Java实现谷歌身份验证器

1. 生成一个随机秘钥

	public static String generateSecretKey() throws NoSuchAlgorithmException {
        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
        sr.setSeed(Base64.decodeBase64("fooabrbalabala"));
        byte[] buffer = sr.generateSeed(10);
        Base32 codec = new Base32();
        byte[] bEncodedKey = codec.encode(buffer);
        return new String(bEncodedKey);
    }

2. 生成二维码

    public static String getQRBarcode(String user, String secret) {
        String format = "otpauth://totp/%s?secret=%s";
        return String.format(format, user, secret);
    }

3. 扫码添加
   根据服务端生成的二维码字符串生成二维码图片，用户在身份验真器扫码添加。
   e.g.

otpauth://totp/test_user_001?secret=H3GKOORXVD76URAB

4. 生成验证码
身份验证器每个30秒更新一次验证码，服务端校验时根据系统时间和密钥生成验证码。

    public static int generateCode(byte[] key, long t) throws NoSuchAlgorithmException, InvalidKeyException {
        byte[] data = new byte[8];
        long value = t;
        for (int i = 8; i-- > 0; value >>>= 8) {
            data[i] = (byte) value;
        }
        SecretKeySpec signKey = new SecretKeySpec(key, "HmacSHA1");
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(signKey);
        byte[] hash = mac.doFinal(data);
        int offset = hash[20 - 1] & 0xF;
        // We're using a long because Java hasn't got unsigned int.
        long truncatedHash = 0;
        for (int i = 0; i < 4; ++i) {
            truncatedHash <<= 8;
            // We are dealing with signed bytes:
            // we just keep the first byte.
            truncatedHash |= (hash[offset + i] & 0xFF);
        }
        truncatedHash &= 0x7FFFFFFF;
        truncatedHash %= 1000000;
        return (int) truncatedHash;
    }

    @Test
    public void generateCode() throws InvalidKeyException, NoSuchAlgorithmException {
        byte[] key = new Base32().decode("H3GKOORXVD76URAB");
        long t = (System.currentTimeMillis() / 1000L) / 30L;
        int code = GoogleAuthenticator.generateCode(key, t);
        System.out.println(code);
    }

5. 校验验证码
   为了避免用户输入、网路等延时因素引起的校验问题，服务端通常会根据时间校验多个值。

    /**
     * 最多可偏移的时间
     * default 3 - max 17
     */
    int window_size = 3;
	public boolean check_code(String secret, long code, long timeMsec) {
        Base32 codec = new Base32();
        byte[] decodedKey = codec.decode(secret);
        long t = (timeMsec / 1000L) / 30L;
        for (int i = -window_size; i <= window_size; ++i) {
            long hash;
            try {
                hash = generateCode(decodedKey, t + i);
            } catch (Exception e) {
                e.printStackTrace();
                throw new RuntimeException(e.getMessage());
            }
            if (hash == code) {
                return true;
            }
        }
        return false;
    }