PIN/OTP challenge — client proves identity by submitting a pre-shared PIN.
The PIN is known to both the CA (pre-provisioned at device manufacture time or via an out-of-band admin workflow) and the device operator. The CA never stores it in plaintext; only its SHA-256 hash is retained.
YubiKey HOTP integration
When paired with a YubiKey configured in HOTP mode (slot 2, long-press), this challenge enables secure headless bootstrapping:
- Admin provisions the YubiKey HOTP seed via the dashboard (→ ykpersonalize)
- YubiKey is plugged into the headless router
- Router starts enrollment; enrollment client reads from stdin
- Operator presses the YubiKey button → 44-char OTP emitted via USB HID
- Enrollment client captures the code and submits it as { "code": "..." }
- CA verifies hash → certificate issued
The max_tries limit protects against brute-force guessing; set it to 1 for HOTP, where each button press generates a unique, non-replayable code, so a failed submission should end the challenge rather than allow further attempts.
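The CA-side verification described above, written out as an added example (not the crate's own PinChallenge code): the CA retains only SHA-256 of the expected code, compares submitted codes in constant time, and enforces max_tries. The HOTP path assumes the CA derives the expected code from the provisioned seed and the current counter with RFC 4226; the seed used is the RFC 4226 Appendix D test secret, and the static PIN is a constructed demo value.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not from the project: the RFC 4226 test secret and a made-up PIN.
DEMO_SEED = b"12345678901234567890"
DEMO_PIN = "482913"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PinChallenge:
    """CA-side state for one enrollment; keeps only SHA-256(expected code), never the code."""

    def __init__(self, expected_code: str, max_tries: int):
        self.code_hash = hashlib.sha256(expected_code.encode()).digest()
        self.max_tries = max_tries
        self.tries = 0
        self.done = False

    @classmethod
    def from_pin(cls, pin: str, max_tries: int = 3) -> "PinChallenge":
        return cls(pin, max_tries)

    @classmethod
    def from_hotp(cls, seed: bytes, counter: int) -> "PinChallenge":
        # HOTP mode: exactly one expected code for this counter value, and max_tries=1
        # so a wrong submission closes the challenge instead of permitting guesses.
        return cls(hotp(seed, counter), max_tries=1)

    def verify(self, submitted: str) -> str:
        """Returns 'issued', 'retry' or 'failed'; the challenge is closed after 'issued' or 'failed'."""
        if self.done:
            return "failed"
        self.tries += 1
        candidate = hashlib.sha256(submitted.encode()).digest()
        # Constant-time comparison so response timing does not leak how much of the hash matched.
        if hmac.compare_digest(candidate, self.code_hash):
            self.done = True
            return "issued"
        if self.tries >= self.max_tries:
            self.done = True
            return "failed"
        return "retry"
```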
Structs
- PinChallenge: NDNCERT PIN/OTP challenge handler.