user_otp.c

Example of using OTP to authenticate HSM users.

See Note on examples.

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <dinamo.h>
 
/* Parametros da conexao */
#define   HSM_USR_ADM   "master"
#define   HSM_USR       "user"
#define   HSM_IP        "127.0.0.1"
#define   HSM_PWD       "12345678"
 
int NewHsmUser(HSESSIONCTX hSession, const char *szUser, const char *szPwd)
{
    int nRet = 0;
    struct USER_INFO stUserInfo = { 0 };
 
    /* Preenche a estrutura de usuário */
 
    strncpy(stUserInfo.szUserId, szUser, sizeof(stUserInfo.szUserId));
    strncpy(stUserInfo.szPassword, szPwd, sizeof(stUserInfo.szPassword));
 
    /* Cria um novo usuário no HSM */
 
    nRet = DCreateUser(hSession, stUserInfo);
    if (nRet)
    {
        printf("DCreateUser : Failed! %d.\n", nRet);
        return nRet;
    }
 
    return 0;
}
 
int main(void)
{
    int                 nRet            = 0;
    struct AUTH_PWD_EX  stAuthInfoAdm   = {0};
    struct AUTH_PWD_EX  stAuthInfoUser  = { 0 };
    HSESSIONCTX         hSessionAdm     = NULL;
    HSESSIONCTX         hSessionUser    = NULL;
    OATH_SA_v1          stTokenParam    = { 0 };
 
    const char cszOTP[] = "992271";
 
    /*
    * Semente utilizada para gerar o Blob HOTP.
    *
    * Esta semente pode ser transformada de binário para Base32
    * e importada no client(Google Authenticator, por exemplo).
    *
    */
    BYTE pbOtpKey[20] =
    {
        0xD5, 0x17, 0xED, 0x40, 0x1D, 0xF3, 0x03, 0x38, 0x37, 0xE0, 0x8B, 0x62, 0x55, 0xBE, 0xDB, 0xF9,
        0x52, 0x0E, 0xF8, 0x8E,
    };
 
    /*
        Preenche a estrutura do usuario administrador
    */
    strncpy(stAuthInfoAdm.szAddr, HSM_IP, sizeof(stAuthInfoAdm.szAddr));
    strncpy(stAuthInfoAdm.szUserId, HSM_USR_ADM, sizeof(stAuthInfoAdm.szUserId));
    strncpy(stAuthInfoAdm.szPassword, HSM_PWD, sizeof(stAuthInfoAdm.szPassword));
    stAuthInfoAdm.nPort = DEFAULT_PORT;
    stAuthInfoAdm.nStrongAuthLen = 0;
    stAuthInfoAdm.pbStrongAuth = NULL;
    stAuthInfoAdm.dwAuthType = SA_AUTH_NONE;
 
    DInitialize(0);
 
    /*
        Conecta com um usuário com permissões de administração
        para associar um token otp a um usuário comum.
    */
 
    nRet = DOpenSession(&hSessionAdm,
                        SS_USR_PWD_EX,
                        (BYTE *) &stAuthInfoAdm,
                        sizeof(struct AUTH_PWD_EX),
                        CACHE_BYPASS | LB_BYPASS | ENCRYPTED_CONN  );
 
    if(nRet)
    {
        printf("DOpenSession (adm) : Failed! %d.\n", nRet);
        goto clean;
    }
 
    /* Cria um usuário comum de teste */
 
    nRet = NewHsmUser(hSessionAdm, HSM_USR, HSM_PWD);
    if (nRet)
    {
        printf("NewHsmUser : Failed! %d.\n", nRet);
        goto clean;
    }
 
    /*  Associa o token ao usuário comum. */
 
    stTokenParam.type = OATH_SA_v1_type_SHA1;
    memcpy(stTokenParam.key, pbOtpKey, sizeof(pbOtpKey));
    stTokenParam.key_len = sizeof(pbOtpKey);
    stTokenParam.truncation_offset = OATH_SA_v1_HOTP_DYN_TRUNC_OFF;
 
    nRet = DAssignToken(hSessionAdm,
                        HSM_USR,
                        AT_OATH_TOKEN,
                        (BYTE *)&stTokenParam,
                        sizeof(stTokenParam));
    if( nRet )
    {
        printf("DAssignToken : Failed! %d.\n", nRet);
        goto clean;
    }
 
    /*
        Preenche a estrutura do usuário comum.
    */
    strncpy(stAuthInfoUser.szAddr, HSM_IP, sizeof(stAuthInfoUser.szAddr));
    strncpy(stAuthInfoUser.szUserId, HSM_USR, sizeof(stAuthInfoUser.szUserId));
    strncpy(stAuthInfoUser.szPassword, HSM_PWD, sizeof(stAuthInfoUser.szPassword));
    stAuthInfoUser.nPort = DEFAULT_PORT;
    stAuthInfoUser.pbStrongAuth = (BYTE *)cszOTP;
    stAuthInfoUser.nStrongAuthLen = (int)sizeof(cszOTP) - 1;
    stAuthInfoUser.dwAuthType = SA_AUTH_OTP;
 
    nRet = DOpenSession(&hSessionUser,
                        SS_USR_PWD_EX,
                        (BYTE *)&stAuthInfoUser,
                        sizeof(struct AUTH_PWD_EX),
                        CACHE_BYPASS | LB_BYPASS | ENCRYPTED_CONN);
 
    if (nRet)
    {
        printf("DOpenSession (user) : Failed! %d.\n", nRet);
        goto clean;
    }
 
    /*
        Re-sincroniza o token OTP do usuário comum.
        Usar quando o token HOTP(evento) não estiver sincronizado.
 
        Passa-se 2 OTPs consecutivos para que o HSM ajuste a janela de eventos
    */
    nRet = DOATHResync( hSessionAdm,
                        HSM_USR,
                        "758993",
                        "864532",
                        0);
    if (nRet)
    {
        printf("DOATHResync : Failed! %d.\n", nRet);
        goto clean;
    }
 
 
    /*
        Desassocia o token do usuário comum.
    */
    nRet = DUnassignToken(  hSessionAdm,
                            AT_OATH_TOKEN,
                            HSM_USR);
    if (nRet)
    {
        printf("DUnassignToken : Failed! %d.\n", nRet);
        goto clean;
    }
 
    clean:
 
    DCloseSession(&hSessionUser, 0);
 
    // Remove o usuário criado
    if (hSessionAdm != NULL)
    {
        DRemoveUser(hSessionAdm, HSM_USR);
    }
 
    DCloseSession(&hSessionAdm, 0);
 
    DFinalize();
 
    return nRet;
}