diff options
author | Stephen Shkardoon <ss23@ss23.geek.nz> | 2019-10-06 10:52:32 +0200 |
---|---|---|
committer | Stephen Shkardoon <ss23@ss23.geek.nz> | 2019-10-06 10:52:32 +0200 |
commit | 361a97d88b28c65d0a658c76fd4190697323ed2e (patch) | |
tree | 0bfb331e0f156f3e19d7c2df94644c21a452ee0a /generate-otp.py | |
parent | Add decode-qr-uri script (diff) | |
download | entrust-identityguard-tools-361a97d88b28c65d0a658c76fd4190697323ed2e.tar entrust-identityguard-tools-361a97d88b28c65d0a658c76fd4190697323ed2e.tar.gz entrust-identityguard-tools-361a97d88b28c65d0a658c76fd4190697323ed2e.tar.bz2 entrust-identityguard-tools-361a97d88b28c65d0a658c76fd4190697323ed2e.tar.lz entrust-identityguard-tools-361a97d88b28c65d0a658c76fd4190697323ed2e.tar.xz entrust-identityguard-tools-361a97d88b28c65d0a658c76fd4190697323ed2e.tar.zst entrust-identityguard-tools-361a97d88b28c65d0a658c76fd4190697323ed2e.zip |
Diffstat (limited to 'generate-otp.py')
-rwxr-xr-x | generate-otp.py | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/generate-otp.py b/generate-otp.py new file mode 100755 index 0000000..a931a77 --- /dev/null +++ b/generate-otp.py @@ -0,0 +1,46 @@ +#!/bin/env python3 +from hashlib import pbkdf2_hmac +import argparse +import logging + +logging.basicConfig(level=logging.WARNING) + +parser = argparse.ArgumentParser(description='Generate an OTP secret for an Entrust IdentityGuard soft token') +parser.add_argument('Serial', type=str, nargs=1, help='Given to the user (such as through a QR code). Example: 48244-13456') +parser.add_argument('ActivationCode', type=str, nargs=1, help='Given to the user (such as through a QR code). Example: 1745-7712-6942-8698') +parser.add_argument('RegistrationCode', type=str, nargs=1, help='The user provides this to the activation service. Example: 12211-49352') +args = parser.parse_args() + +# Remove dashes from input so we can work with the data +serial = args.Serial[0].replace("-", "") +activation = args.ActivationCode[0].replace("-", "") +registration = args.RegistrationCode[0].replace("-", "") + +# TODO: Validate all values through the Luhn check digits + +activation = activation[0:-1] # remove last digit -- check digit +activationbytes = int(activation).to_bytes(7, byteorder='big') +logging.info("Activation bytes: 0x%s", activationbytes.hex()) + +registration = registration[0:-1] # remove last digit -- check digit +registrationbytes = int(registration).to_bytes(4, byteorder='big') +logging.info("Registration bytes: 0x%s", registrationbytes.hex()) + +# Derive the RNG output from the registration bytes +# Remaining bits are used for validation, but we can ignore that in our case +rngbytes = registrationbytes[-2:] + +logging.info("RNG Bytes: 0x%s", rngbytes.hex()) + +# Derive the secret key +key = pbkdf2_hmac( + hash_name='sha256', + password=activationbytes + rngbytes, + salt=serial.encode("utf-8"), + iterations=8, + dklen=16 +) + +print(key.hex()) +print("To generate a code immediately, run:") +print("oathtool -v --totp=sha256 --digits=6 " + key.hex()) |