- 一、项目背景:
- 二、代码原理:
- 三、使用说明(重要):
- 四、源代码:
客户需求:使用Java作为后台,编写一个Java网页系统,其中包含登录功能,涉及到用户身份验证的功能,都要做成双因子验证(密码、手机令牌、用户生物特征任选两个作为身份验证),所以要作一个手机令牌,本次使用谷歌Google authenticator作为手机令牌,以下为粘贴即用的代码。
二、代码原理:1.客户端每30秒使用密钥,如:5GWF6POOIZNLFD6M 和时间戳通过一种算法生成一个6位数字的一次性密码
2.用户登陆时输入一次性密码,如:544506。
3.服务器端使用保存在数据库中的密钥和时间戳通过同一种『算法』生成一个6位数字的一次性密码。控制变量法,如果算法相同、密钥相同,又是同一个时间(时间戳相同),那么客户端和服务器计算出的一次性密码是一样的。服务器验证时如果一样,就登录成功了。
需要引用commons-codec-1.9.jar包,
先调用这个生成一个16位密钥,如:5GWF6POOIZNLFD6M
,然后存数据库里,下次用户验证再用这个密钥解码:
String my = GoogleAuthenticator.genSecret(此处填写用户手机号);
然后让用户下载Google authenticator手机APP,以这个密钥注册Google authenticator
用户登录时,输入手机上的六位密钥,后台调用方法进行转码校验:
Boolean isTrue = GoogleAuthenticator.authcode("544506", "5GWF6POOIZNLFD6M ");
判断isTrue是否正确即可。
四、源代码:package com.oumasoft.art.manage.client.business; import org.apache.commons.codec.binary.base32; import org.apache.commons.codec.binary.base64; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; public class GoogleAuthenticator { public static void main(String args[]){ //测试用例 //生成一次密钥即可 //String my = GoogleAuthenticator.genSecret("此处填写用户手机号"); //System.out.println("秘钥:"+my); //校验 Boolean isTrue = GoogleAuthenticator.authcode("544506", "56H6T2CON3EV52AS"); System.out.println(isTrue); } // taken from Google pam docs - we probably don't need to mess with these public static final int SECRET_SIZE = 10; public static final String SEED = "g8GjEvTbW5oVSV7avLBdwIHqGlUYNzKFI7izOF8GwLDVKs2m0QN7vxRs2im5MDaNCWGmcD2rvcZx"; public static final String RANDOM_NUMBER_ALGORITHM = "SHA1PRNG"; // default 3 - max 17 (from google docs)最多可偏移的时间 int window_size = 3; public void setWindowSize(int s) { if (s >= 1 && s <= 17){ window_size = s; } } public static Boolean authcode(String codes, String savedSecret) { // enter the code shown on device. Edit this and run it fast before the // code expires! long code = Long.parseLong(codes); long t = System.currentTimeMillis(); GoogleAuthenticator ga = new GoogleAuthenticator(); // should give 5 * 30 seconds of grace... ga.setWindowSize(15);//不用怀疑是不是16,这里就是15 boolean r = ga.check_code(savedSecret, code, t); return r; } public static String genSecret(String user) { String secret = GoogleAuthenticator.generateSecretKey(); GoogleAuthenticator.getQRBarcodeURL(user, "testhost", secret); return secret; } public static String generateSecretKey() { SecureRandom sr = null; try { sr = SecureRandom.getInstance(RANDOM_NUMBER_ALGORITHM); sr.setSeed(base64.decodebase64(SEED)); byte[] buffer = sr.generateSeed(SECRET_SIZE); base32 codec = new base32(); byte[] bEncodedKey = codec.encode(buffer); String encodedKey = new String(bEncodedKey); return encodedKey; } catch (NoSuchAlgorithmException e) { // should never occur... configuration error } return null; } public static String getQRBarcodeURL(String user, String host, String secret) { String format = "https://www.google.com/chart?chs=200x200&chld=M%%7C0&cht=qr&chl=otpauth://totp/%s@%s%%3Fsecret%%3D%s"; return String.format(format, user, host, secret); } public boolean check_code(String secret, long code, long timeMsec) { base32 codec = new base32(); byte[] decodedKey = codec.decode(secret); // convert unix msec time into a 30 second "window" // this is per the TOTP spec (see the RFC for details) long t = (timeMsec / 1000L) / 30L; // Window is used to check codes generated in the near past. // You can use this value to tune how far you're willing to go. for (int i = -window_size; i <= window_size; ++i) { long hash; try { hash = verify_code(decodedKey, t + i); } catch (Exception e) { // Yes, this is bad form - but // the exceptions thrown would be rare and a static configuration problem //e.printStackTrace(); throw new RuntimeException(e.getMessage()); //return false; } if (hash == code) { return true; } } // The validation code is invalid. return false; } private static int verify_code(byte[] key, long t) throws NoSuchAlgorithmException, InvalidKeyException { byte[] data = new byte[8]; long value = t; for (int i = 8; i-- > 0; value >>>= 8) { data[i] = (byte) value; } SecretKeySpec signKey = new SecretKeySpec(key, "HmacSHA1"); Mac mac = Mac.getInstance("HmacSHA1"); mac.init(signKey); byte[] hash = mac.doFinal(data); int offset = hash[20 - 1] & 0xF; // We're using a long because Java hasn't got unsigned int. long truncatedHash = 0; for (int i = 0; i < 4; ++i) { truncatedHash <<= 8; // We are dealing with signed bytes: // we just keep the first byte. truncatedHash |= (hash[offset + i] & 0xFF); } truncatedHash &= 0x7FFFFFFF; truncatedHash %= 1000000; return (int) truncatedHash; } }
欢迎分享,转载请注明来源:内存溢出
评论列表(0条)