def data(self):
"""Return a RegisterRequest object."""
return RegisterRequest(
version=VERSION,
challenge=websafe_encode(self.challenge),
appId=self.app_id
)
def start_register(app_id, challenge=None):
if challenge is None:
challenge = rand_bytes(32)
return RegisterRequest(version=VERSION,
appId=app_id,
challenge=websafe_encode(challenge))
def register(self, request, facet="https://www.example.com"):
"""
RegisterRequest = {
"version": "U2F_V2",
"challenge": string, //b64 encoded challenge
"appId": string, //app_id
}
"""
if not isinstance(request, RegisterRequest):
request = RegisterRequest(request)
if request.version != "U2F_V2":
raise ValueError("Unsupported U2F version: %s" % request.version)
# Client data
client_data = ClientData(typ='navigator.id.finishEnrollment',
challenge=request['challenge'],
origin=facet)
client_data = client_data.json.encode('utf-8')
client_param = sha_256(client_data)
# ECC key generation
priv_key = ec.generate_private_key(CURVE, default_backend())
pub_key = priv_key.public_key().public_bytes(
Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
pub_key = pub_key[-65:]
# Store
key_handle = rand_bytes(64)
app_param = request.appParam
self.keys[key_handle] = (priv_key, app_param)
# Attestation signature
cert_priv = load_pem_private_key(CERT_PRIV,
password=None,
backend=default_backend())
cert = CERT
data = b'\x00' + app_param + client_param + key_handle + pub_key
signer = cert_priv.signer(ec.ECDSA(hashes.SHA256()))
signer.update(data)
signature = signer.finalize()
raw_response = (b'\x05' + pub_key + int2byte(len(key_handle)) +
key_handle + cert + signature)
return RegisterResponse(
registrationData=websafe_encode(raw_response),
clientData=websafe_encode(client_data),
)
def register(self, request, facet="https://www.example.com"):
"""
RegisterRequest = {
"version": "U2F_V2",
"challenge": string, //b64 encoded challenge
"appId": string, //app_id
}
"""
if not isinstance(request, RegisterRequest):
request = RegisterRequest(request)
if request.version != "U2F_V2":
raise ValueError("Unsupported U2F version: %s" % request.version)
# Client data
client_data = ClientData(typ='navigator.id.finishEnrollment',
challenge=request['challenge'],
origin=facet)
client_data = client_data.json
client_param = H(client_data)
# ECC key generation
privu = EC.gen_params(CURVE)
privu.gen_key()
pub_key = str(privu.pub().get_der())[-65:]
# Store
key_handle = rand_bytes(64)
app_param = request.appParam
self.keys[key_handle] = (privu, app_param)
# Attestation signature
cert_priv = EC.load_key_bio(BIO.MemoryBuffer(CERT_PRIV))
cert = CERT
digest = H(chr(0x00) + app_param + client_param + key_handle + pub_key)
signature = cert_priv.sign_dsa_asn1(digest)
raw_response = chr(0x05) + pub_key + chr(len(key_handle)) + \
key_handle + cert + signature
return RegisterResponse(
registrationData=websafe_encode(raw_response),
clientData=websafe_encode(client_data),
)
def complete_register(request, response, valid_facets=None):
request = RegisterRequest.wrap(request)
response = RegisterResponse.wrap(response)
_validate_client_data(response.clientData, request.challenge,
"navigator.id.finishEnrollment", valid_facets)
raw_response = RawRegistrationResponse(request.appParam,
response.clientParam,
response.registrationData)
raw_response.verify_csr_signature()
return DeviceRegistration(
appId=request.appId,
keyHandle=websafe_encode(raw_response.key_handle),
publicKey=websafe_encode(
raw_response.pub_key)), raw_response.certificate
def complete_register(request, response, valid_facets=None):
request = RegisterRequest.wrap(request)
response = RegisterResponse.wrap(response)
_validate_client_data(response.clientData, request.challenge,
"navigator.id.finishEnrollment", valid_facets)
raw_response = RawRegistrationResponse(
request.appParam,
response.clientParam,
response.registrationData
)
raw_response.verify_csr_signature()
return DeviceRegistration(
appId=request.appId,
keyHandle=websafe_encode(raw_response.key_handle),
publicKey=websafe_encode(raw_response.pub_key)
), raw_response.certificate
def test_appParam(self):
req = RegisterRequest(appId='https://example.com')
self.assertEqual('\x10\x06\x80\xadTl\xe6\xa5w\xf4/R\xdf3\xb4\xcf'
'\xdc\xa7V\x85\x9efK\x8d}\xe3)\xb1P\xd0\x9c\xe9',
req.appParam)
def test_challenge(self):
req = RegisterRequest(challenge='Zm9vYmFy')
self.assertEqual('foobar', req.challenge)
def test_enroll_serialization(self):
enroll1 = u2f.start_register('https://example.com')
enroll2 = RegisterRequest(enroll1.json)
assert enroll1.appId == enroll2.appId
assert enroll1.json == enroll2.json
def registerRequests(self):
return [RegisterRequest(x) for x in self['registerRequests']]