samdjstevens / java-totp

A java library for implementing Time-based One Time Passwords for Multi-Factor Authentication.
MIT License

Unable to verify TOTP using google/microsoft authenticator applications #59

Open ashutoshkumarmishra560 opened 3 months ago

ashutoshkumarmishra560 commented 3 months ago

Hi,

I have been using your library for handling TOTP-based QR code generation and validation for the last year. It was working successfully with Google and Microsoft Authenticator. All of a sudden the TOTP validation is failing, and I am failing to understand why.

Below is the code to generate the QR code which I scan using the authenticator app:

```java
// Provisioning data for the authenticator app: base32 secret, SHA1, 6 digits, 30-second period
QrData data = new QrData.Builder()
        .label(userDispVal)
        .secret(secret)
        .issuer(label)
        .algorithm(HashingAlgorithm.SHA1)
        .digits(6)
        .period(30)
        .build();
QrGenerator generator = new ZxingPngQrGenerator();
byte[] imageData = generator.generate(data);
String mimeType = generator.getImageMimeType();
String dataUri = getDataUriForImage(imageData, mimeType);
```

and below is the code to validate the TOTP code generated by the authenticator app:

```java
// Verifier using the system clock and the same SHA1 code generator the QR code advertises
TimeProvider timeProvider = new SystemTimeProvider();
CodeGenerator codeGenerator = new DefaultCodeGenerator(HashingAlgorithm.SHA1);
DefaultCodeVerifier verifier = new DefaultCodeVerifier(codeGenerator, timeProvider);
boolean successful = verifier.isValidCode(secret, code);
```

The last call is always returning false. It was working earlier like I mentioned. Any help in this regard will be appreciated.

Thanks, Ashutosh
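A stand-alone RFC 6238 check, added here as an example and not code from the library or from the issue above: it recomputes the 6-digit SHA1/30-second code for a base32 secret (the parameters from the QrData in the post), verifies it with a one-period window the way a TOTP verifier typically does, and reports the period offset at which a code from the authenticator actually matches, which separates a clock-skew problem from a wrong or re-encoded secret. The secret is the RFC 4226/6238 test key `12345678901234567890`, base32-encoded; the function names are mine.

```python
import base64
import hmac
import struct

# Constructed sample: RFC 4226/6238 test key "12345678901234567890", base32-encoded
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter)."""
    padded = secret_b32.strip().upper()
    padded += "=" * (-len(padded) % 8)          # tolerate unpadded base32
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret_b32, unix_time // period, digits)


def matching_offset(secret_b32: str, code: str, unix_time: int,
                    period: int = 30, search: int = 10):
    """Return the period offset at which `code` matches (nearest first), or None.

    A match at a non-zero offset outside the verifier's window is the classic
    symptom of clock skew between the phone and the server; no match at all
    within +/- `search` periods points at the secret or the code parameters.
    """
    counter = unix_time // period
    for delta in sorted(range(-search, search + 1), key=abs):
        if counter + delta < 0:
            continue                             # HOTP counters are unsigned
        if hmac.compare_digest(hotp(secret_b32, counter + delta), code):
            return delta
    return None


def verify_totp(secret_b32: str, code: str, unix_time: int,
                period: int = 30, discrepancy: int = 1) -> bool:
    """Accept the code for the current period and `discrepancy` periods either side."""
    offset = matching_offset(secret_b32, code, unix_time, period, search=discrepancy)
    return offset is not None
```

If the code from the phone matches only at an offset of, say, -3, the phone's clock is about 90 seconds behind the server; if it matches at no offset, compare the base32 secret that was put into the QR code with the one passed to the verifier.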

acotiuga commented 3 weeks ago

Hi @ashutoshkumarmishra560,

This could be related to the fact that since September 2021, OpenSSL version 3.0.0 discards by default certificates signed using SHA1, as techniques have been found to create collisions on SHA1 signatures.

In order to continue using SHA1-signed certificates, end users have to configure their OpenSSL installation to lower its security level, which will also allow other less-securely signed certificates to be validated by OpenSSL (this issue talks about it).

Hope it helps, Alex