yubikey 1.2.1 → 1.3.0

data/README.md

@@ -0,0 +1,70 @@
+# yubikey
+
+[![Build Status](https://travis-ci.org/rainforestapp/yubikey.png?branch=master)](https://travis-ci.org/rainforestapp/yubikey)
+
+## Description
+
+A library to verify, decode, decrypt and parse [Yubikey](http://www.yubico.com/home/index/) one-time passwords.
+
+## Usage
+
+### OTP Decryption
+
+```ruby
+key = 'ecde18dbe76fbd0c33330f1c354871db'
+otp = 'dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
+token = Yubikey::OTP.new(otp, key)
+
+p "Device public id: #{token.public_id}" #=> 'dteffuje'
+p "Device secret id: #{token.secret_id}" #=> '8792ebfe26cc'
+p "Device insertions: #{token.insert_counter}" #=> 19
+p "Session activation counter: #{token.session_counter}" #=> 17
+p "Session timestamp: #{token.timestamp}" #=> 49712
+p "OTP random data: #{token.random_number}" #=> 40904
+```
+
+### OTP Verification
+Use your own `api_key` and `api_id`, which you can get at [yubico.com](https://upgrade.yubico.com/getapikey/).
+
+```ruby
+begin
+  otp = Yubikey::OTP::Verify.new(:api_id => 1234,
+                                 :api_key => 'NiSwGZBQ0gTbwXbRGWAf4kM5xXg=',
+                                 :otp => 'dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh')
+    
+  if otp.valid?
+    p 'valid OTP'
+  elsif otp.replayed?
+    p 'replayed OTP'
+  end
+rescue Yubikey::OTP::InvalidOTPError
+  p 'invalid OTP'
+end
+```
+
+## Install
+
+Yubikey is available as a gem, to install it just install the gem:
+
+    gem install yubikey
+
+If you're using Bundler, add the gem to Gemfile.
+
+    gem 'yubikey'
+
+Then run bundle install.
+
+## Copyright
+
+### Ruby library
+  Written by [Jonathan Rudenberg](https://github.com/titanous) <jon335@gmail.com>
+  Copyright (c) 2009 Jonathan Rudenberg
+  The MIT License. See LICENSE.
+
+### Contributors
+- Carl Byström
+- Erik Ruwalder
+- [Russell Smith](https://github.com/ukd1)
+- [Chris Lundquist](https://github.com/ChrisLundquist)
+- [Maarten van Grootel](https://github.com/maartenvg)
+- [Chris Benedict](https://github.com/chrisbdaemon)

data/lib/yubikey.rb

@@ -1,12 +1,12 @@
-$:.unshift(File.dirname(__FILE__)) unless
-  $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
+$LOAD_PATH.unshift(File.dirname(__FILE__)) unless
+  $LOAD_PATH.include?(File.dirname(__FILE__)) || $LOAD_PATH.include?(File.expand_path(File.dirname(__FILE__)))
 
 require 'net/https'
-require 'crypt/rijndael'
+require 'openssl'
 
 module Yubikey; end;
 
 require 'yubikey/hex'
 require 'yubikey/modhex'
 require 'yubikey/otp'
-require 'yubikey/otp_verify'
+require 'yubikey/otp_verify'

data/lib/yubikey/otp.rb

@@ -15,31 +15,41 @@ class Yubikey::OTP
   attr_reader :session_counter
   # random integer used as padding and extra random noise
   attr_reader :random_number
-  
-  
+
+
   # Decode/decrypt a Yubikey one-time password
   #
   # [+otp+] ModHex encoded Yubikey OTP (at least 32 characters)
   # [+key+] 32-character hex AES key
-  def initialize(otp, key)    
+  def initialize(otp, key)
+
+    # Get the public ID first
+    @public_id = otp[0, 12]
+
+    # Strip prefix so otp will decode (following from yubico-c library)
+    otp = otp[-32,32] if otp.length > 32
+
     raise InvalidOTPError, 'OTP must be at least 32 characters of modhex' unless otp.modhex? && otp.length >= 32
     raise InvalidKeyError, 'Key must be 32 hex characters' unless key.hex? && key.length == 32
-    
-    @public_id = otp[0,otp.length-32] if otp.length > 32
-    
+
+
     @token = Yubikey::ModHex.decode(otp[-32,32])
     @aes_key = key.to_bin
-    
-    @token = Crypt::Rijndael.new(@aes_key, 128).decrypt_block(@token)
-    
+
+    decrypter = OpenSSL::Cipher.new('AES-128-ECB').decrypt
+    decrypter.key = @aes_key
+    decrypter.padding = 0
+
+    @token = decrypter.update(@token) + decrypter.final
+
     raise BadCRCError unless crc_valid?
-    
+
     @secret_id, @insert_counter, @timestamp, @timestamp_lo, @session_counter, @random_number, @crc = @token.unpack('H12vvCCvv')
     @timestamp += @timestamp_lo * 65536
   end
-  
+
   private
-  
+
   def crc_valid?
     crc = 0xffff
     @token.each_byte do |b|
@@ -52,9 +62,9 @@ class Yubikey::OTP
     end
     crc == 0xf0b8
   end
-  
+
   # :stopdoc:
   class InvalidOTPError < StandardError; end
   class InvalidKeyError < StandardError; end
   class BadCRCError < StandardError; end
-end # Yubikey::OTP
+end # Yubikey::OTP

data/lib/yubikey/otp_verify.rb

@@ -1,16 +1,26 @@
+require 'base64'
+require 'securerandom'
+
 module Yubikey
   
-  API_URL = 'https://api.yubico.com/wsapi/'
-  API_ID  = 2549
-  API_KEY = 'e928a7d3076516a8c8c879f42c3ea0388f3b19f'  
-  
+  API_URL = 'https://api.yubico.com/wsapi/2.0/'
+
   class OTP::Verify
-    
     # The raw status from the Yubico server
     attr_reader :status
-    
-    def initialize(otp)
-      verify("id=#{API_ID}&otp=#{otp}")
+
+    def initialize(args)
+      raise(ArgumentError, "Must supply API ID") if args[:api_id].nil?
+      raise(ArgumentError, "Must supply API Key") if args[:api_key].nil?
+      raise(ArgumentError, "Must supply OTP") if args[:otp].nil?
+
+      @api_key = args[:api_key]
+      @api_id = args[:api_id]
+      
+      @url = args[:url] || API_URL
+      @nonce = args[:nonce] || OTP::Verify.generate_nonce(32)
+
+      verify(args)
     end
     
     def valid?
@@ -23,8 +33,10 @@ module Yubikey
     
     private
     
-    def verify(query)
-      uri = URI.parse(API_URL) + 'verify'
+    def verify(args)
+      query = "id=#{@api_id}&otp=#{args[:otp]}&nonce=#{@nonce}"
+
+      uri = URI.parse(@url) + 'verify'
       uri.query = query
       
       http = Net::HTTP.new(uri.host, uri.port)
@@ -33,12 +45,52 @@ module Yubikey
       
       req = Net::HTTP::Get.new(uri.request_uri)
       result = http.request(req).body
-      
+
       @status = result[/status=(.*)$/,1].strip
       
       if @status == 'BAD_OTP' || @status == 'BACKEND_ERROR'
         raise OTP::InvalidOTPError, "Received error: #{@status}"
       end
+
+      if ! verify_response(result)
+        @status = 'BAD_RESPONSE'
+        return
+      end
+    end
+
+    def verify_response(result)
+
+      signature = result[/^h=(.+)$/, 1].strip
+      returned_nonce = result[/nonce=(.+)$/, 1]
+      returned_nonce.strip! unless returned_nonce.nil?
+
+      if @nonce != returned_nonce
+        return false
+      end
+
+      generated_signature = OTP::Verify.generate_hmac(result, @api_key)
+
+      return signature == generated_signature
+    end
+
+
+    def self.generate_nonce(length)
+      return SecureRandom.hex length/2
+    end
+
+
+    def self.generate_hmac(response, api_key)
+      response_params = response.split(' ')
+      response_params.reject! do |p|
+        p =~ /^h=(.+)$/
+      end
+
+      response_string = response_params.sort.join('&')
+      response_string.strip!
+
+      hmac = OpenSSL::HMAC.digest('sha1', Base64.decode64(api_key), response_string)
+
+      return Base64.encode64(hmac).strip
     end
   end # OTP::Verify
 end # Yubikey

data/spec/hex_spec.rb

@@ -1,27 +1,26 @@
-require File.dirname(__FILE__) + '/spec_helper.rb'
-
+# encoding: US-ASCII 
 describe 'hex' do
-  it 'should encode binary to hex' do
+  it 'encodes binary to hex' do
     "i\266H\034\213\253\242\266\016\217\"\027\233X\315V".to_hex.
       should == '69b6481c8baba2b60e8f22179b58cd56'
-    
+
     "\354\336\030\333\347o\275\f33\017\0345Hq\333".to_hex.
       should == 'ecde18dbe76fbd0c33330f1c354871db'
   end
-  
-  it 'should decode hex to binary' do
+
+  it 'decodes hex to binary' do
     '69b6481c8baba2b60e8f22179b58cd56'.to_bin.
       should == "i\266H\034\213\253\242\266\016\217\"\027\233X\315V"
-    
+
     'ecde18dbe76fbd0c33330f1c354871db'.to_bin.
       should == "\354\336\030\333\347o\275\f33\017\0345Hq\333"
   end
-  
-  it 'should know whether a string is hex' do
-    'ecde18dbe76fbd0c33330f1c354871db'.hex?.should == true
-    'dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'.modhex?.should == true
-    
-    'foobar'.hex?.should == false
-    'test'.modhex?.should == false
+
+  it 'detects if a string is hex' do
+    'ecde18dbe76fbd0c33330f1c354871db'.hex?.should be_true
+    'dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'.modhex?.should be_true
+
+    'foobar'.hex?.should be_false
+    'test'.modhex?.should be_false
   end
-end
+end

data/spec/spec_helper.rb

@@ -1,10 +1,5 @@
-begin
-  require 'spec'
-rescue LoadError
-  require 'rubygems'
-  gem 'rspec'
-  require 'spec'
-end
+require 'rubygems'
+require 'rspec'
 
-$:.unshift(File.dirname(__FILE__) + '/../lib')
+$LOAD_PATH.unshift(File.dirname(__FILE__) + '/../lib')
 require 'yubikey'

metadata

@@ -1,37 +1,24 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: yubikey
-version: !ruby/object:Gem::Version 
-  version: 1.2.1
+version: !ruby/object:Gem::Version
+  version: 1.3.0
+  prerelease: 
 platform: ruby
-authors: 
+authors:
 - Jonathan Rudenberg
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2009-12-04 00:00:00 -05:00
-default_executable: 
-dependencies: 
-- !ruby/object:Gem::Dependency 
-  name: crypt19
-  type: :runtime
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        version: "0"
-    version: 
+date: 2013-03-19 00:00:00.000000000 Z
+dependencies: []
 description: A library to verify, decode, decrypt and parse Yubikey one-time passwords.
 email: jon335@gmail.com
 executables: []
-
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - LICENSE
-- README.rdoc
-files: 
+- README.md
+files:
 - examples/otp.rb
 - lib/yubikey.rb
 - lib/yubikey/hex.rb
@@ -39,49 +26,35 @@ files:
 - lib/yubikey/otp.rb
 - lib/yubikey/otp_verify.rb
 - spec/hex_spec.rb
-- spec/spec.opts
 - spec/spec_helper.rb
-- spec/yubikey_modhex_spec.rb
-- spec/yubikey_otp_spec.rb
-- spec/yubikey_otp_verify_spec.rb
 - LICENSE
-- README.rdoc
-has_rdoc: true
-homepage: http://github.com/titanous/yubikey
+- README.md
+homepage: https://github.com/titanous/yubikey
 licenses: []
-
 post_install_message: 
-rdoc_options: 
-- --charset=UTF-8
+rdoc_options:
 - --title
 - yubikey
 - --main
 - README.rdoc
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      version: "0"
-  version: 
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      version: "0"
-  version: 
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: yubikey
-rubygems_version: 1.3.5
+rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
-summary: A library to verify, decode, decrypt and parse Yubikey one-time passwords.
-test_files: 
-- spec/hex_spec.rb
-- spec/spec_helper.rb
-- spec/yubikey_modhex_spec.rb
-- spec/yubikey_otp_spec.rb
-- spec/yubikey_otp_verify_spec.rb
-- examples/otp.rb
+summary: Yubikey library for Ruby
+test_files: []

data/README.rdoc

@@ -1,49 +0,0 @@
-= yubikey
-
-== Description
-
-A library to verify, decode, decrypt and parse Yubikey[http://www.yubico.com/home/index/] one-time passwords.
-
-== Usage
-
-=== OTP Decryption
-
-  key = 'ecde18dbe76fbd0c33330f1c354871db'
-  otp = 'dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
-  token = Yubikey::OTP.new(otp, key)
-  
-  p "Device public id: #{token.public_id}" #=> 'dteffuje'
-  p "Device secret id: #{token.secret_id}" #=> '8792ebfe26cc'
-  p "Device insertions: #{token.insert_counter}" #=> 19
-  p "Session activation counter: #{token.session_counter}" #=> 17
-  p "Session timestamp: #{token.timestamp}" #=> 49712
-  p "OTP random data: #{token.random_number}" #=> 40904
-
-=== OTP Verification
-
-  begin
-    otp = Yubikey::OTP::Verify.new('dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh')
-  
-    if otp.valid?
-      p 'valid OTP'
-    elsif otp.replayed?
-      p 'replayed OTP'
-    end
-  rescue Yubikey::OTP::InvalidOTPError
-    p 'invalid OTP'
-  end
-
-== Install
-
-  sudo gem install yubikey
-
-== Copyright
-
-=== Ruby library
-  Written by Jonathan Rudenberg <jon335@gmail.com>
-  Copyright (c) 2009 Jonathan Rudenberg
-  The MIT License. See LICENSE.
-
-=== Contributors
-  Carl Byström
-  Erik Ruwalder

data/spec/spec.opts

@@ -1 +0,0 @@
---colour

data/spec/yubikey_modhex_spec.rb

@@ -1,31 +0,0 @@
-require File.dirname(__FILE__) + '/spec_helper.rb'
-
-describe 'Yubikey::Modhex' do
-  it 'should decode modhex' do
-    Yubikey::ModHex.decode('hknhfjbrjnlnldnhcujvddbikngjrtgh').should == "i\266H\034\213\253\242\266\016\217\"\027\233X\315V"
-    Yubikey::ModHex.decode('urtubjtnuihvntcreeeecvbregfjibtn').should == "\354\336\030\333\347o\275\f33\017\0345Hq\333"
-    
-    Yubikey::ModHex.decode('dteffuje').should == "-4N\203"
-    
-    Yubikey::ModHex.decode('ifhgieif').should == 'test'
-    Yubikey::ModHex.decode('hhhvhvhdhbid').should == 'foobar'
-    
-    Yubikey::ModHex.decode('cc').should == "\000"
-  end
-  
-  it 'should raise if modhex string length uneven' do
-    lambda { Yubikey::ModHex.decode('ifh') }.should raise_error(ArgumentError)
-  end
-  
-  it 'should encode modhex' do
-    Yubikey::ModHex.encode("i\266H\034\213\253\242\266\016\217\"\027\233X\315V").should == 'hknhfjbrjnlnldnhcujvddbikngjrtgh'
-    Yubikey::ModHex.encode("\354\336\030\333\347o\275\f33\017\0345Hq\333").should == 'urtubjtnuihvntcreeeecvbregfjibtn'
-    
-    Yubikey::ModHex.encode("-4N\203").should == 'dteffuje'
-    
-    Yubikey::ModHex.encode('test').should == 'ifhgieif'
-    Yubikey::ModHex.encode('foobar').should == 'hhhvhvhdhbid'
-    
-    Yubikey::ModHex.encode("\000").should == 'cc'
-  end
-end

data/spec/yubikey_otp_spec.rb

@@ -1,28 +0,0 @@
-require File.dirname(__FILE__) + '/spec_helper.rb'
-
-describe 'Yubikey::OTP' do
-  it 'should parse a otp' do
-    token = Yubikey::OTP.new('dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh', 'ecde18dbe76fbd0c33330f1c354871db')
-    
-    token.public_id.should == 'dteffuje'
-    token.secret_id.should == '8792ebfe26cc'
-    token.insert_counter.should == 19
-    token.session_counter.should == 17
-    token.timestamp.should == 49712
-    token.random_number.should == 40904
-  end
-  
-  it 'should raise if key or otp invalid' do
-    otp = 'hknhfjbrjnlnldnhcujvddbikngjrtgh'
-    key = 'ecde18dbe76fbd0c33330f1c354871db'
-    
-    lambda { Yubikey::OTP.new(key, key) }.should raise_error(Yubikey::OTP::InvalidOTPError)
-    lambda { Yubikey::OTP.new(otp, otp) }.should raise_error(Yubikey::OTP::InvalidKeyError)
-    
-    lambda { Yubikey::OTP.new(otp[0,31], key) }.should raise_error(Yubikey::OTP::InvalidOTPError)
-    lambda { Yubikey::OTP.new(otp, key[0,31]) }.should raise_error(Yubikey::OTP::InvalidKeyError)
-    
-    lambda { Yubikey::OTP.new(otp[1,31]+'d', key) }.should raise_error(Yubikey::OTP::BadCRCError)
-  end
-  
-end

data/spec/yubikey_otp_verify_spec.rb

@@ -1,38 +0,0 @@
-require File.dirname(__FILE__) + '/spec_helper.rb'
-
-describe 'Yubikey::OTP::Verify' do
-  
-  before do
-    @otp = 'dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
-    
-    @mock_http = mock('http')
-    @mock_http_get = mock('http_get')
-    
-    Net::HTTP.should_receive(:new).with('api.yubico.com', 443).and_return(@mock_http)
-    @mock_http.should_receive(:use_ssl=).and_return(nil)
-    @mock_http.should_receive(:verify_mode=).and_return(nil)
-    @mock_http.should_receive(:request).with(@mock_http_get).and_return(@mock_http_get)
-    Net::HTTP::Get.should_receive(:new).with(/otp=#{@otp}/).and_return(@mock_http_get)
-  end
-  
-  it 'should verify a valid OTP' do
-    @mock_http_get.should_receive(:body).and_return('status=OK')
-    otp = Yubikey::OTP::Verify.new(@otp)
-    otp.valid?.should == true
-    otp.replayed?.should == false
-  end
-  
-  it 'should verify a replayed OTP' do
-    @mock_http_get.should_receive(:body).and_return('status=REPLAYED_OTP')
-    otp = Yubikey::OTP::Verify.new(@otp)
-    otp.valid?.should == false
-    otp.replayed?.should == true
-  end
-  
-  it 'should raise on invalid OTP' do
-    @mock_http_get.should_receive(:body).and_return('status=BAD_OTP')
-    lambda { otp = Yubikey::OTP::Verify.new(@otp) }.should raise_error(Yubikey::OTP::InvalidOTPError)
-  end
-  
-  
-end