Yubico Forum

All times are UTC + 1 hour




Posted: Sat May 31, 2008 2:19 am
Hi, I just got the yubikey and it verifies fine when I do the api test. I wanted to get hmac signatures working but I'm not getting it to work; the status is always "BAD_SIGNATURE".

I am using php5 to do this. Take the following code as an example (api id, api key, and otp are fictional here)
Code:
<?php
$apiKey = 'dksh3icnsle';
$message = 'id=1&otp=ddkwn3kdlsh3kglskeh3kld';
$signature = hash_hmac('sha1', $message, $apiKey, TRUE);
$signature = base64_encode($signature);
$url = 'http://api.yubico.com/wsapi/verify?'.$message.'&h='.$signature;
// $url becomes http://api.yubico.com/wsapi/verify?id=1&otp=ddkwn3kdlsh3kglskeh3kld&h=ODK20DHD92LSHGKJLSL3KSL
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$result = curl_exec($ch);
curl_close($ch);
echo $result;


The result would have an h and t value and status would be BAD_SIGNATURE

So I registered for an api key and id. I hash id and otp values with my api key (the TRUE at the end returns the raw byte value, I've tried using the hexadecimal representation as well), base64 encode it, and place it at the end of the call. Is there a step I'm missing somewhere?


Posted: Sat May 31, 2008 10:09 am
Looked at it some more and solved the problem. The api key you get when you request it is base64 encoded. You need to decode it first before performing hmac. After I did that it worked just fine.

The attached file is a proof of concept that creates a signature on sending and verifies the response. I made it in php since I know that the most. I heavily commented it so it shouldn't be too difficult to port to other languages. Keep in mind this is a proof of concept script only. I'm doing no real sanitizing of input and so there's the chance this script is susceptible to XSS in its current form.

You'll need to enter your own values for the api id and key that you get when you request it.

I have observed a bug where I'll get the BAD_SIGNATURE response on occasion. It's sporadic, and on submitting a new OTP it will usually go away. This could be a problem with this implementation or on the server end or somewhere else. Since testing this I've never had a bad signature in the response though.


Posted: Mon Jun 02, 2008 8:51 am
Site Admin
Wow, thanks for providing this code. Integrating this into Auth_Yubico would solve one of the open issues. Do you have the time to prepare a patch for the yubico-php code? See:

http://code.google.com/p/php-yubico/sou ... Yubico.php

The reason for failed signature validation could be because of URL parameter ordering issues, or possibly URI encoding of non-URI alphabetical characters. The latter would only be triggered in a few cases, so that may explain it.

/Simon
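
The three points raised in this thread (decode the base64 API key before the HMAC, keep parameter ordering fixed, percent-encode the signature only when building the URL) are put together in the added example below. It is not the attached proof of concept or php-yubico code. The function names are hypothetical, the key, id, OTP and response are constructed, and it assumes PHP 7.1+, parameters sorted by name before signing, and a response body of one name=value pair per line.

```php
<?php
// Constructed key, id and OTP throughout; no network request is made.

/** Sign pairs: sort by name, join with '&', HMAC-SHA1 with the decoded key. */
function yubico_sign(array $params, string $apiKeyB64): string
{
    $key = base64_decode($apiKeyB64, true);   // strict mode: false on bad input
    if ($key === false || $key === '') {
        throw new InvalidArgumentException('API key is not valid base64');
    }
    unset($params['h']);                      // the signature never covers itself
    ksort($params, SORT_STRING);              // same ordering on both sides
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = $name . '=' . $value;      // raw values, no URL encoding here
    }
    return base64_encode(hash_hmac('sha1', implode('&', $pairs), $key, true));
}

/** Build the query string; '+', '/' and '=' in h are percent-encoded here only. */
function yubico_query(array $params, string $apiKeyB64): string
{
    $params['h'] = yubico_sign($params, $apiKeyB64);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/** Parse a response body and check its h value in constant time. */
function yubico_verify_response(string $body, string $apiKeyB64): bool
{
    $fields = [];
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        if (trim($line) === '') { continue; }
        // Split on the first '=' only: base64 values end in '=' padding.
        [$name, $value] = array_pad(explode('=', $line, 2), 2, '');
        $fields[trim($name)] = trim($value);
    }
    if (!isset($fields['h'])) { return false; }
    return hash_equals(yubico_sign($fields, $apiKeyB64), $fields['h']);
}

// Constructed demo values (not real credentials or a real server response).
$apiKey = base64_encode('constructed-secret-key');
echo yubico_query(['otp' => 'ddkwn3kdlsh3kglskeh3kld', 'id' => '1'], $apiKey), "\n";

$resp = ['status' => 'OK', 't' => '2008-06-02T08:51:00Z0000'];
$body = 'h=' . yubico_sign($resp, $apiKey) . "\r\nt={$resp['t']}\r\nstatus=OK\r\n";
var_dump(yubico_verify_response($body, $apiKey));                          // body as signed
var_dump(yubico_verify_response($body . 'status=REPLAYED_OTP', $apiKey));  // status altered
```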

