<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-gb">
<link rel="self" type="application/atom+xml" href="https://forum.yubico.com/feed.php?f=3&amp;t=72" />

<title>Yubico Forum</title>
<subtitle>...visit our web-store at</subtitle>
<link href="https://forum.yubico.com/index.php" />
<updated>2008-06-02T08:51:08+01:00</updated>

<author><name><![CDATA[Yubico Forum]]></name></author>
<id>https://forum.yubico.com/feed.php?f=3&amp;t=72</id>
<entry>
<author><name><![CDATA[Simon]]></name></author>
<updated>2008-06-02T08:51:08+01:00</updated>
<published>2008-06-02T08:51:08+01:00</published>
<id>https://forum.yubico.com/viewtopic.php?t=72&amp;p=144#p144</id>
<link href="https://forum.yubico.com/viewtopic.php?t=72&amp;p=144#p144"/>
<title type="html"><![CDATA[Re: How to use HMAC verification]]></title>

<content type="html" xml:base="https://forum.yubico.com/viewtopic.php?t=72&amp;p=144#p144"><![CDATA[
Wow, thanks for providing this code.  Integrating this into Auth_Yubico would solve one of the open issues.  Do you have the time to prepare a patch for the yubico-php code? See:<br /><br /><!-- m --><a class="postlink" href="http://code.google.com/p/php-yubico/source/browse/trunk/Yubico.php">http://code.google.com/p/php-yubico/sou ... Yubico.php</a><!-- m --><br /><br />The reason for failed signature validation could be because of URL parameter ordering issues, or possibly URI encoding of non-URI alphabetical characters.  The latter would only be triggered in a few cases, so that may explain it.<br /><br />/Simon<p>Statistics: Posted by <a href="https://forum.yubico.com/memberlist.php?mode=viewprofile&amp;u=2">Simon</a> — Mon Jun 02, 2008 8:51 am</p><hr />
]]></content>
</entry>
<entry>
<author><name><![CDATA[vrillusions]]></name></author>
<updated>2008-05-31T10:09:53+01:00</updated>
<published>2008-05-31T10:09:53+01:00</published>
<id>https://forum.yubico.com/viewtopic.php?t=72&amp;p=128#p128</id>
<link href="https://forum.yubico.com/viewtopic.php?t=72&amp;p=128#p128"/>
<title type="html"><![CDATA[Re: How to use HMAC verification]]></title>

<content type="html" xml:base="https://forum.yubico.com/viewtopic.php?t=72&amp;p=128#p128"><![CDATA[
Looked at it some more and solved the problem.  The api key you get when you request it is base64 encoded.  You need to decode it first before performing hmac.  After I did that it worked just fine.<br /><br />The attached file is a proof of concept that creates a signature on sending and verifies the response.  I made it in php since I know that the most.  I heavily commented it so it shouldn't be too difficult to port to other languages.  Keep in mind this is a proof of concept script only.  I'm doing no real sanitizing of input and so there's the chance this script is susceptible to XSS in its current form.<br /><br />You'll need to enter your own values for the api id and key that you get when you request it.<br /><br />I have observed a bug where I'll get the BAD_SIGNATURE response on occasion.  It's sporadic and submitting a new OTP it will usually go away.  This could be a problem with this implementation or on the server end or somewhere else.  Since testing this I've never had a bad signature in the response though.<p>Statistics: Posted by <a href="https://forum.yubico.com/memberlist.php?mode=viewprofile&amp;u=90">vrillusions</a> — Sat May 31, 2008 10:09 am</p><hr />
]]></content>
</entry>
<entry>
<author><name><![CDATA[vrillusions]]></name></author>
<updated>2008-05-31T02:19:58+01:00</updated>
<published>2008-05-31T02:19:58+01:00</published>
<id>https://forum.yubico.com/viewtopic.php?t=72&amp;p=127#p127</id>
<link href="https://forum.yubico.com/viewtopic.php?t=72&amp;p=127#p127"/>
<title type="html"><![CDATA[How to use HMAC verification]]></title>

<content type="html" xml:base="https://forum.yubico.com/viewtopic.php?t=72&amp;p=127#p127"><![CDATA[
Hi, I just got the yubikey and it verifies fine when I do the api test.  I wanted to get hmac signatures working but I'm not getting it to work, the status is always &quot;BAD_SIGNATURE&quot;<br /><br />I am using php5 to do this.  Take the following code as an example (api id, api key, and otp are fictional here)<br /><div class="codetitle"><b>Code:</b></div><div class="codecontent">&lt;?php<br />$apiKey = 'dksh3icnsle';<br />$message = 'id=1&amp;otp=ddkwn3kdlsh3kglskeh3kld';<br />$signature = hash_hmac('sha1', $message, $apiKey, TRUE);<br />$signature = base64_encode($signature);<br />$url = 'http://api.yubico.com/wsapi/verify?'.$message.'&amp;h='.$signature;<br />// $url becomes http://api.yubico.com/wsapi/verify?id=1&amp;otp=ddkwn3kdlsh3kglskeh3kld&amp;h=ODK20DHD92LSHGKJLSL3KSL<br />$ch = curl_init($url);<br />curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);<br />$result = curl_exec($ch);<br />curl_close($ch);<br />echo $result;<br /></div><br /><br />The result would have an h and t value and status would be BAD_SIGNATURE<br /><br />So I registered for an api key and id.  I hash id and otp values with my api key (the TRUE at the end returns the raw byte value, I've tried using the hexadecimal representation as well), base64 encode it, and place it at the end of the call.  Is there a step I'm missing somewhere?<p>Statistics: Posted by <a href="https://forum.yubico.com/memberlist.php?mode=viewprofile&amp;u=90">vrillusions</a> — Sat May 31, 2008 2:19 am</p><hr />
]]></content>
</entry>
</feed>