From b3bd9e73c7e65f988d09be0c5003227efe3b07e4 Mon Sep 17 00:00:00 2001
From: Olivier Jaquemet <olivier.jaquemet@gmail.com>
Date: Wed, 26 Feb 2020 13:53:21 +0100
Subject: [PATCH 1/2] Fix #24 - Limit the extensibility of classes and methods

Apply Guideline 4-5 / EXTEND-5: Limit the extensibility of classes and
methods from the Secure Coding Guidelines for Java SE
https://www.oracle.com/technetwork/java/seccodeguide-139067.html#4-5
---
 .../java/dev/samstevens/totp/code/DefaultCodeGenerator.java     | 2 +-
 src/main/java/dev/samstevens/totp/code/DefaultCodeVerifier.java | 2 +-
 .../dev/samstevens/totp/exceptions/CodeGenerationException.java | 2 +-
 .../dev/samstevens/totp/exceptions/QrGenerationException.java   | 2 +-
 .../dev/samstevens/totp/exceptions/TimeProviderException.java   | 2 +-
 src/main/java/dev/samstevens/totp/qr/QrData.java                | 2 +-
 src/main/java/dev/samstevens/totp/qr/ZxingPngQrGenerator.java   | 2 +-
 .../dev/samstevens/totp/recovery/RecoveryCodeGenerator.java     | 2 +-
 .../java/dev/samstevens/totp/secret/DefaultSecretGenerator.java | 2 +-
 src/main/java/dev/samstevens/totp/time/NtpTimeProvider.java     | 2 +-
 src/main/java/dev/samstevens/totp/time/SystemTimeProvider.java  | 2 +-
 src/main/java/dev/samstevens/totp/util/Utils.java               | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/main/java/dev/samstevens/totp/code/DefaultCodeGenerator.java b/src/main/java/dev/samstevens/totp/code/DefaultCodeGenerator.java
index d83f893..5841caa 100644
--- a/src/main/java/dev/samstevens/totp/code/DefaultCodeGenerator.java
+++ b/src/main/java/dev/samstevens/totp/code/DefaultCodeGenerator.java
@@ -8,7 +8,7 @@
 import java.security.InvalidParameterException;
 import java.security.NoSuchAlgorithmException;
 
-public class DefaultCodeGenerator implements CodeGenerator {
+public final class DefaultCodeGenerator implements CodeGenerator {
 
     private final HashingAlgorithm algorithm;
     private final int digits;
diff --git a/src/main/java/dev/samstevens/totp/code/DefaultCodeVerifier.java b/src/main/java/dev/samstevens/totp/code/DefaultCodeVerifier.java
index 7fdfd33..0aacb29 100644
--- a/src/main/java/dev/samstevens/totp/code/DefaultCodeVerifier.java
+++ b/src/main/java/dev/samstevens/totp/code/DefaultCodeVerifier.java
@@ -3,7 +3,7 @@
 import dev.samstevens.totp.exceptions.CodeGenerationException;
 import dev.samstevens.totp.time.TimeProvider;
 
-public class DefaultCodeVerifier implements CodeVerifier {
+public final class DefaultCodeVerifier implements CodeVerifier {
 
     private final CodeGenerator codeGenerator;
     private final TimeProvider timeProvider;
diff --git a/src/main/java/dev/samstevens/totp/exceptions/CodeGenerationException.java b/src/main/java/dev/samstevens/totp/exceptions/CodeGenerationException.java
index 51b3d34..9154b76 100644
--- a/src/main/java/dev/samstevens/totp/exceptions/CodeGenerationException.java
+++ b/src/main/java/dev/samstevens/totp/exceptions/CodeGenerationException.java
@@ -1,6 +1,6 @@
 package dev.samstevens.totp.exceptions;
 
-public class CodeGenerationException extends Exception {
+public final class CodeGenerationException extends Exception {
     public CodeGenerationException(String message, Throwable cause) {
         super(message, cause);
     }
diff --git a/src/main/java/dev/samstevens/totp/exceptions/QrGenerationException.java b/src/main/java/dev/samstevens/totp/exceptions/QrGenerationException.java
index 7a887c3..a57bdcc 100644
--- a/src/main/java/dev/samstevens/totp/exceptions/QrGenerationException.java
+++ b/src/main/java/dev/samstevens/totp/exceptions/QrGenerationException.java
@@ -1,6 +1,6 @@
 package dev.samstevens.totp.exceptions;
 
-public class QrGenerationException extends Exception {
+public final class QrGenerationException extends Exception {
     public QrGenerationException(String message, Throwable cause) {
         super(message, cause);
     }
diff --git a/src/main/java/dev/samstevens/totp/exceptions/TimeProviderException.java b/src/main/java/dev/samstevens/totp/exceptions/TimeProviderException.java
index 77a0691..93fa319 100644
--- a/src/main/java/dev/samstevens/totp/exceptions/TimeProviderException.java
+++ b/src/main/java/dev/samstevens/totp/exceptions/TimeProviderException.java
@@ -1,6 +1,6 @@
 package dev.samstevens.totp.exceptions;
 
-public class TimeProviderException extends RuntimeException {
+public final class TimeProviderException extends RuntimeException {
     public TimeProviderException(String message, Throwable cause) {
         super(message, cause);
     }
diff --git a/src/main/java/dev/samstevens/totp/qr/QrData.java b/src/main/java/dev/samstevens/totp/qr/QrData.java
index bc2b750..1d76333 100644
--- a/src/main/java/dev/samstevens/totp/qr/QrData.java
+++ b/src/main/java/dev/samstevens/totp/qr/QrData.java
@@ -7,7 +7,7 @@
 import java.nio.charset.StandardCharsets;
 
 @SuppressWarnings("WeakerAccess")
-public class QrData {
+public final class QrData {
 
     private final String type;
     private final String label;
diff --git a/src/main/java/dev/samstevens/totp/qr/ZxingPngQrGenerator.java b/src/main/java/dev/samstevens/totp/qr/ZxingPngQrGenerator.java
index e292749..a0e4c42 100644
--- a/src/main/java/dev/samstevens/totp/qr/ZxingPngQrGenerator.java
+++ b/src/main/java/dev/samstevens/totp/qr/ZxingPngQrGenerator.java
@@ -8,7 +8,7 @@
 import dev.samstevens.totp.exceptions.QrGenerationException;
 import java.io.ByteArrayOutputStream;
 
-public class ZxingPngQrGenerator implements QrGenerator {
+public final class ZxingPngQrGenerator implements QrGenerator {
 
     private final Writer writer;
     private int imageSize = 350;
diff --git a/src/main/java/dev/samstevens/totp/recovery/RecoveryCodeGenerator.java b/src/main/java/dev/samstevens/totp/recovery/RecoveryCodeGenerator.java
index 625405a..2030b85 100644
--- a/src/main/java/dev/samstevens/totp/recovery/RecoveryCodeGenerator.java
+++ b/src/main/java/dev/samstevens/totp/recovery/RecoveryCodeGenerator.java
@@ -6,7 +6,7 @@
 import java.util.Arrays;
 import java.util.Random;
 
-public class RecoveryCodeGenerator {
+public final class RecoveryCodeGenerator {
 
     private Random random = new SecureRandom();
     private Base32 codec = new Base32();
diff --git a/src/main/java/dev/samstevens/totp/secret/DefaultSecretGenerator.java b/src/main/java/dev/samstevens/totp/secret/DefaultSecretGenerator.java
index 853a431..cdf99a7 100644
--- a/src/main/java/dev/samstevens/totp/secret/DefaultSecretGenerator.java
+++ b/src/main/java/dev/samstevens/totp/secret/DefaultSecretGenerator.java
@@ -4,7 +4,7 @@
 import java.security.SecureRandom;
 
 @SuppressWarnings("WeakerAccess")
-public class DefaultSecretGenerator implements SecretGenerator {
+public final class DefaultSecretGenerator implements SecretGenerator {
 
     private final SecureRandom randomBytes = new SecureRandom();
     private final static Base32 encoder = new Base32();
diff --git a/src/main/java/dev/samstevens/totp/time/NtpTimeProvider.java b/src/main/java/dev/samstevens/totp/time/NtpTimeProvider.java
index 078b21e..bad5f06 100644
--- a/src/main/java/dev/samstevens/totp/time/NtpTimeProvider.java
+++ b/src/main/java/dev/samstevens/totp/time/NtpTimeProvider.java
@@ -6,7 +6,7 @@
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 
-public class NtpTimeProvider implements TimeProvider {
+public final class NtpTimeProvider implements TimeProvider {
 
     private final NTPUDPClient client;
     private final InetAddress ntpHost;
diff --git a/src/main/java/dev/samstevens/totp/time/SystemTimeProvider.java b/src/main/java/dev/samstevens/totp/time/SystemTimeProvider.java
index 3d01f78..9d9de85 100644
--- a/src/main/java/dev/samstevens/totp/time/SystemTimeProvider.java
+++ b/src/main/java/dev/samstevens/totp/time/SystemTimeProvider.java
@@ -3,7 +3,7 @@
 import dev.samstevens.totp.exceptions.TimeProviderException;
 import java.time.Instant;
 
-public class SystemTimeProvider implements TimeProvider {
+public final class SystemTimeProvider implements TimeProvider {
     @Override
     public long getTime() throws TimeProviderException {
         return Instant.now().getEpochSecond();
diff --git a/src/main/java/dev/samstevens/totp/util/Utils.java b/src/main/java/dev/samstevens/totp/util/Utils.java
index b7f72a5..77eef7c 100644
--- a/src/main/java/dev/samstevens/totp/util/Utils.java
+++ b/src/main/java/dev/samstevens/totp/util/Utils.java
@@ -2,7 +2,7 @@
 
 import org.apache.commons.codec.binary.Base64;
 
-public class Utils {
+public final class Utils {
     private static Base64 base64Codec = new Base64();
 
     // Class not meant to be instantiated

From dafb15ddcf1512f308d7cd76d111d2928338153d Mon Sep 17 00:00:00 2001
From: Olivier Jaquemet <olivier.jaquemet@gmail.com>
Date: Fri, 28 Feb 2020 10:41:44 +0100
Subject: [PATCH 2/2] final classes : allow inheritance for default
 implementation classes

Be a little more openminded in applying
Guideline 4-5 / EXTEND-5: Limit the extensibility of classes and
methods from the Secure Coding Guidelines for Java SE
https://www.oracle.com/technetwork/java/seccodeguide-139067.html#4-5

Rule is :
"Design classes and methods for inheritance" or "declare them final"
This commit reverts use of final classes for default implementation
of as it was clearly design for inheritance and should be kept this way
---
 .../java/dev/samstevens/totp/code/DefaultCodeGenerator.java     | 2 +-
 src/main/java/dev/samstevens/totp/code/DefaultCodeVerifier.java | 2 +-
 src/main/java/dev/samstevens/totp/qr/ZxingPngQrGenerator.java   | 2 +-
 .../dev/samstevens/totp/recovery/RecoveryCodeGenerator.java     | 2 +-
 .../java/dev/samstevens/totp/secret/DefaultSecretGenerator.java | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/main/java/dev/samstevens/totp/code/DefaultCodeGenerator.java b/src/main/java/dev/samstevens/totp/code/DefaultCodeGenerator.java
index 5841caa..d83f893 100644
--- a/src/main/java/dev/samstevens/totp/code/DefaultCodeGenerator.java
+++ b/src/main/java/dev/samstevens/totp/code/DefaultCodeGenerator.java
@@ -8,7 +8,7 @@
 import java.security.InvalidParameterException;
 import java.security.NoSuchAlgorithmException;
 
-public final class DefaultCodeGenerator implements CodeGenerator {
+public class DefaultCodeGenerator implements CodeGenerator {
 
     private final HashingAlgorithm algorithm;
     private final int digits;
diff --git a/src/main/java/dev/samstevens/totp/code/DefaultCodeVerifier.java b/src/main/java/dev/samstevens/totp/code/DefaultCodeVerifier.java
index 0aacb29..7fdfd33 100644
--- a/src/main/java/dev/samstevens/totp/code/DefaultCodeVerifier.java
+++ b/src/main/java/dev/samstevens/totp/code/DefaultCodeVerifier.java
@@ -3,7 +3,7 @@
 import dev.samstevens.totp.exceptions.CodeGenerationException;
 import dev.samstevens.totp.time.TimeProvider;
 
-public final class DefaultCodeVerifier implements CodeVerifier {
+public class DefaultCodeVerifier implements CodeVerifier {
 
     private final CodeGenerator codeGenerator;
     private final TimeProvider timeProvider;
diff --git a/src/main/java/dev/samstevens/totp/qr/ZxingPngQrGenerator.java b/src/main/java/dev/samstevens/totp/qr/ZxingPngQrGenerator.java
index a0e4c42..e292749 100644
--- a/src/main/java/dev/samstevens/totp/qr/ZxingPngQrGenerator.java
+++ b/src/main/java/dev/samstevens/totp/qr/ZxingPngQrGenerator.java
@@ -8,7 +8,7 @@
 import dev.samstevens.totp.exceptions.QrGenerationException;
 import java.io.ByteArrayOutputStream;
 
-public final class ZxingPngQrGenerator implements QrGenerator {
+public class ZxingPngQrGenerator implements QrGenerator {
 
     private final Writer writer;
     private int imageSize = 350;
diff --git a/src/main/java/dev/samstevens/totp/recovery/RecoveryCodeGenerator.java b/src/main/java/dev/samstevens/totp/recovery/RecoveryCodeGenerator.java
index 2030b85..625405a 100644
--- a/src/main/java/dev/samstevens/totp/recovery/RecoveryCodeGenerator.java
+++ b/src/main/java/dev/samstevens/totp/recovery/RecoveryCodeGenerator.java
@@ -6,7 +6,7 @@
 import java.util.Arrays;
 import java.util.Random;
 
-public final class RecoveryCodeGenerator {
+public class RecoveryCodeGenerator {
 
     private Random random = new SecureRandom();
     private Base32 codec = new Base32();
diff --git a/src/main/java/dev/samstevens/totp/secret/DefaultSecretGenerator.java b/src/main/java/dev/samstevens/totp/secret/DefaultSecretGenerator.java
index cdf99a7..853a431 100644
--- a/src/main/java/dev/samstevens/totp/secret/DefaultSecretGenerator.java
+++ b/src/main/java/dev/samstevens/totp/secret/DefaultSecretGenerator.java
@@ -4,7 +4,7 @@
 import java.security.SecureRandom;
 
 @SuppressWarnings("WeakerAccess")
-public final class DefaultSecretGenerator implements SecretGenerator {
+public class DefaultSecretGenerator implements SecretGenerator {
 
     private final SecureRandom randomBytes = new SecureRandom();
     private final static Base32 encoder = new Base32();