126 lines
3.5 KiB
Go
126 lines
3.5 KiB
Go
package data
|
|
|
|
import (
|
|
"crypto/hmac"
|
|
"crypto/rand"
|
|
|
|
// #nosec G505 - SHA1 is used here because TOTP (RFC 6238) specifically uses HMAC-SHA1
|
|
// as the default algorithm, and many authenticator apps still use it.
|
|
// In the future, we should consider supporting stronger algorithms like SHA256 or SHA512.
|
|
"crypto/sha1"
|
|
"encoding/base32"
|
|
"encoding/binary"
|
|
"fmt"
|
|
"image/png"
|
|
"os"
|
|
"strings"
|
|
"time"
|
|
|
|
"rsc.io/qr"
|
|
)
|
|
|
|
const (
|
|
// TOTPTimeStep is the time step in seconds for TOTP.
|
|
TOTPTimeStep = 30
|
|
// TOTPDigits is the number of digits in a TOTP code.
|
|
TOTPDigits = 6
|
|
// TOTPModulo is the modulo value for truncating the TOTP hash.
|
|
TOTPModulo = 1000000
|
|
// TOTPTimeWindow is the number of time steps to check before and after the current time.
|
|
TOTPTimeWindow = 1
|
|
|
|
// Constants for TOTP calculation
|
|
timeBytesLength = 8
|
|
dynamicTruncationMask = 0x0F
|
|
truncationModulusMask = 0x7FFFFFFF
|
|
)
|
|
|
|
// GenerateRandomBase32 generates a random base32 encoded string of the specified length.
|
|
func GenerateRandomBase32(length int) (string, error) {
|
|
// Generate random bytes
|
|
randomBytes := make([]byte, length)
|
|
_, err := rand.Read(randomBytes)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// Encode to base32
|
|
encoder := base32.StdEncoding.WithPadding(base32.NoPadding)
|
|
encoded := encoder.EncodeToString(randomBytes)
|
|
|
|
// Convert to uppercase and remove any padding
|
|
return strings.ToUpper(encoded), nil
|
|
}
|
|
|
|
// ValidateTOTP validates a TOTP code against a secret
|
|
func ValidateTOTP(secret, code string) bool {
|
|
// Get current time step
|
|
currentTime := time.Now().Unix() / TOTPTimeStep
|
|
|
|
// Try the time window (allow for time skew)
|
|
for i := -TOTPTimeWindow; i <= TOTPTimeWindow; i++ {
|
|
if calculateTOTP(secret, currentTime+int64(i)) == code {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// calculateTOTP calculates the TOTP code for a given secret and time
|
|
func calculateTOTP(secret string, timeCounter int64) string {
|
|
// Decode the secret from base32
|
|
encoder := base32.StdEncoding.WithPadding(base32.NoPadding)
|
|
secretBytes, err := encoder.DecodeString(strings.ToUpper(secret))
|
|
if err != nil {
|
|
return ""
|
|
}
|
|
|
|
// Convert time counter to bytes (big endian)
|
|
timeBytes := make([]byte, timeBytesLength)
|
|
binary.BigEndian.PutUint64(timeBytes, uint64(timeCounter))
|
|
|
|
// Calculate HMAC-SHA1
|
|
h := hmac.New(sha1.New, secretBytes)
|
|
h.Write(timeBytes)
|
|
hash := h.Sum(nil)
|
|
|
|
// Dynamic truncation
|
|
offset := hash[len(hash)-1] & dynamicTruncationMask
|
|
truncatedHash := binary.BigEndian.Uint32(hash[offset:offset+4]) & truncationModulusMask
|
|
otp := truncatedHash % TOTPModulo
|
|
|
|
// Format as a 6-digit string with leading zeros
|
|
return fmt.Sprintf("%0*d", TOTPDigits, otp)
|
|
}
|
|
|
|
// GenerateTOTPQRCode generates a QR code for a TOTP secret and saves it to a file
|
|
func GenerateTOTPQRCode(secret, username, issuer, outputPath string) error {
|
|
// Format the TOTP URI according to the KeyURI format
|
|
// https://github.com/google/google-authenticator/wiki/Key-Uri-Format
|
|
uri := fmt.Sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=%d&period=%d",
|
|
issuer, username, secret, issuer, TOTPDigits, TOTPTimeStep)
|
|
|
|
// Generate QR code
|
|
code, err := qr.Encode(uri, qr.M)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to generate QR code: %w", err)
|
|
}
|
|
|
|
// Create output file
|
|
file, err := os.Create(outputPath)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create output file: %w", err)
|
|
}
|
|
defer file.Close()
|
|
|
|
// Write QR code as PNG
|
|
img := code.Image()
|
|
err = png.Encode(file, img)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to write QR code to file: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|