依據谷歌官方的算法實現mfa認證:
谷歌mfa算法工具(直接copy后改了下):
public class GoogleAuthenticator { // taken from Google pam docs - we probably don't need to mess with these public static final int SECRET_SIZE = 10; public static final String RANDOM_NUMBER_ALGORITHM = "SHA1PRNG"; int window_size = 3; // default 3 - max 17 (from google docs)最多可偏移的時間 public void setWindowSize(int s) { if (s >= 1 && s <= 17) { window_size = s; } } public static Boolean authcode(String codes, String savedSecret) { // enter the code shown on device. Edit this and run it fast before the // code expires! long code = Long.parseLong(codes); long t = System.currentTimeMillis(); GoogleAuthenticator ga = new GoogleAuthenticator(); ga.setWindowSize(15); // should give 5 * 30 seconds of grace... boolean r = ga.check_code(savedSecret, code, t); return r; } public static String genSecret(String name) { String secret = GoogleAuthenticator.generateSecretKey(name); GoogleAuthenticator.getQRBarcodeURL("testuser", "testhost", secret); return secret; } public static String generateSecretKey(String name) { SecureRandom sr = null; try { sr = SecureRandom.getInstance(RANDOM_NUMBER_ALGORITHM); sr.setSeed(Base64.decodeBase64(UUID.randomUUID().toString()+name)); byte[] buffer = sr.generateSeed(SECRET_SIZE); Base32 codec = new Base32(); byte[] bEncodedKey = codec.encode(buffer); String encodedKey = new String(bEncodedKey); return encodedKey; } catch (NoSuchAlgorithmException e) { // should never occur... configuration error } return null; } //獲取二維碼的url public static String getQRBarcodeURL(String user, String host, String secret) { String format = "otpauth://totp/%s@%s?secret=%s"; return String.format(format, user, host, secret); } public boolean check_code(String secret, long code, long timeMsec) { Base32 codec = new Base32(); byte[] decodedKey = codec.decode(secret); // convert unix msec time into a 30 second "window" // this is per the TOTP spec (see the RFC for details) long t = (timeMsec / 1000L) / 30L; // Window is used to check codes generated in the near past. // You can use this value to tune how far you're willing to go. for (int i = -window_size; i <= window_size; ++i) { long hash; try { hash = verify_code(decodedKey, t + i); } catch (Exception e) { // Yes, this is bad form - but // the exceptions thrown would be rare and a static configuration problem e.printStackTrace(); throw new RuntimeException(e.getMessage()); //return false; } if (hash == code) { return true; } } // The validation code is invalid. return false; } private static int verify_code(byte[] key, long t) throws Exception { byte[] data = new byte[8]; long value = t; for (int i = 8; i-- > 0; value >>>= 8) { data[i] = (byte) value; } SecretKeySpec signKey = new SecretKeySpec(key, "HmacSHA1"); Mac mac = Mac.getInstance("HmacSHA1"); mac.init(signKey); byte[] hash = mac.doFinal(data); int offset = hash[20 - 1] & 0xF; // We're using a long because Java hasn't got unsigned int. long truncatedHash = 0; for (int i = 0; i < 4; ++i) { truncatedHash <<= 8; // We are dealing with signed bytes: // we just keep the first byte. truncatedHash |= (hash[offset + i] & 0xFF); } truncatedHash &= 0x7FFFFFFF; truncatedHash %= 1000000; return (int) truncatedHash; } }
使用方法:
@Test public void genSecretTest() {
//生成secret String secret = GoogleAuthenticator.generateSecretKey("test");
//生成二維碼url String url = GoogleAuthenticator.getQRBarcodeURL("test", "testhost", secret); QrConfig qrConfig = new QrConfig(); qrConfig.setErrorCorrection(ErrorCorrectionLevel.L); qrConfig.setWidth(200); qrConfig.setHeight(200);
//生成二維碼,生成后需要手機下載谷歌或者微軟的Authenticator進行掃描綁定 QrCodeUtil.generate(url, qrConfig, FileUtil.file("d:/qrcode.jpg")); System.out.println("Please register " + url); System.out.println("Secret key is " + secret); } //在測試之前保存上一步生成的secret. static String savedSecret = "XLFAQII7HRRMZEP3";
@Test public void authTest() { //code碼為0開頭的去掉0再進行驗證,否則類型超范圍 long code = 驗證器的驗證碼; long t = System.currentTimeMillis(); GoogleAuthenticator ga = new GoogleAuthenticator(); ga.setWindowSize(5); //寬限時間5*30秒 boolean r = ga.check_code(savedSecret, code, t); System.out.println("Check code = " + r); }
