a

O�bW]�@s�dZgd
�
Z
ddlmZ
ddlZddlZddlZddlmZ
ddlm	Z	
ddlm
Z

dd	lmZ
dd
lmZ
ddl
mZmZmZmZ
ddl	mZ
d
d�ZejZejZejZejZejZeddddd�eddddd�eddddd�eddddd�eddddd�edd dd!d�ed"d#d$d%d�ed&d#d'd(d�ed)d*d+d,d�g	Zed-ddd.d�ed/ddd0d1d2�ed3ddd4d�ed5ddd6d�ed7d dd8d�ed9dd+d:d�ed;dd+d<d�ed=d#d+d>d�ed?d*d+d@d�edAdd$dBdCdD�edEdd$dBdFdD�edGd#d$dBdHdD�edIdJd$dBdKdD�edLdJd$dBdMdD�edNd d'dOdPdD�edQdRd'dOdSdD�edTdd'dOdUdD�edVdd'dOdWdD�gZedXdd'dYd�edZdd'd[d�ed\dd'd]d�ed^dd_d`d�edadd_dbd�edcd d_ddd�eded#d_dfd�gZ Gdgdh�dhej!�Z"Gdidj�dje#�Z$dkdl�Z%dS)mz!
module for configuring YubiKeys
)�TicketFlags�ConfigFlags�
ExtendedFlags�YubiKeyConfigError�
YubiKeyConfig�
)
�__version__�N)
�yubico_util)
�yubikey_defs)
�
yubikey_frame)
�yubico_exception)
�yubikey_base)�YubiKeyConfigBits�YubiKeyConfigFlag�YubiKeyExtendedFlag�YubiKeyTicketFlag)
�SLOTc
CsHtj
��D]4}
|
�d
�
s
|
|
��kr
tt|
�|kr
d|

Sq
d|S)z Turn command number into name �
_zSLOT_%sz0x%02x)r�__dict__�keys�
startswith�upper�getattr)Znum�attr�r�9/usr/lib/python3.9/site-packages/yubico/yubikey_config.py�command2str s



rZ	TAB_FIRST)rrzSend TAB before first part)�	min_ykver�docZAPPEND_TAB1�zSend TAB after first partZAPPEND_TAB2�zSend TAB after second partZ
APPEND_DELAY1�zAdd 0.5s delay after first partZ
APPEND_DELAY2�z Add 0.5s delay after second partZ	APPEND_CR� zAppend CR as final character�	OATH_HOTP�@)rrzChoose OATH-HOTP mode�	CHAL_RESP)rrzChoose Challenge-Response modeZPROTECT_CFG2�)rrzProtect configuration in slot 2�SEND_REFz(Send reference string (0..F) before dataZTICKET_FIRSTz)Send ticket first (default is fixed part))r�	)rrZ	max_ykverZPACING_10MSzAdd 10ms intra-key pacingZPACING_20MSzAdd 20ms intra-key pacing�
STATIC_TICKETzStatic ticket generation�SHORT_TICKETz#Send truncated ticket (half length)Z
STRONG_PW1z+Strong password policy flag #1 (mixed case)�
STRONG_PW2z9Strong password policy flag #2 (subtitute 0..7 to digits)Z
MAN_UPDATEz)Allow manual (local) update of static OTP�
OATH_HOTP8ZOATHz+Generate 8 digits HOTP rather than 6 digits)r�moderZOATH_FIXED_MODHEX1z'First byte in fixed part sent as modhexZOATH_FIXED_MODHEX2z,First two bytes in fixed part sent as modhexZOATH_FIXED_MODHEX�PzFixed part sent as modhexZOATH_FIXED_MASKzMask to get out fixed flags�CHAL_YUBICOZCHALz,Challenge-response enabled - Yubico OTP mode�	CHAL_HMAC�"z&Challenge-response enabled - HMAC-SHA1�	HMAC_LT64z+Set when HMAC message is less than 64 bytes�
CHAL_BTN_TRIGz3Challenge-respoonse operation requires button pressZSERIAL_BTN_VISIBLEz/Serial number visible at startup (button press)ZSERIAL_USB_VISIBLEz*Serial number visible in USB iSerial fieldZSERIAL_API_VISIBLEz"Serial number visible via API callZUSE_NUMERIC_KEYPAD)r�zUse numeric keypad for digitsZ	FAST_TRIGzUse fast trig if only cfg1 setZALLOW_UPDATEzEAllow update of existing configuration (selected flags + access code)ZDORMANTzODormant configuration (can be woken up and flag removed = requires update flag)c
@seZ
dZd
ZdS)rz<
    Exception raised for YubiKey configuration errors.
    N)�__name__�
__module__�__qualname__�__doc__rrrrrhs
rc@s�eZ
dZd
Zd4dd�
Zdd�Zdd	�Zd5d
d�
Zdd
�Zdd�Z	dd�Z
dd�Zdd�Zdd�Z
d6dd�
Zd7dd �
Zd8d!d"�
Zd9d#d$�
Zd:d%d&�
Zd'd(�Zd;d*d+�
Zd<d,d-�
Zd.d/�Zd0d1�Zd2d3�ZdS)=rzH
    Base class for configuration of all current types of YubiKeys.
    NFcCs�|d
urtj
dd�
|_n||_d|_|
|_d|_d|_d|_d|_t	d�
|_
t	d�
|_t	d�
|_d|_
d|_|st|r�|jdd	d
�
||_||_||_d
S)a�
        `ykver' is a tuple (major, minor) with the version number of the key
        you are planning to apply this configuration to. Not mandated, but
        will get you an exception when trying to set flags for example, rather
        than the YubiKey just not operating as expected after programming.

        YubiKey >= 2.3 supports updating certain parts of a configuration
        (for example turning on/off APPEND_CR) without overwriting others
        (most notably the stored secret). Set `update' to True if this is
        what you want. The current programming must have flag 'ALLOW_UPDATE'
        set to allow configuration update instead of requiring complete
        reprogramming.

        YubiKey >= 2.3 also supports swapping the configurations, making
        slot 1 be slot 2 and vice versa. Set swap=True for this.

        YubiKeys support deleting a configuration, setting it in an
        unprogrammed state. Set zap=True for this.
        NT)
Zdefault_answer)rr�r�rr5��major�minor)r
ZYubiKeyCapabilities�capabilities�yk_req_version�ykver�fixed�uid�key�access_coder�ticket_flags�config_flags�extended_flags�unlock_code�_mode�_require_version�_update_config�_swap_slots�_zap)�selfrAr?�updateZswapZzaprrr�__init__rs(















zYubiKeyConfig.__init__c

Cspd
|jj
tt|�
�
|j|j|jt|j�
t|j	�
t|j
�
t|j�
|j�
�|j�
�|j�
�t|j�
|j|j|jfS)Nzr<%s instance at %s: mode %s, v=%s/%s, lf=%i, lu=%i, lk=%i, lac=%i, tf=%x, cf=%x, ef=%x, lu=%i, up=%s, sw=%s, z=%s>)�	__class__r6�hex�idrJr@rA�lenrBrCrDrErF�
to_integerrGrHrIrLrMrN�
rOrrr�__repr__�s"
















�zYubiKeyConfig.__repr__c


Cs|jS)
z`
        Return the (major, minor) versions of YubiKey required for this configuration.
        )
r@rWrrr�version_required�szYubiKeyConfig.version_requiredcCs:|j}|
d
kr6|�
|
�
}t|�
dk
r,||_n
t�d�
�
|S)aC

        The fixed string is used to identify a particular Yubikey device.

        The fixed string is referred to as the 'Token Identifier' in OATH-HOTP mode.

        The length of the fixed string can be set between 0 and 16 bytes.

        Tip: This can also be used to extend the length of a static password.
        Nr"z&The "fixed" string must be 0..16 bytes)rB�_decode_input_stringrUr�
InputError�rO�data�old�newrrr�fixed_string�s







zYubiKeyConfig.fixed_stringc

Cs4|j�
�s�|jd
d�

|�dd�
|�dd�
dS)a�

        Extended scan code mode means the Yubikey will output the bytes in
        the 'fixed string' as scan codes, without modhex encoding the data.

        Because of the way this is stored in the config flags, it is not
        possible to disable this option once it is enabled (of course, you
        can abort config update or reprogram the YubiKey again).

        Requires YubiKey 2.x.
        r�
r=r+Tr*FN)r?Zhave_extended_scan_code_moderK�config_flagrWrrr�enable_extended_scan_code_mode�s





z,YubiKeyConfig.enable_extended_scan_code_modec

Cs(|jd
d�

|�
dd�
|�
dd�
dS)a�

        This will cause a shifted character 1 (typically '!') to be sent before
        anything else. This can be used to make the YubiKey output qualify as a
        password with 'special characters', if such is required.

        Because of the way this is stored in the config flags, it is not
        possible to disable this option once it is enabled (of course, you
        can abort config update or reprogram the YubiKey again).

        Requires YubiKey 2.x.
        rrar,Tr(N)rKrbrWrrr�enable_shifted_1�s

zYubiKeyConfig.enable_shifted_1cCs6|j}|
r2|�
|
�
}t|�
d
kr(||_n
t�d�
�
|S)z�
        AES128 key to program into YubiKey.

        Supply data as either a raw string, or a hexlified string prefixed by 'h:'.
        The result, after any hex decoding, must be 16 bytes.
        r"z#AES128 key must be exactly 16 bytes)rDrZrUrr[r\rrr�aes_key�s





zYubiKeyConfig.aes_keycCsP|
�d
�
rt
�|
dd��
}n|
}t|�
dkrB||_|jsL||_n
t�d�
�
dS)z�
        Access code to allow re-programming of your YubiKey.

        Supply data as either a raw bytestring, or a hexlified bytestring prefixed by 'h:'.
        The result, after any hex decoding, must be 6 bytes.
        �h:rN�z"Unlock key must be exactly 6 bytes)r�binascii�	unhexlifyrUrIrErr[�rOr]r_rrr�
unlock_key

s




zYubiKeyConfig.unlock_keycCsD|
�d
�
rt
�|
dd��
}n|
}t|�
dkr6||_n
t�d�
�
dS)z�
        Set a new access code which will be required for future re-programmings of your YubiKey.

        Supply data as either a raw string, or a hexlified string prefixed by 'h:'.
        The result, after any hex decoding, must be 6 bytes.
        rfrNrgz"Access key must be exactly 6 bytes)rrhrirUrErr[rjrrr�
access_key
s



zYubiKeyConfig.access_keycCs�|j�
�s.t�d
|jj|jd|jdf�
�
|
�d�
rJt�|
dd��
}
t	|
�
t
jkrht�
dt
j�
�
|jddd	d
�
|
|_|�|�

dS)zA
        Set the YubiKey up for standard OTP validation.
        z,Yubico OTP not available in %s version %d.%drrrfrNzPrivate UID must be %i bytes�YUBIKEY_OTPr)r<)r?Zhave_yubico_OTPr
�YubiKeyVersionError�modelrArrhrirUr
ZUID_SIZErr[�_change_moderCre)rOZprivate_uidrerrr�mode_yubikey_otp%
s


�





zYubiKeyConfig.mode_yubikey_otprgrr;c	Cs�|j�
d
�
s0t�d|jj|jd|jdf�
�
|dkrJ|dkrJt�d�
�
|jdd	dd
�
|�	|
�

|dkrx|�
dd�
|s�|s�|r�|�|�
}t�
|�
t�
|�
|}|�|�

|r�|jt�d
|�|_dS)z\
        Set the YubiKey up for OATH-HOTP operation.

        Requires YubiKey 2.1.
        ZHOTPz+OATH HOTP not available in %s version %d.%drrrgr!zOATH-HOTP digits must be 6 or 8r$rr<r-T�<HN)r?Z	have_OATHr
rnrorArr[rp�_set_20_bytes_keyrbrZr	�chr_byter`rC�struct�pack)	rO�secret�digitsZfactor_seedZomp�ttZmuiZdecoded_muirBrrr�mode_oath_hotp5
s 

�













zYubiKeyConfig.mode_oath_hotp�HMACTcCs�|��d
v
rt
�d|�
�
|j�|���
sTt�d|��|jj|jd|jdf�
�
|j	dddd�
|��d	kr�|�
d
d�
|�
d|�
|�|
�

n|�
d
d�
|�|
�

|�
d|�
dS)aR

        Set the YubiKey up for challenge-response operation.

        `type' can be 'HMAC' or 'OTP'.

        `variable' is only applicable to type 'HMAC'.

        For type HMAC, `secret' is expected to be 20 bytes (160 bits).
        For type OTP, `secret' is expected to be 16 bytes (128 bits).

        Requires YubiKey 2.2.
        )r{ZOTPzInvalid 'type' (%s)z7%s Challenge-Response not available in %s version %d.%drrr&rr<r{r1Tr3r0r4N)
rrr[r?Zhave_challenge_responser
rnrorArprbrsre)rOrw�type�variableZrequire_buttonrrr�mode_challenge_responseL
s 





��






z%YubiKeyConfig.mode_challenge_responsec	Cs�t|
t
�}|rp|j�|�
sLt�d
|
|�|jj�
|jj|jd|jdf�
�
|�	�\}}|j
||d�
|��}nt|
�
t
u
r�t�d|
�
�
|
}|j�||�S)z�
        Get or set a ticket flag.

        'which' can be either a string ('APPEND_CR' etc.), or an integer.
        You should ALWAYS use a string, unless you really know what you are doing.
        z0Ticket flag %s requires %s, and this is %s %d.%drrr<z#Unknown non-integer TicketFlag (%s))�	_get_flagr
r?Zhave_ticket_flagr
rn�
req_stringrorA�req_versionrKrVr|�intrr[rF�get_set�rO�whichr_�flagZ	req_majorZ	req_minor�valuerrr�ticket_flagj
s





��




zYubiKeyConfig.ticket_flagc	Cs�t|
t
�}|rp|j�|�
sLt�d
|
|�|jj�
|jj|jd|jdf�
�
|�	�\}}|j
||d�
|��}nt|
�
t
u
r�t�d|
�
�
|
}|j�||�S)z�
        Get or set a config flag.

        'which' can be either a string ('PACING_20MS' etc.), or an integer.
        You should ALWAYS use a string, unless you really know what you are doing.
        z0Config flag %s requires %s, and this is %s %d.%drrr<z#Unknown non-integer ConfigFlag (%s))rrr?Zhave_config_flagr
rnr�rorAr�rKrVr|r�rr[rGr�r�rrrrb�
s





��




zYubiKeyConfig.config_flagc	Cs�t|
t
�}|rp|j�|�
sLt�d
|
|�|jj�
|jj|jd|jdf�
�
|�	�\}}|j
||d�
|��}nt|
�
t
u
r�t�d|
�
�
|
}|j�||�S)z�
        Get or set a extended flag.

        'which' can be either a string ('SERIAL_API_VISIBLE' etc.), or an integer.
        You should ALWAYS use a string, unless you really know what you are doing.
        z2Extended flag %s requires %s, and this is %s %d.%drrr<z%Unknown non-integer ExtendedFlag (%s))rrr?Zhave_extended_flagr
rnr�rorAr�rKrVr|r�rr[rHr�r�rrr�
extended_flag�
s





��




zYubiKeyConfig.extended_flagc
Cshd
}
t�
d|j|j|j|jt|j�
|j��|j	��|j
��|
�
}dt�|�
}|t�
d|�|j
}|S)zU
        Return the current configuration as a bytestring (always 64 bytes).
        rz<16s6s16s6sBBBBHi��rr)rurvrBrCrDrErUrHrVrFrGr	Zcrc16rI)rOZt_rfu�first�crc�secondrrr�	to_string�
s








�
zYubiKeyConfig.to_stringrcCs�|��}|�
d
t�d�
�}|
dkr8|jr0tj}q^tj}n&|
dkrV|jrNtj}q^tj	}nds^J�
|j
rjtj}|jrtd}t
j||d�S)zL
        Return the current configuration as a YubiKeyFrame object.
        r%rrrrr:)�command�payload)r��ljustr	rtrLr�UPDATE1�CONFIG�UPDATE2�CONFIG2rM�SWAPrNrZYubiKeyFrame)rOZslotr]r�r�rrr�to_frame�
s 








zYubiKeyConfig.to_framecCsN|
|f}|jr:||jkr:t
�d
|
||jd|jdf�
�
||jkrJ||_dS)zM Update the minimum version of YubiKey this configuration can be applied to. z7Configuration requires YubiKey %d.%d, and this is %d.%drrN)rAr
rnr@)rOr=r>Znew_verrrrrK�
s


�

zYubiKeyConfig._require_versioncCsbtj
d
krt|
t�r|
�d�
}
|
�d�
r>dt�|
dd��
}
|
�d�
rZt�	|
dd��
S|
SdS)N)r5r�asciism:rfr)
�sys�version_info�
isinstance�str�encoderr	Z
modhex_decoderhri)rOr]rrrrZ�
s








z"YubiKeyConfig._decode_input_stringcCsl|jr"|j|
kr"t
d
|j|
f�
�
|j||d�
|
|_td�
|_td�
|_td�
|_|
dkrh|�|
d�
dS)z4 Change mode of operation, with some sanity checks. z!Can't change mode (from %s to %s)r<rrmTN)rJ�RuntimeErrorrKrrFrGrHr�)rOr.r=r>rrrrps











zYubiKeyConfig._change_modecCsZ|
�d
�
rt
�|
dd��
}n|
}t|�
dkrL|dd�|_|dd�|_n
t�d�
�
dS)z�
        Set a 20 bytes key. This is used in CHAL_HMAC and OATH_HOTP mode.

        Supply data as either a raw bytestring, or a hexlified bytestring prefixed by 'h:'.
        The result, after any hex decoding, must be 20 bytes.
        rfrN�r"z!HMAC key must be exactly 20 bytes)rrhrirUrDrCrr[rjrrrrss




zYubiKeyConfig._set_20_bytes_key)NNFFF)
N)rgNrrr;)r{TF)
N)
N)
N)
r)
r)r6r7r8r9rQrXrYr`rcrdrerkrlrqrzr~r�rbr�r�r�rKrZrprsrrrrrns0

�
1





)

	
rcsB�f
d
d�|
D�
}t|�
dkr"dSt|�
dkr6|dSds>J�
dS)z  Find 'which' entry in 'flags'. c
sg|]}
|
���
r|
�qSr)
Zis_equal)�.0�this�
r�rr�
<listcomp>(r:z_get_flag.<locals>.<listcomp>rNrr)
rU)r��flags�resrr�rr&s




r)&r9�__all__Zyubico_versionrr�rurhr;r	r
rrr
Zyubikey_config_utilrrrrrrr�ZSLOT_CONFIGr�ZSLOT_CONFIG2r�ZSLOT_UPDATE1r�ZSLOT_UPDATE2r�Z	SLOT_SWAPr
rrZYubicoErrorr�objectrrrrrr�<module>
sz




















�













�




�
;