tessl/pypi-python-yubico
Python library for communicating with Yubico YubiKey hardware authentication tokens
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-python-yubico@1.3.0index.mddocs/
Python-Yubico
A comprehensive Python library for communicating with Yubico YubiKey hardware authentication tokens. It enables bidirectional USB communication for advanced YubiKey operations including device configuration, challenge-response authentication, and device management functions.
Package Information
- Package Name: python-yubico
- Language: Python
- Installation:
pip install python-yubico - Dependencies:
pyusb(for USB HID communication)
Core Imports
import yubicoFor specific components:
from yubico import find_yubikey, YubiKey
from yubico.yubikey_config import YubiKeyConfig
from yubico.yubico_exception import YubicoErrorBasic Usage
import yubico
try:
# Find and connect to YubiKey
yubikey = yubico.find_yubikey(debug=False)
# Get device information
print("Version:", yubikey.version())
print("Serial:", yubikey.serial())
# Simple challenge-response example
challenge = b"test challenge data"
response = yubikey.challenge_response(challenge, mode='HMAC', slot=1)
print("Response:", response.hex())
except yubico.yubico_exception.YubicoError as e:
print("ERROR:", e.reason)Architecture
The library uses a hierarchical class structure:
- Device Discovery:
find_yubikey()automatically detects and returns the appropriate YubiKey class instance - YubiKey Base Class: Abstract interface providing common methods across all YubiKey versions
- Device-Specific Classes:
YubiKeyUSBHID,YubiKeyNEO_USBHID,YubiKey4_USBHIDhandle version-specific features - Configuration System:
YubiKeyConfigprovides declarative configuration with validation and version compatibility checking - Frame Protocol:
YubiKeyFramehandles low-level USB HID communication protocol
This design abstracts hardware differences while providing full access to device-specific capabilities, making it suitable for both simple authentication tasks and advanced YubiKey management applications.
Capabilities
Device Discovery and Connection
Locate and establish communication with YubiKey devices, supporting multiple connected devices and providing automatic device type detection.
def find_yubikey(debug=False, skip=0):
"""
Locate and connect to a YubiKey device.
Parameters:
- debug (bool): Enable debug output
- skip (int): Number of devices to skip
Returns:
YubiKey: Connected YubiKey instance
Raises:
YubiKeyError: If no YubiKey found
"""YubiKey Device Interface
Core device operations including version detection, serial number retrieval, and basic device status queries available across all YubiKey models.
class YubiKey:
def version(self): ...
def serial(self, may_block=True): ...
def challenge_response(self, challenge, mode='HMAC', slot=1, variable=True, may_block=True): ...
def write_config(self, cfg, slot): ...YubiKey Configuration
Comprehensive configuration system supporting all YubiKey modes including Yubico OTP, OATH-HOTP, and challenge-response with full control over device settings, flags, and security parameters.
class YubiKeyConfig:
def __init__(self, ykver=None, capabilities=None, update=False, swap=False, zap=False): ...
def mode_yubikey_otp(self, private_uid, aes_key): ...
def mode_oath_hotp(self, secret, digits=6, factor_seed=None, omp=0x0, tt=0x0, mui=''): ...
def mode_challenge_response(self, secret, type='HMAC', variable=True, require_button=False): ...
def aes_key(self, data): ...
def ticket_flag(self, which, new=None): ...
def config_flag(self, which, new=None): ...
def extended_flag(self, which, new=None): ...Challenge-Response Operations
HMAC-SHA1 and Yubico challenge-response authentication for secure authentication workflows, supporting both variable and fixed-length responses.
def challenge_response(challenge, mode='HMAC', slot=1, variable=True, may_block=True):
"""
Perform challenge-response operation.
Parameters:
- challenge (bytes): Challenge data
- mode (str): 'HMAC' or 'OTP'
- slot (int): Configuration slot (1 or 2)
- variable (bool): Variable length response
- may_block (bool): Allow blocking operations
Returns:
bytes: Response data
"""Exception Handling
Comprehensive error handling with specific exception types for different failure modes including device communication errors, configuration errors, and timeout conditions.
class YubicoError(Exception):
def __init__(self, reason): ...
class YubiKeyError(YubicoError): ...
class YubiKeyTimeout(YubiKeyError): ...
class YubiKeyVersionError(YubiKeyError): ...
class InputError(YubicoError): ...Utility Functions
Helper functions for data processing, CRC validation, hex dumping, and ModHex encoding/decoding operations commonly needed in YubiKey applications.
def crc16(data): ...
def validate_crc16(data): ...
def hexdump(src, length=8, colorize=False): ...
def modhex_decode(data): ...
def hotp_truncate(hmac_result, length=6): ...Constants and Definitions
SLOT Constants
Configuration slot identifiers and command constants:
class SLOT:
CONFIG = 0x01 # First configuration slot
CONFIG2 = 0x03 # Second configuration slot
UPDATE1 = 0x04 # Update slot 1
UPDATE2 = 0x05 # Update slot 2
SWAP = 0x06 # Swap slots
NDEF = 0x08 # Write NDEF recordDevice Mode Constants
YubiKey operating mode identifiers:
class MODE:
OTP = 0x00 # OTP only
CCID = 0x01 # CCID only, no eject
OTP_CCID = 0x02 # OTP + CCID composite
U2F = 0x03 # U2F mode
OTP_U2F = 0x04 # OTP + U2F composite
U2F_CCID = 0x05 # U2F + CCID composite
OTP_U2F_CCID = 0x06 # OTP + U2F + CCID composite
MASK = 0x07 # Mask for mode bits
FLAG_EJECT = 0x80 # CCID device supports ejectUSB Product IDs
YubiKey hardware model identification:
class PID:
YUBIKEY = 0x0010 # YubiKey (versions 1 and 2)
NEO_OTP = 0x0110 # YubiKey NEO - OTP only
NEO_OTP_CCID = 0x0111 # YubiKey NEO - OTP and CCID
NEO_CCID = 0x0112 # YubiKey NEO - CCID only
NEO_U2F = 0x0113 # YubiKey NEO - U2F only
NEO_OTP_U2F = 0x0114 # YubiKey NEO - OTP and U2F
NEO_U2F_CCID = 0x0115 # YubiKey NEO - U2F and CCID
NEO_OTP_U2F_CCID = 0x0116 # YubiKey NEO - OTP, U2F and CCID
YK4_OTP = 0x0401 # YubiKey 4 - OTP only
YK4_U2F = 0x0402 # YubiKey 4 - U2F only
YK4_OTP_U2F = 0x0403 # YubiKey 4 - OTP and U2F
YK4_CCID = 0x0404 # YubiKey 4 - CCID only
YK4_OTP_CCID = 0x0405 # YubiKey 4 - OTP and CCID
YK4_U2F_CCID = 0x0406 # YubiKey 4 - U2F and CCID
YK4_OTP_U2F_CCID = 0x0407 # YubiKey 4 - OTP, U2F and CCID