Yubico Forum

Re: yms, yubiphpbase and yubico-php-lib

2009-02-04T12:35:35+01:00

The AES secret stored in the database when adding the token using YMS is 45 chars long and when added using mysql it is 24.

From what I can tell this problem is caused by the AES encryption of the base64 AES key that yms does

If I remove the aesEncrypt($sec) from yubiphpbase/key_lib.php the key is stored in a format that libyubikey-client accepts, the accessed date however is still a problem when it is set to '0000-00-00 00:00:00' and the AES secret shown in YMS is currupted, I guess since it is the AES decoded value of the base64 string.

Code:

function addNewKey($devId64, $active, $sec, $note, $client, $user=-1, $serial='') {
        global $admEmail;
        $usrid = $user > 0 ? $user : base64_encode(time());
        $sn = $serial != '' ? $serial : nextSerial();
        $stmt = 'INSERT INTO yubikeys '.
          '(client_id,active,created,tokenId,userId,secret,counter,low,high,notes,serial) VALUES ('.
                $client.','.
                $active.','.
                'NOW(),'.
                mysql_quote($devId64).','.
                mysql_quote($usrid).','.
                mysql_quote($sec).','.
                '0,'.
                '0,'.
                '0,'.
                mysql_quote($note).','.
                mysql_quote($sn).
                ')';
        writeLog($stmt);
        if (!query($stmt)) {
                $err = 'Failed to add a new key, devId='.$devId64.' for client '.$client;
                writeLog($err);
                sendMail($admEmail, 'Failed to add a new yubikey', $err, $admEmail);
                return null;
        }
        $a = array();
        $a['keyid'] = mysql_insert_id();
        $a['sn'] = $sn;
        $a['usrid'] = $usrid;
        return $a;
}

Statistics: Posted by maho — Wed Feb 04, 2009 12:35 pm

Re: yms, yubiphpbase and yubico-php-lib

2009-02-04T12:08:01+01:00

We would appreciate if you can check the values stored in the database when the AES key is inserted using the YMS and when we manually insert the AES Key into the database. Both the time the AES Key values stored in the database should be same.

Statistics: Posted by network-marvels — Wed Feb 04, 2009 12:08 pm

Re: yms, yubiphpbase and yubico-php-lib

2009-02-04T11:29:24+01:00

I did cut and paste the b64 encoded key from api.yubico.com/yms to my own yms installation, however the result in my database looks nothing like what I inserted into yms, one interesting thing is that if I base64 decode the key from api.yubico base64 tells me that the input is invalid while base64 have no problem decoding the secret from my own installation.

If I look at the token in yms when It has been manually added using

Code:

mysql yubikey -e "insert into yubikeys(client_id, userId, active, created, accessed, tokenId, secret) values(1,xxx, 1, '`date +"%Y-%m-%d %H:%M:%S"`', '`date +"%Y-%m-%d %H:%M:%S"`', 'base65 yubikeyid', 'base64 AES secret');" 

The AES secret information is completely wrong and incomplete but if I add the key using yms it looks alright.

So my guess is that yms encodes the encoded key and then decodes it when displayed in yms, libubikey-client/server-j however does not seem to decode the key that is in the database.

Statistics: Posted by maho — Wed Feb 04, 2009 11:29 am

Re: yms, yubiphpbase and yubico-php-lib

2009-02-04T11:08:13+01:00

The AES key stored in the YMS database should be base 64 encoded. While using the YMS to enter the AES key, please enter the AES key in base 64 encoded format.

Feel free to write back to us in case you face any problems.

Statistics: Posted by network-marvels — Wed Feb 04, 2009 11:08 am

Re: yms, yubiphpbase and yubico-php-lib

2009-02-04T10:49:00+01:00

I noticed another thing, except that the key added through yms gets BAD_OTP when I try it, it seems like the AES secret in the database is wrong it is almost twice as long as the one I entered, does yms AES encrypt the AES key I enter and if so why?
If I add the key manually I'm able verify the OTP so I guess that yms does something wrong.

Statistics: Posted by maho — Wed Feb 04, 2009 10:49 am

Re: yms, yubiphpbase and yubico-php-lib

2009-02-04T10:39:28+01:00

I might have been a bit early shouting success, not sure who to blame here but server-j seems to have problems dealing with 0000-00-00 00:00:00 which is set on the accessed column in the yubikey table when the token is added to the database.

2009-02-04 11:34:55,458 [http-8080-Processor23] WARN com.yubico.wsapi.Database - java.sql.SQLException: Value '0000-00-00' can not be represe nted as java.sql.Date
2009-02-04 11:34:55,458 [http-8080-Processor23] INFO com.yubico.wsapi.KeySubsystem - While checking otp=dbdvkiukuvcevijfdcinjfvcbltcjtunvjhfn jkhtjhe
2009-02-04 11:34:55,458 [http-8080-Processor23] INFO com.yubico.wsapi.KeySubsystem - java.lang.NullPointerException

Statistics: Posted by maho — Wed Feb 04, 2009 10:39 am

Re: yms, yubiphpbase and yubico-php-lib

2009-02-04T10:34:01+01:00

Thank you!

Statistics: Posted by maho — Wed Feb 04, 2009 10:34 am

Re: yms, yubiphpbase and yubico-php-lib

2009-02-04T10:26:17+01:00

Please replace the setStatVal function definition from the "yubiphpbase/appinclude.php" file with the function definition given below:

Code:

function setStatVal($name, $val) {
   if (getStatVal($name) == null) { // Insert new
      $stmt = 'INSERT INTO stats (name, value) VALUES ('.
         mysql_quote($name).','.
         mysql_quote($val).
         ')';
      query($stmt);
   } else { // Update existing
      $stmt = 'UPDATE stats SET value='.mysql_quote($val).
         ' WHERE name='.mysql_quote($name);
      query($stmt);
   }
}

Feel free to write back to us in case you face any problems.

Statistics: Posted by network-marvels — Wed Feb 04, 2009 10:26 am

Re: yms, yubiphpbase and yubico-php-lib

2009-02-04T10:10:42+01:00

Statistics: Posted by maho — Wed Feb 04, 2009 10:10 am

Re: yms, yubiphpbase and yubico-php-lib

2009-02-04T09:56:56+01:00

Here is the table structure of the stats table:

Code:

DROP TABLE IF EXISTS `stats`;
SET @saved_cs_client     = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `stats` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `name` varchar(55) default NULL,
  `value` varchar(120) default NULL,
  PRIMARY KEY  (`id`),
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=latin1;
SET character_set_client = @saved_cs_client;

Feel free to write back to us in case you face any problems.

Statistics: Posted by network-marvels — Wed Feb 04, 2009 9:56 am

Re: yms, yubiphpbase and yubico-php-lib

2009-02-03T18:05:47+01:00

network-marvels wrote:

We are unable to recreate the problem you are facing. There is no stats table in our Yubico database.

That is pretty much my problem I would love to have the stats table what ever it is, it would make adding new keys so much easier.

Statistics: Posted by maho — Tue Feb 03, 2009 6:05 pm

Re: yms, yubiphpbase and yubico-php-lib

2009-02-03T18:04:14+01:00

Sure, to large to attach so http://www.mighty.se/yubico-stuff.tar

-M

Statistics: Posted by maho — Tue Feb 03, 2009 6:04 pm

Re: yms, yubiphpbase and yubico-php-lib

2009-02-03T16:32:27+01:00

We are unable to recreate the problem you are facing. There is no stats table in our Yubico database.
We would appreciate if you can provide us all the source code files that you are using to install the YMS and validation server. We would look into the source code files provided by you and we will update you accordingly.

Statistics: Posted by network-marvels — Tue Feb 03, 2009 4:32 pm

Re: yms, yubiphpbase and yubico-php-lib

2009-02-02T07:39:17+01:00

Thanks for providing the information. We are working on the problem and we will update you accordingly.

Statistics: Posted by network-marvels — Mon Feb 02, 2009 7:39 am

Re: yms, yubiphpbase and yubico-php-lib

2009-01-30T11:53:58+01:00

Sure.

yms logs:
2009-01-29 17:23:46: Check time? 1 by 10.20.0.29
2009-01-29 17:23:50: SELECT id, pin FROM admin WHERE keyid= by 10.20.0.29
2009-01-29 17:23:50: Invalid query -- SELECT id, pin FROM admin WHERE keyid= -- by 10.20.0.29
2009-01-29 17:24:17: SELECT id, pin FROM admin WHERE keyid= by 10.20.0.29
2009-01-29 17:24:17: Invalid query -- SELECT id, pin FROM admin WHERE keyid= -- by 10.20.0.29
2009-01-29 17:24:33: Check time? 1 by 10.20.0.29
2009-01-29 17:24:42: SELECT id, pin FROM admin WHERE keyid= by 10.20.0.29
2009-01-29 17:24:42: Invalid query -- SELECT id, pin FROM admin WHERE keyid= -- by 10.20.0.29
2009-01-29 17:24:49: SELECT id, pin FROM admin WHERE keyid= by 10.20.0.29
2009-01-29 17:24:49: Invalid query -- SELECT id, pin FROM admin WHERE keyid= -- by 10.20.0.29
2009-01-29 17:24:51: SELECT id, pin FROM admin WHERE keyid= by 10.20.0.29
2009-01-29 17:24:51: Invalid query -- SELECT id, pin FROM admin WHERE keyid= -- by 10.20.0.29
2009-01-29 17:24:56: SELECT id, pin FROM admin WHERE keyid= by 10.20.0.29
2009-01-29 17:24:56: Invalid query -- SELECT id, pin FROM admin WHERE keyid= -- by 10.20.0.29
2009-01-29 17:31:57: Check time? 1 by 10.20.0.29
2009-01-29 17:32:04: SELECT id, pin FROM admin WHERE keyid=1 by 10.20.0.29
2009-01-29 17:32:26: # act=find_client, client=-1 by 10.20.0.29
2009-01-29 17:46:21: Del adm key 2 by 10.20.0.29
2009-01-29 17:46:28: Del adm key 2 by 10.20.0.29
2009-01-29 17:46:37: Del adm key 1 by 10.20.0.29
2009-01-29 17:46:38: Del adm key 1 by 10.20.0.29
2009-01-29 17:46:46: Del adm key 2 by 10.20.0.29
2009-01-29 17:47:35: idstr=ghjdhhecrhvd idtype=tokid by 10.20.0.29
2009-01-29 17:48:16: idstr=ghjdhhecrhvd idtype=tokid by 10.20.0.29
2009-01-29 17:49:05: Del adm key 2 by 10.20.0.29
2009-01-29 17:49:05: Invalid query -- UPDATE clients SET perm_id=2 WHERE id=1 -- by 10.20.0.29
2009-01-29 17:54:51: # act=find_client, client=-1 by 10.20.0.29
2009-01-29 21:51:01: Del adm key 1 by 10.20.0.30
2009-01-29 21:51:02: Del adm key 1 by 10.20.0.30
2009-01-29 21:55:19: Invalid query -- SELECT value FROM stats WHERE name='serial' -- by 10.20.0.30
2009-01-29 22:12:27: Invalid query -- SELECT value FROM yubikeys WHERE name='serial' -- by 10.20.0.30

Here are my notes from the installation of yms, my complete setup can be found at http://www.mattiasholm.com/node/25 a work in progress.

The database setup script that is recomended by the documentation needs to be altered to fit the setup we got, they basically want to create the client, yubikeys and perms tables again, we dont..

SET character_set_client = utf8;
CREATE TABLE `admin` (
`id` int(10) unsigned NOT NULL auto_increment,
`keyid` int(11) NOT NULL default '0',
`note` varchar(45) default NULL,
`pin` varchar(120) default NULL,
`last_access` datetime default NULL,
`ip` varchar(45) default NULL,
`creation` datetime default NULL,
`client` int(11) NOT NULL default '0',
`timeout` int(10) unsigned NOT NULL default '3600',
PRIMARY KEY (`id`),
KEY `FK_admin_2` (`keyid`),
KEY `FK_admin_1` (`client`),
CONSTRAINT `FK_admin_1` FOREIGN KEY (`client`) REFERENCES `clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE,
CONSTRAINT `FK_admin_2` FOREIGN KEY (`keyid`) REFERENCES `yubikeys` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB AUTO_INCREMENT=33 DEFAULT CHARSET=latin1;

CREATE TABLE `buyers` (
`id` int(10) unsigned NOT NULL auto_increment,
`email` varchar(100) default NULL,
`created` datetime default NULL,
`addr` varchar(200) default NULL,
`qty` int(10) unsigned default NULL,
`client_id` int(11) NOT NULL default '0',
`name` varchar(45) default NULL,
PRIMARY KEY (`id`),
KEY `FK_client_id_1` USING BTREE (`client_id`),
CONSTRAINT `FK_client_info_1` FOREIGN KEY (`client_id`) REFERENCES `clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB AUTO_INCREMENT=2201 DEFAULT CHARSET=latin1;

CREATE TABLE `history` (
`id` int(10) unsigned NOT NULL auto_increment,
`usrid` int(10) unsigned NOT NULL default '0',
`note` varchar(45) NOT NULL default '',
`ip` varchar(45) NOT NULL default '',
`creation` datetime NOT NULL default '0000-00-00 00:00:00',
`keyid` int(10) unsigned NOT NULL default '0',
PRIMARY KEY (`id`),
KEY `FK_hist_1` (`usrid`)
) ENGINE=InnoDB AUTO_INCREMENT=347 DEFAULT CHARSET=latin1;

alter table clients add `notes` varchar(100) default NULL;
alter table clients add `chk_sig` tinyint(1) NOT NULL default '0';
alter table clients add `chk_owner` tinyint(1) NOT NULL default '0';
alter table clients add `chk_time` tinyint(1) NOT NULL default '1';
alter table yubikeys add `notes` varchar(100) default NULL;
alter table yubikeys add `serial` varchar(45) default NULL;

copy config.php.sample to config.php
open config.php with an editor and change
$opt, a key from you yubikey
$pin, you pin tu use when accessing YMS
$aesParams['__ADM_KEY_SECRET__'], your yubikeys AES secret
$aesParams['__ENC_KEY_SECRET__'], secret to use when encrypting data in the database, keep this one safe for future use
$baseParams['__DB_HOST__'], database host
$baseParams['__DB_USER__'], database user
$baseParams['__DB_PW__'], database password
$baseParams['__DB_NAME__', database name
$baseParams['__ROOT_EMAIL__'], your email address or whoever is responsible for this
$baseParams['__ORDER_URL__'], url to user yubikey request form perhaps?
$baseParams['__DOMAIN__'], your domain
$baseParams['__DOC_ROOT__'], filesystem path to apache root
$valParams['__VAL_URL__'], validation server URL if you have followed my instructions it should be http://localhost:8080/wsapi/verify?id= make sure that this one does not point to verify.php which is the default value.
$headParams['__SHORTCUT_ICON_URL__'], URL to favicon, should be located in yms/images
$letterParams['__KMS_URL__'], URL to yms, why the keep calling it kms is a mystery

When finished save and close config.php
before you can go on and run the installer you need to install yubikey-val-server-php in to yourwebroot/wsapi since there are undocumented dependencies to a file in that package..

The script will try to create the first user which already exists so we need to modify the script, open install.php and remove the entire variables starting with
$stmt = 'INSERT INTO clients VALUES (1,1,1,' .
and
$stmt = 'INSERT INTO yubikeys VALUES (1,1,1,' .
or just remove quert($stmt); beneath those variables.

run install.php, php install.php
the install script is very likely to fail a few times, that is no problem just correct the problems and run the script again..

After a successful run of install.php open config.php and remove everything between the remove this section comments.

copy yms to your web server root and rename it to kms

touch /tmp/kms.log;chown apache.apache /tmp/kms.log

In yubiphpbase/key_lib.php there is a function that sets $id to default if no $id is provided, I don't know what this is and it will not work unless there is an id 28 in the clients table, I just set to to 1 to make it work, I have no idea what the impact on security or other functionality will be..
function verifyYubikeyOtp($otp, $id=28) > function verifyYubikeyOtp($otp, $id=1)
If I can find some time I might patch this but for now, good enough..

Statistics: Posted by maho — Fri Jan 30, 2009 11:53 am