Using a key with TOTP
This page walks through creating a cryptographic key and attaching a Time-Based One-Time Password (TOTP) access control to it. It then shows how to sign a payload with that key by presenting a TOTP code, and how to recover the access control with a recovery code.
- Typescript
- Python
- Java
- PHP
- Golang
import {
AccessControl,
AccessControlTotp,
AuthenticityClient,
KeyClient,
KeyProtectionLevel,
KeyType,
Managed,
ManagedKeyParams,
RecordClient,
Signer,
} from '@bloock/sdk';
// Clients used in this sample: key management, signing and record building.
const keyClient = new KeyClient();
const authenticityClient = new AuthenticityClient();
const recordClient = new RecordClient();

// Create a software-protected RSA-2048 managed key.
const keyParams = new ManagedKeyParams(KeyProtectionLevel.SOFTWARE, KeyType.Rsa2048);
const managedKey = await keyClient.newManagedKey(keyParams);

// Attach a TOTP access control to the key; signing with the key below then
// has to present a current TOTP code.
const totpReceipt = await keyClient.setupTotpAccessControl(new Managed(managedKey));

// The QR code, the text secret and the recovery codes are all equivalent to the
// second factor itself: the console output below is for this demo only and should
// not end up in application logs. Store the recovery codes somewhere safe.
console.log(totpReceipt.secretQr); // base64url-encoded QR code; scan it with a TOTP app
console.log(totpReceipt.secret); // the same shared secret as text, for manual enrolment
console.log(totpReceipt.recoveryCodes); // one-time codes that restore access if the authenticator is lost

const record = await recordClient.fromString('Hello world').build();

// Sign with the key, presenting the current code from the TOTP app (e.g. 731 049).
// 'code digit' is a placeholder: read the real code at runtime rather than hardcoding it.
const totpCode = new AccessControlTotp('code digit');
const signer = new Signer(managedKey, undefined, new AccessControl(totpCode));
await authenticityClient.sign(record, signer);

// If the authenticator is lost, one of the saved recovery codes re-enrols the
// access control and returns a new receipt.
const _recoveredReceipt = await keyClient.recoverTotpAccessControl(
  new Managed(managedKey),
  totpReceipt.recoveryCodes[0]
);
from bloock.client.record import RecordClient
from bloock.client.key import KeyClient
from bloock.client.authenticity import AuthenticityClient
from bloock.entity.key.key_protection_level import KeyProtectionLevel
from bloock.entity.key.managed_key_params import ManagedKeyParams
from bloock.entity.key.key_type import KeyType
from bloock.entity.key.managed import Managed
from bloock.entity.key.access_control_totp import AccessControlTotp
from bloock.entity.authenticity.signer import Signer
# Clients used in this sample: key management, signing and record building.
key_client = KeyClient()
authenticity_client = AuthenticityClient()
record_client = RecordClient()

# Create a software-protected RSA-2048 managed key.
key_params = ManagedKeyParams(KeyProtectionLevel.SOFTWARE, KeyType.Rsa2048)
managed_key = key_client.new_managed_key(key_params)

# Attach a TOTP access control to the key; signing with the key below then
# has to present a current TOTP code.
totp_receipt = key_client.setup_totp_access_control(Managed(managed_key))

# The QR code, the text secret and the recovery codes are all equivalent to the
# second factor itself: printing them is for this demo only, keep them out of
# application logs and store the recovery codes somewhere safe.
print(totp_receipt.secret_qr)  # base64url-encoded QR code; scan it with a TOTP app
print(totp_receipt.secret)  # the same shared secret as text, for manual enrolment
print(totp_receipt.recovery_codes)  # one-time codes that restore access if the authenticator is lost

record = record_client.from_string("Hello world").build()

# Sign with the key, presenting the current code from the TOTP app (e.g. 731 049).
# "code digit" is a placeholder: read the real code at runtime rather than hardcoding it.
totp_code = AccessControlTotp("code digit")
authenticity_client.sign(record, Signer(managed_key, None, totp_code))

# If the authenticator is lost, one of the saved recovery codes re-enrols the
# access control.
totp_recovered = key_client.recover_totp_access_control(
    Managed(managed_key), totp_receipt.recovery_codes[0]
)
import com.bloock.sdk.client.AuthenticityClient;
import com.bloock.sdk.client.KeyClient;
import com.bloock.sdk.client.RecordClient;
import com.bloock.sdk.entity.authenticity.Signer;
import com.bloock.sdk.entity.key.AccessControl;
import com.bloock.sdk.entity.key.AccessControlTotp;
import com.bloock.sdk.entity.key.KeyProtectionLevel;
import com.bloock.sdk.entity.key.KeyType;
import com.bloock.sdk.entity.key.Managed;
import com.bloock.sdk.entity.key.ManagedKey;
import com.bloock.sdk.entity.key.ManagedKeyParams;
import com.bloock.sdk.entity.key.TotpAccessControlReceipt;
import com.bloock.sdk.entity.record.Record;
public class NewManagedKeyTotp {
  public static void main(String[] args) throws Exception {
    // Clients used in this sample: key management, signing and record building.
    KeyClient keyClient = new KeyClient();
    AuthenticityClient authenticityClient = new AuthenticityClient();
    RecordClient recordClient = new RecordClient();

    // Create a software-protected RSA-2048 managed key.
    ManagedKeyParams keyParams =
        new ManagedKeyParams(KeyProtectionLevel.SOFTWARE, KeyType.Rsa2048);
    ManagedKey managedKey = keyClient.newManagedKey(keyParams);

    // Attach a TOTP access control to the key; signing with the key below then
    // has to present a current TOTP code.
    TotpAccessControlReceipt totpReceipt =
        keyClient.setupTotpAccessControl(new Managed(managedKey));

    // The QR code, the text secret and the recovery codes are all equivalent to
    // the second factor itself: the output below is for this demo only and
    // should not be written to application logs. Store the recovery codes safely.
    System.out.println(totpReceipt.getSecretQr()); // base64url-encoded QR code; scan it with a TOTP app
    System.out.println(totpReceipt.getSecret()); // the same shared secret as text, for manual enrolment
    System.out.println(totpReceipt.getRecoveryCodes()); // one-time codes that restore access if the authenticator is lost

    Record record = recordClient.fromString("Hello world").build();

    // Sign with the key, presenting the current code from the TOTP app
    // (e.g. 731 049). "code digit" is a placeholder: read the real code at runtime.
    AccessControlTotp totpCode = new AccessControlTotp("code digit");
    Signer signer = new Signer(managedKey, null, new AccessControl(totpCode));
    authenticityClient.sign(record, signer);

    // If the authenticator is lost, one of the saved recovery codes re-enrols
    // the access control and returns a new receipt.
    TotpAccessControlReceipt recoveredReceipt =
        keyClient.recoverTotpAccessControl(
            new Managed(managedKey), totpReceipt.getRecoveryCodes().get(0));
  }
}
<?php
use Bloock\Client\AuthenticityClient;
use Bloock\Client\KeyClient;
use Bloock\Client\RecordClient;
use Bloock\Entity\Authenticity\Signer;
use Bloock\Entity\Key\AccessControl;
use Bloock\Entity\Key\AccessControlTotp;
use Bloock\Entity\Key\KeyProtectionLevel;
use Bloock\Entity\Key\KeyType;
use Bloock\Entity\Key\Managed;
use Bloock\Entity\Key\ManagedKeyParams;
require 'vendor/autoload.php';
// Clients used in this sample: key management, signing and record building.
$keyClient = new KeyClient();
$authenticityClient = new AuthenticityClient();
$recordClient = new RecordClient();

// Create a software-protected RSA-2048 managed key.
$keyParams = new ManagedKeyParams(KeyProtectionLevel::SOFTWARE, KeyType::Rsa2048);
$managedKey = $keyClient->newManagedKey($keyParams);

// Attach a TOTP access control to the key; signing with the key below then
// has to present a current TOTP code.
$totpReceipt = $keyClient->setupTotpAccessControl(new Managed($managedKey));

// The QR code, the text secret and the recovery codes are all equivalent to the
// second factor itself: keep them out of application logs and store the recovery
// codes somewhere safe.
$secretQr = $totpReceipt->getSecretQr(); // base64url-encoded QR code; scan it with a TOTP app
$secret = $totpReceipt->getSecret(); // the same shared secret as text, for manual enrolment
$recoveryCodes = $totpReceipt->getRecoveryCodes(); // one-time codes that restore access if the authenticator is lost

$record = $recordClient->fromString("Hello world")->build();

// Sign with the key, presenting the current code from the TOTP app (e.g. 731 049).
// "code digit" is a placeholder: read the real code at runtime rather than hardcoding it.
$totpCode = new AccessControlTotp("code digit");
$signer = new Signer($managedKey, null, new AccessControl($totpCode));
$authenticityClient->sign($record, $signer);

// If the authenticator is lost, one of the saved recovery codes re-enrols the
// access control. "recovery code" is a placeholder for one of the codes
// returned by getRecoveryCodes() above.
$recoveredReceipt = $keyClient->recoverTotpAccessControl(new Managed($managedKey), "recovery code");
package main
import (
"log"
"github.com/bloock/bloock-sdk-go/v2/client"
"github.com/bloock/bloock-sdk-go/v2/entity/authenticity"
"github.com/bloock/bloock-sdk-go/v2/entity/key"
)
func main() {
	// Every SDK call in this sample aborts the program on error, as the
	// original did with log.Fatalln.
	check := func(err error) {
		if err != nil {
			log.Fatalln(err)
		}
	}

	// Clients used in this sample: key management, signing and record building.
	keyClient := client.NewKeyClient()
	authenticityClient := client.NewAuthenticityClient()
	recordClient := client.NewRecordClient()

	// Create a software-protected RSA-2048 managed key.
	managedKey, err := keyClient.NewManagedKey(key.ManagedKeyParams{
		KeyType:    key.Rsa2048,
		Protection: key.KEY_PROTECTION_SOFTWARE,
	})
	check(err)

	// Attach a TOTP access control to the key; signing with the key below then
	// has to present a current TOTP code.
	totpReceipt, err := keyClient.SetupTotpAccessControl(key.Managed{ManagedKey: &managedKey})
	check(err)

	// The QR code, the text secret and the recovery codes are all equivalent to
	// the second factor itself: the log output below is for this demo only and
	// should not end up in application logs. Store the recovery codes safely.
	log.Println(totpReceipt.SecretQr)      // base64url-encoded QR code; scan it with a TOTP app
	log.Println(totpReceipt.Secret)        // the same shared secret as text, for manual enrolment
	log.Println(totpReceipt.RecoveryCodes) // one-time codes that restore access if the authenticator is lost

	record, err := recordClient.FromString("Hello world").Build()
	check(err)

	// Sign with the key, presenting the current code from the TOTP app
	// (e.g. 731 049). "code digit" is a placeholder: read the real code at runtime.
	totpCode := key.NewAccessControlTotp("code digit")
	signer := authenticity.NewSignerWithManagedKey(managedKey, nil, &key.AccessControl{AccessControlTotp: totpCode})
	_, err = authenticityClient.Sign(record, signer)
	check(err)

	// If the authenticator is lost, one of the saved recovery codes re-enrols
	// the access control.
	_, err = keyClient.RecoverTotpAccessControl(key.Managed{ManagedKey: &managedKey}, totpReceipt.RecoveryCodes[0])
	check(err)
}