1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
package Auth::Yubikey_WebClient;
use warnings;
use strict;
use MIME::Base64;
use Digest::HMAC_SHA1 qw(hmac_sha1 hmac_sha1_hex);
use LWP::Simple;
use URI::Escape;
=head1 NAME
Auth::Yubikey_WebClient - Authenticating the Yubikey against the Yubico Web API
=head1 VERSION
Version 2.00
=cut
our $VERSION = '2.01';
=head1 SYNOPSIS
Authenticate against the Yubico server via the Web API in Perl
Sample CGI script :-
#!/usr/bin/perl
use CGI;
$cgi = new CGI;
$otp = $cgi->param("otp");
print "Content-type: text/html\n\n";
print "<html>\n";
print "<form method=get>Yubikey : <input type=text name=otp size=40 type=password></form>\n";
use Auth::Yubikey_WebClient;
$id = "<enter your id here>";
$api = "<enter your API key here>";
$nonce = "<enter your nonce here>";
if($otp)
{
$result = Auth::Yubikey_WebClient::yubikey_webclient($otp,$id,$api,$nonce);
# result can be either ERR or OK
print "Authentication result : <b>$result</b><br>";
}
print "</html>\n";
=head1 FUNCTIONS
=head2 yubikey_webclient
=cut
sub yubikey_webclient
{
my ($otp,$id,$api,$nonce) = @_;
# Generate nonce unless passed
$nonce = hmac_sha1_hex(time, rand()) unless $nonce;
my $params = "id=$id&nonce=$nonce&otp=" . uri_escape($otp) . '×tamp=1';
$params .= '&h=' . uri_escape(encode_base64(hmac_sha1($params, decode_base64($api)), ''));
my $response = get("http://api2.yubico.com/wsapi/2.0/verify?$params");
# sanitize the output in case we get some strange characters back
$response =~ s/\s//g;
chomp($response);
if($response !~ /status=ok/i)
{
# If the status is not ok, let's not even go through the rest...
$response =~ m/status=(.+)/;
return "ERR_$1";
}
#extract each of the lines, and store in a hash...
my %result;
foreach (split(/\n/,$response))
{
chomp;
if($_ =~ /=/)
{
($a,$b) = split(/=/,$_,2);
$b =~ s/\s//g;
$result{$a} = $b;
}
}
# save the h parameter, that's what we'll be comparing to
my $signatur=$result{h};
delete $result{h};
my $datastring='';
my $key;
foreach $key (sort keys %result)
{
$result{$key} =~ s/\s//g;
$datastring .= "$key=$result{$key}&";
}
$datastring = substr($datastring,0,length($datastring)-1);
# Check that nonce and OTP are the ones we asked for
return "ERR_MSG_AUTH" unless ($nonce eq $result{nonce} and $otp eq $result{otp});
my $hmac = encode_base64(hmac_sha1($datastring,decode_base64($api)));
chomp($hmac);
if($hmac eq $signatur)
{
return "OK";
}
else
{
return "ERR_HMAC";
}
}
=head1 USAGE
Before you can use this module, you need to register for an API key at Yubico. This is as simple as logging onto <https://upgrade.yubico.com/getapikey/> and entering your Yubikey's OTP and a brief description. Once you have the API and ID, you need to provide those details to the module to work.
=head1 AUTHOR
Phil Massyn, C<< <phil at massyn.net> >>
=head1 BUGS
Please report any bugs or feature requests to C<bug-auth-yubikey_webclient at rt.cpan.org>, or through
the web interface at L<http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Auth-Yubikey_WebClient>. I will be notified, and then you'll
automatically be notified of progress on your bug as I make changes.
=head1 SUPPORT
You can find documentation for this module with the perldoc command.
perldoc Auth::Yubikey_WebClient
You can also look for information at:
=over 4
=item * RT: CPAN's request tracker
L<http://rt.cpan.org/NoAuth/Bugs.html?Dist=Auth-Yubikey_WebClient>
=item * AnnoCPAN: Annotated CPAN documentation
L<http://annocpan.org/dist/Auth-Yubikey_WebClient>
=item * CPAN Ratings
L<http://cpanratings.perl.org/d/Auth-Yubikey_WebClient>
=item * Search CPAN
L<http://search.cpan.org/dist/Auth-Yubikey_WebClient>
=back
=head1 Version history
0.04 - Fixed bug L<http://rt.cpan.org/Public/Bug/Display.html?id=51121>
1.00 - Added validation of the request to Yubico (Thanks to Kirill Miazine)
2.00 - Added nounce coding (Thanks to Ludvig af Klinteberg)
2.01 - Response turning into an array due to \r bug (Thanks to Peter Norin)
=head1 ACKNOWLEDGEMENTS
=head1 COPYRIGHT & LICENSE
Copyright 2010 Phil Massyn, all rights reserved.
This program is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.
=cut
1; # End of Auth::Yubikey_WebClient
|
