Failing to configure Yubikey - Secret key too long

I’m trying to configure our Passbolt instance (2.10.0) to use a Yubikey OTP.

As explained in the guide here: https://help.passbolt.com/configure/mfa/yubikey.html

I’ve created an API key. However it seems that the Key secret I got is too long for the passbolt entry field.
The key I received is 27 characters long in the form of xxxxxxxxxxxxxxxxxxxxxxxxxxx= while the documentation seems to show a secret key of 23 characters in the form xx/xxxxxx/xxxxxxxxxxxx=

Maybe there is a change in the Yubikey system. My key is a Yubikey 5C Nano.

Ludovic
PS: we are a pro subscriber

Hello @ldubost,

That is strange. This indeed might be a change of behavior of the Yubicloud API.
I just tried with a Yubikey 5C nano and I got the secret key in 23 chars format.

Can you confirm you requested the key here: https://upgrade.yubico.com/getapikey/
If that’s the case we’ll need to relax the validation rules.

Sorry for the inconvenience, the documentation for Yubicloud is quite terse with regard to the expected formats.

Yes I can confirm this is where I got it.

@ldubost thanks for this, I’ll try to arrange a release asap to fix this, most likely next week.

@ldubost I think I found the issue

Index: CHANGELOG.md
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- CHANGELOG.md	(date 1565266637000)
+++ CHANGELOG.md	(date 1571907709000)
@@ -3,6 +3,7 @@
 This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [unreleased]
+- PB-818: Fix Yubicloud secret key does not validate when it contains a + char
 
 ## [2.11.0] - 2019-08-08
 ### Security fixes
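
Review bot: The new PB-818 entry sits directly under `## [unreleased]` with no subsection heading, while the released section below it groups entries under headings such as `### Security fixes`. Put the entry under a matching heading (for example `### Fixed`) so the unreleased block keeps the same layout when it is cut into a release.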
Index: plugins/Passbolt/MultiFactorAuthentication/src/Utility/MfaOrgSettingsYubikeyTrait.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- plugins/Passbolt/MultiFactorAuthentication/src/Utility/MfaOrgSettingsYubikeyTrait.php	(date 1565266637000)
+++ plugins/Passbolt/MultiFactorAuthentication/src/Utility/MfaOrgSettingsYubikeyTrait.php	(date 1571907709000)
@@ -77,7 +77,7 @@
             $errors[MfaSettings::PROVIDER_YUBIKEY][MfaOrgSettings::YUBIKEY_SECRET_KEY]['notEmpty'] = $msg;
         } else {
             $secretKey = $data[MfaSettings::PROVIDER_YUBIKEY][MfaOrgSettings::YUBIKEY_SECRET_KEY];
-            if (!Validation::custom($secretKey, '/^[a-zA-Z0-9\/=]{10,128}$/')) {
+            if (!Validation::custom($secretKey, '/^[a-zA-Z0-9\/=\+]{10,128}$/')) {
                 $msg = __('Yubikey OTP secret key is not valid.');
                 $errors[MfaSettings::PROVIDER_YUBIKEY][MfaOrgSettings::YUBIKEY_SECRET_KEY]['isValidSecretKey'] = $msg;
             }
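
Review bot: The widened character class in the `Validation::custom` call still checks only which characters appear, not where, so `=` is accepted at any position and lengths that cannot be base64 pass as long as they fall within 10 to 128. Since the secret is a base64 string, consider allowing `=` only as trailing padding, e.g. `/^[a-zA-Z0-9\/+]{10,126}={0,2}$/`, or additionally rejecting the value when `base64_decode($secretKey, true)` returns false. The backslash before `+` is also unnecessary inside a character class.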
Index: plugins/Passbolt/MultiFactorAuthentication/tests/TestCase/Controllers/OrgSettings/MfaOrgSettingsPostControllerTest.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- plugins/Passbolt/MultiFactorAuthentication/tests/TestCase/Controllers/OrgSettings/MfaOrgSettingsPostControllerTest.php	(date 1565266637000)
+++ plugins/Passbolt/MultiFactorAuthentication/tests/TestCase/Controllers/OrgSettings/MfaOrgSettingsPostControllerTest.php	(date 1571907709000)
@@ -116,7 +116,7 @@
             ],
             MfaSettings::PROVIDER_YUBIKEY => [
                 'clientId' => '12345',
-                'secretKey' => 'i2/j3jIQBO/axOl3ah4mlgXlXUY='
+                'secretKey' => 'i2/j3jIQBO/axOl3ah4mlgXlXU+Y='
             ],
             MfaSettings::PROVIDER_DUO => [
                 'salt' => '__CHANGE_ME__THIS_MUST_BE_AT_LEAST_FOURTY_CHARACTERS_____',
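
Review bot: The changed `secretKey` fixture inserts a `+` rather than substituting one, which takes the value from 28 to 29 characters; that is not a possible length for padded base64, so the test now passes on a key the Yubicloud API could never issue. It also replaces the only fixture shown here, so the previous `+`-free format is no longer exercised by this case. Keep the original value, add a second case where one character is swapped for `+` at the same length, and add a negative case (for example a key with `=` in the middle) so the validation rule is tested in both directions.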

@ldubost how urgent is this issue for you? We can publish a v2.11.1 shortly if that’s a blocker from your side.
