def get_public_key(partition): """ reads the password config entry 'linotp.PublicKey.Partition.<partition>', extracts and decodes the public key and returns it as a 32 bytes. """ import linotp.lib.config key = 'linotp.PublicKey.Partition.%d' % partition # FIXME: unencryption should not happen at this early stage public_key_b64 = linotp.lib.config.getFromConfig(key).get_unencrypted() if not public_key_b64: raise ConfigAdminError('No public key found for %d' % partition) public_key = base64.b64decode(public_key_b64) # TODO: key type checking if len(public_key) != 32: raise ValidateError('Public key has an invalid ' 'format. Key must be 32 bytes long') return public_key
def get_secret_key(partition): """ reads the password config entry 'linotp.SecretKey.Partition.<partition>', extracts and decodes the secret key and returns it as a 32 bytes. """ import linotp.lib.config key = "linotp.SecretKey.Partition.%d" % partition # FIXME: unencryption should not happen at this early stage secret_key_b64 = linotp.lib.config.getFromConfig(key).get_unencrypted() if not secret_key_b64: raise ConfigAdminError("No secret key found for %d" % partition) secret_key = base64.b64decode(secret_key_b64) # TODO: key type checking if len(secret_key) != 64: raise ValidateError( "Secret key has an invalid format. Key must be 64 bytes long") return secret_key
def pair(self): try: # ------------------------------------------------------------------ params = dict(**request.params) enc_response = params.get('pairing_response') if enc_response is None: raise Exception('Parameter missing') # ------------------------------------------------------------------ dec_response = decrypt_pairing_response(enc_response) token_type = dec_response.token_type pairing_data = dec_response.pairing_data if not hasattr(pairing_data, 'serial') or \ pairing_data.serial is None: raise ValidateError( 'Pairing responses with no serial attached ' 'are currently not implemented.') # ------------------------------------------------------------------ # TODO: pairing policy tokens = getTokens4UserOrSerial(None, pairing_data.serial) if not tokens: raise Exception('Invalid serial in pairing response') if len(tokens) > 1: raise Exception('Multiple tokens found. Pairing not possible') token = tokens[0] # ------------------------------------------------------------------ if token.type != token_type: raise Exception('Serial in pairing response doesn\'t match ' 'supplied token_type') # ------------------------------------------------------------------ token.pair(pairing_data) Session.commit() return sendResult(response, False) # ---------------------------------------------------------------------- except Exception: Session.rollback() return sendResult(response, False, 0, status=False) finally: Session.close()
def pair(self): try: params = dict(**request.params) enc_response = params.get('pairing_response') if enc_response is None: raise Exception('Parameter missing') dec_response = decrypt_pairing_response(enc_response) if not dec_response.serial: raise ValidateError( 'Pairing responses with no serial attached ' 'are currently not implemented.') serial = dec_response.serial user_public_key = dec_response.user_public_key user_token_id = dec_response.user_token_id user = dec_response.user_login user = getUserFromParam(params, optional) # TODO: pairing policy tokens = getTokens4UserOrSerial(None, serial) if not tokens: raise Exception('Invalid serial in pairing response') if len(tokens) > 1: raise Exception('Multiple tokens found. Pairing not possible') token = tokens[0] if token.type != 'qr': raise Exception('Pairing is only implemented for the qrtoken') token.ensure_state('pairing_url_sent') token.addToTokenInfo('user_token_id', user_token_id) b64_user_public_key = b64encode(user_public_key) token.addToTokenInfo('user_public_key', b64_user_public_key) params['serial'] = serial params['user_public_key'] = user_public_key params['user_token_id'] = user_token_id params['user'] = user params['content_type'] = CONTENT_TYPE_PAIRING params['data'] = serial token.change_state('pairing_response_received') Session.commit() return sendResult(response, False) except Exception: Session.rollback() return sendResult(response, False, 0, status=False) finally: Session.close()
def get_qrtoken_public_key(cert_id='system'): """ reads the config entry 'linotp.QrTokenPublicKey', extracts and decodes the public key and returns it as a 32 bytes. """ import linotp.lib.config public_key_b64 = linotp.lib.config.getFromConfig('QrTokenPublicKey.' + cert_id) if not public_key_b64: raise ConfigAdminError('Missing entry QrTokenPublicKey') if not public_key_b64.startswith('qrtokenpk:'): raise ValidateError('Curve 25519 / QR secret key has an invalid ' 'format. Must begin with \'qrtokenpk:\'') public_key = base64.b64decode(public_key_b64[len('qrtokenpk:'):]) if len(public_key) != 32: raise ValidateError('Curve 25519 / QR public key has an invalid ' 'format. Key must be 32 bytes long') return public_key
def get_qrtoken_secret_key(cert_id='system'): """ reads the config entry 'enclinotp.QrTokenSecretKey', extracts and decodes the secret key and returns it as a 32 bytes. """ import linotp.lib.config secret_key_b64 = linotp.lib.config.getFromConfig( 'enclinotp.QrTokenSecretKey.' + cert_id) if not secret_key_b64: raise ConfigAdminError('Missing entry QrTokenSecretKey') if not secret_key_b64.startswith('qrtokensk:'): raise ValidateError('QR secret key has an invalid ' 'format. Must begin with \'qrtokensk:\'') secret_key = base64.b64decode(secret_key_b64[len('qrtokensk:'):]) if len(secret_key) != 64: raise ValidateError('QR secret key has an invalid ' 'format. Key must be 64 bytes long') return secret_key
def get_public_key(partition): """ reads the config entry 'enclinotp.PublicKey.Partition.<partition>', extracts and decodes the public key and returns it as a 32 bytes. """ import linotp.lib.config public_key_b64 = linotp.lib.config.getFromConfig( 'enclinotp.PublicKey.Partition.%d' % partition) if not public_key_b64: raise ConfigAdminError('No public key found for %d' % partition) public_key = base64.b64decode(public_key_b64) # TODO: key type checking if len(public_key) != 32: raise ValidateError('Public key has an invalid ' 'format. Key must be 32 bytes long') return public_key
def get_secret_key(partition): """ reads the config entry 'enclinotp.SecretKey.Partition.<partition>', extracts and decodes the secret key and returns it as a 32 bytes. """ import linotp.lib.config secret_key_b64 = linotp.lib.config.getFromConfig( 'enclinotp.SecretKey.Partition.%d' % partition) if not secret_key_b64: raise ConfigAdminError('No secret key found for %d' % partition) secret_key = base64.b64decode(secret_key_b64) # TODO: key type checking if len(secret_key) != 64: raise ValidateError('Secret key has an invalid ' 'format. Key must be 64 bytes long') return secret_key
def pair(self): """ validate/pair: for the enrollment of qr and push token """ try: # -------------------------------------------------------------- -- enc_response = self.request_params.get('pairing_response') if enc_response is None: raise Exception('Parameter missing') # -------------------------------------------------------------- -- dec_response = decrypt_pairing_response(enc_response) token_type = dec_response.token_type pairing_data = dec_response.pairing_data if not hasattr(pairing_data, 'serial') or \ pairing_data.serial is None: raise ValidateError('Pairing responses with no serial attached' ' are currently not implemented.') # --------------------------------------------------------------- - # TODO: pairing policy tokens = getTokens4UserOrSerial(None, pairing_data.serial) if not tokens: raise Exception('Invalid serial in pairing response') if len(tokens) > 1: raise Exception('Multiple tokens found. Pairing not possible') token = tokens[0] # prepare some audit entries t_owner = token.getUser() realms = token.getRealms() realm = '' if realms: realm = realms[0] c.audit['user'] = t_owner or '' c.audit['realm'] = realm # --------------------------------------------------------------- -- if token.type != token_type: raise Exception('Serial in pairing response doesn\'t match ' 'supplied token_type') # --------------------------------------------------------------- -- token.pair(pairing_data) c.audit['success'] = 1 Session.commit() return sendResult(response, False) # ------------------------------------------------------------------- -- except Exception as exx: log.exception("validate/pair failed: %r" % exx) c.audit['info'] = unicode(exx) Session.rollback() return sendResult(response, False, 0, status=False) finally: Session.close()
def pair(self): """ validate/pair: for the enrollment of qr and push token """ try: # -------------------------------------------------------------- -- enc_response = self.request_params.get("pairing_response") if enc_response is None: raise Exception("Parameter missing") # -------------------------------------------------------------- -- dec_response = decrypt_pairing_response(enc_response) token_type = dec_response.token_type pairing_data = dec_response.pairing_data if ( not hasattr(pairing_data, "serial") or pairing_data.serial is None ): raise ValidateError( "Pairing responses with no serial attached" " are currently not implemented." ) # --------------------------------------------------------------- - # TODO: pairing policy tokens = getTokens4UserOrSerial(None, pairing_data.serial) if not tokens: raise Exception("Invalid serial in pairing response") if len(tokens) > 1: raise Exception("Multiple tokens found. Pairing not possible") token = tokens[0] # prepare some audit entries t_owner = token.getUser() realms = token.getRealms() realm = "" if realms: realm = realms[0] g.audit["user"] = t_owner or "" g.audit["realm"] = realm # --------------------------------------------------------------- -- if token.type != token_type: raise Exception( "Serial in pairing response doesn't match " "supplied token_type" ) # --------------------------------------------------------------- -- token.pair(pairing_data) g.audit["success"] = 1 g.audit["serial"] = token.getSerial() db.session.commit() return sendResult(response, False) # ------------------------------------------------------------------- -- except Exception as exx: log.error("validate/pair failed: %r", exx) g.audit["info"] = str(exx) db.session.rollback() return sendResult(response, False, 0, status=False)