linotp.lib.security.default module

default SecurityModules which takes the enc keys from a file

class linotp.lib.security.default.DefaultSecurityModule(config=None, add_conf=None)

Bases: SecurityModule

the default security provider - provides the default implementation to all semantic security

interface to all LinOTP operations

decrypt(value: bytes, iv: bytes, id: int = 2) bytes

security module methods: decrypt

Parameters:

data – the to be decrypted data

:type data:byte string

Parameters:
  • iv (random bytes) – initialisation vector (salt)

  • id (int) – slot of the key array

Returns:

decrypted data

Return type:

byte string

decryptPassword(cryptPass: str) bytes

dedicated security module methods: decryptPassword which used one slot id to decryt a string

Parameters:

cryptPassword (byte string) – the crypted password - leading iv, seperated by the ‘:’

Returns:

decrypted data

Return type:

byte string

decryptPin(cryptPin: str) bytes

dedicated security module methods: decryptPin which used one slot id to decryt a string

Parameters:

cryptPin (byte string) – the crypted pin - - leading iv, seperated by the ‘:’

Returns:

decrypted data

Return type:

byte string

encrypt(data: bytes, iv: bytes, id: int = 2) bytes

security module methods: encrypt

This module performs the following operations on the input data, which is a string:

  • convert data to hexidcimal representation

  • add termination string

  • pad with null to a multiple of 16 bytes

  • aes encrypt

Parameters:

data – the to be encrypted data

:type data:byte string

Parameters:
  • iv (random bytes) – initialisation vector (salt)

  • id (int - slotid) – slot of the key array

Returns:

encrypted data

Return type:

byte string

encryptPassword(cryptPass: bytes) str

dedicated security module methods: encryptPassword which used one slot id to encrypt a string

Parameters:

password (byte string) – the to be encrypted password

Returns:

encrypted data - leading iv, seperated by the ‘:’

Return type:

byte string

encryptPin(cryptPin: bytes, iv: Optional[bytes] = None) str

dedicated security module methods: encryptPin which used one slot id to encrypt a string

Parameters:
  • pin (byte string) – the to be encrypted pin

  • iv (buffer (20 bytes random)) – initialisation vector (optional)

Returns:

encrypted data - leading iv, seperated by the ‘:’

Return type:

byte string

getSecret(id=0)

internal function, which acceses the key in the defined slot

Parameters:

id (int - slotId) – slot id of the key array

Returns:

key or secret

Return type:

binary string

hash_digest(val, seed, hash_algo=None)

simple hash with implicit digest :param val: val - data part1 :param seed: seed - data part2 :param hash_algo: hashing function pointer

hmac_digest(bkey, data_input, hash_algo)

simple hmac with implicit digest

Parameters:
  • bkey – the private shared secret

  • data_input – the data

  • hash_algo – one of the hashing algorithms

isReady()

provides the status, if the security module is fully initializes this is required especially for the runtime confi like set password ++

Returns:

status, if the module is fully operational

Return type:

boolean

static padd_data(input_data)

padd the given data to a blocksize of 16 according to pkcs7 padding

Parameters:

input_data – the data, which should be padded

Returns:

data with appended padding

random(len: int = 32) bytes

security module methods: random

Parameters:

len (int) – length of the random byte array

Returns:

random bytes

Return type:

byte string

schema = {'properties': {'configHandle': {'type': 'number'}, 'crypted': 'FALSE', 'defaultHandle': {'type': 'number'}, 'module': {'type': 'string'}, 'poolsize': {'type': 'number'}, 'tokenHandle': {'type': 'number'}, 'valueHandle': {'type': 'number'}}, 'required': ['module', 'tokenHandle', 'configHandle', 'configHandle', 'valueHandle', 'defaultHandle'], 'type': 'object'}
setup_module(params)

callback, which is called during the runtime to initialze the security module

Parameters:

params (dict) – all parameters, which are provided by the http request

Returns:

signMessage(message, method=<built-in function openssl_sha256>, slot_id=2)

create the hex mac for the message -

Parameters:
  • message – the original message

  • method – the hash method - we use by default sha256

  • slot_id – which key should be used

Returns:

hex mac

static unpadd_data(input_data)

unpadd a given data from a blocksize of 16 according to pkcs7 padding

Parameters:

input_data – the data with appended padding

Returns:

stripped of data

verfiyMessageSignature(message, hex_mac, method=<built-in function openssl_sha256>, slot_id=2)
verify the hex mac is same for the message -

the comparison is done in a constant time comparison

Parameters:
  • message – the original message

  • hex_mac – the to compared mac in hex

  • method – the hash method - we use by default sha256

  • slot_id – which key should be used

Returns:

boolean