Yubico Forum

I got the protocol working pretty first, so that's all good. But for increased security, we'd like to add the 'h' parameter to the url, but no matter what I try, I always get the response "BAD_SIGNATURE".

As for now, I am using this site to generate the signature: https://quickhash.com/ Algorithim is SHA1 with "Use HMAC Method?" checked and output set to Base64.
The HMAC key I use is the 'Secret Key' I get from https://upgrade.yubico.com/getapikey/.
The id parameter in the url is also from the /getapikey site.

If I input this in the quickhash input box: id=15401&nonce=askjdnkajsndjkasndkjsnad&otp=ccccccdbrldiifthrjbbjlvgkcguceiheninhbubtgil
And then click generate I get this output: by7jCdAlZI1osGspmzHIGQEjnZ4=

So I go to this url: http://api.yubico.com/wsapi/2.0/verify? ... HIGQEjnZ4=

And get this response:
h=vA0nh/B/o/NqgjbaTiwFdP7QBFU=
t=2014-02-19T08:39:59Z0949
status=BAD_SIGNATURE


Any and all help would be appreciated!

The protocol uses HMAC-SHA-1 signatures. The HMAC key to use is the client API key.

Generate the signature over the parameters in the message. Each message contains a set of key/value pairs, and the signature is always over the entire set (excluding the signature itself), and sorted in alphabetical order of the keys. More precisely, to generate a message signature do:

1- Alphabetically sort the set of key/value pairs by key order.
2- Construct a single line with each ordered key/value pair concatenated using '&', and each key and value contatenated with '='. Do not add any linebreaks. Do not add whitespace. For example: `a=2&b=1&c=3`.
3- Apply the HMAC-SHA-1 algorithm on the line as an octet string using the API key as key.
4- Base 64 encode the resulting value according to RFC 4648, for example, `t2ZMtKeValdA+H0jVpj3LIichn4=`.
5- Append the value under key 'h' to the message.[/list]

_________________
-Tom

While being thankful for your reply, I'm afraid that I cannot use it for anything, since I've already read the guide from where you copy/pasted the steps.
I followed every step the best I could, but still nothing.

Hello,

That site isn't doing base64 decoding of your key..

Let's do a little example..

We're using id 15618 and key Eibja2kRFXXoW6hjZaiyBtWnCBA=
With the string id=15618&nonce=0102030405060708090a0b0c0d0e0f&otp=ccccccbteuddjivcnlfefefrccdcjrfjfvgjnfkcklge quickhash.com gives us XsQI1OJZ+R0KsAokpdAAhHQQavQ= but the correct signature is Jt19GpDOAraTYRFBHSofYZFEwjE=

https://api.yubico.com/wsapi/verify/2.0 ... ofYZFEwjE=
https://api.yubico.com/wsapi/verify/2.0 ... AAhHQQavQ=

and finally some perl code:



/klas