npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

yubikeyotp

v0.2.0

Published

Low-level Yubikey OTP decryption / verification library for node.js

Downloads

284

Readme

yubikeyotp

Low-level Yubikey OTP decryption / verification library for node.js.

Install

npm install yubikeyotp

Usage

Offline low-level verification

var yubikeyotp = require('yubikeyotp');

// hex-encoded AES key
var aeskey = 'e6cdae77f55ac1db4acd3b7fd8151334';

// modhex-encoded OTP key generated by Yubikey programmed with above key
var otp = 'khdnrutkdendbrbghdjcidkhveuhbrcuublkdjfttcrk';

// result contents documented below
var result = yubikeyotp.parseOTP(otp, aeskey);

console.log(result);

Output:

{ pubUid: '962bced923b2',
  uid: '4e8308389518',
  useCtr: 7,
  tstp: 1768874,
  sessionCtr: 0,
  rnd: 199,
  crc: 50219 }

Online verfication with Yubico Cloud

var yubikeyotp = require('yubikeyotp');

yubikeyotp.verifyOTP({
	otp: 'ccccccdbrrebjrtefjjcklkuehfjrktcfikdidujblvv',
	id: 'xxxxx', // replace with real ID
	key: 'xxxxx', // replace with real key
	sl: '100',
	timestamp: true
}, function(err, results) {
	console.log(results);
});

Output:

{ h: 'XpqsKMYH3DVXOGXHZeXqyKmdMVs',
  t: '2014-02-14T19:26:41Z0233',
  otp: 'ccccccbfttfbuldcefjvnkeijhljrhdcjerhccundbjd',
  nonce: 'szUJ2dCI7gEPinJfKvu0fAIFoEi8DU',
  sl: '100',
  timestamp: '5993928',
  sessioncounter: '338',
  sessionuse: '0',
  status: 'OK' }

Documentation

parseOTP

parseOTP decrypts OTP using given AES key and returns false when the OTP is malformed or computed CRC16 does not match. Otherwise object with following properties is returned:

  • pubUid: hex-encoded public UID (it is part of OTP string)
  • uid: hex-encoded private UID (programmed on key along with AES key)
  • useCtr: 15-bit boot counter - number of times Yubikey device was booted (inserted into USB port) since last reconfiguration
  • tstp: 24-bit timer counting at approximately 8 Hz since last device boot (initialized randomly at boot)
  • sessionCtr: 8-bit usage counter since last boot (bumps useCtr when overflowing)
  • rnd: 16-bit random number
  • crc: 16-bit CRC checksum (already verified by parseOTP method)

This method works offline and is synchronous.

verifyOTP

verifyOTP takes OTP along with Yubikey API id and optional API key and verifies using Yubicloud Web API. Arguments:

  • options object with following properties:
    • otp: required - modhex-encoded OTP to verify, generated with Yubikey
    • id: required - your API id
    • key: optional - your base64 encoded API key - if provided it will be used to sign request. This allows verification of server response.
    • nonce: optional - defaults to random string generated by crypto.pseudoRandomBytes. Nonce used in request.
    • apiUrl: optional - API endpoint URL - defaults to https://api.yubico.com/wsapi/2.0/verify. Can be changed to use private cloud.
    • requestParams: optional - defaults to {}. Can be used to override request parameters (e.g. proxy settings).
    • timestamp: optional - boolean defaults to false. If set to true, requests timestamp and session counter information to be added to response.
    • sl: optional - defaults to false. Can be value 0 to 100 indicating percentage of syncing required by client, or strings "fast" or "secure" to use server-configured values; if absent, let the server decide (as per protocol spec).
    • timeout: optional - defaults to false. Number of seconds server will wait for sync responses; if absent, let the server decide (as per protocol spec).
  • callback takes function with parameters err and result. err contains error string or null if server responded with well-formed and properly signed answer. In this case result is an object with following properties (unmodified as received from server):
    • otp: original OTP from request (automatically verified by method)
    • nonce: nonce from request
    • h: HMAC-SHA1 signature (automatically verified by method)
    • t: string with UTC timestamp
    • timestamp: present if timestamp was requested. Contains internal Yubikey timestamp
    • sessioncounter: present if timestamp was requested. Contains interal Yubikey boot counter
    • sessionuse: present if timestamp was requested. Contains interal Yubikey session counter
    • sl: percentage of external validation server that replied successfully (0 to 100)
    • status: one of following (as per protocol spec):
      • OK: The OTP is valid.
      • BAD_OTP: The OTP is invalid format.
      • REPLAYED_OTP: The OTP has already been seen by the service.
      • BAD_SIGNATURE: The HMAC signature verification failed.
      • MISSING_PARAMETER: The request lacks a parameter.
      • NO_SUCH_CLIENT: The request id does not exist.
      • OPERATION_NOT_ALLOWED: The request id is not allowed to verify OTPs.
      • BACKEND_ERROR: Unexpected error on server.
      • NOT_ENOUGH_ANSWERS: Server could not get requested number of syncs during requested timeout
      • REPLAYED_REQUEST: Server has seen the OTP/Nonce combination before

This method requires internet connection and is asynchronous.

Resources