The test values of the RFC specify:
Appendix D - HOTP Algorithm: Test Values
The following test data uses the ASCII string
"12345678901234567890" for the secret:
Secret = 0x3132333435363738393031323334353637383930
Table 1 details for each count, the intermediate HMAC value.
Count Hexadecimal HMAC-SHA-1(secret, count)
0 cc93cf18508d94934c64b65d8ba7667fb7cde4b0
1 75a48a19d4cbe100644e8ac1397eea747a2d33ab
So if I try to get the HMAC for 0 in Ruby I get:
[20] pry(AuthyOTP)> secret_key = "12345678901234567890"
=> "12345678901234567890"
[22] pry(AuthyOTP)> OpenSSL::HMAC.hexdigest(digest, secret_key, "0")
=> "32a67f374525d32d0ce13e3db42b5b4a3f370cce"
I was expecting to get cc93cf18508d94934c64b65d8ba7667fb7cde4b0
So I wrote an implementation in Java, and I get the same:
Calculation OTP for movingFactor = 0
2. Calculate Hash =
32a67f374525d32d0ce13e3db42b5b4a3f370cce
So what is the hexadecimal SHA1-HMAC of "0" when the secret is "12345678901234567890"?
RFC4226 is correct.
You are confusing character strings with bytes. You are not supposed to compute the hmac-sha1 of '0'; you are supposed to compute the hmac-sha1 of an 8-byte integer that starts out at 0. In Java, that would be the hmac-sha1 of byte[] counter = {0, 0, 0, 0, 0, 0, 0, 0};
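The same point in Ruby, as an added example that is not part of the original question or answer: the counter is packed as an 8-byte big-endian integer before the HMAC, which reproduces the RFC 4226 Appendix D values. It goes one step beyond the answer by also applying the RFC's dynamic truncation to get the 6-digit codes; the helper names (counter_bytes, counter_hmac, ascii_hmac, hotp) are assumptions made for this example.

```ruby
require "openssl"

# Secret from RFC 4226 Appendix D: the ASCII bytes of this string.
SECRET = "12345678901234567890"

# HOTP's moving factor is an 8-byte big-endian integer, not its decimal text.
def counter_bytes(count)
  [count].pack("Q>") # 64-bit unsigned, big-endian
end

# HMAC-SHA-1 over the 8-byte counter (what the RFC table lists).
def counter_hmac(secret, count)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, counter_bytes(count))
end

# HMAC-SHA-1 over the ASCII digits of the counter (the mistake in the question).
def ascii_hmac(secret, count)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, count.to_s)
end

# RFC 4226 dynamic truncation: the low nibble of the last byte selects a
# 4-byte window, the top bit is masked off, and the result is reduced mod 10^digits.
def hotp(secret, count, digits = 6)
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA1"), secret, counter_bytes(count)).bytes
  offset = mac.last & 0x0f
  code = ((mac[offset] & 0x7f) << 24) |
         (mac[offset + 1] << 16) |
         (mac[offset + 2] << 8) |
         mac[offset + 3]
  (code % 10**digits).to_s.rjust(digits, "0")
end

if __FILE__ == $PROGRAM_NAME
  [0, 1].each do |count|
    puts "count=#{count}"
    puts "  8-byte counter HMAC: #{counter_hmac(SECRET, count)}"
    puts "  ASCII digit HMAC:    #{ascii_hmac(SECRET, count)}"
    puts "  HOTP:                #{hotp(SECRET, count)}"
  end
end
```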