Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:57 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Sun Oct 05, 2008 10:54 am 
Offline

Joined: Sun Oct 05, 2008 10:27 am
Posts: 3
I have some troubles verifying the response from the Yubico server.

The response I get is something like this (REPLAYED_OTP is ok, I'm fooling around)
Code:
h=yPsLotcX+VOIP/OSlViLqsMLl4c=
t=2008-10-05T09:17:26Z0459
status=REPLAYED_OTP

What I do is the following:
  1. base 64 decode the hash which gives me (200 251 11 162 215 23 249 83 136 63 243 146 149 88 139 170 195 11 151 135)
  2. compute the verification line which is in this case "s=REPLAYED_OTP&t=2008-10-05T09:17:26Z0459". It's all ASCII so it's the same in UTF-8.
  3. compute the HMAC-SHA1 hash over the verification line using my shared secret and compare it with hash from the first step. They don't match.
I also sign my requests and the server does verify them. If I attach a wrong signature the server complains with BAD_SIGNATURE. So I think my HMAC-SHA1 library is ok. My first guess would be that my verification line is bad.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Oct 06, 2008 8:38 pm 
Offline
User avatar

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
The hmac calc has not been working well for awhile in the validation response.

So I'm migrating it to the new server at:

http://63.146.69.105/wsapi/verify.php?id=1&otp=...

Let me know if you have problems with the new server?

Thanks

_________________
The YubiKey Server Guy


Top
 Profile  
Reply with quote  
PostPosted: Tue Oct 07, 2008 7:26 pm 
Offline

Joined: Sun Oct 05, 2008 10:27 am
Posts: 3
Yes, now requests that previously returned OK now return BAD_SIGNATURE. I tried to use it without the h parameter but then I get MISSING_PARAMETER info=h.


Top
 Profile  
Reply with quote  
PostPosted: Wed Oct 08, 2008 7:35 am 
Offline
User avatar

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
Philippe wrote:
Yes, now requests that previously returned OK now return BAD_SIGNATURE. I tried to use it without the h parameter but then I get MISSING_PARAMETER info=h.


Philippe, you can turn on/off of signature & id checking at our new validation server in beta:

http://63.146.69.105/yms/

And, you can use this to test the generated signature:

http://63.146.69.105/wsapi/sign_demo.php

To validate an OTP:

Debug mode: http://63.146.69.105/wsapi/verify_debug ... ....&h=....

Production mode: http://63.146.69.105/wsapi/verify?id=...&otp=....&h=....

This beta server's database is used only for testing purpose, NOT the same as the production database behind the server at http://api.yubico.com.

Thanks for comments

_________________
The YubiKey Server Guy


Top
 Profile  
Reply with quote  
PostPosted: Mon Oct 20, 2008 12:27 pm 
Offline
Site Admin
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
We have some clients that perform signing/validation of signatures, check the yubico.com web pages. Maybe you can debug some of them to find out what is going on with your implementation? I think they are supposed to work with our current server.

/Simon


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group