linotp.lib.crypto.utils module

Cryptographic utility functions

linotp.lib.crypto.utils.check(st)

calculate the checksum of st :param st: input string :return: the checksum code as 2 hex bytes

linotp.lib.crypto.utils.compare(one, two)

position independend comparison of values

Parameters

  • one – first value

  • two – second value

Returns

boolean

linotp.lib.crypto.utils.compare_password(password, crypted_password)

comparing passwords

for password comparison the passwords crypt algorithms are supported, which are indicated by the “$ID$” prefix :

ID | Method ───────────────────────────────────────────────────────── 1 | MD5 2a | Blowfish (not in mainline glibc; added in some

Linux distributions)

5 | SHA-256 (since glibc 2.7) 6 | SHA-512 (since glibc 2.7)

to upport passowrds on a broad range of platforms the passlib library is used:

algorithm: we iterate over supported list of passlib modules to identify the hashing algorithm (s.o.) and do the comparison with the matching one.

Parameters

  • password – the plain text password

  • crypted_password – the encrypted password

Returns

boolean - for the password comparison result

linotp.lib.crypto.utils.createActivationCode(acode: Optional[str] = None, checksum=True)

create the activation code

Parameters

  • acode – activation code or None

  • checksum – flag to indicate, if a checksum will be calculated

Returns

return the activation code

linotp.lib.crypto.utils.createNonce(len=64)

create a nonce - which is a random string :param len: len of bytes to return :return: hext string

linotp.lib.crypto.utils.crypt_password(password)

generate a new crypted hashed password from a given password

we use crypt type sha512, which is a secure and standard according to: http://security.stackexchange.com/questions/20541/ insecure-versions-of-crypt-hashes

sha512 is selected be the first position in the PasslibHashes schemes

Parameters

password – the plaintext password

Returns

the encrypted password

linotp.lib.crypto.utils.decode_base64_urlsafe(data)

decodes a string encoded with :func encode_base64_urlsafe

linotp.lib.crypto.utils.decrypt(input, iv, id=0, hsm=None)

decrypt a variable from the given input with an initialization vector

Parameters

  • input (buffer of bytes) – buffer, which contains the crypted value

  • iv (buffer (20 bytes random)) – initialization vector

  • id (int) – contains the id of which key of the keyset should be used

Returns

decryted buffer

linotp.lib.crypto.utils.decryptPassword(cryptPass: str) bytes

Restore the encrypted password

Parameters

cryptPass – encrypted password (i.e. ldap password)

Returns

decrypted password

linotp.lib.crypto.utils.decryptPin(cryptPin, hsm=None)
Parameters

  • cryptPin – encrypted pin (i.e. token pin)

  • hsm – hsm security object instance

Returns

decrypted pin

linotp.lib.crypto.utils.dsa_to_dh_public(dsa_public_key)
linotp.lib.crypto.utils.dsa_to_dh_secret(dsa_secret_key)
linotp.lib.crypto.utils.encode_base64_urlsafe(data)

encodes a string with urlsafe base64 and removes its padding

linotp.lib.crypto.utils.encrypt(data: str, iv: bytes, id: int = 0, hsm=None) bytes

encrypt a variable from the given input with an initialization vector

Parameters

  • input (buffer of bytes) – buffer, which contains the value

  • iv (buffer (20 bytes random)) – initialization vector

  • id (int) – contains the id of which key of the keyset should be used

Returns

encryted buffer

linotp.lib.crypto.utils.encryptPassword(password)

Encrypt password (i.e. ldap password)

Parameters

password – password to encrypt

Returns

encrypted password

linotp.lib.crypto.utils.encryptPin(cryptPin: bytes, iv=None, hsm=None)

Encrypt pin (i.e. token pin)

Parameters

  • cryptPin – pin to encrypt

  • iv – initializain vector

  • hsm – hsm security object instance

Returns

return encrypted pin

linotp.lib.crypto.utils.extract_tan(signature, digits)

Calculates a TAN from a signature using a procedure similar to HOTP

Parameters

  • signature – the signature used as a source for the TAN

  • digits – number of digits the should be long

:returns TAN (as string)

linotp.lib.crypto.utils.get_dh_secret_key(partition)

transforms the ed25519 secret key (which is used for DSA) into a Diffie-Hellman secret key

linotp.lib.crypto.utils.get_hashalgo_from_description(description, fallback='sha1')

get the hashing function from a string value

Parameters

  • description – the literal description of the hash

  • fallback – the fallback hash allgorithm

Returns

hashing function pointer

linotp.lib.crypto.utils.get_public_key(partition)

reads the password config entry ‘linotp.PublicKey.Partition.<partition>’, extracts and decodes the public key and returns it as a 32 bytes.

linotp.lib.crypto.utils.get_rand_digit_str(length=16)

return a string of digits with a defined length using the urandom

Parameters

length – number of digits the string should return

Returns

return string, which will contain length digits

linotp.lib.crypto.utils.get_secret_key(partition)

reads the password config entry ‘linotp.SecretKey.Partition.<partition>’, extracts and decodes the secret key and returns it as a 32 bytes.

linotp.lib.crypto.utils.geturandom(len=20)

get random - from the security module

Parameters

len – len of the returned bytes - defalt is 20 bytes

Tyrpe len

int

Returns

buffer of bytes

linotp.lib.crypto.utils.hash_digest(val: bytes, seed: bytes, algo=None, hsm=None)

hash_digest - hmac digest, lower level api

  • operating on byte level

  • calling level to the hsm module

linotp.lib.crypto.utils.hmac_digest(bkey, data_input, hsm=None, hash_algo=None)
linotp.lib.crypto.utils.init_key_partition(config, partition, key_type='ed25519')

create an elliptic curve secret + public key pair and store it in the linotp config

linotp.lib.crypto.utils.kdf2(sharedsecret, nonce, activationcode, len, iterations=10000, digest='SHA256', macmodule=<module 'hmac' from '/usr/lib/python3.7/hmac.py'>, checksum=True)

key derivation function

  • takes the shared secret, an activation code and a nonce to generate a new key

  • the last 4 btyes (8 chars) of the nonce is the salt

  • the last byte (2 chars) of the activation code are the checksum

  • the activation code mitght contain ‘-‘ signs for grouping char blocks

    aabbcc-ddeeff-112233-445566

Parameters

  • sharedsecret – hexlified binary value

  • nonce – hexlified binary value

  • activationcode – base32 encoded value

linotp.lib.crypto.utils.zerome(bufferObject)

clear a string value from memory

Parameters

string (string or key buffer) – the string variable, which should be cleared

Returns

  • nothing -