6.1.1.3.1.4.1.4. linotp.lib.security.yubihsm module

This module is used to access the YubiHSM for encrypting and

decrypting the data

linotp.ini: linotpActiveSecurityModule = yubihsm linotpSecurity.yubihsm.module = linotp.lib.security.yubihsm.YubiSecurityModule linotpSecurity.yubihsm.pinHandle =21 linotpSecurity.yubihsm.valueHandle =22 linotpSecurity.yubihsm.passwordHandle =23 linotpSecurity.yubihsm.defaultHandle = 0x1111 linotpSecurity.yubihsm.password = 14fda9321ae820aa34e57852a31b10d0 linotpSecurity.yubihsm.device = /dev/ttyACM3

You need to change the access rights of /dev/ttyACM? You could add the user “linotp” to the group “dialout”

class linotp.lib.security.yubihsm.YubiSecurityModule(config=None)

Bases: linotp.lib.security.SecurityModule

Class that handles all AES stuff

createAES(ks=32, label='new AES Key')

Creates a new AES key with the given label and the given length

returns the hanlde

decrypt(data, iv, id=0)

decrypts the given data, using the IV and the key specified by the handle

possible id’s are:

0 1 2

decryptPassword(cryptPass)

dedicated security module methods: decryptPassword which used one slot id to decryt a string

@param cryptPassword: the crypted password - leading iv, seperated by the ‘:’ @param cryptPassword: byte string

@return: decrypted data @rtype: byte string

decryptPin(cryptPin)

dedicated security module methods: decryptPin which used one slot id to decryt a string

@param cryptPin: the crypted pin - - leading iv, seperated by the ‘:’ @param cryptPin: byte string

@return: decrypted data @rtype: byte string

encrypt(data, iv, id=0)

encrypts the given input data

AES hat eine blocksize von 16 byte. Daher muss die data ein vielfaches von 16 sein und der IV im Falle von CBC auch 16 byte lang.

encryptPassword(password)

dedicated security module methods: encryptPassword which used one slot id to encrypt a string

@param password: the to be encrypted password @param password: byte string

@return: encrypted data - leading iv, seperated by the ‘:’ @rtype: byte string

encryptPin(pin)

dedicated security module methods: encryptPin which used one slot id to encrypt a string

@param pin: the to be encrypted pin @param pin: byte string

@return: encrypted data - leading iv, seperated by the ‘:’ @rtype: byte string

find_aes_keys(label='testAES', wanted=1)

Find and AES key with the given label The number of keys to be found is restricted by “wanted”

Returns

• the number of keys and
• the handle to the key

gettokeninfo(slotid=0)

This returns a dictionary with the token info

isReady()

login(password=None, slotid=0)

Open a session on the first token

After this, we got a self.hSession

logout()

closes the existing session

pad(unpadded_str, block=16)

PKCS7 padding pads the missing bytes with the value of the number of the bytes. If 4 bytes are missing, this missing bytes are filled with 

Parameters:

• unpadded_str (str) – The string to pad
• block (int) – Block size

Returns:

padded string

Return type:

str

random(l=32)

create a random value and return it l specifies the length of the random data to be created.

setup_module(params)

used to set the password, if the password is not contained in the config file

unpad(padded_str, block=16)

This removes and checks the PKCS #7 padding.

Parameters:

• padded_str (str) – The string to unpad
• block (int) – Block size

Raises ValueError:  

If padded_str is not correctly padded a ValueError can be raised. This depends on the ‘yubihsm.accept_invalid_padding’ LinOTP config option. If set to False (default) ValueError is raised. The reason why the data is sometimes incorrectly padded is because the pad() method delivered with LinOTP version < 2.7.1 didn’t pad correctly when the data-length was a multiple of the block-length. Beware that in some cases (statistically about 0.4% of data-chunks whose length is a multiple of the block length) the incorrect padding can not be detected and incomplete data is returned. One example for this last case is when the data ends with the byte 0x01. This is recognized as legitimate padding and is removed before returning the data, thus removing a legitimate byte from the data and making it unusable. If you didn’t upgrade from a LinOTP version before 2.7.1 (or don’t use a YubiHSM) you will not be affected by this in any way. ValueError will of course also be raised if you data became corrupt for some other reason (e.g. disk failure) and can not be unpadded. In this case you should NOT set ‘yubihsm.accept_invalid_padding’ to True because your data will be unusable anyway.

Returns:

unpadded string or sometimes padded string when ‘yubihsm.accept_invalid_padding’ is set to True. See above.

Return type:

str

linotp.lib.security.yubihsm.main()

This module can be called to create an AES key.

Parameters are:

-p / –password= The Password of the partition. Can be ommitted. Then you are asked -d / –device= The device (default /dev/ttyACM0) -n / –name= The name of the AES key. -f / –find= Find the AES key -h / –help