hotp: Index | Files | Directories

package hotp

import ""

Package hotp implements the RFC 4226 OATH-HOTP algorithm; these passwords derived from the HMAC-SHA1 of an internal counter. They are presented as (typically) 6 or 8-digit numeric passphrases.

The package provides facilities for interacting with YubiKeys programmed in OATH-HOTP mode, as well as with the Google Authenticator application. The package also provides QR-code generation for new OTPs.


Package Files

doc.go hotp.go


var ErrInvalidHOTPURL = errors.New("hotp: invalid HOTP url")

ErrInvalidHOTPURL is returned via FromURL; it indicates a malformed HOTP otpauth URL.

var PRNG = rand.Reader

PRNG is the source of random data; this is used by GenerateHOTP and should be a cryptographically-secure PRNG.

func Marshal Uses

func Marshal(otp *HOTP) ([]byte, error)

Marshal serialises an HOTP key value as a DER-encoded byte slice.

type HOTP Uses

type HOTP struct {
    Key []byte

    Digits int
    // contains filtered or unexported fields

HOTP represents a new key value for generating one-time passwords; it contains the key used to construct one-time passwords and the counter state used in the OTP generation. Digits contains the number of digits that generated OTPs should output. Key is a cryptographic secret, and should be treated as such.

func FromURL Uses

func FromURL(urlString string) (*HOTP, string, error)

FromURL parses a new HOTP from a URL string. It returns the OTP, the label associated with the OTP, and any errors that occurred.

func GenerateHOTP Uses

func GenerateHOTP(digits int, randCounter bool) (*HOTP, error)

GenerateHOTP will generate a randomised HOTP source; if the randCounter parameter is true, the counter will be randomised.

func NewHOTP Uses

func NewHOTP(key []byte, counter uint64, digits int) *HOTP

NewHOTP intialises a new HOTP instance with the key and counter values. No check is done on the digits, but typical values are 6 and 8.

func Unmarshal Uses

func Unmarshal(in []byte) (otp *HOTP, err error)

Unmarshal parses a DER-encoded serialised HOTP key value.

func (*HOTP) Check Uses

func (otp *HOTP) Check(code string) bool

Check takes an input code and verifies it against the OTP. If successful, the counter is incremented.

func (HOTP) Counter Uses

func (otp HOTP) Counter() uint64

Counter returns the HOTP's 8-byte counter as an unsigned 64-bit integer.

func (HOTP) Increment Uses

func (otp HOTP) Increment()

Increment will increment an HOTP source's counter. This is useful for providers like the Google Authenticator app, which immediately increments the counter and uses the 0 counter value as an integrity check.

func (*HOTP) IntegrityCheck Uses

func (otp *HOTP) IntegrityCheck() (string, uint64)

IntegrityCheck returns two values, the base OTP and the current counter. This is used, for example, with the Google Authenticator app's "Check key value" function and can be used to verify that the application and the provider are in sync.

func (HOTP) OTP Uses

func (otp HOTP) OTP() string

OTP generates a new one-time password.

func (*HOTP) QR Uses

func (otp *HOTP) QR(label string) ([]byte, error)

QR generates a byte slice containing the a QR code encoded as a PNG with level Q error correction.

func (*HOTP) Scan Uses

func (otp *HOTP) Scan(code string, window int) bool

Scan takes a code input (i.e. from the user), and scans ahead within a certain window of counter values. This can be used in the case where the server's counter and the user's counter have fallen out of sync.

func (*HOTP) URL Uses

func (otp *HOTP) URL(label string) string

URL returns a suitable URL, such as for the Google Authenticator app. The label is used by these apps to identify the service to which this OTP belongs. The digits value is ignored by the Google authenticator app, and is therefore elided in the resulting URL.

func (*HOTP) YubiKey Uses

func (otp *HOTP) YubiKey(in string) (string, string, bool)

YubiKey reads an OATH-HOTP string as returned by a YubiKey, and returns three values. The first value contains the actual OTP, the second value contains the YubiKey's token identifier, and the final value indicates whether the input string was a valid YubiKey OTP. This does not check whether the code is correct or not, it only ensures that it is well-formed output from a token and splits the output into the code and the public identity.



Package hotp imports 15 packages (graph) and is imported by 13 packages. Updated 2016-07-29. Refresh now. Tools for package owners.