I have some troubles verifying the response from the Yubico server.
The response I get is something like this (REPLAYED_OTP is ok, I'm fooling around)
What I do is the following:
- base 64 decode the hash which gives me (200 251 11 162 215 23 249 83 136 63 243 146 149 88 139 170 195 11 151 135)
- compute the verification line which is in this case "s=REPLAYED_OTP&t=2008-10-05T09:17:26Z0459". It's all ASCII so it's the same in UTF-8.
- compute the HMAC-SHA1 hash over the verification line using my shared secret and compare it with hash from the first step. They don't match.
I also sign my requests and the server does verify them. If I attach a wrong signature the server complains with BAD_SIGNATURE. So I think my HMAC-SHA1 library is ok. My first guess would be that my verification line is bad.