def test_register_fixed_values(self):
     """Complete a registration from a recorded request/response pair.

     There is no explicit assertion: the test passes when
     ``u2f.complete_register`` returns without raising for these values.
     """
     # Registration request as the server issued it.
     request = {
         "challenge": "KEzvDDdHwnXtPHIMb0Uh43hgOJ-wQTsdLujGkeg6JxM",
         "version": "U2F_V2",
         "appId": "http://localhost:8081"
     }
     # Recorded token response. clientData is base64url-encoded JSON whose
     # origin and challenge match the request above and whose typ is
     # "navigator.id.finishEnrollment".
     # NOTE(review): the attestation certificate embedded in registrationData
     # appears to carry 2015-2016 validity dates; if this test still passes,
     # certificate expiry is presumably not enforced on this path -- confirm
     # that is intended.
     response = {
         "registrationData":
         "BQS94xQL46G4vheJPkYSuEteM6Km4-MwgBAu1zZ6MAbjDDgqhYbpHuIhhGOKjedeDd58qqktqOJsby9wMdHGnUtVQD8ISPywVi3J6SaKebCVQdHPu3_zQigRS8LhoDwKT5Ed3tg8AWuNw9XBZEh4doEDxKGuInFazirUw8acOu2qDcEwggIjMIIBDaADAgECAgRyuHt0MAsGCSqGSIb3DQEBCzAPMQ0wCwYDVQQDEwR0ZXN0MB4XDTE1MDkwNDA3MTAyNloXDTE2MDkwMzA3MTAyNlowKjEoMCYGA1UEAxMfWXViaWNvIFUyRiBFRSBTZXJpYWwgMTkyNDY5Mjg1MjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC37i_h-xmEtGfWnuvj_BmuhtU18MKShNP_vZ7C2WJwj8OHaSLnzAfha14CMUPaKPtRFfP6w9CFGhvEizH33XZKjOzA5MCIGCSsGAQQBgsQKAgQVMS4zLjYuMS40LjEuNDE0ODIuMS4yMBMGCysGAQQBguUcAgEBBAQDAgQwMAsGCSqGSIb3DQEBCwOCAQEAab7fWlJ-lOR1sqIxawPU5DWZ1b9nQ0QmNNoetPHJ_fJC95r0esRq5axfmGufbNktNWanHww7i9n5WWxSaMTWuJSF0eAXUajo8odYA8nB4_0I6z615MWa9hTU64Pl9HlqkR5ez5jndmJNuAfhaIF4h062Jw051kMo_aENxuLixnybTfJG7Q5KRE00o2MFs5b9L9fzhDtBzv5Z-vGOefuiohowpwnxIA9l0tGqrum9plUdx06K9TqKMRDQ8naosy01rbouA6i5xVjl-tHT3z-r__FYcSZ_dQ5-SCPOh4F0w6T0UwzymQmeqYN3pP-UUgnJ-ihD-uhEWklKNYRy0K0G0jBGAiEA7rbbx2jwC1YGICkZMR07ggKWaHCwFBxNDW3OwhLNNzUCIQCSq0sjGSUnWMQgPEImrmd3tMKcbrjI995rti6UYozqsg",
         "clientData":
         "eyJvcmlnaW4iOiAiaHR0cDovL2xvY2FsaG9zdDo4MDgxIiwgImNoYWxsZW5nZSI6ICJLRXp2RERkSHduWHRQSElNYjBVaDQzaGdPSi13UVRzZEx1akdrZWc2SnhNIiwgInR5cCI6ICJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCJ9"
     }
     # No valid_facets argument is passed, so this call does not exercise a
     # facet (origin) allow-list.
     u2f.complete_register(request, response)
Exemple #2
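    def test_authenticate_soft_u2f(self):
        """Check that an assertion only verifies against its own challenge.

        Registers a software token, issues two authentication challenges and
        answers both. Each response must verify with the challenge it was
        produced for and must be rejected when paired with the other one.
        """
        token = SoftU2FDevice()
        request = u2f.start_register(APP_ID)
        response = token.register(request.json, FACET)
        device, cert = u2f.complete_register(request, response)

        challenge1 = u2f.start_authenticate(device)
        challenge2 = u2f.start_authenticate(device)

        # Responses are produced in the opposite order to the challenges.
        response2 = token.getAssertion(challenge2.json, FACET)
        response1 = token.getAssertion(challenge1.json, FACET)

        assert u2f.verify_authenticate(device, challenge1, response1)
        assert u2f.verify_authenticate(device, challenge2, response2)

        # A response paired with the wrong challenge must raise. Only
        # Exception subclasses count as a rejection, so KeyboardInterrupt and
        # SystemExit are not swallowed as a "pass".
        # NOTE(review): any Exception still counts; pinning the library's
        # specific verification error would stop an unrelated failure (for
        # example a TypeError) from masking a missing check.
        mismatched = ((challenge1, response2), (challenge2, response1))
        for challenge, wrong_response in mismatched:
            try:
                u2f.verify_authenticate(device, challenge, wrong_response)
            except Exception:
                continue
            # Raised explicitly so the check survives ``python -O``.
            raise AssertionError("Incorrect validation should fail!")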
Exemple #3
def complete_register(request_data, response, valid_facets=None):
    """Finish a U2F registration by delegating to the U2F_V2 implementation.

    Both inputs are first passed through their ``wrap`` helpers; the register
    request matching ``response`` is then selected from the request data and
    handed on together with ``valid_facets``.

    NOTE(review): ``valid_facets`` defaults to None and is forwarded
    unchanged; callers that want the client origin checked against an
    allow-list presumably have to pass one -- confirm in u2f_v2.
    """
    wrapped_request = RegisterRequestData.wrap(request_data)
    wrapped_response = RegisterResponse.wrap(response)
    register_request = wrapped_request.getRegisterRequest(wrapped_response)

    return u2f_v2.complete_register(
        register_request, wrapped_response, valid_facets)
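    def test_authenticate_soft_u2f(self):
        """Check that an assertion only verifies against its own challenge.

        Registers a software token, issues two authentication challenges and
        answers both. Each response must verify with the challenge it was
        produced for and must be rejected when paired with the other one.
        """
        token = SoftU2FDevice()
        request = u2f.start_register(APP_ID)
        response = token.register(request.json, FACET)
        device, cert = u2f.complete_register(request, response)

        challenge1 = u2f.start_authenticate(device)
        challenge2 = u2f.start_authenticate(device)

        # Responses are produced in the opposite order to the challenges.
        response2 = token.getAssertion(challenge2.json, FACET)
        response1 = token.getAssertion(challenge1.json, FACET)

        assert u2f.verify_authenticate(device, challenge1, response1)
        assert u2f.verify_authenticate(device, challenge2, response2)

        # A response paired with the wrong challenge must raise. Only
        # Exception subclasses count as a rejection, so KeyboardInterrupt and
        # SystemExit are not swallowed as a "pass".
        # NOTE(review): any Exception still counts; pinning the library's
        # specific verification error would stop an unrelated failure (for
        # example a TypeError) from masking a missing check.
        mismatched = ((challenge1, response2), (challenge2, response1))
        for challenge, wrong_response in mismatched:
            try:
                u2f.verify_authenticate(device, challenge, wrong_response)
            except Exception:
                continue
            # Raised explicitly so the check survives ``python -O``.
            raise AssertionError("Incorrect validation should fail!")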
Exemple #5
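def add_key(request):
    """Register a new U2F key for the current user.

    A GET, or a POST that cannot be completed, issues a fresh registration
    challenge, stores it in the session and renders the enrolment page.
    A valid POST consumes the stored challenge, verifies the token response
    against it and saves the resulting key on ``request.user``.
    """
    # NOTE(review): the previous code built the origin from the request
    # (scheme + host) and then immediately overwrote it with this constant,
    # so the constant is what was actually used. Confirm which is intended;
    # a hard-coded appId ties the view to a single deployment.
    origin = "https://www.bestedm.org"

    if request.method == 'POST':
        keyresponseform = KeyResponseForm(request.POST)
        if keyresponseform.is_valid():
            response = keyresponseform.cleaned_data['response']
            # pop() keeps the challenge single-use and avoids a KeyError
            # (HTTP 500) when the session holds no pending registration.
            challenge = request.session.pop(
                'u2f_registration_challenge', None)
            if challenge is not None:
                # The token response is client-supplied. Passing the expected
                # origin as the facet list asks the library to reject client
                # data produced for any other origin.
                device, attestation_cert = u2f.complete_register(
                    challenge, response, valid_facets=[origin])
                request.user.u2f_keys.create(
                    public_key=device['publicKey'],
                    key_handle=device['keyHandle'],
                    app_id=device['appId'],
                )
                # The debugging print() calls that dumped the challenge, the
                # device record and the attestation certificate to stdout
                # were removed.
                return HttpResponseRedirect('/dashboard/')

    # GET, invalid form, or no pending challenge: start a new registration.
    challenge = u2f.start_register(origin)
    request.session['u2f_registration_challenge'] = challenge

    context = {'challenge': json.dumps(challenge)}

    return render(request, 'u2f/add_key.html', context)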
Exemple #6
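def add_key(request):
    """Register a new U2F key for the current user.

    A GET, or a POST that cannot be completed, issues a fresh registration
    challenge, stores it in the session and renders the enrolment page.
    A valid POST consumes the stored challenge, verifies the token response
    against it and saves the resulting key on ``request.user``.
    """
    # The origin doubles as the appId of the challenge and as the only facet
    # accepted on completion. It is derived from the request's Host header,
    # so it is only as trustworthy as Django's ALLOWED_HOSTS configuration.
    origin = '{scheme}://{host}'.format(
        scheme='https' if request.is_secure() else 'http',
        host=request.get_host(),
    )

    if request.method == 'POST':
        keyresponseform = KeyResponseForm(request.POST)
        if keyresponseform.is_valid():
            response = keyresponseform.cleaned_data['response']
            # pop() keeps the challenge single-use and avoids a KeyError
            # (HTTP 500) when the session holds no pending registration.
            challenge = request.session.pop(
                'u2f_registration_challenge', None)
            if challenge is not None:
                # The token response is client-supplied. Passing the expected
                # origin as the facet list asks the library to reject client
                # data produced for any other origin.
                device, attestation_cert = u2f.complete_register(
                    challenge, response, valid_facets=[origin])
                request.user.u2f_keys.create(
                    public_key=device['publicKey'],
                    key_handle=device['keyHandle'],
                    app_id=device['appId'],
                )
                # The debugging print() calls that dumped the challenge, the
                # device record and the attestation certificate to stdout
                # were removed.
                return HttpResponseRedirect('/dashboard/')

    # GET, invalid form, or no pending challenge: start a new registration.
    challenge = u2f.start_register(origin)
    request.session['u2f_registration_challenge'] = challenge

    context = {'challenge': json.dumps(challenge)}

    return render(request, 'u2f/add_key.html', context)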
Exemple #7
    def test_register_soft_u2f(self):
        """Register a software token end to end and expect a device record."""
        soft_token = SoftU2FDevice()

        register_request = u2f.start_register(APP_ID)
        register_response = soft_token.register(register_request.json, FACET)

        # No facet list is passed, so only the registration itself is checked.
        registered, _attestation_cert = u2f.complete_register(
            register_request, register_response)
        assert registered
    def test_register_soft_u2f(self):
        """Register a software token end to end and expect a device record."""
        soft_token = SoftU2FDevice()

        register_request = u2f.start_register(APP_ID)
        register_response = soft_token.register(register_request.json, FACET)

        # No facet list is passed, so only the registration itself is checked.
        registered, _attestation_cert = u2f.complete_register(
            register_request, register_response)
        assert registered
    def bind(self, username, data):
        """Complete U2F enrolment for ``username`` and store the binding.

        The pending enrolment saved under ``_u2f_enroll_`` is verified against
        ``data`` with ``self.facet`` as the only accepted facet, and the
        resulting binding is stored under ``_u2f_binding_``.

        Returns the JSON text ``true``.
        """
        account = self.users[username]
        pending_enrollment = account['_u2f_enroll_']
        # NOTE(review): the pending enrolment entry is not removed here; if
        # nothing else clears it, the same challenge stays usable -- confirm.
        device_binding, attestation_cert = complete_register(
            pending_enrollment, data, [self.facet])
        account['_u2f_binding_'] = device_binding.json

        log.info("U2F device enrolled. Username: %s", username)
        log.debug("Attestation certificate:\n%s", attestation_cert.as_text())

        return json.dumps(True)
 def bind(self, username, password, data):
     """Complete U2F enrolment for an authenticated user.

     The user is looked up with ``username``/``password``; the pending
     enrolment is verified against ``data`` with ``self.origin`` as the only
     accepted facet. The binding and the PEM attestation certificate are
     stored on the user's attributes.

     Returns a JSON object with the username (first four characters
     dropped), the origin and the attestation certificate.
     """
     account = self._get_user(username, password)
     pending_enrollment = account.attributes['_u2f_enroll_']
     # NOTE(review): the pending enrolment entry is not removed here; if
     # nothing else clears it, the same challenge stays usable -- confirm.
     device_binding, attestation_cert = complete_register(
         pending_enrollment, data, [self.origin])
     account.attributes['_u2f_binding_'] = device_binding.json
     account.attributes['_u2f_cert_'] = attestation_cert.as_pem()
     result = {
         # presumably strips a fixed 4-character prefix -- verify with caller
         'username': username[4:],
         'origin': self.origin,
         'attest_cert': attestation_cert.as_pem()
     }
     return json.dumps(result)
 def bind(self, username, password, data):
     """Complete U2F enrolment for an authenticated user.

     The user is looked up with ``username``/``password``; the pending
     enrolment is verified against ``data`` with ``self.origin`` as the only
     accepted facet. The binding and the PEM attestation certificate are
     stored on the user's attributes.

     Returns a JSON object with the username (first four characters
     dropped), the origin and the attestation certificate.
     """
     account = self._get_user(username, password)
     pending_enrollment = account.attributes['_u2f_enroll_']
     # NOTE(review): the pending enrolment entry is not removed here; if
     # nothing else clears it, the same challenge stays usable -- confirm.
     device_binding, attestation_cert = complete_register(
         pending_enrollment, data, [self.origin])
     account.attributes['_u2f_binding_'] = device_binding.json
     account.attributes['_u2f_cert_'] = attestation_cert.as_pem()
     result = {
         # presumably strips a fixed 4-character prefix -- verify with caller
         'username': username[4:],
         'origin': self.origin,
         'attest_cert': attestation_cert.as_pem()
     }
     return json.dumps(result)
Exemple #12
 def form_valid(self, form):
     """Complete the pending U2F registration and store the new key.

     Reads the token response from the validated form, consumes the
     challenge kept in the session, verifies the response against it and
     creates a key record for ``self.request.user``. Redirects to the
     ``keys`` view afterwards.
     """
     token_response = form.cleaned_data['response']
     session = self.request.session
     pending_challenge = session['u2f_registration_challenge']
     # Removed before verification, so a challenge can be used only once.
     del session['u2f_registration_challenge']
     # NOTE(review): no valid_facets is passed, so the origin reported in the
     # client data is presumably not checked against an allow-list -- confirm.
     registered, _attestation_cert = u2f.complete_register(
         pending_challenge, token_response)
     key_fields = dict(
         public_key=registered['publicKey'],
         key_handle=registered['keyHandle'],
         app_id=registered['appId'],
     )
     self.request.user.u2f_keys.create(**key_fields)
     messages.success(self.request, 'Key added.')
     target = reverse(keys)
     return HttpResponseRedirect(target)
Exemple #13
 def form_valid(self, form):
     """Complete the pending U2F registration and store the new key.

     Reads the token response from the validated form, consumes the
     challenge kept in the session, verifies the response against it and
     creates a key record for ``self.request.user``. The rest of the
     handling is left to the parent class's ``form_valid``.
     """
     token_response = form.cleaned_data['response']
     session = self.request.session
     pending_challenge = session['u2f_registration_challenge']
     # Removed before verification, so a challenge can be used only once.
     del session['u2f_registration_challenge']
     # NOTE(review): no valid_facets is passed, so the origin reported in the
     # client data is presumably not checked against an allow-list -- confirm.
     registered, _attestation_cert = u2f.complete_register(
         pending_challenge, token_response)
     key_fields = dict(
         public_key=registered['publicKey'],
         key_handle=registered['keyHandle'],
         app_id=registered['appId'],
     )
     self.request.user.u2f_keys.create(**key_fields)
     messages.success(self.request, _("Key added."))
     return super(AddKeyView, self).form_valid(form)
Exemple #14
 def form_valid(self, form):
     """Complete the pending U2F registration and store the new key.

     Reads the token response from the validated form, consumes the
     challenge kept in the session, verifies the response against it and
     creates a key record for ``self.request.user``. Redirects to the
     ``keys`` view afterwards.
     """
     token_response = form.cleaned_data['response']
     session = self.request.session
     pending_challenge = session['u2f_registration_challenge']
     # Removed before verification, so a challenge can be used only once.
     del session['u2f_registration_challenge']
     # NOTE(review): no valid_facets is passed, so the origin reported in the
     # client data is presumably not checked against an allow-list -- confirm.
     registered, _attestation_cert = u2f.complete_register(
         pending_challenge, token_response)
     key_fields = dict(
         public_key=registered['publicKey'],
         key_handle=registered['keyHandle'],
         app_id=registered['appId'],
     )
     self.request.user.u2f_keys.create(**key_fields)
     messages.success(self.request, 'Key added.')
     target = reverse(keys)
     return HttpResponseRedirect(target)
Exemple #15
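 def register_complete(self, username, resp):
     """Verify a registration response and attach the device to the user.

     The pending request is looked up by the challenge echoed in the client
     data, scoped to this client and ``username``. The response is verified
     against the client's valid facets and, when ``self._require_trusted``
     is set, devices whose attestation is not trusted are rejected.

     Returns the handle of the newly added device.

     Raises:
         BadInputException: the attestation is untrusted while trust is
             required.
     """
     memkey = resp.clientData.challenge
     # NOTE(review): whether retrieve() also removes the entry (making the
     # challenge single-use) and what it returns on a miss is not visible
     # here -- confirm.
     data = self._memstore.retrieve(self._client.id, username, memkey)
     bind, cert = complete_register(data['request'], resp,
                                    self._client.valid_facets)
     attestation = self._metadata.get_attestation(cert)
     if self._require_trusted and not attestation.trusted:
         raise BadInputException('Device type is not trusted')
     user = self._get_or_create_user(username)
     dev = user.add_device(bind.json, cert)
     # Three placeholders for the three arguments. The previous format
     # string held a single %s, so logging could not format the record and
     # the registration event was lost from the log.
     log.info('User: "%s/%s" - Device registered: "%s"',
              self._client.name, username, dev.handle)
     return dev.handle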
Exemple #16
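 def register_complete(self, username, resp):
     """Verify a registration response and attach the device to the user.

     The pending request is looked up by the challenge echoed in the client
     data, scoped to this client and ``username``. The response is verified
     against the client's valid facets and, when ``self._require_trusted``
     is set, devices whose attestation is not trusted are rejected. The
     attestation's transports are stored with the device.

     Returns the handle of the newly added device.

     Raises:
         BadInputException: the attestation is untrusted while trust is
             required.
     """
     memkey = resp.clientData.challenge
     # NOTE(review): whether retrieve() also removes the entry (making the
     # challenge single-use) and what it returns on a miss is not visible
     # here -- confirm.
     data = self._memstore.retrieve(self._client.id, username, memkey)
     bind, cert = complete_register(data['request'], resp,
                                    self._client.valid_facets)
     attestation = self._metadata.get_attestation(cert)
     if self._require_trusted and not attestation.trusted:
         raise BadInputException('Device type is not trusted')
     user = self._get_or_create_user(username)
     dev = user.add_device(bind.json, cert, attestation.transports)
     # Three placeholders for the three arguments. The previous format
     # string held a single %s, so logging could not format the record and
     # the registration event was lost from the log.
     log.info('User: "%s/%s" - Device registered: "%s"',
              self._client.name, username, dev.handle)
     return dev.handle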
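    def test_wrong_facet(self):
        """Check that responses from an origin outside FACETS are rejected.

        Covers both halves of the protocol: a registration response and an
        authentication response, each produced for an origin that is not in
        the allow-list, must make the library raise.
        """
        token = SoftU2FDevice()
        request = u2f.start_register(APP_ID)
        response = token.register(request.json, "http://wrongfacet.com")

        # Only Exception subclasses count as a rejection, so KeyboardInterrupt
        # and SystemExit are not swallowed as a "pass".
        # NOTE(review): any Exception still counts; pinning the library's
        # specific facet error would stop an unrelated failure from masking a
        # missing check.
        try:
            u2f.complete_register(request, response, FACETS)
        except Exception:
            pass
        else:
            # Raised explicitly so the check survives ``python -O``.
            raise AssertionError("Incorrect facet should fail!")

        # A registration with the expected facet provides the device for the
        # authentication half; no facet list is passed on this call.
        response2 = token.register(request.json, FACET)
        device, cert = u2f.complete_register(request, response2)

        challenge = u2f.start_authenticate(device)
        response = token.getAssertion(challenge.json, "http://notright.com")

        try:
            u2f.verify_authenticate(device, challenge, response, FACETS)
        except Exception:
            pass
        else:
            raise AssertionError("Incorrect facet should fail!")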
Exemple #18
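    def test_wrong_facet(self):
        """Check that responses from an origin outside FACETS are rejected.

        Covers both halves of the protocol: a registration response and an
        authentication response, each produced for an origin that is not in
        the allow-list, must make the library raise.
        """
        token = SoftU2FDevice()
        request = u2f.start_register(APP_ID)
        response = token.register(request.json, "http://wrongfacet.com")

        # Only Exception subclasses count as a rejection, so KeyboardInterrupt
        # and SystemExit are not swallowed as a "pass".
        # NOTE(review): any Exception still counts; pinning the library's
        # specific facet error would stop an unrelated failure from masking a
        # missing check.
        try:
            u2f.complete_register(request, response, FACETS)
        except Exception:
            pass
        else:
            # Raised explicitly so the check survives ``python -O``.
            raise AssertionError("Incorrect facet should fail!")

        # A registration with the expected facet provides the device for the
        # authentication half; no facet list is passed on this call.
        response2 = token.register(request.json, FACET)
        device, cert = u2f.complete_register(request, response2)

        challenge = u2f.start_authenticate(device)
        response = token.getAssertion(challenge.json, "http://notright.com")

        try:
            u2f.verify_authenticate(device, challenge, response, FACETS)
        except Exception:
            pass
        else:
            raise AssertionError("Incorrect facet should fail!")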
Exemple #19
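def enroll_response():
    """Complete U2F enrolment for the session's user and store the binding.

    The registration data, client data and pending enrolment are all read
    from the session. After verification the binding is saved on the user
    row and committed.
    """
    username = session.get('username')
    # NOTE(review): first() yields None when no row matches; the attribute
    # assignment below would then fail -- confirm a logged-in user is
    # guaranteed by the caller.
    user = db_session.query(User).filter_by(username=username).first()

    response = dict(registrationData=session.get('registrationData'),
                    clientData=session.get('clientData'))

    # valid_facets is a collection of allowed origins. A bare string would
    # presumably be tested with ``in`` as a substring match, accepting
    # origins that are only fragments of the intended one, so it is passed
    # as a one-element list.
    # NOTE(review): plain-http localhost facet; suitable for development only.
    binding, cert = complete_register(session.get('u2f_enroll'), response,
                                      ['http://localhost:5000'])

    user.u2f_binding = binding.json
    db_session.commit()

    # Single-argument print() behaves the same on Python 2 and Python 3.
    print(binding.json)
    print(cert.as_text())
    return Response('Enrolled token!')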
Exemple #20
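def enroll_response():
    """Complete U2F enrolment for the session's user and store the binding.

    The registration data, client data and pending enrolment are all read
    from the session. After verification the binding is saved on the user
    row and committed.
    """
    username = session.get('username')
    # NOTE(review): first() yields None when no row matches; the attribute
    # assignment below would then fail -- confirm a logged-in user is
    # guaranteed by the caller.
    user = db_session.query(User).filter_by(username=username).first()

    response = dict(registrationData=session.get('registrationData'),
                    clientData=session.get('clientData'))

    # valid_facets is a collection of allowed origins. A bare string would
    # presumably be tested with ``in`` as a substring match, accepting
    # origins that are only fragments of the intended one, so it is passed
    # as a one-element list.
    # NOTE(review): plain-http localhost facet; suitable for development only.
    binding, cert = complete_register(session.get('u2f_enroll'), response,
                                      ['http://localhost:5000'])

    user.u2f_binding = binding.json
    db_session.commit()

    # Single-argument print() behaves the same on Python 2 and Python 3.
    print(binding.json)
    print(cert.as_text())
    return Response('Enrolled token!')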
 def test_register_fixed_values(self):
     """Complete a registration from a recorded request/response pair.

     There is no explicit assertion: the test passes when
     ``u2f.complete_register`` returns without raising for these values.
     """
     # Registration request as the server issued it.
     request = {"challenge": "KEzvDDdHwnXtPHIMb0Uh43hgOJ-wQTsdLujGkeg6JxM", "version": "U2F_V2", "appId": "http://localhost:8081"}
     # Recorded token response. clientData is base64url-encoded JSON whose
     # origin and challenge match the request above.
     response = {"registrationData": "BQS94xQL46G4vheJPkYSuEteM6Km4-MwgBAu1zZ6MAbjDDgqhYbpHuIhhGOKjedeDd58qqktqOJsby9wMdHGnUtVQD8ISPywVi3J6SaKebCVQdHPu3_zQigRS8LhoDwKT5Ed3tg8AWuNw9XBZEh4doEDxKGuInFazirUw8acOu2qDcEwggIjMIIBDaADAgECAgRyuHt0MAsGCSqGSIb3DQEBCzAPMQ0wCwYDVQQDEwR0ZXN0MB4XDTE1MDkwNDA3MTAyNloXDTE2MDkwMzA3MTAyNlowKjEoMCYGA1UEAxMfWXViaWNvIFUyRiBFRSBTZXJpYWwgMTkyNDY5Mjg1MjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC37i_h-xmEtGfWnuvj_BmuhtU18MKShNP_vZ7C2WJwj8OHaSLnzAfha14CMUPaKPtRFfP6w9CFGhvEizH33XZKjOzA5MCIGCSsGAQQBgsQKAgQVMS4zLjYuMS40LjEuNDE0ODIuMS4yMBMGCysGAQQBguUcAgEBBAQDAgQwMAsGCSqGSIb3DQEBCwOCAQEAab7fWlJ-lOR1sqIxawPU5DWZ1b9nQ0QmNNoetPHJ_fJC95r0esRq5axfmGufbNktNWanHww7i9n5WWxSaMTWuJSF0eAXUajo8odYA8nB4_0I6z615MWa9hTU64Pl9HlqkR5ez5jndmJNuAfhaIF4h062Jw051kMo_aENxuLixnybTfJG7Q5KRE00o2MFs5b9L9fzhDtBzv5Z-vGOefuiohowpwnxIA9l0tGqrum9plUdx06K9TqKMRDQ8naosy01rbouA6i5xVjl-tHT3z-r__FYcSZ_dQ5-SCPOh4F0w6T0UwzymQmeqYN3pP-UUgnJ-ihD-uhEWklKNYRy0K0G0jBGAiEA7rbbx2jwC1YGICkZMR07ggKWaHCwFBxNDW3OwhLNNzUCIQCSq0sjGSUnWMQgPEImrmd3tMKcbrjI995rti6UYozqsg", "clientData": "eyJvcmlnaW4iOiAiaHR0cDovL2xvY2FsaG9zdDo4MDgxIiwgImNoYWxsZW5nZSI6ICJLRXp2RERkSHduWHRQSElNYjBVaDQzaGdPSi13UVRzZEx1akdrZWc2SnhNIiwgInR5cCI6ICJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCJ9"}
     # No valid_facets argument is passed, so this call does not exercise a
     # facet (origin) allow-list.
     u2f.complete_register(request, response)