Yubico Forum

Posted: Sat Jun 28, 2008 4:25 am
Hi

I am trying to use the signature portion to verify my Yubikey, but I am not sure what I am doing wrong.

Below is part of the code.
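=============================================================================================
Note: _clientId and hKey are from the online API key generator
=============================================================================================
// Imports used by this excerpt (the Base64 class is not shown in the post)
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Build the string to sign and the request URL (excerpt from the calling method)
String text = "id=" + _clientId + "&otp=" + otp;

String b64Encoded = sign(text, hKey);

// The signature is appended to the query string exactly as Base64 produced it
URL srv = new URL(YUBICO_AUTH_SRV_URL + _clientId + "&otp=" + otp + "&h=" + b64Encoded);
...

// Returns base64(HMAC-SHA1(base64-decoded secret, what))
public static String sign(String what, String secret)
        throws IllegalArgumentException {
    try {
        byte[] b = hmacSha1(Base64.decode(secret), what.getBytes("UTF-8"));
        String s = Base64.encode(b);
        s = s.replaceAll("\n", "");  // remove any newline characters from the encoded output
        return s;
    } catch (UnsupportedEncodingException e) {
        throw new IllegalArgumentException(e);
    } catch (IOException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
        throw new IllegalArgumentException(e);
    }
}

// HMAC_SHA1_ALGORITHM is defined elsewhere in the class (not shown in the post)
private static byte[] hmacSha1(byte[] key, byte[] text)
        throws IllegalArgumentException {
    try {
        SecretKey sk = new SecretKeySpec(key, HMAC_SHA1_ALGORITHM);
        Mac m = Mac.getInstance(sk.getAlgorithm());
        m.init(sk);
        return m.doFinal(text);
    } catch (InvalidKeyException e) {
        throw new IllegalArgumentException(e);
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalArgumentException(e);
    }
}

=============================================================================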

Thanks

Ron


Posted: Sat Jun 28, 2008 4:58 pm
I did some further testing and I got an OK status. But sometimes I get a BAD SIGNATURE status.

Is there a reason why sometimes it is OK and others it returns a BAD SIGNATURE?

Ron


Posted: Mon Jun 30, 2008 1:27 pm
Ron,

This is interesting as we are seeing a very similar thing. The key seems to work fine for a while, but then requires between 3 and 6 attempts before the key is accepted.

Puzzling :? I have emailed support and am waiting for a response.

Tony


Posted: Mon Jun 30, 2008 3:15 pm
Site Admin
Could you log the requests to see which attempts work and which don't work for you?

Possibly it could be URL encoding that doesn't work, or some other pattern that we can detect if we see a debug log of 15-20 attempts where some work and some don't work.

/Simon


Posted: Mon Jun 30, 2008 3:32 pm
Thanks - when you say post a debug log, do you mean a list of OTPs, signatures with pass and fail?

Tony


Posted: Tue Jul 01, 2008 3:11 am
Hi

Attached is the logging. I hope this is ok.

I also attached my servlet program I used to produce the log.

The only thing I can think of is the base64 class used to encode base64.


Posted: Tue Jul 01, 2008 10:04 am
Here is my log. I assume the API KEY is a secret, so I have registered another one to use here and for development (auth id 180). It made no difference to the number of bad signature responses.

You already have my code, which is in C#.

Tony


Posted: Tue Jul 01, 2008 11:35 am
Site Admin
Thank you very much for posting the log, it allowed me to find the problem quickly.

Did you notice that all of the requests that do not succeed contain '+' in the signature field? And that all requests that succeed do not contain a '+' in the signature field? This is your problem: sending a '+' value in an HTTP GET URL requires escaping, so you need to escape it.

/Simon


Posted: Tue Jul 01, 2008 12:09 pm
Of course :roll: -- good spot, Simon.

I have added a URL encode and it has solved the problem. You may want to add this to the sample code on the Google sites.

For C# use the System.Web.HttpUtility.UrlEncode(string).

Tony


Posted: Tue Jul 01, 2008 3:26 pm
Yes,

URL encoding worked. Every call was successful.

For Java I used URLEncoder.encode(string, "UTF-8");

I agree with Tony that mentioning URL encoding is needed in the sample code or as a step on the web service API page under the developer section.


Thanks

Ron
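
Added example, not code from any poster in this thread: a self-contained Java program that reproduces the intermittent failure diagnosed above and the URLEncoder fix, showing that only signatures containing '+' change between client and server. Assumptions: the key and OTP strings are constructed placeholders, java.util.Base64 stands in for the Base64 class used in the first post, and the server's query-string parsing is modelled with URLDecoder.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignatureEncodingDemo {
    // Constructed 20-byte demo key, base64-encoded. Not a real API key.
    static final String DEMO_KEY_B64 = Base64.getEncoder()
            .encodeToString("constructed-demo-key".getBytes(StandardCharsets.UTF_8));

    // Same scheme as sign() in the thread: base64(HMAC-SHA1(decoded key, text)).
    static String sign(String text, String keyB64) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(Base64.getDecoder().decode(keyB64), "HmacSHA1"));
        byte[] digest = mac.doFinal(text.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Assumption: the server parses the query string like a standard form
    // decoder, which turns '+' into a space and resolves %XX escapes.
    static String asSeenByServer(String queryValue) throws Exception {
        return URLDecoder.decode(queryValue, "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        int total = 200, withPlus = 0, rawMismatch = 0, encodedMismatch = 0;
        for (int i = 0; i < total; i++) {
            String otp = "constructedotp" + i; // placeholder, not a real OTP
            String sig = sign("id=1&otp=" + otp, DEMO_KEY_B64);
            if (sig.indexOf('+') >= 0) withPlus++;
            // Before: h=<sig> placed in the URL unescaped.
            if (!asSeenByServer(sig).equals(sig)) rawMismatch++;
            // After: h=URLEncoder.encode(sig, "UTF-8"), as in Ron's fix.
            String escaped = URLEncoder.encode(sig, "UTF-8");
            if (!asSeenByServer(escaped).equals(sig)) encodedMismatch++;
        }
        System.out.printf("signatures containing '+': %d of %d%n", withPlus, total);
        System.out.printf("altered in transit, unescaped: %d%n", rawMismatch);
        System.out.printf("altered in transit, URL-encoded: %d%n", encodedMismatch);
    }
}
```

Because the HMAC output differs for every OTP, whether a given signature happens to contain '+' varies from request to request, which is why the unescaped client fails only some of the time.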

