yubikit.oath

Classes

`HASH_ALGORITHM`	Enum where members are also (and must be) ints
`OATH_TYPE`	Enum where members are also (and must be) ints
`CredentialData`	An object holding OATH credential data.
`Code`	An OATH code object.
`Credential`	An OATH credential object.
`OathSession`	A session with the OATH application.

Functions

parse_b32_key(key)

Parse Base32 encoded key.

Module Contents

yubikit.oath.TAG_NAME = 113

yubikit.oath.TAG_NAME_LIST = 114

yubikit.oath.TAG_KEY = 115

yubikit.oath.TAG_CHALLENGE = 116

yubikit.oath.TAG_RESPONSE = 117

yubikit.oath.TAG_TRUNCATED = 118

yubikit.oath.TAG_HOTP = 119

yubikit.oath.TAG_PROPERTY = 120

yubikit.oath.TAG_VERSION = 121

yubikit.oath.TAG_IMF = 122

yubikit.oath.TAG_TOUCH = 124

yubikit.oath.INS_LIST = 161

yubikit.oath.INS_PUT = 1

yubikit.oath.INS_DELETE = 2

yubikit.oath.INS_SET_CODE = 3

yubikit.oath.INS_RESET = 4

yubikit.oath.INS_RENAME = 5

yubikit.oath.INS_CALCULATE = 162

yubikit.oath.INS_VALIDATE = 163

yubikit.oath.INS_CALCULATE_ALL = 164

yubikit.oath.INS_SEND_REMAINING = 165

yubikit.oath.TOTP_ID_PATTERN

yubikit.oath.MASK_ALGO = 15

yubikit.oath.MASK_TYPE = 240

yubikit.oath.DEFAULT_PERIOD = 30

yubikit.oath.DEFAULT_DIGITS = 6

yubikit.oath.DEFAULT_IMF = 0

yubikit.oath.CHALLENGE_LEN = 8

yubikit.oath.HMAC_MINIMUM_KEY_SIZE = 14

class yubikit.oath.HASH_ALGORITHM[source]

Bases: enum.IntEnum

Enum where members are also (and must be) ints

SHA1 = 1

SHA256 = 2

SHA512 = 3

class yubikit.oath.OATH_TYPE[source]

Bases: enum.IntEnum

Enum where members are also (and must be) ints

HOTP = 16

TOTP = 32

yubikit.oath.PROP_REQUIRE_TOUCH = 2

yubikit.oath.parse_b32_key(key)[source]

Parse Base32 encoded key.

Parameters:: key (str) – The Base32 encoded key.

class yubikit.oath.CredentialData[source]

An object holding OATH credential data.

name: str

oath_type: OATH_TYPE

hash_algorithm: HASH_ALGORITHM

secret: bytes

digits: int = 6

period: int = 30

counter: int = 0

issuer: str | None = None

classmethod parse_uri(uri)[source]

Parse OATH credential data from URI.

Parameters:: uri (str) – The URI to parse from.
Return type:: CredentialData

get_id()[source]

Return type:: bytes

class yubikit.oath.Code[source]

An OATH code object.

value: str

valid_from: int

valid_to: int

class yubikit.oath.Credential[source]

An OATH credential object.

device_id: str

id: bytes

issuer: str | None

name: str

oath_type: OATH_TYPE

period: int

touch_required: bool | None

__lt__(other)[source]

__eq__(other)[source]

__hash__()[source]

class yubikit.oath.OathSession(connection, scp_key_params=None)[source]

A session with the OATH application.

Parameters:

connection (yubikit.core.smartcard.SmartCardConnection)
scp_key_params (Optional[yubikit.core.smartcard.ScpKeyParams])

protocol

property version: yubikit.core.Version

The version of the OATH application.

Return type:: yubikit.core.Version

property device_id: str

The device ID.

A random static identifier that is re-generated on reset.

Return type:: str

property has_key: bool

If True, the YubiKey has an access key set.

Return type:: bool

property locked: bool

If True, the OATH application is currently locked via an access key.

Return type:: bool

reset()[source]

Perform a factory reset on the OATH application.

Return type:: None

derive_key(password)[source]

Derive an access key from a password.

Parameters:: password (str) – The derivation password.
Return type:: bytes

validate(key)[source]

Validate authentication with access key.

This unlocks the session for use.

Parameters:: key (bytes) – The access key.
Return type:: None

set_key(key)[source]

Set an access key for authentication.

Parameters:: key (bytes) – The access key.
Return type:: None

unset_key()[source]

Remove the access key.

This removes the need to authentication a session before using it.

Return type:: None

put_credential(credential_data, touch_required=False)[source]

Add an OATH credential.

Parameters:

credential_data (CredentialData) – The credential data.
touch_required (bool) – The touch policy.

Return type:

Credential

rename_credential(credential_id, name, issuer=None)[source]

Rename a OATH credential.

Parameters:

credential_id (bytes) – The id of the credential.
name (str) – The new name of the credential.
issuer (Optional[str]) – The credential issuer.

Return type:

bytes

list_credentials()[source]

List OATH credentials.

Return type:: list[Credential]

calculate(credential_id, challenge)[source]

Perform a calculate for an OATH credential.

Parameters:

credential_id (bytes) – The id of the credential.
challenge (bytes) – The challenge.

Return type:

bytes

delete_credential(credential_id)[source]

Delete an OATH credential.

Parameters:: credential_id (bytes) – The id of the credential.
Return type:: None

calculate_all(timestamp=None)[source]

Calculate codes for all OATH credentials on the YubiKey.

This excludes credentials which require touch as well as HOTP credentials.

Parameters:: timestamp (Optional[int]) – A timestamp used for the TOTP challenge.
Return type:: Mapping[Credential, Optional[Code]]

calculate_code(credential, timestamp=None)[source]

Calculate code for an OATH credential.

Parameters:

credential (Credential) – The credential object.
timestamp (Optional[int]) – The timestamp.

Return type:

Code

`TAG_NAME`
`TAG_NAME_LIST`
`TAG_KEY`
`TAG_CHALLENGE`
`TAG_RESPONSE`
`TAG_TRUNCATED`
`TAG_HOTP`
`TAG_PROPERTY`
`TAG_VERSION`
`TAG_IMF`
`TAG_TOUCH`
`INS_LIST`
`INS_PUT`
`INS_DELETE`
`INS_SET_CODE`
`INS_RESET`
`INS_RENAME`
`INS_CALCULATE`
`INS_VALIDATE`
`INS_CALCULATE_ALL`
`INS_SEND_REMAINING`
`TOTP_ID_PATTERN`
`MASK_ALGO`
`MASK_TYPE`
`DEFAULT_PERIOD`
`DEFAULT_DIGITS`
`DEFAULT_IMF`
`CHALLENGE_LEN`
`HMAC_MINIMUM_KEY_SIZE`
`PROP_REQUIRE_TOUCH`

yubikit.oath

Attributes

Classes

Functions

Module Contents