14.2.1.2.6. HOTP Token
- class edumfa.lib.tokens.hotptoken.HotpTokenClass(db_token)
HOTP (HMAC-based one-time password) token class implementation.
Create a new HOTP Token object.
- Parameters:
db_token (DB object) – instance of the ORM db object
- can_verify_enrollment = True
- check_otp(anOtpVal, counter=None, window=None, options=None)
Check whether the given OTP value is valid for this token.
- Parameters:
anOtpVal (string) – the OTP value to be verified
counter (int) – the counter state that should be verified
window (int) – the look-ahead window; counters from counter up to counter + window are checked
options (dict) – a dict that may contain token-specific info
- Returns:
the matching counter state, or -1 if the OTP does not match
- Return type:
int
- check_otp_exist(otp, window=10, symetric=False, inc_counter=True)
Check whether the given OTP value belongs to this very token. This is used for auto-assignment and to determine the serial number of a token from an OTP value.
- Parameters:
otp (string) – the OTP value to be verified
window (int) – the look-ahead window for the counter
- Returns:
the matching counter, or -1 if the OTP does not exist
- Return type:
int
- desc_hash_func = 'Specify the hashing function to be used. Can be SHA1, SHA256 or SHA512.'
- desc_key_gen = 'Force the key to be generated on the server.'
- desc_otp_len = 'Specify the OTP length to be used. Can be 6 or 8 digits.'
- desc_two_step_admin = 'Specify whether admins are allowed or forced to use two-step enrollment.'
- desc_two_step_user = 'Specify whether users are allowed or forced to use two-step enrollment.'
- classmethod enroll_via_validate(g, content, user_obj)
This class method is used in the policy ENROLL_VIA_MULTICHALLENGE. It enrolls a new token of this type and returns the necessary information to the client by modifying the content.
- Parameters:
g – context object
content – the content of a response
user_obj – a user object
- Returns:
None; the content is modified in place
- generate_symmetric_key(server_component, client_component, options=None)
Generate a composite key from a server and a client component using a PBKDF2-based scheme (two-step enrollment).
- Parameters:
server_component (hex string) – the component usually generated by privacyIDEA
client_component (hex string) – the component usually generated by the client (e.g. a smartphone)
options – optional token-specific parameters
- Returns:
the newly generated key as a hex string
- Return type:
str
- static get_class_info(key=None, ret='all')
Returns a subtree of the token definition. Used by lib.token.get_token_info.
- Parameters:
key (string) – subsection identifier
ret (user defined) – default return value if nothing is found
- Returns:
the subsection if key exists, otherwise the user-defined default
- Return type:
dict
- static get_class_prefix()
Return the prefix that is used for the serial numbers of this token type.
- Returns:
oath
- static get_class_type()
Return the token type shortname.
- Returns:
‘hotp’
- Return type:
string
- classmethod get_default_settings(g, params)
This method returns a dictionary with default settings for token enrollment. These default settings are defined in SCOPE.USER or SCOPE.ADMIN and are hotp_hashlib and hotp_otplen. If these are set, the user or admin will only be able to enroll tokens with these values.
The returned dictionary is added to the parameters of the API call.
- Parameters:
g – context object, see the documentation of Match
params (dict) – the call parameters
- Returns:
default parameters
- static get_import_csv(l)
Read the list from a CSV file and return a dictionary that can be used to do a token_init.
- Parameters:
l (list) – the list of fields of one line of a CSV file
- Returns:
a dictionary of init params
- get_init_detail(params=None, user=None)
To complete the token initialization, some additional details should be returned, which are displayed at the end of the token initialization. This is e.g. the enrollment URL for a Google Authenticator.
- get_multi_otp(count=0, epoch_start=0, epoch_end=0, curTime=None, timestamp=None, counter_index=False)
Return a dictionary of multiple future OTP values of the HOTP/HMAC token.
- WARNING: the dict that is returned contains a sequence number as key. This is NOT the OTP counter!
- Parameters:
count (int) – how many OTP values should be returned
epoch_start – not used in HOTP
epoch_end – not used in HOTP
curTime – not used in HOTP
timestamp – not used in HOTP
counter_index – whether the counter should be used as the dictionary key
- Returns:
tuple of status (boolean), error (text) and the OTP dictionary
- get_otp(current_time=None)
Return the next OTP value.
- Parameters:
curTime (current_time in the signature) – not used in HOTP
- Returns:
the next OTP value and the PIN, if possible
- Return type:
tuple
- static get_setting_type(key)
This function returns the type of the token-specific config/setting. This way a token class can define settings that can be “public” or a “password”. If this setting is written to the database, the type of the setting is set automatically in set_edumfa_config.
The key name needs to start with the token type.
- Parameters:
key – the token-specific setting key
- Returns:
a string like “public”
- static get_sync_timeout()
Get the token sync timeout value.
- Returns:
timeout value in seconds
- Return type:
int
- property hashlib
- is_multichallenge_enrollable = True
- is_previous_otp(otp)
Check whether the OTP value was previously used.
- Parameters:
otp
window
- Returns:
- prepare_verify_enrollment()
This is called if the token should be enrolled in a way that requires the user to provide a proof, verifiable by the server, that the token was successfully enrolled. E.g. with HOTP tokens the user might need to provide a correct OTP value.
The returned dictionary is added to the response in “detail” -> “verify”.
- Returns:
A dictionary with the information that is needed to trigger the verification.
- previous_otp_offset = 1
- resync(otp1, otp2, options=None)
Resync the token based on two OTP values.
- Parameters:
otp1 (string) – the first OTP value
otp2 (string) – the second OTP value
options (dict or None) – optional token-specific parameters
- Returns:
the counter, or -1 if the OTP values do not exist for this token
- Return type:
int
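The following Python example is added here and is not eduMFA's code. It implements plain RFC 4226 HOTP and walks through what the methods above describe: a windowed check_otp whose server counter only ever moves forward (so a replayed or older value is rejected), is_previous_otp against previous_otp_offset, resync from two OTP values, get_multi_otp keyed by sequence number rather than counter, and a two-step generate_symmetric_key. Its PBKDF2 details (SHA1, 10,000 rounds, 20-byte key, server component as password and client component as salt), the resync assumption that the two OTPs are consecutive, and the default window sizes are assumptions of the example, not eduMFA's documented behaviour; the secret is the RFC 4226 test-vector seed and the enrollment halves are generated on the spot.

```python
import binascii
import hashlib
import hmac
import secrets
import struct

# Constructed demo values. The secret is the RFC 4226 test-vector seed, NOT a real key;
# the two-step parameters (rounds, key length) are illustrative, not eduMFA's configured ones.
DEMO_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 10_000
KEY_LEN = 20          # 160-bit seed, the natural size for HMAC-SHA1


def generate_symmetric_key(server_component, client_component,
                           rounds=PBKDF2_ROUNDS, key_len=KEY_LEN):
    """Two-step enrollment: derive the HOTP seed from a server half and a client half.

    Illustrative PBKDF2 combination (server component as the password, client
    component as the salt); the real scheme's parameters are an assumption here.
    Inputs and result are hex strings, as in the documented signature.
    """
    server = binascii.unhexlify(server_component)
    client = binascii.unhexlify(client_component)
    key = hashlib.pbkdf2_hmac("sha1", server, client, rounds, dklen=key_len)
    return binascii.hexlify(key).decode()


def hotp(secret, counter, digits=6, hash_func=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hash_func).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side counter state with look-ahead verification and resync."""

    def __init__(self, secret, counter=0, digits=6, hash_func=hashlib.sha1):
        self.secret = secret
        self.counter = counter      # next counter the server expects
        self.digits = digits
        self.hash_func = hash_func

    def _code(self, counter):
        return hotp(self.secret, counter, self.digits, self.hash_func)

    def check_otp(self, otp, window=10):
        """Return the matching counter or -1. On success the server counter moves past
        the match, so a replayed or older OTP is rejected (the counter never moves back)."""
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(self._code(c), otp):
                self.counter = c + 1
                return c
        return -1

    def is_previous_otp(self, otp, previous_otp_offset=1):
        """True if otp is the value accepted previous_otp_offset steps before the current counter."""
        c = self.counter - previous_otp_offset
        return c >= 0 and hmac.compare_digest(self._code(c), otp)

    def resync(self, otp1, otp2, window=1000):
        """Resync from two consecutive OTPs: search a large window for otp1 and require
        otp2 at the very next counter. Returns the new counter or -1."""
        for c in range(self.counter, self.counter + window):
            if (hmac.compare_digest(self._code(c), otp1)
                    and hmac.compare_digest(self._code(c + 1), otp2)):
                self.counter = c + 2
                return self.counter
        return -1

    def get_multi_otp(self, count):
        """Future OTPs keyed by sequence number 0..count-1 (NOT the counter, as the
        page warns); the server counter is not advanced."""
        return {i: self._code(self.counter + i) for i in range(count)}


def demo():
    # Two-step enrollment: both sides contribute 20 random bytes (constructed here)
    # and derive the same seed, so the client's entropy goes into the key.
    server_half = secrets.token_hex(20)
    client_half = secrets.token_hex(20)
    assert generate_symmetric_key(server_half, client_half) == \
        generate_symmetric_key(server_half, client_half)

    v = HotpVerifier(DEMO_SECRET)
    first = v.check_otp(hotp(DEMO_SECRET, 0))       # 0: accepted
    replay = v.check_otp(hotp(DEMO_SECRET, 0))      # -1: replay rejected
    skipped = v.check_otp(hotp(DEMO_SECRET, 4))     # 4: inside the look-ahead window
    far = v.check_otp(hotp(DEMO_SECRET, 40))        # -1: beyond the window of 10
    new_counter = v.resync(hotp(DEMO_SECRET, 40), hotp(DEMO_SECRET, 41))  # 42
    return first, replay, skipped, far, new_counter


if __name__ == "__main__":
    print(demo())
```

Running demo() returns (0, -1, 4, -1, 42): the first code is accepted, its replay is refused, a code four steps ahead is still found by the look-ahead, a code forty steps ahead is not, and two consecutive codes from there resync the counter to 42. The look-ahead window is the usability trade-off: larger windows tolerate more button presses on a hardware token but widen the set of codes an attacker could guess per attempt, which is why a large window belongs only in resync.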