Hello,

mosts package resolvers think 0.9 is older than 0.81... could you please re-release the last version as 0.90?

Thanks,
--Simone

On Pop! OS here (Debian/Ubuntu), and neither Ctrl-w nor Ctrl-q close the app. It's necessary to point and click on the X in the window controls, which isn't very accessible.

Just wanted to ask if the project is still functional and in development? I see that RSA SecurID Software Token from April 8, 2022, will this work comparably with tokens made for that? I may not entirely understand how that works.

Why is there stoken-gui.desktop and stoken-gui-small.desktop?

https://archlinux.org/packages/extra/x86_64/stoken/

and the icon is not HiDPI enough.

I have a token that starts with com.rsa.securid://ctf?ctfData=BAEBB...
It is protected by password and I suppose it is encrypted, that is why I received the:

error: --token string is garbled: General failure

If I decode the token using base64 and then analyze the hex, token starts with the following hex data: 04 01 01 07... It is definitely new version of token.

Is there any public resource about v3 and v4 spec? Or does this task require reverse engineering?

Is it possible to release binaries and wrapper jar for Android (arm, armv7, x86) this will help us to get a known stable binary.

I could not find any documentation about how to display the next token code on the cli. Also, --help does not list this information. After a lot of digging I was able to discover the stoken --next will display this information. Requesting that the --next option be added to the help file as well as the project README.md to save others from my experience.

It would be nice if stoken supported XDG base directories instead of dumping the .stokenrc file in the home directory.

Is it possible next time on release new version make the github release to have entry on https://github.com/stoken-dev/stoken/releases? 🤔

I'm asking because only on make gh release is spread notification about new release to those who have set watch->releases.

More about gh releases is possible to find on
https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository
https://github.com/marketplace/actions/github-release

I have a bunch of network equipment to access using RSA Tokens. I usually develop in Python, but any portability will be depreciated.

The URL form exported by stoken export --iphone (and the same URL, QR-encoded via --show-qr) is not recognized by the current versions of the RSA authenticator iphone app. They are of the form: "com.rsa.securid.iphone://ctf?ctfData=..."

It seems current RSA iOS URLs are of the form: "com.rsa.securid://ctf?ctfData=...". When I edit an exported token URL from stoken by removing ".iphone" from the protocol portion of the URI, the RSA app is able to import the token URL successfully.

This should be a trivial string change somewhere; I can look into sending a PR tomorrow or something if you don't want to just do it yourself.

Thanks again for stoken! It is immensely useful.

autogen.sh is missing from Linux compile instructions.

Currently it's not possible to import token from web with activation code.
On mobile phone it can be done eg using link like:
com.rsa.securid://ctkip?scheme=https&url=securid1.access.organization.com:7005/ctkip/services/CtkipService&activationCode=xxxxxxxxxxxx

Is it possible to add this functionality to stoken?

At rhe moment only few packages are still not able to use openssl crypto library.
It would be good to have possibility to compile stoken against openssl.

Hi!
I have installed stoken-0.90-1 on Ubuntu 16.04.
Then imported my token into it. I set it to ask only PIN.
I noticed that it prints an empty line before one-time-pass when I want it to read my PIN from stdin:

$ echo $PIN | stoken -s tokencode

37150875

It doesn't occur when I enter PIN interactively.

$ stoken tokencode
Enter PIN:
44865380

That's not a big problem, I know. But it makes stoken a bit less usable for scripts.

I have a SID700 hardware token which has a token-id-looking-9digits-number and expiration date written in the back side (I bought this hardware token in eBay so I don't know anything else except these two parameters). Let's say the 9 digits are "012345678", and the expiration date is "01/01/21". Can the generated 6-digits token be emulated with this library?

It would be good to add support for copying both the current tokencode and next tokencode. Perhaps both can be made a button that copies on click to save space (and also allow for keyboard shortcuts for both).

Hey there, great tool btw, but I've been having a problem where I get the error above when I try to import a token file generated from our RSA console.

• The files import fine into the Windows RSA application, but I had our admin generate me another one, and got the same error.
• A couple of my colleagues who use it also get the same, but for most it works perfectly.

I'm no expert on RSA tokens at all, but I compared my token files with a couple that have imported correctly, in a text editor. The only difference I could see is that the TokenMAC properties in my files have '+' in them, where the tokens that imported normally, are purely alphanumeric.

Any guidance on what might be happening here?

I'm experiencing a problem similar to issue #1 below, but with RSA SecurID 1.0.0 on Blackberry 10. I'm unable to import a token secured with a Device ID despite entering in the eight-digit Device ID from the "About" page of the Blackberry app. (The IMEI and serial numbers don't work either.)

Thanks in advance for any help!

$ stoken import --token=<81-digit numeric string>
Enter device ID from the RSA 'About' screen: 
Device ID does not match the token.

Is there currently support for or any plans to add support for multiple tokens? I have a workaround of swapping which .stokenrc file in my home directory based on which token I want active but it'd be nice if there was native support for multiple tokens.

Thank you for this very useful tool

I am trying to import a RSA SecureID token that I originally received and installed on my android phone using the RSA v1.2 application. I am specifying the token (from the url I was sent) and have tried entering the IMEI, IMEI SV, SIM, and the DeviceID from the RSA application.

I am loath to post the specifics in this ticket since the values are highly sensitive.

I'm sure this is a case of me being silly or doing something completely wrong; but I am just not sure what it could be.

I didn't see any other way of contacting you on any of the pages about this app, so I figured filing an issue may be the best way to go.

I know its too much to ask, however since you done all the code changes to make library compatible with Android except that its licence LGPL.

As explained in https://source.android.com/source/licenses.html its clear we cannot link stoken dynamically in Android.

Could you please consider changing the licence to Apache Software License, Version 2.0

On OS X 10.9 build fails with

$ make
/Applications/Xcode.app/Contents/Developer/usr/bin/make  all-am
  CCLD     libstoken.la
ld: unknown option: --version-script
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[1]: *** [libstoken.la] Error 1
make: *** [all] Error 2

Reason is
libstoken_la_LDFLAGS<-->+= -Wl,--version-script,@srcdir@/libstoken.map
in the Makefile.am. If i am commenting out this line build is fine.

Probably this flag should be avoided on OSX.

How do you remove a stored token that you have imported? I have removed stoken with apt remove stoken and when I reinstall it with apt install stoken I can see that the token that I imported is still present (ie: running stoken still displays the current token code)
Also, where are the imported tokens stored on disk?

Much like #1 and #3, I am unable to import a token. I received the token as an XML file, but stoken was unable to digest it.

jeward@ward-MacBookPro:~/Downloads$ stoken import --token java -jar TokenConverter.jar jward_000129365220.sdtid -p "redacted"
This token is bound to a specific device.
Enter device ID from the RSA 'About' screen:

There is no device ID available anywhere that I can find from the Windows software and I've tried all the serial numbers and likely looking strings from the XML file.

Can you help?

Thanks in advance,

James

Hello,

Currently when building as is with mingw64 for windows the resultant stoken-gui.exe will automatically spawn a cmd prompt behind the GUI window. I was able to resolve this issue by changing the following flag in the Makefile after running ./configure.
Change:
CC= x86_64-w64-mingw32-gcc
to
CC= x86_64-w64-mingw32-gcc -02 -Wall -mms-bitfields -mwindows

I believe the only really needed flag is "-mwindows", perhaps it should be added to the preconfigured makefile to be added automatically to all mingw builds.

After you enter a PIN the passcodes seem to be provided indefinitely. This behavior is pretty different than the RSA SecurID Windows application. I think a lot of corporate IT/security departments would likely have an issue with that. Please look at adding a configurable timeout that would force you to re-enter your PIN to continue to get new passcodes. The vendor provided windows app seems to require a new PIN after 3.5 minutes. Please default it to that since that seems acceptable to corporate IT/security departments.

https://github.com/cernekee/stoken/blob/ddb5c7d4747a4923456551c1b054ea05e926a561/src/common.c#L378

Hi, I have an error in this line with this message

/root/main/ics-openconnect/external/stoken/src/common.c:378:2: warning: nested extern declaration of 'mlockall' [-Wnested-externs] /root/main/ics-openconnect/external/stoken/src/common.c: At top level: cc1: warning: unrecognized command line option "-Wno-unused-const-variable"

I try to compile latest openconnect library for android.

Can u help me please?

Hi,
The current certificate will expire in 2022. Is there a way to create a new one self signed?
I tried to do that using openssl but doesn't work.

There is a comment in the source code about RSA modules from the private key not be the same from the certificate.

Ventura

I followed all steps (even autogen.sh not included on instructions) and everything gone well, no errors in terminal during process.

However, when I try to execute the "stoken" command I get: "error while loading shared libraries: libstoken.so.1: cannot open shared object file: No such file or directory"

Any ideas here? I'm using Linux Debian 9 Stretch, kernel version: 4.9.0-6-amd64

how to resolve this when I do ./configure

configure: error: unable to link gtk+ test program

I have arch linux

Hi there, first time opening an issue so please correct if I do anything wrong.

I think it would be useful to have the possibility to see the remaining life time of a token in a numeric format in the command line and the gui. It could be useful for example to know when a token is going to expire or has expired and then change it in some random script that uses the token to authenticate. I could send a pull request with the changes if someone can point me to the necessary files.

Thanks for your time

Basically stoken only accepts integers between 4-8 digits.
Valid = 1234
Invalid = 1234a

RSA at least does allow and sometimes requires a pin that is a mix of alphanumeric.

I'm looking through code, but having trouble locating the pin validation code.

Hi, I have compiled stoken on my pc from git, and I am seeing this error when I import my sdtid file.
/usr/local/lib does have libstoken.so, libstoken.so.1, and libstoken.so.1.3.0.

What could I be missing?

When you update you MacOS to Monterrey version, stoken-gui gets invisible (only appear name window bar) . I don’t know if it is a problem with gnome-icon-theme, but if you change icon theme parameter on installation instrucctions, you stoken-gui will open normally.

Only you need replace this on step Use Homebrew to satisfy dependencies

•  brew install git autoconf automake libtool nettle pkg-config gtk+3 gnome-icon-theme hicolor-icon-theme

To this:

• brew install git autoconf automake libtool nettle pkg-config gtk+3 adwaita-icon-theme hicolor-icon-theme

Hello, I would like to use Arduino Due as an replacement for android app Easy Token (RSA).
This board should be powerful enough to compute the token in an reasonable time.

So my question is if there is an easy way to extract only the needed functionality, because GUI will be significantly different. Maybe I just missed the pattern in the files organization :)

How can i generate device with stoken?

I am getting this issue. I saw a couple of fixes for similar issues but those fixes were already merged into main when I cloned and installed it. I am on a Mac. I tried both of these methods
stoken import --token 7bf4ea23e06...
stoken import --token com.rsa.securid://ctkip?url=https://token.comerica.com/ctkip/services/CtkipService&activationCode=

with the activation code

Hello Kevin,
I noticed that running make -j4 check outputs (compiled with libtomcrypt):

FAIL: tests/tokencode
FAIL: tests/export

$ cat tests/tokencode.log
cmd 0 failed
$ cat tests/export.log
test 1 failed

Probably they share some common temp file.

Simply with make check:
FAIL: tests/export

$ cat tests/export.log
out2.tmp ./tests/pinmode-2.sdtid differ: byte 338, line 13
test 5 failed

I tried v0.8 and make check fails:
FAIL: tests/export-v3-sdtid.pipe

It seems that this test isn't executable, but even if I make it, it fails with the following error:

STOKEN=./stoken TESTDIR=./tests tests/export-v3-sdtid.pipe
http://127.0.0.1/securid/ctf?ctfData=AwAAowgs1dlyJB6xs47Dp5e4dp9VNVDDzasezUGFIi5CUc6jCCzV2XIkHrGzjsOnl7h2n1U1UMPNqx7NQYUiLkJRzhccu2uokGIVQP9uDPIL%2FjtuXhrC%2F95282gT3iwhfmR%2FbXdqSUTyfoKklWPunSNL7%2FWIz66TeQbK7rx%2BnGoNA8ar%2BukqwC4m2ywNrxcrwRJ%2BAxRaJJCfyTZ9btWEiAseyyAWNVWYpamcW%2B8N8fCV1kCJ1Y3vfmMQCJZsijsLv52F7AaniiDgoEI%2FPzu1dh0Op4XvsuIlxL%2FGwFeot4Cri0ndH3JLiPDhnUQPUrEZVzcg%2B%2FCE0dRjfr5CfLTTe7atWuKleWc488sRtXury3OFwgxPEqcmLhNYaipNkXVUs7lK
error: --token string is garbled: General failure

btw. Several tests don't include #!/bin/sh

Our company RSA enabled Anyconnect client often asks as the next code token every once in a while as a "security measure". This currently involves waiting for the timeout to expire and for the next code to appear.

Would it be possible to have the next token code printed along the main one? This feature is available in RSA's official Windows Software Token code.

Thanks & regards,
--Simone

Is there a documented spec you follow anywhere? I would like to bring this to NodeJS but I am not familiar enough with C to just straight port from C to JS

In the usage message printed by stoken we see stoken import { --token=<token_string> | --file=<token_file> } [ --force ]. The message here has equals signs between the flags and their corresponding input, but this is incorrect and will actually cause the import to fail (at least for --file).

When i start "/usr/local/bin/stoken-gui", the dialog is generated, but shown behind all other existing windows. I have to search for it first and click on the window to bring it to front.

It would be a very helpful fix, when the dialog gets focussed directly when created/shown up and also the first input field (password / PIN) is focussed to start typing directly.

I already looked into the code and in my opinion the file src/gui.c -> function do_password_dialog is the right place... The is a set_keep_above method in the reference...

OS: macOS 10.13.1 (High Sierra)
Stoken was build with the instructions from the README file.

The reason the RSA client has buttons for entering the "Pin" number is that it prevents a key logger from stealing the pin number used(while I understand that if a key logger is present there is trouble, its better to protect the RSA key if possible) . This version of stoken only allows entering the pin number via the keyboard . I have created a fork to enable this.

The patch can be found here:
http://pastebin.com/8mbGGhgE

Can you please add this to the main upstream version ?

URLs look like com.rsa.securid://ctkip?url=https://XXX.com:443/ctkip/services/CtkipService and come with a 12 decimal digit activation code.

The protocol is documented in this RFC: https://tools.ietf.org/html/rfc4758

Edit 2019-01-27: Some exciting news! While not yet integrated into stoken, users with these activation tokens can derive the shared secret and import it into stoken with Dan Lenski's excellent https://github.com/dlenski/rsa_ct_kip client.py!

As stoken supports importing/exporting seed files, it would be interesting to see the ability to actually generate private keys aka seeds per-request. This will be useful for testing, and I can imagine multiple use cases like server-side use of the library.

Please correct me if I completely misunderstood the method of operation of this system and the algorythm to generate private keys isn't public

When trying to import my token from a url like:
http://127.0.0.1/securid/ctf?ctfData=20001188................

Using just the numbers:
stoken import --token=20001188....

It prompts saying:
This token is bound to a specific device.
Enter device ID from the RSA 'About' screen:

It will not accept the device ID.
Things I have tried:

• Verifying time is in sync
• Building stoken from git
• Installing stoken from Ubuntu repo
• Pulling and copying device ID from the following file on my phone /data/data/com.rsa.securidapp/shared_prefs/DataKeySetting.xml
• Uninstalling and wiping all data of com.rsa.securidapp on my phone and then installing it and importing the token again and verifying I am still able to authenticate.
• Note: When uninstalling/wiping RSA app, it does generate a new device ID.

I got a problem importing a token, I received it a while ago and successfully imported in RSA app in iPhone and it's working fine till this very day
Received token header is looks exactly like that:
com.rsa.secureid://ctf?ctfData=81 symbols______
And device ID looks like this in app:
0123 4567 89AB
CDEF 0123 4567

I'm typing it in when prompted like this:
0123456789ABCDEF01234567

and getting "Device ID does not match the token."

What I've tried so far:
different headers: with 127.0.0.1 in them, com.rsa.secureid.iphone://ctf?ctfData=, none of them
different cases for Device ID, spaces - still nothing

I commented the code to bypass this Device ID check and found that parsing is ok - I see correct serial number and expiration date

so i'm open to any advices

It seems due to commit 2c6c0eb, I can no longer compile stoken. In particular, this line:

ltc_mp = ltm_desc;

breaks the build with

src/common.o: In function common_init': /tmp/stoken/src/common.c:381: undefined reference toltm_desc'

I do have what appears to be the required header files available - libtomcrypt. I couldn't determine the reason for adding the line, so not sure where to begin trying to improve it.