o
    s–h‹<  ã                   @  sN  d dl mZ ddlmZmZmZmZ ddlmZ ddl	m
Z
 d dlmZ d dlmZ d d	lmZ d d
lmZmZmZ d dlmZ d dlmZmZmZ d dlmZ d dlmZ d dlm Z m!Z!m"Z"m#Z#m$Z$m%Z% d dl&Z&d dl'Z'd dl(Z(e( )e*¡Z+d!dd„Z,G dd„ de&j-ƒZ.eG dd„ dƒƒZ/G dd„ de.ƒZ0G dd„ de0ƒZ1G dd „ d ƒZ2dS )"é    )Úannotationsé   )Úsha256Úhmac_sha256Ú	bytes2intÚ	int2bytes)ÚCoseKeyé   )ÚCtap2)Údefault_backend)Úhashes)Úec)ÚCipherÚ
algorithmsÚmodes)ÚHKDF)ÚIntEnumÚIntFlagÚunique)Ú	dataclass)ÚEvent)ÚOptionalÚAnyÚMappingÚClassVarÚTupleÚCallableNÚpinÚstrÚreturnÚbytesc                 C  sn   t | tƒstdt› ƒ‚t| ƒdk rtdƒ‚|  ¡  dd¡}|dt|ƒd  d  7 }t|ƒdkr5tdƒ‚|S )	NzPIN of wrong type, expecting é   zPIN must be >= 4 charactersé@   ó    é   éÿ   zPIN must be <= 255 bytes)Ú
isinstancer   Ú
ValueErrorÚlenÚencodeÚljust)r   Ú
pin_padded© r,   úJ/var/www/html/env_mimamsha/lib/python3.10/site-packages/fido2/ctap2/pin.pyÚ_pad_pin4   s   
r.   c                   @  sf   e Zd ZU ded< ejddd„ƒZejddd„ƒZejddd„ƒZejddd„ƒZ	ejddd„ƒZ
dS )ÚPinProtocolzClassVar[int]ÚVERSIONÚpeer_cose_keyr   r   úTuple[Mapping[int, Any], bytes]c                 C  ó   dS )zuGenerates an encapsulation of the public key.
        Returns the message to transmit and the shared secret.
        Nr,   )Úselfr1   r,   r,   r-   ÚencapsulateC   ó    zPinProtocol.encapsulateÚkeyr    Ú	plaintextc                 C  r3   )zEncrypts dataNr,   )r4   r7   r8   r,   r,   r-   ÚencryptI   r6   zPinProtocol.encryptÚ
ciphertextc                 C  r3   )zDecrypts encrypted dataNr,   )r4   r7   r:   r,   r,   r-   ÚdecryptM   r6   zPinProtocol.decryptÚmessagec                 C  r3   )z$Computes a MAC of the given message.Nr,   ©r4   r7   r<   r,   r,   r-   ÚauthenticateQ   r6   zPinProtocol.authenticateÚtokenc                 C  r3   )znValidates that a token is well-formed.
        Returns the token, or if invalid, raises a ValueError.
        Nr,   ©r4   r?   r,   r,   r-   Úvalidate_tokenU   r6   zPinProtocol.validate_tokenN)r1   r   r   r2   )r7   r    r8   r    r   r    )r7   r    r:   r    r   r    )r7   r    r<   r    r   r    )r?   r    r   r    )Ú__name__Ú
__module__Ú__qualname__Ú__annotations__ÚabcÚabstractmethodr5   r9   r;   r>   rA   r,   r,   r,   r-   r/   @   s   
 r/   c                   @  s   e Zd ZU ded< ded< dS )Ú_PinUvr/   Úprotocolr    r?   N)rB   rC   rD   rE   r,   r,   r,   r-   rH   \   s   
 rH   c                   @  sR   e Zd ZdZdZdZddd„Zd	d
„ Zdd„ Zdd„ Z	dd„ Z
dd„ Zdd„ ZdS )ÚPinProtocolV1zèImplementation of the CTAP2 PIN/UV protocol v1.

    :param ctap: An instance of a CTAP2 object.
    :cvar VERSION: The version number of the PIV/UV protocol.
    :cvar IV: An all-zero IV used for some cryptographic operations.
    r	   s                   Úzr    r   c                 C  s   t |ƒS ©N)r   )r4   rK   r,   r,   r-   Úkdfm   s   zPinProtocolV1.kdfc           
      C  s   t ƒ }t t ¡ |¡}| ¡  ¡ }dddt|jdƒt|jdƒdœ}t	|d ƒ}t	|d ƒ}t 
||t ¡ ¡ |¡}|  | t ¡ |¡¡}	||	fS )Nr   içÿÿÿr	   é    )r	   é   éÿÿÿÿéþÿÿÿéýÿÿÿrQ   rR   )r   r   Úgenerate_private_keyÚ	SECP256R1Ú
public_keyÚpublic_numbersr   ÚxÚyr   ÚEllipticCurvePublicNumbersrM   ÚexchangeÚECDH)
r4   r1   ÚbeÚskÚpnÚkey_agreementrW   rX   ÚpkÚshared_secretr,   r,   r-   r5   p   s   

ûzPinProtocolV1.encapsulatec                 C  s    t ƒ }tt |¡t tj¡|ƒS rL   )r   r   r   ÚAESr   ÚCBCrJ   ÚIV)r4   Úsecretr\   r,   r,   r-   Ú_get_cipher_v1‚   s   zPinProtocolV1._get_cipher_v1c                 C  ó$   |   |¡}| ¡ }| |¡| ¡  S rL   )rf   Ú	encryptorÚupdateÚfinalize)r4   r7   r8   ÚcipherÚencr,   r,   r-   r9   †   ó   
zPinProtocolV1.encryptc                 C  rg   rL   )rf   Ú	decryptorri   rj   )r4   r7   r:   rk   Údecr,   r,   r-   r;   ‹   rm   zPinProtocolV1.decryptc                 C  s   t ||ƒd d… S )Nr$   ©r   r=   r,   r,   r-   r>      s   zPinProtocolV1.authenticatec                 C  s   t |ƒdvr
tdƒ‚|S )N)r$   rN   z#PIN/UV token must be 16 or 32 bytes©r(   r'   r@   r,   r,   r-   rA   “   ó   zPinProtocolV1.validate_tokenN)rK   r    r   r    )rB   rC   rD   Ú__doc__r0   rd   rM   r5   rf   r9   r;   r>   rA   r,   r,   r,   r-   rJ   b   s    
rJ   c                   @  sP   e Zd ZdZdZdZdZdZdd„ Zdd	„ Z	d
d„ Z
dd„ Zdd„ Zdd„ ZdS )ÚPinProtocolV2zèImplementation of the CTAP2 PIN/UV protocol v2.

    :param ctap: An instance of a CTAP2 object.
    :cvar VERSION: The version number of the PIV/UV protocol.
    :cvar IV: An all-zero IV used for some cryptographic operations.
    r   s                                    s   CTAP2 HMAC keys   CTAP2 AES keyc                 C  sN   t ƒ }tt ¡ dtjtj|d |¡}tt ¡ dtjtj|d |¡}|| S )NrN   )Ú	algorithmÚlengthÚsaltÚinfoÚbackend)	r   r   r   ÚSHA256rt   Ú	HKDF_SALTÚHKDF_INFO_HMACÚderiveÚHKDF_INFO_AES)r4   rK   r\   Úhmac_keyÚaes_keyr,   r,   r-   rM   ¦   s(   ûúûúzPinProtocolV2.kdfc                 C  s   t ƒ }tt |¡t |¡|ƒS rL   )r   r   r   rb   r   rc   )r4   re   Úivr\   r,   r,   r-   Ú_get_cipher_v2¸   s   zPinProtocolV2._get_cipher_v2c                 C  s@   |dd … }t  d¡}|  ||¡}| ¡ }|| |¡ | ¡  S ©NrN   r$   )ÚosÚurandomr‚   rh   ri   rj   )r4   r7   r8   r€   r   rk   rl   r,   r,   r-   r9   ¼   s
   
zPinProtocolV2.encryptc                 C  sL   |dd … }|d d… |dd … }}|   ||¡}| ¡ }| |¡| ¡  S rƒ   )r‚   rn   ri   rj   )r4   r7   r:   r€   r   rk   ro   r,   r,   r-   r;   Ä   s
   zPinProtocolV2.decryptc                 C  s   |d d… }t ||ƒS )NrN   rp   )r4   r7   r<   r   r,   r,   r-   r>   Ë   s   
zPinProtocolV2.authenticatec                 C  s   t |ƒdkr
tdƒ‚|S )NrN   zPIN/UV token must be 32 bytesrq   r@   r,   r,   r-   rA   Ï   rr   zPinProtocolV2.validate_tokenN)rB   rC   rD   rs   r0   r{   r|   r~   rM   r‚   r9   r;   r>   rA   r,   r,   r,   r-   rt   ™   s    rt   c                   @  sÌ   e Zd ZdZeegZeG dd„ deƒƒZ	eG dd„ deƒƒZ
eG dd„ deƒƒZedd	„ ƒZed
d„ ƒZd2d3dd„Zdd„ Z		d4d5dd„Z				d6d7d#d$„Zd8d&d'„Zd9d)d*„Zd:d,d-„Zd;d0d1„ZdS )<Ú	ClientPina!  Implementation of the CTAP2 Client PIN API.

    :param ctap: An instance of a CTAP2 object.
    :param protocol: An optional instance of a PinUvAuthProtocol object. If None is
        provided then the latest protocol supported by both library and Authenticator
        will be used.
    c                   @  s,   e Zd ZdZdZdZdZdZdZdZ	dZ
d	S )
zClientPin.CMDr	   r   rO   r!   é   é   é   é	   N)rB   rC   rD   ÚGET_PIN_RETRIESÚGET_KEY_AGREEMENTÚSET_PINÚ
CHANGE_PINÚGET_TOKEN_USING_PIN_LEGACYÚGET_TOKEN_USING_UVÚGET_UV_RETRIESÚGET_TOKEN_USING_PINr,   r,   r,   r-   ÚCMDà   s    r“   c                   @  s    e Zd ZdZdZdZdZdZdS )zClientPin.RESULTr	   r   rO   r!   r‡   N)rB   rC   rD   ÚKEY_AGREEMENTÚPIN_UV_TOKENÚPIN_RETRIESÚPOWER_CYCLE_STATEÚ
UV_RETRIESr,   r,   r,   r-   ÚRESULTë   s    r™   c                   @  s$   e Zd ZdZdZdZdZdZdZdS )zClientPin.PERMISSIONr	   r   r!   é   r$   rN   N)	rB   rC   rD   ÚMAKE_CREDENTIALÚGET_ASSERTIONÚCREDENTIAL_MGMTÚ
BIO_ENROLLÚLARGE_BLOB_WRITEÚAUTHENTICATOR_CFGr,   r,   r,   r-   Ú
PERMISSIONó   s    r¡   c                 C  s
   d| j v S )zÌChecks if ClientPin functionality is supported.

        Note that the ClientPin function is still usable without support for client
        PIN functionality, as UV token may still be supported.
        Ú	clientPin)Úoptions©rx   r,   r,   r-   Úis_supportedü   s   
zClientPin.is_supportedc                 C  s   | j  d¡du S )z&Checks if pinUvAuthToken is supported.ÚpinUvAuthTokenT)r£   Úgetr¤   r,   r,   r-   Úis_token_supported  s   zClientPin.is_token_supportedNÚctapr
   rI   úOptional[PinProtocol]c                 C  sH   || _ |d u rtjD ]}|j|jjv r|ƒ | _ d S q
tdƒ‚|| _d S )Nz)No compatible PIN/UV protocols supported!)r©   r†   Ú	PROTOCOLSr0   rx   Úpin_uv_protocolsrI   r'   )r4   r©   rI   Úprotor,   r,   r-   Ú__init__
  s   
þ
zClientPin.__init__c                 C  s.   | j  | jjtjj¡}|tjj }| j 	|¡S rL   )
r©   Ú
client_pinrI   r0   r†   r“   rŒ   r™   r”   r5   )r4   Úrespr`   r,   r,   r-   Ú_get_shared_secret  s
   ÿzClientPin._get_shared_secretr   r   ÚpermissionsúOptional[ClientPin.PERMISSION]Úpermissions_rpidúOptional[str]r   r    c                 C  s¾   t  | jj¡stdƒ‚|  ¡ \}}t| ¡ ƒdd… }| j 	||¡}t  
| jj¡r0|r0t jj}nt jj}d}d}| jj| jj|||||d}	|	t jj }
t d|› ¡ | j | j ||
¡¡S )a-  Get a PIN/UV token from the authenticator using PIN.

        :param pin: The PIN of the authenticator.
        :param permissions: The permissions to associate with the token.
        :param permissions_rpid: The permissions RPID to associate with the token.
        :return: A PIN/UV token.
        z,Authenticator does not support get_pin_tokenNr$   )r_   Úpin_hash_encr²   r´   zGot PIN token for permissions: )r†   r¥   r©   rx   r'   r±   r   r)   rI   r9   r¨   r“   r’   r   r¯   r0   r™   r•   ÚloggerÚdebugrA   r;   )r4   r   r²   r´   r_   ra   Úpin_hashr¶   Úcmdr°   Úpin_token_encr,   r,   r-   Úget_pin_token  s.   
úÿzClientPin.get_pin_tokenÚeventúOptional[Event]Úon_keepaliveúOptional[Callable[[int], None]]c           	   	   C  sv   t  | jj¡stdƒ‚|  ¡ \}}| jj| jjt j	j
|||||d}|t jj }t d|› ¡ | j | j ||¡¡S )aH  Get a PIN/UV token from the authenticator using built-in UV.

        :param permissions: The permissions to associate with the token.
        :param permissions_rpid: The permissions RPID to associate with the token.
        :param event: An optional threading.Event which can be used to cancel
            the invocation.
        :param on_keepalive: An optional callback to handle keep-alive messages
            from the authenticator. The function is only called once for
            consecutive keep-alive messages with the same status.
        :return: A PIN/UV token.
        z+Authenticator does not support get_uv_token)r_   r²   r´   r½   r¿   zGot UV token for permissions: )r†   r¨   r©   rx   r'   r±   r¯   rI   r0   r“   r   r™   r•   r·   r¸   rA   r;   )	r4   r²   r´   r½   r¿   r_   ra   r°   r»   r,   r,   r-   Úget_uv_tokenI  s"   ù
ÿzClientPin.get_uv_tokenúTuple[int, Optional[int]]c                 C  s0   | j  | jjtjj¡}|tjj | 	tjj
¡fS )zÇGet the number of PIN retries remaining.

        :return: A tuple of the number of PIN attempts remaining until the
        authenticator is locked, and the power cycle state, if available.
        )r©   r¯   rI   r0   r†   r“   r‹   r™   r–   r§   r—   ©r4   r°   r,   r,   r-   Úget_pin_retriesp  s   ÿ
þzClientPin.get_pin_retriesÚintc                 C  s"   | j  | jjtjj¡}|tjj S )zÅGet the number of UV retries remaining.

        :return: A tuple of the number of UV attempts remaining until the
        authenticator is locked, and the power cycle state, if available.
        )	r©   r¯   rI   r0   r†   r“   r‘   r™   r˜   rÃ   r,   r,   r-   Úget_uv_retries~  s   zClientPin.get_uv_retriesÚNonec                 C  sn   t  | jj¡stdƒ‚|  ¡ \}}| j |t|ƒ¡}| j 	||¡}| jj
| jjt jj|||d t d¡ dS )z­Set the PIN of the autenticator.

        This only works when no PIN is set. To change the PIN when set, use
        change_pin.

        :param pin: A PIN to set.
        ú(Authenticator does not support ClientPin)r_   Únew_pin_encÚpin_uv_paramzPIN has been setN)r†   r¥   r©   rx   r'   r±   rI   r9   r.   r>   r¯   r0   r“   r   r·   )r4   r   r_   ra   Úpin_encrÊ   r,   r,   r-   Úset_pin‡  s   ûzClientPin.set_pinÚold_pinÚnew_pinc           	      C  s–   t  | jj¡stdƒ‚|  ¡ \}}t| ¡ ƒdd… }| j 	||¡}| j 	|t
|ƒ¡}| j ||| ¡}| jj| jjt jj||||d t d¡ dS )zäChange the PIN of the authenticator.

        This only works when a PIN is already set. If no PIN is set, use
        set_pin.

        :param old_pin: The currently set PIN.
        :param new_pin: The new PIN to set.
        rÈ   Nr$   )r_   r¶   rÉ   rÊ   zPIN has been changed)r†   r¥   r©   rx   r'   r±   r   r)   rI   r9   r.   r>   r¯   r0   r“   rŽ   r·   )	r4   rÍ   rÎ   r_   ra   r¹   r¶   rÉ   rÊ   r,   r,   r-   Ú
change_pinŸ  s$   	ÿúzClientPin.change_pinrL   )r©   r
   rI   rª   )NN)r   r   r²   r³   r´   rµ   r   r    )NNNN)
r²   r³   r´   rµ   r½   r¾   r¿   rÀ   r   r    )r   rÂ   )r   rÅ   )r   r   r   rÇ   )rÍ   r   rÎ   r   r   rÇ   )rB   rC   rD   rs   rt   rJ   r«   r   r   r“   r™   r   r¡   Ústaticmethodr¥   r¨   r®   r±   r¼   rÁ   rÄ   rÆ   rÌ   rÏ   r,   r,   r,   r-   r†   Õ   s6    


ü-û
'

	r†   )r   r   r   r    )3Ú
__future__r   Úutilsr   r   r   r   Úcoser   Úbaser
   Úcryptography.hazmat.backendsr   Úcryptography.hazmat.primitivesr   Ú)cryptography.hazmat.primitives.asymmetricr   Ú&cryptography.hazmat.primitives.ciphersr   r   r   Ú'cryptography.hazmat.primitives.kdf.hkdfr   Úenumr   r   r   Údataclassesr   Ú	threadingr   Útypingr   r   r   r   r   r   rF   r„   ÚloggingÚ	getLoggerrB   r·   r.   ÚABCr/   rH   rJ   rt   r†   r,   r,   r,   r-   Ú<module>   s0    

7<