def testWithPlaintextWrongPassword(self):
    """A response built from the wrong password must never verify."""
    creds = CredUSPCC("user")

    # Authenticator side: attach the salt and a fresh challenge.
    creds.salt = self.salt
    creds.challenge = credentials.cryptChallenge()

    # Requester side: answer the challenge using an incorrect password.
    creds.setPassword("wrong")

    # Authenticator side: the check has to fail both for the known-good
    # reference value (self.good) and for an unrelated string.
    acceptedGood = creds.checkSha256Password(self.good)
    self.failIf(acceptedGood)
    acceptedJunk = creds.checkSha256Password("boohoowrong")
    self.failIf(acceptedJunk)
def testWithPlaintextWrongPassword(self):
    """A crypt response built from the wrong password must never verify."""
    creds = CredUCPCC('user')

    # Authenticator side: attach the salt and a fresh challenge.
    creds.salt = 'qi'
    creds.challenge = credentials.cryptChallenge()

    # Requester side: answer the challenge using an incorrect password.
    creds.setPassword('wrong')

    # Authenticator side: the check has to fail both for the known-good
    # reference value and for an unrelated string.
    acceptedGood = creds.checkCryptPassword('qi1Lftt0GZC0o')
    self.failIf(acceptedGood)
    acceptedJunk = creds.checkCryptPassword('boohoowrong')
    self.failIf(acceptedJunk)
def testWithPlaintext(self):
    """The crypt check passes only once the requester has responded."""
    creds = CredUCPCC("user")

    # Authenticator side: attach the salt and a fresh challenge.
    creds.salt = "qi"
    creds.challenge = credentials.cryptChallenge()

    # No response has been set yet, so even the known-good reference value
    # must be rejected; this guards against an empty response verifying.
    beforeResponse = creds.checkCryptPassword("qi1Lftt0GZC0o")
    self.failIf(beforeResponse)

    # Requester side: answer the challenge with the right password.
    creds.setPassword("test")

    # Authenticator side: the known-good value now verifies, an unrelated
    # string still does not.
    matched = creds.checkCryptPassword("qi1Lftt0GZC0o")
    self.assert_(matched)
    mismatched = creds.checkCryptPassword("boohoowrong")
    self.failIf(mismatched)
def testWithPlaintext(self):
    """The SHA-256 check passes only once the requester has responded."""
    creds = CredUSPCC("user")

    # Authenticator side: attach the salt and a fresh challenge.
    creds.salt = self.salt
    creds.challenge = credentials.cryptChallenge()

    # No response has been set yet, so even the known-good reference value
    # (self.good) must be rejected.
    beforeResponse = creds.checkSha256Password(self.good)
    self.failIf(beforeResponse)

    # Requester side: answer the challenge with the right password.
    creds.setPassword("test")

    # Authenticator side: self.good now verifies, an unrelated string
    # still does not.
    matched = creds.checkSha256Password(self.good)
    self.failUnless(matched)
    mismatched = creds.checkSha256Password("boohoowrong")
    self.failIf(mismatched)
def testWithPlaintext(self):
    """The SHA-256 check passes only once the requester has responded."""
    creds = CredUSPCC('user')

    # Authenticator side: attach the salt and a fresh challenge.
    creds.salt = self.salt
    creds.challenge = credentials.cryptChallenge()

    # No response has been set yet, so even the known-good reference value
    # (self.good) must be rejected.
    beforeResponse = creds.checkSha256Password(self.good)
    self.failIf(beforeResponse)

    # Requester side: answer the challenge with the right password.
    creds.setPassword('test')

    # Authenticator side: self.good now verifies, an unrelated string
    # still does not.
    matched = creds.checkSha256Password(self.good)
    self.failUnless(matched)
    mismatched = creds.checkSha256Password('boohoowrong')
    self.failIf(mismatched)
def do_authenticate(self, keycard):
    """Authenticate a keycard, challenging it first when its type needs it.

    For a keycard that is an instance of self.challengeResponseClasses and
    has no auth session yet, a session is started, a challenge and salt are
    put on the keycard, and the keycard is returned to the requester.  On a
    later call the challenge on the keycard is compared with what
    getAuthSessionInfo() returns before the keycard goes to the checker.

    Returns the keycard when a challenge was just issued, None (with
    keycard.state set to keycards.REFUSED) when the session could not be
    started or the challenge does not match, and otherwise the object
    returned by self._checker.requestAvatarId() with the callback and
    errback attached.
    """
    if isinstance(keycard, self.challengeResponseClasses):
        # Check if we need to challenge it
        if not self.hasAuthSession(keycard):
            if not self.startAuthSession(keycard):
                # Keycard refused right away
                keycard.state = keycards.REFUSED
                return None
            self.debug('putting challenge on keycard %r' % keycard)
            keycard.challenge = credentials.cryptChallenge()
            if keycard.username in self._db:
                keycard.salt = self._db[keycard.username]
            else:
                # random-ish salt, otherwise it's too obvious
                # NOTE(review): this salt is regenerated on every challenge,
                # while the salt of a known user comes from self._db each
                # time, so the two cases may still be told apart.  Deriving
                # the bogus salt from the username and a server-side secret
                # would keep it stable across requests.
                # NOTE(review): hexdigest()[:2] only yields hex digits;
                # confirm that matches the alphabet of the stored salts.
                # NOTE(review): `random` is presumably the stdlib module,
                # which is not a cryptographic generator - confirm.
                string = str(random.randint(pow(10, 10), pow(10, 11)))
                md = python.md5()
                md.update(string)
                keycard.salt = md.hexdigest()[:2]
                self.debug("user not found, inventing bogus salt")
            # This debug line writes the salt and the keycard id to the log.
            self.debug("salt %s, storing challenge for id %s" % (
                keycard.salt, keycard.id))
            self.updateAuthSession(keycard)
            return keycard
        else:
            # Check if the challenge has been tampered with: the value kept
            # for this auth session must equal the one the keycard carries.
            challenge = self.getAuthSessionInfo(keycard)
            if challenge != keycard.challenge:
                self.info('keycard %r refused, challenge tampered with' %
                    keycard)
                self.cancelAuthSession(keycard)
                keycard.state = keycards.REFUSED
                return None
    else:
        # Not a challenge/response authentication.
        # creating a temporary session to have a keycard id
        if not self.startAuthSession(keycard):
            # Keycard refused right away
            keycard.state = keycards.REFUSED
            return None

    # use the checker; the result is handled by the callback/errback pair
    self.debug('submitting keycard %r to checker' % keycard)
    d = self._checker.requestAvatarId(keycard)
    d.addCallback(self._requestAvatarIdCallback, keycard)
    d.addErrback(self._requestAvatarIdErrback, keycard)
    return d
def do_authenticate(self, keycard):
    """Authenticate a keycard, challenging it first when its type needs it.

    For a keycard that is an instance of self.challengeResponseClasses and
    has no auth session yet, a session is started, a challenge and salt are
    put on the keycard, and the keycard is returned to the requester.  On a
    later call the challenge on the keycard is compared with what
    getAuthSessionInfo() returns before the keycard goes to the checker.

    Returns the keycard when a challenge was just issued, None (with
    keycard.state set to keycards.REFUSED) when the session could not be
    started or the challenge does not match, and otherwise the object
    returned by self._checker.requestAvatarId() with the callback and
    errback attached.
    """
    if isinstance(keycard, self.challengeResponseClasses):
        # Check if we need to challenge it
        if not self.hasAuthSession(keycard):
            if not self.startAuthSession(keycard):
                # Keycard refused right away
                keycard.state = keycards.REFUSED
                return None
            self.debug('putting challenge on keycard %r' % keycard)
            keycard.challenge = credentials.cryptChallenge()
            if keycard.username in self._db:
                keycard.salt = self._db[keycard.username]
            else:
                # random-ish salt, otherwise it's too obvious
                # NOTE(review): this salt is regenerated on every challenge,
                # while the salt of a known user comes from self._db each
                # time, so the two cases may still be told apart.  Deriving
                # the bogus salt from the username and a server-side secret
                # would keep it stable across requests.
                # NOTE(review): hexdigest()[:2] only yields hex digits;
                # confirm that matches the alphabet of the stored salts.
                # NOTE(review): `random` is presumably the stdlib module,
                # which is not a cryptographic generator - confirm.
                string = str(random.randint(pow(10, 10), pow(10, 11)))
                md = md5.new()
                md.update(string)
                keycard.salt = md.hexdigest()[:2]
                self.debug("user not found, inventing bogus salt")
            # This debug line writes the salt and the keycard id to the log.
            self.debug("salt %s, storing challenge for id %s" % (
                keycard.salt, keycard.id))
            self.updateAuthSession(keycard)
            return keycard
        else:
            # Check if the challenge has been tampered with: the value kept
            # for this auth session must equal the one the keycard carries.
            challenge = self.getAuthSessionInfo(keycard)
            if challenge != keycard.challenge:
                self.info('keycard %r refused, challenge tampered with' %
                    keycard)
                self.cancelAuthSession(keycard)
                keycard.state = keycards.REFUSED
                return None
    else:
        # Not a challenge/response authentication.
        # creating a temporary session to have a keycard id
        if not self.startAuthSession(keycard):
            # Keycard refused right away
            keycard.state = keycards.REFUSED
            return None

    # use the checker; the result is handled by the callback/errback pair
    self.debug('submitting keycard %r to checker' % keycard)
    d = self._checker.requestAvatarId(keycard)
    d.addCallback(self._requestAvatarIdCallback, keycard)
    d.addErrback(self._requestAvatarIdErrback, keycard)
    return d
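def do_authenticate(self, keycard):
    """Authenticate a keycard, challenging it first when its type needs it.

    The keycard is registered with addKeycard() so it has an id.  A keycard
    that is an instance of self.challengeResponseClasses and carries no
    challenge gets a challenge and a salt and is returned to the requester;
    the challenge is remembered in self._challenges under the keycard id.
    When such a keycard comes back with a response, the challenge it carries
    must equal the remembered one before it is passed to the checker.

    Returns the keycard (state keycards.REFUSED) when addKeycard() refuses
    it, the keycard when a challenge was just issued, None when the
    challenge check fails, and otherwise the object returned by
    self._checker.requestAvatarId() with the callback and errback attached.
    """
    # at this point we add it so there's an ID for challenge-response
    if not self.addKeycard(keycard):
        keycard.state = keycards.REFUSED
        return keycard

    # check if the keycard is ready for the checker, based on the type
    if isinstance(keycard, self.challengeResponseClasses):
        # Check if we need to challenge it
        if not keycard.challenge:
            self.debug('putting challenge on keycard %r' % keycard)
            keycard.challenge = credentials.cryptChallenge()
            if keycard.username in self._db:
                keycard.salt = self._db[keycard.username]
            else:
                # random-ish salt, otherwise it's too obvious
                # NOTE(review): this salt is regenerated on every challenge,
                # while the salt of a known user comes from self._db each
                # time, so the two cases may still be told apart.  Deriving
                # the bogus salt from the username and a server-side secret
                # would keep it stable across requests.
                # NOTE(review): hexdigest()[:2] only yields hex digits;
                # confirm that matches the alphabet of the stored salts.
                string = str(random.randint(pow(10, 10), pow(10, 11)))
                md = md5.new()
                md.update(string)
                keycard.salt = md.hexdigest()[:2]
                self.debug("user not found, inventing bogus salt")
            # This debug line writes the salt and the keycard id to the log.
            self.debug("salt %s, storing challenge for id %s" % (
                keycard.salt, keycard.id))
            # we store the challenge locally to verify against tampering
            self._challenges[keycard.id] = keycard.challenge
            return keycard

        if keycard.response:
            # Check if the challenge has been tampered with.  A keycard that
            # arrives with a challenge we never issued has no entry under
            # its id; refuse it instead of failing with a KeyError.
            issued = self._challenges.get(keycard.id)
            if issued is None or issued != keycard.challenge:
                # NOTE(review): the remembered challenge is left in place on
                # refusal, as before; confirm removeKeycard() or keycard
                # expiry cleans self._challenges up.
                self.removeKeycard(keycard)
                self.info('keycard %r refused, challenge tampered with' %
                    keycard)
                return None
            # The challenge is single-use: forget it once it has matched.
            del self._challenges[keycard.id]

    # use the checker; the result is handled by the callback/errback pair
    self.debug('submitting keycard %r to checker' % keycard)
    d = self._checker.requestAvatarId(keycard)
    d.addCallback(self._requestAvatarIdCallback, keycard)
    d.addErrback(self._requestAvatarIdErrback, keycard)
    return d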
def setRequesterId(self, requesterId):
    """Store the requester id and build an issuer name from it.

    The issuer name is the string form of the requester id, a dash, and
    the value returned by cryptChallenge().
    """
    self.requesterId = requesterId
    # make something uniquey
    # NOTE(review): uniqueness rests entirely on cryptChallenge(), which is
    # not shown here; confirm how it generates its value if issuerName is
    # relied on for anything beyond labelling.
    prefix = str(self.requesterId)
    suffix = cryptChallenge()
    self.issuerName = prefix + '-' + suffix