linotp.lib.crypto.utils module¶
Cryptographic utility functions
- linotp.lib.crypto.utils.check(st)¶
calculate the checksum of st :param st: input string :return: the checksum code as 2 hex bytes
- linotp.lib.crypto.utils.compare(one, two)¶
position independend comparison of values
- Parameters
one – first value
two – second value
- Returns
boolean
- linotp.lib.crypto.utils.compare_password(password, crypted_password)¶
comparing passwords
for password comparison the passwords crypt algorithms are supported, which are indicated by the “$ID$” prefix :
ID | Method ───────────────────────────────────────────────────────── 1 | MD5 2a | Blowfish (not in mainline glibc; added in some
Linux distributions)5 | SHA-256 (since glibc 2.7) 6 | SHA-512 (since glibc 2.7)
to upport passowrds on a broad range of platforms the passlib library is used:
algorithm: we iterate over supported list of passlib modules to identify the hashing algorithm (s.o.) and do the comparison with the matching one.
- Parameters
password – the plain text password
crypted_password – the encrypted password
- Returns
boolean - for the password comparison result
- linotp.lib.crypto.utils.createActivationCode(acode: Optional[str] = None, checksum=True)¶
create the activation code
- Parameters
acode – activation code or None
checksum – flag to indicate, if a checksum will be calculated
- Returns
return the activation code
- linotp.lib.crypto.utils.createNonce(len=64)¶
create a nonce - which is a random string :param len: len of bytes to return :return: hext string
- linotp.lib.crypto.utils.crypt_password(password)¶
generate a new crypted hashed password from a given password
we use crypt type sha512, which is a secure and standard according to: http://security.stackexchange.com/questions/20541/ insecure-versions-of-crypt-hashes
sha512 is selected be the first position in the PasslibHashes schemes
- Parameters
password – the plaintext password
- Returns
the encrypted password
- linotp.lib.crypto.utils.decode_base64_urlsafe(data)¶
decodes a string encoded with :func encode_base64_urlsafe
- linotp.lib.crypto.utils.decrypt(input, iv, id=0, hsm=None)¶
decrypt a variable from the given input with an initialization vector
- Parameters
input (buffer of bytes) – buffer, which contains the crypted value
iv (buffer (20 bytes random)) – initialization vector
id (int) – contains the id of which key of the keyset should be used
- Returns
decryted buffer
- linotp.lib.crypto.utils.decryptPassword(cryptPass: str) bytes¶
Restore the encrypted password
- Parameters
cryptPass – encrypted password (i.e. ldap password)
- Returns
decrypted password
- linotp.lib.crypto.utils.decryptPin(cryptPin, hsm=None)¶
- Parameters
cryptPin – encrypted pin (i.e. token pin)
hsm – hsm security object instance
- Returns
decrypted pin
- linotp.lib.crypto.utils.dsa_to_dh_public(dsa_public_key)¶
- linotp.lib.crypto.utils.dsa_to_dh_secret(dsa_secret_key)¶
- linotp.lib.crypto.utils.encode_base64_urlsafe(data)¶
encodes a string with urlsafe base64 and removes its padding
- linotp.lib.crypto.utils.encrypt(data: str, iv: bytes, id: int = 0, hsm=None) bytes¶
encrypt a variable from the given input with an initialization vector
- Parameters
input (buffer of bytes) – buffer, which contains the value
iv (buffer (20 bytes random)) – initialization vector
id (int) – contains the id of which key of the keyset should be used
- Returns
encryted buffer
- linotp.lib.crypto.utils.encryptPassword(password)¶
Encrypt password (i.e. ldap password)
- Parameters
password – password to encrypt
- Returns
encrypted password
- linotp.lib.crypto.utils.encryptPin(cryptPin: bytes, iv=None, hsm=None)¶
Encrypt pin (i.e. token pin)
- Parameters
cryptPin – pin to encrypt
iv – initializain vector
hsm – hsm security object instance
- Returns
return encrypted pin
- linotp.lib.crypto.utils.extract_tan(signature, digits)¶
Calculates a TAN from a signature using a procedure similar to HOTP
- Parameters
signature – the signature used as a source for the TAN
digits – number of digits the should be long
:returns TAN (as string)
- linotp.lib.crypto.utils.get_dh_secret_key(partition)¶
transforms the ed25519 secret key (which is used for DSA) into a Diffie-Hellman secret key
- linotp.lib.crypto.utils.get_hashalgo_from_description(description, fallback='sha1')¶
get the hashing function from a string value
- Parameters
description – the literal description of the hash
fallback – the fallback hash allgorithm
- Returns
hashing function pointer
- linotp.lib.crypto.utils.get_public_key(partition)¶
reads the password config entry ‘linotp.PublicKey.Partition.<partition>’, extracts and decodes the public key and returns it as a 32 bytes.
- linotp.lib.crypto.utils.get_rand_digit_str(length=16)¶
return a string of digits with a defined length using the urandom
- Parameters
length – number of digits the string should return
- Returns
return string, which will contain length digits
- linotp.lib.crypto.utils.get_secret_key(partition)¶
reads the password config entry ‘linotp.SecretKey.Partition.<partition>’, extracts and decodes the secret key and returns it as a 32 bytes.
- linotp.lib.crypto.utils.geturandom(len=20)¶
get random - from the security module
- Parameters
len – len of the returned bytes - defalt is 20 bytes
- Tyrpe len
int
- Returns
buffer of bytes
- linotp.lib.crypto.utils.hash_digest(val: bytes, seed: bytes, algo=None, hsm=None)¶
hash_digest - hmac digest, lower level api
operating on byte level
calling level to the hsm module
- linotp.lib.crypto.utils.hmac_digest(bkey, data_input, hsm=None, hash_algo=None)¶
- linotp.lib.crypto.utils.init_key_partition(config, partition, key_type='ed25519')¶
create an elliptic curve secret + public key pair and store it in the linotp config
- linotp.lib.crypto.utils.kdf2(sharedsecret, nonce, activationcode, len, iterations=10000, digest='SHA256', macmodule=<module 'hmac' from '/usr/lib/python3.7/hmac.py'>, checksum=True)¶
key derivation function
takes the shared secret, an activation code and a nonce to generate a new key
the last 4 btyes (8 chars) of the nonce is the salt
the last byte (2 chars) of the activation code are the checksum
- the activation code mitght contain ‘-‘ signs for grouping char blocks
aabbcc-ddeeff-112233-445566
- Parameters
sharedsecret – hexlified binary value
nonce – hexlified binary value
activationcode – base32 encoded value
- linotp.lib.crypto.utils.zerome(bufferObject)¶
clear a string value from memory
- Parameters
string (string or key buffer) – the string variable, which should be cleared
- Returns
nothing -