Aditional support to store otp secrets as Base32.

[rhyamada]

Propose

I think with small fix various issues and discussions can be solved.

Motivation

There are various tries to import OTP from legacy system and then will fail because current implementation of HmacOTP function, as get a secret as String and invoke getBytes() on them. Then non-printable chars are returned as byte '?'/63.

keycloak/server-spi/src/main/java/org/keycloak/models/utils/HmacOTP.java

Line 115 in 3862f82

byte[] k = key.getBytes();

Some cases

• We have one customer with 15k OTP with non-printable secrets
• HFI7QHU7S5BO3ZZ3DOIPTUS4 from OTP base32 decode improvements #9434
• BHPPUOGKBU7O3OJHEPCJIWTX from Importing users and totp credentials? #15334
• CDLYAYRJ73ORTU4PUWWATWSYQCP4H2QL from Non ASCII characters in TOTP secret not supported in 2FA configurations #11561
• Possible problem at Which format google authenticator secret is stored in credential table? #11163

The people envolved in theses cases have experience to develop SPI/RealmsResources or insert data directly on database, but was effortless because this (issue)[#motivation].

Implementation

The fix is implemeted at this line, with a check for "{B32}" prefix, triggering Base32.decode

-        byte[] k = key.getBytes();
+        byte[] k = key.startsWith("{B32}") ? Base32.decode(key.substring(5)) : key.getBytes(); // if key has {B32} prefix is Base32 encoded

Some tests

Some tests are:

Using own test base at

keycloak/server-spi-private/src/test/java/org/keycloak/models/HmacTest.java

Line 34 in d800947

String secret = "JNSVMMTEKZCUGSKJIVGHMNSQOZBDA5JT";

using same Secret and test values

    @Test
    public void testHmacBase32() {
        HmacOTP hmacOTP = new HmacOTP(6, HmacOTP.HMAC_SHA1, 10);
        String decoded = "{B32}JNSVMMTEKZCUGSKJIVGHMNSQOZBDA5JT";
        System.out.println(hmacOTP.generateHOTP(decoded, 0));
        System.out.println(hmacOTP.validateHOTP("550233", decoded, 0));
        Assert.assertEquals(1, hmacOTP.validateHOTP("550233", decoded, 0));
    }

Using a non-printable secret Base32.decode("CDLYAYRJ73ORTU4PUWWATWSYQCP4H2QL") from #11561

    @Test
    public void testHmacBase32Binary() {
        // Secret from https://github.com/keycloak/keycloak/issues/11561
        // Codes values validated aganist https://totp.app/
        HmacOTP hmacOTP = new HmacOTP(6, HmacOTP.HMAC_SHA1, 30);
        String decoded = "{B32}CDLYAYRJ73ORTU4PUWWATWSYQCP4H2QL";
        String counter = "000000000359675C";
        Assert.assertEquals("754397", hmacOTP.generateOTP(decoded, counter, 6, HmacOTP.HMAC_SHA1));
        String counter2 = "0000000003596781";
        Assert.assertEquals("386679", hmacOTP.generateOTP(decoded, counter2, 6, HmacOTP.HMAC_SHA1));
    }

Values of code was generated from above B32 at https://totp.app/ on counters from last week..

PR

I already sent PR. as #20755

[rhyamada]

Previus PR #20755 have a flaky test not related to this change.
I'm preparing another PR from a separate branch.

[rhyamada]

Checklist for PR

Discussion

Started discussion as #20781

Issue

#9434
#11561

One feature/change per PR

Exactly one

One commit per PR

WIP

Commit

`git commit -m "OTP support for binary secrets encoded in Base32" -m "Closes #11561" -m "Closes https://github.com/keycloak/keycloak/issues/9434"``

WIP

No changes to code not directly related to your PR

I think so, there one line of change.

Includes functional/integration test

Has a functional test

Includes documentation

WIP

Passing all test

Running tests local
Have been passed with:

Test rewritten

mvn -f testsuite/integration-arquillian/pom.xml clean install -Dtest=HmacTest

Test not rewritten but could be affected

mvn -f testsuite/integration-arquillian/pom.xml clean install -Dtest=LoginTotpTest

Current PR

#20795

Previous PR with a test flanky

#20755