From 549ee790d3e52bc62565ddf92e6a556e98b5195e Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Fri, 15 Jul 2022 00:53:48 +0530 Subject: all: re-do package structure yet again --- .../passwordstore/data/passfile/PasswordEntry.kt | 221 +++++++++++++++++++++ .../kotlin/app/passwordstore/data/passfile/Totp.kt | 8 + .../kotlin/app/passwordstore/util/time/Clocks.kt | 26 +++ .../main/kotlin/app/passwordstore/util/totp/Otp.kt | 78 ++++++++ .../app/passwordstore/util/totp/TotpFinder.kt | 29 +++ 5 files changed, 362 insertions(+) create mode 100644 format-common/src/main/kotlin/app/passwordstore/data/passfile/PasswordEntry.kt create mode 100644 format-common/src/main/kotlin/app/passwordstore/data/passfile/Totp.kt create mode 100644 format-common/src/main/kotlin/app/passwordstore/util/time/Clocks.kt create mode 100644 format-common/src/main/kotlin/app/passwordstore/util/totp/Otp.kt create mode 100644 format-common/src/main/kotlin/app/passwordstore/util/totp/TotpFinder.kt (limited to 'format-common/src/main/kotlin/app') diff --git a/format-common/src/main/kotlin/app/passwordstore/data/passfile/PasswordEntry.kt b/format-common/src/main/kotlin/app/passwordstore/data/passfile/PasswordEntry.kt new file mode 100644 index 00000000..9543eb8c --- /dev/null +++ b/format-common/src/main/kotlin/app/passwordstore/data/passfile/PasswordEntry.kt @@ -0,0 +1,221 @@ +/* + * Copyright © 2014-2021 The Android Password Store Authors. All Rights Reserved. + * SPDX-License-Identifier: GPL-3.0-only + */ + +package app.passwordstore.data.passfile + +import app.passwordstore.util.time.UserClock +import app.passwordstore.util.totp.Otp +import app.passwordstore.util.totp.TotpFinder +import com.github.michaelbull.result.mapBoth +import dagger.assisted.Assisted +import dagger.assisted.AssistedFactory +import dagger.assisted.AssistedInject +import kotlin.collections.set +import kotlin.coroutines.coroutineContext +import kotlin.time.Duration.Companion.seconds +import kotlin.time.ExperimentalTime +import kotlinx.coroutines.awaitCancellation +import kotlinx.coroutines.delay +import kotlinx.coroutines.flow.Flow +import kotlinx.coroutines.flow.flow +import kotlinx.coroutines.isActive + +/** Represents a single entry in the password store. */ +@OptIn(ExperimentalTime::class) +public class PasswordEntry +@AssistedInject +constructor( + /** A time source used to calculate the TOTP */ + private val clock: UserClock, + /** [TotpFinder] implementation to extract data from a TOTP URI */ + private val totpFinder: TotpFinder, + /** The content of this entry, as an array of bytes. */ + @Assisted bytes: ByteArray, +) { + + private val content = bytes.decodeToString() + + /** The password text for this entry. Can be null. */ + public val password: String? + + /** The username for this entry. Can be null. */ + public val username: String? + + /** A [String] to [String] [Map] of the extra content of this entry, in a key:value fashion. */ + public val extraContent: Map + + /** + * Direct [String] representation of the extra content of this entry, before any transforms are + * applied. Only use this when the extra content is required in a formatting-preserving manner. + */ + public val extraContentString: String + + /** + * A [Flow] providing the current TOTP. It will start emitting only when collected. If this entry + * does not have a TOTP secret, the flow will never emit. Users should call [hasTotp] before + * collection to check if it is valid to collect this [Flow]. + */ + public val totp: Flow = flow { + if (totpSecret != null) { + do { + val otp = calculateTotp() + emit(otp) + delay(1000L) + } while (coroutineContext.isActive) + } else { + awaitCancellation() + } + } + + /** + * String representation of [extraContent] but with authentication related data such as TOTP URIs + * and usernames stripped. + */ + public val extraContentWithoutAuthData: String + private val totpSecret: String? + + init { + val (foundPassword, passContent) = findAndStripPassword(content.split("\n".toRegex())) + password = foundPassword + extraContentString = passContent.joinToString("\n") + extraContentWithoutAuthData = generateExtraContentWithoutAuthData() + extraContent = generateExtraContentPairs() + username = findUsername() + totpSecret = totpFinder.findSecret(content) + } + + public fun hasTotp(): Boolean { + return totpSecret != null + } + + private fun findAndStripPassword(passContent: List): Pair> { + if (TotpFinder.TOTP_FIELDS.any { passContent[0].startsWith(it) }) return Pair(null, passContent) + for (line in passContent) { + for (prefix in PASSWORD_FIELDS) { + if (line.startsWith(prefix, ignoreCase = true)) { + return Pair(line.substring(prefix.length).trimStart(), passContent.minus(line)) + } + } + } + return Pair(passContent[0], passContent.minus(passContent[0])) + } + + private fun generateExtraContentWithoutAuthData(): String { + var foundUsername = false + return extraContentString + .lineSequence() + .filter { line -> + return@filter when { + USERNAME_FIELDS.any { prefix -> line.startsWith(prefix, ignoreCase = true) } && + !foundUsername -> { + foundUsername = true + false + } + TotpFinder.TOTP_FIELDS.any { prefix -> line.startsWith(prefix, ignoreCase = true) } -> { + false + } + else -> { + true + } + } + } + .joinToString(separator = "\n") + } + + private fun generateExtraContentPairs(): Map { + fun MutableMap.putOrAppend(key: String, value: String) { + if (value.isEmpty()) return + val existing = this[key] + this[key] = + if (existing == null) { + value + } else { + "$existing\n$value" + } + } + + val items = mutableMapOf() + extraContentWithoutAuthData.lines().forEach { line -> + // Split the line on ':' and save all the parts into an array + // "ABC : DEF:GHI" --> ["ABC", "DEF", "GHI"] + val splitArray = line.split(":") + // Take the first element of the array. This will be the key for the key-value pair. + // ["ABC ", " DEF", "GHI"] -> key = "ABC" + val key = splitArray.first().trimEnd() + // Remove the first element from the array and join the rest of the string again with + // ':' as separator. + // ["ABC ", " DEF", "GHI"] -> value = "DEF:GHI" + val value = splitArray.drop(1).joinToString(":").trimStart() + + if (key.isNotEmpty() && value.isNotEmpty()) { + // If both key and value are not empty, we can form a pair with this so add it to + // the map. + // key = "ABC", value = "DEF:GHI" + items[key] = value + } else { + // If either key or value is empty, we were not able to form proper key-value pair. + // So append the original line into an "EXTRA CONTENT" map entry + items.putOrAppend(EXTRA_CONTENT, line) + } + } + + return items + } + + private fun findUsername(): String? { + extraContentString.splitToSequence("\n").forEach { line -> + for (prefix in USERNAME_FIELDS) { + if (line.startsWith(prefix, ignoreCase = true)) + return line.substring(prefix.length).trimStart() + } + } + return null + } + + private fun calculateTotp(): Totp { + val digits = totpFinder.findDigits(content) + val totpPeriod = totpFinder.findPeriod(content) + val totpAlgorithm = totpFinder.findAlgorithm(content) + val issuer = totpFinder.findIssuer(content) + val millis = clock.millis() + val remainingTime = (totpPeriod - ((millis / 1000) % totpPeriod)).seconds + Otp.calculateCode(totpSecret!!, millis / (1000 * totpPeriod), totpAlgorithm, digits, issuer) + .mapBoth( + { code -> + return Totp(code, remainingTime) + }, + { throwable -> throw throwable } + ) + } + + @AssistedFactory + public interface Factory { + public fun create(bytes: ByteArray): PasswordEntry + } + + internal companion object { + + private const val EXTRA_CONTENT = "Extra Content" + internal val USERNAME_FIELDS = + arrayOf( + "login:", + "username:", + "user:", + "account:", + "email:", + "mail:", + "name:", + "handle:", + "id:", + "identity:", + ) + internal val PASSWORD_FIELDS = + arrayOf( + "password:", + "secret:", + "pass:", + ) + } +} diff --git a/format-common/src/main/kotlin/app/passwordstore/data/passfile/Totp.kt b/format-common/src/main/kotlin/app/passwordstore/data/passfile/Totp.kt new file mode 100644 index 00000000..2f42977b --- /dev/null +++ b/format-common/src/main/kotlin/app/passwordstore/data/passfile/Totp.kt @@ -0,0 +1,8 @@ +package app.passwordstore.data.passfile + +import kotlin.time.Duration +import kotlin.time.ExperimentalTime + +/** Holder for a TOTP secret and the duration for which it is valid. */ +@OptIn(ExperimentalTime::class) +public data class Totp(public val value: String, public val remainingTime: Duration) diff --git a/format-common/src/main/kotlin/app/passwordstore/util/time/Clocks.kt b/format-common/src/main/kotlin/app/passwordstore/util/time/Clocks.kt new file mode 100644 index 00000000..4ffeb6a6 --- /dev/null +++ b/format-common/src/main/kotlin/app/passwordstore/util/time/Clocks.kt @@ -0,0 +1,26 @@ +/* + * Copyright © 2014-2021 The Android Password Store Authors. All Rights Reserved. + * SPDX-License-Identifier: GPL-3.0-only + */ + +package app.passwordstore.util.time + +import java.time.Clock +import java.time.Instant +import java.time.ZoneId +import javax.inject.Inject + +/** + * A subclass of [Clock] that uses [Clock.systemDefaultZone] to get a clock that works for the + * user's current time zone. + */ +public open class UserClock @Inject constructor() : Clock() { + + private val clock = systemDefaultZone() + + override fun withZone(zone: ZoneId): Clock = clock.withZone(zone) + + override fun getZone(): ZoneId = clock.zone + + override fun instant(): Instant = clock.instant() +} diff --git a/format-common/src/main/kotlin/app/passwordstore/util/totp/Otp.kt b/format-common/src/main/kotlin/app/passwordstore/util/totp/Otp.kt new file mode 100644 index 00000000..72d5cffe --- /dev/null +++ b/format-common/src/main/kotlin/app/passwordstore/util/totp/Otp.kt @@ -0,0 +1,78 @@ +/* + * Copyright © 2014-2021 The Android Password Store Authors. All Rights Reserved. + * SPDX-License-Identifier: GPL-3.0-only + */ + +package app.passwordstore.util.totp + +import com.github.michaelbull.result.Err +import com.github.michaelbull.result.runCatching +import java.nio.ByteBuffer +import java.util.Locale +import javax.crypto.Mac +import javax.crypto.spec.SecretKeySpec +import kotlin.experimental.and +import org.apache.commons.codec.binary.Base32 + +internal object Otp { + + private val BASE_32 = Base32() + private val STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY".toCharArray() + + fun calculateCode( + secret: String, + counter: Long, + algorithm: String, + digits: String, + issuer: String?, + ) = runCatching { + val algo = "Hmac${algorithm.uppercase(Locale.ROOT)}" + val decodedSecret = BASE_32.decode(secret) + val secretKey = SecretKeySpec(decodedSecret, algo) + val digest = + Mac.getInstance(algo).run { + init(secretKey) + doFinal(ByteBuffer.allocate(8).putLong(counter).array()) + } + // Least significant 4 bits are used as an offset into the digest. + val offset = (digest.last() and 0xf).toInt() + // Extract 32 bits at the offset and clear the most significant bit. + val code = digest.copyOfRange(offset, offset + 4) + code[0] = (0x7f and code[0].toInt()).toByte() + val codeInt = ByteBuffer.wrap(code).int + check(codeInt > 0) + // SteamGuard is a horrible OTP implementation that generates non-standard 5 digit OTPs as + // well + // as uses a custom character set. + if (digits == "s" || issuer == "Steam") { + var remainingCodeInt = codeInt + buildString { + repeat(5) { + append(STEAM_ALPHABET[remainingCodeInt % STEAM_ALPHABET.size]) + remainingCodeInt /= 26 + } + } + } else { + // Base 10, 6 to 10 digits + val numDigits = digits.toIntOrNull() + when { + numDigits == null -> { + return Err(IllegalArgumentException("Digits specifier has to be either 's' or numeric")) + } + numDigits < 6 -> { + return Err(IllegalArgumentException("TOTP codes have to be at least 6 digits long")) + } + numDigits > 10 -> { + return Err(IllegalArgumentException("TOTP codes can be at most 10 digits long")) + } + else -> { + // 2^31 = 2_147_483_648, so we can extract at most 10 digits with the first one + // always being 0, 1, or 2. Pad with leading zeroes. + val codeStringBase10 = codeInt.toString(10).padStart(10, '0') + check(codeStringBase10.length == 10) + codeStringBase10.takeLast(numDigits) + } + } + } + } +} diff --git a/format-common/src/main/kotlin/app/passwordstore/util/totp/TotpFinder.kt b/format-common/src/main/kotlin/app/passwordstore/util/totp/TotpFinder.kt new file mode 100644 index 00000000..d53d76dc --- /dev/null +++ b/format-common/src/main/kotlin/app/passwordstore/util/totp/TotpFinder.kt @@ -0,0 +1,29 @@ +/* + * Copyright © 2014-2021 The Android Password Store Authors. All Rights Reserved. + * SPDX-License-Identifier: GPL-3.0-only + */ + +package app.passwordstore.util.totp + +/** Defines a class that can extract relevant parts of a TOTP URL for use by the app. */ +public interface TotpFinder { + + /** Get the TOTP secret from the given extra content. */ + public fun findSecret(content: String): String? + + /** Get the number of digits required in the final OTP. */ + public fun findDigits(content: String): String + + /** Get the TOTP timeout period. */ + public fun findPeriod(content: String): Long + + /** Get the algorithm for the TOTP secret. */ + public fun findAlgorithm(content: String): String + + /** Get the issuer for the TOTP secret, if any. */ + public fun findIssuer(content: String): String? + + public companion object { + public val TOTP_FIELDS: Array = arrayOf("otpauth://totp", "totp:") + } +} -- cgit v1.2.3