LibLogicalAccess  2.5.0
An Open Source RFID Library
logicalaccess::YubikeyCommands Class Reference [abstract]

The Yubikey commands class.

#include <yubikeycommands.hpp>

Inheritance chain for logicalaccess::YubikeyCommands:
logicalaccess::ICommands <- logicalaccess::Commands <- logicalaccess::YubikeyCommands <- logicalaccess::YubikeyISO7816Commands

Public Member Functions

 YubikeyCommands ()
 Constructor.
 
 YubikeyCommands (std::string cmdtype)
 Constructor.
 
virtual YubikeySelectResponse selectYubikeyOATH ()=0
 Select the Yubikey OATH application.
 
virtual ByteVector selectYubikeyOTP ()=0
 Select the old Yubikey OTP application.
 
virtual ByteVector otp_getResponse (YubikeySlot slot, const ByteVector &challenge)=0
 Challenge/Response operation.
 
virtual ByteVector otp_getSerialNumber ()=0
 Reads the serial number of the YubiKey if it is allowed by the configuration. Note that certain keys, such as the Security Key by Yubico, do not have serial numbers.
 
virtual std::vector< TLVPtr > otp_getDeviceInfo ()=0
 Reads configuration and metadata information about the YubiKey. Similar commands exist in other applications. The Command APDU may be different, however the data in the Response APDU will be of identical format.
 
virtual bool otp_queryFIPSMode ()=0
 Determines whether or not the device is loaded with FIPS capable firmware, as well as if the key is currently in a FIPS compliant state.
 
virtual void oath_put (const ByteVector &name, YubikeyHMAC algorithm, uint8_t digits, const ByteVector &key, YubikeyProperty property=PROP_NONE, const ByteVector &imf=ByteVector())=0
 Adds a new (or overwrites) OATH credential.
 
virtual void oath_delete (const ByteVector &name)=0
 Deletes an existing credential.
 
virtual void oath_setCode (YubikeyHMAC algorithm, const ByteVector &key, const ByteVector &challenge)=0
 Configures authentication. If a zero-length key is sent, authentication is removed. The key to be set is expected to be a user-supplied UTF-8 encoded password passed through 1000 rounds of PBKDF2 with the ID from SELECT used as salt; the first 16 bytes of the output are used as the key. When configuring authentication you are required to send an 8-byte challenge together with the authentication response computed with that key, so the application can confirm that it and the host software calculate the same response for that key.
 
virtual std::vector< YubikeyListItem > oath_list ()=0
 Lists configured credentials.
 
virtual void oath_reset ()=0
 Resets the application to just-installed state.
 
virtual YubikeyCalculateResponse oath_calculate (const ByteVector &name, const ByteVector &challenge, bool truncate=false)=0
 Performs CALCULATE for one named credential.
 
virtual ByteVector oath_validate (const ByteVector &challenge, const ByteVector &response)=0
 Validates authentication (mutually). The challenge for this comes from the SELECT command. The response is computed by performing the correct HMAC function over that challenge with the correct key. A new challenge is then sent to the application, together with the response. The application answers with the same calculation over the new challenge, which the host software can verify.
 
virtual std::vector< YubikeyCalculateResponse > oath_calculateAll (const ByteVector &challenge, bool truncate=false)=0
 Performs CALCULATE for all available credentials, returns name + response for TOTP and just name for HOTP and credentials requiring touch.
 
virtual ByteVector oath_sendRemainingInstruction ()=0
 Gets remaining data if everything didn’t fit in previous response (response code was 61xx).
 
virtual std::shared_ptr< ISO7816Commands > getISO7816Commands () const =0
 
- Public Member Functions inherited from logicalaccess::Commands
 Commands ()=delete
 Constructor.
 
virtual ~Commands ()
 
std::shared_ptr< Chip > getChip () const override
 Get the chip.
 
virtual void setChip (std::shared_ptr< Chip > chip)
 Set the chip.
 
std::shared_ptr< ReaderCardAdapter > getReaderCardAdapter () const override
 Get the reader/card adapter.
 
virtual void setReaderCardAdapter (std::shared_ptr< ReaderCardAdapter > adapter)
 Set the reader/card adapter.
 
virtual const std::string & getCmdType () const
 Get the cmd name.
 
virtual void setCmdType (const std::string &command_type)
 Set the cmd name.
 
- Public Member Functions inherited from logicalaccess::ICommands
virtual ~ICommands ()=default
 
virtual std::shared_ptr< Chip > getChip () const =0
 Get the chip.
 
virtual std::shared_ptr< ReaderCardAdapter > getReaderCardAdapter () const =0
 Get the reader/card adapter.
 

Additional Inherited Members

- Protected Member Functions inherited from logicalaccess::Commands
 Commands (std::string commandtype)
 Constructor.
 
- Protected Attributes inherited from logicalaccess::Commands
std::shared_ptr< ReaderCardAdapter > d_readerCardAdapter
 The reader/card adapter.
 
std::weak_ptr< Chip > d_chip
 The chip.
 
std::string d_commandtype
 The command type.
 

Detailed Description

The Yubikey commands class.

Constructor & Destructor Documentation

◆ YubikeyCommands() [1/2]

logicalaccess::YubikeyCommands::YubikeyCommands ( )
inline

Constructor.

◆ YubikeyCommands() [2/2]

logicalaccess::YubikeyCommands::YubikeyCommands ( std::string  cmdtype)
inline explicit

Constructor.

Parameters
cmdtype	The cmd type.

Member Function Documentation

◆ getISO7816Commands()

virtual std::shared_ptr< ISO7816Commands > logicalaccess::YubikeyCommands::getISO7816Commands ( ) const
pure virtual

◆ oath_calculate()

virtual YubikeyCalculateResponse logicalaccess::YubikeyCommands::oath_calculate ( const ByteVector &  name,
const ByteVector &  challenge,
bool  truncate = false
)
pure virtual

Performs CALCULATE for one named credential.

Parameters
name	The credential name.
challenge	The challenge.
truncate	Truncate the response; full response otherwise.
Returns
The calculate response.

Implemented in logicalaccess::YubikeyISO7816Commands.

◆ oath_calculateAll()

virtual std::vector< YubikeyCalculateResponse > logicalaccess::YubikeyCommands::oath_calculateAll ( const ByteVector &  challenge,
bool  truncate = false
)
pure virtual

Performs CALCULATE for all available credentials, returns name + response for TOTP and just name for HOTP and credentials requiring touch.

Parameters
challenge	The challenge.
truncate	Truncate the response; full response otherwise.
Returns
The calculate responses.

Implemented in logicalaccess::YubikeyISO7816Commands.
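The two CALCULATE methods above leave two things to the caller: what the challenge is for a TOTP or HOTP credential, and what comes back when truncate is true versus false. The following added example (not LibLogicalAccess code, and not the applet's code; the applet is replaced by a local HMAC so it runs offline) builds the 8-byte challenge for both credential types, mimics the full and the truncated response, and turns either form into the displayed code. The truncation is RFC 4226 dynamic truncation, which is what the 4-byte truncated value holds (on the real device that value follows a digits byte in the response); the HMAC algorithm names are an assumption standing in for the YubikeyHMAC enumerators. The vectors checked are the published RFC 4226 / RFC 6238 SHA-1 test vectors.

```python
"""Challenge construction and response interpretation for the OATH CALCULATE
command, as seen from a caller of oath_calculate() / oath_calculateAll().

Added illustration, not library code. device_calculate() is a local stand-in
for the applet so RFC test vectors can be checked without hardware.
"""
import hmac
import struct

TOTP_PERIOD = 30  # RFC 6238 default time step, in seconds

# Assumption: keys mirror the YubikeyHMAC enumerators, values are hashlib names.
HASH_NAMES = {"HMAC_SHA1": "sha1", "HMAC_SHA256": "sha256", "HMAC_SHA512": "sha512"}


def totp_challenge(unix_time: int, period: int = TOTP_PERIOD) -> bytes:
    """Challenge for a TOTP credential: the time step, as an 8-byte big-endian counter."""
    return struct.pack(">Q", unix_time // period)


def hotp_challenge(counter: int) -> bytes:
    """Challenge for an HOTP credential: the moving factor itself, 8 bytes big-endian."""
    return struct.pack(">Q", counter)


def dynamic_truncate(full_hmac: bytes) -> bytes:
    """RFC 4226 section 5.3: pick 4 bytes at the offset given by the low nibble of the
    last byte and clear the top bit, so the value is a 31-bit positive integer."""
    offset = full_hmac[-1] & 0x0F
    return bytes([full_hmac[offset] & 0x7F]) + full_hmac[offset + 1:offset + 4]


def device_calculate(key: bytes, algorithm: str, challenge: bytes, truncate: bool) -> bytes:
    """Stand-in for the applet's CALCULATE. truncate=False returns the full HMAC
    (the 'full response'); truncate=True returns the 4-byte truncated value."""
    full = hmac.new(key, challenge, HASH_NAMES[algorithm]).digest()
    return dynamic_truncate(full) if truncate else full


def code_from_response(response: bytes, digits: int) -> str:
    """Turn either response form into the zero-padded OATH code of `digits` digits.
    A response longer than 4 bytes is a full HMAC and is truncated here on the host."""
    if len(response) != 4:
        response = dynamic_truncate(response)
    value = int.from_bytes(response, "big")
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 SHA-1 test secret (constructed from the RFCs, not a real credential).
    key = b"12345678901234567890"
    print(code_from_response(device_calculate(key, "HMAC_SHA1", totp_challenge(59), True), 8))
```

Asking for the full response and truncating on the host gives the same code as asking the applet to truncate; the difference is only where the 31-bit extraction happens. For TOTP the caller must compute the challenge from the host clock, which is why oath_calculateAll() takes one challenge for all credentials and returns only the name for HOTP and touch-required entries.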

◆ oath_delete()

virtual void logicalaccess::YubikeyCommands::oath_delete ( const ByteVector &  name)
pure virtual

Deletes an existing credential.

Parameters
name	The credential name to delete.

Implemented in logicalaccess::YubikeyISO7816Commands.

◆ oath_list()

virtual std::vector< YubikeyListItem > logicalaccess::YubikeyCommands::oath_list ( )
pure virtual

Lists configured credentials.

Returns
The list of configured credentials.

Implemented in logicalaccess::YubikeyISO7816Commands.

◆ oath_put()

virtual void logicalaccess::YubikeyCommands::oath_put ( const ByteVector &  name,
YubikeyHMAC  algorithm,
uint8_t  digits,
const ByteVector &  key,
YubikeyProperty  property = PROP_NONE,
const ByteVector &  imf = ByteVector()
)
pure virtual

Adds a new (or overwrites) OATH credential.

Parameters
name	The credential name.
algorithm	The HMAC algorithm.
digits	Number of digits in the OATH code.
key	The HMAC key.
property	OATH properties.
imf	Initial moving factor (only valid for HOTP).

Implemented in logicalaccess::YubikeyISO7816Commands.

◆ oath_reset()

virtual void logicalaccess::YubikeyCommands::oath_reset ( )
pure virtual

Resets the application to just-installed state.

Implemented in logicalaccess::YubikeyISO7816Commands.

◆ oath_sendRemainingInstruction()

virtual ByteVector logicalaccess::YubikeyCommands::oath_sendRemainingInstruction ( )
pure virtual

Gets remaining data if everything didn’t fit in previous response (response code was 61xx).

Returns
Continued data where previous command left off.

Implemented in logicalaccess::YubikeyISO7816Commands.

◆ oath_setCode()

virtual void logicalaccess::YubikeyCommands::oath_setCode ( YubikeyHMAC  algorithm,
const ByteVector &  key,
const ByteVector &  challenge
)
pure virtual

Configures authentication. If a zero-length key is sent, authentication is removed. The key to be set is expected to be a user-supplied UTF-8 encoded password passed through 1000 rounds of PBKDF2 with the ID from SELECT used as salt; the first 16 bytes of the output are used as the key. When configuring authentication you are required to send an 8-byte challenge together with the authentication response computed with that key, so the application can confirm that it and the host software calculate the same response for that key.

Parameters
algorithm	The HMAC algorithm to use.
key	The HMAC key (the 16-byte PBKDF2 output; empty to remove authentication).
challenge	The 8-byte challenge.

Implemented in logicalaccess::YubikeyISO7816Commands.

◆ oath_validate()

virtual ByteVector logicalaccess::YubikeyCommands::oath_validate ( const ByteVector &  challenge,
const ByteVector &  response
)
pure virtual

Validates authentication (mutually). The challenge for this comes from the SELECT command. The response is computed by performing the correct HMAC function over that challenge with the correct key. A new challenge is then sent to the application, together with the response. The application answers with the same calculation over the new challenge, which the host software can verify.

Parameters
challenge	The new challenge generated by the host.
response	The host-calculated response to the challenge from SELECT.
Returns
The application's response to the host challenge, which the host must verify against its own calculation.

Implemented in logicalaccess::YubikeyISO7816Commands.
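The SET CODE and VALIDATE descriptions above specify the host-side arithmetic but leave the sequence to the caller: derive the key from the password and the SELECT ID, answer the applet's challenge, issue a fresh challenge, and check the applet's answer with a constant-time compare. The following added example (not LibLogicalAccess code, and not the applet's code) carries that through for oath_setCode() and oath_validate(). The applet is a constructed in-memory stand-in (FakeOathApplet) so the exchange runs offline, and the HMAC algorithm names are an assumption standing in for the YubikeyHMAC enumerators; the real applet additionally requires a successful VALIDATE before SET CODE when a code is already configured, which the stand-in does not enforce.

```python
"""Host-side access-key derivation and the mutual VALIDATE exchange of the
YubiKey OATH application, as a caller of oath_setCode()/oath_validate()
would have to implement them.

Added illustration, not library code. FakeOathApplet is a constructed stand-in
for the on-device application so everything runs without hardware.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 1000   # rounds documented for SET CODE
ACCESS_KEY_LEN = 16    # only the first 16 bytes of the PBKDF2 output are used
CHALLENGE_LEN = 8      # challenges are 8 bytes in both directions

# Assumption: keys mirror the YubikeyHMAC enumerators, values are hashlib names.
HASH_NAMES = {"HMAC_SHA1": "sha1", "HMAC_SHA256": "sha256", "HMAC_SHA512": "sha512"}


def derive_access_key(password: str, device_id: bytes, algorithm: str = "HMAC_SHA1") -> bytes:
    """PBKDF2 over the UTF-8 password, salted with the ID from SELECT, cut to 16 bytes."""
    raw = hashlib.pbkdf2_hmac(HASH_NAMES[algorithm], password.encode("utf-8"),
                              device_id, PBKDF2_ROUNDS)
    return raw[:ACCESS_KEY_LEN]


def compute_response(key: bytes, challenge: bytes, algorithm: str = "HMAC_SHA1") -> bytes:
    """An authentication response is HMAC(key, challenge) with the configured algorithm."""
    return hmac.new(key, challenge, HASH_NAMES[algorithm]).digest()


class FakeOathApplet:
    """Constructed stand-in for the applet: holds the access key and answers
    SELECT / SET CODE / VALIDATE the way the documentation describes."""

    def __init__(self, device_id: bytes):
        self.device_id = device_id
        self.key = None
        self.algorithm = None
        self._pending = None  # challenge handed out by the last SELECT

    def select(self):
        """SELECT returns the ID and, only when a code is set, a fresh challenge."""
        self._pending = os.urandom(CHALLENGE_LEN) if self.key else None
        return self.device_id, self._pending

    def set_code(self, algorithm: str, key: bytes, challenge: bytes, response: bytes) -> None:
        """A zero-length key removes authentication; otherwise the applet must reproduce
        the host's response for the supplied 8-byte challenge before storing the key."""
        if len(key) == 0:
            self.key = self.algorithm = None
            return
        if len(challenge) != CHALLENGE_LEN:
            raise ValueError("challenge must be 8 bytes")
        if not hmac.compare_digest(compute_response(key, challenge, algorithm), response):
            raise ValueError("host and applet disagree on the response for this key")
        self.key, self.algorithm = key, algorithm

    def validate(self, response: bytes, host_challenge: bytes) -> bytes:
        """Check the host's answer to our challenge, then answer the host's challenge."""
        if self._pending is None:
            raise RuntimeError("no challenge outstanding; SELECT first")
        expected = compute_response(self.key, self._pending, self.algorithm)
        self._pending = None  # single use, whatever the outcome
        if not hmac.compare_digest(expected, response):
            raise PermissionError("wrong code")
        return compute_response(self.key, host_challenge, self.algorithm)


def host_set_code(applet: FakeOathApplet, password: str, algorithm: str = "HMAC_SHA1") -> bytes:
    """Everything a caller of oath_setCode() prepares: derived key, random 8-byte
    challenge, and the response the applet is expected to match."""
    device_id, _ = applet.select()
    key = derive_access_key(password, device_id, algorithm)
    challenge = os.urandom(CHALLENGE_LEN)
    applet.set_code(algorithm, key, challenge, compute_response(key, challenge, algorithm))
    return key


def host_validate(applet: FakeOathApplet, password: str, algorithm: str = "HMAC_SHA1") -> bool:
    """The oath_validate() exchange from the host side. True only when both
    directions succeed: our answer is accepted AND the applet's answer to our
    own fresh challenge matches, checked in constant time."""
    device_id, challenge = applet.select()
    if challenge is None:
        return True  # no code configured, nothing to prove
    key = derive_access_key(password, device_id, algorithm)
    host_challenge = os.urandom(CHALLENGE_LEN)
    try:
        device_response = applet.validate(compute_response(key, challenge, algorithm), host_challenge)
    except PermissionError:
        return False
    return hmac.compare_digest(device_response, compute_response(key, host_challenge, algorithm))
```

The second half of host_validate() is the part callers tend to skip: without checking the applet's answer to the host's own challenge, the host has authenticated to the device but has not confirmed that it is talking to a device holding the same key, which is the point of the mutual exchange. Every challenge is consumed once; a failed attempt requires a new SELECT.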

◆ otp_getDeviceInfo()

virtual std::vector< TLVPtr > logicalaccess::YubikeyCommands::otp_getDeviceInfo ( )
pure virtual

Reads configuration and metadata information about the YubiKey. Similar commands exist in other applications. The Command APDU may be different, however the data in the Response APDU will be of identical format.

Returns
The device information.

Implemented in logicalaccess::YubikeyISO7816Commands.

◆ otp_getResponse()

virtual ByteVector logicalaccess::YubikeyCommands::otp_getResponse ( YubikeySlot  slot,
const ByteVector &  challenge
)
pure virtual

Challenge/Response operation.

Parameters
slot	Target slot.
challenge	Challenge to transmit.
Returns
The response.

Implemented in logicalaccess::YubikeyISO7816Commands.

◆ otp_getSerialNumber()

virtual ByteVector logicalaccess::YubikeyCommands::otp_getSerialNumber ( )
pure virtual

Reads the serial number of the YubiKey if it is allowed by the configuration. Note that certain keys, such as the Security Key by Yubico, do not have serial numbers.

Returns
The Yubikey serial number.

Implemented in logicalaccess::YubikeyISO7816Commands.

◆ otp_queryFIPSMode()

virtual bool logicalaccess::YubikeyCommands::otp_queryFIPSMode ( )
pure virtual

Determines whether or not the device is loaded with FIPS capable firmware, as well as if the key is currently in a FIPS compliant state.

Returns
True if FIPS compliant, false otherwise.
Remarks
Just because a key may be branded FIPS or have FIPS capable firmware loaded, does not mean that the YubiKey is FIPS compliant. Configurations on the key need to be locked or otherwise protected in order to claim compliant behavior.

Implemented in logicalaccess::YubikeyISO7816Commands.

◆ selectYubikeyOATH()

virtual YubikeySelectResponse logicalaccess::YubikeyCommands::selectYubikeyOATH ( )
pure virtual

Select the Yubikey OATH application.

Returns
A challenge is returned if the authentication object is set. In that case an authentication is required for all commands except VALIDATE and RESET.

Implemented in logicalaccess::YubikeyISO7816Commands.

◆ selectYubikeyOTP()

virtual ByteVector logicalaccess::YubikeyCommands::selectYubikeyOTP ( )
pure virtual

Select the old Yubikey OTP application.

Returns
The raw data returned by the SELECT.

Implemented in logicalaccess::YubikeyISO7816Commands.


The documentation for this class was generated from the following file: