S!dZddlZddlZddlZddlZddlZddlZddlZddlm Z ddlm Z ddl m Z dZ dZdZdZd ZGd d e j$Zy) z4Class to offload the end to end flow of U2F signing.N)errors)model)baseauthenticatorSK_SIGNING_PLUGINiiijcleZdZdZdZej jfdZdZ dZ dZ dZ dZ d Zy ) CustomAuthenticatoraOffloads U2F signing to a pluggable command-line tool. Offloads U2F signing to a signing plugin which takes the form of a command-line tool. The command-line tool is configurable via the SK_SIGNING_PLUGIN environment variable. The signing plugin should implement the following interface: Communication occurs over stdin/stdout, and messages are both sent and received in the form: [4 bytes - payload size (little-endian)][variable bytes - json payload] Signing Request JSON { "type": "sign_helper_request", "signData": [{ "keyHandle": , "appIdHash": , "challengeHash": , "version": U2F protocol version (usually "U2F_V2") },...], "timeoutSeconds": } Signing Response JSON { "type": "sign_helper_reply", "code": . "errorDetail": , "responseData": { "appIdHash": , "challengeHash": , "keyHandle": , "version": , "signatureData": } } Possible response error codes are: NoError = 0 UnknownError = -127 TouchRequired = 0x6985 WrongData = 0x6a80 c||_y)N)origin)selfr s 8lib/third_party/pyu2f/convenience/customauthenticator.py__init__zCustomAuthenticator.__init__Us DKcvtjjt}|(t j dj t|j|||j\}}|d|j|g|}|d|df}||} | j} |j|| |S)See base class.z{} env var is not setz*Please insert and touch your security key keyHandle challengeHash) osenvirongetSK_SIGNING_PLUGIN_ENV_VARr PluginErrorformat_BuildPluginRequestr _CallPluginencode_BuildAuthenticatorResponse) r app_idchallenge_dataprint_callback plugin_cmdclient_data_map signing_inputresponsekey_challenge_pairclient_data_json client_datas r Authenticatez CustomAuthenticator.AuthenticateXs  9:J   6 &'@ A CC&*%=%= &-"O]@A m>3 4D @@rci}g}|j|j|}|D]}|d}|j|j} |d} tjtjj | |j } |j|j| } |j|| | |jd| | f} | || <d|tdd}|tj|fS)z:Builds a JSON request in the form that the plugin expects.key challenge) appIdHashrrversionsign_helper_requestT)typesignDatatimeoutSeconds localAlways) _Base64Encode_SHA256 key_handler ClientDataTYP_AUTHENTICATIONGetJsonappendr/U2F_SIGNATURE_TIMEOUT_SECONDSjsondumps)r rrr r"encoded_challengesapp_id_hash_encodedchallenge_itemr,key_handle_encoded raw_challenger&challenge_hash_encodedr%signing_requests r rz'CustomAuthenticator._BuildPluginRequesttsO,,T\\&-AB( 5 !c--cnn=$[1m))    - -  ') $11 ,,' ( **1)[[ ! /0FG,> 2 2    = 6+##M2   "%%n5M    M 6+    K 5   P &{ 3 555s .#J.J.ctj}|j|j|j S)z Helper method to perform SHA256.)hashlibsha256updaterdigest)r stringmds r r6zCustomAuthenticator._SHA256s,  BIIfmmo 99;rcftj|jjdS)zKHelper method to base64 encode, strip padding, and return str result.=)base64urlsafe_b64encoder`rstrip)r bytes_datas r r5z!CustomAuthenticator._Base64Encodes) % %j 1 8 8 : A A# FFrN)__name__ __module__ __qualname____doc__rsysstderrwriter(r*rrrr6r5rr r r %sE-^#&**"2"2K0A&8P @D Grr )rrrxr=rrWrYrpyu2frrpyu2f.conveniencerrr<rgrbreBaseAuthenticatorr rrr rs];   // !#) %PG+==PGr