Update Set-YubiKey-HOTP.ps1 (#163)

JMarkstrom · web-flow · commit 60370c68ee76 · 2025-06-12T21:07:14.000+02:00
Added optional secret format param to support writing hex secret to csv instead of base32.
Added check for OTP capability.
diff --git a/Docs/Cookbook/Set-YubiKey-HOTP.ps1 b/Docs/Cookbook/Set-YubiKey-HOTP.ps1
@@ -1,6 +1,6 @@
 <#
 .SYNOPSIS
-Programs HOTP to a slot on a YubiKey and outputs to seed file.
+Programs HOTP to a slot on a YubiKey and outputs to seed file in Hex or Base32 format.
 
 .DESCRIPTION
 This Cmdlet programs HOTP (HMAC-based One-Time Password) to a selected slot on a YubiKey.
@@ -23,46 +23,68 @@ Appends a carriage return (Enter) after the passcode
 .PARAMETER Use8Digits
 Use 8 digits instead of 6 for the passcode
 
+.PARAMETER SecretFormat
+Secret format to use (Base32 or Hex)
+
 .EXAMPLE
 .\Set-YubiKey-HOTP.ps1 -ShortPress
-Programs HOTP to slot 1 (short press) on the YubiKey.
+Programs HOTP to slot 1 (short press) on the YubiKey using Base32 format (default).
 
 .EXAMPLE
 .\Set-YubiKey-HOTP.ps1 -LongPress -SendTabFirst -AppendCarriageReturn
-Programs HOTP to slot 2 (long press) with TAB before the code and Enter after.
+Programs HOTP to slot 2 (long press) with TAB before the code and Enter after, using Base32 format.
 
 .EXAMPLE
 .\Set-YubiKey-HOTP.ps1 -ShortPress -Use8Digits
-Programs HOTP to slot 1 with 8-digit passcodes.
+Programs HOTP to slot 1 with 8-digit passcodes using Base32 format.
+
+.EXAMPLE
+.\Set-YubiKey-HOTP.ps1 -ShortPress -SecretFormat Hex
+Programs HOTP to slot 1 using hex format (recommended for Cisco Duo and Ping Identity).
+
+.EXAMPLE
+.\Set-YubiKey-HOTP.ps1 -LongPress -SecretFormat Hex -SendTabFirst -AppendCarriageReturn
+Programs HOTP to slot 2 using hex format with TAB and Enter, suitable for Cisco Duo.
 
 .NOTES
 - Requires the powerShellYK module
 - Creates/updates a CSV file named 'hotp-secrets.csv' in the current directory
 - Each configuration generates a new secret key
 - If a YubiKey with the same serial number is programmed again, its entry will be updated
 - After programming, prompts to program another YubiKey (Y/n)
+- For Cisco Duo and Ping Identity, use hex format with "-SecretFormat Hex"
 
 .LINK
 https://github.com/virot/powershellYK/
 #>
 
 # Function to program a single YubiKey
-function Program-YubiKey {
+function Set-YubiKeyHOTPConfig {
     param (
         [Yubico.YubiKey.Otp.Slot]$Slot,
         [switch]$SendTabFirst,
         [switch]$AppendCarriageReturn,
         [switch]$Use8Digits,
-        [string]$CsvFilePath
+        [string]$CsvFilePath,
+        [ValidateSet('Base32', 'Hex')]
+        [string]$SecretFormat = 'Base32'
     )
 
     # Connect to YubiKey
     try {
         Connect-Yubikey
-        $yubiKey = Get-YubiKey
-        if ($null -eq $yubiKey) {
+        $yubiKeyInfo = Get-YubiKey
+        if ($null -eq $yubiKeyInfo) {
             throw "No YubiKey found."
         }
+
+        # Check if the insertedYubiKey supports OTP
+        if (-not $yubiKeyInfo.AvailableUsbCapabilities.HasFlag([Yubico.YubiKey.YubiKeyCapabilities]::Otp)) {
+            Clear-Host
+            Write-Host "This YubiKey does not support OTP functionality." -ForegroundColor Red
+            Write-Host ""
+            return $false
+        }
     }
     catch {
         Clear-Host
@@ -76,8 +98,8 @@ function Program-YubiKey {
 
     # Create new configuration object
     $newConfig = [PSCustomObject]@{
-        'Serial' = $yubiKey.SerialNumber
-        'Secret' = $result.Base32Secret
+        'Serial' = $yubiKeyInfo.SerialNumber
+        'Secret' = if ($SecretFormat -eq 'Hex') { $result.HexSecret } else { $result.Base32Secret }
         'Counter' = 0
         'Length' = if ($Use8Digits) { 8 } else { 6 }
     }
@@ -88,7 +110,7 @@ function Program-YubiKey {
 
     # Check if serial exists and update if found
     $updatedData = @($existingData | ForEach-Object {
-        if ($_.Serial -eq $yubiKey.SerialNumber) {
+        if ($_.Serial -eq $yubiKeyInfo.SerialNumber) {
             $serialExists = $true
             $newConfig
         } else {
@@ -113,9 +135,9 @@ function Program-YubiKey {
     Write-Host "YUBIKEY SUCCESSFULLY PROGRAMMED WITH HOTP TO SLOT!" -ForegroundColor Yellow
     Write-Host "*****************************************************************" -ForegroundColor Yellow
     if ($serialExists) {
-        Write-Host "ℹ️ Updated existing entry for YubiKey with serial: $($yubiKey.SerialNumber)" -ForegroundColor Yellow
+        Write-Host "ℹ️ Updated existing entry for YubiKey with serial: $($yubiKeyInfo.SerialNumber)" -ForegroundColor Yellow
     } else {
-        Write-Host "ℹ️ Added new entry for YubiKey with serial: $($yubiKey.SerialNumber)" -ForegroundColor Yellow
+        Write-Host "ℹ️ Added new entry for YubiKey with serial: $($yubiKeyInfo.SerialNumber)" -ForegroundColor Yellow
     }
     Write-Host "📝 Information saved to: $CsvFilePath" -ForegroundColor Yellow
     Write-Host ""
@@ -153,7 +175,13 @@ function Set-YubiKeyHOTP {
         [Parameter(Mandatory=$False,
                   HelpMessage = "Use 8 digits instead of 6 for the passcode")]
         [switch]
-        $Use8Digits
+        $Use8Digits,
+
+        [Parameter(Mandatory=$False,
+                  HelpMessage = "Secret format to use (Base32 or Hex)")]
+        [ValidateSet('Base32', 'Hex')]
+        [string]
+        $SecretFormat = 'Base32'
     )
 
     begin {
@@ -178,7 +206,7 @@ function Set-YubiKeyHOTP {
         [System.Console]::ReadKey() > $null
         Clear-Host
 
-        if (-not (Program-YubiKey -Slot $slot -SendTabFirst:$SendTabFirst -AppendCarriageReturn:$AppendCarriageReturn -Use8Digits:$Use8Digits -CsvFilePath $csvFilePath)) {
+        if (-not (Set-YubiKeyHOTPConfig -Slot $slot -SendTabFirst:$SendTabFirst -AppendCarriageReturn:$AppendCarriageReturn -Use8Digits:$Use8Digits -CsvFilePath $csvFilePath -SecretFormat $SecretFormat)) {
             return
         }
 
@@ -205,7 +233,7 @@ function Set-YubiKeyHOTP {
                 [System.Console]::ReadKey() > $null
                 Clear-Host
 
-                if (-not (Program-YubiKey -Slot $slot -SendTabFirst:$SendTabFirst -AppendCarriageReturn:$AppendCarriageReturn -Use8Digits:$Use8Digits -CsvFilePath $csvFilePath)) {
+                if (-not (Set-YubiKeyHOTPConfig -Slot $slot -SendTabFirst:$SendTabFirst -AppendCarriageReturn:$AppendCarriageReturn -Use8Digits:$Use8Digits -CsvFilePath $csvFilePath -SecretFormat $SecretFormat)) {
                     continue
                 }
             }
