def getPin(self): """ :return: the value of the pin- if it is stored encrypted """ pin = "" hsm = context["hsm"] if self.token.isPinEncrypted(): _iv, enc_pin = self.token.get_encrypted_pin() pin = SecretObj.decrypt_pin(enc_pin, hsm=hsm) return pin
def getPin(self): """ :return: the value of the pin- if it is stored encrypted """ pin = '' hsm = context['hsm'] if self.token.isPinEncrypted(): _iv, enc_pin = self.token.get_encrypted_pin() pin = SecretObj.decrypt_pin(enc_pin, hsm=hsm) return pin
def get_token_data(self): """ get all tokens """ tokens = Session.query(model_token).all() for token in tokens: token_data = {} serial = token.LinOtpTokenSerialnumber token_data['Serial'] = serial if token.isPinEncrypted(): iv, enc_pin = token.get_encrypted_pin() pin = SecretObj.decrypt_pin(enc_pin, hsm=self.hsm) just_mac = serial + token.LinOtpPinHash enc_value = self.crypter.encrypt(input_data=pin, just_mac=just_mac) token_data['TokenPin'] = enc_value # the userpin is used in motp and ocra/ocra2 token if token.LinOtpTokenPinUser: key, iv = token.getUserPin() user_pin = SecretObj.decrypt(key, iv, hsm=self.hsm) just_mac = serial + token.LinOtpTokenPinUser enc_value = self.crypter.encrypt(input_data=user_pin, just_mac=just_mac) token_data['TokenUserPin'] = enc_value # then we retrieve as well the original value, # to identify changes encKey = token.LinOtpKeyEnc key, iv = token.get_encrypted_seed() secObj = SecretObj(key, iv, hsm=self.hsm) seed = secObj.getKey() enc_value = self.crypter.encrypt(input_data=seed, just_mac=serial + encKey) token_data['TokenSeed'] = enc_value # next we look for tokens, where the pin is encrypted yield token_data
def do_request(servers, env, user, passw, options): """ make the call to the foreign server """ log.debug("start request to foreign server: %r", servers) for server in servers.split(" "): parsed_server = urllib.parse.urlparse(server) # the urlparse has a bug,, where in elder versions, the # path is not split from the query if not parsed_server.query: path, _sep, query = parsed_server.path.partition("?") else: path = parsed_server.path query = parsed_server.query # finally we found the query parameters params = urllib.parse.parse_qs(query) for key, entry in list(params.items()): params[key] = entry[0] if "encsecret" in params: params["secret"] = SecretObj.decrypt_pin(params["encsecret"]) del params["encsecret"] parsed_list = list(parsed_server[:]) parsed_list[ForwardServerPolicy.Path_index] = path.strip() parsed_list[ForwardServerPolicy. Query_index] = urllib.parse.urlencode(params) server_url = urllib.parse.urlunparse(tuple(parsed_list)) if "radius://" in server_url: rad = RadiusRequest(server=server_url, env=env) res, opt = rad.do_request(user, passw, options) return res, opt elif "http://" in server_url or "https://" in server_url: http = HttpRequest(server=server_url, env=env) res, opt = http.do_request(user, passw, options) return res, opt
def _rollout_2(self, params): ''' 2. https://linotpserver/admin/init? type=ocra& genkey=1& activationcode=AKTIVIERUNGSCODE& user=BENUTZERNAME& message=MESSAGE& session=SESSIONKEY =>> "serial" : SERIENNUMMER, "nonce" : DATAOBJECT, "transactionid" : "TRANSAKTIONSID, "app_import" : IMPORTURL - nonce - von HSM oder random ? - pkcs5 - kdf2 - es darf zur einer Zeit nur eine QR Token inaktiv (== im Ausrollzustand) sein !!!!! der Token wird über den User gefunden - seed = pdkdf2(nonce + activcode + shared secret) - challenge generiern - von urandom oder HSM ''' activationcode = params.get('activationcode', None) if activationcode is not None: # genkey might have created a new key, so we have to rely on encSharedSecret = self.getFromTokenInfo('sharedSecret', None) if encSharedSecret is None: raise Exception('missing shared secret of initialition' ' for token %r' % (self.getSerial())) sharedSecret = SecretObj.decrypt_pin(encSharedSecret) # we generate a nonce, which in the end is a challenge nonce = createNonce() self.addToTokenInfo('nonce', nonce) # create a new key from the ocrasuite key_len = 20 if self.ocraSuite.find('-SHA256'): key_len = 32 elif self.ocraSuite.find('-SHA512'): key_len = 64 newkey = kdf2(sharedSecret, nonce, activationcode, key_len) self.setOtpKey(binascii.hexlify(newkey)) # generate challenge, which is part of the app_import message = params.get('message', None) (transid, challenge, _ret, url) = self.challenge(message) # generate response info = {} uInfo = {} info['serial'] = self.getSerial() uInfo['se'] = self.getSerial() info['nonce'] = nonce uInfo['no'] = nonce info['transactionid'] = transid uInfo['tr'] = transid info['challenge'] = challenge uInfo['ch'] = challenge if message is not None: uInfo['me'] = str(message.encode("utf-8")) ustr = urllib.parse.urlencode({'u': str(url.encode("utf-8"))}) uInfo['u'] = ustr[2:] info['url'] = str(url.encode("utf-8")) app_import = 'lseqr://nonce?%s' % (urllib.parse.urlencode(uInfo)) # add a signature of the url signature = {'si': self.signData(app_import)} info['signature'] = signature.get('si') info['app_import'] = "%s&%s" % (app_import, urllib.parse.urlencode(signature)) self.info = info # setup new state self.addToTokenInfo('rollout', '2') self.enable(True) return