CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

Reusable Media: Mifare Ultralight AES support (#3335)

Browse Source
This commit is contained in:
Raphael Michel
2023-07-21 13:45:42 +02:00
committed by GitHub
parent b134f29cf6
commit 52023cde09
18 changed files with 554 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/pretix/api/auth/devicesecurity.py
View File

@@ -223,6 +223,7 @@ class PretixPosSecurityProfile(AllowListSecurityProfile):
('POST', 'api-v1:checkinrpc.redeem'),
('GET', 'api-v1:checkinrpc.search'),
('POST', 'api-v1:reusablemedium-lookup'),
('POST', 'api-v1:reusablemedium-list'),
)

10
src/pretix/api/serializers/event.py
View File

@@ -817,6 +817,10 @@ class EventSettingsSerializer(SettingsSerializer):
'reusable_media_type_nfc_uid',
'reusable_media_type_nfc_uid_autocreate_giftcard',
'reusable_media_type_nfc_uid_autocreate_giftcard_currency',
'reusable_media_type_nfc_mf0aes',
'reusable_media_type_nfc_mf0aes_autocreate_giftcard',
'reusable_media_type_nfc_mf0aes_autocreate_giftcard_currency',
'reusable_media_type_nfc_mf0aes_random_uid',
]
readonly_fields = [
# These are read-only since they are currently only settable on organizers, not events
@@ -826,6 +830,10 @@ class EventSettingsSerializer(SettingsSerializer):
'reusable_media_type_nfc_uid',
'reusable_media_type_nfc_uid_autocreate_giftcard',
'reusable_media_type_nfc_uid_autocreate_giftcard_currency',
'reusable_media_type_nfc_mf0aes',
'reusable_media_type_nfc_mf0aes_autocreate_giftcard',
'reusable_media_type_nfc_mf0aes_autocreate_giftcard_currency',
'reusable_media_type_nfc_mf0aes_random_uid',
]
def __init__(self, *args, **kwargs):
@@ -894,6 +902,8 @@ class DeviceEventSettingsSerializer(EventSettingsSerializer):
'name_scheme',
'reusable_media_type_barcode',
'reusable_media_type_nfc_uid',
'reusable_media_type_nfc_mf0aes',
'reusable_media_type_nfc_mf0aes_random_uid',
'system_question_order',
]

3
src/pretix/api/serializers/organizer.py
View File

@@ -392,6 +392,9 @@ class OrganizerSettingsSerializer(SettingsSerializer):
'reusable_media_type_nfc_uid',
'reusable_media_type_nfc_uid_autocreate_giftcard',
'reusable_media_type_nfc_uid_autocreate_giftcard_currency',
'reusable_media_type_nfc_mf0aes',
'reusable_media_type_nfc_mf0aes_autocreate_giftcard',
'reusable_media_type_nfc_mf0aes_autocreate_giftcard_currency',
]
def __init__(self, *args, **kwargs):

73
src/pretix/api/views/device.py
View File

@@ -19,8 +19,12 @@
# You should have received a copy of the GNU Affero General Public License along with this program. If not, see
# <https://www.gnu.org/licenses/>.
#
import base64
import logging
from cryptography.hazmat.backends.openssl.backend import Backend
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.serialization import load_pem_public_key
from django.db.models import Exists, OuterRef, Q
from django.db.models.functions import Coalesce
from django.utils.timezone import now
@@ -34,6 +38,8 @@ from pretix.api.auth.device import DeviceTokenAuthentication
from pretix.api.views.version import numeric_version
from pretix.base.models import CheckinList, Device, SubEvent
from pretix.base.models.devices import Gate, generate_api_token
from pretix.base.models.media import MediumKeySet
from pretix.base.services.media import get_keysets_for_organizer
logger = logging.getLogger(__name__)
@@ -47,6 +53,17 @@ class InitializationRequestSerializer(serializers.Serializer):
software_brand = serializers.CharField(max_length=190)
software_version = serializers.CharField(max_length=190)
info = serializers.JSONField(required=False, allow_null=True)
rsa_pubkey = serializers.CharField(required=False, allow_null=True)
def validate(self, attrs):
if attrs.get('rsa_pubkey'):
try:
load_pem_public_key(
attrs['rsa_pubkey'].encode(), Backend()
)
except:
raise ValidationError({'rsa_pubkey': ['Not a valid public key.']})
return attrs
class UpdateRequestSerializer(serializers.Serializer):
@@ -57,6 +74,47 @@ class UpdateRequestSerializer(serializers.Serializer):
software_brand = serializers.CharField(max_length=190)
software_version = serializers.CharField(max_length=190)
info = serializers.JSONField(required=False, allow_null=True)
rsa_pubkey = serializers.CharField(required=False, allow_null=True)
def validate(self, attrs):
if attrs.get('rsa_pubkey'):
try:
load_pem_public_key(
attrs['rsa_pubkey'].encode(), Backend()
)
except:
raise ValidationError({'rsa_pubkey': ['Not a valid public key.']})
return attrs
class RSAEncryptedField(serializers.Field):
def to_representation(self, value):
public_key = load_pem_public_key(
self.context['device'].rsa_pubkey.encode(), Backend()
)
cipher_text = public_key.encrypt(
# RSA/ECB/PKCS1Padding
value,
padding.PKCS1v15()
)
return base64.b64encode(cipher_text).decode()
class MediumKeySetSerializer(serializers.ModelSerializer):
uid_key = RSAEncryptedField(read_only=True)
diversification_key = RSAEncryptedField(read_only=True)
organizer = serializers.SlugRelatedField(slug_field='slug', read_only=True)
class Meta:
model = MediumKeySet
fields = [
'public_id',
'organizer',
'active',
'media_type',
'uid_key',
'diversification_key',
]
class GateSerializer(serializers.ModelSerializer):
@@ -108,6 +166,8 @@ class InitializeView(APIView):
device.software_brand = serializer.validated_data.get('software_brand')
device.software_version = serializer.validated_data.get('software_version')
device.info = serializer.validated_data.get('info')
print(serializer.validated_data, request.data)
device.rsa_pubkey = serializer.validated_data.get('rsa_pubkey')
device.api_token = generate_api_token()
device.save()
@@ -130,6 +190,11 @@ class UpdateView(APIView):
device.os_version = serializer.validated_data.get('os_version')
device.software_brand = serializer.validated_data.get('software_brand')
device.software_version = serializer.validated_data.get('software_version')
if serializer.validated_data.get('rsa_pubkey') and serializer.validated_data.get('rsa_pubkey') != device.rsa_pubkey:
if device.rsa_pubkey:
raise ValidationError({'rsa_pubkey': ['You cannot change the rsa_pubkey of the device once it is set.']})
else:
device.rsa_pubkey = serializer.validated_data.get('rsa_pubkey')
device.info = serializer.validated_data.get('info')
device.save()
device.log_action('pretix.device.updated', data=serializer.validated_data, auth=device)
@@ -177,8 +242,12 @@ class InfoView(APIView):
'pretix': __version__,
'pretix_numeric': numeric_version(__version__),
}
}
},
'medium_key_sets': MediumKeySetSerializer(
get_keysets_for_organizer(device.organizer),
many=True,
context={'device': request.auth}
).data if device.rsa_pubkey else []
})

6
src/pretix/api/views/media.py
View File

@@ -104,6 +104,12 @@ class ReusableMediaViewSet(viewsets.ModelViewSet):
auth=self.request.auth,
data=merge_dicts(self.request.data, {'id': inst.pk})
)
mt = MEDIA_TYPES.get(serializer.validated_data["type"])
if mt:
m = mt.handle_new(self.request.organizer, inst, self.request.user, self.request.auth)
if m:
s = self.get_serializer(m)
return Response({"result": s.data})
@transaction.atomic()
def perform_update(self, serializer):

37
src/pretix/base/media.py
View File

@@ -49,6 +49,9 @@ class BaseMediaType:
def handle_unknown(self, organizer, identifier, user, auth):
pass
def handle_new(self, organizer, medium, user, auth):
pass
def __str__(self):
return str(self.verbose_name)
@@ -108,9 +111,43 @@ class NfcUidMediaType(BaseMediaType):
return m
class NfcMf0aesMediaType(BaseMediaType):
identifier = 'nfc_mf0aes'
verbose_name = 'NFC Mifare Ultralight AES'
medium_created_by_server = False
supports_giftcard = True
supports_orderposition = False
def handle_new(self, organizer, medium, user, auth):
from pretix.base.models import GiftCard
if organizer.settings.get(f'reusable_media_type_{self.identifier}_autocreate_giftcard', as_type=bool):
with transaction.atomic():
gc = GiftCard.objects.create(
issuer=organizer,
expires=organizer.default_gift_card_expiry,
currency=organizer.settings.get(f'reusable_media_type_{self.identifier}_autocreate_giftcard_currency'),
)
medium.linked_giftcard = gc
medium.save()
medium.log_action(
'pretix.reusable_medium.linked_giftcard.changed',
user=user, auth=auth,
data={
'linked_giftcard': gc.pk
}
)
gc.log_action(
'pretix.giftcards.created',
user=user, auth=auth,
)
return medium
MEDIA_TYPES = {
m.identifier: m for m in [
BarcodePlainMediaType(),
NfcUidMediaType(),
NfcMf0aesMediaType(),
]
}

35
src/pretix/base/migrations/0244_mediumkeyset.py Normal file
View File

@@ -0,0 +1,35 @@
# Generated by Django 3.2.18 on 2023-05-17 11:32
import django.db.models.deletion
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('pretixbase', '0243_device_os_name_and_os_version'),
]
operations = [
migrations.AddField(
model_name='device',
name='rsa_pubkey',
field=models.TextField(null=True),
),
migrations.CreateModel(
name='MediumKeySet',
fields=[
('id', models.AutoField(auto_created=True, primary_key=True, serialize=False)),
('public_id', models.BigIntegerField(unique=True)),
('media_type', models.CharField(max_length=100)),
('active', models.BooleanField(default=True)),
('uid_key', models.BinaryField()),
('diversification_key', models.BinaryField()),
('organizer', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='medium_key_sets', to='pretixbase.organizer')),
],
),
migrations.AddConstraint(
model_name='mediumkeyset',
constraint=models.UniqueConstraint(condition=models.Q(('active', True)), fields=('organizer', 'media_type'), name='keyset_unique_active'),
),
]

4
src/pretix/base/models/devices.py
View File

@@ -166,6 +166,10 @@ class Device(LoggedModel):
null=True,
blank=False
)
rsa_pubkey = models.TextField(
null=True,
blank=True,
)
info = models.JSONField(
null=True, blank=True,
)

22
src/pretix/base/models/media.py
View File

@@ -123,3 +123,25 @@ class ReusableMedium(LoggedModel):
unique_together = (("identifier", "type", "organizer"),)
index_together = (("identifier", "type", "organizer"), ("updated", "id"))
ordering = "identifier", "type", "organizer"
class MediumKeySet(models.Model):
organizer = models.ForeignKey('Organizer', on_delete=models.CASCADE, related_name='medium_key_sets')
public_id = models.BigIntegerField(
unique=True,
)
media_type = models.CharField(max_length=100)
active = models.BooleanField(default=True)
uid_key = models.BinaryField()
diversification_key = models.BinaryField()
objects = ScopedManager(organizer='organizer')
class Meta:
constraints = [
models.UniqueConstraint(
fields=["organizer", "media_type"],
condition=Q(active=True),
name="keyset_unique_active",
),
]

72
src/pretix/base/services/media.py Normal file
View File

@@ -0,0 +1,72 @@
#
# This file is part of pretix (Community Edition).
#
# Copyright (C) 2014-2020 Raphael Michel and contributors
# Copyright (C) 2020-2021 rami.io GmbH and contributors
#
# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
# Public License as published by the Free Software Foundation in version 3 of the License.
#
# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
# this file, see <https://pretix.eu/about/en/license>.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along with this program. If not, see
# <https://www.gnu.org/licenses/>.
#
import secrets
from django.db import IntegrityError
from django.db.models import Q
from django_scopes import scopes_disabled
from pretix.base.models import GiftCardAcceptance
from pretix.base.models.media import MediumKeySet
def create_nfc_mf0aes_keyset(organizer):
for i in range(20):
public_id = secrets.randbelow(2 ** 32)
uid_key = secrets.token_bytes(16)
diversification_key = secrets.token_bytes(16)
try:
return MediumKeySet.objects.create(
organizer=organizer,
media_type="nfc_mf0aes",
public_id=public_id,
diversification_key=diversification_key,
uid_key=uid_key,
active=True,
)
except IntegrityError: # either race condition with another thread or duplicate public ID
try:
return MediumKeySet.objects.get(
organizer=organizer,
media_type="nfc_mf0aes",
active=True,
)
except MediumKeySet.DoesNotExist:
continue # duplicate public ID, let's try again
@scopes_disabled()
def get_keysets_for_organizer(organizer):
sets = list(MediumKeySet.objects.filter(
Q(organizer=organizer) | Q(organizer__in=GiftCardAcceptance.objects.filter(
acceptor=organizer,
active=True,
reusable_media=True,
).values_list("issuer_id", flat=True))
))
if organizer.settings.reusable_media_type_nfc_mf0aes and not any(
ks.organizer == organizer and ks.media_type == "nfc_mf0aes" for ks in sets
):
new_set = create_nfc_mf0aes_keyset(organizer)
if new_set:
sets.append(new_set)
return sets

46
src/pretix/base/settings.py
View File

@@ -259,6 +259,46 @@ DEFAULTS = {
label=_("Gift card currency"),
)
},
'reusable_media_type_nfc_mf0aes': {
'default': 'False',
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'form_kwargs': dict(
label=_("Active"),
)
},
'reusable_media_type_nfc_mf0aes_autocreate_giftcard': {
'default': 'False',
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'form_kwargs': dict(
label=_("Automatically create a new gift card if a new chip is encoded"),
)
},
'reusable_media_type_nfc_mf0aes_autocreate_giftcard_currency': {
'default': 'EUR',
'type': str,
'form_class': forms.ChoiceField,
'serializer_class': serializers.ChoiceField,
'serializer_kwargs': dict(
choices=[(c.alpha_3, c.alpha_3 + " - " + c.name) for c in settings.CURRENCIES],
),
'form_kwargs': dict(
choices=[(c.alpha_3, c.alpha_3 + " - " + c.name) for c in settings.CURRENCIES],
label=_("Gift card currency"),
)
},
'reusable_media_type_nfc_mf0aes_random_uid': {
'default': 'False',
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'form_kwargs': dict(
label=_("Use UID protection feature of NFC chip"),
)
},
'max_items_per_order': {
'default': '10',
'type': int,
@@ -3657,14 +3697,10 @@ def validate_organizer_settings(organizer, settings_dict):
# This is not doing anything for the time being.
# But earlier we called validate_event_settings for the organizer, too - and that didn't do anything for
# organizer-settings either.
#
# N.B.: When actually fleshing out this stub, adding it to the OrganizerUpdateForm should be considered.
"""
if settings_dict.get('reusable_media_type_ntag_pretix1') and settings_dict.get('reusable_media_type_nfc_uid'):
if settings_dict.get('reusable_media_type_nfc_mf0aes') and settings_dict.get('reusable_media_type_nfc_uid'):
raise ValidationError({
'reusable_media_type_nfc_uid': _('This needs to be disabled if other NFC-based types are active.')
})
"""
def global_settings_object(holder):

4
src/pretix/control/forms/organizer.py
View File

@@ -412,6 +412,10 @@ class OrganizerSettingsForm(SettingsForm):
'reusable_media_type_nfc_uid',
'reusable_media_type_nfc_uid_autocreate_giftcard',
'reusable_media_type_nfc_uid_autocreate_giftcard_currency',
'reusable_media_type_nfc_mf0aes',
'reusable_media_type_nfc_mf0aes_autocreate_giftcard',
'reusable_media_type_nfc_mf0aes_autocreate_giftcard_currency',
'reusable_media_type_nfc_mf0aes_random_uid',
]
organizer_logo_image = ExtFileField(

1
src/pretix/control/logdisplay.py
View File

@@ -368,6 +368,7 @@ def pretixcontrol_logentry_display(sender: Event, logentry: LogEntry, **kwargs):
'pretix.reusable_medium.created.auto': _('The reusable medium has been created automatically.'),
'pretix.reusable_medium.changed': _('The reusable medium has been changed.'),
'pretix.reusable_medium.linked_orderposition.changed': _('The medium has been connected to a new ticket.'),
'pretix.reusable_medium.linked_giftcard.changed': _('The medium has been connected to a new gift card.'),
'pretix.email.error': _('Sending of an email has failed.'),
'pretix.event.comment': _('The event\'s internal comment has been updated.'),
'pretix.event.canceled': _('The event has been canceled.'),

26
src/pretix/control/templates/pretixcontrol/organizers/edit.html
View File

@@ -262,6 +262,32 @@
</div>
</div>
</div>
<div class="panel panel-default">
<div class="panel-heading">
<h4 class="panel-title">NFC Mifare Ultralight AES</h4>
</div>
<div class="panel-body">
<p class="help-block">
{% blocktrans trimmed %}
This medium type works only with NFC chips of the type Mifare Ultralight AES
made by NXP. This provides a higher level of security than other approaches, but
requires all chips to be encoded prior to use.
{% endblocktrans %}
{% blocktrans trimmed %}
NFC media can currently only be connected to gift cards.
{% endblocktrans %}
</p>
{% bootstrap_field sform.reusable_media_type_nfc_mf0aes layout="control" %}
<div data-display-dependency="#{{ sform.reusable_media_type_nfc_mf0aes.id_for_label }}">
{% bootstrap_field sform.reusable_media_type_nfc_mf0aes_autocreate_giftcard layout="control" %}
<div data-display-dependency="#{{ sform.reusable_media_type_nfc_mf0aes_autocreate_giftcard.id_for_label }}">
{% bootstrap_field sform.reusable_media_type_nfc_mf0aes_autocreate_giftcard_currency layout="control" %}
</div>
{% bootstrap_field sform.reusable_media_type_nfc_mf0aes_random_uid layout="control" %}
</div>
</div>
</div>
</div>
</fieldset>
<fieldset>