Do some nitpicking cleanup of the twofactor code and documentation.
diff --git a/cryptography/hazmat/primitives/twofactor/hotp.py b/cryptography/hazmat/primitives/twofactor/hotp.py
index e806c7e..24f5f46 100644
--- a/cryptography/hazmat/primitives/twofactor/hotp.py
+++ b/cryptography/hazmat/primitives/twofactor/hotp.py
@@ -24,7 +24,6 @@
class HOTP(object):
def __init__(self, key, length, algorithm, backend):
-
if len(key) < 16:
raise ValueError("Key length has to be at least 128 bits.")
diff --git a/cryptography/hazmat/primitives/twofactor/totp.py b/cryptography/hazmat/primitives/twofactor/totp.py
index be84b47..0630de6 100644
--- a/cryptography/hazmat/primitives/twofactor/totp.py
+++ b/cryptography/hazmat/primitives/twofactor/totp.py
@@ -20,7 +20,6 @@
class TOTP(object):
def __init__(self, key, length, algorithm, time_step, backend):
-
self._time_step = time_step
self._hotp = HOTP(key, length, algorithm, backend)
diff --git a/docs/hazmat/primitives/twofactor.rst b/docs/hazmat/primitives/twofactor.rst
index 06be151..3df1a14 100644
--- a/docs/hazmat/primitives/twofactor.rst
+++ b/docs/hazmat/primitives/twofactor.rst
@@ -19,8 +19,8 @@
HOTP objects take a ``key``, ``length`` and ``algorithm`` parameter. The
``key`` should be randomly generated bytes and is recommended to be 160
- bits in length. The ``length`` parameter controls the length of the generated
- one time password and must be >= 6 and <= 8.
+ bits in length. The ``length`` parameter controls the length of the
+ generated one time password and must be >= 6 and <= 8.
This is an implementation of :rfc:`4226`.
@@ -45,44 +45,48 @@
:param backend: A
:class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
provider.
- :raises ValueError: This is raised if the provided ``key`` is shorter than 128 bits
- or if the ``length`` parameter is not 6, 7 or 8.
- :raises UnsupportedAlgorithm: This is raised if the provided ``algorithm`` is not
- :class:`~cryptography.hazmat.primitives.hashes.SHA1()`,
- :class:`~cryptography.hazmat.primitives.hashes.SHA256()`
- or :class:`~cryptography.hazmat.primitives.hashes.SHA512()`.
+ :raises ValueError: This is raised if the provided ``key`` is shorter than
+ 128 bits or if the ``length`` parameter is not 6, 7 or 8.
+ :raises UnsupportedAlgorithm: This is raised if the provided ``algorithm``
+ is not :class:`~cryptography.hazmat.primitives.hashes.SHA1()`,
+ :class:`~cryptography.hazmat.primitives.hashes.SHA256()` or
+ :class:`~cryptography.hazmat.primitives.hashes.SHA512()`.
.. method:: generate(counter)
- :param int counter: The counter value used to generate the one time password.
+ :param int counter: The counter value used to generate the one time
+ password.
:return bytes: A one time password value.
.. method:: verify(hotp, counter)
:param bytes hotp: The one time password value to validate.
:param int counter: The counter value to validate against.
- :raises cryptography.exceptions.InvalidToken: This is raised when the supplied HOTP
- does not match the expected HOTP.
+ :raises cryptography.exceptions.InvalidToken: This is raised when the
+ supplied HOTP does not match the expected HOTP.
Throttling
~~~~~~~~~~
-Due to the fact that the HOTP algorithm generates rather short tokens that are 6 - 8 digits
-long, brute force attacks are possible. It is highly recommended that the server that
-validates the token implement a throttling scheme that locks out the account for a period of
-time after a number of failed attempts. The number of allowed attempts should be as low as
-possible while still ensuring that usability is not significantly impacted.
+Due to the fact that the HOTP algorithm generates rather short tokens that are
+6 - 8 digits long, brute force attacks are possible. It is highly recommended
+that the server that validates the token implement a throttling scheme that
+locks out the account for a period of time after a number of failed attempts.
+The number of allowed attempts should be as low as possible while still
+ensuring that usability is not significantly impacted.
Re-synchronization of the Counter
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-The server's counter value should only be incremented on a successful HOTP authentication.
-However, the counter on the client is incremented every time a new HOTP value is requested.
-This can lead to the counter value being out of synchronization between the client and server.
+The server's counter value should only be incremented on a successful HOTP
+authentication. However, the counter on the client is incremented every time a
+new HOTP value is requested. This can lead to the counter value being out of
+synchronization between the client and server.
-Due to this, it is highly recommended that the server sets a look-ahead window that allows the
-server to calculate the next ``x`` HOTP values and check them against the supplied HOTP value.
-This can be accomplished with something similar to the following code.
+Due to this, it is highly recommended that the server sets a look-ahead window
+that allows the server to calculate the next ``x`` HOTP values and check them
+against the supplied HOTP value. This can be accomplished with something
+similar to the following code.
.. code-block:: python
@@ -91,7 +95,7 @@
correct_counter = None
otp = HOTP(key, 6, default_backend())
- for count in range(counter, counter+look_ahead):
+ for count in range(counter, counter + look_ahead):
try:
otp.verify(hotp, count)
correct_counter = count
@@ -136,12 +140,12 @@
:param backend: A
:class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
provider.
- :raises ValueError: This is raised if the provided ``key`` is shorter than 128 bits
- or if the ``length`` parameter is not 6, 7 or 8.
- :raises UnsupportedAlgorithm: This is raised if the provided ``algorithm`` is not
- :class:`~cryptography.hazmat.primitives.hashes.SHA1()`,
- :class:`~cryptography.hazmat.primitives.hashes.SHA256()`
- or :class:`~cryptography.hazmat.primitives.hashes.SHA512()`.
+ :raises ValueError: This is raised if the provided ``key`` is shorter than
+ 128 bits or if the ``length`` parameter is not 6, 7 or 8.
+ :raises UnsupportedAlgorithm: This is raised if the provided ``algorithm``
+ is not :class:`~cryptography.hazmat.primitives.hashes.SHA1()`,
+ :class:`~cryptography.hazmat.primitives.hashes.SHA256()` or
+ :class:`~cryptography.hazmat.primitives.hashes.SHA512()`.
.. method:: generate(time)
@@ -152,5 +156,5 @@
:param bytes totp: The one time password value to validate.
:param int time: The time value to validate against.
- :raises cryptography.exceptions.InvalidToken: This is raised when the supplied TOTP
- does not match the expected TOTP.
+ :raises cryptography.exceptions.InvalidToken: This is raised when the
+ supplied TOTP does not match the expected TOTP.
diff --git a/tests/hazmat/primitives/twofactor/test_hotp.py b/tests/hazmat/primitives/twofactor/test_hotp.py
index 8f687eb..7c58427 100644
--- a/tests/hazmat/primitives/twofactor/test_hotp.py
+++ b/tests/hazmat/primitives/twofactor/test_hotp.py
@@ -31,7 +31,6 @@
)
@pytest.mark.hmac
class TestHOTP(object):
-
def test_invalid_key_length(self, backend):
secret = os.urandom(10)
diff --git a/tests/hazmat/primitives/twofactor/test_totp.py b/tests/hazmat/primitives/twofactor/test_totp.py
index 8877a70..a4a108b 100644
--- a/tests/hazmat/primitives/twofactor/test_totp.py
+++ b/tests/hazmat/primitives/twofactor/test_totp.py
@@ -24,7 +24,6 @@
@pytest.mark.hmac
class TestTOTP(object):
-
@pytest.mark.supported(
only_if=lambda backend: backend.hmac_supported(hashes.SHA1()),
skip_message="Does not support HMAC-SHA1."