linotp.lib.crypt module

access to all cryptographic aspects - declare the SecretObject to encapsulate security aspects

class linotp.lib.crypt.SecretObj(val, iv, preserve=True, hsm=None)[source]

Bases: object

aes_decrypt(data_input)[source]

support inplace aes decryption for the yubikey

Parameters:data_input – data, that should be decrypted
Returns:the decrypted data
compare(key)[source]
static decrypt(enc_seed, iv=None, hsm=None)[source]
static decrypt_pin(pin, hsm=None)[source]
static encrypt(seed, iv=None, hsm=None)[source]
encryptPin()[source]
static encrypt_pin(pin, iv=None, hsm=None)[source]

returns a concatenated ‘iv:crypt’

getKey()[source]
getPin()[source]
static hash_pin(pin, iv=None, hsm=None)[source]
hmac_digest(data_input, hash_algo)[source]
linotp.lib.crypt.aes_decrypt_data(data, key, iv=None)[source]

decrypt the given data other than the linotp std decrypt this method takes a key not a keyslot, which is required, as for every server startup the encryption key might change

Parameters:
  • data – the to be decrypted data
  • key – the encryption key
  • iv – the random initialization vector
Returns:

the decrypted value

linotp.lib.crypt.aes_encrypt_data(data, key, iv=None)[source]

encypt data for the cookie handling - other than the std linotp key slots, here the key might change per server startup, which is not in scope of std linotp encrypt

Parameters:
  • key – the encryption key
  • data – the data, which should be encrypted
  • iv – the salt value
Returns:

the encrypted data

linotp.lib.crypt.check(st)[source]

calculate the checksum of st :param st: input string :return: the checksum code as 2 hex bytes

linotp.lib.crypt.createActivationCode(acode=None, checksum=True)[source]

create the activation code

Parameters:
  • acode – activation code or None
  • checksum – flag to indicate, if a checksum will be calculated
Returns:

return the activation code

linotp.lib.crypt.createNonce(len=64)[source]

create a nonce - which is a random string :param len: len of bytes to return :return: hext string

linotp.lib.crypt.decode_base64_urlsafe(data)[source]

decodes a string encoded with :func encode_base64_urlsafe

linotp.lib.crypt.decrypt(input, iv, id=0, hsm=None)[source]

decrypt a variable from the given input with an initialization vector

Parameters:
  • input (buffer of bytes) – buffer, which contains the crypted value
  • iv (buffer (20 bytes random)) – initialization vector
  • id (int) – contains the id of which key of the keyset should be used
Returns:

decryted buffer

linotp.lib.crypt.decryptPassword(cryptPass)[source]
linotp.lib.crypt.decryptPin(cryptPin, hsm=None)[source]
linotp.lib.crypt.dsa_to_dh_public(dsa_public_key)[source]
linotp.lib.crypt.dsa_to_dh_secret(dsa_secret_key)[source]
linotp.lib.crypt.encode_base64_urlsafe(data)[source]

encodes a string with urlsafe base64 and removes its padding

linotp.lib.crypt.encrypt(data, iv, id=0, hsm=None)[source]

encrypt a variable from the given input with an initialization vector

Parameters:
  • input (buffer of bytes) – buffer, which contains the value
  • iv (buffer (20 bytes random)) – initialization vector
  • id (int) – contains the id of which key of the keyset should be used
Returns:

encryted buffer

linotp.lib.crypt.encryptPassword(password)[source]
linotp.lib.crypt.encryptPin(cryptPin, iv=None, hsm=None)[source]
linotp.lib.crypt.extract_tan(signature, digits)[source]

Calculates a TAN from a signature using a procedure similar to HOTP

Parameters:
  • signature – the signature used as a source for the TAN
  • digits – number of digits the should be long

:returns TAN (as integer)

linotp.lib.crypt.getSecret(id=0)[source]
linotp.lib.crypt.getSecretDummy()[source]
linotp.lib.crypt.get_qrtoken_dh_public_key()[source]

transforms the qrtoken public key (which is used for DSA) into a Diffie-Hellman public key

linotp.lib.crypt.get_qrtoken_dh_secret_key()[source]

transforms the qrtoken secret key (which is used for DSA) into a Diffie-Hellman secret key

linotp.lib.crypt.get_qrtoken_public_key(cert_id='system')[source]

reads the config entry ‘linotp.QrTokenPublicKey’, extracts and decodes the public key and returns it as a 32 bytes.

linotp.lib.crypt.get_qrtoken_secret_key(cert_id='system')[source]

reads the config entry ‘enclinotp.QrTokenSecretKey’, extracts and decodes the secret key and returns it as a 32 bytes.

linotp.lib.crypt.get_rand_digit_str(length=16)[source]

return a sting of digits with a defined length using the urandom

if we have leading zeros, the len of s could be smaller. Therefore we run in a repeat-until-int(len) matches loop

Parameters:length – number of digits the string should return (w.o. leading 0s)
Returns:return string, which will contain length digits, even when converted to an int
linotp.lib.crypt.geturandom(len=20)[source]

get random - from the security module

Parameters:len – len of the returned bytes - defalt is 20 bytes
Tyrpe len:int
Returns:buffer of bytes
linotp.lib.crypt.hash(val, seed, algo=None)[source]
linotp.lib.crypt.init_qrtoken_secret_key(config, cert_id='system')[source]

create an elliptic curve secret + public key pair and store it in the linotp config

linotp.lib.crypt.isWorldAccessible(filepath)[source]
linotp.lib.crypt.kdf2(sharedsecret, nonce, activationcode, len, iterations=10000, digest='SHA256', macmodule=<module 'Cryptodome.Hash.HMAC' from '/usr/lib/python2.7/dist-packages/Cryptodome/Hash/HMAC.pyc'>, checksum=True)[source]

key derivation function

  • takes the shared secret, an activation code and a nonce to generate a new key

  • the last 4 btyes (8 chars) of the nonce is the salt

  • the last byte (2 chars) of the activation code are the checksum

  • the activation code mitght contain ‘-‘ signs for grouping char blocks

    aabbcc-ddeeff-112233-445566

Parameters:
  • sharedsecret – hexlified binary value
  • nonce – hexlified binary value
  • activationcode – base32 encoded value
linotp.lib.crypt.setupKeyFile(secFile, maxId)[source]
linotp.lib.crypt.udecode(value)[source]

unicode de escape the value - required to support non-unicode databases :param value: string to be deescaped :return: unicode value

linotp.lib.crypt.uencode(value)[source]

unicode escape the value - required to support non-unicode databases :param value: string to be escaped :return: u encoded value

class linotp.lib.crypt.urandom[source]

Bases: object

classmethod choice(array)[source]

get one out of an array

Parameters:array – sequence - string or list
Returns:array element
precision = 12
classmethod randint(start, end=None)[source]

get random integer in between of start and end

Returns:random int
classmethod random()[source]

get random float value between 0.0 and 1.0

Returns:float value
classmethod randrange(start, stop=None, step=1)[source]

get one out of a range of values

Parameters:
  • start – start of range
  • stop – end value
  • step – the step distance beween two values
Returns:

int value

classmethod uniform(start, end=None)[source]

get a floating value between start and end

Parameters:
  • start – start floating value
  • end – end floating value
Returns:

floating value between start and end

linotp.lib.crypt.zerome(bufferObject)[source]

clear a string value from memory

Parameters:string (string or key buffer) – the string variable, which should be cleared
Returns:
  • nothing -