6.1.1.3.1.5.1.4. linotp.lib.tokens.ocra2token module
- This file contains the standard token definitions:
- OCRA2TokenClass
the OCRA2 token uses the standard LinOTP challenge-response mechanism instead of the dedicated ocra/request and ocra/check_t endpoints
- class linotp.lib.tokens.ocra2token.Ocra2TokenClass(aToken)
Bases: linotp.lib.tokenclass.TokenClass
Ocra2TokenClass implements an OCRA (RFC 6287) compliant token
- used from Config
- OcraMaxChallenges - number of open challenges per token; if not set: 3
- Ocra2ChallengeValidityTime - lifetime of a challenge (timeout) in seconds
- OcraDefaultSuite - if not set: 'OCRA-1:HOTP-SHA256-8:C-QN08'
- QrOcraDefaultSuite - if not set: 'OCRA-1:HOTP-SHA256-8:C-QA64'
algorithm Ocra Token Rollout: two phases of rollout
- phase 1: https://linotpserver/admin/init?
type=ocra& genkey=1& sharedsecret=1& user=USERNAME& session=SESSIONKEY
=>> "serial" : SERIAL, "sharedsecret" : DATAOBJECT, "app_import" : IMPORTURL - genSharedSecret - from the HSM or from urandom? - app_import : + linotp://
- ocrasuite ->> default from the config (DefaultOcraSuite)
- sharedsecret (length as ???)
- serial
- serial: uuid
- the token is created but is not yet active!!! (counter == 0)
- phase 2: https://linotpserver/admin/init?
type=ocra& genkey=1& activationcode=ACTIVATIONCODE& user=USERNAME& message=MESSAGE& session=SESSIONKEY
=>> "serial" : SERIAL, "nonce" : DATAOBJECT, "transactionid" : TRANSACTIONID, "app_import" : IMPORTURL
- nonce - from the HSM or random?
- pkcs5 - kdf2 (PBKDF2)
- only one QR token per user may be inactive (== in rollout state) at any one time!!!!! the token is found via the user
- seed = pbkdf2(nonce + activationcode + shared secret)
- generate the challenge - from urandom or the HSM
- check_t
- the counter is > 0 after the first transaction
- if counter >= 1: delete the sharedsecret
- autosync(ocraSuite, passw, challenge)
try to resync a token automatically, if the former and the current request failed
Parameters: - ocraSuite (ocra object) – the ocraSuite of the current token
- passw – the otp value to check
- challenge – the challenge belonging to passw
- challenge(data, session='', typ='raw', challenge=None)
the challenge method is for creating a transaction / challenge object
- remark: the transaction has a maximum lifetime and a reference to
- the OcraSuite token (serial)
Parameters: - data (string or None) – data, which is the base for the challenge, or None
- session (string) – session support for ocra tokens
Returns: challenge response containing the transaction id and the challenge for the ocrasuite
Return type: tuple of (transId (string), challenge (string))
- checkOtp(passw, counter, window, options=None)
checkOtp - standard callback of LinOTP to verify the token
Parameters: - passw (string) – the passw / otp, which has to be checked
- counter (int) – the start counter
- window (int) – the window (number of counter values from the start counter) in which the token is valid
- options (dict) – options contains the transaction id, e.g. if check_t checks one transaction; this supports asynchronous otp checks (when check_t is used)
Returns: the counter value at which the otp matched, or -1 if no match was found
Return type: int
- checkResponse4Challenge(user, passw, options=None, challenges=None)
verify the response of a previous challenge
Parameters: - user – the requesting user
- passw – the pass to be checked: (otp) & trans_id | (pin+otp)
- options – an additional argument, which could be token specific
- challenges – the list of challenges, where each challenge is described as a dict
Returns: tuple of (boolean, list of matching challenge ids)
- classmethod getClassInfo(key=None, ret='all')
getClassInfo - returns all or a subtree of the token definition
Parameters: - key (string) – subsection identifier
- ret (user defined) – default return value, if nothing is found
Returns: the subsection if key exists, otherwise the user defined default
Return type: see above
- classmethod getClassType()
getClassType - return the token type shortname
Returns: 'ocra2'
Return type: string
- getInfo()
getInfo - return the status of the token rollout
Returns: info of the ocra token state
Return type: dict
- getInitDetail(params, user=None)
to complete the token normalisation, the response of the initialisation should be built by the token specific method, getInitDetail
- getOcraSuiteSuite()
getOcraSuiteSuite - return the Ocra Suite of the token - if none is set, it will return the default (OcraDefaultSuite)
Returns: Ocrasuite of token
Return type: string
- getQROcraSuiteSuite()
getQROcraSuiteSuite - return the QR Ocra Suite of the token - if none is set, it will return the default (QrOcraDefaultSuite)
Returns: QROcrasuite of token
Return type: string
- getStatus(transactionId)
getStatus - assembles the status of a transaction / challenge in a dict
{ "serial": SERIAL1,
"transactionid": TRANSACTIONID1,
"received_tan": true,
"valid_tan": true,
"failcount": 0
}
Parameters: transactionId (string) – the transaction / challenge id
Returns: status dict
Return type: dict
- is_challenge_request(passw, user, options=None)
check, if the request would start a challenge
- default: if the passw contains only the pin, this request would trigger a challenge
- in this place as well the policy for a token is checked
Parameters: - passw – password, which might be pin or pin+otp
- options – dictionary of additional request parameters
Returns: true or false
- is_challenge_response(passw, user, options=None, challenges=None)
check, if the request is the response to an open challenge of this ocra token
Parameters: - passw – password, which might be pin or pin+otp
- user – the requesting user
- options – dictionary of additional request parameters
- challenges – the list of open challenges of the token
Returns: true or false
- is_challenge_valid(challenge=None)
this method checks the validity of a challenge - the default implementation tests, if the challenge start is within the default validity time window (Ocra2ChallengeValidityTime).
Parameters: challenge – challenge object
Returns: true or false
- prepare_message(data, transId)
prepare the challenge response message
Parameters: - data – the challenge data
- transId – the transaction/state reference id
remark: we need the state/transId in the inner scope to support the signing of the whole request including the state/transId
- resync(otp1, otp2, options=None)
- for the resync to work, we take the last two transactions and their challenges
- for each challenge, we search forward the sync window length
- signData(data)
sign the received data with the secret key
Parameters: data – arbitrary string object
Returns: hexlified signature of the data
- statusValidationFail()
statusValidationFail - callback to enable a status change,
will be called if the token verification has failed
Returns: nothing
- statusValidationSuccess()
statusValidationSuccess - callback to enable a status change,
remark: will be called if the token has been successfully verified
Returns: nothing