author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-06-03 16:41:58 -0500 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-06-03 16:41:58 -0500 |
commit | d3532d4dc0f7a09efbf98890eba07a45e500f66a (patch) | |
tree | f4d817cd3a8261f168b5bbe93d28b21a9af6cad8 /src | |
parent | 4d025ab7b4596a2dc12abe96f092ef5b772361da (diff) | |
parent | 840a99b253e11554c166ccd7de22b553db627ee3 (diff) | |
Merge pull request #1990 from tonyseek/key-uri
Add "get_provisioning_uri" utility for HOTP/TOTP.
Diffstat (limited to 'src')
-rw-r--r-- | src/cryptography/hazmat/primitives/twofactor/hotp.py | 6 | ||||
-rw-r--r-- | src/cryptography/hazmat/primitives/twofactor/totp.py | 6 | ||||
-rw-r--r-- | src/cryptography/hazmat/primitives/twofactor/utils.py | 30 |
3 files changed, 42 insertions, 0 deletions
diff --git a/src/cryptography/hazmat/primitives/twofactor/hotp.py b/src/cryptography/hazmat/primitives/twofactor/hotp.py
index ba228b40..8c0cec14 100644
--- a/src/cryptography/hazmat/primitives/twofactor/hotp.py
+++ b/src/cryptography/hazmat/primitives/twofactor/hotp.py
@@ -15,6 +15,7 @@ from cryptography.hazmat.backends.interfaces import HMACBackend
 from cryptography.hazmat.primitives import constant_time, hmac
 from cryptography.hazmat.primitives.hashes import SHA1, SHA256, SHA512
 from cryptography.hazmat.primitives.twofactor import InvalidToken
+from cryptography.hazmat.primitives.twofactor.utils import _generate_uri
 class HOTP(object):
@@ -59,3 +60,8 @@ class HOTP(object):
 offset = six.indexbytes(hmac_value, len(hmac_value) - 1) & 0b1111
 p = hmac_value[offset:offset + 4]
 return struct.unpack(">I", p)[0] & 0x7fffffff
+
+ def get_provisioning_uri(self, account_name, counter, issuer):
+ return _generate_uri(self, 'hotp', account_name, issuer, [
+ ('counter', int(counter)),
+ ])
diff --git a/src/cryptography/hazmat/primitives/twofactor/totp.py b/src/cryptography/hazmat/primitives/twofactor/totp.py
index 03df9292..98493b6d 100644
--- a/src/cryptography/hazmat/primitives/twofactor/totp.py
+++ b/src/cryptography/hazmat/primitives/twofactor/totp.py
@@ -11,6 +11,7 @@ from cryptography.hazmat.backends.interfaces import HMACBackend
 from cryptography.hazmat.primitives import constant_time
 from cryptography.hazmat.primitives.twofactor import InvalidToken
 from cryptography.hazmat.primitives.twofactor.hotp import HOTP
+from cryptography.hazmat.primitives.twofactor.utils import _generate_uri
 class TOTP(object):
@@ -31,3 +32,8 @@ class TOTP(object):
 def verify(self, totp, time):
 if not constant_time.bytes_eq(self.generate(time), totp):
 raise InvalidToken("Supplied TOTP value does not match.")
+
+ def get_provisioning_uri(self, account_name, issuer):
+ return _generate_uri(self._hotp, 'totp', account_name, issuer, [
+ ('period', int(self._time_step)),
+ ])
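Review bot: `get_provisioning_uri` is added to `HOTP` without a docstring (and again to `TOTP` in totp.py), so nothing tells the caller that the returned string carries the shared secret: `_generate_uri` in utils.py puts `base64.b32encode(hotp._key)` into the `secret` parameter. I would add a docstring along the lines of `"""Return an otpauth:// URI for this key. The URI contains the base32-encoded secret and must be handled like the key itself."""`, and note there that `issuer` may be `None`. `issuer` is a required positional argument here even though `_generate_uri` accepts `None`; it is worth confirming whether a default of `None` was intended. The `HOTP` class body starts outside this hunk.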
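Review bot: `int(self._time_step)` in `TOTP.get_provisioning_uri` truncates silently, so if a non-integral time step can reach the constructor (not visible in this hunk), the `period` advertised in the URI would differ from the step the server uses and the provisioned device's codes would presumably fail to verify. A comment such as `# period must equal the step used by generate(); int() truncates a fractional time_step` would make the assumption explicit, or the method could reject a value where `int(self._time_step) != self._time_step`. The `TOTP` class body starts outside this hunk.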
diff --git a/src/cryptography/hazmat/primitives/twofactor/utils.py b/src/cryptography/hazmat/primitives/twofactor/utils.py
new file mode 100644
index 00000000..91d2e148
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/twofactor/utils.py
@@ -0,0 +1,30 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import base64
+
+from six.moves.urllib.parse import quote, urlencode
+
+
+def _generate_uri(hotp, type_name, account_name, issuer, extra_parameters):
+ parameters = [
+ ('digits', hotp._length),
+ ('secret', base64.b32encode(hotp._key)),
+ ('algorithm', hotp._algorithm.name.upper()),
+ ]
+
+ if issuer is not None:
+ parameters.append(('issuer', issuer))
+
+ parameters.extend(extra_parameters)
+
+ uriparts = {
+ 'type': type_name,
+ 'label': ('%s:%s' % (quote(issuer), quote(account_name)) if issuer
+ else quote(account_name)),
+ 'parameters': urlencode(parameters),
+ }
+ return 'otpauth://{type}/{label}?{parameters}'.format(**uriparts) |
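Review bot: `quote()` leaves `/` unescaped by default, so on the `'label'` line of `_generate_uri` an issuer or account name containing a slash changes the path of the resulting `otpauth://` URI; both calls should pass `safe=''`, i.e. `quote(issuer, safe='')` and `quote(account_name, safe='')`. The same expression tests `if issuer` while the parameter list above it tests `issuer is not None`, so an empty-string issuer is emitted as `issuer=` but left out of the label; using `is not None` in both places keeps the two in step. The function also has no docstring: it should say that the returned URI embeds the base32-encoded shared secret taken from `hotp._key`, so callers treat the string as key material when logging or storing it.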