python POST request with TOTP for HMAC SHA512


I'm supposed to send data trough a POST with HMAC-SHA-512 with a TOTP password protection.
I can't get this to work and I don't understand why, I really need help with this.

The code :

import httplib2
import hmac
import hashlib
import time
import sys
import struct
import json

root = ""
content_type = "application/json"
userid = ""
secret_suffix = "SECRETSUFFIX"
shared_secret = userid+secret_suffix

timestep = 30
T0 = 0

def HOTP(K, C, digits=10):
    K is the shared key
    C is the counter value
    digits control the response length
    K_bytes = str.encode(K)
    C_bytes = struct.pack(">Q", C)
    hmac_sha512 = = K_bytes, msg=C_bytes, digestmod=hashlib.sha512).hexdigest()
    return Truncate(hmac_sha512)[-digits:]

def Truncate(hmac_sha512):
    """truncate sha512 value"""
    offset = int(hmac_sha512[-1], 16)
    binary = int(hmac_sha512[(offset *2):((offset*2)+8)], 16) & 0x7FFFFFFF
    return str(binary)

def TOTP(K, digits=10, timeref = 0, timestep = 30):
    """TOTP, time-based variant of HOTP
    digits control the response length
    the C in HOTP is replaced by ( (currentTime - timeref) / timestep )
    C = int ( time.time() - timeref ) // timestep
    return HOTP(K, C, digits = digits)

data = { "github_url": "", "contact_email": "" }

passwd = TOTP(shared_secret, 10, T0, timestep) 

h = httplib2.Http()
h.add_credentials( userid, passwd )
header = {"content-type": "application/json"}
resp, content = h.request(root, "POST", headers = header, body = json.dumps(data))

The instructions :


First, construct a JSON string like below:

{ "github_url": "", "contact_email": "EMAIL" }

Fill in your email address for EMAIL, and the path to your secret gist for YOUR_ACCOUNT/GIST_ID. Be sure you have double-checked your email address; we will contact you by email.

Then, make an HTTP POST request to the following URL with the JSON string as the body part.

Content type

The Content-Type: of the request must be application/json. Authorization

The URL is protected by HTTP Basic Authentication, which is explained on Chapter 2 of RFC2617, so you have to provide an Authorization: header field in your POST request

For the userid of HTTP Basic Authentication, use the same email address you put in the JSON string.
For the password, provide a 10-digit time-based one time password conforming to RFC6238 TOTP.

Authorization password

For generating the TOTP password, you will need to use the following setup:

You have to read RFC6238 (and the errata too!) and get a correct one time password by yourself.
TOTP's Time Step X is 30 seconds. T0 is 0.
Use HMAC-SHA-512 for the hash function, instead of the default HMAC-SHA-1.
Token shared secret is the userid followed by ASCII string value "SECRETSUFFIX" (not including double quotations).

I keep getting :

"message": "Access denied: Invalid token
asked on Stack Overflow Jun 8, 2020 by satbom

0 Answers

Nobody has answered this question yet.

User contributions licensed under CC BY-SA 3.0