1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
|
package AnyEvent::Yubico;
use strict;
use AnyEvent::HTTP;
use UUID::Tiny;
use MIME::Base64;
use Digest::HMAC_SHA1 qw(hmac_sha1);
use URI::Escape;
our $VERSION = '0.9.3';
# Creates a new Yubico instance to be used for validation of OTPs.
sub new {
my $class = shift;
my $self = {
sign_request => 1,
local_timeout => 30.0,
urls => [
"https://api.yubico.com/wsapi/2.0/verify",
"https://api2.yubico.com/wsapi/2.0/verify",
"https://api3.yubico.com/wsapi/2.0/verify",
"https://api4.yubico.com/wsapi/2.0/verify",
"https://api5.yubico.com/wsapi/2.0/verify"
]
};
my $options = shift;
$self = { %$self, %$options };
return bless $self, $class;
};
# Verifies the given OTP and returns a true value if the OTP could be
# verified, false otherwise.
sub verify {
return verify_async(@_)->recv->{status} eq 'OK';
}
# Verifies the given OTP and returns a hash containing the server response.
sub verify_sync {
return verify_async(@_)->recv
}
# Non-blocking version of verify_sync, which returns a condition variable
# (see AnyEvent->condvar for details).
sub verify_async {
my($self, $otp, $callback) = @_;
my $nonce = create_UUID_as_string(UUID_V4);
$nonce =~ s/-//g;
my $params = {
id => $self->{client_id},
nonce => $nonce,
otp => $otp
};
if(exists $self->{timeout}) {
$params->{timeout} = $self->{timeout};
}
if(exists $self->{sl}) {
$params->{sl} = $self->{sl};
}
if($self->{timestamp}) {
$params->{timestamp} = 1;
}
if($self->{sign_request} and !$self->{api_key} eq '') {
$params->{h} = $self->sign($params);
}
my $query = "";
for my $key (keys %$params) {
$query = "$query&$key=".uri_escape($params->{$key});
}
$query = "?".substr($query, 1);
my $last_response;
my @requests = ();
my $result_var = AnyEvent->condvar(cb => $callback);
my $inner_var = AnyEvent->condvar(cb => sub {
my $result = shift->recv;
foreach my $req (@requests) {
undef $req;
}
if(exists $result->{status}) {
$result_var->send($result);
} elsif(exists $last_response->{status}) {
#All responses returned replayed request.
$result_var->send($last_response);
} else {
#Didn't get any valid responses.
$result_var->croak("No valid response!");
}
});
foreach my $url (@{$self->{urls}}) {
$inner_var->begin();
push(@requests, http_get("$url$query",
timeout => $self->{local_timeout},
tls_ctx => 'high',
sub {
my($body, $hdr) = @_;
if(not $hdr->{Status} =~ /^2/) {
#Error, store message if none exists.
if(not exists $last_response->{status}) {
$last_response->{status} = $hdr->{Reason};
}
$inner_var->end();
return;
}
my $response = parse_response($body);
if(! exists $response->{status}) {
#Response does not look valid, discard.
$inner_var->end();
return;
}
if(! $self->{api_key} eq '') {
my $signature = $response->{h};
delete $response->{h};
if(! $signature eq $self->sign($response)) {
$response->{status} = "BAD_RESPONSE_SIGNATURE";
}
}
$last_response = $response;
if($response->{status} eq "REPLAYED_REQUEST") {
#Replayed request, wait for next.
$inner_var->end();
} else {
#Definitive response, return it.
if($response->{status} eq "OK") {
$inner_var->croak("Response nonce does not match!") if(! $nonce eq $response->{nonce});
$inner_var->croak("Response OTP does not match!") if(! $otp eq $response->{otp});
}
$inner_var->send($response);
}
}));
}
return $result_var;
};
# Signs a parameter hash using the client API key.
sub sign {
my ($self, $params) = @_;
my $content = "";
foreach my $key (sort keys %$params) {
$content = $content."&$key=$params->{$key}";
}
$content = substr($content, 1);
my $key = decode_base64($self->{api_key});
my $signature = encode_base64(hmac_sha1($content, $key), '');
return $signature;
}
# Parses a response body into a hash.
sub parse_response {
my $body = shift;
my $response = {};
if($body) {
my @lines = split(' ', $body);
foreach my $line (@lines) {
my $index = index($line, '=');
$response->{substr($line, 0, $index)} = substr($line, $index+1);
}
}
return $response;
}
1;
__END__
=head1 NAME
AnyEvent::Yubico - AnyEvent based Perl extension for validating YubiKey OTPs.
Though AnyEvent is used internally, the module does not impose any particular
coding style on the caller. Provides both blocking and non-blocking methods of
OTP verification.
=head1 SYNOPSIS
use AnyEvent::Yubico;
$yk = AnyEvent::Yubico->new({ client_id => 4711, api_key => '<your API key here>' });
$result = $yk->verify('<YubiKey OTP here>');
if($result) ...
For more details about the response, instead call verify_sync($otp), which
returns a hash containing all the parameters that were in the response.
$result_details = $yk->verify_sync('<YubiKey OTP here>');
if($result_details->{status} == 'OK') ...
As an alternative, you can call verify_async, which will return a condition
variable immediately. This can be used if your application already uses an
asynchronous model. You can also pass a callback as a second parameter to
verify as well as verify_async, which will be invoked once validation has
completed, with the result.
$result_cv = $yk->verify_async('<YubiKey OTP here>', sub {
#Callback invoked when verification is done
$result_details = shift;
if($result_details->{status} eq 'OK') ...
});
#Wait for the result (blocking, same as calling verify directly).
$result_details = $result_cv->recv;
=head1 DESCRIPTION
Validates a YubiKey OTP (One Time Password) using the YKVAL 2.0 protocol as
defined here: https://github.com/Yubico/yubikey-val/wiki/ValidationProtocolV20
To use this module, an API key is required, which can be requested here:
https://upgrade.yubico.com/getapikey/
When creating the AnyEvent::Yubico instance, the following arguments can be passed:
=over 4
=item client_id = $id_int
Required. The client ID corresponding to the API key.
=item api_key => $api_key_string
Optional. The API key used to sign requests and verify responses. Without
this response signatures won't be verified.
=item urls => $array_of_urls
Optional. Defines which validation server URLs to query. The default uses
the public YubiCloud validation servers. Must support version 2.0 of the
validation protocol.
Example:
$yk = AnyEvent::Yubico->new({
client_id => ...,
api_key => ...,
urls => [
"http://example.com/wsapi/2.0/verify",
"http://127.0.0.1/wsapi/2.0/verify"
]
});
=item sign_requests => $enable
Optional. When enabled (enabled by default) requests will be signed, as long
as api_key is also provided.
=item timeout => $seconds
Optional. Timeout parameter sent to the server, see the protocol details for
more information.
=item sl => $level
Optional. Security level parameter sent to the server, see the protocol
details for more information.
=item timestamp => $enable
Optional. When enabled, sends the timestamp parameter to the server, causing
YubiKey counter and timestamp information to be returned in the response.
=item local_timeout => $seconds
Optional. Sets the local timeout for how long the verify method will wait
until failing. The default is 30 seconds.
=back
=head1 SEE ALSO
The Yubico Validation Protocol 2.0 specification:
https://github.com/Yubico/yubikey-val/wiki/ValidationProtocolV20
More information about the YubiKey:
http://www.yubico.com
=head1 AUTHOR
Dain Nilsson, E<lt>dain@yubico.comE<gt>
=head1 COPYRIGHT AND LICENSE
Copyright (C) 2013 Yubico AB
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided
with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
=cut
|
