Ron,
This is interesting as we are seeing a very similar thing. The key seems to work fine for a while, but then required between 3-6 attempts before the key is accepted.
Puzzling
I have emailed support and waiting a response.Tony
| Yubico Forum https://forum.yubico.com/ |
|
| Problem with BAD SIGNATURE in java https://forum.yubico.com/viewtopic.php?f=3&t=124 |
Page 1 of 2 |
| Author: | yoshir [ Sat Jun 28, 2008 4:25 am ] |
| Post subject: | Problem with BAD SIGNATURE in java |
Hi I am trying to use the signature portion to verify my Yubikey, I am not sure what I am doing wrong. Below is part of the code. ============================================================================================= Note:_clientid and hKey is from the online API key generator ============================================================================================= String text = "id=" + _clientId + "&otp=" + otp; String b64Encoded = sign(text,hKey); URL srv = new URL(YUBICO_AUTH_SRV_URL + _clientId + "&otp=" + otp + "&h=" + b64Encoded ); ... public static String sign(String what, String secret) throws IllegalArgumentException { try { byte[] b = hmacSha1(Base64.decode(secret), what.getBytes("UTF-8")); String s = Base64.encode(b); s = s.replaceAll("\n", ""); return s; } catch (UnsupportedEncodingException e) { throw new IllegalArgumentException(e); } catch (IOException e) { // TODO Auto-generated catch block e.printStackTrace(); throw new IllegalArgumentException(e); } } private static byte[] hmacSha1(byte[] key, byte[] text) throws IllegalArgumentException { try { SecretKey sk = new SecretKeySpec(key, HMAC_SHA1_ALGORITHM); Mac m = Mac.getInstance(sk.getAlgorithm()); m.init(sk); return m.doFinal(text); } catch (InvalidKeyException e) { throw new IllegalArgumentException(e); } catch (NoSuchAlgorithmException e) { throw new IllegalArgumentException(e); } } ============================================================================= Thanks Ron |
|
| Author: | yoshir [ Sat Jun 28, 2008 4:58 pm ] |
| Post subject: | Re: Problem with BAD SIGNATURE in java |
I did some further testing and I got an OK status. But some times I get a BAD SIGNATURE status. Is there a reason why somethimes it is OK and others it returns a BAD SIGNATURE? Ron |
|
| Author: | Jester [ Mon Jun 30, 2008 1:27 pm ] |
| Post subject: | Re: Problem with BAD SIGNATURE in java |
Ron, This is interesting as we are seeing a very similar thing. The key seems to work fine for a while, but then required between 3-6 attempts before the key is accepted. Puzzling I have emailed support and waiting a response.Tony |
|
| Author: | Simon [ Mon Jun 30, 2008 3:15 pm ] |
| Post subject: | Re: Problem with BAD SIGNATURE in java |
Could you log the requests to see which attempts work and which doesn't work for you? Possibly it could be URL encoding that doesn't work, or some other pattern that we can detect if we see a debug log if 15-20 attempts where some work and some doesn't work. /Simon |
|
| Author: | Jester [ Mon Jun 30, 2008 3:32 pm ] |
| Post subject: | Re: Problem with BAD SIGNATURE in java |
Thanks - when you say post a debug log, do you mean a list of otps, signatures with pass and fail? Tony |
|
| Author: | yoshir [ Tue Jul 01, 2008 3:11 am ] |
| Post subject: | Re: Problem with BAD SIGNATURE in java |
Hi Attached is the logging. I hope this is ok. I also attached my servlet program I used to produce the log. The only thing I can think of is the base64 class used to encode base64. |
|
| Author: | Jester [ Tue Jul 01, 2008 10:04 am ] |
| Post subject: | Re: Problem with BAD SIGNATURE in java |
Here is my log. I assume the API KEY is a secret, so I have registered another one to use here and for development (auth id 180). It made no difference to the number of bad signature responses. You already have my code, which is in C#. Tony |
|
| Author: | Simon [ Tue Jul 01, 2008 11:35 am ] |
| Post subject: | Re: Problem with BAD SIGNATURE in java |
Thank you very much for posting the log, it allowed me to find the problem quickly. Did you notice that all of the requests that do not succeed contain '+' in the signature field? And that all requests that succeed does not contain a '+' in the signature field? This is your problem, sending a '+' value in a HTTP GET URL requires escaping, so you need to escape it. /Simon |
|
| Author: | Jester [ Tue Jul 01, 2008 12:09 pm ] |
| Post subject: | Re: Problem with BAD SIGNATURE in java |
Of course  -- good spot, Simon,I have added a URL encode and it has solved the problem. You may want to add this to the sample code on the google sites. For C# use the System.Web.HttpUtility.UrlEncode(string). Tony |
|
| Author: | yoshir [ Tue Jul 01, 2008 3:26 pm ] |
| Post subject: | Re: Problem with BAD SIGNATURE in java |
Yes, URLEncoding worked. every call was successfull For java I used URLEncoder.encode(string, "UTF-8"); I agree with Tony that mentioning URLencoding is needed in a sample code or as a step in the web service api page under developer section Thanks Ron |
|
| Page 1 of 2 | All times are UTC + 1 hour |
| Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |
|