linotp.tokens.u2ftoken.u2ftoken module

class linotp.tokens.u2ftoken.u2ftoken.U2FTokenClass(aToken)

Bases: TokenClass

U2F token class implementation

The U2F protocol as specified by the FIDO Alliance uses public key cryptography to perform second factor authentications. On registration the U2F compatible token creates a public/private key pair and sends the public key to the relying party (i.e. this LinOTP class). On authentication the U2F compatible token uses the private key to sign a challenge received from the relying party. This signature can be checked by the relying party using the public key received during registration.

checkOtp(passw, counter, window, options=None)

checkOtp - standard callback of linotp to verify the token

Parameters

  • passw (string) – the passw / otp, which has to be checked

  • counter (int) – the start counter

  • window (int) – the window, in which the token is valid

  • options (dict) – options

Returns

verification counter or -1

Return type

int (-1)

checkResponse4Challenge(user, passw, options=None, challenges=None)

This method verifies if the given passw matches any existing challenge of the token.

It then returns the new otp_counter of the token and the list of the matching challenges.

In case of success the otp_counter needs to be > 0. The matching_challenges is passed to the method challenge_janitor() to clean up challenges.

Parameters

  • user (User object) – the requesting user

  • passw (string) – the password (pin+otp)

  • options (dict) – additional arguments from the request, which could be token specific

  • challenges (list) – A sorted list of valid challenges for this token.

Returns

tuple of (otpcounter and the list of matching challenges)

createChallenge(transactionid, options=None)

create a challenge, which is submitted to the user

Parameters

  • state – the state/transaction id

  • options – the request context parameters / data

Returns

tuple of (bool, message and data) message is submitted to the user data is preserved in the challenge attributes are additional attributes, which could be returned

classmethod getClassInfo(key=None, ret='all')

getClassInfo - returns a subtree of the token definition

Parameters

  • key (string) – subsection identifier

  • ret (user defined) – default return value, if nothing is found

Returns

subsection if key exists or user defined

Return type

s.o.

classmethod getClassPrefix()
classmethod getClassType()

getClassType - return the token type shortname

Returns

‘U2F’

Return type

string

getInitDetail(params, user=None)

to complete the token normalisation, the response of the initialisation should be built by the token specific method, the getInitDetails

getOfflineInfo()
is_challenge_request(passw, user, options=None)

check if the request would start a challenge

  • default: if the passw contains only the pin, this request would

trigger a challenge

  • in this place as well the policy for a token is checked

Parameters

  • passw – password, which might be pin or pin+otp

  • options – dictionary of additional request parameters

Returns

returns true or false

splitPinPass(passw)

Split pin and otp given in the passw parameter

Parameters

passw – string representing pin+otp

Returns

returns tuple true or false for res, the pin value for pin and the otp value for otpval

update(param, reset_failcount=False)