base32.DecodeString expects length 8 for the buffer (#11887)

Add padding to the input key to ensure it reaches that length.

builtin/logical/totp/backend_test.go

@@ -786,6 +786,40 @@ func TestBackend_urlPassedNonGeneratedKeyMissingAccountNameandIssuer(t *testing.
 	})
 }
 
+func TestBackend_urlPassedNonGeneratedKeyMissingAccountNameandIssuerandPadding(t *testing.T) {
+	config := logical.TestBackendConfig()
+	config.StorageView = &logical.InmemStorage{}
+	b, err := Factory(context.Background(), config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	urlString := "otpauth://totp/?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZAU&algorithm=SHA512&digits=6&period=60"
+
+	keyData := map[string]interface{}{
+		"url":      urlString,
+		"generate": false,
+	}
+
+	expected := map[string]interface{}{
+		"issuer":       "",
+		"account_name": "",
+		"digits":       otplib.DigitsSix,
+		"period":       60,
+		"algorithm":    otplib.AlgorithmSHA512,
+		"key":          "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZAU===",
+	}
+
+	logicaltest.Test(t, logicaltest.TestCase{
+		LogicalBackend: b,
+		Steps: []logicaltest.TestStep{
+			testAccStepCreateKey(t, "test", keyData, false),
+			testAccStepReadKey(t, "test", expected),
+			testAccStepReadCreds(t, b, config.StorageView, "test", expected),
+		},
+	})
+}
+
 func TestBackend_generatedKeyInvalidSkew(t *testing.T) {
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}

builtin/logical/totp/path_keys.go

@@ -375,6 +375,10 @@ func (b *backend) pathKeyCreate(ctx context.Context, req *logical.Request, data
 			return logical.ErrorResponse("the key value is required"), nil
 		}
 
+		if i := len(keyString) % 8; i != 0 {
+			keyString += strings.Repeat("=", 8-i)
+		}
+
 		_, err := base32.StdEncoding.DecodeString(strings.ToUpper(keyString))
 		if err != nil {
 			return logical.ErrorResponse(fmt.Sprintf(

changelog/11887.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+secret/totp: pad input key to ensure length is a multiple of 8
+```