user_otp.c

Example of using OTP to authenticate HSM users.

See Note on examples.

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <dinamo.h>
 
/* Connection parameters */
#define HSM_USR_ADM "master"
#define HSM_USR "user"
#define HSM_IP "127.0.0.1"
#define HSM_PWD "12345678"
 
int NewHsmUser(HSESSIONCTX hSession, const char *szUser, const char *szPwd)
{
    int nRet = 0;
    struct USER_INFO stUserInfo = { 0 };
 
    /* Fills in the user structure */
 
    strncpy(stUserInfo. szUserId, szUser, sizeof(stUserInfo.szUserId));
    strncpy(stUserInfo. szPassword, szPwd, sizeof(stUserInfo.szPassword));
 
    /* Creates a new user in HSM */
 
    nRet = DCreateUser(hSession, stUserInfo);
    if (nRet)
    {
        printf("DCreateUser : Failed! %d.\n", nRet);
        return nRet;
    }
 
    return 0;
}
 
int main(void)
{
    int nRet = 0;
    struct AUTH_PWD_EX  stAuthInfoAdm   = {0};
    struct AUTH_PWD_EX  stAuthInfoUser  = { 0 };
    HSESSIONCTX hSessionAdm = NULL;
    HSESSIONCTX hSessionUser = NULL;
    OATH_SA_v1          stTokenParam    = { 0 };
 
    const char cszOTP[] = "992271";
 
    /*
    * Seed used to generate the HOTP Blob.
    *
    * This seed can be transformed from binary to Base32
    * and imported into the client (Google Authenticator, for example).
    *
    */
    BYTE pbOtpKey[20] =
    {
        0xD5, 0x17, 0xED, 0x40, 0x1D, 0xF3, 0x03, 0x38, 0x37, 0xE0, 0x8B, 0x62, 0x55, 0xBE, 0xDB, 0xF9,
        0x52, 0x0E, 0xF8, 0x8E,
    };
 
    /*
        Fills in the structure of the administrator user
    */
    strncpy(stAuthInfoAdm. szAddr, HSM_IP, sizeof(stAuthInfoAdm.szAddr));
    strncpy(stAuthInfoAdm. szUserId, HSM_USR_ADM, sizeof(stAuthInfoAdm.szUserId));
    strncpy(stAuthInfoAdm. szPassword, HSM_PWD, sizeof(stAuthInfoAdm.szPassword));
    stAuthInfoAdm. nPort = DEFAULT_PORT;
    stAuthInfoAdm. nStrongAuthLen = 0;
    stAuthInfoAdm. pbStrongAuth = NULL;
    stAuthInfoAdm. dwAuthType = SA_AUTH_NONE;
 
    DInitialize(0);
 
    /*
        Connect with a user with admin permissions
        to associate an otp token with an ordinary user.
    */
 
    nRet = DOpenSession(&hSessionAdm,
                        SS_USR_PWD_EX,
                        (BYTE *) &stAuthInfoAdm,
                        sizeof(struct AUTH_PWD_EX),
                        CACHE_BYPASS | LB_BYPASS | ENCRYPTED_CONN );
 
    if(nRet)
    {
        printf("DOpenSession (adm) : Failed! %d.\n", nRet);
        goto clean;
    }
 
    /* Creates an ordinary test user */
 
    nRet = NewHsmUser(hSessionAdm, HSM_USR, HSM_PWD);
    if (nRet)
    {
        printf("NewHsmUser : Failed! %d.\n", nRet);
        goto clean;
    }
 
    /* Associates the token with the common user. */
 
    stTokenParam.type = OATH _SA_v1_type_SHA1;
    memcpy(stTokenParam.key, pbOtpKey, sizeof(pbOtpKey));
    stTokenParam.key_len = sizeof(pbOtpKey);
    stTokenParam.truncation_offset = OATH _SA_v1_HOTP_DYN_TRUNC_OFF;
 
    nRet = DAssignToken(hSessionAdm,
                        HSM_USR,
                        AT_OATH_TOKEN,
                        (BYTE *)&stTokenParam,
                        sizeof(stTokenParam));
    if( nRet )
    {
        printf("DAssignToken : Failed! %d.\n", nRet);
        goto clean;
    }
 
    /*
        Fills in the structure of the average user.
    */
    strncpy(stAuthInfoUser.szAddr, HSM_IP, sizeof(stAuthInfoUser.szAddr));
    strncpy(stAuthInfoUser.szUserId, HSM_USR, sizeof(stAuthInfoUser.szUserId));
    strncpy(stAuthInfoUser.szPassword, HSM_PWD, sizeof(stAuthInfoUser.szPassword));
    stAuthInfoUser.nPort = DEFAULT_PORT;
    stAuthInfoUser.pbStrongAuth =(BYTE *)cszOTP;
    stAuthInfoUser.nStrongAuthLen = (int)sizeof(cszOTP) - 1;
    stAuthInfoUser.dwAuthType = SA_AUTH_OTP;
 
    nRet = DOpenSession(&hSessionUser,
                        SS_USR_PWD_EX,
                        (BYTE *)&stAuthInfoUser,
                        sizeof(struct AUTH_PWD_EX),
                        CACHE_BYPASS | LB_BYPASS | ENCRYPTED_CONN);
 
    if (nRet)
    {
        printf("DOpenSession (user) : Failed! %d.\n", nRet);
        goto clean;
    }
 
    /*
        Re-synchronizes the common user's OTP token.
        Use when the HOTP(event) token is not synchronized.
 
        2 consecutive OTPs are passed for the HSM to adjust the event window
    */
    nRet = DOATHResync( hSessionAdm,
                        HSM_USR,
                        "758993",
                        "864532",
                        0);
    if (nRet)
    {
        printf("DOATHResync : Failed! %d.\n", nRet);
        goto clean;
    }
 
 
    /*
        Disassociates the token from the ordinary user.
    */
    nRet = DUnassignToken( hSessionAdm,
                            AT_OATH_TOKEN,
                            HSM_USR);
    if (nRet)
    {
        printf("DUnassignToken : Failed! %d.\n", nRet);
        goto clean;
    }
 
    clean:
 
    DCloseSession(&hSessionUser, 0);
 
    // Remove o usuário criado
    if (hSessionAdm != NULL)
    {
        DRemoveUser(hSessionAdm, HSM_USR);
    }
 
    DCloseSession(&hSessionAdm, 0);
 
    DFinalize();
 
    return nRet;
}