def challenge(self, data, session='', typ='raw', challenge=None):
'''
the challenge method is for creating an transaction / challenge object
remark: the transaction has a maximum lifetime and a reference to
the OcraSuite token (serial)
:param data: data, which is the base for the challenge or None
:type data: string or None
:param session: session support for ocratokens
:type session: string
:type typ: define, which kind of challenge base should be used
could be raw - take the data input as is
(extract chars accordind challenge definition Q)
or random - will generate a random input
or hased - will take the hash of the input data
:return: challenge response containing the transcation id and the
challenge for the ocrasuite
:rtype : tuple of (transId(string), challenge(string))
'''
log.debug('[challenge] %r: %r: %r' % (data, session, challenge))
secretHOtp = self.token.getHOtpKey()
ocraSuite = OcraSuite(self.getOcraSuiteSuite(), secretHOtp)
if data is None or len(data) == 0:
typ = 'random'
if challenge is None:
if typ == 'raw':
challenge = ocraSuite.data2rawChallenge(data)
elif typ == 'random':
challenge = ocraSuite.data2randomChallenge(data)
elif typ == 'hash':
challenge = ocraSuite.data2hashChallenge(data)
log.debug('[Ocra2TokenClass] challenge: %r ' % (challenge))
counter = self.getOtpCount()
## set the pin onyl in the compliant hashed mode
pin = ''
if ocraSuite.P is not None:
pinObj = self.token.getUserPin()
pin = pinObj.getKey()
try:
param = {}
param['C'] = counter
param['Q'] = challenge
param['P'] = pin
param['S'] = session
if ocraSuite.T is not None:
now = datetime.datetime.now()
stime = now.strftime("%s")
itime = int(stime)
param['T'] = itime
''' verify that the data is compliant with the OcraSuitesuite
and the client is able to calc the otp
'''
c_data = ocraSuite.combineData(**param)
ocraSuite.compute(c_data)
except Exception as ex:
log.error("[Ocra2TokenClass] %r" % (traceback.format_exc()))
raise Exception('[Ocra2TokenClass] Failed to create ocrasuite '
'challenge: %r' % (ex))
## create a non exisiting challenge
try:
(res, opt) = create_challenge(self, options={'messgae': data})
transid = opt.get('transactionid')
challenge = opt.get('challenge')
except Exception as ex:
## this might happen if we have a db problem or
## the uniqnes constrain does not fit
log.error("[Ocra2TokenClass] %r" % (traceback.format_exc()))
raise Exception('[Ocra2TokenClass] Failed to create '
'challenge object: %s' % (ex))
realm = None
realms = self.token.getRealms()
if len(realms) > 0:
realm = realms[0]
url = ''
if realm is not None:
url = get_qrtan_url(realm.name)
log.debug('[challenge]: %r: %r: %r' % (transid, challenge, url))
return (transid, challenge, True, url)
def _rollout_2(self, params):
'''
2.
https://linotpserver/admin/init?
type=ocra&
genkey=1&
activationcode=AKTIVIERUNGSCODE&
user=BENUTZERNAME&
message=MESSAGE&
session=SESSIONKEY
=>> "serial" : SERIENNUMMER, "nonce" : DATAOBJECT, "transactionid" : "TRANSAKTIONSID, "app_import" : IMPORTURL
- nonce - von HSM oder random ?
- pkcs5 - kdf2
- es darf zur einer Zeit nur eine QR Token inaktiv (== im Ausrollzustand) sein !!!!!
der Token wird über den User gefunden
- seed = pdkdf2(nonce + activcode + shared secret)
- challenge generiern - von urandom oder HSM
'''
log.debug('[_rollout_2] %r ' % (params))
activationcode = params.get('activationcode', None)
if activationcode is not None:
## genkey might have created a new key, so we have to rely on
encSharedSecret = self.getFromTokenInfo('sharedSecret', None)
if encSharedSecret is None:
raise Exception ('missing shared secret of initialition for token %r' % (self.getSerial()))
sharedSecret = decryptPin(encSharedSecret)
## we generate a nonce, which in the end is a challenge
nonce = createNonce()
self.addToTokenInfo('nonce', nonce)
## create a new key from the ocrasuite
key_len = 20
if self.ocraSuite.find('-SHA256'):
key_len = 32
elif self.ocraSuite.find('-SHA512'):
key_len = 64
newkey = kdf2(sharedSecret, nonce, activationcode, key_len)
self.setOtpKey(binascii.hexlify(newkey))
## generate challenge, which is part of the app_import
message = params.get('message', None)
#(transid, challenge, _ret, url) = self.challenge(message)
#self.createChallenge()
(res, opt) = create_challenge(self, options=params)
challenge = opt.get('challenge')
url = opt.get('url')
transid = opt.get('transactionid')
## generate response
info = {}
uInfo = {}
info['serial'] = self.getSerial()
uInfo['se'] = self.getSerial()
info['nonce'] = nonce
uInfo['no'] = nonce
info['transactionid'] = transid
uInfo['tr'] = transid
info['challenge'] = challenge
uInfo['ch'] = challenge
if message is not None:
uInfo['me'] = str(message.encode("utf-8"))
ustr = urllib.urlencode({'u':str(url.encode("utf-8"))})
uInfo['u'] = ustr[2:]
info['url'] = str(url.encode("utf-8"))
app_import = 'lseqr://nonce?%s' % (urllib.urlencode(uInfo))
## add a signature of the url
signature = {'si': self.signData(app_import) }
info['signature'] = signature.get('si')
info['app_import'] = "%s&%s" % (app_import, urllib.urlencode(signature))
self.info = info
## setup new state
self.addToTokenInfo('rollout', '2')
self.enable(True)
log.debug('[_rollout_2]:')
return
