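    def __init__(self, action, req, user_id, credstore, config):
        """
        Initialise a password factor for one request.

        :param action: 'auth' to verify against a stored credential, or
                       'add_creds' to prepare a new NDNv1 password credential
        :param req: request dict, must hold 'H1' and 'credential_id'
        :param user_id: identity the request concerns (kept as str)
        :param credstore: store used to look up existing credentials
        :param config: backend configuration (KDF iteration bounds, add_creds
                       version, key handle and iteration count)
        :raises VCCSAuthenticationError: malformed H1, unknown or ill-formed
                                         credential, unsupported config, or
                                         unknown action
        """
        VCCSFactor.__init__(self, 'password')
        self._user_id = str(user_id)
        self._H1 = str(req['H1'])
        self.config = config
        self.credstore = credstore

        if len(self._H1) != 31:
            # A full bcrypt is 60 chars. the frontend should NOT send the whole
            # bcrypt digest to the authentication backend. bcrypt - salt = 31.
            # H1 is derived from the user's password, so only its length is
            # reported - the value itself must not end up in error logs.
            raise VCCSAuthenticationError("Bad H1 length: {}".format(len(self._H1)))

        if action == 'auth':
            _cred_id = str(req['credential_id'])
            self.cred = credstore.get_credential(_cred_id)
            if not self.cred:
                raise VCCSAuthenticationError("Unknown credential: {!r}".format(_cred_id))
            # Refuse a credential of another factor type that shares the store.
            # Both format arguments are supplied here; the original message had
            # two placeholders and one argument and raised IndexError instead.
            if self.cred.type() != self.type:
                raise VCCSAuthenticationError("Credential {!r} has unexpected type: {!r}".format(
                        _cred_id, self.cred.type()))
            if self.cred.version() != 'NDNv1':
                raise VCCSAuthenticationError("Unknown credential version: {!r}".format(
                        self.cred))
            # too few iterations is insecure, too many might be a DoS
            _iterations = self.cred.iterations()
            if _iterations < config.kdf_min_iterations or _iterations > config.kdf_max_iterations:
                raise VCCSAuthenticationError("Bad NDNv1 iterations count: {}".format(_iterations))
            # 16 bytes minimum (pwhash is hex encoded, so 32)
            _dk_len = len(self.cred.derived_key())
            if _dk_len < 32:
                raise VCCSAuthenticationError("Bad NDNv1 derived_key length: {}".format(_dk_len))
        elif action == 'add_creds':
            if config.add_creds_password_version != 'NDNv1':
                raise VCCSAuthenticationError("Add password credentials of version {!r} not implemented".format(
                        config.add_creds_password_version))
            if not config.add_creds_password_key_handle:
                # No placeholder in this message, so no .format() call either.
                raise VCCSAuthenticationError("Add password credentials key_handle not set")
            cred_data = {'type':          'password',
                         'status':        'active',
                         'version':       'NDNv1',
                         'kdf':           'PBKDF2-HMAC-SHA512',
                         'derived_key':   None,  # will be calculated later, in add_credential()
                         'key_handle':    config.add_creds_password_key_handle,
                         'iterations':    config.add_creds_password_kdf_iterations,
                         'salt':          None,  # will be added later, in add_credential()
                         'credential_id': str(req['credential_id']),
                         }
            self.cred = vccs_auth.credential.from_dict(cred_data, None)
        else:
            raise VCCSAuthenticationError("Unknown action {!r}".format(action))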
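    def __init__(self, oath_type, action, req, user_id, credstore, config):
        """
        Initialise an OATH factor for one request.

        :param oath_type: factor type handed to VCCSFactor; also stored as the
                          credential 'type' on 'add_creds'
        :param action: 'auth' to verify an existing credential, or 'add_creds'
                       to prepare a new NDNv1 OATH credential
        :param req: request dict; 'auth' reads 'credential_id' and 'user_code',
                    'add_creds' reads 'key_handle', 'nonce', 'aead', 'digits',
                    'credential_id' and 'oath_counter'
        :param user_id: identity the request concerns
        :param credstore: store used to look up existing credentials
        :param config: backend configuration (add_creds version and the list of
                       allowed key handles)
        :raises VCCSAuthenticationError: unknown or mistyped credential, bad
                                         user_code, disallowed key handle,
                                         unsupported version or unknown action
        """
        VCCSFactor.__init__(self, oath_type)
        self.credstore = credstore
        # Was `config = config`, a no-op that left the factor without a config
        # attribute; store it the way the password factor does.
        self.config = config
        if action == 'auth':
            self.cred = credstore.get_credential(req['credential_id'])
            if not self.cred:
                raise VCCSAuthenticationError(
                    "Unknown credential: {!r}".format(req['credential_id']))

            # The credential store is shared between factor types; make sure the
            # supplied id did not resolve to e.g. a password credential.
            if self.cred.type() != self.type:
                raise VCCSAuthenticationError(
                    "Credential {!r} has unexpected type: {!r}".format(
                        req['credential_id'], self.cred.type()))

            if self.cred.version() != 'NDNv1':
                raise VCCSAuthenticationError(
                    "Unknown credential version: {!r}".format(self.cred))

            try:
                self._user_code = int(req['user_code'])
            except (TypeError, ValueError):
                # A non-numeric code is a bad request, not an internal error.
                # The submitted value is deliberately not echoed back.
                raise VCCSAuthenticationError("Bad user_code")
            self._user_id = user_id
        elif action == 'add_creds':
            if config.add_creds_oath_version != 'NDNv1':
                # Report the setting actually being checked (the message used to
                # print add_creds_password_version).
                raise VCCSAuthenticationError(
                    "Add OATH credentials of version {!r} not implemented".
                    format(config.add_creds_oath_version))
            if req['key_handle'] not in config.add_creds_oath_key_handles_allow:
                raise VCCSAuthenticationError(
                    "Add OATH credentials key_handle {!r} not in allowed list {!r}"
                    .format(req['key_handle'],
                            config.add_creds_oath_key_handles_allow))
            cred_data = {
                'type': self.type,
                'status': 'active',
                'version': 'NDNv1',
                'key_handle': req['key_handle'],
                'nonce': req['nonce'],
                'aead': req['aead'],
                'digits': req['digits'],
                'credential_id': req['credential_id'],
                'oath_counter': req['oath_counter'],
                'user_id': user_id,
            }
            self.cred = vccs_auth.credential.from_dict(cred_data, None)
        else:
            raise VCCSAuthenticationError("Unknown action {!r}".format(action))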
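    def __init__(self, oath_type, action, req, user_id, credstore, config):
        """
        Initialise an OATH factor for one request.

        :param oath_type: factor type handed to VCCSFactor; also stored as the
                          credential 'type' on 'add_creds'
        :param action: 'auth' to verify an existing credential, or 'add_creds'
                       to prepare a new NDNv1 OATH credential
        :param req: request dict; 'auth' reads 'credential_id' and 'user_code',
                    'add_creds' reads 'key_handle', 'nonce', 'aead', 'digits',
                    'credential_id' and 'oath_counter'
        :param user_id: identity the request concerns
        :param credstore: store used to look up existing credentials
        :param config: backend configuration (add_creds version and the list of
                       allowed key handles)
        :raises VCCSAuthenticationError: unknown or mistyped credential, bad
                                         user_code, disallowed key handle,
                                         unsupported version or unknown action
        """
        VCCSFactor.__init__(self, oath_type)
        self.credstore = credstore
        # Was `config = config`, a no-op that left the factor without a config
        # attribute; store it the way the password factor does.
        self.config = config
        if action == 'auth':
            self.cred = credstore.get_credential(req['credential_id'])
            if not self.cred:
                raise VCCSAuthenticationError("Unknown credential: {!r}".format(req['credential_id']))

            # The credential store is shared between factor types; make sure the
            # supplied id did not resolve to e.g. a password credential.
            if self.cred.type() != self.type:
                raise VCCSAuthenticationError("Credential {!r} has unexpected type: {!r}".format(
                        req['credential_id'], self.cred.type()))

            if self.cred.version() != 'NDNv1':
                raise VCCSAuthenticationError("Unknown credential version: {!r}".format(
                        self.cred))

            try:
                self._user_code = int(req['user_code'])
            except (TypeError, ValueError):
                # A non-numeric code is a bad request, not an internal error.
                # The submitted value is deliberately not echoed back.
                raise VCCSAuthenticationError("Bad user_code")
            self._user_id = user_id
        elif action == 'add_creds':
            if config.add_creds_oath_version != 'NDNv1':
                # Report the setting actually being checked (the message used to
                # print add_creds_password_version).
                raise VCCSAuthenticationError("Add OATH credentials of version {!r} not implemented".format(
                        config.add_creds_oath_version))
            if req['key_handle'] not in config.add_creds_oath_key_handles_allow:
                raise VCCSAuthenticationError("Add OATH credentials key_handle {!r} not in allowed list {!r}".format(
                        req['key_handle'], config.add_creds_oath_key_handles_allow))
            cred_data = {'type':          self.type,
                         'status':        'active',
                         'version':       'NDNv1',
                         'key_handle':    req['key_handle'],
                         'nonce':         req['nonce'],
                         'aead':          req['aead'],
                         'digits':        req['digits'],
                         'credential_id': req['credential_id'],
                         'oath_counter':  req['oath_counter'],
                         'user_id':       user_id,
                         }
            self.cred = vccs_auth.credential.from_dict(cred_data, None)
        else:
            raise VCCSAuthenticationError("Unknown action {!r}".format(action))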
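    def __init__(self, action, req, user_id, credstore, config):
        """
        Initialise a password factor for one request.

        :param action: 'auth' to verify against a stored credential, or
                       'add_creds' to prepare a new NDNv1 password credential
        :param req: request dict, must hold 'H1' and 'credential_id'
        :param user_id: identity the request concerns (kept as str)
        :param credstore: store used to look up existing credentials
        :param config: backend configuration (KDF iteration bounds, add_creds
                       version, key handle and iteration count)
        :raises VCCSAuthenticationError: malformed H1, unknown or ill-formed
                                         credential, unsupported config, or
                                         unknown action
        """
        VCCSFactor.__init__(self, 'password')
        self._user_id = str(user_id)
        self._H1 = str(req['H1'])
        self.config = config
        self.credstore = credstore

        # H1 is derived from the user's password. The checks below report only
        # its shape or length, never the value, so it cannot leak into logs.
        if self._H1.startswith('$'):
            # If the frontend uses bcrypt() to generate H1, it should NOT send the whole
            # bcrypt digest to the authentication backend. The salt is better kept separate
            # in the frontend.
            raise VCCSAuthenticationError("Bad H1: looks like a full bcrypt digest")

        if len(self._H1) < 31:
            # Ensure a minimum length.
            raise VCCSAuthenticationError("Bad H1 length: {}".format(len(self._H1)))

        try:
            # see if H1 is hex encoded, otherwise leave unaltered
            _decoded = self._H1.decode('hex')
            self._H1 = _decoded
        except (TypeError, ValueError):
            # Python 2 str.decode('hex') raises TypeError for an odd-length or
            # non-hex string; that is the only failure this fallback is meant
            # to absorb. Anything else should surface, not be swallowed.
            pass

        if action == 'auth':
            _cred_id = str(req['credential_id'])
            self.cred = credstore.get_credential(_cred_id)
            if not self.cred:
                raise VCCSAuthenticationError(
                    "Unknown credential: {!r}".format(_cred_id))
            # Refuse a credential of another factor type that shares the store.
            # Both format arguments are supplied here; the original message had
            # two placeholders and one argument and raised IndexError instead.
            if self.cred.type() != self.type:
                raise VCCSAuthenticationError(
                    "Credential {!r} has unexpected type: {!r}".format(
                        _cred_id, self.cred.type()))
            if self.cred.version() != 'NDNv1':
                raise VCCSAuthenticationError(
                    "Unknown credential version: {!r}".format(self.cred))
            # too few iterations is insecure, too many might be a DoS
            _iterations = self.cred.iterations()
            if _iterations < config.kdf_min_iterations or \
                    _iterations > config.kdf_max_iterations:
                raise VCCSAuthenticationError(
                    "Bad NDNv1 iterations count: {}".format(_iterations))
            # 16 bytes minimum (pwhash is hex encoded, so 32)
            _dk_len = len(self.cred.derived_key())
            if _dk_len < 32:
                raise VCCSAuthenticationError(
                    "Bad NDNv1 derived_key length: {}".format(_dk_len))
        elif action == 'add_creds':
            if config.add_creds_password_version != 'NDNv1':
                raise VCCSAuthenticationError(
                    "Add password credentials of version {!r} not implemented".
                    format(config.add_creds_password_version))
            if not config.add_creds_password_key_handle:
                # No placeholder in this message, so no .format() call either.
                raise VCCSAuthenticationError(
                    "Add password credentials key_handle not set")
            cred_data = {
                'type': 'password',
                'status': 'active',
                'version': 'NDNv1',
                'kdf': 'PBKDF2-HMAC-SHA512',
                'derived_key': None,  # will be calculated later, in add_credential()
                'key_handle': config.add_creds_password_key_handle,
                'iterations': config.add_creds_password_kdf_iterations,
                'salt': None,  # will be added later, in add_credential()
                'credential_id': str(req['credential_id']),
            }
            self.cred = vccs_auth.credential.from_dict(cred_data, None)
        else:
            raise VCCSAuthenticationError("Unknown action {!r}".format(action))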