I just got my first Yubikey and of course had to play with it. Since I've been experimenting with webapps in Python, I figured I might as well figure out how to verify an OTP in Python. Sure, there are a couple of other Python libraries out there, but none of them supported validating the HMAC signatures on the API responses, so I wrote one of my own. The documentation at http://yubico.com/developers/api/ was a bit harder to understand than it needed to be, so I'm sharing my implementation at http://code.google.com/p/python-yubikey-auth/
A couple of things about validating HMAC signatures that I learned in the process and that others trying to do their own implementations might find helpful:
- The API key that you get from https://api.yubico.com/get-api-key/ is base64-encoded. Before you use it as the HMAC-SHA1 key to generate or check signatures, you need to base64-decode it! This wasn't obvious to me and I wasted a lot of time because of this: signing with the encoded string instead of the decoded bytes produces a perfectly plausible-looking signature that never matches.
- The API docs talk about key/value pairs and the keys needing to be in alphabetical order when verifying the signature. When explaining the procedure for generating signatures they keep talking about keys a, b & c, but those are just placeholder names for the example; in a real response the keys you care about are "info" (not always there), "status" and "t". The rule is: take every key=value pair in the response except the signature "h" itself, sort the pairs by key, join them with "&", compute HMAC-SHA1 over that string with the decoded API key, base64-encode the result and compare it with "h". Building the string from whatever keys the response actually contains (rather than hard-coding info/status/t) keeps the check working if the API adds fields.
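Here is the whole procedure from the two points above in working Python. This is an added example written for this post, not the code from python-yubikey-auth or Yubico; the API key and the response body are constructed sample data, and the field layout (one key=value per line, with "h" holding the base64 HMAC-SHA1 over the other fields) is the one described above.

```python
import base64
import hashlib
import hmac

# Constructed sample key, in the base64 form the get-api-key page hands out.
# Not a real API key.
API_KEY_B64 = base64.b64encode(b"0123456789abcdef0123").decode()


def sign(params, key_bytes):
    """Base64 HMAC-SHA1 over 'k=v&k=v...' of all pairs except 'h', sorted by key.

    key_bytes must be the *decoded* API key; passing the base64 string
    (as bytes) is the mistake described in the post and yields a wrong
    but plausible-looking signature.
    """
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(key_bytes, canonical.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def parse_response(text):
    """Parse the response body: one key=value per line, blank lines ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values such as 'info' may contain '='
        params[key] = value
    return params


def verify_response(text, api_key_b64):
    """True if the 'h' field is a valid signature over the other fields."""
    key_bytes = base64.b64decode(api_key_b64)  # decode first!
    params = parse_response(text)
    expected = sign(params, key_bytes)
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(expected, params.get("h", ""))


def make_sample_response(api_key_b64):
    """Build a constructed response body, signed the way the API would sign it."""
    params = {"t": "2009-05-10T12:34:56Z0123", "status": "OK", "info": "constructed"}
    params["h"] = sign(params, base64.b64decode(api_key_b64))
    return "".join(f"{k}={params[k]}\n" for k in ("h", "t", "status", "info"))


if __name__ == "__main__":
    body = make_sample_response(API_KEY_B64)
    print(body)
    print("valid:", verify_response(body, API_KEY_B64))
    tampered = body.replace("status=OK", "status=REPLAYED_OTP")
    print("tampered valid:", verify_response(tampered, API_KEY_B64))
```

The same `sign` function signs the request side too: put the query parameters (everything except h) in the dict and attach the result as `h`. Note that `verify_response` returns False for a body with no `h` line at all, so an unsigned response is rejected rather than silently accepted.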