p = key.p
q = key.q
n = key.n
binPrivKey = key.exportKey('DER')
binPubKey = key.publickey().exportKey('DER')
print 'Done'
print
print 'RSA p value =', repr(p)
print 'RSA q value =', repr(q)
print 'RSA n value =', repr(n)
print
print 'Initialize OnlyKey client...'
ok = OnlyKey()
print 'Done'
print
time.sleep(2)
ok.read_string(timeout_ms=100)
empty = 'a'
while not empty:
empty = ok.read_string(timeout_ms=100)
print 'You should see your OnlyKey blink 3 times'
print
print 'Setting RSA private...'
bob_private_key = bob.get_privkey()
alice_public_key = alice.get_pubkey()
bob_public_key = bob.get_pubkey()
alice_private_key = alice.get_privkey()
print("Bob's private key: ", hexlify(bob_private_key))
print("Bob's public key: ", hexlify(bob_public_key))
print()
print("Alices's private key: ", hexlify(alice_private_key))
print("Alices's public key: ", hexlify(alice_public_key))
print()
print()
print('Initialize OnlyKey client...')
ok = OnlyKey()
print('Done')
print()
time.sleep(2)
ok.read_string(timeout_ms=100)
empty = 'a'
while not empty:
empty = ok.read_string(timeout_ms=100)
print('You should see your OnlyKey blink 3 times')
print()
print('Setting ECC private...')
ok.set_ecc_key(101, (2 + 32), bob_private_key)
def __init__(self, curve=formats.CURVE_NIST256):
"""Connect to hardware device."""
self.device_name = 'OnlyKey'
self.ok = OnlyKey()
self.curve = curve
#from progressbar import ProgressBar, AnimatedMarker, Timer, Bar, Percentage, Widget
import pgpy
from pgpy import PGPKey
from pgpy.constants import PubKeyAlgorithm, KeyFlags, HashAlgorithm, SymmetricKeyAlgorithm, CompressionAlgorithm
from pgpy.packet.fields import RSAPub, MPI, RSAPriv
from pgpy.packet.packets import PubKeyV4, PrivKeyV4
from datetime import timedelta
import binascii
from onlykey import OnlyKey, Message
ok = OnlyKey()
def custRSAPub(n, e):
res = RSAPriv()
res.n = MPI(n)
res.e = MPI(e)
return res
def custPubKeyV4(custkey):
res = PrivKeyV4()
res.pkalg = PubKeyAlgorithm.RSAEncryptOrSign
res.keymaterial = custkey
res.update_hlen()
return res
class Client(object):
"""Client wrapper for SSH authentication device."""
def __init__(self, curve=formats.CURVE_NIST256):
"""Connect to hardware device."""
self.device_name = 'OnlyKey'
self.ok = OnlyKey()
self.curve = curve
def __enter__(self):
"""Start a session, and test connection."""
self.ok.read_string(timeout_ms=50)
empty = 'a'
while not empty:
empty = self.ok.read_string(timeout_ms=50)
return self
def __exit__(self, *args):
"""Forget PIN, shutdown screen and disconnect."""
log.info('disconnected from %s', self.device_name)
self.ok.close()
def get_identity(self, label, index=0):
"""Parse label string into Identity protobuf."""
identity = string_to_identity(label)
identity['proto'] = 'ssh'
identity['index'] = index
print 'identity', identity
return identity
def get_public_key(self, label):
log.info('getting public key from %s...', self.device_name)
log.info('Trying to read the public key...')
# Compute the challenge pin
h = hashlib.sha256()
h.update(label)
data = h.hexdigest()
if self.curve == formats.CURVE_NIST256:
data = '02' + data
else:
data = '01' + data
data = data.decode("hex")
log.info('Identity hash =%s', repr(data))
self.ok.send_message(msg=Message.OKGETPUBKEY,
slot_id=132,
payload=data)
time.sleep(.5)
for _ in xrange(2):
ok_pubkey = self.ok.read_bytes(64, to_str=True, timeout_ms=10)
if len(ok_pubkey) == 64:
break
log.info('received= %s', repr(ok_pubkey))
if len(set(ok_pubkey[34:63])) == 1:
ok_pubkey = ok_pubkey[0:32]
log.info('Received Public Key generated by OnlyKey= %s',
repr(ok_pubkey))
vk = ed25519.VerifyingKey(ok_pubkey)
return formats.export_public_key(vk=vk, label=label)
else:
ok_pubkey = ok_pubkey[0:64]
log.info('Received Public Key generated by OnlyKey= %s',
repr(ok_pubkey))
vk = ecdsa.VerifyingKey.from_string(ok_pubkey,
curve=ecdsa.NIST256p)
return formats.export_public_key(vk=vk, label=label)
def sign_ssh_challenge(self, label, blob):
"""Sign given blob using a private key, specified by the label."""
msg = _parse_ssh_blob(blob)
log.debug('%s: user %r via %r (%r)', msg['conn'], msg['user'],
msg['auth'], msg['key_type'])
log.debug('nonce: %s', binascii.hexlify(msg['nonce']))
log.debug('fingerprint: %s', msg['public_key']['fingerprint'])
log.debug('hidden challenge size: %d bytes', len(blob))
# self.ok.send_large_message(payload=blob, msg=Message.OKSIGNSSHCHALLENGE)
log.info('please confirm user "%s" login to "%s" using %s',
msg['user'], label, self.device_name)
h1 = hashlib.sha256()
h1.update(label)
data = h1.hexdigest()
data = data.decode("hex")
test_payload = blob + data
# Compute the challenge pin
h2 = hashlib.sha256()
h2.update(test_payload)
d = h2.digest()
assert len(d) == 32
def get_button(byte):
ibyte = ord(byte)
return ibyte % 6 + 1
b1, b2, b3 = get_button(d[0]), get_button(d[15]), get_button(d[31])
log.info('blob to send', repr(test_payload))
# Determine type of key to derive on OnlyKey for signature
# 201 = ed25519
# 202 = P256
# 203 = secp256k1
keytype = msg['key_type']
if msg['key_type'].startswith('ssh-ed25519'):
this_slot_id = 201
log.info('Key type ed25519')
elif msg['key_type'].startswith('ecdsa-sha2-nistp256'):
this_slot_id = 202
log.info('Key type P256')
else:
this_slot_id = 203
log.info('Key type secp256k1')
self.ok.send_large_message2(msg=Message.OKSIGNCHALLENGE,
payload=test_payload,
slot_id=this_slot_id)
#TODO ping messages so that we don't need enter key to tell when done.
print 'Please confirm user', msg[
'user'], 'login to', label, 'using', self.device_name
print(
'Enter the 3 digit challenge code shown below on OnlyKey to authenticate'
)
print '{} {} {}'.format(b1, b2, b3)
raw_input()
for _ in xrange(10):
result = self.ok.read_bytes(64, to_str=True, timeout_ms=200)
if len(result) >= 60:
log.info('received= %s', repr(result))
while len(result) < 64:
result.append(0)
log.info('disconnected from %s', self.device_name)
self.ok.close()
return result
raise Exception('failed to sign challenge')
class Backend(Enum):
OpenSSL = openssl.backend
global ok
ok = OnlyKey()
from onlykey import OnlyKey, Message
print 'Generating a new ed25519 key pair...'
privkey, pubkey = ed25519.create_keypair(entropy=os.urandom)
print 'Done'
print
print 'privkey=', repr(privkey.to_seed())
print 'privkey hex=', ''.join([c.encode('hex') for c in privkey.to_seed()])
print 'pubkey=', repr(pubkey.to_bytes())
print 'pubkey hex=', pubkey.to_ascii(encoding='hex')
print
print
print 'Initialize OnlyKey client...'
ok = OnlyKey()
print 'Done'
print
time.sleep(2)
ok.read_string(timeout_ms=100)
empty = 'a'
while not empty:
empty = ok.read_string(timeout_ms=100)
print 'You should see your OnlyKey blink 3 times'
print
print 'Setting SSH private...'
ok.set_ecc_key(101, (1 + 64), privkey.to_seed())
import hashlib
import time
import os
from Crypto.Cipher import PKCS1_v1_5
from Crypto.PublicKey import RSA
from Crypto.Hash import SHA
from Crypto.Random import get_random_bytes
from Crypto import Random
import binascii
from onlykey import OnlyKey, Message
print('Initialize OnlyKey client...')
ok = OnlyKey()
print('Done')
print()
time.sleep(2)
ok.read_string(timeout_ms=100)
empty = 'a'
while not empty:
empty = ok.read_string(timeout_ms=100)
time.sleep(1)
print('You should see your OnlyKey blink 3 times')
print()
print('Enter RSA slot number to use for decryption (1 - 4)')
to "\xbf\xcd\xce\xa0K\x93\x85}\xf0\x18\xb3\xd3L}\x14\xdb\xce0\x00uE,\x05'\xeeW\x1c\xeb\xcf\x8b\x1f\xcc\xc5\xc1\xe2\x17\xb7\xa3\xb6C\x16\xea?\xcchz\xebF1\xb7\xb1\x86\xb8\n}\x82\xebx\xce\x1b\x13\xdf\xdb\x19"
it seems to be want you wanted? it's 64 bytes.
"""
h = '%x' % n
s = ('0' * (len(h) % 2) + h).decode('hex')
return s
print('Done')
print()
print('RSA p value =', repr(pack_long(p)))
print('RSA q value =', repr(pack_long(q)))
print('RSA n value =', repr(pack_long(n)))
print()
print('Initialize OnlyKey client...')
ok = OnlyKey()
print('Done')
print()
time.sleep(2)
ok.read_string(timeout_ms=100)
empty = 'a'
while not empty:
empty = ok.read_string(timeout_ms=100)
print('You should see your OnlyKey blink 3 times')
print()
print('Setting SSH private...')
