jchambers / java-otp

A one-time password (HOTP/TOTP) library for Java
MIT License

HOTP generator return zero otp code #20

Closed. otricadziziusz closed this 3 years ago

otricadziziusz commented 3 years ago

Hi! I caught a strange issue: I get a zero OTP code from the generator with the current counter 22165.

I am attaching a reproducible example with a key.

import com.eatthepath.otp.HmacOneTimePasswordGenerator;
import org.apache.commons.codec.binary.Base32;
import org.junit.Assert;
import org.junit.Test;

import javax.crypto.spec.SecretKeySpec;

public class HotpZeroValueTest {

  // Base32-encoded shared secret (standard RFC 4648 alphabet, not base32hex).
  private static final String KEY = "ANGNYSN4D3IZV523MRTXNRJU647E7R64";

  @Test
  public void test1() throws Exception {
    Base32 base32 = new Base32(false);
    // 6-digit HOTP generator; HOTP_HMAC_ALGORITHM is the library's HmacSHA1 constant.
    HmacOneTimePasswordGenerator hotpGenerator = new HmacOneTimePasswordGenerator(6);
    SecretKeySpec key = new SecretKeySpec(base32.decode(KEY), HmacOneTimePasswordGenerator.HOTP_HMAC_ALGORITHM);

    // Neighbouring counters produce ordinary six-digit values...
    int otpCode = hotpGenerator.generateOneTimePassword(key, 22164);
    Assert.assertEquals(100637, otpCode);
    otpCode = hotpGenerator.generateOneTimePassword(key, 22166);
    Assert.assertEquals(607204, otpCode);
    // ...but counter 22165 yields the integer 0 ("000000" once zero-padded).
    otpCode = hotpGenerator.generateOneTimePassword(key, 22165);
    Assert.assertEquals(0, otpCode);
  }
}
jchambers commented 3 years ago

Why do you think this is a bug? What code did you expect instead?

Bear in mind that a 6-digit HOTP generator can yield any integer between 0 and 999999. The case you've shared seems fine to me; generating 0 is no more or less likely than generating 100637 or 607204.

otricadziziusz commented 3 years ago

That's all right. I checked with the reference implementation from RFC 4226 and it returns the code 000000 for counter 22165.

Thanks!
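Both points in the thread, jchambers's remark that a 6-digit HOTP is simply an integer in the range 0 to 999999 (so 0 is as legitimate as any other value) and the reporter's check against the RFC 4226 reference implementation, can be reproduced with an independent HOTP implementation. The Python below is an added example written for this page; it is not java-otp code and not the RFC's reference code. It self-checks against the RFC 4226 Appendix D test vectors and includes the Base32 key and the three counters from the issue so the counter-22165 case can be recomputed. The practitioner's takeaway is that an API returning an int must be zero-padded before display or comparison: 0 has to become "000000", and comparing `str(code)` to the user's input would wrongly reject it.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890") and the
# published 6-digit HOTP values for counters 0..9.
RFC4226_SECRET = b"12345678901234567890"
RFC4226_VECTORS = {
    0: 755224, 1: 287082, 2: 359152, 3: 969429, 4: 338314,
    5: 254676, 6: 287922, 7: 162583, 8: 399871, 9: 520489,
}

# Base32 key and counters copied from the issue above, so the counter-22165
# case can be recomputed with this independent implementation.
ISSUE_KEY_B32 = "ANGNYSN4D3IZV523MRTXNRJU647E7R64"
ISSUE_COUNTERS = (22164, 22165, 22166)


def hotp(secret: bytes, counter: int, digits: int = 6) -> int:
    """RFC 4226 HOTP as an integer in [0, 10**digits).

    HS = HMAC-SHA1(K, C) with C the 8-byte big-endian counter, followed by
    the dynamic truncation of section 5.3 and a reduction mod 10**digits.
    """
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 allows 6 to 8 digits")
    hs = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = hs[19] & 0x0F                  # low nibble of the last byte
    sbits = (
        (hs[offset] & 0x7F) << 24           # mask the sign bit: 31-bit value
        | hs[offset + 1] << 16
        | hs[offset + 2] << 8
        | hs[offset + 3]
    )
    return sbits % (10 ** digits)


def format_otp(code: int, digits: int = 6) -> str:
    """Left-pad with zeros: the integer 0 is the valid code '000000'."""
    return f"{code:0{digits}d}"


def verify_otp(secret: bytes, counter: int, submitted: str, digits: int = 6) -> bool:
    """Constant-time comparison of the zero-padded expected code with user input.

    Comparing str(code) instead would reject a submitted '000000' when the
    generator returned 0.
    """
    expected = format_otp(hotp(secret, counter, digits), digits)
    return hmac.compare_digest(expected.encode(), submitted.encode())


def rfc4226_self_test() -> bool:
    """True iff every Appendix D vector is reproduced."""
    return all(hotp(RFC4226_SECRET, c) == v for c, v in RFC4226_VECTORS.items())


def issue_codes() -> dict:
    """Zero-padded codes for the three counters from the issue, keyed by counter."""
    key = base64.b32decode(ISSUE_KEY_B32)
    return {c: format_otp(hotp(key, c)) for c in ISSUE_COUNTERS}


if __name__ == "__main__":
    print("RFC 4226 vectors OK:", rfc4226_self_test())
    for counter, code in issue_codes().items():
        print(counter, code)
```

Running the script first confirms the Appendix D vectors and then prints the padded codes for counters 22164 to 22166 under the issue's key; `verify_otp` shows the comparison done on the padded string form, which is where a zero code is most often mishandled in practice.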