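def provision(p, args):
    """Provision a new VIP Access credential; print it, or save it to a dotfile.

    Args:
        p: Shared first argument of the sub-command handlers; unused here.
        args: Parsed options. Reads ``args.token_model``, ``args.print`` and
            ``args.dotfile``.

    Side effects: network calls through ``vp``, output on stdout, and in the
    save branch a umask change plus creation of ``args.dotfile``. Calls
    ``sys.exit(1)`` when the server does not accept the freshly-decrypted
    token.
    """
    request = vp.generate_request(token_model=args.token_model)
    response = vp.get_provisioning_response(request)
    otp_token = vp.get_token_from_response(response.content)
    otp_secret = vp.decrypt_key(otp_token['iv'], otp_token['cipher'])
    # b32encode() returns bytes; decode so the secret is printed/written as
    # text instead of a b'...' repr.
    otp_secret_b64 = base64.b32encode(otp_secret).upper().decode('ascii')
    if not vp.check_token(otp_token['id'], otp_secret):
        sys.stderr.write("Something went wrong--the token is invalid.\n")
        sys.exit(1)

    if args.print:
        otp_uri = vp.generate_otp_uri(otp_token['id'], otp_secret)
        print('Credential created successfully:\n\t' + otp_uri)
        print("This credential expires on this date: " + otp_token['expiry'])
        print('\nYou will need the ID to register this credential: ' + otp_token['id'])
        print('\nYou can use oathtool to generate the same OTP codes')
        print('as would be produced by the official VIP Access apps:\n')
        print('    oathtool -d6 -b --totp    {}  # 6-digit code'.format(otp_secret_b64))
        print('    oathtool -d6 -b --totp -v {}  # ... with extra information'.format(otp_secret_b64))
    else:
        os.umask(0o077)  # stoken does this too (security)
        dotfile_path = os.path.expanduser(args.dotfile)
        # O_EXCL refuses to clobber an existing dotfile (the original "wx"
        # mode is rejected by Python 3's open()); 0o600 keeps the secret
        # owner-only even if the umask is later relaxed.
        fd = os.open(dotfile_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, 'w') as dotfile:
            dotfile.write('version 1\n')
            dotfile.write('secret %s\n' % otp_secret_b64)
            dotfile.write('id %s\n' % otp_token['id'])
            dotfile.write('expiry %s\n' % otp_token['expiry'])
        print('Credential created and saved successfully: ' + dotfile_path)
        print('You will need the ID to register this credential: ' + otp_token['id'])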
def provision(p, args):
    """Provision a new VIP Access credential; print it, or save it to a dotfile.

    Args:
        p: Shared first argument of the sub-command handlers; unused here.
        args: Parsed options. Reads ``args.token_model``, ``args.print`` and
            ``args.dotfile``.

    Side effects: network calls through ``vp``, output on stdout (a warning
    on stderr when the server rejects the token), and in the save branch a
    umask change plus creation of ``args.dotfile`` (mode ``EXCL_WRITE``).
    """
    request = vp.generate_request(token_model=args.token_model)
    response = vp.get_provisioning_response(request)
    otp_token = vp.get_token_from_response(response.content)
    token_id = otp_token['id']
    otp_secret = vp.decrypt_key(otp_token['iv'], otp_token['cipher'])
    # b32encode() gives bytes; the secret is handled as text from here on.
    otp_secret_b32 = base64.b32encode(otp_secret).upper().decode('ascii')
    if not vp.check_token(token_id, otp_secret):
        print("WARNING: Something went wrong--the token could not be validated.",
              "    (check that your system time is set correctly)\n", file=sys.stderr)

    if not args.print:
        os.umask(0o077)  # stoken does this too (security)
        with open(os.path.expanduser(args.dotfile), EXCL_WRITE) as dotfile:
            dotfile.writelines([
                'version 1\n',
                'secret %s\n' % otp_secret_b32,
                'id %s\n' % token_id,
                'expiry %s\n' % otp_token['expiry'],
            ])
        print('Credential created and saved successfully: ' + dotfile.name)
        print('You will need the ID to register this credential: ' + token_id)
        return

    otp_uri = vp.generate_otp_uri(token_id, otp_secret)
    print('Credential created successfully:\n\t' + otp_uri)
    print("This credential expires on this date: " + otp_token['expiry'])
    print('\nYou will need the ID to register this credential: ' + token_id)
    print('\nYou can use oathtool to generate the same OTP codes')
    print('as would be produced by the official VIP Access apps:\n')
    for flags, note in (('   ', '6-digit code'), ('-v', '... with extra information')):
        print('    oathtool -d6 -b --totp %s %s  # %s' % (flags, otp_secret_b32, note))
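def check(p, args):
    """Check a credential against the VIP Access service, retrying with time skew.

    The secret comes either from ``args.secret`` or from the dotfile at
    ``args.dotfile`` (one ``key value`` pair per line, ``version 1``).

    Args:
        p: Parser-like object; ``p.error(msg)`` is called on bad input
            (presumably argparse's parser, which exits -- not visible here).
        args: Parsed options; reads ``args.secret``, ``args.identity`` and
            ``args.dotfile``.

    Side effects: reads the dotfile, opens a ``vp.requests.Session``, prints
    progress to stdout and a warning to stderr when no skew validates.
    """
    if args.secret:
        d, secret = {}, args.secret
    else:
        d = {}
        with open(args.dotfile, "r") as dotfile:
            for line in dotfile:
                # Split on the first whitespace run only (values may contain
                # spaces); skip blank lines and tolerate a key with no value
                # instead of letting dict() raise ValueError.
                parts = line.strip().split(None, 1)
                if parts:
                    d[parts[0]] = parts[1] if len(parts) > 1 else ''
        if 'version' not in d:
            p.error('%s does not specify version' % args.dotfile)
        elif d['version'] != '1':
            p.error("%s specifies version %r, rather than expected '1'" %
                    (args.dotfile, d['version']))
        elif 'secret' not in d:
            p.error('%s does not specify secret' % args.dotfile)
        secret = d['secret']

    # An explicit -I/--identity overrides whatever the dotfile says; only fail
    # when neither source supplies an id (the dotfile normally has an 'id' line).
    if args.identity:
        d['id'] = args.identity
    if not d.get('id'):
        p.error("Token identity unknown; specify with -I/--identity")

    try:
        key = oath.google_authenticator.lenient_b32decode(secret)
    except Exception as e:
        # lenient_b32decode is project code; the exception type it raises on
        # malformed input is not visible here, so the catch stays broad.
        p.error('error interpreting secret as base32: %s' % e)

    # Values read from the dotfile are strings; the skew arithmetic needs an int.
    d['period'] = int(d.get('period', 30))
    period = d['period']

    print("Checking token...")
    session = vp.requests.Session()
    # Try the current time first, then widening +/- offsets (half, one and
    # one-and-a-half periods) so a skewed local clock is diagnosed rather
    # than reported as a bad token.
    skews = (None, +period // 2, -period // 2, +period, -period,
             +period * 3 // 2, -period * 3 // 2)
    for skew in skews:
        if skew is None:
            if vp.check_token(d, key, session):
                print("Token is valid and working.")
                break
        else:
            print("Trying %+d seconds timeskew..." % skew)
            if vp.check_token(d, key, session, timestamp=time.time() + skew):
                print(
                    "Token is valid and working, but we had to skew by %+d seconds (check your system time)\n"
                    % skew)
                break
    else:
        print(
            "WARNING: Something went wrong--the token could not be validated.\n",
            file=sys.stderr)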
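def provision(p, args):
    """Provision a new VIP Access credential; print it, or save it to a dotfile.

    Args:
        p: Parser-like object; ``p.error(msg)`` is called on failure
            (presumably argparse's parser, which exits -- not visible here).
        args: Parsed options; reads ``args.token_model``, ``args.print``,
            ``args.issuer`` and ``args.dotfile``.

    Side effects: network calls through ``vp`` on one ``requests.Session``,
    progress on stdout, and in the save branch a umask change plus creation
    of ``args.dotfile`` (mode ``EXCL_WRITE``).
    """
    print("Generating request...")
    request = vp.generate_request(token_model=args.token_model)
    print("Fetching provisioning response from Symantec server...")
    session = vp.requests.Session()
    response = vp.get_provisioning_response(request, session)
    print("Getting token from response...")
    otp_token = vp.get_token_from_response(response.content)
    print("Decrypting token...")
    otp_secret = vp.decrypt_key(otp_token['iv'], otp_token['cipher'])
    otp_secret_b32 = base64.b32encode(otp_secret).upper().decode('ascii')
    # .get() so a token lacking these fields does not KeyError further down.
    period = otp_token.get('period')
    digits = otp_token.get('digits')

    print("Checking token against Symantec server...")
    if not vp.check_token(otp_token, otp_secret, session):
        p.error(
            "Something went wrong--the token could not be validated.\n"
            "    (Check your system time; it differs from the server's by %d seconds)\n"
            % otp_token['timeskew'])
    # The skew is reported with a sign (check() prints it with %+d), so compare
    # its magnitude: a clock that is *behind* the server must not pass silently.
    elif period is not None and abs(otp_token['timeskew']) > period / 10:
        p.error(
            "Your system time differs from the server's by %d seconds;\n"
            "    The offset would be 'baked in' to the newly-created token.\n"
            "    Fix system time and try again." % otp_token['timeskew'])

    if args.print:
        otp_uri = vp.generate_otp_uri(otp_token, otp_secret, args.issuer)
        print('Credential created successfully:\n\t' + otp_uri)
        print("This credential expires on this date: " + otp_token['expiry'])
        print('\nYou will need the ID to register this credential: ' +
              otp_token['id'])
        if period is not None and otp_token.get('counter') is None:
            print('\nYou can use oathtool to generate the same OTP codes')
            print('as would be produced by the official VIP Access apps:\n')
            # Only spell out -d/-s when the token deviates from oathtool's
            # defaults of 6 digits and a 30-second step.
            d = '-d{} '.format(digits) if digits != 6 else ''
            s = '-s{} '.format(period) if period != 30 else ''
            print('    oathtool    {}{}-b --totp {}  # output one code'
                  .format(d, s, otp_secret_b32))
            print('    oathtool -v {}{}-b --totp {}  # ... with extra information'
                  .format(d, s, otp_secret_b32))
    elif digits == 6 and otp_token.get('algorithm') == 'sha1' and period == 30:
        # The dotfile records only version/secret/id/expiry, so only a token
        # with the default digits/algorithm/period can be reproduced from it.
        os.umask(0o077)  # stoken does this too (security)
        with open(os.path.expanduser(args.dotfile), EXCL_WRITE) as dotfile:
            dotfile.write('version 1\n')
            dotfile.write('secret %s\n' % otp_secret_b32)
            dotfile.write('id %s\n' % otp_token['id'])
            dotfile.write('expiry %s\n' % otp_token['expiry'])
        print('Credential created and saved successfully: ' + dotfile.name)
        print('You will need the ID to register this credential: ' +
              otp_token['id'])
    else:
        p.error('Cannot currently save a token of this type (try -p to print)')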
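def provision(p, args):
    """Provision a new VIP Access credential; print it (plus a QR image), or save it.

    Args:
        p: Parser-like object; ``p.error(msg)`` is called when the token
            cannot be saved (presumably argparse's parser, which exits --
            not visible here).
        args: Parsed options; reads ``args.token_model``, ``args.print`` and
            ``args.dotfile``.

    Side effects: network calls through ``vp`` on one ``requests.Session``,
    progress on stdout (warning on stderr if validation fails), a umask
    change, and creation of either ``<id>.jpg`` in the current directory
    (print branch) or ``args.dotfile`` (save branch).
    """
    print("Generating request...")
    request = vp.generate_request(token_model=args.token_model)
    print("Fetching provisioning response...")
    session = vp.requests.Session()
    response = vp.get_provisioning_response(request, session)
    print("Getting token from response...")
    otp_token = vp.get_token_from_response(response.content)
    print("Decrypting token...")
    otp_secret = vp.decrypt_key(otp_token['iv'], otp_token['cipher'])
    otp_secret_b32 = base64.b32encode(otp_secret).upper().decode('ascii')
    print("Checking token...")
    if not vp.check_token(otp_token['id'], otp_secret, session):
        print("WARNING: Something went wrong--the token could not be validated.\n",
              "    (check your system time; it differs from the server's by %d seconds)\n" % otp_token['timeskew'],
              file=sys.stderr)

    token_id = otp_token['id']
    # 'VSMB' ids get a hex secret for a Yubikey and a 'count' line instead of
    # the 30-second period requirement (they appear to be counter-based).
    is_yubikey = token_id.startswith('VSMB')

    # Both the dotfile and the QR image carry the secret, so restrict the
    # permissions of anything created below (stoken does this too).
    os.umask(0o077)

    if args.print:
        otp_uri = vp.generate_otp_uri(otp_token, otp_secret)
        print('Credential created successfully:\n\t' + otp_uri)
        print("This credential expires on this date: " + otp_token['expiry'])
        print('\nYou will need the ID to register this credential: ' + token_id)
        if is_yubikey:
            otp_secret_hex = vp.decode_secret_hex(otp_secret)
            print('Secret in HEX for Yubikey: '+ otp_secret_hex)
        else:
            print('\nYou can use oathtool to generate the same OTP codes')
            print('as would be produced by the official VIP Access apps:\n')
            print('    Token is Time based TOTP Token')
            print('    oathtool -d6 -b --totp    {}  # 6-digit code'.format(otp_secret_b32))
            print('    oathtool -d6 -b --totp -v {}  # ... with extra information'.format(otp_secret_b32))
        print('Generating QR Code')
        qr_file = token_id + '.jpg'
        print('File will be saved as: ' + qr_file)
        # The image encodes otp_uri, i.e. the secret itself, into the
        # current working directory.
        qr_image = vp.generate_qr_code(otp_uri)
        qr_image.save(qr_file)
    else:
        # Report an unsupported token shape through p.error rather than assert:
        # assert is stripped under `python -O`, and the dotfile below only
        # records version/secret/id/expiry(/count).
        if (otp_token['digits'] != 6 or otp_token['algorithm'] != 'sha1'
                or (not is_yubikey and otp_token['period'] != 30)):
            p.error('Cannot currently save a token of this type (try -p to print)')
        with open(os.path.expanduser(args.dotfile), EXCL_WRITE) as dotfile:
            dotfile.write('version 1\n')
            dotfile.write('secret %s\n' % otp_secret_b32)
            dotfile.write('id %s\n' % token_id)
            dotfile.write('expiry %s\n' % otp_token['expiry'])
            if is_yubikey:
                # increase counter because we used 2 to test token
                # (newline-terminated like the other lines, so later appends
                # don't fuse onto this one)
                dotfile.write('count 2\n')
        print('Credential created and saved successfully: ' + dotfile.name)
        print('You will need the ID to register this credential: ' + token_id)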