Merge pull request #84 from anibyl/base32-string-builder-and-docs

BastiaanJansen · web-flow · commit 04c823283c59 · 2024-12-23T19:35:02.000+01:00
Add a String secret Builder constructor + Base32 docs and comments #83
diff --git a/README.md b/README.md
@@ -57,7 +57,7 @@ Or you can download the source from the [GitHub releases page](https://github.co
 To create a `HOTPGenerator` instance, use the `HOTPGenerator.Builder` class as follows:
 
 ```java
-byte[] secret = "VV3KOX7UQJ4KYAKOHMZPPH3US4CJIMH6F3ZKNB5C2OOBQ6V2KIYHM27Q".getBytes();
+String secret = "VV3KOX7UQJ4KYAKOHMZPPH3US4CJIMH6F3ZKNB5C2OOBQ6V2KIYHM27Q";
 HOTPGenerator hotp = new HOTPGenerator.Builder(secret).build();
 ```
 The above builder creates a HOTP instance with default values for passwordLength = 6 and algorithm = SHA1. Use the builder to change these defaults:
@@ -68,12 +68,20 @@ HOTPGenerator hotp = new HOTPGenerator.Builder(secret)
         .build();
 ```
 
+If you have a shared secret described in [RFC-4226](https://www.rfc-editor.org/rfc/rfc4226), you need to encode it first:
+
+```java
+byte[] sharedSecret = getMySharedSecret();
+
+byte[] secret = Base32.encode(sharedSecret);
+```
+
 When you don't already have a secret, you can let the library generate it:
 ```java
-// To generate a secret with 160 bits
+// To generate a Base32-encoded secret with 160 bits
 byte[] secret = SecretGenerator.generate();
 
-// To generate a secret with a custom amount of bits
+// To generate a Base32-encoded secret with a custom amount of bits
 byte[] secret = SecretGenerator.generate(512);
 ```
 
@@ -131,7 +139,6 @@ TOTPGenerator totpGenerator = TOTPGenerator.fromURI(uri);
 
 Get information about the generator:
 ```java
-byte[] secret = totpGenerator.getSecret();
 int passwordLength = totpGenerator.getPasswordLength(); // 6
 HMACAlgorithm algorithm = totpGenerator.getAlgorithm(); // HMACAlgorithm.SHA1
 Duration period = totpGenerator.getPeriod(); // Duration.ofSeconds(30)
diff --git a/src/main/java/com/bastiaanjansen/otp/HOTPGenerator.java b/src/main/java/com/bastiaanjansen/otp/HOTPGenerator.java
@@ -8,13 +8,14 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.ByteBuffer;
-import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+
 public final class HOTPGenerator {
 
     private static final String URL_SCHEME = "otpauth";
@@ -38,7 +39,7 @@ public static HOTPGenerator fromURI(final URI uri) throws URISyntaxException {
         Map<String, String> query = URIHelper.queryItems(uri);
 
         byte[] secret = Optional.ofNullable(query.get(URIHelper.SECRET))
-                .map(String::getBytes)
+                .map(s -> s.getBytes(UTF_8))
                 .orElseThrow(() -> new IllegalArgumentException("Secret query parameter must be set"));
 
         Builder builder = new Builder(secret);
@@ -117,7 +118,7 @@ public String generate(final long counter) throws IllegalStateException {
     public URI getURI(final String type, final String issuer, final String account, final Map<String, String> query) throws URISyntaxException {
         query.put(URIHelper.DIGITS, String.valueOf(passwordLength));
         query.put(URIHelper.ALGORITHM, algorithm.name());
-        query.put(URIHelper.SECRET, new String(secret, StandardCharsets.UTF_8));
+        query.put(URIHelper.SECRET, new String(secret, UTF_8));
         query.put(URIHelper.ISSUER, issuer);
 
         String path = account.isEmpty() ? URIHelper.encode(issuer) : String.format("%s:%s", URIHelper.encode(issuer), URIHelper.encode(account));
@@ -194,8 +195,21 @@ public static final class Builder {
 
         private HMACAlgorithm algorithm;
 
+        /**
+         * Base32 encoded secret
+         */
         private final byte[] secret;
 
+        /**
+         * Creates a new builder.
+         * <p>
+         * Use {@link SecretGenerator#generate()} to create a secret.
+         * <p>
+         * If you are using a shared secret from another generator, you would likely need to encode it using
+         * {@link org.apache.commons.codec.binary.Base32#encode(byte[])}}
+         *
+         * @param secret Base32 encoded secret
+         */
         public Builder(final byte[] secret) {
             if (secret.length == 0)
                 throw new IllegalArgumentException("Secret must not be empty");
@@ -205,6 +219,13 @@ public Builder(final byte[] secret) {
             this.algorithm = DEFAULT_HMAC_ALGORITHM;
         }
 
+        /**
+         * @param secret Base32 encoded secret
+         */
+        public Builder(String secret) {
+            this(secret.getBytes(UTF_8));
+        }
+
         public Builder withPasswordLength(final int passwordLength) {
             if (!passwordLengthIsValid(passwordLength))
                 throw new IllegalArgumentException("Password length must be between 6 and 8 digits");
diff --git a/src/main/java/com/bastiaanjansen/otp/TOTPGenerator.java b/src/main/java/com/bastiaanjansen/otp/TOTPGenerator.java
@@ -12,6 +12,8 @@
 import java.util.concurrent.TimeUnit;
 import java.util.function.Consumer;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+
 public final class TOTPGenerator {
     private static final String OTP_TYPE = "totp";
     private static final Duration DEFAULT_PERIOD = Duration.ofSeconds(30);
@@ -32,8 +34,7 @@ private TOTPGenerator(final Builder builder) {
     public static TOTPGenerator fromURI(URI uri) throws URISyntaxException {
         Map<String, String> query = URIHelper.queryItems(uri);
 
-        byte[] secret = Optional.ofNullable(query.get(URIHelper.SECRET))
-                .map(String::getBytes)
+        String secret = Optional.ofNullable(query.get(URIHelper.SECRET))
                 .orElseThrow(() -> new IllegalArgumentException("Secret query parameter must be set"));
 
         Builder builder = new Builder(secret);
@@ -171,12 +172,29 @@ public static final class Builder {
 
         private final HOTPGenerator.Builder hotpBuilder;
 
+        /**
+         * Creates a new builder.
+         * <p>
+         * Use {@link SecretGenerator#generate()} to create a secret.
+         * <p>
+         * If you are using a shared secret from another generator, you would likely need to encode it using
+         * {@link org.apache.commons.codec.binary.Base32#encode(byte[])}}
+         *
+         * @param secret Base32 encoded secret
+         */
         public Builder(byte[] secret) {
             this.period = DEFAULT_PERIOD;
             this.clock = DEFAULT_CLOCK;
             this.hotpBuilder = new HOTPGenerator.Builder(secret);
         }
 
+        /**
+         * @param secret Base32 encoded secret
+         */
+        public Builder(String secret) {
+            this(secret.getBytes(UTF_8));
+        }
+
         public Builder withHOTPGenerator(Consumer<HOTPGenerator.Builder> builder) {
             builder.accept(hotpBuilder);
             return this;
diff --git a/src/test/java/com/bastiaanjansen/otp/HOTPGeneratorTest.java b/src/test/java/com/bastiaanjansen/otp/HOTPGeneratorTest.java
@@ -41,7 +41,7 @@ private static Stream<Arguments> testData() {
     @ParameterizedTest
     @MethodSource("testData")
     void generateWithCounter(int passwordLength, long counter, HMACAlgorithm algorithm, String otp) {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes())
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret)
                 .withPasswordLength(passwordLength)
                 .withAlgorithm(algorithm)
                 .build();
@@ -52,30 +52,30 @@ void generateWithCounter(int passwordLength, long counter, HMACAlgorithm algorit
     @ParameterizedTest
     @ValueSource(ints = {-1, -100})
     void generateWithInvalidCounter_throwsIllegalArgumentException(long counter) {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
 
         assertThrows(IllegalArgumentException.class, () -> generator.generate(counter));
     }
 
     @Test
     void verifyCurrentCode_true() {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
         String code = generator.generate(1);
 
         assertThat(generator.verify(code, 1), is(true));
     }
 
     @Test
     void verifyOlderCodeWithDelayWindowIs0_false() {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
         String code = generator.generate(1);
 
         assertThat(generator.verify(code, 2), is(false));
     }
 
     @Test
     void verifyOlderCodeWithDelayWindowIs1_true() {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
         String code = generator.generate(1);
 
         assertThat(generator.verify(code, 2, 1), is(true));
@@ -99,7 +99,7 @@ void withDefaultValues_passwordLength() {
 
     @Test
     void getURIWithIssuer_doesNotThrow() {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
 
         assertDoesNotThrow(() -> {
            generator.getURI(10, "issuer");
@@ -108,14 +108,14 @@ void getURIWithIssuer_doesNotThrow() {
 
     @Test
     void getURIWithIssuerWithSpace_doesNotThrow() {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
 
         assertDoesNotThrow(() -> generator.getURI(10, "issuer with space"));
     }
 
     @Test
     void getURIWithIssuerWithSpace_doesEscapeIssuer() throws URISyntaxException {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
 
         String url = generator.getURI(10, "issuer with space").toString();
 
@@ -124,15 +124,15 @@ void getURIWithIssuerWithSpace_doesEscapeIssuer() throws URISyntaxException {
 
     @Test
     void getURIWithIssuer() throws URISyntaxException {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
         URI uri = generator.getURI(10, "issuer");
 
         assertThat(uri.toString(), is("otpauth://hotp/issuer?digits=6&counter=10&secret=" + secret + "&issuer=issuer&algorithm=SHA1"));
     }
 
     @Test
     void getURIWithIssuerWithUrlUnsafeCharacters() throws URISyntaxException {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
         URI uri = generator.getURI(10, "mac&cheese");
 
         assertThat(uri.toString(), is("otpauth://hotp/mac%26cheese?digits=6&counter=10&secret=" + secret + "&issuer=mac%26cheese&algorithm=SHA1"));
@@ -141,7 +141,7 @@ void getURIWithIssuerWithUrlUnsafeCharacters() throws URISyntaxException {
 
     @Test
     void getURIWithIssuerAndAccount_doesNotThrow() {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
 
         assertDoesNotThrow(() -> {
             generator.getURI(100, "issuer", "account");
@@ -150,15 +150,15 @@ void getURIWithIssuerAndAccount_doesNotThrow() {
 
     @Test
     void getURIWithIssuerAndAccount() throws URISyntaxException {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
 
         URI uri = generator.getURI(100, "issuer", "account");
         assertThat(uri.toString(), is("otpauth://hotp/issuer:account?digits=6&counter=100&secret=" + secret + "&issuer=issuer&algorithm=SHA1"));
     }
 
     @Test
     void getURIWithIssuerAndAccountWithUrlUnsafeCharacters() throws URISyntaxException {
-        HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+        HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
 
         URI uri = generator.getURI(100, "mac&cheese", "ac@cou.nt");
 
@@ -224,44 +224,44 @@ void builderWithEmptySecret_throwsIllegalArgumentException() {
         @Test
         void builderWithPasswordLengthIs5_throwsIllegalArgumentException() {
             assertThrows(IllegalArgumentException.class, () -> {
-                new HOTPGenerator.Builder(secret.getBytes()).withPasswordLength(5).build();
+                new HOTPGenerator.Builder(secret).withPasswordLength(5).build();
             });
         }
 
         @Test
         void builderWithPasswordLengthIs9_throwsIllegalArgumentException() {
             assertThrows(IllegalArgumentException.class, () -> {
-                new HOTPGenerator.Builder(secret.getBytes()).withPasswordLength(9).build();
+                new HOTPGenerator.Builder(secret).withPasswordLength(9).build();
             });
         }
 
         @Test
         void builderWithPasswordLengthIs6() {
-            HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).withPasswordLength(6).build();
+            HOTPGenerator generator = new HOTPGenerator.Builder(secret).withPasswordLength(6).build();
             int expected = 6;
 
             assertThat(generator.getPasswordLength(), Matchers.is(expected));
         }
 
         @Test
         void builderWithAlgorithmSHA1() {
-            HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).withAlgorithm(HMACAlgorithm.SHA1).build();
+            HOTPGenerator generator = new HOTPGenerator.Builder(secret).withAlgorithm(HMACAlgorithm.SHA1).build();
             HMACAlgorithm expected = HMACAlgorithm.SHA1;
 
             assertThat(generator.getAlgorithm(), Matchers.is(expected));
         }
 
         @Test
         void builderWithAlgorithmSHA256() {
-            HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).withAlgorithm(HMACAlgorithm.SHA256).build();
+            HOTPGenerator generator = new HOTPGenerator.Builder(secret).withAlgorithm(HMACAlgorithm.SHA256).build();
             HMACAlgorithm expected = HMACAlgorithm.SHA256;
 
             assertThat(generator.getAlgorithm(), Matchers.is(expected));
         }
 
         @Test
         void builderWithAlgorithmSHA512() {
-            HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).withAlgorithm(HMACAlgorithm.SHA512).build();
+            HOTPGenerator generator = new HOTPGenerator.Builder(secret).withAlgorithm(HMACAlgorithm.SHA512).build();
             HMACAlgorithm expected = HMACAlgorithm.SHA512;
 
             assertThat(generator.getAlgorithm(), Matchers.is(expected));
@@ -270,12 +270,12 @@ void builderWithAlgorithmSHA512() {
         @ParameterizedTest
         @ValueSource(ints = { 1, 2, 3, 4, 5, 9, 10 })
         void builderWithInvalidPasswordLength_throwsIllegalArgumentException(int passwordLength) {
-            assertThrows(IllegalArgumentException.class, () -> new HOTPGenerator.Builder(secret.getBytes()).withPasswordLength(passwordLength).build());
+            assertThrows(IllegalArgumentException.class, () -> new HOTPGenerator.Builder(secret).withPasswordLength(passwordLength).build());
         }
 
         @Test
         void builderWithoutAlgorithm_defaultAlgorithm() {
-            HOTPGenerator generator = new HOTPGenerator.Builder(secret.getBytes()).build();
+            HOTPGenerator generator = new HOTPGenerator.Builder(secret).build();
             HMACAlgorithm expected = HMACAlgorithm.SHA1;
 
             assertThat(generator.getAlgorithm(), is(expected));
diff --git a/src/test/java/com/bastiaanjansen/otp/TOTPGeneratorTest.java b/src/test/java/com/bastiaanjansen/otp/TOTPGeneratorTest.java
