
After having read a lot of documents from Yubico, I have the impression that they want their servers to be used to verify YubiKey OTPs. All the documents and code I found don't really explain how exactly the OTP is built or verified.

For example, "OTPs Explained" states that a checksum is appended at the end, but it does not tell what the format looks like exactly, or how the checksum is computed exactly.

So is there a useful specification out there that allows me to write code to verify an OTP sent from a YubiKey 5?

Update (2023-02-23)

I managed to decode and verify some example data I found in the repositories, but I was not able to decode the output of my own YubiKey, so I guess the encryption key is not correct. However, I copied the key as displayed in the YubiKey Manager; it's a 32-character hex string, and I decoded that string to be my binary decryption key.

So is there some magic to be applied to the key displayed to get the correct key to use? Or do the newer YubiKeys use a different algorithm than the example from 2015 or so?

U. Windl
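The verification flow the question asks about, as an added example in Go that is neither Yubico's code nor from the question: the last 32 modhex characters of an OTP are one AES-128 block, decrypted with the 16-byte key that YubiKey Manager shows as 32 hex characters; the 16 plaintext bytes are a 6-byte private UID, a 16-bit session counter, a 24-bit timestamp, a use counter, 2 random bytes and a CRC-16 (reflected polynomial 0x8408, initial value 0xFFFF, stored inverted), so running the same CRC over all 16 bytes must yield the residue 0xF0B8. The names `Token`, `VerifyOTP`, `modhexDecode` and `crc16` are this example's own; a real verifier additionally looks up the key by public ID, compares the UID with the stored one and rejects any counter/use pair not above the last accepted one (replay protection).

```go
package main
import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"strings"
)
const modhex = "cbdefghijklnrtuv" // the 16 OTP digits; index = nibble value (c=0 ... v=15)
// Token holds what matters from the decrypted 16-byte block (timestamp, random and CRC bytes dropped).
type Token struct {
	PublicID string // cleartext modhex prefix; the verifier looks up the AES key by it
	UID      []byte // 6-byte private identity; must equal the value stored for PublicID
	Counter  uint16 // session counter; reject unless (Counter, Use) is above the last accepted pair
	Use      uint8  // session use counter
}
func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 { return nil, errors.New("invalid modhex character") }
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}
// crc16 is the CRC the key appends: reflected poly 0x8408, init 0xFFFF, no final XOR.
func crc16(data []byte) uint16 {
	crc := uint16(0xFFFF)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 { crc = crc>>1 ^ 0x8408 } else { crc >>= 1 }
		}
	}
	return crc
}
// VerifyOTP decrypts the last 32 modhex chars (one AES-128 block) with the 32-hex-char key and checks the CRC.
func VerifyOTP(otp, keyHex string) (*Token, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil || len(key) != 16 { return nil, errors.New("AES key must be 32 hex characters (16 bytes)") }
	if len(otp) < 32 { return nil, errors.New("OTP shorter than the 32-character token") }
	block, err := modhexDecode(otp[len(otp)-32:])
	if err != nil { return nil, err }
	c, _ := aes.NewCipher(key) // key length validated above
	c.Decrypt(block, block)    // one raw AES block: no mode, no IV
	// CRC over all 16 bytes (14 data bytes + the stored, inverted CRC) must equal the fixed residue 0xF0B8.
	if crc16(block) != 0xF0B8 { return nil, errors.New("CRC mismatch: wrong AES key or corrupted OTP") }
	return &Token{PublicID: otp[:len(otp)-32], UID: block[:6],
		Counter: binary.LittleEndian.Uint16(block[6:8]), Use: block[11]}, nil
}
```

A CRC mismatch does not distinguish a wrong key from a tampered OTP, so a verifier should treat both the same and count them as failed attempts.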
