HOTP Class
Properties Methods Events Config Settings Errors
The HOTP class allows creation of HMAC-Based One-Time passwords.
Syntax
ipworksauth.Hotp
Remarks
The HOTP class implements the HOTP algorithm defined in RFC 4226 (HMAC-Based One-Time Password). These types of passwords are commonly used as a second factor of authentication in multi-factor authentication scenarios.
To begin specify the shared secret in the Secret property.
Next, you may set Counter. If this property is not set, the class will use a default value.
To create the password call CreatePassword. The Password property will be populated with the new password.
To validate a password set the Password property and call ValidatePassword. The method will return True or False to indicate success or failure.
Property List
The following is the full list of the properties of the class with short descriptions. Click on the links for further details.
| Counter | The counter used for HMAC-Based One Time Password creation or validation. |
| Password | The HMAC-Based One Time Password. |
| Secret | The Base32 encoded shared secret used when creating and validating a password. |
Method List
The following is the full list of the methods of the class with short descriptions. Click on the links for further details.
| Config | Sets or retrieves a configuration setting. |
| CreatePassword | Creates a HMAC-Based One Time Password. |
| Reset | Reset the variables to default value. |
| ValidatePassword | Validates a HMAC-Based One Time Password. |
Event List
The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.
| Error | Information about errors during data delivery. |
Config Settings
The following is a list of config settings for the class with short descriptions. Click on the links for further details.
| HashAlgorithm | The hash algorithm used to sign the password. |
| PasswordLength | The length of the generated password. |
| QRCodeURI | Returns a URI suitable for encoding as a QR code. |
| SecretLength | The length of secret to generate. |
| BuildInfo | Information about the product's build. |
| GUIAvailable | Tells the class whether or not a message loop is available for processing events. |
| LicenseInfo | Information about the current license. |
| MaskSensitive | Whether sensitive data is masked in log messages. |
| UseDaemonThreads | Whether threads created by the class are daemon threads. |
| UseFIPSCompliantAPI | Tells the class whether or not to use FIPS certified APIs. |
| UseInternalSecurityAPI | Tells the class whether or not to use the system security libraries or an internal implementation. |
Counter Property (HOTP Class)
The counter used for HMAC-Based One Time Password creation or validation.
Syntax
public long getCounter(); public void setCounter(long counter);
Default Value
0
Remarks
This property holds the counter value used for HMAC-Based One Time Password creation or validation. This value must be specified before calling CreatePassword or ValidatePassword. The value should be incremented each time a password is created.
The default value is 0.
Password Property (HOTP Class)
The HMAC-Based One Time Password.
Syntax
public String getPassword(); public void setPassword(String password);
Default Value
""
Remarks
This property holds the HMAC-Based One Time Password. This property is populated after calling CreatePassword. This property must be set before calling ValidatePassword.
Secret Property (HOTP Class)
The Base32 encoded shared secret used when creating and validating a password.
Syntax
public String getSecret(); public void setSecret(String secret);
Default Value
""
Remarks
This property specifies the Base32 encoded shared secret used when creating and validating a password. This should be set before calling CreatePassword or ValidatePassword.
If this is not set before calling CreatePassword a random secret will be automatically generated. This functionality provides an easy way to create new secret values. The length of the secret is defined by SecretLength.
Config Method (Hotp Class)
Sets or retrieves a configuration setting.
Syntax
public String config(String configurationString);
Remarks
Config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.
These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.
To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).
To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.
CreatePassword Method (Hotp Class)
Creates a HMAC-Based One Time Password.
Syntax
public void createPassword();
Remarks
This method creates a HMAC-Based One Time Password.
The following properties are applicable when calling CreatePassword.
Calling CreatePassword populates the Password property with the created password.
If Secret is not specified before calling this method a random secret will be automatically generated.
Reset Method (Hotp Class)
Reset the variables to default value.
Syntax
public void reset();
Remarks
This method will reset the variables to default value.
ValidatePassword Method (Hotp Class)
Validates a HMAC-Based One Time Password.
Syntax
public boolean validatePassword();
Remarks
This method validates a HMAC-Based One Time Password.
The following properties are applicable when calling ValidatePassword.
The method will return True if the password is validated, False otherwise.
Error Event (Hotp Class)
Information about errors during data delivery.
Syntax
public class DefaultHotpEventListener implements HotpEventListener { ... public void error(HotpErrorEvent e) {} ... } public class HotpErrorEvent { public int errorCode; public String description; }
Remarks
The Error event is fired in case of exceptional conditions during message processing. Normally the class throws an exception.
ErrorCode contains an error code and Description contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Error Codes section.
Config Settings (Hotp Class)
The class accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.HOTP Config Settings
- SHA1 (default)
- SHA256
- SHA512
- 6 (default)
- 7
- 8
To use this setting first set Secret to a valid value, then execute code like:
string MyQRCodeURI = component.Config("QRCodeURI=MyServiceName:account@company.com");
In the above example the MyServiceName value is the issuer. This is typically used in authenticator applications to identify the service to which the account belongs. The account@company.com value is the account name and identifies the specific account with which the key is associated. The use of an issuer is not required but is recommended. An account name is required.
The return value from this operation is a URI in one of the following formats:
//TOTP otpauth://totp/MyServiceName:account@company.com?secret=JBSWY3DPEHPK3PXP&digits=6&period=30 //HOTP otpauth://hotp/MyServiceName:account@company.com?secret=JBSWY3DPEHPK3PXP&digits=6&counter=0
The following values are applicable when using this setting:
- Secret
- PasswordLength
- HashAlgorithm
- TimeStep (TOTP)
- Counter (HOTP)
Base Config Settings
In some non-GUI applications, an invalid message loop may be discovered that will result in errant behavior. In these cases, setting GUIAvailable to false will ensure that the class does not attempt to process external events.
- Product: The product the license is for.
- Product Key: The key the license was generated from.
- License Source: Where the license was found (e.g., RuntimeLicense, License File).
- License Type: The type of license installed (e.g., Royalty Free, Single Server).
- Last Valid Build: The last valid build number for which the license will work.
This setting only works on these classes: AS3Receiver, AS3Sender, Atom, Client(3DS), FTP, FTPServer, IMAP, OFTPClient, SSHClient, SCP, Server(3DS), Sexec, SFTP, SFTPServer, SSHServer, TCPClient, TCPServer.
The Java edition requires installation of the FIPS certified Bouncy Castle library regardless of the target operating system. This can be downloaded from https://www.bouncycastle.org/fips-java/. Only the "Provider" library is needed. The jar file should then be installed in a JRE search path.
In the application where the component will be used the following classes must be imported:
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
The Bouncy Castle provider must be added as a valid provider and must also be configured to operate in FIPS mode:
System.setProperty("org.bouncycastle.fips.approved_only","true");
Security.addProvider(new BouncyCastleFipsProvider());
When UseFIPSCompliantAPI is true, SSL enabled classes can optionally be configured to use the TLS Bouncy Castle library. When SSLProvider is set to sslpAutomatic (default) or sslpInternal an internal TLS implementation is used, but all cryptographic operations are offloaded to the BCFIPS provider in order to achieve FIPS compliant operation. If SSLProvider is set to sslpPlatform the Bouncy Castle JSSE will be used in place of the internal TLS implementation.
To enable the use of the Bouncy Castle JSSE take the following steps in addition to the steps above. Both the Bouncy Castle FIPS provider and the Bouncy Castle JSSE must be configured to use the Bouncy Castle TLS library in FIPS mode. Obtain the Bouncy Castle TLS library from https://www.bouncycastle.org/fips-java/. The jar file should then be installed in a JRE search path.
In the application where the component will be used the following classes must be imported:
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
//required to use BCJSSE when SSLProvider is set to sslpPlatform
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
The Bouncy Castle provider must be added as a valid provider and must also be configured to operate in FIPS mode:
System.setProperty("org.bouncycastle.fips.approved_only","true");
Security.addProvider(new BouncyCastleFipsProvider());
//required to use BCJSSE when SSLProvider is set to sslpPlatform
Security.addProvider(new BouncyCastleJsseProvider("fips:BCFIPS"));
//optional - configure logging level of BCJSSE
Logger.getLogger("org.bouncycastle.jsse").setLevel(java.util.logging.Level.OFF);
//configure the class to use BCJSSE
component.setSSLProvider(1); //platform
component.config("UseFIPSCompliantAPI=true");
Note: TLS 1.3 support requires the Bouncy Castle TLS library version 1.0.14 or later.
FIPS mode can be enabled by setting the UseFIPSCompliantAPI configuration setting to true. This is a static setting which applies to all instances of all classes of the toolkit within the process. It is recommended to enable or disable this setting once before the component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.
For more details please see the FIPS 140-2 Compliance article.
Note: Enabling FIPS-compliance requires a special license; please contact sales@nsoftware.com for details.
Setting this setting to true tells the class to use the internal implementation instead of using the system security libraries.
This setting is set to false by default on all platforms.
Trappable Errors (Hotp Class)
HOTP Errors
| 114 Can't create password. | |
| 115 Can't validate password. |