Fix secret not being case-insensitive

onetimepass/base32.py

@@ -0,0 +1,24 @@
+import base64
+import functools
+
+# > Optional casefold is a flag specifying whether a lowercase alphabet is
+# > acceptable as input. For security purposes, the default is False.
+# > —https://docs.python.org/3/library/base64.html#base64.b32decode
+#
+# We prefer to avoid using something that is disabled by default for security
+# purposes, but some services, unfortunately, provide the secret in lowercase
+# (e.g. Google!), so not doing that would make the application not working for
+# those.
+#
+# The reason that they provide the secret in lowercase may come from the
+# official spec being ambiguous:
+#
+# > The Base 32 encoding is designed to represent arbitrary sequences of octets
+# > in a form that needs to be **case insensitive**
+# > […]
+# > These characters […] are selected from US-ASCII digits and **uppercase letters**.
+# > —https://datatracker.ietf.org/doc/html/rfc3548#section-5
+#
+# It mentions using uppercase letters, but also the value being case-insensitive.
+# The reason is just a guess, though
+decode = functools.partial(base64.b32decode, casefold=True)

onetimepass/db/models.py

@@ -1,12 +1,12 @@
 from __future__ import annotations
 
-import base64
 import binascii
 import datetime
 import typing
 
 from pydantic import validator
 
+from onetimepass import base32
 from onetimepass import settings
 from onetimepass.base_model import BaseModel
 from onetimepass.db import exceptions
@@ -81,7 +81,7 @@ class AliasSchema(BaseModel):
     @validator("secret")
     def valid_base32_secret(cls, v):
         try:
-            base64.b32decode(v)
+            base32.decode(v)
         except binascii.Error as e:
             raise ValueError(f"invalid Base32 value; {e}")
         return v

onetimepass/otp.py

@@ -1,4 +1,3 @@
-import base64
 import binascii
 import datetime
 import functools
@@ -12,6 +11,7 @@
 import pydantic
 from rich.console import Console
 
+from onetimepass import base32
 from onetimepass import master_key
 from onetimepass import otp_algorithm
 from onetimepass import settings
@@ -158,7 +158,7 @@ def show(ctx: click.Context, alias: str, wait: int | None, minimum_verbose: bool
         if wait is not None:
             remaining_seconds = otp_algorithm.get_seconds_remaining(
                 otp_algorithm.TOTPParameters(
-                    secret=base64.b32decode(alias_data.secret),
+                    secret=base32.decode(alias_data.secret),
                     digits_count=alias_data.digits_count,
                     hash_algorithm=alias_data.hash_algorithm,
                     time_step_seconds=alias_data.params.time_step_seconds,
@@ -169,7 +169,7 @@ def show(ctx: click.Context, alias: str, wait: int | None, minimum_verbose: bool
                     time.sleep(remaining_seconds)
         # Reinitialize parameters to get valid result
         params = otp_algorithm.TOTPParameters(
-            secret=base64.b32decode(alias_data.secret),
+            secret=base32.decode(alias_data.secret),
             digits_count=alias_data.digits_count,
             hash_algorithm=alias_data.hash_algorithm,
             time_step_seconds=alias_data.params.time_step_seconds,
@@ -187,7 +187,7 @@ def show(ctx: click.Context, alias: str, wait: int | None, minimum_verbose: bool
     elif alias_data.otp_type == OTPType.HOTP:
         alias_data.params.counter += 1
         params = otp_algorithm.HOTPParameters(
-            secret=base64.b32decode(alias_data.secret),
+            secret=base32.decode(alias_data.secret),
             digits_count=alias_data.digits_count,
             hash_algorithm=alias_data.hash_algorithm,
             counter=alias_data.params.counter,