Google Authenticator is one of the oldest two-step verification apps on the market; by 2024 it has been around for more than 10 years. Over years of updates, Google has finally added export and Google-account sync to the app.
But Google Authenticator's export only works with Google Authenticator itself. If you are unlucky and the authenticator app you want to move to cannot import from Google Authenticator, the painful option of logging into every account that has two-step verification enabled and re-adding the authenticator seems to be one of only two solutions. The other is to pick a different authenticator.
Suppose the two-step verification app you are developing needs to accommodate users coming from Google Authenticator, or you simply need to migrate to a new authenticator: extracting the information from the QR code that Google Authenticator exports is the subject of this article.
Exploring the QR code
The following steps produce Google Authenticator's transfer QR code:
- Menu
- Transfer accounts
- Export accounts
- Select the accounts to export, then Next
Scanning the QR code and processing it yields something like the following:
otpauth-migration://offline?data=Ci8KCke7Wn1dzBf7B4QSG3RvdHBAYXV0aGVudGljYXRpb250ZXN0LmNvbSABKAEwAgoqChTjrWUfiCuBHIAj%2Br0YbS8oSrOLqBIMdGVzdC1hY2NvdW50IAEoATACEAEYASAAKNyAq4%2F4%2F%2F%2F%2F%2FwE%3D
This is a tidy URL scheme; you will quickly spot a parameter called data, and the string that follows it is the data we need to process next.
A piece of Base64
Ci8KCke7Wn1dzBf7B4QSG3RvdHBAYXV0aGVudGljYXRpb250ZXN0LmNvbSABKAEwAgoqChTjrWUfiCuBHIAj%2Br0YbS8oSrOLqBIMdGVzdC1hY2NvdW50IAEoATACEAEYASAAKNyAq4%2F4%2F%2F%2F%2F%2FwE%3D
This is a percent-encoded Base64 string (note the %2B, %2F and %3D sequences), so it has to be URL-decoded before the Base64 can be turned back into the original data.
Open the Console in any browser and use JavaScript's decodeURIComponent function to obtain the decoded Base64 string.
Ci8KCke7Wn1dzBf7B4QSG3RvdHBAYXV0aGVudGljYXRpb250ZXN0LmNvbSABKAEwAgoqChTjrWUfiCuBHIAj+r0YbS8oSrOLqBIMdGVzdC1hY2NvdW50IAEoATACEAEYASAAKNyAq4/4/////wE=
Next, Google keywords such as Base64 to bin or Base64 to file. The goal is to save the decoded Base64 result as a file. If the language or environment you use offers a convenient Base64 decode operation, you can skip this step.
I used the Base64 to File tool from Base64 Guru, which lets you download the Base64-decoded result directly as a file.
In hex, the file should look like this:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 0A 2F 0A 0A 47 BB 5A 7D 5D CC 17 FB 07 84 12 1B ./..G»Z}]Ì.û.„..
00000010 74 6F 74 70 40 61 75 74 68 65 6E 74 69 63 61 74 totp@authenticat
00000020 69 6F 6E 74 65 73 74 2E 63 6F 6D 20 01 28 01 30 iontest.com .(.0
00000030 02 0A 2A 0A 14 E3 AD 65 1F 88 2B 81 1C 80 23 FA ..*..ã.e.ˆ+..€#ú
00000040 BD 18 6D 2F 28 4A B3 8B A8 12 0C 74 65 73 74 2D ½.m/(J³‹¨..test-
00000050 61 63 63 6F 75 6E 74 20 01 28 01 30 02 10 01 18 account .(.0....
00000060 01 20 00 28 DC 80 AB 8F F8 FF FF FF FF 01 . .(Ü€«.øÿÿÿÿ.
This file is exactly what comes out of encoding with Google's own Protocol Buffers.
Deserializing the Protocol Buffers
A user named Chris van Marle uploaded to GitHub a data-structure definition for Google Authenticator's export data, named OtpMigration.proto; copy the Proto file below to a local file for later use.
// Unofficial protobuf definition of Google Authenticator Migration exports
// Based on Google Authenticator 5.10
// Chris van Marle 04-06-2020
syntax = "proto2";

message MigrationPayload {
  repeated OtpParameters otp_parameters = 1;
  optional int32 version = 2;
  optional int32 batch_size = 3;
  optional int32 batch_index = 4;
  optional int32 batch_id = 5;
}

message OtpParameters {
  optional bytes secret = 1;
  optional string name = 2;
  optional string issuer = 3;
  optional Algorithm algorithm = 4;
  optional DigitCount digits = 5;
  optional OtpType type = 6;
  optional int64 counter = 7;
}

enum Algorithm {
  ALGORITHM_TYPE_UNSPECIFIED = 0;
  SHA1 = 1;
  SHA256 = 2;
  SHA512 = 3;
  MD5 = 4;
}

enum DigitCount {
  DIGIT_COUNT_UNSPECIFIED = 0;
  SIX = 1;
  EIGHT = 2;
}

enum OtpType {
  OTP_TYPE_UNSPECIFIED = 0;
  HOTP = 1;
  TOTP = 2;
}
If you already know Protocol Buffers well, you can skip the rest of this section.
To use Protocol Buffers from a given language you first need to install the protoc compiler, which generates the serialization and deserialization code for that language. On macOS with Homebrew you can install it with brew install protobuf; on Windows, download the binary from the Protocol Buffers GitHub Releases page and add it to your PATH. Once installed, running the protoc command in a terminal should print the following:
Parse PROTO_FILES and generate output based on the options given:
-IPATH, --proto_path=PATH Specify the directory in which to search for
imports. May be specified multiple times;
directories will be searched in order. If not
given, the current working directory is used.
If not found in any of the these directories,
the --descriptor_set_in descriptors will be
checked for required proto file.
--version Show version info and exit.
-h, --help Show this text and exit.
--encode=MESSAGE_TYPE Read a text-format message of the given type
from standard input and write it in binary
to standard output. The message type must
be defined in PROTO_FILES or their imports.
--deterministic_output When using --encode, ensure map fields are
deterministically ordered. Note that this order
is not canonical, and changes across builds or
releases of protoc.
--decode=MESSAGE_TYPE Read a binary message of the given type from
standard input and write it in text format
to standard output. The message type must
be defined in PROTO_FILES or their imports.
--decode_raw Read an arbitrary protocol message from
standard input and write the raw tag/value
pairs in text format to standard output. No
PROTO_FILES should be given when using this
flag.
--descriptor_set_in=FILES Specifies a delimited list of FILES
each containing a FileDescriptorSet (a
protocol buffer defined in descriptor.proto).
The FileDescriptor for each of the PROTO_FILES
provided will be loaded from these
FileDescriptorSets. If a FileDescriptor
appears multiple times, the first occurrence
will be used.
-oFILE, Writes a FileDescriptorSet (a protocol buffer,
--descriptor_set_out=FILE defined in descriptor.proto) containing all of
the input files to FILE.
--include_imports When using --descriptor_set_out, also include
all dependencies of the input files in the
set, so that the set is self-contained.
--include_source_info When using --descriptor_set_out, do not strip
SourceCodeInfo from the FileDescriptorProto.
This results in vastly larger descriptors that
include information about the original
location of each decl in the source file as
well as surrounding comments.
--retain_options When using --descriptor_set_out, do not strip
any options from the FileDescriptorProto.
This results in potentially larger descriptors
that include information about options that were
only meant to be useful during compilation.
--dependency_out=FILE Write a dependency output file in the format
expected by make. This writes the transitive
set of input file paths to FILE
--error_format=FORMAT Set the format in which to print errors.
FORMAT may be 'gcc' (the default) or 'msvs'
(Microsoft Visual Studio format).
--fatal_warnings Make warnings be fatal (similar to -Werr in
gcc). This flag will make protoc return
with a non-zero exit code if any warnings
are generated.
--print_free_field_numbers Print the free field numbers of the messages
defined in the given proto files. Extension ranges
are counted as occupied fields numbers.
--enable_codegen_trace Enables tracing which parts of protoc are
responsible for what codegen output. Not supported
by all backends or on all platforms.
--plugin=EXECUTABLE Specifies a plugin executable to use.
Normally, protoc searches the PATH for
plugins, but you may specify additional
executables not in the path using this flag.
Additionally, EXECUTABLE may be of the form
NAME=PATH, in which case the given plugin name
is mapped to the given executable even if
the executable's own name differs.
--cpp_out=OUT_DIR Generate C++ header and source.
--csharp_out=OUT_DIR Generate C# source file.
--java_out=OUT_DIR Generate Java source file.
--kotlin_out=OUT_DIR Generate Kotlin file.
--objc_out=OUT_DIR Generate Objective-C header and source.
--php_out=OUT_DIR Generate PHP source file.
--pyi_out=OUT_DIR Generate python pyi stub.
--python_out=OUT_DIR Generate Python source file.
--ruby_out=OUT_DIR Generate Ruby source file.
--rust_out=OUT_DIR Generate Rust sources.
@<filename> Read options and filenames from file. If a
relative file path is specified, the file
will be searched in the working directory.
The --proto_path option will not affect how
this argument file is searched. Content of
the file will be expanded in the position of
@<filename> as in the argument list. Note
that shell expansion is not applied to the
content of the file (i.e., you cannot use
quotes, wildcards, escapes, commands, etc.).
Each line corresponds to a single argument,
even if it contains spaces.
The last step is to access the Proto file from your language of choice.
A first taste
Taking C# as the example, copy the Proto file above into the current project and use protoc to compile it into a code file for the language:
protoc --csharp_out=. .\OtpMigration.proto
After the command runs, a C# file named OtpMigration.cs should appear in the project, and the members of its MigrationPayload class can be used to deserialize the data.
using System;
using System.IO;
using Google.Protobuf; // NuGet package Google.Protobuf; provides ByteString.ToStringUtf8()

// payload.bin is the file saved from the decoded Base64 above
using var input = File.OpenRead("C:\\Users\\xyfbs\\source\\repos\\GMigration\\payload.bin");
var payload = MigrationPayload.Parser.ParseFrom(input);
foreach (var item in payload.OtpParameters)
    // Secret is raw key bytes, so ToStringUtf8() only shows it as mostly unprintable text
    Console.WriteLine($"Type: {item.Type}, Algo: {item.Algorithm}, Secret: {item.Secret.ToStringUtf8()}");
Note, however, that before the Secret can be used (for example, to generate a QR code for another authenticator), it must be Base32-encoded.