Google Authenticator 工作流程
实际上 Google Authenticator 采用的是 TOTP 算法(Time-Based One-Time Password,即基于时间的一次性密码),其核心内容包括以下三点。
- 安全密钥
是客户端和服务端约定的安全密钥,也是手机端 APP 身份验证器绑定(手机端通过扫描或者手输安全密钥进行绑定)和验证码的验证都需要的一个唯一的安全密钥,该密钥由加密算法生成,并最后由 Base32 编码而成。 - 验证时间
Google 选择了 30 秒作为时间片,T的数值为 从Unix epoch(1970年1月1日 00:00:00)来经历的 30 秒的个数,所以在 Google Authenticator 中我们可以看见验证码每个 30 秒就会刷新一次。 - 签署算法
Google 使用的是 HMAC-SHA1 算法,全称是:Hash-based message authentication code(哈希运算消息认证码),它是以一个密钥和一个消息为输入,生成一个消息摘要作为输出,这里以 SHA1 算法作为消息输入。
使用 HMAC 算法是因为只有用户本身知道正确的输入密钥,因此会得到唯一的输出,其算法可以简单表示为:
hmac = SHA1(secret + SHA1(secret + input))
事实上,TOTP 是 HMAC-OTP(基于HMAC的一次密码生成)的超集,区别是 TOTP 是以当前时间作为输入,而HMAC-OTP 则是以自增计算器作为输入,该计数器使用时需要进行同步。
demo
GoogleCodeTest
package com.example.springboot_fastweb.controller.test;
import org.apache.commons.codec.binary.Base32;
import org.apache.commons.codec.binary.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
/**
* Java实现谷歌身份验证器
* 2021-10-25 justin
*/
public class GoogleCodeTest {
//base64随机字符
public static String BASE64 = "";
//谷歌验证码前缀
public static String PREFIX = "123";
//谷歌验证码备注
public static String REMARK = "123";
//生成的二维码的路径及名称
public static String DESTPATH = "路径/图片名称.jpg";
// TODO: 运行即可
public static void main(String[] args) throws Exception {
// 1.生成随机密钥
String code = generateSecretKey();
System.out.println("密钥:" + code);
// 2.生成验证码
Integer verifyCode = getVerifyCode(code);
System.out.println("验证码:" + verifyCode);
// 3.将生成的密钥转换为二维码
QRCode(code);
}
//TODO: 1.生成随机密钥 generateSecretKey()方法
public static String generateSecretKey() throws NoSuchAlgorithmException {
SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
sr.setSeed(Base64.decodeBase64(BASE64));
byte[] buffer = sr.generateSeed(10);
Base32 codec = new Base32();
byte[] bEncodedKey = codec.encode(buffer);
return new String(bEncodedKey);
}
//TODO: 2.生成验证码 getVerifyCode()方法
public static Integer getVerifyCode(String code) {
byte[] key = new Base32().decode(code);
long t = (System.currentTimeMillis() / 1000L) / 30L;
int verifyCode = 0;
try {
verifyCode = GoogleCodeTest.generateCode(key, t);
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (InvalidKeyException e) {
e.printStackTrace();
}
return verifyCode;
}
//TODO: 2.二维码图片 QRCode()方法
public static void QRCode(String code) throws Exception {
//user 为大标题括号内备注 code是验证吗 issuer 是前缀
String admin = getQRBarcode(PREFIX, code, REMARK);
//生成二维码
QRCodeUtil.encode(admin, DESTPATH);
//解析二维码
String str = QRCodeUtil.decode(DESTPATH);
//打印出解析出的内容
System.out.println("str:" + str);
}
public static String getQRBarcode(String user, String secret, String issuer) {
String format = "otpauth://totp/%s?secret=%s&issuer=%s";
return String.format(format, user, secret, issuer);
}
public static int generateCode(byte[] key, long t) throws NoSuchAlgorithmException, InvalidKeyException {
byte[] data = new byte[8];
long value = t;
for (int i = 8; i-- > 0; value >>>= 8) {
data[i] = (byte) value;
}
SecretKeySpec signKey = new SecretKeySpec(key, "HmacSHA1");
Mac mac = Mac.getInstance("HmacSHA1");
mac.init(signKey);
byte[] hash = mac.doFinal(data);
int offset = hash[20 - 1] & 0xF;
// We're using a long because Java hasn't got unsigned int.
long truncatedHash = 0;
for (int i = 0; i < 4; ++i) {
truncatedHash <<= 8;
// We are dealing with signed bytes:
// we just keep the first byte.
truncatedHash |= (hash[offset + i] & 0xFF);
}
truncatedHash &= 0x7FFFFFFF;
truncatedHash %= 1000000;
return (int) truncatedHash;
}
/**
* 最多可偏移的时间
* default 3 - max 17
*/
int window_size = 3;
public boolean checkCode(String secret, long code, long timeMsec) {
Base32 codec = new Base32();
byte[] decodedKey = codec.decode(secret);
long t = (timeMsec / 1000L) / 30L;
for (int i = -window_size; i <= window_size; ++i) {
long hash;
try {
hash = generateCode(decodedKey, t + i);
} catch (Exception e) {
e.printStackTrace();
throw new RuntimeException(e.getMessage());
}
if (hash == code) {
return true;
}
}
return false;
}
}
2.二维码工具类
QRCodeUtil
package com.example.springboot_fastweb.controller.test;
import cn.hutool.extra.qrcode.BufferedImageLuminanceSource;
import com.google.zxing.*;
import com.google.zxing.common.BitMatrix;
import com.google.zxing.common.HybridBinarizer;
import com.google.zxing.qrcode.decoder.ErrorCorrectionLevel;
import javax.imageio.ImageIO;
import java.awt.*;
import java.awt.geom.RoundRectangle2D;
import java.awt.image.BufferedImage;
import java.io.File;
import java.io.OutputStream;
import java.util.Hashtable;
/**
* 工具类
*/
public class QRCodeUtil {
private static final String CHARSET = "utf-8";
private static final String FORMAT_NAME = "JPG";
// 二维码尺寸
private static final int QRCODE_SIZE = 300;
// LOGO宽度
private static final int WIDTH = 60;
// LOGO高度
private static final int HEIGHT = 60;
private static BufferedImage createImage(String content, String imgPath, boolean needCompress) throws Exception {
Hashtable hints = new Hashtable();
hints.put(EncodeHintType.ERROR_CORRECTION, ErrorCorrectionLevel.H);
hints.put(EncodeHintType.CHARACTER_SET, CHARSET);
hints.put(EncodeHintType.MARGIN, 1);
BitMatrix bitMatrix = new MultiFormatWriter().encode(content, BarcodeFormat.QR_CODE, QRCODE_SIZE, QRCODE_SIZE,
hints);
int width = bitMatrix.getWidth();
int height = bitMatrix.getHeight();
BufferedImage image = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);
for (int x = 0; x < width; x++) {
for (int y = 0; y < height; y++) {
image.setRGB(x, y, bitMatrix.get(x, y) ? 0xFF000000 : 0xFFFFFFFF);
}
}
if (imgPath == null || "".equals(imgPath)) {
return image;
}
// 插入图片
QRCodeUtil.insertImage(image, imgPath, needCompress);
return image;
}
private static void insertImage(BufferedImage source, String imgPath, boolean needCompress) throws Exception {
File file = new File(imgPath);
if (!file.exists()) {
System.err.println("" + imgPath + " 该文件不存在!");
return;
}
Image src = ImageIO.read(new File(imgPath));
int width = src.getWidth(null);
int height = src.getHeight(null);
if (needCompress) { // 压缩LOGO
if (width > WIDTH) {
width = WIDTH;
}
if (height > HEIGHT) {
height = HEIGHT;
}
Image image = src.getScaledInstance(width, height, Image.SCALE_SMOOTH);
BufferedImage tag = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);
Graphics g = tag.getGraphics();
g.drawImage(image, 0, 0, null); // 绘制缩小后的图
g.dispose();
src = image;
}
// 插入LOGO
Graphics2D graph = source.createGraphics();
int x = (QRCODE_SIZE - width) / 2;
int y = (QRCODE_SIZE - height) / 2;
graph.drawImage(src, x, y, width, height, null);
Shape shape = new RoundRectangle2D.Float(x, y, width, width, 6, 6);
graph.setStroke(new BasicStroke(3f));
graph.draw(shape);
graph.dispose();
}
/**
* 生成二维码encode
*
* @param content
* @param imgPath
* @param destPath
* @param needCompress
* @throws Exception
*/
public static void encode(String content, String imgPath, String destPath, boolean needCompress) throws Exception {
BufferedImage image = QRCodeUtil.createImage(content, imgPath, needCompress);
mkdirs(destPath);
// String file = new Random().nextInt(99999999)+".jpg";
// ImageIO.write(image, FORMAT_NAME, new File(destPath+"/"+file));
ImageIO.write(image, FORMAT_NAME, new File(destPath));
}
public static BufferedImage encode(String content, String imgPath, boolean needCompress) throws Exception {
BufferedImage image = QRCodeUtil.createImage(content, imgPath, needCompress);
return image;
}
public static void mkdirs(String destPath) {
File file = new File(destPath);
// 当文件夹不存在时,mkdirs会自动创建多层目录,区别于mkdir.(mkdir如果父目录不存在则会抛出异常)
if (!file.exists() && !file.isDirectory()) {
file.mkdirs();
}
}
public static void encode(String content, String imgPath, String destPath) throws Exception {
QRCodeUtil.encode(content, imgPath, destPath, false);
}
public static void encode(String content, String destPath) throws Exception {
QRCodeUtil.encode(content, null, destPath, false);
}
public static void encode(String content, String imgPath, OutputStream output, boolean needCompress)
throws Exception {
BufferedImage image = QRCodeUtil.createImage(content, imgPath, needCompress);
ImageIO.write(image, FORMAT_NAME, output);
}
public static void encode(String content, OutputStream output) throws Exception {
QRCodeUtil.encode(content, null, output, false);
}
/**
* 解析二维码decode
*
* @param file
* @return
* @throws Exception
*/
public static String decode(File file) throws Exception {
BufferedImage image;
image = ImageIO.read(file);
if (image == null) {
return null;
}
BufferedImageLuminanceSource source = new BufferedImageLuminanceSource(image);
BinaryBitmap bitmap = new BinaryBitmap(new HybridBinarizer(source));
Result result;
Hashtable hints = new Hashtable();
hints.put(DecodeHintType.CHARACTER_SET, CHARSET);
result = new MultiFormatReader().decode(bitmap, hints);
String resultStr = result.getText();
return resultStr;
}
public static String decode(String path) throws Exception {
return QRCodeUtil.decode(new File(path));
}
}