Public ID problems with Yubikey test vectors


Yuval Adam

Jul 22, 2016, 10:17:05 AM
to django-otp
I'm trying to get a basic POC working for Yubikey OTP + Django and for that I'm using the test vectors published at https://developers.yubico.com/OTP/Test_Vectors.html

Here's what I'm doing:

>>> d = user.yubikeydevice_set.create(key='000102030405060708090a0b0c0d0e0f', private_id='010203040506', session=1, counter=1)
>>> d.id
2

I saved one device earlier so this now has ID 2, fine. For this I get:

>>> d.public_id()
b'cccccccd'

I'm on Python 3 hence the explicit mentioning of bytes.
Anyway, now I'm unsure how to verify the test token.
This public id is indeed 4 bytes long (hex-encoded), but I thought yubikeys spit out 12 chars == 6 bytes?

According to the test vector the OTP is 'dvgtiblfkbgturecfllberrvkinnctnn', but neither the 4-byte nor the 6-byte public ID version works for me:

>>> d.verify_token(b'cccccccd' + b'dvgtiblfkbgturecfllberrvkinnctnn')
False
>>> d.verify_token(b'cccccccccccd' + b'dvgtiblfkbgturecfllberrvkinnctnn')
False

What am I doing wrong? Can anyone point out a proper example of a working test vector? Thanks

Yuval Adam

Jul 22, 2016, 10:26:28 AM
to django-otp
Quick update, my counters were wrong. I should have initialized the device with counters set to 0.

Now I have:

>>> d = user.yubikeydevice_set.create(
...     key='000102030405060708090a0b0c0d0e0f', private_id='010203040506', session=0, counter=0)
>>> d.id
3
>>> d.verify_token(b'cccccccedvgtiblfkbgturecfllberrvkinnctnn')
True

So now I set this in my test project's URL conf:

admin = OTPAdminSite(OTPAdminSite.name)
urlpatterns = [
    url(r'^admin/', admin.urls),
]

So the admin login now has 3 fields, user, pass and OTP.
And after deleting my device and incrementing my public ID, I fill in my test user and password, and paste in the proper OTP (with ID 'cccccccf' since ID == 4 now) but the login fails.
Weird thing is that when the device dropdown is shown, there are no devices there. Even though I get this:

>>> list(devices_for_user(u))
[<YubikeyDevice:  (admin)>]

Thoughts?

Peter Sagerson

Jul 23, 2016, 12:33:29 PM
to djang...@googlegroups.com
Thanks for tracking this down and filing the bug.[1] I just pushed up version 0.3.4 with the fix.



[1] https://bitbucket.org/psagers/django-otp/issues/15/token-passed-as-str-instead-of-bytes-on
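
An added example, not code from this thread or from django-otp: a standalone sketch of the token format discussed above, showing modhex encoding, how a full token splits into a variable-length public ID plus a fixed 32-character OTP block, and why str input has to be normalised to bytes on Python 3. The function names are hypothetical, and the 4-byte big-endian packing of the device ID is an assumption inferred from the public IDs shown in the thread.

```python
import struct

# Modhex maps the hex digits 0-f, in order, onto these 16 characters.
MODHEX = b"cbdefghijklnrtuv"
HEX = b"0123456789abcdef"
OTP_LEN = 32      # modhex characters carrying the 16-byte encrypted block
MAX_ID_LEN = 16   # a Yubico OTP public ID is 0 to 16 modhex characters


def modhex(data: bytes) -> bytes:
    """Encode raw bytes as modhex."""
    return data.hex().encode("ascii").translate(bytes.maketrans(HEX, MODHEX))


def unmodhex(text: bytes) -> bytes:
    """Decode modhex to raw bytes, rejecting characters outside the alphabet."""
    if len(text) % 2 or not set(text) <= set(MODHEX):
        raise ValueError("not valid modhex")
    hex_text = text.translate(bytes.maketrans(MODHEX, HEX))
    return bytes.fromhex(hex_text.decode("ascii"))


def public_id_for(device_id: int) -> bytes:
    """Assumption: the public ID is the row ID packed as 4 big-endian bytes."""
    return modhex(struct.pack(">I", device_id))


def split_token(token) -> tuple:
    """Return (public_id, encrypted_block) for a full token given as str or bytes."""
    if isinstance(token, str):
        # Form input arrives as str on Python 3; compare as bytes throughout.
        token = token.encode("ascii")
    if not OTP_LEN <= len(token) <= OTP_LEN + MAX_ID_LEN:
        raise ValueError("unexpected token length")
    # The OTP block is always the last 32 characters; the prefix is the ID.
    public_id, otp = token[:-OTP_LEN], token[-OTP_LEN:]
    unmodhex(public_id)  # validate the prefix; the ID is compared in modhex form
    return public_id, unmodhex(otp)


if __name__ == "__main__":
    # Token from the thread: device ID 3 plus the test-vector OTP.
    pid, block = split_token("cccccccedvgtiblfkbgturecfllberrvkinnctnn")
    print(pid, pid == public_id_for(3), block.hex())
```

A 12-character prefix such as 'cccccccccccd' is structurally valid too, so a token built with it parses cleanly and fails only at the comparison with the device's own 8-character public ID.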