-
Notifications
You must be signed in to change notification settings - Fork 37
/
app.py
224 lines (174 loc) · 7.06 KB
/
app.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
import argparse
import binascii
from flask import Flask, request, render_template, jsonify
from werkzeug.exceptions import BadRequest
from derive import derive_tag_key, derive_undiversified_key
from config import SDMMAC_PARAM, ENC_FILE_DATA_PARAM, ENC_PICC_DATA_PARAM, SDM_MASTER_KEY, UID_PARAM, CTR_PARAM, REQUIRE_LRP
from libsdm import decrypt_sun_message, validate_plain_sun, InvalidMessage, EncMode
app = Flask(__name__)
app.config['JSONIFY_PRETTYPRINT_REGULAR'] = True
@app.errorhandler(400)
def bad_request(e):
return render_template('error.html', code=400, msg=str(e)), 400
@app.errorhandler(403)
def bad_request(e):
return render_template('error.html', code=403, msg=str(e)), 403
@app.errorhandler(404)
def bad_request(e):
return render_template('error.html', code=404, msg=str(e)), 404
@app.context_processor
def inject_demo_mode():
demo_mode = (SDM_MASTER_KEY == (b"\x00" * 16))
return {"demo_mode": demo_mode}
@app.route('/')
def sdm_main():
"""
Main page with a few examples.
"""
return render_template('sdm_main.html')
def _internal_sdm(with_tt=False, force_json=False):
"""
SUN decrypting/validating endpoint.
"""
enc_picc_data = request.args.get(ENC_PICC_DATA_PARAM)
enc_file_data = request.args.get(ENC_FILE_DATA_PARAM)
sdmmac = request.args.get(SDMMAC_PARAM)
if not enc_picc_data:
raise BadRequest("Parameter {} is required".format(ENC_PICC_DATA_PARAM))
if not sdmmac:
raise BadRequest("Parameter {} is required".format(SDMMAC_PARAM))
try:
enc_file_data_b = None
enc_picc_data_b = binascii.unhexlify(enc_picc_data)
sdmmac_b = binascii.unhexlify(sdmmac)
if enc_file_data:
enc_file_data_b = binascii.unhexlify(enc_file_data)
except binascii.Error:
raise BadRequest("Failed to decode parameters.")
try:
res = decrypt_sun_message(sdm_meta_read_key=derive_undiversified_key(SDM_MASTER_KEY, 1),
sdm_file_read_key=lambda uid: derive_tag_key(SDM_MASTER_KEY, uid, 2),
picc_enc_data=enc_picc_data_b,
sdmmac=sdmmac_b,
enc_file_data=enc_file_data_b)
except InvalidMessage:
raise BadRequest("Invalid message (most probably wrong signature).")
if REQUIRE_LRP and res['encryption_mode'] != EncMode.LRP:
raise BadRequest("Invalid encryption mode, expected LRP.")
picc_data_tag = res['picc_data_tag']
uid = res['uid']
read_ctr_num = res['read_ctr']
file_data = res['file_data']
encryption_mode = res['encryption_mode'].name
file_data_utf8 = ""
tt_status_api = ""
tt_status = ""
tt_color = ""
if file_data:
file_data_utf8 = file_data.decode('utf-8', 'ignore')
if with_tt:
tt_perm_status = file_data_utf8[0]
tt_cur_status = file_data_utf8[1]
if tt_perm_status == 'C' and tt_cur_status == 'C':
tt_status_api = 'secure'
tt_status = 'OK (not tampered)'
tt_color = 'green'
elif tt_perm_status == 'O' and tt_cur_status == 'C':
tt_status_api = 'tampered_closed'
tt_status = 'Tampered! (loop closed)'
tt_color = 'red'
elif tt_perm_status == 'O' and tt_cur_status == 'O':
tt_status_api = 'tampered_open'
tt_status = 'Tampered! (loop open)'
tt_color = 'red'
elif tt_perm_status == 'I' and tt_cur_status == 'I':
tt_status_api = 'not_initialized'
tt_status = 'Not initialized'
tt_color = 'orange'
else:
tt_status_api = 'unknown'
tt_status = 'Unknown'
tt_color = 'orange'
if request.args.get("output") == "json" or force_json:
return jsonify({
"uid": uid.hex().upper(),
"file_data": file_data.hex() if file_data else None,
"read_ctr": read_ctr_num,
"tt_status": tt_status_api,
"enc_mode": encryption_mode
})
else:
return render_template('sdm_info.html',
encryption_mode=encryption_mode,
picc_data_tag=picc_data_tag,
uid=uid,
read_ctr_num=read_ctr_num,
file_data=file_data,
file_data_utf8=file_data_utf8,
tt_status=tt_status,
tt_color=tt_color)
@app.route('/tagtt')
def sdm_info_tt():
return _internal_sdm(with_tt=True)
@app.route('/api/tagtt')
def sdm_api_info_tt():
try:
return _internal_sdm(with_tt=True, force_json=True)
except BadRequest as e:
return jsonify({"error": str(e)})
@app.route('/tag')
def sdm_info():
return _internal_sdm(with_tt=False)
@app.route('/api/tag')
def sdm_api_info():
try:
return _internal_sdm(with_tt=False, force_json=True)
except BadRequest as e:
return jsonify({"error": str(e)})
def _internal_tagpt(force_json=False):
try:
uid = binascii.unhexlify(request.args[UID_PARAM])
read_ctr = binascii.unhexlify(request.args[CTR_PARAM])
cmac = binascii.unhexlify(request.args[SDMMAC_PARAM])
except binascii.Error:
raise BadRequest("Failed to decode parameters.")
try:
res = validate_plain_sun(uid=uid,
read_ctr=read_ctr,
sdmmac=cmac,
sdm_file_read_key=derive_tag_key(SDM_MASTER_KEY, uid, 2))
except InvalidMessage:
raise BadRequest("Invalid message (most probably wrong signature).")
if REQUIRE_LRP and res['encryption_mode'] != EncMode.LRP:
raise BadRequest("Invalid encryption mode, expected LRP.")
if request.args.get("output") == "json" or force_json:
return jsonify({
"uid": res['uid'].hex().upper(),
"read_ctr": res['read_ctr'],
"enc_mode": res['encryption_mode'].name
})
else:
return render_template('sdm_info.html',
encryption_mode=res['encryption_mode'].name,
uid=res['uid'],
read_ctr_num=res['read_ctr'])
@app.route('/tagpt')
def sdm_info_plain():
return _internal_tagpt()
@app.route('/api/tagpt')
def sdm_api_info_plain():
try:
return _internal_tagpt(force_json=True)
except BadRequest as e:
return jsonify({"error": str(e)}), 400
@app.route('/webnfc')
def sdm_webnfc():
return render_template('sdm_webnfc.html')
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='OTA NFC Server')
parser.add_argument('--host', type=str, nargs='?',
help='address to listen on')
parser.add_argument('--port', type=int, nargs='?',
help='port to listen on')
args = parser.parse_args()
app.run(host=args.host, port=args.port)