def get_public_key(partition):
"""
reads the password config entry 'linotp.PublicKey.Partition.<partition>',
extracts and decodes the public key and returns it as a 32 bytes.
"""
import linotp.lib.config
key = 'linotp.PublicKey.Partition.%d' % partition
# FIXME: unencryption should not happen at this early stage
public_key_b64 = linotp.lib.config.getFromConfig(key).get_unencrypted()
if not public_key_b64:
raise ConfigAdminError('No public key found for %d' % partition)
public_key = base64.b64decode(public_key_b64)
# TODO: key type checking
if len(public_key) != 32:
raise ValidateError('Public key has an invalid '
'format. Key must be 32 bytes long')
return public_key
def get_secret_key(partition):
"""
reads the password config entry 'linotp.SecretKey.Partition.<partition>',
extracts and decodes the secret key and returns it as a 32 bytes.
"""
import linotp.lib.config
key = "linotp.SecretKey.Partition.%d" % partition
# FIXME: unencryption should not happen at this early stage
secret_key_b64 = linotp.lib.config.getFromConfig(key).get_unencrypted()
if not secret_key_b64:
raise ConfigAdminError("No secret key found for %d" % partition)
secret_key = base64.b64decode(secret_key_b64)
# TODO: key type checking
if len(secret_key) != 64:
raise ValidateError(
"Secret key has an invalid format. Key must be 64 bytes long")
return secret_key
def pair(self):
try:
# ------------------------------------------------------------------
params = dict(**request.params)
enc_response = params.get('pairing_response')
if enc_response is None:
raise Exception('Parameter missing')
# ------------------------------------------------------------------
dec_response = decrypt_pairing_response(enc_response)
token_type = dec_response.token_type
pairing_data = dec_response.pairing_data
if not hasattr(pairing_data, 'serial') or \
pairing_data.serial is None:
raise ValidateError(
'Pairing responses with no serial attached '
'are currently not implemented.')
# ------------------------------------------------------------------
# TODO: pairing policy
tokens = getTokens4UserOrSerial(None, pairing_data.serial)
if not tokens:
raise Exception('Invalid serial in pairing response')
if len(tokens) > 1:
raise Exception('Multiple tokens found. Pairing not possible')
token = tokens[0]
# ------------------------------------------------------------------
if token.type != token_type:
raise Exception('Serial in pairing response doesn\'t match '
'supplied token_type')
# ------------------------------------------------------------------
token.pair(pairing_data)
Session.commit()
return sendResult(response, False)
# ----------------------------------------------------------------------
except Exception:
Session.rollback()
return sendResult(response, False, 0, status=False)
finally:
Session.close()
def pair(self):
try:
params = dict(**request.params)
enc_response = params.get('pairing_response')
if enc_response is None:
raise Exception('Parameter missing')
dec_response = decrypt_pairing_response(enc_response)
if not dec_response.serial:
raise ValidateError(
'Pairing responses with no serial attached '
'are currently not implemented.')
serial = dec_response.serial
user_public_key = dec_response.user_public_key
user_token_id = dec_response.user_token_id
user = dec_response.user_login
user = getUserFromParam(params, optional)
# TODO: pairing policy
tokens = getTokens4UserOrSerial(None, serial)
if not tokens:
raise Exception('Invalid serial in pairing response')
if len(tokens) > 1:
raise Exception('Multiple tokens found. Pairing not possible')
token = tokens[0]
if token.type != 'qr':
raise Exception('Pairing is only implemented for the qrtoken')
token.ensure_state('pairing_url_sent')
token.addToTokenInfo('user_token_id', user_token_id)
b64_user_public_key = b64encode(user_public_key)
token.addToTokenInfo('user_public_key', b64_user_public_key)
params['serial'] = serial
params['user_public_key'] = user_public_key
params['user_token_id'] = user_token_id
params['user'] = user
params['content_type'] = CONTENT_TYPE_PAIRING
params['data'] = serial
token.change_state('pairing_response_received')
Session.commit()
return sendResult(response, False)
except Exception:
Session.rollback()
return sendResult(response, False, 0, status=False)
finally:
Session.close()
def get_qrtoken_public_key(cert_id='system'):
"""
reads the config entry 'linotp.QrTokenPublicKey',
extracts and decodes the public key and returns it as a 32 bytes.
"""
import linotp.lib.config
public_key_b64 = linotp.lib.config.getFromConfig('QrTokenPublicKey.' +
cert_id)
if not public_key_b64:
raise ConfigAdminError('Missing entry QrTokenPublicKey')
if not public_key_b64.startswith('qrtokenpk:'):
raise ValidateError('Curve 25519 / QR secret key has an invalid '
'format. Must begin with \'qrtokenpk:\'')
public_key = base64.b64decode(public_key_b64[len('qrtokenpk:'):])
if len(public_key) != 32:
raise ValidateError('Curve 25519 / QR public key has an invalid '
'format. Key must be 32 bytes long')
return public_key
def get_qrtoken_secret_key(cert_id='system'):
"""
reads the config entry 'enclinotp.QrTokenSecretKey',
extracts and decodes the secret key and returns it as a 32 bytes.
"""
import linotp.lib.config
secret_key_b64 = linotp.lib.config.getFromConfig(
'enclinotp.QrTokenSecretKey.' + cert_id)
if not secret_key_b64:
raise ConfigAdminError('Missing entry QrTokenSecretKey')
if not secret_key_b64.startswith('qrtokensk:'):
raise ValidateError('QR secret key has an invalid '
'format. Must begin with \'qrtokensk:\'')
secret_key = base64.b64decode(secret_key_b64[len('qrtokensk:'):])
if len(secret_key) != 64:
raise ValidateError('QR secret key has an invalid '
'format. Key must be 64 bytes long')
return secret_key
def get_public_key(partition):
"""
reads the config entry 'enclinotp.PublicKey.Partition.<partition>',
extracts and decodes the public key and returns it as a 32 bytes.
"""
import linotp.lib.config
public_key_b64 = linotp.lib.config.getFromConfig(
'enclinotp.PublicKey.Partition.%d' % partition)
if not public_key_b64:
raise ConfigAdminError('No public key found for %d' % partition)
public_key = base64.b64decode(public_key_b64)
# TODO: key type checking
if len(public_key) != 32:
raise ValidateError('Public key has an invalid '
'format. Key must be 32 bytes long')
return public_key
def get_secret_key(partition):
"""
reads the config entry 'enclinotp.SecretKey.Partition.<partition>',
extracts and decodes the secret key and returns it as a 32 bytes.
"""
import linotp.lib.config
secret_key_b64 = linotp.lib.config.getFromConfig(
'enclinotp.SecretKey.Partition.%d' % partition)
if not secret_key_b64:
raise ConfigAdminError('No secret key found for %d' % partition)
secret_key = base64.b64decode(secret_key_b64)
# TODO: key type checking
if len(secret_key) != 64:
raise ValidateError('Secret key has an invalid '
'format. Key must be 64 bytes long')
return secret_key
def pair(self):
"""
validate/pair: for the enrollment of qr and push token
"""
try:
# -------------------------------------------------------------- --
enc_response = self.request_params.get('pairing_response')
if enc_response is None:
raise Exception('Parameter missing')
# -------------------------------------------------------------- --
dec_response = decrypt_pairing_response(enc_response)
token_type = dec_response.token_type
pairing_data = dec_response.pairing_data
if not hasattr(pairing_data, 'serial') or \
pairing_data.serial is None:
raise ValidateError('Pairing responses with no serial attached'
' are currently not implemented.')
# --------------------------------------------------------------- -
# TODO: pairing policy
tokens = getTokens4UserOrSerial(None, pairing_data.serial)
if not tokens:
raise Exception('Invalid serial in pairing response')
if len(tokens) > 1:
raise Exception('Multiple tokens found. Pairing not possible')
token = tokens[0]
# prepare some audit entries
t_owner = token.getUser()
realms = token.getRealms()
realm = ''
if realms:
realm = realms[0]
c.audit['user'] = t_owner or ''
c.audit['realm'] = realm
# --------------------------------------------------------------- --
if token.type != token_type:
raise Exception('Serial in pairing response doesn\'t match '
'supplied token_type')
# --------------------------------------------------------------- --
token.pair(pairing_data)
c.audit['success'] = 1
Session.commit()
return sendResult(response, False)
# ------------------------------------------------------------------- --
except Exception as exx:
log.exception("validate/pair failed: %r" % exx)
c.audit['info'] = unicode(exx)
Session.rollback()
return sendResult(response, False, 0, status=False)
finally:
Session.close()
def pair(self):
"""
validate/pair: for the enrollment of qr and push token
"""
try:
# -------------------------------------------------------------- --
enc_response = self.request_params.get("pairing_response")
if enc_response is None:
raise Exception("Parameter missing")
# -------------------------------------------------------------- --
dec_response = decrypt_pairing_response(enc_response)
token_type = dec_response.token_type
pairing_data = dec_response.pairing_data
if (
not hasattr(pairing_data, "serial")
or pairing_data.serial is None
):
raise ValidateError(
"Pairing responses with no serial attached"
" are currently not implemented."
)
# --------------------------------------------------------------- -
# TODO: pairing policy
tokens = getTokens4UserOrSerial(None, pairing_data.serial)
if not tokens:
raise Exception("Invalid serial in pairing response")
if len(tokens) > 1:
raise Exception("Multiple tokens found. Pairing not possible")
token = tokens[0]
# prepare some audit entries
t_owner = token.getUser()
realms = token.getRealms()
realm = ""
if realms:
realm = realms[0]
g.audit["user"] = t_owner or ""
g.audit["realm"] = realm
# --------------------------------------------------------------- --
if token.type != token_type:
raise Exception(
"Serial in pairing response doesn't match "
"supplied token_type"
)
# --------------------------------------------------------------- --
token.pair(pairing_data)
g.audit["success"] = 1
g.audit["serial"] = token.getSerial()
db.session.commit()
return sendResult(response, False)
# ------------------------------------------------------------------- --
except Exception as exx:
log.error("validate/pair failed: %r", exx)
g.audit["info"] = str(exx)
db.session.rollback()
return sendResult(response, False, 0, status=False)
