OTP Code validation problem #45
-
|
HI , I have generated the otp using java-otp.jar file , trying to validate the generated otp code using otp.verify ( which is part otp-java.3.2.1) . Below is the sample code. Note: I am using java7 I have a server which uses TOTP builder and built with java 8 . Could you please help me , what is the wrong in the below code import com.bastiaanjansen.otp.HMACAlgorithm;
import com.bastiaanjansen.otp.TOTP;
import com.eatthepath.otp.TimeBasedOneTimePasswordGenerator;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.UndeclaredThrowableException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.time.Duration;
import java.time.Instant;
import java.time.Duration;
import java.util.Base64;
import java.util.Calendar;
import java.util.Date;
import java.util.TimeZone;
import java.util.concurrent.TimeUnit;
import org.apache.commons.codec.binary.Base32;
import static com.eatthepath.otp.TimeBasedOneTimePasswordGenerator.TOTP_ALGORITHM_HMAC_SHA512;
import static java.util.concurrent.TimeUnit.SECONDS;
public class Checktotp {
// Coverting the Secret Key to String
public static String convertSecretKeyToString(SecretKey secretKey) throws NoSuchAlgorithmException {
byte[] rawData = secretKey.getEncoded();
String encodedKey = Base64.getEncoder().encodeToString(rawData);
System.out.println("ALG USed" + secretKey.getAlgorithm());
System.out.println("Format is " + secretKey.getFormat());
return encodedKey;
}
// Converting the String to Secret Key
public static SecretKey convertStringToSecretKeyto(String encodedKey) throws UnsupportedEncodingException, NoSuchAlgorithmException, InvalidKeySpecException {
byte[] decodedKey = Base64.getDecoder().decode(encodedKey); //encodedKey.getBytes();
SecretKey originalKey = new SecretKeySpec(encodedKey.getBytes(), 0,decodedKey.length ,"AES");
return originalKey;
}
public static void main(String[] args) throws NoSuchAlgorithmException, InvalidKeyException, InvalidKeySpecException, UnsupportedEncodingException {
TOTP totp_latest;
final SecretKey key;
String sec = "RktU1I1UlpHWlQ3MlFDVDVFUUFJSUZMVzMzR09TRTQ1S1pCVURaUlJTNklLRUI2RFIzV1hFSVJQWT0";
key = convertStringToSecretKeyto(sec);
byte[] secret1 = Base64.getDecoder().decode(sec);
totp_latest = new TOTP.Builder(secret1)
.withPasswordLength(6)
.withAlgorithm(HMACAlgorithm.SHA512)
.withPeriod(Duration.ofSeconds(10))
.build();
// Generating the otp using otp-java-1.3.2
totp_latest.now();
System.out.println("OTP Code with Latest Jar File otp-java-1.3.2 " + totp_latest.now());
// Generating the otp using java-otp-0.1.0 .jar
String code1 = otpNow(sec);
System.out.println("OTP Code with old Jar File java-otp.0.1.0.jar " + code1);
if ( totp_latest.verify(code1)) {
System.out.println("The OTP is matched ");
}
else {
System.out.println("OTP Code is Not Matched");
}
}
public static String otpNow(String key) throws InvalidKeyException, NoSuchAlgorithmException {
// decode the base64 encoded string
byte[] decodedKey = Base64.getDecoder().decode(key);
// rebuild key using SecretKeySpec
SecretKey originalKey = new SecretKeySpec(decodedKey, 0, decodedKey.length, "AES");
final TimeBasedOneTimePasswordGenerator totp = new TimeBasedOneTimePasswordGenerator(30, SECONDS, 6, TOTP_ALGORITHM_HMAC_SHA512);
final Date now = new Date();
String code = String.valueOf(totp.generateOneTimePassword(originalKey,now ));
return code;
}
} |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
Please bear in mind that That said, your problem is almost certainly that you're using a 10-second time step with I'd also point out that you appear to be using AES keys with a HmacSHA512 MAC; I don't think that's the root problem here, but it's something you might want to investigate further. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you jchambers, Figured out the problem , Inside totp.now() , using Base32 Decoder (this.decodeBase32) inside generate() before using it as a Key inside the function generateHash(). Where the attached sample code uses Base64 Decoder only. After i have modified accordingly in the sample code, It Worked. Client Application : is built with java 7 and uses library java-otp The below sample code validates the client generated OTP using java-otp by the server application which uses otp-java Libraries used:
Here is the sample Working Code: import com.bastiaanjansen.otp.HMACAlgorithm;
import com.bastiaanjansen.otp.TOTP;
import com.eatthepath.otp.TimeBasedOneTimePasswordGenerator;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.UndeclaredThrowableException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.time.Duration;
import java.time.Instant;
import java.time.Duration;
import java.util.Base64;
import java.util.Calendar;
import java.util.Date;
import java.util.TimeZone;
import java.util.concurrent.TimeUnit;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Base32;
import static com.eatthepath.otp.TimeBasedOneTimePasswordGenerator.TOTP_ALGORITHM_HMAC_SHA512;
import static java.util.concurrent.TimeUnit.SECONDS;
public class Checktotp {
public static void main(String[] args) throws NoSuchAlgorithmException, InvalidKeyException, InvalidKeySpecException, UnsupportedEncodingException, DecoderException {
TOTP totp_latest;
final SecretKey key;
String sec = "RktZUlBCNUQyUU5EOQkZUQkdaUUVEVUNOU1I1UlpHWlQ3MlFDVDVFUUFJSUZMVzMzR09TRTQ1S1pCVURaUlJTNklLRUI2RFIzV1hFSVJQWT0";
byte[] secret1 = Base64.getDecoder().decode(sec);
totp_latest = new TOTP.Builder(secret1)
.withPasswordLength(6)
.withAlgorithm(HMACAlgorithm.SHA512)
.withPeriod(Duration.ofSeconds(100))
.build();
// Generating the otp using otp-java-1.3.2
totp_latest.now();
System.out.println("OTP Code with Latest Jar File otp-java-1.3.2 " + totp_latest.now());
// Generating the otp using java-otp-0.1.0 .jar
String code1 = otpNow(sec);
System.out.println("OTP Code with old Jar File java-otp.0.1.0.jar " + code1);
if ( totp_latest.verify(code1)) {
System.out.println("The OTP is matched ");
}
else {
System.out.println("OTP Code is Not Matched");
}
}
public static String otpNow(String key) throws InvalidKeyException, NoSuchAlgorithmException {
byte[] secret1 = Base64.getDecoder().decode(key);
String decodedStr = new String(secret1);
Base32 codec1 = new Base32();
byte[] secret2 = codec1.decode(decodedStr);
// rebuild key using SecretKeySpec
SecretKey originalKey = new SecretKeySpec(secret2, "RAW");
final TimeBasedOneTimePasswordGenerator totp = new TimeBasedOneTimePasswordGenerator(100, SECONDS, 6, TOTP_ALGORITHM_HMAC_SHA512);
final Date now = new Date();
long code = totp.generateOneTimePassword(originalKey, new Date());
return String.format("%0" +6+ "d", code);
}
} |
Beta Was this translation helpful? Give feedback.
Please bear in mind that
otp-javaandjava-otpare entirely separate projects. This is the repository forjava-otp, and speaking generally, I'm not in a great position to offer support for third-party software likeotp-java.That said, your problem is almost certainly that you're using a 10-second time step with
otp-javaand a 30-second time step withjava-otp. If you make the time steps match, I think things will work as expected.I'd also point out that you appear to be using AES keys with a HmacSHA512 MAC; I don't think that's the root problem here, but it's something you might want to investigate further.