def authenticate_start(self, username, invalidate=False): user = self._get_user(username) if user is None or len(user.devices) == 0: log.info('User "%s" has no devices registered', username) raise NoEligibleDevicesException('No devices registered', []) sign_requests = [] descriptors = [] challenges = {} rand = rand_bytes(32) for handle, dev in user.devices.items(): if not dev.compromised: challenge = start_authenticate(dev.bind_data, rand) sign_requests.append(challenge) descriptors.append(dev.get_descriptor( self._metadata.get_metadata(dev))) challenges[handle] = { 'keyHandle': challenge.keyHandle, 'challenge': challenge } if not sign_requests: raise NoEligibleDevicesException( 'All devices compromised', [d.get_descriptor() for d in user.devices.values()] ) self._memstore.store(self._client.id, username, rand, challenges) return sign_requests, descriptors
def authenticate_start(self, username, setChallenge=None, invalidate=False): user = self._get_user(username) if user is None or len(user.devices) == 0: log.info('User "%s" has no devices registered', username) raise NoEligableDevicesException('No devices registered', []) sign_requests = [] challenges = {} if setChallenge: rand = setChallenge.decode("hex") else: rand = rand_bytes(32) for handle, dev in user.devices.items(): if not dev.compromised: challenge = start_authenticate(dev.bind_data, rand) sign_requests.append(challenge) challenges[handle] = { 'keyHandle': challenge.keyHandle, 'challenge': challenge } if not sign_requests: raise NoEligableDevicesException( 'All devices compromised', [d.get_descriptor() for d in user.devices.values()] ) self._memstore.store(self._client.id, username, rand, challenges) return sign_requests
def start_register(app_id, challenge=None): if challenge is None: challenge = rand_bytes(32) return RegisterRequest(version=VERSION, appId=app_id, challenge=websafe_encode(challenge))
def __init__(self, binding, challenge=None): self.binding = binding self.app_param = H(binding.app_id.encode('idna')) if challenge is None: self.challenge = rand_bytes(32) else: self.challenge = challenge
def start_register(app_id, challenge=None): if challenge is None: challenge = rand_bytes(32) return RegisterRequest( version=VERSION, appId=app_id, challenge=websafe_encode(challenge) )
def start_authenticate(device, challenge=None): device = DeviceRegistration.wrap(device) if challenge is None: challenge = rand_bytes(32) return SignRequest(version=VERSION, appId=device.appId, keyHandle=device.keyHandle, challenge=websafe_encode(challenge))
def start_authenticate(device, challenge=None): device = DeviceRegistration.wrap(device) if challenge is None: challenge = rand_bytes(32) return SignRequest( version=VERSION, appId=device.appId, keyHandle=device.keyHandle, challenge=websafe_encode(challenge) )
def __init__(self, app_id, facets=None, challenge=None): self.app_id = app_id self.app_param = H(app_id.encode('idna')) if facets is None: self.facets = [] else: self.facets = facets if challenge is None: self.challenge = rand_bytes(32) else: self.challenge = challenge
def register(self, request, facet="https://www.example.com"): """ RegisterRequest = { "version": "U2F_V2", "challenge": string, //b64 encoded challenge "appId": string, //app_id } """ if not isinstance(request, RegisterRequest): request = RegisterRequest(request) if request.version != "U2F_V2": raise ValueError("Unsupported U2F version: %s" % request.version) # Client data client_data = ClientData(typ='navigator.id.finishEnrollment', challenge=request['challenge'], origin=facet) client_data = client_data.json.encode('utf-8') client_param = sha_256(client_data) # ECC key generation priv_key = ec.generate_private_key(CURVE, default_backend()) pub_key = priv_key.public_key().public_bytes( Encoding.DER, PublicFormat.SubjectPublicKeyInfo) pub_key = pub_key[-65:] # Store key_handle = rand_bytes(64) app_param = request.appParam self.keys[key_handle] = (priv_key, app_param) # Attestation signature cert_priv = load_pem_private_key(CERT_PRIV, password=None, backend=default_backend()) cert = CERT data = b'\x00' + app_param + client_param + key_handle + pub_key signer = cert_priv.signer(ec.ECDSA(hashes.SHA256())) signer.update(data) signature = signer.finalize() raw_response = (b'\x05' + pub_key + int2byte(len(key_handle)) + key_handle + cert + signature) return RegisterResponse( registrationData=websafe_encode(raw_response), clientData=websafe_encode(client_data), )
def register( self, data, facet="https://www.example.com", ): """ data = { "version": "U2F_V2", "challenge": string, //b64 encoded challenge "appId": string, //app_id } """ if isinstance(data, basestring): data = json.loads(data) if data['version'] != "U2F_V2": raise ValueError("Unsupported U2F version: %s" % data['version']) # Client data client_data = { 'typ': "navigator.id.finishEnrollment", 'challenge': data['challenge'], 'origin': facet } client_data = json.dumps(client_data) client_param = H(client_data) # ECC key generation privu = EC.gen_params(CURVE) privu.gen_key() pub_key = str(privu.pub().get_der())[-65:] # Store key_handle = rand_bytes(64) app_param = H(data['appId']) self.keys[key_handle] = (privu, app_param) # Attestation signature cert_priv = EC.load_key_bio(BIO.MemoryBuffer(CERT_PRIV)) cert = CERT digest = H(chr(0x00) + app_param + client_param + key_handle + pub_key) signature = cert_priv.sign_dsa_asn1(digest) raw_response = chr(0x05) + pub_key + chr(len(key_handle)) + \ key_handle + cert + signature return json.dumps({ "registrationData": websafe_encode(raw_response), "clientData": websafe_encode(client_data), })
def register(self, request, facet="https://www.example.com"): """ RegisterRequest = { "version": "U2F_V2", "challenge": string, //b64 encoded challenge "appId": string, //app_id } """ if not isinstance(request, RegisterRequest): request = RegisterRequest(request) if request.version != "U2F_V2": raise ValueError("Unsupported U2F version: %s" % request.version) # Client data client_data = ClientData( typ='navigator.id.finishEnrollment', challenge=request['challenge'], origin=facet ) client_data = client_data.json.encode('utf-8') client_param = sha_256(client_data) # ECC key generation priv_key = ec.generate_private_key(CURVE, default_backend()) pub_key = priv_key.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo) pub_key = pub_key[-65:] # Store key_handle = rand_bytes(64) app_param = request.appParam self.keys[key_handle] = (priv_key, app_param) # Attestation signature cert_priv = load_pem_private_key(CERT_PRIV, password=None, backend=default_backend()) cert = CERT data = b'\x00' + app_param + client_param + key_handle + pub_key signer = cert_priv.signer(ec.ECDSA(hashes.SHA256())) signer.update(data) signature = signer.finalize() raw_response = (b'\x05' + pub_key + int2byte(len(key_handle)) + key_handle + cert + signature) return RegisterResponse( registrationData=websafe_encode(raw_response), clientData=websafe_encode(client_data), )
def get_context_data(self, **kwargs): ctx = super().get_context_data() devices = [DeviceRegistration.wrap(device.json_data) for device in U2FDevice.objects.filter(confirmed=True, user=self.user)] if devices: challenge = u2f.start_authenticate(devices, challenge=rand_bytes(32)) self.request.session['_u2f_challenge'] = challenge.json ctx['jsondata'] = challenge.json else: if '_u2f_challenge' in self.request.session: del self.request.session['_u2f_challenge'] ctx['jsondata'] = None return ctx
def register(self, request, facet="https://www.example.com"): """ RegisterRequest = { "version": "U2F_V2", "challenge": string, //b64 encoded challenge "appId": string, //app_id } """ if not isinstance(request, RegisterRequest): request = RegisterRequest(request) if request.version != "U2F_V2": raise ValueError("Unsupported U2F version: %s" % request.version) # Client data client_data = ClientData( typ='navigator.id.finishEnrollment', challenge=request['challenge'], origin=facet ) client_data = client_data.json client_param = H(client_data) # ECC key generation privu = EC.gen_params(CURVE) privu.gen_key() pub_key = str(privu.pub().get_der())[-65:] # Store key_handle = rand_bytes(64) app_param = request.appParam self.keys[key_handle] = (privu, app_param) # Attestation signature cert_priv = EC.load_key_bio(BIO.MemoryBuffer(CERT_PRIV)) cert = CERT digest = H(chr(0x00) + app_param + client_param + key_handle + pub_key) signature = cert_priv.sign_dsa_asn1(digest) raw_response = chr(0x05) + pub_key + chr(len(key_handle)) + \ key_handle + cert + signature return RegisterResponse( registrationData=websafe_encode(raw_response), clientData=websafe_encode(client_data), )
def register(self, data, facet="https://www.example.com", ): """ data = { "version": "U2F_V2", "challenge": string, //b64 encoded challenge "appId": string, //app_id } """ if isinstance(data, basestring): data = json.loads(data) if data['version'] != "U2F_V2": raise ValueError("Unsupported U2F version: %s" % data['version']) # Client data client_data = { 'typ': "navigator.id.finishEnrollment", 'challenge': data['challenge'], 'origin': facet } client_data = json.dumps(client_data) client_param = H(client_data) # ECC key generation privu = EC.gen_params(CURVE) privu.gen_key() pub_key = str(privu.pub().get_der())[-65:] # Store key_handle = rand_bytes(64) app_param = H(data['appId']) self.keys[key_handle] = (privu, app_param) # Attestation signature cert_priv = EC.load_key_bio(BIO.MemoryBuffer(CERT_PRIV)) cert = CERT digest = H(chr(0x00) + app_param + client_param + key_handle + pub_key) signature = cert_priv.sign_dsa_asn1(digest) raw_response = chr(0x05) + pub_key + chr(len(key_handle)) + \ key_handle + cert + signature return json.dumps({ "registrationData": websafe_encode(raw_response), "clientData": websafe_encode(client_data), })
def register(self, request, facet="https://www.example.com"): """ RegisterRequest = { "version": "U2F_V2", "challenge": string, //b64 encoded challenge "appId": string, //app_id } """ if not isinstance(request, RegisterRequest): request = RegisterRequest(request) if request.version != "U2F_V2": raise ValueError("Unsupported U2F version: %s" % request.version) # Client data client_data = ClientData(typ='navigator.id.finishEnrollment', challenge=request['challenge'], origin=facet) client_data = client_data.json client_param = H(client_data) # ECC key generation privu = EC.gen_params(CURVE) privu.gen_key() pub_key = str(privu.pub().get_der())[-65:] # Store key_handle = rand_bytes(64) app_param = request.appParam self.keys[key_handle] = (privu, app_param) # Attestation signature cert_priv = EC.load_key_bio(BIO.MemoryBuffer(CERT_PRIV)) cert = CERT digest = H(chr(0x00) + app_param + client_param + key_handle + pub_key) signature = cert_priv.sign_dsa_asn1(digest) raw_response = chr(0x05) + pub_key + chr(len(key_handle)) + \ key_handle + cert + signature return RegisterResponse( registrationData=websafe_encode(raw_response), clientData=websafe_encode(client_data), )
def get_context_data(self, **kwargs): ctx = super().get_context_data() devices = [ DeviceRegistration.wrap(device.json_data) for device in U2FDevice.objects.filter(confirmed=True, user=self.request.user) ] if devices: challenge = u2f.start_authenticate(devices, challenge=rand_bytes(32)) self.request.session['_u2f_challenge'] = challenge.json ctx['jsondata'] = challenge.json else: if '_u2f_challenge' in self.request.session: del self.request.session['_u2f_challenge'] ctx['jsondata'] = None return ctx
def start_authenticate(devices, challenge=None): sign_requests = [u2f_v2.start_authenticate(d, challenge or rand_bytes(32)) for d in devices] return AuthenticateRequestData(authenticateRequests=sign_requests)