o z@spdZddlZddlZddlZddlmZddlmZddlmZddlmZe fddZ Gd d d e Z dS) aNImplement a high level U2F API analogous to the javascript API spec. This modules implements a high level U2F API that is analogous in spirit to the high level U2F javascript API. It supports both registration and authetication. For the purposes of this API, the "origin" is the hostname of the machine this library is running on. N)errors)hardware) hidtransport)modelc CsHt}|D]}z ttj|d|dWStjyYqwt)zEObtains a U2FInterface for the first valid local U2FHID device found.) transport) security_keyorigin)rDiscoverLocalHIDU2FDevices U2FInterfacer SecurityKeyrUnsupportedVersionExceptionNoDeviceFoundError)rhid_transportstr2/tmp/google-cloud-sdk/lib/third_party/pyu2f/u2f.pyGetLocalU2FInterface!s  rc@s8eZdZdZefddZddZddZdd Z d S) r aHigh level U2F interface. Implements a high level interface in the spirit of the FIDO U2F javascript API high level interface. It supports registration and authentication (signing). IMPORTANT NOTE: This class does NOT validate the app id against the origin. In particular, any user can assert any app id all the way to the device. The security model of a python library is such that doing so would not provide significant benfit as it could be bypassed by the caller talking to a lower level of the API. In fact, so could the origin itself. The origin is still set to a plausible value (the hostname) by this library. TODO(user): Figure out a plan on how to address this gap/document the consequences of this more clearly. cCs&||_||_|jdkrtdS)NsU2F_V2)rr CmdVersionrr )selfrrrrr__init__Cs zU2FInterface.__init__c Csjttjj||j}||}||}|D]M}z|jdkr"Wq|j|||j d}t dt j y?t t j jt jyQ} zWYd} ~ qd} ~ wt j ye} zt t j j| d} ~ wwtdD]C} z|j||}t||WSt j y} z|jtdWYd} ~ qjd} ~ wt j y} zt t j j| d} ~ wwt t j j)aRegisters app_id with the security key. Executes the U2F registration flow with the security key. Args: app_id: The app_id to register the security key against. challenge: Server challenge passed to the security key. registered_keys: List of keys already registered for this app_id+user. Returns: RegisterResponse with key_handle and attestation information in it ( encoded in FIDO U2F binary format within registration_data field). Raises: U2FError: There was some kind of problem with registration (e.g. the device was already registered or there was a timeout waiting for the test of user presence). U2F_V2TzShould Never HappenN?)r ClientDataTYP_REGISTRATIONrInternalSHA256GetJsonversionrCmdAuthenticate key_handler HardwareErrorTUPRequiredErrorU2FErrorDEVICE_INELIGIBLEInvalidKeyHandleError BAD_REQUESTrange CmdRegisterRegisterResponseCmdWinktimesleepTIMEOUT) rapp_id challengeregistered_keys client_datachallenge_param app_paramkeyrespe_rrrRegisterJsF        zU2FInterface.Registerc Csttjj||j}||}||}d}|D]_}z;|jdkr$WqtdD]-} z|j |||j } t |j | |WWSt j yU|jtdYq(wWqt jye|d7}Yqt jyy} zt t jj| d} ~ ww|t|krt t jjt t jj)aAuthenticates app_id with the security key. Executes the U2F authentication/signature flow with the security key. Args: app_id: The app_id to register the security key against. challenge: Server challenge passed to the security key as a bytes object. registered_keys: List of keys already registered for this app_id+user. Returns: SignResponse with client_data, key_handle, and signature_data. The client data is an object, while the signature_data is encoded in FIDO U2F binary format. Raises: U2FError: There was some kind of problem with authentication (e.g. there was a timeout while waiting for the test of user presence.) rrrrN)rrTYP_AUTHENTICATIONrrrrr&rrr SignResponserr!r)r*r+r$r r"r%lenr#r,) rr-r.r/r0r2r1num_invalid_keysr3r6r4r5rrr Authenticates>       zU2FInterface.AuthenticatecCst}|||S)N)hashlibsha256updateencodedigest)rstringmdrrrrszU2FInterface.InternalSHA256N) __name__ __module__ __qualname____doc__socket gethostnamerr7r=rrrrrr 0s 9 1r ) rHr>rIr*pyu2frrrrrJrobjectr rrrrs