Fixes for proper HOTP handling

README.md

@@ -13,6 +13,8 @@ ed evitare di installare un'altra app inutile nel telefono.
 
 Oltre che per la 2FA relativa allo SPID, l'estrazione del seed TOTP funziona anche per la 2FA relativa alla firma digitale remota di Aruba.
 
+Permette anche l'estrazione del seed HOTP pre la 2FA relativa all'accesso ad Aruba Cloud.
+
 >**NOTA BENE** Alcune app non supportano l'algoritmo `HMAC-SHA256` per il TOTP.
 >- Google Authenticator supporta solamente codici a 6 cifre (inoltre su android non supporta l'algorimo specificato, mentre su apple si)
 >- Authy non supporta l'algoritmo, ma non fornisce alcun avvertimento a riguardo. Leggendo il qr non darà errore, ma fornirà codici sbagliati.

scripts/genqr.py

@@ -2,7 +2,7 @@
 import os
 import qrcode
 
-def generate_and_print(seed=None, otp_type='TOTP', digits=8, period=60, counter=0):
+def generate_and_print(seed=None, otp_type='TOTP', digits=8, period=60, counter=0, algo='SHA256'):
 	if seed is None:
 		try:
 			with open(os.path.join(os.sys.path[0], 'seed.json'), 'r') as f:
@@ -12,16 +12,30 @@ def generate_and_print(seed=None, otp_type='TOTP', digits=8, period=60, counter=
 
 	period = int(period/1000)
 
-	uri = 'otpauth://%(type)s/%(issuer)s:%(user)s?secret=%(secret)s&issuer=%(issuer)s&algorithm=%(algo)s&digits=%(digits)d&period=%(period)d' % {
-		'type': otp_type.lower(),
-		'issuer': 'Aruba',
-		'user': 'userID',
-		'secret': seed,
-		'algo': 'SHA256',
-		'digits': digits,
-		'period': period,
-		'counter': counter
-	}
+	uri = ''
+
+	if (otp_type == 'TOTP'):
+		uri = 'otpauth://%(type)s/%(issuer)s:%(user)s?secret=%(secret)s&issuer=%(issuer)s&algorithm=%(algo)s&digits=%(digits)d&period=%(period)d' % {
+			'type': otp_type.lower(),
+			'issuer': 'Aruba',
+			'user': 'userID',
+			'secret': seed,
+			'algo': algo,
+			'digits': digits,
+			'period': period
+		}
+	elif (otp_type == 'HOTP'):
+		uri = 'otpauth://%(type)s/%(issuer)s:%(user)s?secret=%(secret)s&issuer=%(issuer)s&algorithm=%(algo)s&digits=%(digits)d&counter=%(counter)d' % {
+			'type': otp_type.lower(),
+			'issuer': 'Aruba',
+			'user': 'userID',
+			'secret': seed,
+			'algo': algo,
+			'digits': digits,
+			'counter': counter
+		}
+	else:
+		raise Exception('Unknown tokentype: "{}"'.format(otp_type))
 
 	print('In case the qr code won\'t show up, use a qr generator to convert this uri:')
 	print(uri)

scripts/main.py

@@ -19,14 +19,14 @@ def filter_activation_code(value):
 	return value
 
 def extract(activation_code, only_output, show_qr):
-	seed, otp_type, digits, period, counter = extractor.request_otp(activation_code)
+	seed, otp_type, digits, period, counter, algo = extractor.request_otp(activation_code)
 	print('Your seed is: {}'.format(seed))
 
 	if not only_output:
-		extractor.write_seed_file(seed, otp_type, digits, period, counter)
+		extractor.write_seed_file(seed, otp_type, digits, period, counter, algo)
 
 	if show_qr:
-		genqr.generate_and_print(seed, otp_type, digits, period, counter)
+		genqr.generate_and_print(seed, otp_type, digits, period, counter, algo)
 
 def generate(seed, digits, interval, time):
 	code = otputil.generate_totp(seed, digits, interval, time)

scripts/request.py

@@ -32,7 +32,8 @@ def request_otp(activation_code):
 	otp_type = resp1['tokentype']
 	digits = resp1['digit']
 	period = resp1['stepsize']
-	counter = CBCUtil.decrypt(encryption_key, resp1['counter'])
+	counter = int(CBCUtil.decrypt(encryption_key, resp1['counter']))
+	algo = ''
 
 	# validate seed
 	payload = {
@@ -43,10 +44,13 @@ def request_otp(activation_code):
 		'otp2': ''
 	}
 	if (otp_type == 'TOTP'):
+		algo = 'SHA256'
 		payload['otp1'] = pyotp.TOTP(seed_b32, digits=digits, digest=hashlib.sha256, interval=period/1000).now()
 	elif (otp_type == 'HOTP'):
-		payload['otp1'] = pyotp.HOTP(seed_b32, counter)
-		payload['otp2'] = pyotp.HOTP(seed_b32, counter + 1)
+		algo = 'SHA1'
+		payload['otp1'] = pyotp.HOTP(seed_b32, digits=digits, digest=hashlib.sha1, initial_count=counter).at(0)
+		payload['otp2'] = pyotp.HOTP(seed_b32, digits=digits, digest=hashlib.sha1, initial_count=counter).at(1)
+		counter = counter + 2
 	else:
 		raise Exception('Unknown tokentype: "{}"'.format(otp_type))
 	req2 = requests.post('https://mobile.strongauth.it/MobileLicenceServer/webresources/MobileLicenceService/SeedValidate', json=payload, headers=req_headers)
@@ -55,9 +59,9 @@ def request_otp(activation_code):
 	if (resp2['returncode'] != '0000'):
 		raise Exception('Error occured in seed validation: [{}] {}'.format(resp2['returncode'], resp2['description']))
 
-	return [seed_b32, otp_type, digits, period, counter]
+	return [seed_b32, otp_type, digits, period, counter, algo]
 
-def write_seed_file(seed, otp_type, digits, period, counter):
+def write_seed_file(seed, otp_type, digits, period, counter, algo):
 	with open(os.path.join(os.sys.path[0], 'seed.json'), 'w') as text_file:
-		text_file.write(json.dumps([seed, otp_type, digits, period, counter]))
+		text_file.write(json.dumps([seed, otp_type, digits, period, counter, algo]))