def getPin(self):
"""
:return: the value of the pin- if it is stored encrypted
"""
pin = ""
hsm = context["hsm"]
if self.token.isPinEncrypted():
_iv, enc_pin = self.token.get_encrypted_pin()
pin = SecretObj.decrypt_pin(enc_pin, hsm=hsm)
return pin
def getPin(self):
"""
:return: the value of the pin- if it is stored encrypted
"""
pin = ''
hsm = context['hsm']
if self.token.isPinEncrypted():
_iv, enc_pin = self.token.get_encrypted_pin()
pin = SecretObj.decrypt_pin(enc_pin, hsm=hsm)
return pin
def get_token_data(self):
"""
get all tokens
"""
tokens = Session.query(model_token).all()
for token in tokens:
token_data = {}
serial = token.LinOtpTokenSerialnumber
token_data['Serial'] = serial
if token.isPinEncrypted():
iv, enc_pin = token.get_encrypted_pin()
pin = SecretObj.decrypt_pin(enc_pin, hsm=self.hsm)
just_mac = serial + token.LinOtpPinHash
enc_value = self.crypter.encrypt(input_data=pin,
just_mac=just_mac)
token_data['TokenPin'] = enc_value
# the userpin is used in motp and ocra/ocra2 token
if token.LinOtpTokenPinUser:
key, iv = token.getUserPin()
user_pin = SecretObj.decrypt(key, iv, hsm=self.hsm)
just_mac = serial + token.LinOtpTokenPinUser
enc_value = self.crypter.encrypt(input_data=user_pin,
just_mac=just_mac)
token_data['TokenUserPin'] = enc_value
# then we retrieve as well the original value,
# to identify changes
encKey = token.LinOtpKeyEnc
key, iv = token.get_encrypted_seed()
secObj = SecretObj(key, iv, hsm=self.hsm)
seed = secObj.getKey()
enc_value = self.crypter.encrypt(input_data=seed,
just_mac=serial + encKey)
token_data['TokenSeed'] = enc_value
# next we look for tokens, where the pin is encrypted
yield token_data
def do_request(servers, env, user, passw, options):
"""
make the call to the foreign server
"""
log.debug("start request to foreign server: %r", servers)
for server in servers.split(" "):
parsed_server = urllib.parse.urlparse(server)
# the urlparse has a bug,, where in elder versions, the
# path is not split from the query
if not parsed_server.query:
path, _sep, query = parsed_server.path.partition("?")
else:
path = parsed_server.path
query = parsed_server.query
# finally we found the query parameters
params = urllib.parse.parse_qs(query)
for key, entry in list(params.items()):
params[key] = entry[0]
if "encsecret" in params:
params["secret"] = SecretObj.decrypt_pin(params["encsecret"])
del params["encsecret"]
parsed_list = list(parsed_server[:])
parsed_list[ForwardServerPolicy.Path_index] = path.strip()
parsed_list[ForwardServerPolicy.
Query_index] = urllib.parse.urlencode(params)
server_url = urllib.parse.urlunparse(tuple(parsed_list))
if "radius://" in server_url:
rad = RadiusRequest(server=server_url, env=env)
res, opt = rad.do_request(user, passw, options)
return res, opt
elif "http://" in server_url or "https://" in server_url:
http = HttpRequest(server=server_url, env=env)
res, opt = http.do_request(user, passw, options)
return res, opt
def get_token_data(self):
"""
get all tokens
"""
tokens = Session.query(model_token).all()
for token in tokens:
token_data = {}
serial = token.LinOtpTokenSerialnumber
token_data['Serial'] = serial
if token.isPinEncrypted():
iv, enc_pin = token.get_encrypted_pin()
pin = SecretObj.decrypt_pin(enc_pin, hsm=self.hsm)
just_mac = serial + token.LinOtpPinHash
enc_value = self.crypter.encrypt(input_data=pin,
just_mac=just_mac)
token_data['TokenPin'] = enc_value
# the userpin is used in motp and ocra/ocra2 token
if token.LinOtpTokenPinUser:
key, iv = token.getUserPin()
user_pin = SecretObj.decrypt(key, iv, hsm=self.hsm)
just_mac = serial + token.LinOtpTokenPinUser
enc_value = self.crypter.encrypt(input_data=user_pin,
just_mac=just_mac)
token_data['TokenUserPin'] = enc_value
# then we retrieve as well the original value,
# to identify changes
encKey = token.LinOtpKeyEnc
key, iv = token.get_encrypted_seed()
secObj = SecretObj(key, iv, hsm=self.hsm)
seed = secObj.getKey()
enc_value = self.crypter.encrypt(input_data=seed,
just_mac=serial + encKey)
token_data['TokenSeed'] = enc_value
# next we look for tokens, where the pin is encrypted
yield token_data
def _rollout_2(self, params):
'''
2.
https://linotpserver/admin/init?
type=ocra&
genkey=1&
activationcode=AKTIVIERUNGSCODE&
user=BENUTZERNAME&
message=MESSAGE&
session=SESSIONKEY
=>> "serial" : SERIENNUMMER, "nonce" : DATAOBJECT,
"transactionid" : "TRANSAKTIONSID, "app_import" : IMPORTURL
- nonce - von HSM oder random ?
- pkcs5 - kdf2
- es darf zur einer Zeit nur eine QR Token inaktiv
(== im Ausrollzustand) sein !!!!!
der Token wird über den User gefunden
- seed = pdkdf2(nonce + activcode + shared secret)
- challenge generiern - von urandom oder HSM
'''
activationcode = params.get('activationcode', None)
if activationcode is not None:
# genkey might have created a new key, so we have to rely on
encSharedSecret = self.getFromTokenInfo('sharedSecret', None)
if encSharedSecret is None:
raise Exception('missing shared secret of initialition'
' for token %r' % (self.getSerial()))
sharedSecret = SecretObj.decrypt_pin(encSharedSecret)
# we generate a nonce, which in the end is a challenge
nonce = createNonce()
self.addToTokenInfo('nonce', nonce)
# create a new key from the ocrasuite
key_len = 20
if self.ocraSuite.find('-SHA256'):
key_len = 32
elif self.ocraSuite.find('-SHA512'):
key_len = 64
newkey = kdf2(sharedSecret, nonce, activationcode, key_len)
self.setOtpKey(binascii.hexlify(newkey))
# generate challenge, which is part of the app_import
message = params.get('message', None)
(transid, challenge, _ret, url) = self.challenge(message)
# generate response
info = {}
uInfo = {}
info['serial'] = self.getSerial()
uInfo['se'] = self.getSerial()
info['nonce'] = nonce
uInfo['no'] = nonce
info['transactionid'] = transid
uInfo['tr'] = transid
info['challenge'] = challenge
uInfo['ch'] = challenge
if message is not None:
uInfo['me'] = str(message.encode("utf-8"))
ustr = urllib.parse.urlencode({'u': str(url.encode("utf-8"))})
uInfo['u'] = ustr[2:]
info['url'] = str(url.encode("utf-8"))
app_import = 'lseqr://nonce?%s' % (urllib.parse.urlencode(uInfo))
# add a signature of the url
signature = {'si': self.signData(app_import)}
info['signature'] = signature.get('si')
info['app_import'] = "%s&%s" % (app_import,
urllib.parse.urlencode(signature))
self.info = info
# setup new state
self.addToTokenInfo('rollout', '2')
self.enable(True)
return