@mikem
Created February 22, 2020 13:40
A small Perl script to verify a Yubikey OTP
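#!/usr/bin/env perl
# A small script to verify a Yubikey OTP with Yubico.
# Inspired by https://www.crc.id.au/openvpn-otp-with-a-yubikey/
# Usage: curl "$(./yubikey-verify.pl)"
use strict;
use warnings;
use MIME::Base64 qw( encode_base64 decode_base64 );
use Digest::HMAC_SHA1 qw( hmac_sha1 );
use URI::Escape qw( uri_escape );

# API client id and its base64-encoded API key (placeholders; substitute your own).
my $yubico_id = 11111;
my %yubico_secrets = (
    11111 => 'secret',
    11112 => 'sekret',
);

# The prompt goes to STDERR so that STDOUT carries only the URL.
print STDERR "Touch the Yubikey! ";
my $password = <STDIN>;
die "No OTP read from STDIN\n" unless defined $password;
chomp $password;

# Nonce that the server echoes back: 25 random alphanumeric characters
# (the range 16..40 only sets the count). Note that rand() is not a CSPRNG.
my @alphanumeric = ('a'..'z', 'A'..'Z', 0..9);
my $nonce = join '', map { $alphanumeric[rand @alphanumeric] } 16..40;

my %request_parameters = (
    'id'      => $yubico_id,
    'otp'     => $password,
    'nonce'   => $nonce,
    'sl'      => 'secure',
    'timeout' => 10,
);

# The signature covers the key-sorted, unescaped parameters joined with '&'.
my $query_string = join("&", map { "$_=$request_parameters{$_}" } sort keys %request_parameters);
my $unescaped_signature = encode_base64(hmac_sha1($query_string, decode_base64($yubico_secrets{$yubico_id})));
chomp $unescaped_signature;
my $signature = uri_escape($unescaped_signature);

# Values are percent-encoded only when building the URL, so unexpected input
# on STDIN cannot break the URL or split into extra curl arguments.
my $url_query = join("&", map { "$_=" . uri_escape($request_parameters{$_}) } sort keys %request_parameters);
print "https://api.yubico.com/wsapi/2.0/verify?$url_query&h=$signature\n";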
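The script above only builds the signed request; the reply that curl prints still has to be checked before `status=OK` is trusted. The following is an added example, not part of the original gist: it verifies the `h` signature of a reply and that the echoed `otp` and `nonce` match what was sent. The names `check_response` and `constant_time_eq`, the key, the OTP and the reply are all constructed for illustration.

```perl
use strict;
use warnings;
use MIME::Base64 qw( encode_base64 decode_base64 );
use Digest::HMAC_SHA1 qw( hmac_sha1 );

# Compare two strings without stopping at the first differing character.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns (1, 'OK') only if the reply is correctly signed, echoes the OTP and
# nonce that were sent, and reports status=OK; otherwise (0, reason).
sub check_response {
    my ($body, $api_key_b64, $sent_otp, $sent_nonce) = @_;
    my %r;
    for my $line (split /\r?\n/, $body) {
        next unless $line =~ /^([a-z]+)=(.*)$/;   # split at the first '='; values may contain '='
        $r{$1} = $2;
    }
    my $h = delete $r{h};
    return (0, 'missing signature') unless defined $h;

    # Same construction as for the request: key-sorted pairs joined with '&', h excluded.
    my $signed   = join '&', map { "$_=$r{$_}" } sort keys %r;
    my $expected = encode_base64(hmac_sha1($signed, decode_base64($api_key_b64)), '');
    return (0, 'bad signature')  unless constant_time_eq($h, $expected);
    return (0, 'otp mismatch')   unless ($r{otp}   // '') eq $sent_otp;
    return (0, 'nonce mismatch') unless ($r{nonce} // '') eq $sent_nonce;
    return (0, 'status=' . ($r{status} // 'missing')) unless ($r{status} // '') eq 'OK';
    return (1, 'OK');
}

# Constructed sample data (not real credentials and not a real server reply).
my $key   = encode_base64('constructed-demo-key', '');
my $otp   = 'cccccccccccc' . 'bdefghijklnrtuvbdefghijklnrtuvbd';
my $nonce = 'abcdefghijklmnop1234';
my %f = (otp => $otp, nonce => $nonce, sl => 100, status => 'OK', t => '2020-02-22T13:40:00Z0123');
my $sig  = encode_base64(hmac_sha1(join('&', map { "$_=$f{$_}" } sort keys %f), decode_base64($key)), '');
my $good = join("\r\n", "h=$sig", map { "$_=$f{$_}" } sort keys %f) . "\r\n";
(my $edited = $good) =~ s/status=OK/status=REPLAYED_OTP/;   # body changed after signing

print join(' ', check_response($good,   $key, $otp, $nonce)), "\n";          # authentic reply
print join(' ', check_response($edited, $key, $otp, $nonce)), "\n";          # signature no longer matches
print join(' ', check_response($good,   $key, $otp, 'anotherNonce1234')), "\n";  # reply to a different request
```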