Use of com.tremolosecurity.proxy.auth.otp.TOTPKey in project OpenUnison by TremoloSecurity:
class TOTPToken, method loadToken (decrypts the stored TOTP seed and exposes it as an otpauth URL).
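/**
 * Loads the user's TOTP seed from the configured user attribute and returns it as an
 * {@code otpauth://totp/...} provisioning URL under the key {@code "TOTP URL"}.
 *
 * The attribute value is the wrapper produced by {@code CreateOTPKey.generateEncryptedToken}:
 * Base64( JSON Token{iv, encryptedRequest} ), where {@code encryptedRequest} is
 * Base64( AES/CBC/PKCS5Padding( UTF-8 JSON of TOTPKey ) ) under the key named by
 * {@code encryptionKey}.
 *
 * @param user    the authenticated user whose attributes hold the encrypted seed
 * @param session the HTTP session (not used here)
 * @return a map with a single entry "TOTP URL"; the value is the provisioning URL, or
 *         "No password found" when the attribute is absent or has no values
 * @throws Exception on Base64 / JSON / cipher failures (bad key, tampered or truncated value)
 */
@Override
public Object loadToken(AuthInfo user, HttpSession session) throws Exception {
    HashMap<String, String> tokenRet = new HashMap<String, String>();
    Attribute attr = user.getAttribs().get(this.attributeName);
    // An attribute with no values is treated the same as a missing attribute instead of
    // failing with an IndexOutOfBoundsException on get(0).
    if (attr == null || attr.getValues().isEmpty()) {
        tokenRet.put("TOTP URL", "No password found");
        return tokenRet;
    }
    String wrapped = attr.getValues().get(0);
    Gson gson = new Gson();
    // Charsets are given explicitly; new String(byte[]) would use the platform default.
    Token token = gson.fromJson(
            new String(org.bouncycastle.util.encoders.Base64.decode(wrapped), "UTF-8"),
            Token.class);
    SecretKey decryptionKey = GlobalEntries.getGlobalEntries().getConfigManager().getSecretKey(encryptionKey);
    byte[] iv = org.bouncycastle.util.encoders.Base64.decode(token.getIv());
    // NOTE(review): CBC without a MAC gives no integrity protection; the stored value is
    // trusted to come from generateEncryptedToken and cannot be changed here without
    // breaking already-provisioned seeds.
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, decryptionKey, new IvParameterSpec(iv));
    byte[] plain = cipher.doFinal(org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest()));
    TOTPKey totp = gson.fromJson(new String(plain, "UTF-8"), TOTPKey.class);
    // Do not log the decrypted JSON: it contains the shared secret and scratch codes.
    if (logger.isDebugEnabled()) {
        logger.debug("Loaded TOTP key for " + totp.getUserName() + "@" + totp.getHost());
    }
    // The secret is part of the URL by design (it is what the authenticator app enrolls);
    // callers must treat the returned map as sensitive. The label is not URL-encoded.
    tokenRet.put("TOTP URL", "otpauth://totp/" + totp.getUserName() + "@" + totp.getHost() + "?secret=" + totp.getSecretKey());
    return tokenRet;
}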
Use of com.tremolosecurity.proxy.auth.otp.TOTPKey in project OpenUnison by TremoloSecurity:
class AuthTOTPInsert, method bind (verifies a TOTP code appended to the bind password).
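/**
 * Bind interceptor enforcing a TOTP second factor.
 *
 * The bind password is expected as {@code <password>:<totp code>}. The user's encrypted
 * TOTP seed is read from {@code this.attribute} on the bind DN, decrypted with the key
 * named by {@code this.encyrptionKey}, and the code is verified with a window of
 * {@code this.window}. On success the password is rewritten to the part before the
 * separator and the bind is passed down the chain.
 *
 * @param chain       the interceptor chain
 * @param dn          the DN being bound
 * @param pwd         the bind password; mutated in place to strip the TOTP code on success
 * @param constraints LDAP constraints passed through to the next bind
 * @throws LDAPException NO_SUCH_OBJECT if the DN cannot be found or has no key attribute,
 *                       INVALID_CREDENTIALS for a missing separator, non-numeric or wrong code,
 *                       OPERATIONS_ERROR if the stored seed cannot be decoded or decrypted
 */
public void bind(BindInterceptorChain chain, DistinguishedName dn, Password pwd, LDAPConstraints constraints) throws LDAPException {
    DistinguishedName localdn = new DistinguishedName(new DN(dn.getDN().toString()));
    logger.debug("In bind");
    // Base-scope (0) search on the bind DN, all attributes, to fetch the encrypted seed.
    SearchInterceptorChain schain = chain.createSearchChain();
    ArrayList<Attribute> searchattrs = new ArrayList<Attribute>();
    Results res = new Results(chain.getInterceptors(), chain.getPos());
    schain.nextSearch(localdn, new Int(0), new Filter("(objectClass=*)"), searchattrs, new Bool(false), res, new LDAPSearchConstraints());
    res.start();
    if (!res.hasMore()) {
        logger.debug("user not found");
        throw new LDAPException("Could not find " + localdn.getDN().toString(), LDAPException.NO_SUCH_OBJECT, "Could not find " + localdn.getDN().toString());
    }
    LDAPEntry entry = res.next().getEntry();
    LDAPAttribute key = entry.getAttribute(this.attribute);
    if (key == null) {
        logger.debug("No key");
        // NOTE(review): a user that exists but has no enrolled seed is reported as
        // NO_SUCH_OBJECT (with an "Invalid Credentials" message). Kept as-is because the
        // result code is observable by callers; INVALID_CREDENTIALS would be the usual choice.
        throw new LDAPException("Invalid Credentials", LDAPException.NO_SUCH_OBJECT, "Invalid Credentials");
    }
    try {
        TOTPKey totp = decryptStoredKey(key.getStringValue());
        // LDAP simple-bind passwords are UTF-8 octets; decode explicitly rather than with
        // the platform default charset.
        String spwd = new String(pwd.getValue(), "UTF-8");
        // Split at the LAST separator: the TOTP code is digits only and never contains
        // ':', whereas the user's password may.
        int sep = spwd.lastIndexOf(':');
        if (sep == -1) {
            logger.debug("no colon");
            throw new LDAPException("Invalid credentials", LDAPException.INVALID_CREDENTIALS, "Invalid Credentials");
        }
        int code;
        try {
            code = Integer.parseInt(spwd.substring(sep + 1));
        } catch (NumberFormatException nfe) {
            // A non-numeric code is a bad credential, not a server-side error; reporting it
            // as OPERATIONS_ERROR would also let a client distinguish it from a wrong code.
            logger.debug("code is not numeric");
            throw new LDAPException("Invalid credentials", LDAPException.INVALID_CREDENTIALS, "Invalid Credentials");
        }
        GoogleAuthenticatorConfigBuilder b = new GoogleAuthenticatorConfigBuilder();
        b.setWindowSize(this.window);
        GoogleAuthenticator ga = new GoogleAuthenticator(b.build());
        if (!ga.authorize(totp.getSecretKey(), code)) {
            logger.debug("Verify failed");
            throw new LDAPException("Invalid credentials", LDAPException.INVALID_CREDENTIALS, "Invalid Credentials");
        }
        logger.debug("verify succeeded");
        // Hand the real password (everything before the separator) to the next bind.
        pwd.setValue(spwd.substring(0, sep).getBytes("UTF-8"));
        chain.nextBind(dn, pwd, constraints);
    } catch (LDAPException e) {
        // Authentication failures are expected traffic; keep them out of the error log.
        logger.debug("bind rejected", e);
        throw e;
    } catch (Exception e) {
        logger.error("Could not work", e);
        throw new LDAPException("Could not decrypt key", LDAPException.OPERATIONS_ERROR, "Could not decrypt key", e);
    }
}

/**
 * Decodes and decrypts the stored attribute value (the wrapper written by
 * {@code CreateOTPKey.generateEncryptedToken}) into a {@link TOTPKey}.
 *
 * @param keyjson Base64 of the JSON {@code Token} wrapper (iv + encryptedRequest)
 * @return the decrypted TOTP key; never logged, as it holds the shared secret
 * @throws Exception on Base64, JSON or cipher failure
 */
private TOTPKey decryptStoredKey(String keyjson) throws Exception {
    Gson gson = new Gson();
    Token token = gson.fromJson(
            new String(org.bouncycastle.util.encoders.Base64.decode(keyjson), "UTF-8"),
            Token.class);
    byte[] iv = org.bouncycastle.util.encoders.Base64.decode(token.getIv());
    // NOTE(review): AES/CBC with no MAC; integrity of the stored seed relies on the
    // directory being trusted. Changing the scheme would invalidate existing seeds.
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE,
            GlobalEntries.getGlobalEntries().getConfigManager().getSecretKey(this.encyrptionKey),
            new IvParameterSpec(iv));
    byte[] plain = cipher.doFinal(org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest()));
    return gson.fromJson(new String(plain, "UTF-8"), TOTPKey.class);
}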
Use of com.tremolosecurity.proxy.auth.otp.TOTPKey in project OpenUnison by TremoloSecurity:
class CreateOTPKey, method generateEncryptedToken (encrypts a new seed for storage in the directory).
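/**
 * Serializes a freshly generated TOTP key and encrypts it for storage as a user attribute.
 *
 * Output format (consumed by {@code TOTPToken.loadToken} and {@code AuthTOTPInsert.bind}):
 * Base64( JSON Token{iv, encryptedRequest} ), where {@code encryptedRequest} is
 * Base64( AES/CBC/PKCS5Padding( UTF-8 JSON of TOTPKey ) ) and {@code iv} is the Base64 IV.
 *
 * @param userID        user name recorded in the TOTPKey
 * @param key           generated key (secret, scratch codes, verification code)
 * @param hostName      host recorded in the TOTPKey (used as part of the otpauth label)
 * @param cfg           config manager providing the named AES key
 * @param encryptionKey name of the AES key in {@code cfg}
 * @return the Base64-wrapped, encrypted attribute value
 * @throws ProvisioningException if encryption fails (e.g. the named key is missing or invalid)
 */
public static String generateEncryptedToken(String userID, GoogleAuthenticatorKey key, String hostName, ConfigManager cfg, String encryptionKey) throws ProvisioningException {
    TOTPKey totpkey = new TOTPKey();
    totpkey.setHost(hostName);
    totpkey.setScratchCodes(key.getScratchCodes());
    totpkey.setSecretKey(key.getKey());
    totpkey.setUserName(userID);
    totpkey.setValidationCode(key.getVerificationCode());
    Gson gson = new Gson();
    SecretKey sc = cfg.getSecretKey(encryptionKey);
    try {
        // Plaintext holds the shared secret and scratch codes: never log it.
        byte[] plain = gson.toJson(totpkey).getBytes("UTF-8");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        // No IvParameterSpec is passed, so the provider generates the IV; it is read back
        // via getIV() and stored alongside the ciphertext.
        // NOTE(review): CBC without a MAC; the decrypting side has no integrity check.
        cipher.init(Cipher.ENCRYPT_MODE, sc);
        byte[] encJson = cipher.doFinal(plain);
        // Base64 output is ASCII, but the charset is still stated explicitly.
        Token token = new Token();
        token.setEncryptedRequest(new String(org.bouncycastle.util.encoders.Base64.encode(encJson), "UTF-8"));
        token.setIv(new String(org.bouncycastle.util.encoders.Base64.encode(cipher.getIV()), "UTF-8"));
        byte[] wrapper = gson.toJson(token).getBytes("UTF-8");
        return new String(org.bouncycastle.util.encoders.Base64.encode(wrapper), "UTF-8");
    } catch (Exception e) {
        throw new ProvisioningException("Could not encrypt key", e);
    }
}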