hotp_via_ndef

OTP is not generated, counter is always returned

Open gregorjohannson opened this issue 5 years ago • 3 comments

Installation of the applet is successfully done on a JC 3.0.4 card from Idemia (Oberthur), following GP spec 2.2.1.

Any plaintext or URL is saved successfully as the payload and returned to a phone on request.

However, regardless of setting a valid otpauth URL from the Wiki example (otpauth://hotp/[email protected]?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) the code is not being generated, and only the plain incremented counter is returned every time.

Any ideas would be helpful that could lead me to why codes are not being generated on my card.

gregorjohannson Apr 16 '19 20:04

Right now I was playing around with it: I was getting the same error when

  • you use the referenced NFC writer app, and write first the payload
  • then you check if the demo counter works
  • then you use the same session of NFC writer to write secret (another URL)

HOTP does not work, only the counter. But if you enter both secret and payload simultaneously and write it just once, it works. IMHO, the writer app writes the payload twice since if you perform the last step with the same session, both tags are on the display, overwriting the HMAC generator instance.

Without much knowledge or insight into the code I think that the last step creates the HMAC generator and when the payload is written again (since the writer keeps it in the write menu as well), it replaces the HMAC generator again with the demo counter. I did not test it much because I don't have time now, will update if I find some more on it...

EDIT: it seems it works only if both tags are written simultaneously, the first record in order must be the secret, the second the payload...weird

Aiosa May 21 '21 17:05

Well, after some debugging, I found out that the applet works if you first upload the secret:

  • otpauth://hotp/?secret=[BASE32 SECRET HERE]=&digits=6

and then you upload the URL payload:

  • [YOUR URL HERE WITH PARAMS]&code=

Both tags must be uploaded separately (i.e. not simultaneously as possible with NFC Tools https://play.google.com/store/apps/details?id=com.wakdev.wdnfc&hl=cs&gl=US)

The initialization might be indeed painful if you do not follow this exact order. Otherwise, the applet is sweet.

Aiosa Jul 11 '21 13:07

@Aiosa thank you for debugging this and finding the working steps - would you be willing to add this info into readme.md? (just create PR)

petrs Jul 22 '21 06:07
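To tell from the host side whether a tag returns a real HOTP code or only the counter described in this issue, the value read back can be compared against RFC 4226 output for the configured secret. This is an added example, not code from the applet or its authors; it assumes the value is whatever follows `code=` in the URL read from the tag, and the `classify` helper, the `demo` label and the `example.com` URLs are constructed for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

def parse_otpauth(uri):
    """Return (secret_bytes, digits) from an otpauth://hotp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "hotp":
        raise ValueError("expected an otpauth://hotp/ URI")
    q = parse_qs(u.query)
    # Tolerate lower case and missing or extra '=' padding in the Base32 secret.
    b32 = q["secret"][0].rstrip("=").upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32), int(q.get("digits", ["6"])[0])

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def classify(read_url, otpauth_uri, last_counter=0, window=10):
    """Classify the code= value of a URL read from the tag (assumed format).

    Returns ("hotp", counter), ("bare-counter", n) or ("unknown", None).
    """
    query = parse_qs(urlparse(read_url).query, keep_blank_values=True)
    value = query.get("code", [""])[0]
    secret, digits = parse_otpauth(otpauth_uri)
    for c in range(last_counter, last_counter + window):
        if hmac.compare_digest(value.encode(), hotp(secret, c, digits).encode()):
            return ("hotp", c)
    # Symptom from this issue: the plain incremented counter comes back instead.
    if value.isdecimal() and last_counter <= int(value) < last_counter + window:
        return ("bare-counter", int(value))
    return ("unknown", None)

# Secret taken from the issue; label and read-back URLs are constructed samples.
URI = "otpauth://hotp/demo?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=6"

if __name__ == "__main__":
    for url in ("https://example.com/?id=1&code=287082",
                "https://example.com/?id=1&code=3"):
        print(url, "->", classify(url, URI))
```

The secret in the issue decodes to the RFC 4226 test key `12345678901234567890`, so a correctly initialized card should produce the RFC's published test values in counter order.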