check key length when creating tokens in the UI. #1631
check for the length of the otpkey when creating an HOTP or TOTP token.
Based on the hash algo we can check the otp length to be correct.
I am not sure if we should avoid creating a token with a wrong key length or if we only should warn.
I was trying to start to implement this.
We have "base32check", when the otpkey is passed base32 encoded.
I wonder if we should add a classmethod, that checks for parameter aspects during enrollment.
```python
if "otpkey" in upd_param and upd_param.get("otpkeyformat", "hex") == "hex":
    # If the user provides an otpkey, we check the length unless base32check
    # (hex string: two characters per byte, so integer-divide by 2)
    check_hash_keylength(hashlibStr, len(otpKey) // 2)
```
But it breaks with 2step enrollment. We could also exclude
This is still a bit nasty, since
I think we should not check the keylength all the time, but maybe only if certain conditions are met like:
There are some nasty, old parameters like "keysize". This is totally bollocks, since the keysize depends on the used hash algorithm.
Thinking about it again I think it is the best to create a decorator for the API call to token/init.
If we now add a check that the seed length for HOTP and TOTP tokens matches the expected hashlib, then we do not want to create a DB token. And maybe next time another user says that he wants to be able to create HMAC-SHA1 tokens with a 64-byte long seed. So this will need to be configurable - in a policy. And this would be added as a prepolicy decorator anyways.
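As an added example (not code from this issue or from the privacyIDEA project), the sketch below puts the pieces discussed in the thread together: a `check_hash_keylength` that derives the expected seed length from the hash algorithm (RFC 4226/6238 recommend a seed as long as the HMAC hash output: 20 bytes for SHA1, 32 for SHA256, 64 for SHA512), decoding of both hex and base32 `otpkeyformat` values so a base32 seed is checked too, skipping the check for 2step enrollment where the client supplies no complete seed, and a prepolicy-style decorator whose `policy_action` decides between rejecting and merely warning. The parameter names `type`, `hashlib` and `2stepinit`, the `policy_action` values and the `token_init` stand-in are assumptions for this example; `otpkey` and `otpkeyformat` are the names used above.

```python
import base64
import binascii
import functools

# Expected seed length in bytes per HMAC hash algorithm: the RFC 4226/6238
# recommendation is a seed as long as the hash output.
EXPECTED_KEY_BYTES = {"sha1": 20, "sha256": 32, "sha512": 64}


def decode_otpkey(otpkey, otpkeyformat="hex"):
    """Return the raw seed bytes for a hex or base32 encoded otpkey."""
    if otpkeyformat == "hex":
        return binascii.unhexlify(otpkey)
    if otpkeyformat == "base32":
        # b32decode needs '=' padding up to a multiple of 8 characters
        padded = otpkey.upper() + "=" * (-len(otpkey) % 8)
        return base64.b32decode(padded)
    raise ValueError("unknown otpkeyformat: %s" % otpkeyformat)


def check_hash_keylength(hashlib_str, key_len_bytes):
    """Return (ok, expected_len) for the hash algorithm and actual seed length."""
    expected = EXPECTED_KEY_BYTES.get(hashlib_str.lower())
    if expected is None:
        raise ValueError("unsupported hashlib: %s" % hashlib_str)
    return key_len_bytes == expected, expected


def validate_enroll_params(params):
    """
    Check the seed length of an HOTP/TOTP enrollment request.
    Returns (True, "") when nothing is wrong and (False, message) otherwise.
    Requests without a client-supplied otpkey and 2step enrollments
    (parameter name "2stepinit" is assumed here) are not checked.
    """
    if params.get("type", "hotp").lower() not in ("hotp", "totp"):
        return True, ""
    if "otpkey" not in params or params.get("2stepinit"):
        return True, ""
    hashlib_str = params.get("hashlib", "sha1")
    key = decode_otpkey(params["otpkey"], params.get("otpkeyformat", "hex"))
    ok, expected = check_hash_keylength(hashlib_str, len(key))
    if ok:
        return True, ""
    return False, "otpkey is %d bytes, %s expects %d bytes" % (len(key), hashlib_str, expected)


def check_keylength_policy(policy_action="reject"):
    """Prepolicy-style decorator: validate the request before token/init runs."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(params):
            ok, message = validate_enroll_params(params)
            if not ok and policy_action == "reject":
                # refuse before any DB token is created
                raise ValueError(message)
            result = func(params)
            if not ok:
                result.setdefault("warnings", []).append(message)
            return result
        return wrapper
    return decorator


@check_keylength_policy(policy_action="warn")
def token_init(params):
    """Stand-in for the token/init endpoint (assumed, not the real one)."""
    return {"type": params.get("type", "hotp"), "created": True}


if __name__ == "__main__":
    # constructed request: the well-known 20-byte test seed "12345678901234567890"
    print(token_init({"type": "totp", "otpkey": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
                      "otpkeyformat": "base32", "hashlib": "sha1"}))
    # constructed request: a 4-byte seed declared for SHA256 only produces a warning
    print(token_init({"type": "hotp", "otpkey": "31323334", "hashlib": "sha256"}))
```

With `policy_action="reject"` the same decorator raises before the wrapped function runs, which is the "do not create a DB token" behaviour; switching the action is the single knob a policy would expose, so the user who wants a 64-byte SHA1 seed can be served without changing the check itself.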