def test_02_fault_recovery(self): with self.pkcs11: hsm = get_hsm() self.assertIsInstance(hsm, AESHardwareSecurityModule) # encryption initially works r = encryptPin("test") pin = decryptPin(r) self.assertEqual(pin, "test") self.assertTrue(hsm.is_ready) # the HSM disappears generate_random_call_count = self.pkcs11.session_mock.generateRandom.call_count open_session_call_count = self.pkcs11.mock.openSession.call_count with self.pkcs11.simulate_disconnect(100): with self.assertRaises(PyKCS11Error): encryptPin("test") # we have tried to generate a random number once self.assertEqual(self.pkcs11.session_mock.generateRandom.call_count, generate_random_call_count + 1) # we have tried to open a new session once self.assertEqual(self.pkcs11.mock.openSession.call_count, open_session_call_count + 1) # HSM is now defunct # try to recover now r = encryptPin("test") pin = decryptPin(r) self.assertEqual(pin, "test")
def test_02_fault_recovery(self): with self.pkcs11: hsm = get_hsm() self.assertIsInstance(hsm, AESHardwareSecurityModule) # encryption initially works r = encryptPin("test") pin = decryptPin(r) self.assertEqual(pin, "test") self.assertTrue(hsm.is_ready) # the HSM disappears generate_random_call_count = self.pkcs11.session_mock.generateRandom.call_count open_session_call_count = self.pkcs11.mock.openSession.call_count with self.pkcs11.simulate_disconnect(100): with self.assertRaises(PyKCS11Error): encryptPin("test") # we have tried to generate a random number once self.assertEqual( self.pkcs11.session_mock.generateRandom.call_count, generate_random_call_count + 1) # we have tried to open a new session once self.assertEqual(self.pkcs11.mock.openSession.call_count, open_session_call_count + 1) # HSM is now defunct # try to recover now r = encryptPin("test") pin = decryptPin(r) self.assertEqual(pin, "test")
def test_00_encrypt_decrypt_pin(self): r = encryptPin("test") pin = decryptPin(r) self.assertTrue(pin == "test", (r, pin)) # decrypt some pins generated with 2.23 pin1 = 'd2c920ad10513c8ea322b522751185a3:54f068cffb43ada1edd024087da614ec' self.assertEqual(decryptPin(pin1), 'test') pin2 = '223f414872122ad112eb9f17b05da0b8:123079d997cd18601414830ab7c97678' self.assertEqual(decryptPin(pin2), 'test') pin3 = '4af7590600286becde70b99b10493104:09e4133652c609f9697e1923cde72904' self.assertEqual(decryptPin(pin3), '1234')
def test_00_encrypt_decrypt_pin(self): r = encryptPin("test") pin = decryptPin(r) self.assertTrue(pin == "test", (r, pin)) # decrypt some pins generated with 2.23 pin1 = 'd2c920ad10513c8ea322b522751185a3:54f068cffb43ada1edd024087da614ec' self.assertEqual(decryptPin(pin1), 'test') pin2 = '223f414872122ad112eb9f17b05da0b8:123079d997cd18601414830ab7c97678' self.assertEqual(decryptPin(pin2), 'test') pin3 = '4af7590600286becde70b99b10493104:09e4133652c609f9697e1923cde72904' self.assertEqual(decryptPin(pin3), '1234')
def comparePin(self, pin): log.debug("entering comparePin") res = False # check for a valid input if pin is None: log.error("no valid PIN!") return res if (self.isPinEncrypted() is True): log.debug("we got an encrypted PIN!") tokenPin = self.privacyIDEAPinHash[2:] decryptTokenPin = decryptPin(tokenPin) if (decryptTokenPin == pin): res = True else: log.debug("we got a hashed PIN!") if len(self.privacyIDEAPinHash) > 0: mypHash = self.getHashedPin(pin) else: mypHash = pin if (mypHash == self.privacyIDEAPinHash): res = True return res
def test_01_simple(self): with self.pkcs11: self.assertIsInstance(get_hsm(), AESHardwareSecurityModule) r = encryptPin("test") pin = decryptPin(r) self.assertEqual(pin, "test") self.assertTrue(get_hsm().is_ready) self.assertEqual(self.pkcs11.session_mock.encrypt.call_count, 1)
def test_01_simple(self): with self.pkcs11: self.assertIsInstance(get_hsm(), AESHardwareSecurityModule) r = encryptPin("test") pin = decryptPin(r) self.assertEqual(pin, "test") self.assertTrue(get_hsm().is_ready) self.assertEqual(self.pkcs11.session_mock.encrypt.call_count, 1)
def test_00_encrypt_decrypt_pin(self): r = encryptPin("test") pin = decryptPin(r) self.assertTrue(pin == "test", (r, pin))
def getPin(self): ret = -1 if self.isPinEncrypted() is True: tokenPin = self.privacyIDEAPinHash[2:] ret = decryptPin(tokenPin) return ret
def test_00_encrypt_decrypt_pin(self): r = encryptPin("test") pin = decryptPin(r) self.assertTrue(pin == "test", (r, pin))
def _rollout_2(self, params): ''' 2. https://privacyideaserver/admin/init? type=ocra& genkey=1& activationcode=AKTIVIERUNGSCODE& user=BENUTZERNAME& message=MESSAGE& session=SESSIONKEY =>> "serial" : SERIENNUMMER, "nonce" : DATAOBJECT, "transactionid" : "TRANSAKTIONSID, "app_import" : IMPORTURL - nonce - von HSM oder random ? - pkcs5 - kdf2 - es darf zur einer Zeit nur eine QR Token inaktiv (== im Ausrollzustand) sein !!!!! der Token wird über den User gefunden - seed = pdkdf2(nonce + activcode + shared secret) - challenge generiern - von urandom oder HSM ''' activationcode = params.get('activationcode', None) if activationcode is not None: ## genkey might have created a new key, so we have to rely on encSharedSecret = self.getFromTokenInfo('sharedSecret', None) if encSharedSecret is None: raise Exception ('missing shared secret of initialition for token %r' % (self.getSerial())) sharedSecret = decryptPin(encSharedSecret) ## we generate a nonce, which in the end is a challenge nonce = createNonce() self.addToTokenInfo('nonce', nonce) ## create a new key from the ocrasuite key_len = 20 if self.ocraSuite.find('-SHA256'): key_len = 32 elif self.ocraSuite.find('-SHA512'): key_len = 64 newkey = kdf2(sharedSecret, nonce, activationcode, key_len) self.setOtpKey(binascii.hexlify(newkey)) ## generate challenge, which is part of the app_import message = params.get('message', None) #(transid, challenge, _ret, url) = self.challenge(message) #self.createChallenge() (res, opt) = create_challenge(self, options=params) challenge = opt.get('challenge') url = opt.get('url') transid = opt.get('transactionid') ## generate response info = {} uInfo = {} info['serial'] = self.getSerial() uInfo['se'] = self.getSerial() info['nonce'] = nonce uInfo['no'] = nonce info['transactionid'] = transid uInfo['tr'] = transid info['challenge'] = challenge uInfo['ch'] = challenge if message is not None: uInfo['me'] = str(message.encode("utf-8")) ustr = urllib.urlencode({'u':str(url.encode("utf-8"))}) uInfo['u'] = ustr[2:] info['url'] = str(url.encode("utf-8")) app_import = 'lseqr://nonce?%s' % (urllib.urlencode(uInfo)) ## add a signature of the url signature = {'si': self.signData(app_import) } info['signature'] = signature.get('si') info['app_import'] = "%s&%s" % (app_import, urllib.urlencode(signature)) self.info = info ## setup new state self.addToTokenInfo('rollout', '2') self.enable(True) return