def hello(request):
client_hello = request.decrypted_json
try:
client_key = PublicKey.objects.get(
fingerprint=client_hello["client_key_fingerprint"])
except PublicKey.DoesNotExist:
return HttpResponseForbidden("Unknown client: %s" %
client_hello["client_key_fingerprint"])
response = {
"client_guid": client_hello["client_guid"],
"server_guid": random_guid(),
"expires": None,
"server_key_fingerprint": SERVER_KEY_FINGERPRINT
}
started_session = PQAuthSession(server_guid=response["server_guid"],
client_guid=response["client_guid"],
user=client_key.user)
started_session.save()
encrypted_response = rsa_encrypt(json.dumps(response),
client_key.public_key)
return HttpResponse(encrypted_response,
mimetype="application/pqauth-encrypted")
def get_hello_message(self):
self.client_guid = crypto.random_guid()
hello_message = {"client_guid": self.client_guid,
"client_key_fingerprint": self.client_key_fprint}
return hello_message
def test_mystery_confirmation_guid(self):
# Confirmation server_guid not in the DB
pqa_client = get_pqa_client()
unknown_confirmation = {"server_guid": crypto.random_guid()}
encrypted = pqa_client.encrypt_for_server(unknown_confirmation)
confirm_resp = self.client.generic("POST", reverse(confirm), data=encrypted)
self.assertEquals(200, confirm_resp.status_code)
n_sessions = PQAuthSession.objects.count()
self.assertEquals(0, n_sessions)
def test_mystery_confirmation_guid(self):
# Confirmation server_guid not in the DB
pqa_client = get_pqa_client()
unknown_confirmation = {"server_guid": crypto.random_guid()}
encrypted = pqa_client.encrypt_for_server(unknown_confirmation)
confirm_resp = self.client.generic("POST",
reverse(confirm),
data=encrypted)
self.assertEquals(200, confirm_resp.status_code)
n_sessions = PQAuthSession.objects.count()
self.assertEquals(0, n_sessions)
def client_whatup_message(client_public_key):
"""
Authentication Step 1
Client sends a nonce to the server, along with a key fingerprint
that identifies the client. The server has prior knowledge of the client's
public key, and can look up the entire key given the fingerprint.
Client: "What up, server?"
"""
message = {"client_key_fingerprint": public_key_fingerprint(client_public_key),
"client_guid": random_guid()}
return message
def hello(request):
client_hello = request.decrypted_json
try:
client_key = PublicKey.objects.get(fingerprint=client_hello["client_key_fingerprint"])
except PublicKey.DoesNotExist:
return HttpResponseForbidden("Unknown client: %s" % client_hello["client_key_fingerprint"])
response = {
"client_guid": client_hello["client_guid"],
"server_guid": random_guid(),
"expires": None,
"server_key_fingerprint": SERVER_KEY_FINGERPRINT,
}
started_session = PQAuthSession(
server_guid=response["server_guid"], client_guid=response["client_guid"], user=client_key.user
)
started_session.save()
encrypted_response = rsa_encrypt(json.dumps(response), client_key.public_key)
return HttpResponse(encrypted_response, mimetype="application/pqauth-encrypted")
def server_yaheard_message(client_guid, server_public_key, expires=None):
"""
Authentication Step 2
Server sends its own nonce back to the client, along with the nonce
the client sends. Server also sends its own identity fingerprint.
Optionally, the server may send an "expires" timestamp, after which
the session key will no longer be honored.
While not necessarily used for a key lookup on the client side, this
mitigates a Man-In-The-Middle attack on the protocol, provided the
client checks that the server's fingerprint matches the key the client
is using to encrypt messages for the server.
Server: "Yo dogg. Here's my nonce, ya heard?"
"""
message = {"client_guid": client_guid,
"server_guid": random_guid(),
"expires": expires,
"server_key_fingerprint": public_key_fingerprint(server_public_key)}
return message
