.split("/", 3)
tag_value = cert_info.get("attestation_{0!s}".format(tag))
# if we do not get a match, we bail out
m = re.search(matching, tag_value)
if not m:
log.warning("The U2F device {0!s} is not "
"allowed to be registered due to policy "
"restriction".format(serial))
raise PolicyError("The U2F device is not allowed "
"to be registered due to policy "
"restriction.")
# TODO: Maybe we should delete the token, as it is a not
# usable U2F token, now.
return True
def u2ftoken_allowed(request, action):
"""
This is a token specific wrapper for u2f token for the endpoint
/token/init.
According to the policy scope=SCOPE.ENROLL,
action=U2FACTION.REQ it checks, if the assertion certificate is an
allowed U2F token type.
If the token, which is enrolled contains a non allowed attestation
certificate, we bail out.
:param request:
:param action:
:return:
"""
policy_object = g.policy_object
# Get the registration data of the 2nd step of enrolling a U2F device
reg_data = request.all_data.get("regdata")
if reg_data:
# We have a registered u2f device!
serial = request.all_data.get("serial")
user_object = request.User
# We just check, if the issuer is allowed, not if the certificate
# is still valid! (verify_cert=False)
attestation_cert, user_pub_key, key_handle, \
signature, description = parse_registration_data(reg_data,
verify_cert=False)
cert_info = {
"attestation_issuer":
x509name_to_string(attestation_cert.get_issuer()),
"attestation_serial": "{!s}".format(
attestation_cert.get_serial_number()),
"attestation_subject": x509name_to_string(
attestation_cert.get_subject())}
if user_object:
token_user = user_object.login
token_realm = user_object.realm
token_resolver = user_object.resolver
else:
token_realm = token_resolver = token_user = None
allowed_certs_pols = policy_object.get_action_values(
U2FACTION.REQ,
scope=SCOPE.ENROLL,
realm=token_realm,
user=token_user,
resolver=token_resolver,
client=g.client_ip)
for allowed_cert in allowed_certs_pols:
tag, matching, _rest = allowed_cert.split("/", 3)
tag_value = cert_info.get("attestation_{0!s}".format(tag))
# if we do not get a match, we bail out
m = re.search(matching, tag_value)
if not m:
log.warning("The U2F device {0!s} is not "
"allowed to be registered due to policy "
"restriction".format(
serial))
raise PolicyError("The U2F device is not allowed "
"to be registered due to policy "
"restriction.")
# TODO: Maybe we should delete the token, as it is a not
# usable U2F token, now.
return True