6.1.1.3.1.5.1.4. linotp.lib.tokens.ocra2token module

This file contains the standard token definitions:
  • OCRA2TokenClass

the OCRA2 token uses the standard challenge response instead of the dedicated ocra/request and ocra/check_t

class linotp.lib.tokens.ocra2token.Ocra2TokenClass(aToken)[source]

Bases: linotp.lib.tokenclass.TokenClass

Ocra2TokenClass implements an OCRA compliant token

used from Config:
  • OcraMaxChallenges - number of open challenges per token; if None: 3
  • Ocra2ChallengeValidityTime - timeout definition in seconds
  • OcraDefaultSuite - if None: 'OCRA-1:HOTP-SHA256-8:C-QN08'
  • QrOcraDefaultSuite - if None: 'OCRA-1:HOTP-SHA256-8:C-QA64'

algorithm Ocra Token Rollout: two phases of rollout

  1. https://linotpserver/admin/init?

    type=ocra& genkey=1& sharedsecret=1& user=BENUTZERNAME& session=SESSIONKEY

    =>> “serial” : SERIENNUMMER, “sharedsecret” : DATAOBJECT, “app_import” : IMPORTURL
    - genSharedSecret - from the HSM or urandom?
    - app_import : + linotp://

    • ocrasuite ->> default from the config: (DefaultOcraSuite)
    • sharedsecret (length like ???)
    • serial number
    • serial number: uuid
    • the token is created but is not active!!! (counter == 0)
  2. https://linotpserver/admin/init?

    type=ocra& genkey=1& activationcode=AKTIVIERUNGSCODE& user=BENUTZERNAME& message=MESSAGE& session=SESSIONKEY

    =>> “serial” : SERIENNUMMER, “nonce” : DATAOBJECT, “transactionid” : TRANSAKTIONSID, “app_import” : IMPORTURL

    • nonce - from the HSM or random?
    • pkcs5 - kdf2
    • only one QR token may be inactive (== in the rollout state) at a time!!!!! the token is looked up via the user
    • seed = pbkdf2(nonce + activationcode + shared secret)
    • generate the challenge - from urandom or the HSM
  3. check_t
    • counter is > 0 after the first transaction
    • if counter >= 1: delete the sharedsecret
autosync(ocraSuite, passw, challenge)[source]

try to resync a token automatically, if a former and the current request failed

Parameters:
  • ocraSuite (ocra object) – the ocraSuite of the current Token
  • passw
challenge(data, session='', typ='raw', challenge=None)[source]

the challenge method is for creating a transaction / challenge object

remark: the transaction has a maximum lifetime and a reference to
the OcraSuite token (serial)
Parameters:
  • data (string or None) – data, which is the base for the challenge or None
  • session (string) – session support for ocratokens
Returns:

challenge response containing the transaction id and the challenge for the ocrasuite

Return type: tuple of (transId (string), challenge (string))

checkOtp(passw, counter, window, options=None)[source]

checkOtp - standard callback of linotp to verify the token

Parameters:
  • passw (string) – the passw / otp, which has to be checked
  • counter (int) – the start counter
  • window (int) – the window, in which the token is valid
  • options (dict) – options contains the transaction id, e.g. if check_t checks one transaction; this supports asynchronous otp checks (when check_t is used)
Returns:

verification counter or -1

Return type:

int (-1)

checkResponse4Challenge(user, passw, options=None, challenges=None)[source]

verify the response of a previous challenge

Parameters:
  • user – the requesting user
  • passw – the to be checked pass: (otp) & trans_id | (pin+otp)
  • options – options an additional argument, which could be token specific
  • challenges – the list of challenges, where each challenge is described as dict
Returns:

tuple of (boolean and the list matching challenge ids)

classmethod classInit(param, user=None)[source]
createChallenge(state, options=None)[source]

standard API to create an ocra challenge

classmethod getClassInfo(key=None, ret='all')[source]

getClassInfo - returns all or a subtree of the token definition

Parameters:
  • key (string) – subsection identifier
  • ret (user defined) – default return value, if nothing is found
Returns:

subsection if key exists or user defined

Return type: see above

classmethod getClassPrefix()[source]
classmethod getClassType()[source]

getClassType - return the token type shortname

Returns:‘ocra2’
Return type:string
getInfo()[source]

getInfo - return the status of the token rollout

Returns:info of the ocra token state
Return type:dict
getInitDetail(params, user=None)[source]

to complete the token normalisation, the response of the initialisation should be built by the token specific method, the getInitDetails

getOcraSuiteSuite()[source]

getOcraSuiteSuite - return the Ocra Suite - if none, it will return the default

Returns:Ocrasuite of token
Return type:string
getQRImageData(response_detail)[source]
getQROcraSuiteSuite()[source]

getQROcraSuiteSuite - return the QR Ocra Suite - if none, it will return the default

Returns:QROcrasuite of token
Return type:string
getStatus(transactionId)[source]

getStatus - assembles the status of a transaction / challenge in a dict

  { “serial”: SERIENNUMMER1,
    “transactionid”: TRANSACTIONID1,
    “received_tan”: true,
    “valid_tan”: true,
    “failcount”: 0 }

Parameters:transactionId (string) – the transaction / challenge id
Returns:status dict
Return type:dict
is_challenge_request(passw, user, options=None)[source]

check, if the request would start a challenge

  • default: if the passw contains only the pin, this request would trigger a challenge
  • in this place as well the policy for a token is checked
Parameters:
  • passw – password, which might be pin or pin+otp
  • options – dictionary of additional request parameters
Returns:

returns true or false

is_challenge_response(passw, user, options=None, challenges=None)[source]

for the ocra token,

Parameters:
  • passw – password, which might be pin or pin+otp
  • user – the requesting user
  • options – dictionary of additional request parameters
Returns:

returns true or false

is_challenge_valid(challenge=None)[source]

this method proves the validity of a challenge - the default implementation tests if the challenge start is in the default validity time window.

Parameters:challenge – challenge object
Returns:true or false
prepare_message(data, transId)[source]

prepare the challenge response message

Parameters:
  • data
  • transId – the transaction/state reference id

remark: we need the state/transId in the inner scope to support the signing of the whole request including the state/transId

resync(otp1, otp2, options=None)[source]
  • for the resync to work, we take the last two transactions and their challenges
  • for each challenge, we search forward the sync window length
signData(data)[source]

sign the received data with the secret key

Parameters:data – arbitrary string object
Returns:hexlified signature of the data
statusValidationFail()[source]

statusValidationFail - callback to enable a status change,

will be called if the token verification has failed

Returns: nothing

statusValidationSuccess()[source]

statusValidationSuccess - callback to enable a status change,

remark: will be called if the token has been successfully verified

Returns: nothing
update(params, reset_failcount=True)[source]

update: add further definition for token from param in case of init

verify_challenge_is_valid(challenge, session)[source]

verify, if a challenge is valid according to the ocrasuite definition of the token