白菜不是菜他们相信天堂是有的,可以实现的,但在现世界与那天堂的中间隔着一座海,一座血污海,人类泅得过这血海,才能登彼岸,他们决定先实现那血海。
TOTP算法Java版本
2018-01-08 1329 字Java
TOTP 概念
TOTP - Time-based One-time Password Algorithm is an extension of the HMAC-based One Time Password algorithm HOTP to support a time based moving factor.
TOTP(基于时间的一次性密码算法)是支持时间作为动态因素基于HMAC一次性密码算法的扩展。它是OTP算法的一种
算法如下: TOTP = Truncate(HMAC-SHA-1(K, (T - T0) / X))
K 共享密钥 T 时间 T0 开始计数的时间步长 X 时间步长
代码实现
最简实现需要如下两个类 1.Base32.java
publicclassBase32{privatestaticfinalchar[]ALPHABET={'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','2','3','4','5','6','7'};privatestaticfinalbyte[]DECODE_TABLE;static{DECODE_TABLE=newbyte[128];for(inti=0;i 2.GoogleAuthenticator.java importjavax.crypto.spec.SecretKeySpec;importjava.security.InvalidKeyException;importjava.security.NoSuchAlgorithmException;importjava.security.SecureRandom;importjava.util.Base64;importjavax.crypto.Mac;publicclassGoogleAuthenticator{// taken from Google pam docs - we probably don't need to mess with thesepublicstaticfinalintSECRET_SIZE=10;publicstaticfinalStringSEED="g8GjEvTbW5oVSV7avLBdwIHqGlUYNzKFI7izOF8GwLDVKs2m0QN7vxRs2im5MDaNCWGmcD2rvcZx";publicstaticfinalStringRANDOM_NUMBER_ALGORITHM="SHA1PRNG";intwindow_size=3;// default 3 - max 17 (from google docs)最多可偏移的时间/** * set the windows size. This is an integer value representing the number of 30 second windows * we allow * The bigger the window, the more tolerant of clock skew we are. * @param s window size - must be >=1 and <=17. Other values are ignored */publicvoidsetWindowSize(ints){if(s>=1&&s<=17)window_size=s;}/** * Generate a random secret key. This must be saved by the server and associated with the * users account to verify the code displayed by Google Authenticator. * The user must register this secret on their device. * @return secret key */publicstaticStringgenerateSecretKey(){SecureRandomsr=null;try{sr=SecureRandom.getInstance(RANDOM_NUMBER_ALGORITHM);sr.setSeed(Base64.getDecoder().decode(SEED));byte[]buffer=sr.generateSeed(SECRET_SIZE);Base32codec=newBase32();byte[]bEncodedKey=codec.encode(buffer).getBytes();StringencodedKey=newString(bEncodedKey);returnencodedKey;}catch(NoSuchAlgorithmExceptione){// should never occur... configuration error}returnnull;}/** * Return a URL that generates and displays a QR barcode. The user scans this bar code with the * Google Authenticator application on their smartphone to register the auth code. They can also * manually enter the * secret if desired * @param user user id (e.g. fflinstone) * @param host host or system that the code is for (e.g. myapp.com) * @param secret the secret that was previously generated for this user * @return the URL for the QR code to scan */publicstaticStringgetQRBarcodeURL(Stringuser,Stringhost,Stringsecret){Stringformat="https://www.google.com/chart?chs=200x200&chld=M%%7C0&cht=qr&chl=otpauth://totp/%s@%s%%3Fsecret%%3D%s";returnString.format(format,user,host,secret);}/** * Check the code entered by the user to see if it is valid * @param secret The users secret. * @param code The code displayed on the users device * @param t The time in msec (System.currentTimeMillis() for example) * @return * @throws Exception */publicbooleancheck_code(Stringsecret,longcode,longtimeMsec)throwsException{Base32codec=newBase32();byte[]decodedKey=codec.decode(secret);// convert unix msec time into a 30 second "window"// this is per the TOTP spec (see the RFC for details)longt=(timeMsec/1000L)/30L;// Window is used to check codes generated in the near past.// You can use this value to tune how far you're willing to go.for(inti=-window_size;i<=window_size;++i){longhash;try{hash=verify_code(decodedKey,t+i);}catch(Exceptione){// Yes, this is bad form - but// the exceptions thrown would be rare and a static configuration probleme.printStackTrace();thrownewRuntimeException(e.getMessage());//return false;}if(hash==code){returntrue;}}// The validation code is invalid.returnfalse;}privatestaticintverify_code(byte[]key,longt)throwsNoSuchAlgorithmException,InvalidKeyException{byte[]data=newbyte[8];longvalue=t;for(inti=8;i-->0;value>>>=8){data[i]=(byte)value;}SecretKeySpecsignKey=newSecretKeySpec(key,"HmacSHA1");Macmac=Mac.getInstance("HmacSHA1");mac.init(signKey);byte[]hash=mac.doFinal(data);intoffset=hash[20-1]&0xF;// We're using a long because Java hasn't got unsigned int.longtruncatedHash=0;for(inti=0;i<4;++i){truncatedHash<<=8;// We are dealing with signed bytes:// we just keep the first byte.truncatedHash|=(hash[offset+i]&0xFF);}truncatedHash&=0x7FFFFFFF;truncatedHash%=1000000;return(int)truncatedHash;}} 测试类如下: importorg.junit.Test;publicclassGoogleAuthTest{@TestpublicvoidgenSecretTest(){Stringsecret=GoogleAuthenticator.generateSecretKey();System.out.println("secret="+secret);Stringurl=GoogleAuthenticator.getQRBarcodeURL("testuser","testhost",secret);System.out.println("Please register "+url);System.out.println("Secret key is "+secret);}// Change this to the saved secret from the running the above test.staticStringsavedSecret="VGH25A7M54QPME5F";@TestpublicvoidauthTest()throwsException{// enter the code shown on device. Edit this and run it fast before the code expires!longcode=146841;longt=System.currentTimeMillis();GoogleAuthenticatorga=newGoogleAuthenticator();ga.setWindowSize(5);//should give 5 * 30 seconds of grace...booleanr=ga.check_code(savedSecret,code,t);System.out.println("Check code = "+r);}} OTP Auth协议 在实际使用中,通常把secret嵌入一段URL中并以二维码的形式发布,这个URL一般称为otpauth协议.其URL如下所示: otpauth://totp/testuser@testhost?secret=VGH25A7M54QPME5F&algorithm=SHA1&digits=6&period=30 除特殊注明部分,本站内容采用 CC BY-NC-SA 4.0 进行许可。 页面 Home Archives About Search RSS 链接 GitHub 标签 Java k8s Linux PHP Vala 闲扯淡 目录 © 2020 baicai | 基于 Fuji-v2 & Hugo 构建