Add VALIDATE calls

[ViViDboarder]

My Yubikey Neo is password protected and requires a call to validate the password before listing or performing other actions.

In order to make the magic numbers more readable I added all the ones I found on the Yubico site to constants.go.

Other smaller changes:

• Export CALCULATE as CalculateOne and CALCULATE_ALL as CalculateAll
• Add more error codes to codes.go

This is used as follows:

package main

import (
	"fmt"
	"git.iamthefij.com/iamthefij/slog"
	"github.com/yawn/ykoath"
	"golang.org/x/crypto/ssh/terminal"
	"syscall"
)

func main() {
	oath, err := ykoath.New()
	slog.FatalOnErr(err, "failed to initialize new oath")
	oath.Debug = slog.Debug

	defer oath.Close()

	s, err := oath.Select()
	slog.FatalOnErr(err, "failed to select oath")

	if s.Challenge != nil {
		fmt.Println("Passphrase? ")
		passphrase, err := terminal.ReadPassword(int(syscall.Stdin))
		slog.FatalOnErr(err, "failed reading passphrase")
		key := s.DeriveKey(string(passphrase))

		ok, err := oath.Validate(s, key)
		slog.FatalOnErr(err, "validation failed")
		if !ok {
			panic("could not validate")
		}
	}

	names, err := oath.List()
	slog.FatalOnErr(err, "failed to list names")

	for _, name := range names {
		slog.Log(name.Name)
	}

	otp, err := oath.Calculate(names[0].Name, ykoath.ErrorTouchCallback)
	slog.FatalOnErr(err, "Failed to retrieve otp")
	slog.Log(otp)
}

[yawn]

Awesome PR @ViViDboarder, thanks a lot! Review will be done ~Monday.

[ViViDboarder]

For some reason I started getting 8 digit codes where I was supposed to get 6. I didn't change anything so I wonder if it has something to do with drivers or a dependency. To resolve it, I implemented a similar solution to yubikey-manager

[ViViDboarder]

Any chance of a review in the next week or so? I wrote a cli tool and an Alfred Workflow that depends on this. I can build and distribute binaries using replace in my go.mod for now, but it's easier for others to test and write patches if they can build directly.

[yawn]

Yeah, sorry about that. I'll do the review today / in the afternoon.

[yawn]

Thanks again for the PR, very nice work! Apart from the individual comments I have two three high-level questions:

1. Why the KDF in select.go?
2. Can you contribute changes to README as well (you made VALIDATE support a reality after all 👍 )
3. Can you contribute additional unit tests (please note that current suite will delete existing OATH tokens from your test key)?

Thanks again for the work & sorry for not getting back earlier!

[yawn]

Not sure about this - this is already a public constant. What good does the additional constant do?

[ViViDboarder]

That's a good point. I had done this initially to minimize the changes, but a single constant should be sufficient.

[yawn]

I would prefer the constants to be private tbh - they do help readability but trigger linting advice when undocumented and public.

[ViViDboarder]

Good point. I don't believe the API that this package exposes requires someone to access these either. I'll rename them.

[yawn]

Can you elaborate the scenario in which we need to handle a 0x75?

[ViViDboarder]

I'm not sure if there is a legitimate case for this, however it is included as a possible response in the spec. The result (once properly wrapping errors, as suggested) will be the same as not handling it, except with an error message that will be somewhat more helpful.

[yawn]

Ok, understood.

[yawn]

Here another errors.Wrapf + constant would be preferred.

[yawn]

Hm. If you really want to introduce a Hash function, you could potentially use the Sum / Sum256 / Sum512 functions from standard and return a slices on the array returned by them.

[ViViDboarder]

I'm not sure I follow.

[yawn]

I meant you could use the "sum" forms such as https://golang.org/pkg/crypto/sha256/#Sum256 - but I guess your way is more generic. Let's ignore this ...

[yawn]

Same error remark as above.

[yawn]

Same error remark as above.

[ViViDboarder]

Thanks for the feedback. Looks like a lot of cleanup on the constants and errors. I'll also update documentation to reflect the usage of the new functions within select.go.

Edit: Ugh. I guess that I didn't do responses properly. They show as replies above, but are duplicated here.

[ViViDboarder]

That's a good point. I had done this initially to minimize the changes, but a single constant should be sufficient.

[ViViDboarder]

I'm not sure if there is a legitimate case for this, however it is included as a possible response in the spec. The result (once properly wrapping errors, as suggested) will be the same as not handling it, except with an error message that will be somewhat more helpful.

[ViViDboarder]

I had some TOTP that were supposed to be 6 digits (this was the value of digits), and they were returned as 8 digits. This will trim them to length of whatever the the value of digits is. This logic is the same as in yubikey-manager

[ViViDboarder]

I only included the constants listed at the top of https://developers.yubico.com/OATH/YKOATH_Protocol.html

Although this 0x6a80 is not listed as a constant there, it appears to be consistent throughout the documentation. I'll take a look through and include those and make a note along with the documentation link.

[ViViDboarder]

On a similar note, rather than returning a string, I could make this return an error for each of these. What do you think?

[ViViDboarder]

Good point. I don't believe the API that this package exposes requires someone to access these either. I'll rename them.

[ViViDboarder]

I'm not sure I follow.

[yawn]

Hey @ViViDboarder - are the remaining issues clear? Should we proceed with this PR?

[ViViDboarder]

Thanks @yawn. I'm still a little confused on errors, which I think are the only outstanding items.

The way I understand error handling in Go right now (it seems to change frequently) is that a class should do something like this:

package example

import (
    "errors"
    "fmt"
)

var (
    ErrSomethingNotFound = errors.New("thing not found")
)

func CalledError() error {
    err := maybeHasError()
    if err != nil {
        return fmt.Errorf("error in this thing: %w", err)
    }

    return nil
}

func FindThing(p string) error {
    var b bool
    b = isThingFound(p)
    if !b {
        return fmt.Errorf("error finding %p: %w", p, ErrSomethingNotFound)
    }

    return nil
}

This allows some using the module and function to handle errors from findThing by using the wraps.

package main

import (
    "errors"
    "fmt"

    "example"
)

func main() {
    err = example.FindThing("foo")
    if errors.Is(err, example.ErrSomethingNotFound) {
        fmt.Println("Thing wasn't found")
    } else {
        panic(err)
    }
}

I can definitely do this, but it would be inconsistent with some of the others. I can refactor those as well, but maybe in a different patch.

[yawn]

As an alternative: just add the tests and I'll do the minor / cosmetic changes in your PR? Maybe easier?

[ViViDboarder]

That works for me.

Regarding the tests, I can definitely write some, but I do not have a spare Yubikey to test with. It also looks like I'll need to implement the SET CODE instruction that sets up authentication if a full test is to be written so that auth can be enabled, validated, and disabled.

[yawn]

I can totally live without SET CODE if you can substitute it with a ykman call. For the test environment that's fine. Spare Yubikey, hm - that's an issue of course :-)