sqrlserver.nut module

class sqrlserver.nut.Nut(key)

Bases: object

A class encompassing SQRL nuts.

The server should not need to use this class directly, but of course it may. It is designed to work as follows:

  • Construct the object with the 32-byte key.
  • If generating a new nut, use generate() followed by toString().
  • If validating an existing nut, use load(), then validate(), then look at the various attributes to determine if any errors were found.

key

bytes – 32 bytes used to encrypt the nut.

ipmatch

bool – Whether the last validation found matching IPs.

fresh

bool – Whether the last validation found the nut to be fresh.

countersane

bool – Whether the last validation found the counter to be within limits. Default is False, even if counter checking was disabled.

isqr

bool – Set when loading a nut. States whether it’s a QR nut.

bool – Set when loading a nut. States whether it’s a link nut.

generate(ipaddr, counter, timestamp=None)

Generates a unique nut using the technique described in the spec (LINK)

Parameters:
  • ipaddr (string) – The string representation of a valid IPv4 or IPv6 address.
  • counter (uint) – An incremental counter. Used for sanity checking.
Keyword Arguments:
  • timestamp (uint) – Unix timestamp (seconds only). If None, current time is used.

Returns:

The populated Nut object.

Return type:

Nut

load(nut)

Decrypts the given nut and extracts its parts.

Parameters: nut (string) – A previously generated nut string
Returns: Nut

toString(flag)

Converts the given nut to a base64url-encoded string

Parameters: flag (string) – One of qr, link, or raw.

Warning

While it is possible to do this to the “raw” nut, don’t! It has not been encrypted.

Returns: b64u-encoded nut
Return type: string

validate(ipaddr, ttl, maxcounter=None, mincounter=0)

Validates the currently loaded nut.

The nut must be generated or loaded first. It is the user’s responsibility to keep a list of valid nuts and reject repeats, to avoid replay attacks. This routine only validates the data encoded into the nut.

Parameters:
  • ipaddr (string) – The string representation of a valid IPv4 or IPv6 address.
  • ttl (uint) – Number of seconds old the nut is allowed to be.
Keyword Arguments:
  • maxcounter (uint) – Current counter. If None, then no upper-bound checking will occur.
  • mincounter (uint) – Smallest counter value you’re willing to accept. If None, then no lower-bound checking will occur.
Returns:

The user has to inspect the attributes ipmatch, fresh, and countersane to determine if the nut fully validated.

Return type:

Nut
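
The replay tracking that validate() leaves to the caller, combined with the ipmatch, fresh and countersane checks, as an added example that is not part of sqrlserver. NutRegistry, its methods and the counter_checked flag are hypothetical names. Rejecting on any false attribute is this example's policy, and skipping countersane when no counter bounds were passed is an assumption based on its documented default of False.

```python
import time
from types import SimpleNamespace


class NutRegistry:
    """Tracks issued nut strings so each one is accepted at most once."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._issued = {}  # nut string -> time it was issued

    def issue(self, nut_string, now=None):
        self._issued[nut_string] = time.time() if now is None else now

    def purge(self, now=None):
        """Forget nuts older than ttl; they would fail the freshness check anyway."""
        now = time.time() if now is None else now
        for s in [s for s, t in self._issued.items() if now - t > self.ttl]:
            del self._issued[s]

    def accept(self, nut_string, nut, counter_checked=True, now=None):
        """Return (ok, reasons). `nut` is an object on which validate() already ran."""
        self.purge(now)
        reasons = []
        # pop() consumes the entry, so a second presentation counts as a replay.
        if self._issued.pop(nut_string, None) is None:
            reasons.append("unknown-or-replayed")
        if not nut.ipmatch:
            reasons.append("ip-mismatch")
        if not nut.fresh:
            reasons.append("stale")
        # countersane defaults to False, so consult it only when bounds were passed.
        if counter_checked and not nut.countersane:
            reasons.append("counter-out-of-range")
        return (not reasons, reasons)


def demo():
    # Constructed stand-in for a Nut after validate(); not a real sqrlserver object.
    validated = SimpleNamespace(ipmatch=True, fresh=True, countersane=False)
    reg = NutRegistry(ttl=300)
    reg.issue("constructed-nut-string", now=1000)
    args = ("constructed-nut-string", validated)
    first = reg.accept(*args, counter_checked=False, now=1010)
    replay = reg.accept(*args, counter_checked=False, now=1011)
    return first, replay
```

In a real server, `nut_string` would be the value returned by toString() and `nut` the object returned by load() followed by validate().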