A quick-and-dirty implementation of HOTP (RFC 4226) in Javascript.

2024-12-22 08:46:10 +00:00 · 2009-12-13 19:19:24 +01:00 · 2009-12-13 19:19:24 +01:00 · df149b65f6
commit df149b65f6
2 changed files with 134 additions and 0 deletions
--- a/example.html
+++ b/example.html
@ -0,0 +1,33 @@
+<html>
+<head>
+<script type="text/javascript" src="http://crypto-js.googlecode.com/files/2.0.0-crypto-sha1.js"></script>
+<script type="text/javascript" src="http://crypto-js.googlecode.com/files/2.0.0-hmac-min.js"></script>
+<script type="text/javascript" src="http://www.foo.be/hotp/hotp/hotp.js"></script>
+<title>HOTP Sample Test Page in Javascript</title>
+</head>
+<body>
+
+<h1>HOTP Sample Test Page in Javascript</h1>
+
+<script>
+
+//document.write(hotp("505FAB31EDDE28AAC73F3531771758A2C5CF9730","4008","hex40"));
+//document.write(" ");
+//document.write(hotp("505FAB31EDDE28AAC73F3531771758A2C5CF9730","4008","dec6"));
+
+document.write("test vector from RFC 4226 for token key : 0x3132333435363738393031323334353637383930<br/>");
+for (var i=0; i<10; i++) {
+        document.write("count: "+i); 
+        document.write(" hex40 (used in ootp): ");
+        document.write(hotp("3132333435363738393031323334353637383930",i,"hex40"));
+        document.write(" HOTP value: ");
+        document.write(hotp("3132333435363738393031323334353637383930",i,"dec6"));
+        document.write("<br />");
+}
+</script>
+<br />
+<br />
+<a href="http://www.gitorious.org/hotp-js">demo of hotp-js - source code available at http://www.gitorious.org/hotp-js</a>
+
+</body>
+</html>
--- a/hotp/hotp.js
+++ b/hotp/hotp.js
@ -0,0 +1,101 @@
+/*
+  A simple Javascript HOTP implementation (HMAC-Based One-Time Password Algorithm) as described in RFC 4226. 
+ 
+  The library is relying on crypto-js (http://code.google.com/p/crypto-js/) for the javascript HMAC-SHA1 implementation. 
+ 
+  The library can be used to create software token (don't forget to protect the key of the token...).
+ 
+  If you want to use the library, you'll need to load the crypto-js (sha1 and hmac) and  hotp.js.
+
+  Calling the library is easy, you just have to set the hex key of the token, the counter plus the output format.
+
+     otp = hotp("3132333435363738393031323334353637383930","4","dec6");
+
+  Current output formats are : hex40 (format used by ootp, a free software library) and dec6 (the 6 decimal digit as described in the RFC 4226).
+
+  A demo page with the test vector of the RFC 4226 : http://www.foo.be/hotp/example.html*
+
+  http://www.gitorious.org/hotp-js/
+  
+  Copyright (C) 2009 Alexandre Dulaunoy
+
+  This program is free software: you can redistribute it and/or modify
+  it under the terms of the GNU Affero General Public License as
+  published by the Free Software Foundation, either version 3 of the
+  License, or (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU Affero General Public License for more details.
+
+  You should have received a copy of the GNU Affero General Public License
+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+
+function hotp(key, counter, format) {
+
+    function hotp_hexkeytobytestream(s) {
+        // s is the key to be converted in bytes
+        var b = new Array();
+        var last = s.length;
+        for (var i = 0; i < last; i = i + 2) {
+            var x = s[i] + s[i + 1];
+            x.toUpperCase();
+            x = "0x" + x;
+            x = parseInt(x);
+            b[i] = String.fromCharCode(x);
+        }
+        var ret = new String();
+        ret = b.join('');
+        return ret;
+
+    }
+    function hotp_movingfactortohex(count) {
+        // count is the moving factor in OTP to be converted in bytes
+        v = decimaltohex(count, 16);
+        var decb = new Array();
+        lhex = Crypto.util.hexToBytes(v);
+        for (var i = 0; i < lhex.length; i++) {
+            decb[i] = String.fromCharCode(lhex[i]);
+        }
+        var retval = new String();
+        retval = decb.join('');
+        return retval;
+    }
+
+    function decimaltohex(d, padding) {
+        // d is the decimal value
+        // padding is the padding to apply (O pad)
+        var hex = Number(d).toString(16);
+        padding = typeof(padding) === "undefined" || padding === null ? padding = 2 : padding;
+        while (hex.length < padding) {
+            hex = "0" + hex;
+        }
+        return hex;
+    }
+
+    function truncatedvalue(h, p) {
+        // h is the hash value
+        // p is precision
+        offset = h[19] & 0xf;
+        v = (h[offset] & 0x7f) << 24 | (h[offset + 1] & 0xff) << 16 | (h[offset + 2] & 0xff) << 8 | (h[offset + 3] & 0xff);
+        v = "" + v;
+        v = v.substr(v.length - p, p);
+        return v;
+    }
+
+    var hmacBytes = Crypto.HMAC(Crypto.SHA1, Crypto.charenc.Binary.stringToBytes((hotp_movingfactortohex(counter))), Crypto.charenc.Binary.stringToBytes(hotp_hexkeytobytestream(key)));
+
+    if (format == "hex40") {
+        return hmacBytes.substring(0, 10);
+    } else if (format == "dec6") {
+        return truncatedvalue(Crypto.util.hexToBytes(hmacBytes), 6);
+    }
+    else {
+        return "unknown format";
+    }
+
+}