R4D4R / winauth

Automatically exported from code.google.com/p/winauth
GNU General Public License v3.0

Plain Text Export #157

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I'm developer behind Authenticator Plus (TOTP / HOTP Android App)

I would like to support importing WinAuth data, I have inspected the xml file 
used by WinAuth, looks like account secrets are stored in encrypted format even 
if we choose no encryption in settings.

Could you add export edata support as plain text so that it can be imported?

If possible, can you give me an outline of how the secret is stored in xml with 
encrypted and non-encrypted settings?

Original issue reported on code.google.com by mu...@authenticatorplus.com on 10 Jun 2014 at 9:51

GoogleCodeExporter commented 9 years ago
Hi Mufri. I wouldn't suggest trying to parse the xml file, in case it ever 
changes, plus the encryption can be by Windows itself, a password for them all, 
or a separate password per authenticator. The user would have to make their 
file insecure in order to make it readable.

Better, as I mentioned in the other issue, is to use the existing KeyUri 
interchange format. If we agree on the Battle.Net format then we can more 
easily pass a simple text file between us.

Let me know what you think.

Cheers

-c.

Original comment by winauth on 10 Jun 2014 at 5:20

GoogleCodeExporter commented 9 years ago
Sure. 

How about a CSV file (each account entry is separated by a comma) with below 
detail, where serial param will be available only for battlenet

otpauth://totp/BattleNet:mylabel?secret=SECRET&digits=8&issuer=BattleNet&serial=US140610734960

Original comment by mu...@authenticatorplus.com on 10 Jun 2014 at 5:43

GoogleCodeExporter commented 9 years ago
Personally I'd prefer one per line, just in case there is a comma in the label, 
and then we don't have to escape.

I had thought of an extra parameter, and prefer it, although the KeyUri spec 
didn't seem to go into detail about extra ones. But I agree, so as you've 
written.

otpauth://totp/BattleNet:mylabel?secret=SECRET&digits=8&issuer=BattleNet&serial=US140610734960

The SECRET will have to be base32 encoded.

Original comment by winauth on 10 Jun 2014 at 5:55

GoogleCodeExporter commented 9 years ago
Agreed, pls consider both \n and \r as line endings.

otpauth://totp/BattleNet:mylabel?secret=SECRET_in_base32&digits=8&issuer=BattleNet&serial=US140610734960

I shall send your test binary with this implementation. 

Original comment by mu...@authenticatorplus.com on 11 Jun 2014 at 4:29

GoogleCodeExporter commented 9 years ago
I have sent beta test request, if you have Android phone you can test this 
binary.

I have implemented both import and export as text file in the discussed format.

A few samples are:

otpauth://totp/Google:sergey@gmail.com?secret=7777777777777777&issuer=Google&digits=6
otpauth://totp/dave@gmail.com?secret=2222222222222222&digits=6
otpauth://totp/Facebook:mark@facebook.com?secret=tnfzi4fhu6f55g5y&issuer=Facebook&digits=6
otpauth://totp/BattleNet:BattleNet:Daredevil?secret=GFQTEYRTGA3TINRQMY4WGZJWHFSTCNRQHAYTIOJQMQ3WGNJZGVSDOMLBGY2DINLE&issuer=BattleNet&digits=8&serial=US

Original comment by mu...@authenticatorplus.com on 11 Jun 2014 at 5:10

GoogleCodeExporter commented 9 years ago
Thanks. I'm hoping to get to this over the weekend. I'll add in an 
import/export to WinAuth too and put up a test version so we can check 
everything is being passed back and forth correctly.

Original comment by winauth on 13 Jun 2014 at 3:20

GoogleCodeExporter commented 9 years ago
Couple of things I noticed straightaway.

1. In your export file. The label has to be URLencoded, e.g. 
"otpauth://totp/Test (my@email.com)?..." should be 
"otpauth://totp/Test%20(my@email.com)?..."

2. The Battle.net serial has 0x00 in between the digits, e.g. 
&serial=US\x001234\x005678\x001234

Original comment by winauth on 13 Jun 2014 at 5:40

GoogleCodeExporter commented 9 years ago
I found the null char in serial and sent you fixed binary. 

Will url encode the label and send you new binary.

Original comment by mu...@authenticatorplus.com on 13 Jun 2014 at 5:54

GoogleCodeExporter commented 9 years ago
URL encoding will convert @ too, say @ will be converted to %40, or would you 
like to convert only spaces to %20?

For eg : twin@gmail.com (Imported 1) to twin%40gmail.com%20(Imported%201) 

Original comment by mu...@authenticatorplus.com on 13 Jun 2014 at 7:06

GoogleCodeExporter commented 9 years ago
Yep. I'd just convert anything as normal for a URL, e.g. java.net.URLEncoder. 

Original comment by winauth on 13 Jun 2014 at 7:35

GoogleCodeExporter commented 9 years ago
Ah, bit confused,  java.net.URLEncoder converts spaces to +.

http://docs.oracle.com/javase/7/docs/api/java/net/URLEncoder.html

From docs,

For example using UTF-8 as the encoding scheme the string "The string 
ü@foo-bar" would get converted to "The+string+%C3%BC%40foo-bar"

Original comment by mu...@authenticatorplus.com on 14 Jun 2014 at 4:59

GoogleCodeExporter commented 9 years ago
If you share your API to encode and decode I can implement similarly.

Original comment by mu...@authenticatorplus.com on 14 Jun 2014 at 5:00

GoogleCodeExporter commented 9 years ago
Officially + and %20 are interchangeable in the query string, but + should only 
be used in the path. http://www.w3.org/Addressing/URL/uri-spec.html

In reality they'll get decoded fine. As long as you use java.net.URI or 
java.net.URLEncoder then my equivalent C# will definitely work 
(http://msdn.microsoft.com/en-us/library/system.web.httputility.urldecode(v=vs.90).aspx) 
no matter what chars and unicode chars are in there.

Original comment by winauth on 14 Jun 2014 at 5:23

GoogleCodeExporter commented 9 years ago
In my testing the WinAuth changes it looks like you are encoding your BattleNet 
secret keys as Base32 from hex strings, but they should be done directly from 
the byte arrays to Base32.

e.g. a key of [0x48, 0x65, 0x6c, 0x6c, 0x6f, 0xde, 0xad, 0xbe, 0xef] would be 
JBSWY3DPEHPK3PXP (see example in 
https://code.google.com/p/google-authenticator/wiki/KeyUriFormat)

Here is my test case:

Label: Test Case (my@test.com) £:€
Serial: US-1306-2525-4376
Restore Code: CR24KPKF51
Key: [0x7b,0x0b,0xfa,0x82,0x30,0xe5,0x44,0x24,0xab,0x51,0x77,0x7d,0xad,0xbf,0xd5,0x37,0x41,0x43,0xe3,0xb0]
Base32: PMF7VARQ4VCCJK2RO5623P6VG5AUHY5Q
URL: otpauth://totp/BattleNet:Test+Case+(my%40test.com)+%c2%a3%3a%e2%82%ac?secret=PMF7VARQ4VCCJK2RO5623P6VG5AUHY5Q&digits=8&serial=US130625254376&issuer=BattleNet

I tried to import this into your app but it doesn't show the code

Original comment by winauth on 17 Jun 2014 at 1:52
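
An importer for the one-URI-per-line format the thread settles on, as an added Python example that is not code from WinAuth or Authenticator Plus: it accepts both \r and \n line endings, decodes labels written with + or %20, strips 0x00 from serials, and flags a secret that was Base32-encoded from a hex string rather than from the key bytes. The function names and the "Bad Export" entry are assumptions made up for the illustration; the key and the first URI are the test case from the comment above.

```python
import base64
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

def decode_secret(b32):
    """Base32 text -> raw key bytes (accepts lower case, missing padding)."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))

def looks_hex_encoded(key):
    """True if the key is ASCII hex text: the hex string was Base32-encoded."""
    return len(key) % 2 == 0 and bool(re.fullmatch(rb"[0-9A-Fa-f]+", key))

def parse_export(text):
    """Parse one otpauth://totp URI per line; \\r and \\n both end a line."""
    entries = []
    for line in re.split(r"[\r\n]+", text):
        if not line.strip():
            continue
        uri = urlsplit(line.strip())
        if uri.scheme != "otpauth" or uri.netloc != "totp":
            raise ValueError("not an otpauth://totp URI")
        query = parse_qs(uri.query)
        issuer = query.get("issuer", [""])[0]
        # The thread's test URI has '+' for spaces in the path: accept + and %20.
        label = unquote_plus(uri.path.lstrip("/"))
        if issuer and label.startswith(issuer + ":"):
            label = label[len(issuer) + 1:]
        key = decode_secret(query["secret"][0])
        entries.append({
            "issuer": issuer,
            "label": label,
            "key": key,
            "digits": int(query.get("digits", ["6"])[0]),
            # Drop the 0x00 bytes the thread found between serial digits.
            "serial": query.get("serial", [""])[0].replace("\x00", ""),
            "hex_encoded_secret": looks_hex_encoded(key),
        })
    return entries

# Constructed input: the thread's test case, then a hypothetical mis-encoded copy.
TEST_KEY = bytes.fromhex("7b0bfa8230e54424ab51777dadbfd5374143e3b0")
BAD_SECRET = base64.b32encode(TEST_KEY.hex().encode()).decode()
SAMPLE = (
    "otpauth://totp/BattleNet:Test+Case+(my%40test.com)+%c2%a3%3a%e2%82%ac"
    "?secret=PMF7VARQ4VCCJK2RO5623P6VG5AUHY5Q&digits=8"
    "&serial=US130625254376&issuer=BattleNet\r"
    "otpauth://totp/BattleNet:Bad%20Export?secret=" + BAD_SECRET +
    "&digits=8&serial=US\x001306\x002525\x004376&issuer=BattleNet\n"
)
ENTRIES = parse_export(SAMPLE)
```

A flagged entry decodes to 40 ASCII hex characters instead of a 20-byte key, so codes generated from it will not match the other application's.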

GoogleCodeExporter commented 9 years ago
There is now a beta version of WinAuth that we can try alongside your 
development version.

https://winauth.com/downloads/3.x/WinAuth-3.1.1-BETA.zip

Original comment by winauth on 17 Jun 2014 at 7:18

GoogleCodeExporter commented 9 years ago
Awesome, I have tested with fixed app, everything looks fine.

I have tried import/export; the codes generated on the phone and in WinAuth are the same.

I shall send you test apk soon, if you have any exported text with all possible 
dummy values please share it, I can verify it once before releasing apk to you.

Original comment by mu...@authenticatorplus.com on 17 Jun 2014 at 7:38

GoogleCodeExporter commented 9 years ago
Just tried your latest version with WinAuth 3.1.2. My test cases all succeeded, 
from WinAuth to Authenticator Plus and back again.

Original comment by winauth on 18 Jun 2014 at 7:37

GoogleCodeExporter commented 9 years ago
Cool, let's conclude this implementation. I shall release new binary in Google 
Play store with this support.

Original comment by mu...@authenticatorplus.com on 18 Jun 2014 at 8:41

GoogleCodeExporter commented 9 years ago
Released in 3.1.5

Original comment by winauth on 5 Jul 2014 at 10:20