linotp.lib.crypto package

class linotp.lib.crypto.SecretObj(val, iv, preserve=True, hsm=None)

Bases: object

High level interface to security operations

This provides high level security operations without needing access to the secure data

This is to be used by token implementations and classes that need encrypted data such as the database fields

The encryption operations themselves are realised using a SecurityModule (such as HSM, PKCS11)

The class implementation ensures that secret keys are not left around in memory after an operation has been carried out.

It is possible to use this in two modes: with an HSM, where operations are passed to the HSM, and without one, where a potentially degraded implementation is used. The mode without an HSM provides the functionality during startup, before the HSM is ready.

aes_decrypt(data_input)

support inplace aes decryption for the yubikey

Parameters

data_input – data, that should be decrypted

Returns

the decrypted data

calc_dh(partition, data)

encapsulate the Diffie-Hellman calculation

As the server secret key is sensitive data, we try to encapsulate it and take care of the cleanup

Parameters

partition – the id of the server secret key


static check_encrypted_pin(pin: str, encrypted_pin: bytes, iv: bytes) bool

check an encrypted pin against a given pin

Parameters
  • encrypted_pin – hex binary

  • iv – hex binary iv from former decryption step

  • pin – string

Returns

boolean

static check_hashed_pin(pin: str, hashed_pin: bytes, iv: bytes) bool

check a hashed pin against a given pin

Parameters
  • hashed_pin – hex binary

  • iv – hex binary iv from former decryption step

  • pin – string

Returns

boolean

compare(key)
compare_password(password)

compare the password of the password token

The password token contains the unix hashed (hmac256) password format and uses the standard libcrypt password hash compare. The iv is used as the indicator for the new password format, which is :1:

  • legacy - the seed for some tokens contains the encrypted password. Instead of decrypting the password and running the comparison, the new otp will be encrypted as well.

Parameters

password – the password; for the password token this is the password to be compared

Returns

boolean

static decrypt(enc_seed, iv=None, hsm=None)
static decrypt_pin(pin, hsm=None)
static encrypt(seed: str, iv=None, hsm=None)
encryptPin()
static encrypt_pin(pin: str)

encrypt a given pin

Parameters

pin

Returns

a concatenated ‘iv:crypt’

getKey()
static hash_pin(pin)

hash a given pin

Parameters

pin

Returns

a concatenated ‘iv:hashed_pin’
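
The 'iv:hashed_pin' value returned by hash_pin and the recompute-and-compare check behind check_hashed_pin, as an added example that is not LinOTP's own code. The page does not state the hash construction, so the HMAC-SHA-256 scheme, DEMO_KEY, and the hash_pin_demo, split_stored, check_hashed_pin_demo and verify names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumption: constructed stand-in for a key that a security module would hold.
DEMO_KEY = bytes(range(32))


def _digest(pin: str, iv: bytes, key: bytes) -> bytes:
    # Assumed construction: HMAC-SHA-256 over iv || pin (not taken from the page).
    return hmac.new(key, iv + pin.encode("utf-8"), hashlib.sha256).digest()


def hash_pin_demo(pin: str, key: bytes = DEMO_KEY) -> str:
    """Return 'iv:hashed_pin', both parts hex encoded, with a fresh random iv."""
    iv = os.urandom(16)
    return "%s:%s" % (iv.hex(), _digest(pin, iv, key).hex())


def split_stored(stored: str):
    """Parse 'iv:hashed_pin' into raw (iv, hashed_pin) bytes; reject malformed input."""
    iv_hex, sep, hash_hex = stored.partition(":")
    if not sep or not iv_hex or not hash_hex:
        raise ValueError("expected 'iv:hashed_pin'")
    try:
        return bytes.fromhex(iv_hex), bytes.fromhex(hash_hex)
    except ValueError:
        raise ValueError("iv and hashed_pin must be hex") from None


def check_hashed_pin_demo(pin: str, hashed_pin: bytes, iv: bytes,
                          key: bytes = DEMO_KEY) -> bool:
    """Recompute the hash under the stored iv and compare in constant time."""
    return hmac.compare_digest(_digest(pin, iv, key), hashed_pin)


def verify(pin: str, stored: str) -> bool:
    """Check a candidate pin against a stored 'iv:hashed_pin' record."""
    try:
        iv, hashed_pin = split_stored(stored)
    except ValueError:
        return False  # a malformed record fails closed
    return check_hashed_pin_demo(pin, hashed_pin, iv)
```

Because the iv is random per call, two records for the same pin differ, so the stored iv must be passed back in for the check, matching the iv parameter of check_hashed_pin.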

hmac_digest(data_input, hash_algo=None, bkey=None)