Merge remote-tracking branch 'origin/main'

Author: uaraven

.github/workflows/go.yml

@@ -0,0 +1,25 @@
+name: Go
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Set up Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.17
+
+    - name: Build
+      run: go build -v ./...
+
+    - name: Test
+      run: go test -v ./...

hotp.go

@@ -14,6 +14,8 @@ import (
 	"sync"
 )
 
+const DefaultTransactionOffset = -1
+
 // HOTP is an implementation of RFC4226, HMAC-based one-time password algorithm
 type HOTP struct {
 	OTP
@@ -56,7 +58,7 @@ func NewHOTPFromUri(uri string) (*OTPKeyData, error) {
 	if !u.Query().Has(counterKey) {
 		return nil, fmt.Errorf("'counter' parameter required")
 	}
-	label, issuer := getLabelIssuer(u)
+	accountName, issuer := getAccountIssuer(u)
 	digits := int64(DefaultDigits)
 	if u.Query().Has(digitsKey) {
 		digits, err = strconv.ParseInt(u.Query().Get(digitsKey), 10, 32)
@@ -84,17 +86,17 @@ func NewHOTPFromUri(uri string) (*OTPKeyData, error) {
 	}
 
 	return &OTPKeyData{
-		OTP:    NewHOTPHash(key, counter, int(digits), -1, algorithm),
-		Label:  label,
-		Issuer: issuer}, nil
+		OTP:     NewHOTPHash(key, counter, int(digits), DefaultTransactionOffset, algorithm),
+		Account: accountName,
+		Issuer:  issuer}, nil
 }
 
 // NewDefaultHOTP crates an instance of Hotp with default parameters:
 // Number of OTP digits is 6, SHA1 for hashing and using dynamic truncation offset
 //
 // key is the shared secret key
 func NewDefaultHOTP(key []byte, counter int64) *HOTP {
-	return NewHOTP(key, counter, DefaultDigits, -1)
+	return NewHOTP(key, counter, DefaultDigits, DefaultTransactionOffset)
 }
 
 // NewHOTPDigits creates an instance of Hotp with given number of digits for the OTP
@@ -103,7 +105,7 @@ func NewDefaultHOTP(key []byte, counter int64) *HOTP {
 // key is the shared secret key
 // digits is the number of digits in the resulting one-time password code
 func NewHOTPDigits(key []byte, counter int64, digits int) *HOTP {
-	return NewHOTP(key, counter, digits, -1)
+	return NewHOTP(key, counter, digits, DefaultTransactionOffset)
 }
 
 // NewHOTP allows to create an instance of Hotp and set the parameters

hotp_test.go

@@ -79,41 +79,41 @@ func TestHOTPVerify(t *testing.T) {
 
 func TestHotpUrlGenerator(t *testing.T) {
 	hotp := NewHOTPDigits([]byte("key"), 342, 8)
-	url := hotp.ProvisioningUri("Example", "test@example.com")
+	url := hotp.ProvisioningUri("test@example.com", "Issuer")
 
-	expected := "otpauth://hotp/test@example.com:Example?counter=342&digits=8&issuer=test%40example.com&secret=NNSXS"
+	expected := "otpauth://hotp/Issuer:test@example.com?counter=342&digits=8&issuer=Issuer&secret=NNSXS"
 	if url != expected {
 		t.Errorf("Invalid url generated.\nExpected: %s\n  Actual: %s", expected, url)
 	}
 
 	hotp = NewDefaultHOTP([]byte("key"), 2342)
-	url = hotp.ProvisioningUri("Example", "test@example.com")
+	url = hotp.ProvisioningUri("test@example.com", "Issuer")
 
-	expected = "otpauth://hotp/test@example.com:Example?counter=2342&issuer=test%40example.com&secret=NNSXS"
+	expected = "otpauth://hotp/Issuer:test@example.com?counter=2342&issuer=Issuer&secret=NNSXS"
 	if url != expected {
 		t.Errorf("Invalid url generated.\nExpected: %s\n  Actual: %s", expected, url)
 	}
 
 	hotp = NewHOTPHash([]byte("key"), 2342, DefaultDigits, -1, crypto.SHA512)
-	url = hotp.ProvisioningUri("Example", "test@example.com")
+	url = hotp.ProvisioningUri("test@example.com", "Issuer")
 
-	expected = "otpauth://hotp/test@example.com:Example?algorithm=SHA512&counter=2342&issuer=test%40example.com&secret=NNSXS"
+	expected = "otpauth://hotp/Issuer:test@example.com?algorithm=SHA512&counter=2342&issuer=Issuer&secret=NNSXS"
 	if url != expected {
 		t.Errorf("Invalid url generated.\nExpected: %s\n  Actual: %s", expected, url)
 	}
 }
 
 func TestHotpUrlParser(t *testing.T) {
-	data, err := NewHOTPFromUri("otpauth://hotp/test1@example.com:Example?digits=8&issuer=test%40example.com&secret=NNSXS&counter=10")
+	data, err := NewHOTPFromUri("otpauth://hotp/test1@example.com?digits=8&issuer=Issuer&secret=NNSXS&counter=10")
 	if err != nil {
 		t.Error(err)
 	}
 	otp := data.OTP.(*HOTP)
 
-	if data.Label != "Example" {
+	if data.Issuer != "Issuer" {
 		t.Errorf("Error parsing label from URL")
 	}
-	if data.Issuer != "test@example.com" {
+	if data.Account != "test1@example.com" {
 		t.Errorf("Error parsing issuer from URL")
 	}
 	if !reflect.DeepEqual(otp.Secret, []byte("key")) {
@@ -126,7 +126,7 @@ func TestHotpUrlParser(t *testing.T) {
 		t.Errorf("Error setting counter from URL")
 	}
 
-	data, err = NewHOTPFromUri("otpauth://hotp/test@example.com:Example?issuer=test%40example.com&counter=45&secret=NNSXS")
+	data, err = NewHOTPFromUri("otpauth://hotp/Issuer:test@example.com:Example?issuer=Overriden&counter=45&secret=NNSXS")
 	if err != nil {
 		t.Error(err)
 	}
@@ -137,12 +137,18 @@ func TestHotpUrlParser(t *testing.T) {
 	if otp.GetCounter() != 45 {
 		t.Errorf("Error parsing counter from URL")
 	}
+	if data.Issuer != "Overriden" {
+		t.Errorf("Error parsing label from URL")
+	}
 
-	data, err = NewHOTPFromUri("otpauth://hotp/test@example.com:Example?algorithm=SHA512&counter=10&issuer=test%40example.com&secret=NNSXS")
+	data, err = NewHOTPFromUri("otpauth://hotp/Issuer:test@example.com?algorithm=SHA512&counter=10&secret=NNSXS")
 	if err != nil {
 		t.Error(err)
 	}
 	otp = data.OTP.(*HOTP)
+	if data.Issuer != "Issuer" {
+		t.Errorf("Error parsing label from URL")
+	}
 	if otp.GetHash() != crypto.SHA512 {
 		t.Errorf("Error parsing time step from URL")
 	}

otp.go

@@ -49,12 +49,22 @@ type OTP interface {
 type OTPKeyData struct {
 	// OTP implementation, either *HOTP or *TOTP
 	OTP OTP
-	// Label contains user-visible label for the OTP
-	Label string
+	// Account contains the account Id for the OTP
+	Account string
 	// Issuer contains the name of the issuer of the OTP
 	Issuer string
 }
 
+// GetLabelRepr returns OTP label in human readable format
+// DO NOT use it for constructing otpauth: URIs
+func (okd *OTPKeyData) GetLabelRepr() string {
+	if okd.Issuer != "" {
+		return fmt.Sprintf("%s:%s", okd.Issuer, okd.Account)
+	} else {
+		return okd.Account
+	}
+}
+
 func adjustForHash(key []byte, algorithm crypto.Hash) []byte {
 	hash := algorithm.New()
 	if len(key) > hash.BlockSize() { // if key is longer than block size
@@ -67,25 +77,26 @@ func adjustForHash(key []byte, algorithm crypto.Hash) []byte {
 	return key
 }
 
-// getLabelIssuer extracts label and issuer name from the URL
-// label is populated from URL's account name
+// getAccountIssuer extracts account name and issuer name from the URL
+// returns (Account Name, Issuer)
+// account name is populated from URL's label
 // if label contains issuer separated from the account name with ':', then issuer is extracted from the label
 // if URL contains 'issuer' parameter then it overrides any other issuer value set previously
-func getLabelIssuer(u *url.URL) (string, string) {
-	label := u.Path[1:] // skip '/'
+func getAccountIssuer(u *url.URL) (string, string) {
+	accountName := u.Path[1:] // skip '/'
 	var labelIssuer string
-	if strings.Contains(label, ":") {
-		lbl := strings.Split(label, ":")
+	if strings.Contains(accountName, ":") {
+		lbl := strings.Split(accountName, ":")
 		labelIssuer = lbl[0]
-		label = lbl[1]
+		accountName = lbl[1]
 	}
 	var issuer string
 	if u.Query().Has(issuerKey) {
 		issuer = u.Query().Get(issuerKey)
 	} else {
 		issuer = labelIssuer
 	}
-	return label, issuer
+	return accountName, issuer
 }
 
 // EncodeKey converts a key to Base32 representation
@@ -136,17 +147,25 @@ const (
 	SHA1 = "SHA1"
 )
 
-func generateProvisioningUri(otpType string, accountName string, issuer string, digits int, key []byte, extra url.Values) string {
-	extra.Add(secretKey, EncodeKey(key))
-	extra.Add(issuerKey, issuer)
+func generateProvisioningUri(otpType string, accountName string, issuer string, digits int, key []byte, params url.Values) string {
+	params.Add(secretKey, EncodeKey(key))
+	if issuer != "" {
+		params.Add(issuerKey, issuer)
+	}
 	if digits != DefaultDigits {
-		extra.Add(digitsKey, fmt.Sprintf("%d", digits))
+		params.Add(digitsKey, fmt.Sprintf("%d", digits))
+	}
+	var label string
+	if issuer != "" {
+		label = url.PathEscape(issuer) + ":" + url.PathEscape(accountName)
+	} else {
+		label = url.PathEscape(accountName)
 	}
 	u := url.URL{
 		Scheme:   otpAuthSheme,
 		Host:     otpType,
-		Path:     url.PathEscape(issuer) + ":" + url.PathEscape(accountName),
-		RawQuery: extra.Encode(),
+		Path:     label,
+		RawQuery: params.Encode(),
 	}
 	return u.String()
 }

topt_test.go

@@ -85,25 +85,25 @@ func TestTOTPVerifyWithWindow(t *testing.T) {
 
 func TestTotpUrlGenerator(t *testing.T) {
 	totp := NewTOTPDigits([]byte("key"), 8)
-	url := totp.ProvisioningUri("Example", "test@example.com")
+	url := totp.ProvisioningUri("test@example.com", "Issuer")
 
-	expected := "otpauth://totp/test@example.com:Example?digits=8&issuer=test%40example.com&secret=NNSXS"
+	expected := "otpauth://totp/Issuer:test@example.com?digits=8&issuer=Issuer&secret=NNSXS"
 	if url != expected {
 		t.Errorf("Invalid url generated.\nExpected: %s\n  Actual: %s", expected, url)
 	}
 
 	totp = NewDefaultTOTP([]byte("key"))
-	url = totp.ProvisioningUri("Example", "test@example.com")
+	url = totp.ProvisioningUri("test@example.com", "Issuer")
 
-	expected = "otpauth://totp/test@example.com:Example?issuer=test%40example.com&secret=NNSXS"
+	expected = "otpauth://totp/Issuer:test@example.com?issuer=Issuer&secret=NNSXS"
 	if url != expected {
 		t.Errorf("Invalid url generated.\nExpected: %s\n  Actual: %s", expected, url)
 	}
 
 	totp = NewTOTP([]byte("key"), 8, 45, 0)
-	url = totp.ProvisioningUri("Example", "test@example.com")
+	url = totp.ProvisioningUri("test@example.com", "Issuer")
 
-	expected = "otpauth://totp/test@example.com:Example?digits=8&issuer=test%40example.com&period=45&secret=NNSXS"
+	expected = "otpauth://totp/Issuer:test@example.com?digits=8&issuer=Issuer&period=45&secret=NNSXS"
 	if url != expected {
 		t.Errorf("Invalid url generated.\nExpected: %s\n  Actual: %s", expected, url)
 	}
@@ -118,16 +118,16 @@ func TestTotpUrlGenerator(t *testing.T) {
 }
 
 func TestTotpUrlParser(t *testing.T) {
-	data, err := NewTOTPFromUri("otpauth://totp/test1@example.com:Example?digits=8&issuer=test%40example.com&secret=NNSXS")
+	data, err := NewTOTPFromUri("otpauth://totp/test1@example.com?digits=8&issuer=Issuer&secret=NNSXS")
 	if err != nil {
 		t.Error(err)
 	}
 	otp := data.OTP.(*TOTP)
 
-	if data.Label != "Example" {
+	if data.Account != "test1@example.com" {
 		t.Errorf("Error parsing label from URL")
 	}
-	if data.Issuer != "test@example.com" {
+	if data.Issuer != "Issuer" {
 		t.Errorf("Error parsing issuer from URL")
 	}
 	if !reflect.DeepEqual(otp.Secret, []byte("key")) {
@@ -140,7 +140,7 @@ func TestTotpUrlParser(t *testing.T) {
 		t.Errorf("Error setting default time step")
 	}
 
-	data, err = NewTOTPFromUri("otpauth://totp/test@example.com:Example?issuer=test%40example.com&period=45&secret=DDINI")
+	data, err = NewTOTPFromUri("otpauth://totp/Issuer:test@example.com?issuer=Overriden&period=45&secret=DDINI")
 	if err != nil {
 		t.Error(err)
 	}
@@ -151,11 +151,17 @@ func TestTotpUrlParser(t *testing.T) {
 	if otp.GetTimeStep() != 45 {
 		t.Errorf("Error parsing time step from URL")
 	}
+	if data.Issuer != "Overriden" {
+		t.Errorf("Error parsing issuer from URL")
+	}
 
-	data, err = NewTOTPFromUri("otpauth://totp/test@example.com:Example?algorithm=SHA256&issuer=test%40example.com&secret=NNSXS")
+	data, err = NewTOTPFromUri("otpauth://totp/Issuer:test@example.com?algorithm=SHA256&secret=NNSXS")
 	if err != nil {
 		t.Error(err)
 	}
+	if data.Issuer != "Issuer" {
+		t.Errorf("Error parsing issuer from URL")
+	}
 	otp = data.OTP.(*TOTP)
 	if otp.GetHash() != crypto.SHA256 {
 		t.Errorf("Error parsing time step from URL")
@@ -165,18 +171,18 @@ func TestTotpUrlParser(t *testing.T) {
 func TestTotpUrlParserErrors(t *testing.T) {
 	_, err := NewTOTPFromUri("otpauth://hotp/test@example.com:Example?digits=8&issuer=test%40example.com&secret=DDINI")
 	if err == nil {
-		t.Errorf("Expected to faile because of invalid otp type")
+		t.Errorf("Expected to fail because of invalid otp type")
 	}
 	_, err = NewTOTPFromUri("not_otpauth://totp/test@example.com:Example?digits=8&issuer=test%40example.com&secret=DDINI")
 	if err == nil {
-		t.Errorf("Expected to faile because of invalid URI schema")
+		t.Errorf("Expected to fail because of invalid URI schema")
 	}
 	_, err = NewTOTPFromUri("otpauth://totp/test@example.com:Example?digits=8&issuer=test%40example.com")
 	if err == nil {
-		t.Errorf("Expected to faile because of missing secret")
+		t.Errorf("Expected to fail because of missing secret")
 	}
 	_, err = NewTOTPFromUri("otpauth://totp/test@example.com:Example?digits=8&issuer=test%40example.com&secret=X0NNSXS")
 	if err == nil {
-		t.Errorf("Expected to faile because of invalid secret")
+		t.Errorf("Expected to fail because of invalid secret")
 	}
 }