# Copyright (c) 2013 Yubico AB # All rights reserved. # # Redistribution and use in source and binary forms, with or # without modification, are permitted provided that the following # conditions are met: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above # copyright notice, this list of conditions and the following # disclaimer in the documentation and/or other materials provided # with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. from __future__ import absolute_import from .hid import CTAPHID from .utils import websafe_encode from enum import IntEnum, unique from binascii import b2a_hex import struct import six @unique class APDU(IntEnum): OK = 0x9000 USE_NOT_SATISFIED = 0x6985 WRONG_DATA = 0x6a80 class ApduError(Exception): def __init__(self, code, data=b''): self.code = code self.data = data def __repr__(self): return 'APDU error: 0x{:04X} {:d} bytes of data'.format( self.code, len(self.data)) class RegistrationData(bytes): def __init__(self, _): if six.indexbytes(self, 0) != 0x05: raise ValueError('Reserved byte != 0x05') self.public_key = self[1:66] kh_len = six.indexbytes(self, 66) self.key_handle = self[67:67+kh_len] cert_offs = 67 + kh_len cert_len = six.indexbytes(self, cert_offs + 1) if cert_len > 0x80: n_bytes = cert_len - 0x80 cert_len = int(b2a_hex(self[cert_offs+2:cert_offs+2+n_bytes]), 16) \ + n_bytes cert_len += 2 self.certificate = self[cert_offs:cert_offs+cert_len] self.signature = self[cert_offs+cert_len:] @property def b64(self): return websafe_encode(self) def __repr__(self): return ("RegistrationData(public_key: h'%s', key_handle: h'%s', " "certificate: h'%s', signature: h'%s')") % ( b2a_hex(x).decode() for x in ( self.public_key, self.key_handle, self.certificate, self.signature ) ) def __str__(self): return '%r' % self class SignatureData(bytes): def __init__(self, _): self.user_presence, self.counter = struct.unpack('>BI', self[:5]) self.signature = self[5:] @property def b64(self): return websafe_encode(self) def __repr__(self): return ('SignatureData(user_presence: 0x%02x, counter: %d, ' "signature: h'%s'") % (self.user_presence, self.counter, b2a_hex(self.signature)) def __str__(self): return '%r' % self class CTAP1(object): @unique class INS(IntEnum): REGISTER = 0x01 AUTHENTICATE = 0x02 VERSION = 0x03 def __init__(self, device): self.device = device def send_apdu(self, cla=0, ins=0, p1=0, p2=0, data=b''): size = len(data) size_h = size >> 16 & 0xff size_l = size & 0xffff apdu = struct.pack('>BBBBBH', cla, ins, p1, p2, size_h, size_l) \ + data + b'\0\0' response = self.device.call(CTAPHID.MSG, apdu) status = struct.unpack('>H', response[-2:])[0] data = response[:-2] if status != APDU.OK: raise ApduError(status, data) return data def get_version(self): return self.send_apdu(ins=CTAP1.INS.VERSION).decode() def register(self, client_param, app_param): data = client_param + app_param response = self.send_apdu(ins=CTAP1.INS.REGISTER, data=data) return RegistrationData(response) def authenticate(self, client_param, app_param, key_handle, check_only=False): data = client_param + app_param \ + struct.pack('>B', len(key_handle)) + key_handle p1 = 0x07 if check_only else 0x03 response = self.send_apdu(ins=CTAP1.INS.AUTHENTICATE, p1=p1, data=data) return SignatureData(response)