def data(self):
"""Return a SignRequest."""
return SignRequest(
version=VERSION,
challenge=websafe_encode(self.challenge),
keyHandle=websafe_encode(self.binding.key_handle),
appId=self.binding.app_id
)
def start_authenticate(device, challenge=None):
device = DeviceRegistration.wrap(device)
if challenge is None:
challenge = rand_bytes(32)
return SignRequest(version=VERSION,
appId=device.appId,
keyHandle=device.keyHandle,
challenge=websafe_encode(challenge))
def verify_authenticate(device, request, response, valid_facets=None):
device = DeviceRegistration.wrap(device)
request = SignRequest.wrap(request)
response = SignResponse.wrap(response)
_validate_client_data(response.clientData, request.challenge,
"navigator.id.getAssertion", valid_facets)
raw_response = RawAuthenticationResponse(device.appParam,
response.clientParam,
response.signatureData)
raw_response.verify_signature(websafe_decode(device.publicKey))
return raw_response.counter_int, raw_response.user_presence
def getAssertion(self, request, facet="https://www.example.com"):
"""
signData = {
'version': "U2F_V2",
'challenge': websafe_encode(self.challenge),
'appId': self.binding.app_id,
'keyHandle': websafe_encode(self.binding.key_handle),
}
"""
if not isinstance(request, SignRequest):
request = SignRequest(request)
if request.version != "U2F_V2":
raise ValueError("Unsupported U2F version: %s" % request.version)
key_handle = websafe_decode(request.keyHandle)
if key_handle not in self.keys:
raise ValueError("Unknown key handle!")
# Client data
client_data = ClientData(
typ="navigator.id.getAssertion",
challenge=request['challenge'],
origin=facet
)
client_data = client_data.json.encode('utf-8')
client_param = sha_256(client_data)
# Unwrap:
priv_key, app_param = self.keys[key_handle]
# Increment counter
self.counter += 1
# Create signature
touch = int2byte(1)
counter = struct.pack('>I', self.counter)
data = app_param + touch + counter + client_param
signer = priv_key.signer(ec.ECDSA(hashes.SHA256()))
signer.update(data)
signature = signer.finalize()
raw_response = touch + counter + signature
return SignResponse(
clientData=websafe_encode(client_data),
signatureData=websafe_encode(raw_response),
keyHandle=request.keyHandle
)
def verify_authenticate(device, request, response, valid_facets=None):
device = DeviceRegistration.wrap(device)
request = SignRequest.wrap(request)
response = SignResponse.wrap(response)
_validate_client_data(response.clientData, request.challenge,
"navigator.id.getAssertion", valid_facets)
raw_response = RawAuthenticationResponse(
device.appParam,
response.clientParam,
response.signatureData
)
raw_response.verify_signature(websafe_decode(device.publicKey))
return raw_response.counter_int, raw_response.user_presence
def getAssertion(self,
request,
facet="https://www.example.com",
touch=False):
"""
signData = {
'version': "U2F_V2",
'challenge': websafe_encode(self.challenge),
'appId': self.binding.app_id,
'keyHandle': websafe_encode(self.binding.key_handle),
}
"""
if not isinstance(request, SignRequest):
request = SignRequest(request)
if request.version != "U2F_V2":
raise ValueError("Unsupported U2F version: %s" % request.version)
key_handle = websafe_decode(request.keyHandle)
if key_handle not in self.keys:
raise ValueError("Unknown key handle!")
# Client data
client_data = ClientData(typ="navigator.id.getAssertion",
challenge=request['challenge'],
origin=facet)
client_data = client_data.json
client_param = H(client_data)
# Unwrap:
privu, app_param = self.keys[key_handle]
# Increment counter
self.counter += 1
# Create signature
touch = chr(1 if touch else 0)
counter = struct.pack('>I', self.counter)
digest = H(app_param + touch + counter + client_param)
signature = privu.sign_dsa_asn1(digest)
raw_response = touch + counter + signature
return SignResponse(clientData=websafe_encode(client_data),
signatureData=websafe_encode(raw_response),
keyHandle=request.keyHandle)
def test_challenge(self):
req = SignRequest(challenge='Zm9vYmFy')
self.assertEqual('foobar', req.challenge)
def test_appParam(self):
req = SignRequest(appId='https://example.com')
self.assertEqual('\x10\x06\x80\xadTl\xe6\xa5w\xf4/R\xdf3\xb4\xcf'
'\xdc\xa7V\x85\x9efK\x8d}\xe3)\xb1P\xd0\x9c\xe9',
req.appParam)
def authenticateRequests(self):
return [SignRequest(x) for x in self['authenticateRequests']]