def set_token_data(self, token_data): serial = token_data["Serial"] tokens = Session.query(model_token).\ filter(model_token.LinOtpTokenSerialnumber == serial).all() token = tokens[0] if 'TokenPin' in token_data: enc_pin = token_data['TokenPin'] token_pin = self.crypter.decrypt(enc_pin, just_mac=serial + token.LinOtpPinHash) # prove, we can write enc_pin = SecretObj.encrypt_pin(token_pin) iv = enc_pin.split(':')[0] token.set_encrypted_pin(enc_pin, binascii.unhexlify(iv)) if 'TokenUserPin' in token_data: token_enc_user_pin = token_data['TokenUserPin'] user_pin = self.crypter.decrypt(token_enc_user_pin, just_mac=serial + token.LinOtpTokenPinUser) # prove, we can write iv, enc_user_pin = SecretObj.encrypt(user_pin, hsm=self.hsm) token.setUserPin(enc_user_pin, iv) # we put the current crypted seed in the mac to check if # something changed in meantime encKey = token.LinOtpKeyEnc enc_seed = token_data['TokenSeed'] token_seed = self.crypter.decrypt(enc_seed, just_mac=serial + encKey) # the encryption of the token seed is not part of the model anymore iv, enc_token_seed = SecretObj.encrypt(token_seed) token.set_encrypted_seed(enc_token_seed, iv, reset_failcount=False)
def get_token_data(self): """ get all tokens """ tokens = Session.query(model_token).all() for token in tokens: token_data = {} serial = token.LinOtpTokenSerialnumber token_data["Serial"] = serial if token.isPinEncrypted(): iv, enc_pin = token.get_encrypted_pin() pin = SecretObj.decrypt_pin(enc_pin, hsm=self.hsm) enc_value = self.crypter.encrypt(input_data=pin, just_mac=serial + token.LinOtpPinHash) token_data["TokenPin"] = enc_value # the userpin is used in motp and ocra/ocra2 token if token.LinOtpTokenPinUser: key, iv = token.getUserPin() user_pin = SecretObj.decrypt(key, iv, hsm=self.hsm) enc_value = self.crypter.encrypt(input_data=user_pin, just_mac=serial + token.LinOtpTokenPinUser) token_data["TokenUserPin"] = enc_value # then we retrieve as well the original value, # to identify changes encKey = token.LinOtpKeyEnc key, iv = token.get_encrypted_seed() secObj = SecretObj(key, iv, hsm=self.hsm) seed = secObj.getKey() enc_value = self.crypter.encrypt(input_data=seed, just_mac=serial + encKey) token_data["TokenSeed"] = enc_value # next we look for tokens, where the pin is encrypted yield token_data
def getUserPin(self): log.debug('getHOtpKey()') pu = self.LinOtpTokenPinUser or '' puiv = self.LinOtpTokenPinUserIV or '' key = binascii.unhexlify(pu) iv = binascii.unhexlify(puiv) secret = SecretObj(key, iv) return secret
def get_token_data(self): """ get all tokens """ tokens = Session.query(model_token).all() for token in tokens: token_data = {} serial = token.LinOtpTokenSerialnumber token_data['Serial'] = serial if token.isPinEncrypted(): iv, enc_pin = token.get_encrypted_pin() pin = SecretObj.decrypt_pin(enc_pin, hsm=self.hsm) just_mac = serial + token.LinOtpPinHash enc_value = self.crypter.encrypt(input_data=pin, just_mac=just_mac) token_data['TokenPin'] = enc_value # the userpin is used in motp and ocra/ocra2 token if token.LinOtpTokenPinUser: key, iv = token.getUserPin() user_pin = SecretObj.decrypt(key, iv, hsm=self.hsm) just_mac = serial + token.LinOtpTokenPinUser enc_value = self.crypter.encrypt(input_data=user_pin, just_mac=just_mac) token_data['TokenUserPin'] = enc_value # then we retrieve as well the original value, # to identify changes encKey = token.LinOtpKeyEnc key, iv = token.get_encrypted_seed() secObj = SecretObj(key, iv, hsm=self.hsm) seed = secObj.getKey() enc_value = self.crypter.encrypt(input_data=seed, just_mac=serial + encKey) token_data['TokenSeed'] = enc_value # next we look for tokens, where the pin is encrypted yield token_data
def checkOtp(self, anOtpVal, counter, window, options=None): ''' checkOtp - validate the token otp against a given otpvalue :param anOtpVal: the to be verified otpvalue :type anOtpVal: string :param counter: the counter state, that shoule be verified :type counter: int :param window: the counter +window, which should be checked :type window: int :param options: the dict, which could contain token specific info :type options: dict :return: the counter state or -1 :rtype: int ''' log.debug("[checkOtp] begin. start the otp verification with: otpval %r, counter %r , window %r , options %r " % (anOtpVal, counter, window, options)) otplen = self.token.LinOtpOtpLen #otime contains the previous verification time # the new one must be newer than this! otime = self.token.LinOtpCount secObj = self._get_secret_object() window = self.token.LinOtpCountWindow key, iv = self.token.getUserPin() secPinObj = SecretObj(key, iv, hsm=context.get('hsm')) log.debug("[checkOtp] otime %s", otime) mtimeOtp = mTimeOtp(secObj, secPinObj, otime, otplen) res = mtimeOtp.checkOtp(anOtpVal, window, options=options) if (res != -1): res = res - 1 ## later on this will be incremented by 1 if res == -1: msg = "verification failed" else: msg = "verifiction was successful" log.debug("[checkOtp] %s :res %r" % (msg, res)) return res
def getHOtpKey(self): log.debug('getHOtpKey()') key = binascii.unhexlify(self.LinOtpKeyEnc or '') iv = binascii.unhexlify(self.LinOtpKeyIV or '') secret = SecretObj(key, iv) return secret
def getHOtpKey(self, pin=None): log.warning('getHOtpKey()') key = binascii.unhexlify(self.LinOtpKeyEnc or '') iv = binascii.unhexlify(self.LinOtpKeyIV or '') secret = SecretObj(key, iv, pin=pin) return secret