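def create_request_body(user, url, cmd=None):
    """Build a signed SQRL request body for ``url`` on behalf of ``user``.

    Args:
        user: object exposing ``identity`` (with ``salt`` and the
            password-wrapped ``masterkey``) and the password ``pw``.
        url: the SQRL login URL; its ``netloc`` selects the per-site keypair.
        cmd: SQRL command string for the client block. Note that ``None`` is
            rendered by the client serializer with ``str()``.

    Returns:
        A ``libsqrl.SqrlRequestBody`` whose ``ids`` holds the base64url
        signature over ``client || server``.

    Raises:
        Exception: when ``verify_password`` rejects ``user.pw``.
    """
    host = urlparse.urlparse(url).netloc

    # verify_password yields the password hash on success and a falsy value
    # on failure: fail closed before any key material is unwrapped.
    pw_hash = verify_password(user.identity, user.pw)
    if not pw_hash:
        raise Exception('Invalid password')

    # Unwrap the master key from its password-XORed stored form.
    salt = crypto_generichash(user.identity.salt)
    original_masterkey = xor_masterkey(user.identity.masterkey, pw_hash, salt)

    # Per-site keypair from the master key and the site's netloc.
    # NOTE(review): netloc keeps any ':port' and 'user:pass@' prefix, so the
    # same server on another port yields a different identity; a sibling
    # login() helper strips the userinfo first -- settle on one convention.
    pk, sk = generate_site_keypair(original_masterkey, host)

    req = libsqrl.SqrlRequestBody()
    req.server = url
    req.client.cmd = cmd
    req.client.idk = pk

    # The identity signature covers the serialized client block followed by
    # the base64url server value, so a relay cannot swap either half.
    # NOTE(review): if crypto_sign is libsodium's combined mode it returns
    # signature||message, not a detached signature -- confirm the server
    # verifies the same form.
    signed_message = req.client.serialize() + base64url.encode(req.server)
    req.ids = base64url.encode(crypto_sign(signed_message, sk))
    return req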
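def create_request_body(user, url, cmd=None):
    """Create and sign a SQRL request body targeting ``url``.

    Args:
        user: carries ``identity`` (``salt``, wrapped ``masterkey``) and ``pw``.
        url: SQRL login URL; ``netloc`` drives the site-specific key derivation.
        cmd: command string for the client block (``None`` is passed through
            and stringified by the client serializer).

    Returns:
        A populated ``libsqrl.SqrlRequestBody`` with ``ids`` set to the
        base64url signature of ``client || server``.

    Raises:
        Exception: if the password does not verify against the identity.
    """
    host = urlparse.urlparse(url).netloc

    # Only unwrap key material once the password has been checked.
    pw_hash = verify_password(user.identity, user.pw)
    if not pw_hash:
        raise Exception('Invalid password')

    salt = crypto_generichash(user.identity.salt)
    original_masterkey = xor_masterkey(
        user.identity.masterkey,
        pw_hash,
        salt)

    # NOTE(review): the derivation input is the full netloc (port and any
    # userinfo included); a different port therefore means a different idk.
    pk, sk = generate_site_keypair(original_masterkey, host)

    req = libsqrl.SqrlRequestBody()
    req.server = url
    req.client.cmd = cmd
    req.client.idk = pk

    # Sign client block + server value together so neither can be replaced
    # independently in transit.
    to_sign = req.client.serialize() + base64url.encode(req.server)
    req.ids = base64url.encode(crypto_sign(to_sign, sk))
    return req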
 def serialize(self):
     """Encode the client block as base64url of a ``&``-joined key=value list.

     ``ver``, ``cmd`` and ``idk`` are always emitted; ``pidk``, ``suk`` and
     ``vuk`` are emitted with an empty value when the attribute is empty.
     ``cmd`` goes through ``str()``, so a ``None`` command serializes as the
     literal text ``None``.
     """
     def optional(raw):
         # Optional keys: base64url when present, empty string otherwise.
         return base64url.encode(raw) if len(raw) > 0 else ''

     fields = [
         'ver=' + str(self.ver),
         'cmd=' + str(self.cmd),
         'idk=' + base64url.encode(self.idk),
         'pidk=' + optional(self.pidk),
         'suk=' + optional(self.suk),
         'vuk=' + optional(self.vuk),
     ]
     return base64url.encode('&'.join(fields))
 def serialize(self):
     """Render the request body as ``&``-joined form fields.

     ``client`` is delegated to the client block's own serializer; ``server``
     and ``ids`` are always base64url-encoded here; ``pids`` and ``urs`` are
     emitted empty when unset.
     NOTE(review): a sibling create_request_body() stores ``ids`` already
     base64url-encoded, so pairing it with this method double-encodes the
     signature -- confirm which side owns the encoding.
     """
     def optional(value):
         return base64url.encode(value) if len(value) > 0 else ''

     parts = (
         'client=' + self.client.serialize(),
         'server=' + base64url.encode(self.server),
         'ids=' + base64url.encode(self.ids),
         'pids=' + optional(self.pids),
         'urs=' + optional(self.urs),
     )
     return '&'.join(parts)
 def serialize(self):
     """Serialize the request body into the ``key=value&...`` wire form.

     The client block serializes itself; ``server`` and ``ids`` are always
     base64url-encoded; ``pids``/``urs`` contribute an empty value when empty.
     NOTE(review): if the caller already base64url-encoded ``ids`` (as a
     sibling create_request_body() does) the signature ends up encoded twice.
     """
     encoded = []
     for key, value, always in (
             ('client', None, True),
             ('server', self.server, True),
             ('ids', self.ids, True),
             ('pids', self.pids, False),
             ('urs', self.urs, False)):
         if key == 'client':
             text = self.client.serialize()
         elif always or len(value) > 0:
             text = base64url.encode(value)
         else:
             text = ''
         encoded.append(key + '=' + text)
     return '&'.join(encoded)
 def serialize(self):
     """Return the client block as base64url over ``&``-joined ``key=value`` pairs.

     Mandatory fields are ``ver``, ``cmd`` (both via ``str()``, so ``None``
     becomes ``'None'``) and ``idk``; ``pidk``, ``suk`` and ``vuk`` are
     base64url-encoded only when non-empty and otherwise left blank.
     """
     pairs = [
         ('ver', str(self.ver)),
         ('cmd', str(self.cmd)),
         ('idk', base64url.encode(self.idk)),
     ]
     for key, raw in (('pidk', self.pidk), ('suk', self.suk), ('vuk', self.vuk)):
         pairs.append((key, base64url.encode(raw) if len(raw) > 0 else ''))
     joined = '&'.join('%s=%s' % pair for pair in pairs)
     return base64url.encode(joined)
def index():
    """Landing page: logged-in view, or a SQRL login link plus QR payload.

    The browser session carries a ``session_id`` minted here on first visit
    (8 random bytes, base64url) and later bound to an identity by the SQRL
    endpoint; ``get_user_by_session`` reports whether that has happened.
    NOTE(review): 8 bytes is 64 bits of entropy and ``crypto_stream`` is used
    as the random source -- confirm both meet the session-id strength this
    deployment needs. The ``session`` object is presumably a signed cookie
    (Flask-style); if it were client-writable this would be a fixation point.
    """
    if 'session_id' in session:
        session_id = unicode(session['session_id'])
    else:
        # First visit: mint an id and persist it in the session cookie.
        session_id = base64url.encode(crypto_stream(8L))
        session['session_id'] = session_id

    user = get_user_by_session(session_id)
    if user:
        return render_template('logged_in.html', idk=user.idk)

    login_url = generate_login_url(session_id)
    return render_template('login.html',
                           login_url=login_url,
                           qr_code=base64url.encode(login_url))
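def login(identity, pw, url):
    """Sign a SQRL ``login`` request for ``url`` and POST it.

    Args:
        identity: object with ``salt``, ``pw_iterations`` and the
            password-wrapped ``masterkey``.
        pw: password used to unwrap the master key.
        url: a ``sqrl://`` (TLS) or ``qrl://`` (plaintext HTTP) login URL.

    Returns:
        The ``requests`` response returned by the server.

    Raises:
        Exception: if the URL scheme is neither ``sqrl`` nor ``qrl``.
    """
    info = urlparse.urlparse(url)
    if info.scheme not in ['qrl', 'sqrl']:
        raise Exception('Url schema not supported.')
    # qrl:// maps to plain http below: the signed request and any userinfo
    # credentials then travel in the clear.
    secure = info.scheme == 'sqrl'

    host = info.netloc
    headers = {
        'User-Agent': 'SQRL/1'
    }

    # Strip an embedded user:pass@ before deriving the site key. rsplit keeps
    # a stray '@' inside the userinfo from raising on unpack.
    # NOTE(review): 'Authentication' is not a standard HTTP header; basic auth
    # is 'Authorization: Basic base64(user:pass)' (or requests' auth=). Left
    # unchanged because the server side is not visible here.
    if '@' in host:
        userpass, host = host.rsplit('@', 1)
        headers['Authentication'] = userpass

    pw_hash = create_pw_hash(pw, identity.salt, identity.pw_iterations)
    original_masterkey = xor_masterkey(identity.masterkey, pw_hash, identity.salt)
    pk, sk = generate_site_keypair(original_masterkey, host)

    clientargs = dict(
        ver=1,
        cmd='login',
        idk=base64url.encode(pk)
    )

    clientval = base64url.encode('&'.join('%s=%s' % (k, v) for k, v in clientargs.items()))
    serverval = base64url.encode(url)
    # ids signs client||server so neither half can be swapped in transit.
    ids = base64url.encode(crypto_sign(clientval + serverval, sk))

    args = {
        'client': clientval,
        'server': serverval,
        'ids': ids
    }
    payload = '&'.join('%s=%s' % (k, v) for k, v in args.items())

    # Swap only the scheme. str.replace would rewrite every occurrence of
    # 'sqrl://' in the URL and would miss an upper-cased scheme that
    # urlparse has already normalized to lower case.
    post_url = ('https' if secure else 'http') + url[len(info.scheme):]

    r = requests.post(post_url, data=payload, headers=headers)
    print(r.text)
    return r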
def get_user_by_idk(idk):
    """Fetch the stored identity whose ``idk`` matches the given raw key.

    The table stores ``idk`` base64url-encoded, so the argument is encoded
    before the lookup. Returns a ``sqrl_user`` built from the
    ``(id, idk, suk, vuk)`` row, or ``None`` when nothing matches.
    """
    # idk is client-supplied: keep it a bound parameter, never interpolated.
    params = (base64url.encode(idk),)
    cursor = conn.cursor()
    cursor.execute("""
        select id, idk, suk, vuk
        from sqrl_identity
        where idk = ?
    """, params)
    row = cursor.fetchone()
    if not row:
        return None
    return sqrl_user(*row)
def get_user_by_idk(idk):
    """Return the ``sqrl_user`` registered under ``idk``, or ``None``.

    ``idk`` is base64url-encoded to match the stored column and passed as a
    query parameter (the value originates from the client).
    """
    encoded_idk = base64url.encode(idk)
    cur = conn.cursor()
    cur.execute(
        """
        select id, idk, suk, vuk
        from sqrl_identity
        where idk = ?
    """, (encoded_idk, ))
    match = cur.fetchone()
    return None if not match else sqrl_user(*match)
def index():
    """Serve the logged-in page, or the SQRL login page with a QR payload.

    A ``session_id`` is created on the first visit (8 random bytes from
    ``crypto_stream``, base64url) and stored in the session; once the SQRL
    endpoint has bound that id to an identity, ``get_user_by_session``
    returns the user and the logged-in template is rendered instead.
    NOTE(review): 64 bits of session-id entropy and a crypto_stream-based
    random source -- verify both are acceptable for this deployment.
    """
    existing = 'session_id' in session
    if existing:
        session_id = unicode(session['session_id'])
    else:
        session_id = base64url.encode(crypto_stream(8L))
        session['session_id'] = session_id

    user = get_user_by_session(session_id)
    if not user:
        login_url = generate_login_url(session_id)
        qr_code = base64url.encode(login_url)
        return render_template('login.html',
                               login_url=login_url,
                               qr_code=qr_code)
    return render_template('logged_in.html', idk=user.idk)
def index():
    """Return a minimal HTML page linking to a freshly generated login URL.

    The URL is produced server-side by ``generate_login_url`` and the image
    query is its base64url form, so no user-controlled text is interpolated
    into the markup here; if that ever changes, escape before building HTML.
    """
    login_url = generate_login_url()
    qr_data = base64url.encode(login_url)
    template = '<p>Login url:</p><a href="%s"><img src="/qr?%s" /></a><p>%s</p>'
    return template % (login_url, qr_data, login_url)
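def handle_sqrl_request():
    """View (presumably Flask) that processes one posted SQRL request body.

    Deserializes ``request.data``, takes ``session_id`` from the echoed
    ``server`` URL, looks the identity up by ``idk``, executes the ``create``
    and ``login`` commands, and returns a serialized ``SqrlResponse`` with
    the TIF flags (plus stored ``suk``/``vuk`` for a known identity).

    SECURITY (open TODOs below): neither the ``ids`` signature nor the
    echoed ``server`` value is verified yet, so ``idk`` and ``session_id``
    are unauthenticated client input here. As written, anyone who knows a
    registered ``idk`` can POST ``cmd=login`` with a chosen ``session_id``
    and bind that browser session to the victim identity. Do not expose
    this endpoint before both checks exist.
    """
    req = libsqrl.SqrlRequestBody.deserialize(request.data)

    # TODO: Verify signatures (ids must verify over client||server with idk)
    # TODO: Verify unchanged message contents (server must equal the login
    #       URL this server issued for session_id)

    info = urlparse.urlparse(req.server)
    qs = urlparse.parse_qs(info.query)
    # A request without a session_id is malformed: answer 400 instead of
    # letting the KeyError surface as a 500.
    if not qs.get('session_id'):
        abort(400)
    session_id = qs['session_id'][0]
    # Treat a missing cmd as "no commands" rather than failing the `in` tests.
    cmd = req.client.cmd or ''

    user = get_user_by_idk(req.client.idk)

    tif = libsqrl.TIF.AccountCreationEnabled
    if user:
        tif |= libsqrl.TIF.IdMatch

    # TODO: Update TIF

    # Reject every unimplemented command before touching the database so a
    # combined command string cannot leave a half-applied request behind.
    # 501 Not Implemented is the status for this (505 is "HTTP Version Not
    # Supported").
    # NOTE(review): these are substring tests, so 'enable' also matches
    # 'disable'; switch to exact token matching once the cmd separator is
    # settled.
    for unsupported in ('setkey', 'setlock', 'disable', 'enable', 'delete',
                        'logme', 'logoff'):
        if unsupported in cmd:
            abort(501)

    if 'create' in cmd:
        # NOTE(review): nothing checks that idk is already registered; a
        # repeated create duplicates the row or trips a unique constraint.
        c = conn.cursor()
        vals = (base64url.encode(req.client.idk),
                base64url.encode(req.client.suk),
                base64url.encode(req.client.vuk))
        c.execute("""
            insert into sqrl_identity (idk, suk, vuk)
            values (?, ?, ?)
        """, vals)
        conn.commit()

    if user and 'login' in cmd:
        # Bind the browser session to the identity; index() finds it via
        # get_user_by_session. `user` is the pre-create lookup, so a
        # create+login in one request does not log in (unchanged behaviour).
        c = conn.cursor()
        vals = (session_id, user.identity_id, datetime.utcnow())
        c.execute("""
            insert into sqrl_session (
                session_id,
                identity_id,
                created_date)
            values (?, ?, ?)
        """, vals)
        conn.commit()

    # TODO: Attach nut

    res = libsqrl.SqrlResponse()
    res.tif = tif

    if user:
        res.suk = user.suk
        res.vuk = user.vuk

    return res.serialize()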
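def handle_sqrl_request():
    """Handle a posted SQRL request and answer with a serialized response.

    Flow: deserialize ``request.data``; read ``session_id`` from the query
    string of the echoed ``server`` URL; look up the identity by ``idk``;
    run ``create`` / ``login``; return ``SqrlResponse`` with TIF flags and,
    for a known identity, its stored ``suk``/``vuk``.

    SECURITY (open): signature and message-integrity verification are still
    TODO, which means ``idk`` and ``session_id`` are trusted straight from
    the client. Until that is fixed, a POST carrying a registered ``idk``
    and ``cmd=login`` binds any attacker-chosen ``session_id`` to that user.
    """
    req = libsqrl.SqrlRequestBody.deserialize(request.data)

    # TODO: Verify signatures
    # TODO: Verify unchanged message contents

    info = urlparse.urlparse(req.server)
    qs = urlparse.parse_qs(info.query)
    # Missing session_id -> 400 (malformed request), not an unhandled KeyError.
    if not qs.get('session_id'):
        abort(400)
    session_id = qs['session_id'][0]
    # Guard the substring checks below against a None cmd.
    cmd = req.client.cmd or ''

    user = get_user_by_idk(req.client.idk)

    tif = libsqrl.TIF.AccountCreationEnabled
    if user:
        tif |= libsqrl.TIF.IdMatch

    # TODO: Update TIF

    # Fail on unimplemented commands before any write, so no row is committed
    # for a request that then aborts. 501 Not Implemented replaces 505, which
    # means "HTTP Version Not Supported".
    # NOTE(review): substring matching -- 'enable' matches 'disable' too;
    # use exact tokens once the command separator is defined.
    unsupported_commands = (
        'setkey', 'setlock', 'disable', 'enable', 'delete', 'logme', 'logoff')
    if any(name in cmd for name in unsupported_commands):
        abort(501)

    if 'create' in cmd:
        # NOTE(review): idk is not checked for prior registration here.
        c = conn.cursor()
        vals = (base64url.encode(req.client.idk),
                base64url.encode(req.client.suk),
                base64url.encode(req.client.vuk))
        c.execute(
            """
            insert into sqrl_identity (idk, suk, vuk)
            values (?, ?, ?)
        """, vals)
        conn.commit()

    if user and 'login' in cmd:
        # `user` was looked up before any create, so create+login in a single
        # request does not establish a session (same as before).
        c = conn.cursor()
        vals = (session_id, user.identity_id, datetime.utcnow())
        c.execute(
            """
            insert into sqrl_session (
                session_id,
                identity_id,
                created_date)
            values (?, ?, ?)
        """, vals)
        conn.commit()

    # TODO: Attach nut

    res = libsqrl.SqrlResponse()
    res.tif = tif

    if user:
        res.suk = user.suk
        res.vuk = user.vuk

    return res.serialize()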
 def serialize(self):
     """Render the server response as ``tif=...&suk=...&vuk=...``.

     ``tif`` is stringified as-is; ``suk`` and ``vuk`` are base64url-encoded
     when non-empty and otherwise emitted with an empty value.
     """
     def optional(raw):
         return base64url.encode(raw) if len(raw) > 0 else ''

     fields = (
         'tif=' + str(self.tif),
         'suk=' + optional(self.suk),
         'vuk=' + optional(self.vuk),
     )
     return '&'.join(fields)
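def generate_login_url(base_url='qrl://localhost:5000/sqrl'):
    """Return a fresh SQRL login URL: ``base_url`` + ``'?'`` + a random nut.

    The nut is 32 bytes from ``crypto_stream``, base64url-encoded. It is the
    only thing that distinguishes one login attempt from another, so it must
    be unpredictable and single-use on the server side.

    Args:
        base_url: ``scheme://host:port/path`` prefix. Defaults to the local
            dev server over ``qrl://``, i.e. the non-TLS transport.
    """
    # NOTE(review): crypto_stream normally takes a key/nonce; confirm this
    # wrapper draws fresh CSPRNG bytes on every call.
    nut = base64url.encode(crypto_stream(32))
    return base_url + '?' + nut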
 def serialize(self):
     """Serialize the response into ``&``-joined ``key=value`` fields.

     Always emits ``tif`` (via ``str()``); ``suk`` and ``vuk`` are
     base64url-encoded only when they hold data, else left empty.
     """
     pairs = [('tif', str(self.tif))]
     for key, raw in (('suk', self.suk), ('vuk', self.vuk)):
         pairs.append((key, base64url.encode(raw) if len(raw) > 0 else ''))
     return '&'.join('%s=%s' % pair for pair in pairs)