Import Upstream version 1.3.3

2025-08-13 10:23:20 +02:00
commit 65be73d223
43 changed files with 4458 additions and 0 deletions
--- a/util/yubikey-totp
+++ b/util/yubikey-totp
@@ -0,0 +1,132 @@
+#!/usr/bin/env python
+#
+# Copyright (c) 2011, Yubico AB
+# See the file COPYING for licence statement.
+#
+
+"""
+This program lets you use the HMAC-SHA-1 in your YubiKey to produce
+OATH TOTP (RFC 6238) codes.
+
+To verify the output of this program, first program a YubiKey with the
+RFC 6238 test key "12345678901234567890" (ASCII) :
+
+  $ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 \
+	-o serial-api-visible \
+	-a 3132333435363738393031323334353637383930
+
+and then examine the OATH codes for the test values (Time) in Appendix B
+of RFC 6238 (SHA1) :
+
+  Time           SHA1
+  59          -> 94287082
+  1111111109  -> 07081804
+  1234567890  -> 89005924
+  20000000000 -> 65353130
+
+Like this :
+
+  $ yubikey-totp --step 30 --digits 8 --time 59
+  94287082
+  $
+
+"""
+
+
+import sys
+import time
+import struct
+import yubico
+import argparse
+import binascii
+
+default_slot=2
+default_time=int(time.time())
+default_step=30
+default_digits=6
+
+def parse_args():
+    """
+    Parse the command line arguments
+    """
+    parser = argparse.ArgumentParser(description = "Generate OATH TOTP codes using a YubiKey",
+                                     add_help = True,
+                                     formatter_class = argparse.ArgumentDefaultsHelpFormatter,
+                                     )
+    parser.add_argument('-v', '--verbose',
+                        dest='verbose',
+                        action='store_true', default=False,
+                        help='Enable verbose operation'
+                        )
+    parser.add_argument('--debug',
+                        dest='debug',
+                        action='store_true', default=False,
+                        help='Enable debug operation'
+                        )
+    parser.add_argument('--time',
+                        dest='time',
+                        type=int, default=default_time,
+                        required=False,
+                        help='Time to use as number of seconds since epoch',
+                        )
+    parser.add_argument('--step',
+                        dest='step',
+                        type=int, default=default_step,
+                        required=False,
+                        help='Time step in use (in seconds)',
+                        )
+    parser.add_argument('--digits',
+                        dest='digits',
+                        type=int, default=default_digits,
+                        required=False,
+                        help='Length of OTP in decimal digits',
+                        )
+    parser.add_argument('--slot',
+                        dest='slot',
+                        type=int, default=default_slot,
+                        required=False,
+                        help='YubiKey slot configured for Challenge-Response',
+                        )
+
+    args = parser.parse_args()
+
+    return args
+
+def make_totp(args):
+    """
+    Create an OATH TOTP OTP and return it as a string (to disambiguate leading zeros).
+    """
+    YK = yubico.find_yubikey(debug=args.debug)
+    if args.debug or args.verbose:
+        print("Version : %s " % YK.version())
+        if args.debug:
+            print("Serial  : %i" % YK.serial())
+        print("")
+    # Do challenge-response
+    secret = struct.pack("> Q", args.time / args.step).ljust(64, chr(0x0))
+    if args.debug:
+        print("Sending challenge : %s\n" % (binascii.hexlify(secret)))
+    response = YK.challenge_response(secret, slot=args.slot)
+    # format with appropriate number of leading zeros
+    totp_str = '%.*i' % (args.digits, yubico.yubico_util.hotp_truncate(response, length=args.digits))
+    return totp_str
+
+def main():
+    """ Main program. """
+    args = parse_args()
+
+    otp = None
+    try:
+        otp = make_totp(args)
+    except yubico.yubico_exception.YubicoError as e:
+        print("ERROR: %s" % (e.reason))
+        return 1
+
+    if not otp:
+        return 1
+
+    print(otp)
+    return 0
+
+if __name__ == '__main__':
+    sys.exit(main())
--- a/util/yubikey-totp.1
+++ b/util/yubikey-totp.1
@@ -0,0 +1,102 @@
+.\" Copyright (c) 2012 Yubico AB
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions are
+.\" met:
+.\"
+.\"     * Redistributions of source code must retain the above copyright
+.\"       notice, this list of conditions and the following disclaimer.
+.\"
+.\"     * Redistributions in binary form must reproduce the above
+.\"       copyright notice, this list of conditions and the following
+.\"       disclaimer in the documentation and/or other materials provided
+.\"       with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+.\" OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" The following commands are required for all man pages.
+.de URL
+\\$2 \(laURL: \\$1 \(ra\\$3
+..
+.if \n[.g] .mso www.tmac
+.TH yubikey-totp "1" "June 2012" "python-yubico"
+.SH NAME
+yubikey-totp - Produce an OATH TOTP code using a YubiKey
+.SH SYNOPSIS
+.B yubikey-totp
+[\fI-v\fR] [\fI-h\fR] [\fI--time\fR | \fI--step\fR] [\fI--digits\fR] [\fI--slot\fR] [\fI--debug\fR]
+
+.SH DESCRIPTION
+OATH codes are one time passwords (OTP) calculated in a standardized way. While the YubiKey
+is primarily used with Yubico OTP's, the YubiKey is also capable of producing OATH codes.
+
+OATH generally comes in two flavors -- event based (called HOTP) and time based (called TOTP).
+Since the YubiKey does not contain a battery, it cannot keep track of the current time itself
+and therefor a helper application such as yubikey-totp is required to effectively send the
+current time to the YubiKey, which can then perform the cryptographic calculation needed to
+produce the OATH code.
+
+Through the use of a helper application, such as yubikey-totp, the YubiKey can be used with
+sites offering OATH TOTP authentication, such as Google GMail.
+.SH OPTIONS
+.TP
+\fB\-v\fR
+enable verbose mode.
+.TP
+\fB\-h\fR
+show help
+.TP
+\fB\-\-time\fR
+specify the time value to use (in seconds since epoch)
+.TP
+\fB\-\-step\fR
+how frequent codes change in your system - typically 30 or 60 seconds
+.TP
+\fB\-\-digits\fR
+digits in OATH code - typically 6
+.TP
+\fB\-\-slot\fR
+YubiKey slot to use - default 2
+.TP
+\fB\-\-debug\fR
+enable debug output
+
+.SH EXAMPLE
+
+The YubiKey OATH TOTP operation can be demonstrated using the
+\fBRFC 6238\fR test key "12345678901234567890" (ASCII).
+.P
+First, program a YubiKey for HMAC-SHA1 Challenge-Response operation with the test vector HMAC key :
+.HP
+.nf
+$ \fBykpersonalize \-2 \-ochal\-resp \-ochal\-hmac \-ohmac\-lt64 \-o serial\-api\-visible \\
+	\-a 3132333435363738393031323334353637383930\fR
+.fi
+.HP
+Now, send the NIST test challenge to the YubiKey and verify the result matches the
+expected :
+.HP
+.nf
+$ \fByubikey\-totp \-\-step 30 \-\-digits 8 \-\-time 1111111109\fR
+07081804
+$
+.fi
+
+.SH BUGS
+Report yubikey-totp bugs in
+.URL "https://github.com/Yubico/python-yubico/issues/" "the issue tracker" "."
+.SH "SEE ALSO"
+.PP
+YubiKeys can be obtained from
+.URL "http://www.yubico.com/" "Yubico" "."