Yubico Forum
https://forum.yubico.com/

Validating server output
https://forum.yubico.com/viewtopic.php?f=3&t=694
Page 1 of 1

Author:  Morthawt [ Sun Jul 24, 2011 12:52 am ]
Post subject:  Validating server output

I am new to all this and just found the API. It was very confusing and I had to look around online to find out that you can do it with a URL. Well, I have been able to get it to validate an OTP against the Yubico server API, but the h= part is confusing me. With AutoIT I would be able to write a program that passes the user's input to the API via a URL and checks to see if after status it says "OK". I am assuming the h= is a hash, but what is the hash doing and how can it be used?

I assume the private key that is generated when you register for an API thing has something to do with it maybe? Please can someone explain this. Thank you.

Author:  Morthawt [ Sun Feb 19, 2012 6:46 pm ]
Post subject:  Re: Validating server output

Wow, as I go searching for the answer to this question again, I find myself saying "Poor guy, nobody answered..." only to realise this is my own thread and nobody bothered to provide any help. I am still trying to verify the server result hash. I have used openssl.exe to do an HMAC-SHA1 hash of my API key and the parts of the server result in alphabetical order as stipulated in the documentation, minus the h= one. I then also used openssl.exe to encode the result as base64. I am then left with a result that is too large and looks nothing like the hash in the result from the server.

Would anyone care to attempt to explain "how" to do this process instead of just the fact you need to do it? It is not enough to tell someone "Get in the car and drive according to government guidelines." That does not tell you "how" to actually drive, only that "guidelines" exist for driving.

Help would be appreciated.

Thank you

Author:  rpimonitrbtch [ Mon Feb 20, 2012 3:06 am ]
Post subject:  Re: Validating server output

It should be as simple as what's in the API documentation. It might help to see an example of what you're trying to do. Obviously, I wouldn't expect you to share your own API key, so maybe an example using a response with the keys in this page: http://demo.yubico.com/php-yubico/demo.php

My gut reaction is that openssl on the command line is garbling something.

Author:  Morthawt [ Mon Feb 20, 2012 3:29 am ]
Post subject:  Re: Validating server output

Yeah, it seems to not be doing what I need it to. What command line programs or whatever do I need in order to be able to verify the hash? Since I cannot check the certificate for the SSL connection, I need to be able to verify the hash with my API key.

What is the official method of doing this from command line?

Author:  Fredrik-at-Yubico [ Tue Mar 06, 2012 10:58 am ]
Post subject:  Re: Validating server output

The h= is a cryptographic hash of the data in the request/response and provides integrity when SSL is not used.

How to generate and validate the signatures is documented here: http://code.google.com/p/yubikey-val-server-php/wiki/ValidationProtocolV20

There is a rudimentary command line client called 'ykclient' in the yubico-c-client project at http://code.google.com/p/yubico-c-client/

/Fredrik
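The signature check that both the second post and Fredrik's reply refer to, as an added worked example (this is not code from the thread, from Yubico, or from the ykclient project). It follows the Validation Protocol V2.0 rule linked above: take every response field except h, sort them by name, join them as key=value pairs with "&", compute HMAC-SHA1 over that string keyed with the base64-decoded API key, and base64-encode the raw 20-byte digest. The two points that most often produce "a result that is too large" are that the API key must be base64-decoded before it is used as the HMAC key, and that the signature is base64 of the raw digest, not base64 of a hex string. The API key, OTP, nonce and response values below are constructed placeholders; the response body is built locally with the same key so the example runs offline. The verifier also checks that the otp and nonce echoed by the server match the request that was sent, since a valid signature on someone else's response is not proof that this OTP was accepted.

```python
import base64
import hashlib
import hmac

# Constructed demo API key: 20 arbitrary bytes, base64-encoded the way the
# Yubico API key page hands keys out. Not a real key.
DEMO_API_KEY_B64 = base64.b64encode(bytes(range(20))).decode("ascii")


def canonical_string(params):
    """Every field except h, sorted by name, joined as key=value with '&'.
    This is the exact byte string the server signed (Validation Protocol V2.0)."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")


def compute_h(params, api_key_b64):
    """base64(HMAC-SHA1(base64decode(api_key), canonical_string))."""
    key = base64.b64decode(api_key_b64)          # raw key bytes, not the base64 text
    msg = canonical_string(params).encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha1).digest()   # raw 20-byte digest, not hex
    return base64.b64encode(digest).decode("ascii")      # 28 characters, like the server's h


def parse_response(text):
    """Parse the line-oriented key=value body. Values such as t and h contain
    '=' themselves, so split only on the first one."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            k, _, v = line.partition("=")
            params[k] = v
    return params


def verify_response(text, api_key_b64, sent_otp, sent_nonce):
    """Return (ok, reason). ok is True only when h verifies, the response echoes
    the otp and nonce we sent, and status is OK."""
    params = parse_response(text)
    if "h" not in params:
        return False, "no signature"
    expected = compute_h(params, api_key_b64)
    if not hmac.compare_digest(expected, params["h"]):   # constant-time compare
        return False, "signature mismatch"
    if params.get("otp") != sent_otp or params.get("nonce") != sent_nonce:
        return False, "response does not belong to our request"
    if params.get("status") != "OK":
        return False, "status " + params.get("status", "?")
    return True, "OK"


def make_signed_response(params, api_key_b64):
    """Build a response body the way the server does; used here only to
    construct the sample input."""
    p = dict(params)
    p["h"] = compute_h(p, api_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in p.items())


# Constructed sample request/response values (placeholders, not captured traffic).
SENT_OTP = "c" * 44                                    # 44 modhex characters
SENT_NONCE = "0123456789abcdef0123456789abcdef"
SAMPLE_PARAMS = {
    "otp": SENT_OTP,
    "nonce": SENT_NONCE,
    "t": "2012-02-20T03:06:00Z0123",
    "sl": "100",
    "status": "OK",
}


def demo():
    """Verify a correctly signed body, then show that a body whose status was
    rewritten on the wire from REPLAYED_OTP to OK fails the check."""
    good_body = make_signed_response(SAMPLE_PARAMS, DEMO_API_KEY_B64)
    good = verify_response(good_body, DEMO_API_KEY_B64, SENT_OTP, SENT_NONCE)

    denied_body = make_signed_response({**SAMPLE_PARAMS, "status": "REPLAYED_OTP"},
                                       DEMO_API_KEY_B64)
    tampered_body = denied_body.replace("status=REPLAYED_OTP", "status=OK")
    bad = verify_response(tampered_body, DEMO_API_KEY_B64, SENT_OTP, SENT_NONCE)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Without the key, nobody between the client and the validation server can change a denied status to OK and still produce a matching h, which is what makes the signature useful when the SSL certificate cannot be checked. The same `canonical_string` and `compute_h` routines are used to sign the request (the parameters you send, including the nonce) if the request signature is required.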

Page 1 of 1 All times are UTC + 1 hour