def complete_register(request_data, response, valid_facets=None):
request_data = RegisterRequestData.wrap(request_data)
response = RegisterResponse.wrap(response)
return u2f_v2.complete_register(request_data.getRegisterRequest(response),
response,
valid_facets)
def bind(self, response):
"""
Complete registration, returning a U2FBinding.
registrationResponse = {
"registrationData": string, //b64 encoded raw registration response
"clientData": string, //b64 encoded JSON of ClientData
}
"""
if not isinstance(response, RegisterResponse):
response = RegisterResponse(response)
self._validate_client_data(response.clientData)
raw_response = RawRegistrationResponse(
self.app_param,
response.clientParam,
websafe_decode(response['registrationData'])
)
raw_response.verify_csr_signature()
# TODO: Validate the certificate as well
return U2FBinding(self.app_id, self.facets, raw_response)
def register(self, request, facet="https://www.example.com"):
"""
RegisterRequest = {
"version": "U2F_V2",
"challenge": string, //b64 encoded challenge
"appId": string, //app_id
}
"""
if not isinstance(request, RegisterRequest):
request = RegisterRequest(request)
if request.version != "U2F_V2":
raise ValueError("Unsupported U2F version: %s" % request.version)
# Client data
client_data = ClientData(typ='navigator.id.finishEnrollment',
challenge=request['challenge'],
origin=facet)
client_data = client_data.json.encode('utf-8')
client_param = sha_256(client_data)
# ECC key generation
priv_key = ec.generate_private_key(CURVE, default_backend())
pub_key = priv_key.public_key().public_bytes(
Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
pub_key = pub_key[-65:]
# Store
key_handle = rand_bytes(64)
app_param = request.appParam
self.keys[key_handle] = (priv_key, app_param)
# Attestation signature
cert_priv = load_pem_private_key(CERT_PRIV,
password=None,
backend=default_backend())
cert = CERT
data = b'\x00' + app_param + client_param + key_handle + pub_key
signer = cert_priv.signer(ec.ECDSA(hashes.SHA256()))
signer.update(data)
signature = signer.finalize()
raw_response = (b'\x05' + pub_key + int2byte(len(key_handle)) +
key_handle + cert + signature)
return RegisterResponse(
registrationData=websafe_encode(raw_response),
clientData=websafe_encode(client_data),
)
def register(self, request, facet="https://www.example.com"):
"""
RegisterRequest = {
"version": "U2F_V2",
"challenge": string, //b64 encoded challenge
"appId": string, //app_id
}
"""
if not isinstance(request, RegisterRequest):
request = RegisterRequest(request)
if request.version != "U2F_V2":
raise ValueError("Unsupported U2F version: %s" % request.version)
# Client data
client_data = ClientData(typ='navigator.id.finishEnrollment',
challenge=request['challenge'],
origin=facet)
client_data = client_data.json
client_param = H(client_data)
# ECC key generation
privu = EC.gen_params(CURVE)
privu.gen_key()
pub_key = str(privu.pub().get_der())[-65:]
# Store
key_handle = rand_bytes(64)
app_param = request.appParam
self.keys[key_handle] = (privu, app_param)
# Attestation signature
cert_priv = EC.load_key_bio(BIO.MemoryBuffer(CERT_PRIV))
cert = CERT
digest = H(chr(0x00) + app_param + client_param + key_handle + pub_key)
signature = cert_priv.sign_dsa_asn1(digest)
raw_response = chr(0x05) + pub_key + chr(len(key_handle)) + \
key_handle + cert + signature
return RegisterResponse(
registrationData=websafe_encode(raw_response),
clientData=websafe_encode(client_data),
)
def complete_register(request, response, valid_facets=None):
request = RegisterRequest.wrap(request)
response = RegisterResponse.wrap(response)
_validate_client_data(response.clientData, request.challenge,
"navigator.id.finishEnrollment", valid_facets)
raw_response = RawRegistrationResponse(request.appParam,
response.clientParam,
response.registrationData)
raw_response.verify_csr_signature()
return DeviceRegistration(
appId=request.appId,
keyHandle=websafe_encode(raw_response.key_handle),
publicKey=websafe_encode(
raw_response.pub_key)), raw_response.certificate
def complete_register(request, response, valid_facets=None):
request = RegisterRequest.wrap(request)
response = RegisterResponse.wrap(response)
_validate_client_data(response.clientData, request.challenge,
"navigator.id.finishEnrollment", valid_facets)
raw_response = RawRegistrationResponse(
request.appParam,
response.clientParam,
response.registrationData
)
raw_response.verify_csr_signature()
return DeviceRegistration(
appId=request.appId,
keyHandle=websafe_encode(raw_response.key_handle),
publicKey=websafe_encode(raw_response.pub_key)
), raw_response.certificate
def test_clientParam(self):
obj = RegisterResponse(clientData='eyJhIjoxfQ')
self.assertEqual("\x01Z\xbd\x7f\\\xc5z-\xd9Ku\x90\xf0J\xd8\x08"
"Bs\x90^\xe3>\xc5\xce\xbe\xaeb'j\x97\xf8b",
obj.clientParam)
def test_clientData(self):
obj = RegisterResponse(clientData='eyJhIjoxfQ')
self.assertEqual({'a': 1}, obj.clientData)
self.assertTrue(isinstance(obj.clientData, ClientData))
def registerResponse(self):
return RegisterResponse(self['registerResponse'])
