Repository: https://github.com/Nitrokey/trussed-secrets-app (Rust; forked from https://github.com/trussed-dev/oath-authenticator; topic: nitrokey-3)

<!--
Copyright (C) 2023 Nitrokey GmbH
SPDX-License-Identifier: CC0-1.0
-->

# Secrets App

A [Trussed][trussed] app to manage the OTP and Password Safe features of the Nitrokey 3.

Based on [oath-authenticator][], an implementation of a reverse-engineered specification of Yubico's [OATH application][yubico-oath].

[trussed]: https://trussed.dev

[oath-authenticator]: https://github.com/trussed-dev/oath-authenticator

[yubico-oath]: https://developers.yubico.com/OATH/YKOATH_Protocol.html

### Current Features

Secrets App supports the following features:

- HOTP implementation - [RFC4226];
- TOTP implementation - [RFC6238];
- Reverse HOTP implementation - [the original client][hotp-verif];
- Yubikey's HMAC-SHA1 challenge for KeepassXC - [KeepassXC documentation][keepass-docs];
- Password Safe;
- A PIN with an attempts counter;
- PIN-based encryption per credential;
- Touch-button protected use per credential.

The pynitrokey library can be used to communicate with this application over CTAPHID, and nitropy provides the CLI using it. See [ctaphid.md](docs/ctaphid.md) for the details.

CCID transport is also available, and while it is not supported in the mentioned library yet, it can potentially be used by protocol-compatible applications, like the mentioned KeepassXC.

See [design.md](docs/design.md) for the UX design choices.

[RFC4226]: https://www.rfc-editor.org/rfc/rfc4226

[RFC6238]: https://www.rfc-editor.org/rfc/rfc6238

[hotp-verif]: https://github.com/Nitrokey/nitrokey-hotp-verification#verifying-hotp-code
[keepass-docs]: https://keepassxc.org/docs/
[hmac-tutorial]: https://docs.yubikey.wiki/tutorials/keepassxc

#### OTP

OTP support works reasonably well, with the following remarks:

1. The shared secret key length can be 320 bits (40 bytes) or longer.
2. The HOTP implementation currently allows only a 32-bit counter for the initialization.
3. Usage confirmation through the touch-button gesture (aka UP confirmation) can be set during credential registration.
4. Additional protection by means of PIN-based encryption can also be set up.

#### Reverse HOTP

Reverse HOTP is an operation that verifies an HOTP code coming from the PC host and shows the user visually whether the code is correct or not, with a green or red LED respectively. By design it does not need authorization, so the process can be executed automatically during boot, without any additional user intervention where possible.

This is used for the Measured Boot feature provided by Heads, which in turn is used in Nitrokey NitroPads. With that, the Nitrokey 3 can be used in place of the Nitrokey Pro and Nitrokey Storage sold until now.

See the original description at:

- https://github.com/Nitrokey/nitrokey-hotp-verification#verifying-hotp-code

The solution contains means to avoid desynchronization between the host's and the device's counters. The device calculates up to 9 values ahead of its current counter to find the matching code (in total it calculates the HOTP code for 10 subsequent counter positions). In case:

- no code matches - the on-device counter is not changed;
- parsing of the incoming code fails - the on-device counter is not changed;
- the code matches, but with some counter offset (up to 9) - the on-device counter is set to the counter position that generated the matching code, incremented by 1;
- the code matches the current counter without offset - the counter is incremented by 1;
- the HOTP counter overflows while searching for the matching code - an error is returned, and the counter is not changed.

The device stops verifying HOTP codes when the difference between the host's and the on-device counter is greater than or equal to 9.

Credentials registered for use with this operation cannot be used with regular HOTP calls by design.

#### Password Safe

A Password Safe credential can store a login, a password and additional information, each of at most 128 bytes. Credentials can be encrypted and/or require a touch-button press before reading.

#### KeepassXC support with HMAC-SHA1

KeepassXC is supported through Yubikey's HMAC-SHA1 challenge commands. Both slots are supported. What's more, any number of credentials of this kind can be created to support other HMAC-SHA1 applications.
No other support for Yubikey commands is planned or tested. In fact, the authorization method used by Yubikey has been removed, which will probably make it not work with other clients supporting this protocol.

#### CTAPHID Extension

This implementation uses CTAPHID to transfer commands to the Secrets App. This transport is used to improve compatibility on platforms where the default transport for this application, CCID, is not easily available (e.g. because it is taken by other services, or requires Administrator privileges). A CTAPHID vendor command number (`0x70`) was selected for it, allowing a compatible extension of any FIDO-compliant device.

See [CTAPHID](docs/ctaphid.md) for further documentation on the NLnet-funded CTAPHID extension.

### Further work

While most of the features needed for daily use are implemented, there are still some tasks to do:

- proper LED blinking for the Reverse HOTP feature - since the upstream framework does not handle any LED animations yet, the failing and successful cases can be distinguished only by the blinking length at the moment (10 seconds for the pass, 1000 for the failed case). There is no support for animation priority in the upstream framework either, hence any other operation can overwrite the animation.

Tasks and features still under discussion:

- extend the HOTP feature to handle a 64-bit counter - right now only a 32-bit value is supported, to stay compatible with the original protocol; this should be easy to extend by introducing a new TLV tag that marks the wider value;
- support SHA512, if that is ever needed.

### Development

See the [design](docs/design.md) document for the decisions taken to make the solution cohesive.

Use the `dangerous_disable_encryption` Rust cfg flag to disable data encryption for debugging purposes. E.g.:

```text
$ env RUSTFLAGS="--cfg dangerous_disable_encryption" cargo test
```

This flag is for local debugging only: firmware built with it stores its data unencrypted, so never ship a build that has it set.

### License

<sup>`oath-authenticator` is licensed under either of [Apache License, Version 2.0](LICENSE-APACHE)
or [MIT License](LICENSE-MIT) at your option.</sup>
<br>
<sub>Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you,
as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.</sub>

## Funding

[<img src="https://nlnet.nl/logo/banner.svg" width="200" alt="Logo NLnet: abstract logo of four people seen from above" hspace="20">](https://nlnet.nl/)
[<img src="https://nlnet.nl/image/logos/NGI0PET_tag.svg" width="200" alt="Logo NGI Zero: letterlogo shaped like a tag" hspace="20">](https://nlnet.nl/NGI0/)

Changes in this project were funded through the [NGI0 PET](https://nlnet.nl/PET) Fund, a fund established by [NLnet](https://nlnet.nl/) with financial support from the European Commission's [Next Generation Internet programme](https://ngi.eu/), under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.
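The OTP and Reverse HOTP sections above describe HOTP/TOTP generation and the counter-resynchronisation rules (10-position look-ahead, counter unchanged on parse failure or no match, advance to matched position + 1, error on 32-bit overflow). The following is an added example written for this page, not code from trussed-secrets-app or pynitrokey: it implements RFC 4226 and RFC 6238 with the Python standard library and models the device-side verification rules in a hypothetical `ReverseHotpCredential` class. The handling of a match at the very last 32-bit counter position (treated as an overflow) is an assumption, as the README does not spell out that edge.

```python
"""HOTP (RFC 4226), TOTP (RFC 6238) and a model of the Reverse HOTP look-ahead
rules from the README.  Added example; not code from trussed-secrets-app."""
from __future__ import annotations

import hmac
import struct

U32_MAX = 0xFFFF_FFFF   # README: only a 32-bit counter is supported
LOOKAHEAD = 10          # README: current counter plus up to 9 positions ahead


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFF_FFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


class ReverseHotpCredential:
    """Device-side model of a reverse-HOTP credential (hypothetical class)."""

    def __init__(self, secret: bytes, counter: int = 0, digits: int = 6):
        if not 0 <= counter <= U32_MAX:
            raise ValueError("initial counter must fit in 32 bits")
        self.secret, self.counter, self.digits = secret, counter, digits

    def verify(self, code: str) -> bool:
        """Return True when `code` matches a counter in the look-ahead window.

        Counter handling follows the README: unchanged on parse failure or no
        match; set to matched position + 1 on a match (offset 0..9); an
        OverflowError with the counter untouched when the search steps past
        the 32-bit range.
        """
        if len(code) != self.digits or not code.isdigit():
            return False                      # parse failure: counter unchanged
        for offset in range(LOOKAHEAD):
            candidate = self.counter + offset
            if candidate > U32_MAX:
                raise OverflowError("HOTP counter overflow while searching")
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                if candidate == U32_MAX:
                    # Assumption: advancing past 2^32-1 is also an overflow.
                    raise OverflowError("HOTP counter overflow on advance")
                self.counter = candidate + 1  # skip past the matched position
                return True
        return False                          # no match: counter unchanged


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test secret.
    secret = b"12345678901234567890"
    cred = ReverseHotpCredential(secret)
    host_counter = 3                          # host ran ahead of the device
    print(cred.verify(hotp(secret, host_counter)), cred.counter)   # True 4
```

Used as a sanity check against the RFC 4226 vectors, counter 0 yields `755224` and counter 9 yields `520489`; a host whose counter has drifted 3 ahead is accepted once and the device jumps to 4, while a malformed code or one outside the window leaves the counter where it was.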
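The CTAPHID Extension section above says the app is reached over a CTAPHID vendor command (`0x70`). The following is an added example, not code from trussed-secrets-app or its `docs/ctaphid.md`: it frames an opaque payload into 64-byte CTAPHID reports (initialization packet with the command byte's high bit set and a 16-bit length, then continuation packets with a sequence byte) and reassembles them, rejecting a non-vendor command number or an out-of-order packet. The payload encoding the app expects is documented elsewhere and is not modelled here; the channel ID is assumed to have been obtained already via CTAPHID_INIT.

```python
"""CTAPHID framing for a vendor command.  Added example, not project code."""
from __future__ import annotations

import struct

PACKET_SIZE = 64            # CTAPHID uses 64-byte HID reports
TYPE_INIT = 0x80            # high bit marks an initialization packet
CMD_SECRETS_APP = 0x70      # vendor command number named in the README
VENDOR_FIRST, VENDOR_LAST = 0x40, 0x7F
INIT_DATA = PACKET_SIZE - 7   # after CID(4) + CMD(1) + BCNTH/BCNTL(2)
CONT_DATA = PACKET_SIZE - 5   # after CID(4) + SEQ(1)
MAX_PAYLOAD = INIT_DATA + 128 * CONT_DATA   # SEQ runs 0x00..0x7F


def frame(cid: int, cmd: int, payload: bytes) -> list[bytes]:
    """Split `payload` into zero-padded init + continuation packets."""
    if not VENDOR_FIRST <= cmd <= VENDOR_LAST:
        raise ValueError("vendor commands occupy 0x40..0x7F")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long for one CTAPHID message")
    head = struct.pack(">IBH", cid, TYPE_INIT | cmd, len(payload))
    packets = [(head + payload[:INIT_DATA]).ljust(PACKET_SIZE, b"\0")]
    rest = payload[INIT_DATA:]
    for seq, start in enumerate(range(0, len(rest), CONT_DATA)):
        chunk = rest[start:start + CONT_DATA]
        packets.append((struct.pack(">IB", cid, seq) + chunk).ljust(PACKET_SIZE, b"\0"))
    return packets


def reassemble(packets: list[bytes]) -> tuple[int, int, bytes]:
    """Inverse of frame(): returns (cid, cmd, payload), validating the stream."""
    if not packets or len(packets[0]) != PACKET_SIZE:
        raise ValueError("missing or malformed initialization packet")
    cid, cmd_byte, bcnt = struct.unpack(">IBH", packets[0][:7])
    if not cmd_byte & TYPE_INIT:
        raise ValueError("first packet is not an initialization packet")
    data = bytearray(packets[0][7:])
    for expected_seq, pkt in enumerate(packets[1:]):
        pcid, seq = struct.unpack(">IB", pkt[:5])
        if pcid != cid:
            raise ValueError("continuation packet from another channel")
        if seq & TYPE_INIT or seq != expected_seq:
            raise ValueError("unexpected sequence number")
        data += pkt[5:]
    if len(data) < bcnt:
        raise ValueError("message shorter than BCNT")
    return cid, cmd_byte & 0x7F, bytes(data[:bcnt])


if __name__ == "__main__":
    # Constructed demo: a 200-byte dummy payload on an assumed channel ID.
    pkts = frame(0x01020304, CMD_SECRETS_APP, bytes(range(200)))
    print(len(pkts), "packets;", reassemble(pkts)[1] == CMD_SECRETS_APP)
```

On the wire the command byte of the first report is `0xF0` (`0x80 | 0x70`); a 200-byte message needs one init packet and three continuation packets. In a real host client the CID comes from a CTAPHID_INIT exchange on the broadcast channel, and the receiver should also drop reports for channels it does not own and enforce the transaction timeout the spec requires.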