2024-04-30 18:06:59 -07:00
|
|
|
# Copyright (c) 2018 Yubico AB
|
|
|
|
|
# All rights reserved.
|
|
|
|
|
#
|
|
|
|
|
# Redistribution and use in source and binary forms, with or
|
|
|
|
|
# without modification, are permitted provided that the following
|
|
|
|
|
# conditions are met:
|
|
|
|
|
#
|
|
|
|
|
# 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
# notice, this list of conditions and the following disclaimer.
|
|
|
|
|
# 2. Redistributions in binary form must reproduce the above
|
|
|
|
|
# copyright notice, this list of conditions and the following
|
|
|
|
|
# disclaimer in the documentation and/or other materials provided
|
|
|
|
|
# with the distribution.
|
|
|
|
|
#
|
|
|
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
|
|
|
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
|
|
|
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
|
|
|
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
|
|
|
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
|
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
|
|
|
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
|
|
|
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
|
|
|
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
|
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
|
|
|
|
|
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
|
|
|
# POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
Connects to the first FIDO device found (starts from USB, then looks into NFC),
|
|
|
|
|
creates a new credential for it, and authenticates the credential.
|
|
|
|
|
This works with both FIDO 2.0 devices as well as with U2F devices.
|
|
|
|
|
On Windows, the native WebAuthn API will be used.
|
|
|
|
|
"""
|
2024-05-02 10:32:22 -07:00
|
|
|
import time
|
2024-05-06 11:04:37 -07:00
|
|
|
import configparser
|
2024-05-09 19:36:28 -07:00
|
|
|
gpie = True
|
2024-05-06 13:26:33 -07:00
|
|
|
if gpie:
|
|
|
|
|
import RPi.GPIO as GPIO
|
2024-05-02 11:37:00 -07:00
|
|
|
import pickle
|
2024-05-02 19:11:59 -07:00
|
|
|
import psycopg2
|
2024-05-09 19:26:26 -07:00
|
|
|
import ndef
|
2024-05-02 10:32:22 -07:00
|
|
|
import fido2.webauthn
|
2024-04-30 18:06:59 -07:00
|
|
|
from fido2.hid import CtapHidDevice
|
|
|
|
|
from fido2.client import Fido2Client, WindowsClient, UserInteraction
|
|
|
|
|
from fido2.server import Fido2Server
|
|
|
|
|
from getpass import getpass
|
|
|
|
|
import sys
|
|
|
|
|
import ctypes
|
2024-05-02 09:25:29 -07:00
|
|
|
from fido2.ctap2 import Ctap2
|
2024-05-09 19:26:26 -07:00
|
|
|
from fido2 import cbor
|
2024-05-09 18:21:11 -07:00
|
|
|
import nfc
|
2024-05-02 09:25:29 -07:00
|
|
|
|
2024-05-06 11:04:37 -07:00
|
|
|
config = configparser.ConfigParser()
|
|
|
|
|
|
2024-05-06 11:09:53 -07:00
|
|
|
config.read('config.ini')
|
2024-05-06 11:04:37 -07:00
|
|
|
|
2024-05-09 19:34:53 -07:00
|
|
|
isNfc = False
|
2024-05-06 13:26:33 -07:00
|
|
|
|
2024-05-06 11:12:46 -07:00
|
|
|
dbusername = config.get('Setup', 'dbusername')
|
|
|
|
|
dbpassword = config.get('Setup', 'dbpassword')
|
|
|
|
|
dbname = config.get('Setup', 'dbname')
|
|
|
|
|
dbhost = config.get('Setup', 'dbhost')
|
|
|
|
|
doorID = config.get('Setup', 'doorID')
|
2024-05-06 06:45:03 -07:00
|
|
|
|
2024-05-02 10:32:22 -07:00
|
|
|
gotAaguid = None
|
2024-05-06 13:26:33 -07:00
|
|
|
if gpie:
|
2024-05-07 06:35:49 -07:00
|
|
|
GPIO.setmode(GPIO.BOARD)
|
2024-05-05 16:58:51 -07:00
|
|
|
|
2024-05-06 13:06:57 -07:00
|
|
|
secLevel = 0
|
2024-05-06 13:26:33 -07:00
|
|
|
user_id = None
|
2024-05-07 06:35:49 -07:00
|
|
|
greenLed = 8
|
|
|
|
|
redLed = 7
|
2024-05-05 16:58:51 -07:00
|
|
|
|
2024-05-07 06:35:49 -07:00
|
|
|
door = 40
|
2024-05-06 06:45:03 -07:00
|
|
|
|
2024-05-09 19:26:26 -07:00
|
|
|
def send_fido2_over_nfc(encoded_message):
|
|
|
|
|
ndef_message = ndef.Message(ndef.Record('application/fido2', '', encoded_message))
|
|
|
|
|
return clf.connect(rdwr={'on-connect': lambda tag: tag.ndef.records.append(ndef_message)})
|
2024-05-06 11:28:46 -07:00
|
|
|
|
2024-05-06 13:26:33 -07:00
|
|
|
if gpie:
|
|
|
|
|
# badCredentials = False
|
|
|
|
|
GPIO.setup(greenLed, GPIO.OUT)
|
|
|
|
|
GPIO.output(greenLed, GPIO.LOW)
|
|
|
|
|
GPIO.setup(redLed, GPIO.OUT)
|
|
|
|
|
|
|
|
|
|
GPIO.output(redLed, GPIO.HIGH)
|
|
|
|
|
time.sleep(1)
|
|
|
|
|
GPIO.output(redLed, GPIO.LOW)
|
|
|
|
|
time.sleep(0.2)
|
2024-05-06 11:28:46 -07:00
|
|
|
|
2024-05-06 13:26:33 -07:00
|
|
|
GPIO.output(greenLed, GPIO.HIGH)
|
|
|
|
|
time.sleep(1)
|
|
|
|
|
GPIO.output(greenLed, GPIO.LOW)
|
|
|
|
|
time.sleep(0.2)
|
2024-05-06 06:45:03 -07:00
|
|
|
|
2024-05-06 13:26:33 -07:00
|
|
|
GPIO.setup(door, GPIO.OUT)
|
|
|
|
|
GPIO.output(door, GPIO.LOW)
|
2024-05-05 17:30:39 -07:00
|
|
|
def badCred():
|
|
|
|
|
print("Bad credential!")
|
|
|
|
|
# badCredentials = True
|
|
|
|
|
# time.sleep(2)
|
2024-05-02 11:53:02 -07:00
|
|
|
class CliInteraction(UserInteraction):
|
|
|
|
|
def prompt_up(self):
|
|
|
|
|
print("\nTouch your authenticator device now...\n")
|
|
|
|
|
|
|
|
|
|
def request_pin(self, permissions, rd_id):
|
|
|
|
|
return getpass("Enter PIN: ")
|
|
|
|
|
|
|
|
|
|
def request_uv(self, permissions, rd_id):
|
|
|
|
|
print("User Verification required.")
|
|
|
|
|
return True
|
|
|
|
|
|
2024-05-09 19:46:21 -07:00
|
|
|
clf = None
|
2024-05-09 18:47:06 -07:00
|
|
|
def read_nfc_tag():
|
|
|
|
|
try:
|
2024-05-09 19:46:21 -07:00
|
|
|
import nfc
|
2024-05-09 19:34:53 -07:00
|
|
|
clf = nfc.ContactlessFrontend('usb')
|
2024-05-09 18:47:06 -07:00
|
|
|
tag = clf.connect(rdwr={'on-connect': lambda tag: False})
|
2024-05-09 19:26:26 -07:00
|
|
|
nfc = True
|
2024-05-09 18:47:06 -07:00
|
|
|
return tag.identifier if tag else None
|
|
|
|
|
except Exception as e:
|
2024-05-09 19:13:00 -07:00
|
|
|
# print("NFC read error:", e)
|
2024-05-09 18:47:06 -07:00
|
|
|
return None
|
2024-05-09 18:53:18 -07:00
|
|
|
finally:
|
|
|
|
|
if clf:
|
2024-05-09 19:13:00 -07:00
|
|
|
clf.close()
|
2024-05-09 18:59:18 -07:00
|
|
|
pass
|
2024-05-06 13:06:57 -07:00
|
|
|
|
2024-05-02 10:32:22 -07:00
|
|
|
while True:
|
2024-05-09 19:34:53 -07:00
|
|
|
isNfc = False
|
2024-05-06 13:26:33 -07:00
|
|
|
if gpie:
|
|
|
|
|
GPIO.output(door, GPIO.LOW)
|
2024-05-09 18:47:06 -07:00
|
|
|
|
2024-05-03 16:02:19 -07:00
|
|
|
print("Waiting for device...")
|
2024-05-05 17:30:39 -07:00
|
|
|
badCredentials = False
|
2024-05-06 13:26:33 -07:00
|
|
|
if gpie:
|
|
|
|
|
GPIO.output(redLed, GPIO.HIGH)
|
2024-05-02 10:32:22 -07:00
|
|
|
while True:
|
2024-05-05 17:14:22 -07:00
|
|
|
try:
|
2024-05-09 18:47:06 -07:00
|
|
|
nfc_tag = read_nfc_tag()
|
2024-05-05 17:14:22 -07:00
|
|
|
dev = next(CtapHidDevice.list_devices(), None)
|
2024-05-02 09:25:29 -07:00
|
|
|
|
2024-05-05 17:14:22 -07:00
|
|
|
if dev:
|
|
|
|
|
ctap2 = Ctap2(dev)
|
2024-05-02 10:32:22 -07:00
|
|
|
|
2024-05-05 17:14:22 -07:00
|
|
|
info = ctap2.get_info()
|
|
|
|
|
gotAaguid = info.aaguid
|
|
|
|
|
print(str(gotAaguid))
|
|
|
|
|
break
|
2024-05-02 10:32:22 -07:00
|
|
|
|
2024-05-05 17:14:22 -07:00
|
|
|
time.sleep(0.1)
|
|
|
|
|
except Exception as e:
|
|
|
|
|
print(e)
|
2024-05-02 10:32:22 -07:00
|
|
|
# Handle user interaction
|
|
|
|
|
|
2024-05-02 11:47:20 -07:00
|
|
|
try:
|
2024-05-02 10:32:22 -07:00
|
|
|
server = Fido2Server({"id": "example.com", "name": "Example RP"}, attestation="direct")
|
2024-05-02 11:47:20 -07:00
|
|
|
uv = "discouraged"
|
2024-05-02 10:32:22 -07:00
|
|
|
|
2024-05-02 11:47:20 -07:00
|
|
|
# Set up a FIDO 2 client using the origin https://example.com
|
|
|
|
|
client = Fido2Client(dev, "https://example.com", user_interaction=CliInteraction())
|
2024-05-02 10:32:22 -07:00
|
|
|
|
2024-05-02 19:11:59 -07:00
|
|
|
|
2024-05-02 10:32:22 -07:00
|
|
|
|
|
|
|
|
# Replace these variables with your connection parameters
|
2024-05-06 11:04:37 -07:00
|
|
|
|
|
|
|
|
user = dbusername
|
|
|
|
|
password = dbpassword
|
|
|
|
|
host = dbhost
|
2024-05-02 10:32:22 -07:00
|
|
|
|
2024-05-02 11:47:20 -07:00
|
|
|
# Define the SQL query for retrieving data
|
|
|
|
|
select_query = '''
|
2024-05-06 06:45:03 -07:00
|
|
|
SELECT "AAGUID", user_id, credential_id, pk_algo, pk_1, pk_3, pk_neg1, pk_neg2, pk_neg3, pickled
|
2024-05-02 11:47:20 -07:00
|
|
|
FROM credential_data
|
|
|
|
|
WHERE "AAGUID" = %s;
|
|
|
|
|
'''
|
2024-05-02 10:32:22 -07:00
|
|
|
|
2024-05-02 11:47:20 -07:00
|
|
|
|
|
|
|
|
# Function to connect to the PostgreSQL database and retrieve data
|
|
|
|
|
def fetch_data(aaguid):
|
2024-05-02 10:32:22 -07:00
|
|
|
conn = None
|
|
|
|
|
try:
|
|
|
|
|
# Connect to the PostgreSQL server
|
|
|
|
|
conn = psycopg2.connect(dbname=dbname, user=user, password=password, host=host)
|
|
|
|
|
cur = conn.cursor()
|
|
|
|
|
|
|
|
|
|
# Execute the SQL query
|
2024-05-02 11:47:20 -07:00
|
|
|
cur.execute(select_query, (gotAaguid,))
|
|
|
|
|
|
|
|
|
|
# Fetch the results
|
2024-05-05 17:17:07 -07:00
|
|
|
result = None
|
2024-05-02 11:47:20 -07:00
|
|
|
result = cur.fetchone()
|
|
|
|
|
if result:
|
|
|
|
|
data = {
|
|
|
|
|
"AAGUID": result[0],
|
2024-05-06 06:45:03 -07:00
|
|
|
"user_id": result[1],
|
|
|
|
|
"credential_id": result[2],
|
|
|
|
|
"pk_algo": result[3],
|
|
|
|
|
"pk_1": result[4],
|
|
|
|
|
"pk_3": result[5],
|
|
|
|
|
"pk_neg1": result[6],
|
|
|
|
|
"pk_neg2": result[7],
|
|
|
|
|
"pk_neg3": result[8],
|
|
|
|
|
"pickled": result[9]
|
2024-05-02 11:47:20 -07:00
|
|
|
}
|
|
|
|
|
return data
|
|
|
|
|
else:
|
|
|
|
|
print("No data found for AAGUID:", aaguid)
|
2024-05-02 11:53:02 -07:00
|
|
|
badCred()
|
2024-05-05 17:30:39 -07:00
|
|
|
raise Exception
|
2024-05-02 11:47:20 -07:00
|
|
|
return None
|
2024-05-02 10:32:22 -07:00
|
|
|
|
|
|
|
|
# Close communication with the database
|
|
|
|
|
cur.close()
|
|
|
|
|
except (Exception, psycopg2.DatabaseError) as error:
|
|
|
|
|
print(error)
|
2024-05-05 17:30:39 -07:00
|
|
|
raise Exception
|
2024-05-02 10:32:22 -07:00
|
|
|
finally:
|
|
|
|
|
if conn is not None:
|
|
|
|
|
conn.close()
|
|
|
|
|
|
2024-05-02 11:47:20 -07:00
|
|
|
|
|
|
|
|
# Example usage: Fetch data for a specific AAGUID and store in variables
|
2024-05-05 17:10:28 -07:00
|
|
|
aaguid_data = None
|
|
|
|
|
aaguid_data = fetch_data("")
|
2024-05-06 13:26:33 -07:00
|
|
|
user_id = aaguid_data["user_id"]
|
2024-05-02 11:47:20 -07:00
|
|
|
|
|
|
|
|
if aaguid_data:
|
2024-05-06 13:26:33 -07:00
|
|
|
|
2024-05-02 11:47:20 -07:00
|
|
|
# Store each piece of data into a separate variable
|
|
|
|
|
testa = aaguid_data["AAGUID"]
|
|
|
|
|
cred_id = aaguid_data["credential_id"]
|
|
|
|
|
pk_algo = aaguid_data["pk_algo"]
|
|
|
|
|
pk_1 = aaguid_data["pk_1"]
|
|
|
|
|
pk_3 = aaguid_data["pk_3"]
|
|
|
|
|
pk_neg1 = aaguid_data["pk_neg1"]
|
|
|
|
|
pk_neg2 = aaguid_data["pk_neg2"]
|
|
|
|
|
pk_neg3 = aaguid_data["pk_neg3"]
|
|
|
|
|
pickled = aaguid_data["pickled"]
|
2024-05-02 10:32:22 -07:00
|
|
|
|
2024-05-05 17:30:39 -07:00
|
|
|
if badCredentials:
|
2024-05-05 17:22:43 -07:00
|
|
|
raise Exception
|
2024-05-02 10:32:22 -07:00
|
|
|
|
2024-05-02 11:47:20 -07:00
|
|
|
credentials = pickle.loads(pickled)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Prepare parameters for getAssertion
|
|
|
|
|
request_options, state = server.authenticate_begin(credentials, user_verification=uv)
|
|
|
|
|
|
|
|
|
|
# Authenticate the credential
|
2024-05-09 19:34:53 -07:00
|
|
|
if not isNfc:
|
2024-05-09 19:26:26 -07:00
|
|
|
result = client.get_assertion(request_options["publicKey"])
|
|
|
|
|
else:
|
|
|
|
|
sendme = cbor.encode(credentials)
|
|
|
|
|
send_fido2_over_nfc(sendme)
|
2024-05-02 11:47:20 -07:00
|
|
|
# Only one cred in allowCredentials, only one response.
|
|
|
|
|
result = result.get_response(0)
|
|
|
|
|
|
|
|
|
|
# Complete authenticator
|
|
|
|
|
server.authenticate_complete(
|
|
|
|
|
state,
|
|
|
|
|
|
|
|
|
|
credentials,
|
|
|
|
|
result.credential_id,
|
|
|
|
|
result.client_data,
|
|
|
|
|
result.authenticator_data,
|
|
|
|
|
result.signature,
|
|
|
|
|
)
|
2024-05-02 10:32:22 -07:00
|
|
|
|
2024-05-02 11:47:20 -07:00
|
|
|
print("Credential authenticated!")
|
2024-05-06 13:06:57 -07:00
|
|
|
print("CLIENT DATA:", result.client_data)
|
|
|
|
|
print()
|
|
|
|
|
print("AUTH DATA:", result.authenticator_data)
|
|
|
|
|
# GPIO.output(14, GPIO.LOW)
|
|
|
|
|
|
|
|
|
|
conn = None
|
|
|
|
|
try:
|
|
|
|
|
# Connect to the PostgreSQL server
|
|
|
|
|
conn = psycopg2.connect(dbname=dbname, user=user, password=password, host=host)
|
|
|
|
|
cur = conn.cursor()
|
|
|
|
|
select_query = '''
|
|
|
|
|
SELECT sec_level
|
|
|
|
|
FROM users
|
|
|
|
|
WHERE "user_id" = %s;
|
|
|
|
|
'''
|
|
|
|
|
# Execute the SQL query
|
2024-05-06 13:26:33 -07:00
|
|
|
cur.execute(select_query, (str(user_id)))
|
2024-05-06 13:06:57 -07:00
|
|
|
|
|
|
|
|
# Fetch the results
|
|
|
|
|
result = None
|
|
|
|
|
result = cur.fetchone()
|
|
|
|
|
if result:
|
|
|
|
|
userSecLevel = result[0]
|
|
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
badCred()
|
|
|
|
|
raise Exception
|
|
|
|
|
|
|
|
|
|
# Close communication with the database
|
|
|
|
|
cur.close()
|
|
|
|
|
except (Exception, psycopg2.DatabaseError) as error:
|
|
|
|
|
print(error)
|
|
|
|
|
raise Exception
|
|
|
|
|
finally:
|
|
|
|
|
if conn is not None:
|
|
|
|
|
conn.close()
|
|
|
|
|
|
|
|
|
|
conn = None
|
|
|
|
|
try:
|
|
|
|
|
# Connect to the PostgreSQL server
|
|
|
|
|
conn = psycopg2.connect(dbname=dbname, user=user, password=password, host=host)
|
|
|
|
|
cur = conn.cursor()
|
|
|
|
|
select_query = '''
|
|
|
|
|
SELECT sec_level
|
2024-05-06 13:26:33 -07:00
|
|
|
FROM doors
|
2024-05-06 13:06:57 -07:00
|
|
|
WHERE "door_id" = %s;
|
|
|
|
|
'''
|
|
|
|
|
# Execute the SQL query
|
|
|
|
|
cur.execute(select_query, (doorID))
|
|
|
|
|
|
|
|
|
|
# Fetch the results
|
|
|
|
|
result = None
|
|
|
|
|
result = cur.fetchone()
|
|
|
|
|
if result:
|
|
|
|
|
doorSecLevel = result[0]
|
|
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
badCred()
|
|
|
|
|
raise Exception
|
|
|
|
|
|
|
|
|
|
# Close communication with the database
|
|
|
|
|
cur.close()
|
|
|
|
|
except (Exception, psycopg2.DatabaseError) as error:
|
|
|
|
|
print(error)
|
|
|
|
|
raise Exception
|
|
|
|
|
finally:
|
|
|
|
|
if conn is not None:
|
|
|
|
|
conn.close()
|
|
|
|
|
|
|
|
|
|
if doorSecLevel < userSecLevel:
|
|
|
|
|
raise Exception
|
2024-04-30 18:06:59 -07:00
|
|
|
|
2024-05-06 13:26:33 -07:00
|
|
|
if gpie:
|
|
|
|
|
GPIO.output(redLed, GPIO.LOW)
|
|
|
|
|
for i in range(2):
|
|
|
|
|
GPIO.output(greenLed, GPIO.HIGH)
|
|
|
|
|
time.sleep(0.05)
|
|
|
|
|
GPIO.output(greenLed, GPIO.LOW)
|
|
|
|
|
time.sleep(0.05)
|
|
|
|
|
|
2024-05-05 16:58:51 -07:00
|
|
|
GPIO.output(greenLed, GPIO.HIGH)
|
2024-05-06 13:26:33 -07:00
|
|
|
GPIO.output(door, GPIO.HIGH)
|
2024-05-09 17:16:10 -07:00
|
|
|
time.sleep(5)
|
2024-05-05 16:58:51 -07:00
|
|
|
GPIO.output(greenLed, GPIO.LOW)
|
2024-05-06 06:45:03 -07:00
|
|
|
|
|
|
|
|
|
2024-05-02 11:47:20 -07:00
|
|
|
except Exception as e:
|
2024-05-05 16:58:51 -07:00
|
|
|
print("Authentication Failed!")
|
|
|
|
|
for i in range(5):
|
2024-05-06 13:26:33 -07:00
|
|
|
if gpie:
|
|
|
|
|
GPIO.output(redLed, GPIO.LOW)
|
|
|
|
|
time.sleep(0.05)
|
|
|
|
|
GPIO.output(redLed, GPIO.HIGH)
|
|
|
|
|
time.sleep(0.05)
|
2024-05-06 08:52:11 -07:00
|
|
|
|
