From 97432950b13cf5540f3c83814ec4e0e15a9fed12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrik=20Str=C3=A5th?= Date: Tue, 12 Aug 2014 13:45:01 +0200 Subject: [PATCH] Stricter Asciidoc, that now works on opensource.yubico.com as well --- doc/ValidationProtocolV20.adoc | 34 ++++++++++++++-------------------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/doc/ValidationProtocolV20.adoc b/doc/ValidationProtocolV20.adoc index 363f5eb..5d3a26a 100644 --- a/doc/ValidationProtocolV20.adoc +++ b/doc/ValidationProtocolV20.adoc @@ -1,7 +1,7 @@ Validation Protocol Version 2.0 =============================== -## Introduction +== Introduction All requests are HTTP GET requests. As such, all parameters must be properly URL encoded. In particular, some base64 characters (such as @@ -12,7 +12,7 @@ response has not been tampered with, clients either verify the HMAC signature or use HTTPS connections (and verify the server certificate). -## Generating signatures +== Generating signatures The protocol uses HMAC-SHA-1 signatures. The HMAC key to use is the client API key. @@ -29,7 +29,7 @@ signature do: * Base 64 encode the resulting value according to RFC 4648, for example, `t2ZMtKeValdA+H0jVpj3LIichn4=`. * Append the value under key 'h' to the message. -## Verifying signatures +== Verifying signatures To verify a signature on a response message, follow the same procedure that was used to sign the response message and compare the signature @@ -38,19 +38,16 @@ values are equal, the signature is correct. Make sure you remove the signature itself from the values you generate the signature over for verification. If the incoming message is -``` -b=1&a=2&c=3&h=V5FkMYr9GCG9tQA9ihuuybWl99U= -``` + b=1&a=2&c=3&h=V5FkMYr9GCG9tQA9ihuuybWl99U= + make sure to remove h before verifying: -``` -b=1&a=2&c=3 -``` + b=1&a=2&c=3 Don't forget to sort the key/value pairs. -## Verification +== Verification There is one call to verify YubiKey OTPs: verify. 
@@ -61,7 +58,7 @@ send the OTP. To avoid cut'n'paste attacks, the client MUST verify that the "otp" in the response is the same as the "otp" supplied in the request. -## Request +== Request Construct an HTTP GET call to @@ -112,18 +109,15 @@ with the following parameters (note that this request need not be signed): An example request: -``` -http://api.yubico.com/wsapi/2.0/verify?otp=vvvvvvcucrlcietctckflvnncdgckubflugerlnr&id=87&timeout=8&sl=50&nonce=askjdnkajsndjkasndkjsnad -``` + http://api.yubico.com/wsapi/2.0/verify?otp=vvvvvvcucrlcietctckflvnncdgckubflugerlnr&id=87&timeout=8&sl=50&nonce=askjdnkajsndjkasndkjsnad And if you require additional information on timestamp and session counters: -``` -http://api.yubico.com/wsapi/2.0/verify?id=87&otp=vvvvvvcucrlcietctckflvnncdgckubflugerlnr&timeout=8&sl=50&nonce=askjdnkajsndjkasndkjsnad×tamp=1 -``` + http://api.yubico.com/wsapi/2.0/verify?id=87&otp=vvvvvvcucrlcietctckflvnncdgckubflugerlnr&timeout=8&sl=50&nonce=askjdnkajsndjkasndkjsnad×tamp=1 -## Response + +== Response The verification response tells you whether the OTP is valid. The response has the following values: @@ -204,9 +198,9 @@ These are the possible "status" values in a verify response: | REPLAYED_REQUEST | Server has seen the OTP/Nonce combination before +|=== - -## Changes since version 1.1 +== Changes since version 1.1 The verify URL has changed. In the request, the new required field "nonce" were added, and the new optional fields "sl" and "timeout" are
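Review bot: The example that remains after removing h in the "Verifying signatures" hunk (`@@ -38,19 +38,16 @@`), `b=1&a=2&c=3`, is still in unsorted order, and the only hint is the trailing sentence "Don't forget to sort the key/value pairs". Since this hunk already rewrites both example blocks, consider adding a third literal line with the sorted string that is actually signed (`a=2&b=1&c=3`), so an implementer does not compute the HMAC over the pairs in wire order and then treat a valid response as tampered.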
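Review bot: In the example-request hunk (`@@ -112,18 +109,15 @@`), the second URL as shown here ends in `nonce=askjdnkajsndjkasndkjsnad×tamp=1`, so the timestamp parameter that the preceding sentence introduces is not readable as `&timestamp=1`. Check that the ampersand sequence survives in the new indented literal block on the rendered page, and escape it if it does not. Both examples also use `http://` for a request that "need not be signed", while the introduction relies on either HMAC verification or HTTPS to detect a tampered response; an `https://` example, or a short reminder that a plain-HTTP client must verify h, would be consistent with that. The hunk also adds two blank `+` lines before `== Response` where one is enough.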
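Review bot: The trailing context of the last hunk (`@@ -204,9 +198,9 @@`) reads `the new required field "nonce" were added`; as this commit is already tidying the file, fix the agreement to "was added". The added `|===` closes the status table, but its opening delimiter is outside the visible context, so confirm the pair is balanced: an unmatched `|===` would pull the `== Changes since version 1.1` heading into the table.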