cdc-badge-os/api/OathStore_8h_source.html

#pragma once


#include "cdc_core/IModule.h"

#include "cdc_core/SlotManager.h"

#include <cstdint>

#include <cstddef>

#include <ctime>


namespace cdc::mod_2fa {


enum class OathAlgorithm : uint8_t {

    SHA1 = 0,

    SHA256 = 1,

    SHA512 = 2

};


enum class OathType : uint8_t {

    TOTP = 0,

    HOTP = 1,

    CR = 2

};


namespace OathFlag {

    constexpr uint8_t TOUCH_REQUIRED = 0x01;

    constexpr uint8_t USB_CR_SLOT = 0x02;

}


struct OathEntry {

    uint8_t type;

    char name[16 + 1];

    char issuer[32 + 1];

    uint8_t secret[64];

    uint8_t secretLen;

    uint8_t algorithm;

    uint8_t digits;

    uint32_t period;

    uint64_t counter;

    uint8_t flags;

};


class OathStore {

public:

    static constexpr uint8_t NAME_LEN = 16;

    static constexpr uint8_t ISSUER_LEN = 32;

    static constexpr uint8_t SECRET_LEN = 64;

    static constexpr uint8_t DEFAULT_DIGITS = 6;

    static constexpr uint32_t DEFAULT_PERIOD = 30;


    bool readAccount(uint16_t slot, OathEntry* out);

    bool addAccount(uint8_t type, const char* name, const char* issuer,

                    const char* secretBase32, uint8_t digits, uint32_t period,

                    uint8_t algorithm, uint64_t counter, uint8_t flags = 0);

    bool updateAccount(uint16_t slot, uint8_t type, const char* name, const char* issuer,

                       const char* secretBase32, uint8_t digits, uint32_t period,

                       uint8_t algorithm, uint64_t counter, uint8_t flags = 0);

    bool deleteAccount(uint16_t slot);


    int challengeResponse(const char* entryName, const uint8_t* challenge, size_t clen,

                          uint8_t* out, bool* touchRequiredOut = nullptr);


    int challengeResponseUsbSlot(const uint8_t* challenge, size_t clen, uint8_t* out,

                                 bool* touchRequiredOut = nullptr);


    bool findUsbCrSlot(uint16_t* slotOut) const;


    void clearUsbCrFlagExcept(uint16_t keepSlot);


    bool findByName(const char* name, uint16_t* slotOut) const;


    int8_t generateCode(uint16_t slot, char* codeOut, size_t codeOutLen);


    bool isTimeValid() const;

    uint8_t timeRemaining(uint32_t period) const;


    static OathStore& instance();


    void setSlotRange(const cdc::core::IModule::SlotRange& range);

    uint16_t capacity() const { return slots_.capacity(); }


    bool toPhysicalSlot(uint16_t logicalIndex, uint16_t* slotOut) const {

        return slots_.toPhysicalSlot(logicalIndex, slotOut);

    }


    bool toLogicalSlot(uint16_t slot, uint16_t* logicalIndexOut) const {

        return slots_.toLogicalSlot(slot, logicalIndexOut);

    }


    bool hasSlotRange() const { return slots_.hasSlotRange(); }

    uint8_t moduleId() const { return slots_.moduleId(); }

    uint16_t rmemStart() const { return slots_.rmemStart(); }

    uint16_t rmemEnd() const { return slots_.rmemEnd(); }


private:

    OathStore() = default;


    uint32_t generate(const uint8_t* secret, size_t secretLen, uint64_t counter,

                      uint8_t digits, OathAlgorithm algorithm) const;

    bool hmacCompute(OathAlgorithm algo, const uint8_t* key, size_t keyLen,

                     const uint8_t* data, size_t dataLen,

                     uint8_t* output, size_t* outputLen) const;

    bool persistCounter(uint16_t slot, const OathEntry& entry, uint64_t counter);


    cdc::core::SlotManager slots_;

};


} // namespace cdc::mod_2fa

IModule.h

SlotManager.h

name
char name[cdc::hal::ISecureElement::RMEM_NAME_LEN]
Definition TropicStorage.h:2

flags
uint8_t flags
Definition TropicStorage.h:1

cdc::core::SlotManager
Manages logical-to-physical RMEM slot mapping for module storage layers.
Definition SlotManager.h:19

cdc::mod_2fa::OathStore
Definition OathStore.h:55

cdc::mod_2fa::OathStore::challengeResponseUsbSlot
int challengeResponseUsbSlot(const uint8_t *challenge, size_t clen, uint8_t *out, bool *touchRequiredOut=nullptr)
Computes the raw HMAC challenge-response for the USB-CR slot entry.
Definition OathStore.cpp:721

cdc::mod_2fa::OathStore::toPhysicalSlot
bool toPhysicalSlot(uint16_t logicalIndex, uint16_t *slotOut) const
Definition OathStore.h:154

cdc::mod_2fa::OathStore::isTimeValid
bool isTimeValid() const
Returns whether system time is considered valid for TOTP.
Definition OathStore.cpp:573

cdc::mod_2fa::OathStore::clearUsbCrFlagExcept
void clearUsbCrFlagExcept(uint16_t keepSlot)
Clears the USB-CR-slot flag on every entry except keepSlot.
Definition OathStore.cpp:741

cdc::mod_2fa::OathStore::challengeResponse
int challengeResponse(const char *entryName, const uint8_t *challenge, size_t clen, uint8_t *out, bool *touchRequiredOut=nullptr)
Computes the raw HMAC challenge-response for a CR entry by name.
Definition OathStore.cpp:634

cdc::mod_2fa::OathStore::NAME_LEN
static constexpr uint8_t NAME_LEN
Definition OathStore.h:57

cdc::mod_2fa::OathStore::SECRET_LEN
static constexpr uint8_t SECRET_LEN
Definition OathStore.h:59

cdc::mod_2fa::OathStore::hasSlotRange
bool hasSlotRange() const
Definition OathStore.h:160

cdc::mod_2fa::OathStore::rmemEnd
uint16_t rmemEnd() const
Definition OathStore.h:163

cdc::mod_2fa::OathStore::toLogicalSlot
bool toLogicalSlot(uint16_t slot, uint16_t *logicalIndexOut) const
Definition OathStore.h:157

cdc::mod_2fa::OathStore::moduleId
uint8_t moduleId() const
Definition OathStore.h:161

cdc::mod_2fa::OathStore::findUsbCrSlot
bool findUsbCrSlot(uint16_t *slotOut) const
Finds the logical slot of the CR entry flagged as the USB-CR slot.
Definition OathStore.cpp:679

cdc::mod_2fa::OathStore::addAccount
bool addAccount(uint8_t type, const char *name, const char *issuer, const char *secretBase32, uint8_t digits, uint32_t period, uint8_t algorithm, uint64_t counter, uint8_t flags=0)
Adds a new OATH entry from a Base32 secret.
Definition OathStore.cpp:289

cdc::mod_2fa::OathStore::instance
static OathStore & instance()
Returns singleton OATH store instance.
Definition OathStore.cpp:149

cdc::mod_2fa::OathStore::DEFAULT_DIGITS
static constexpr uint8_t DEFAULT_DIGITS
Definition OathStore.h:60

cdc::mod_2fa::OathStore::generateCode
int8_t generateCode(uint16_t slot, char *codeOut, size_t codeOutLen)
Renders the current code for an entry into codeOut.
Definition OathStore.cpp:520

cdc::mod_2fa::OathStore::capacity
uint16_t capacity() const
Definition OathStore.h:153

cdc::mod_2fa::OathStore::updateAccount
bool updateAccount(uint16_t slot, uint8_t type, const char *name, const char *issuer, const char *secretBase32, uint8_t digits, uint32_t period, uint8_t algorithm, uint64_t counter, uint8_t flags=0)
Updates an existing OATH entry.
Definition OathStore.cpp:337

cdc::mod_2fa::OathStore::rmemStart
uint16_t rmemStart() const
Definition OathStore.h:162

cdc::mod_2fa::OathStore::DEFAULT_PERIOD
static constexpr uint32_t DEFAULT_PERIOD
Definition OathStore.h:61

cdc::mod_2fa::OathStore::timeRemaining
uint8_t timeRemaining(uint32_t period) const
Returns seconds remaining in current TOTP time step.
Definition OathStore.cpp:564

cdc::mod_2fa::OathStore::setSlotRange
void setSlotRange(const cdc::core::IModule::SlotRange &range)
Configures logical-to-physical slot mapping for OATH entries.
Definition OathStore.cpp:158

cdc::mod_2fa::OathStore::ISSUER_LEN
static constexpr uint8_t ISSUER_LEN
Definition OathStore.h:58

cdc::mod_2fa::OathStore::findByName
bool findByName(const char *name, uint16_t *slotOut) const
Finds a logical slot index by account name.
Definition OathStore.cpp:586

cdc::mod_2fa::OathStore::readAccount
bool readAccount(uint16_t slot, OathEntry *out)
Reads one OATH entry from secure-element storage.
Definition OathStore.cpp:168

cdc::mod_2fa::OathStore::deleteAccount
bool deleteAccount(uint16_t slot)
Deletes account in logical slot.
Definition OathStore.cpp:370

cdc::mod_2fa::OathFlag
Per-entry flag bits stored in OathEntry::flags.
Definition OathStore.h:32

cdc::mod_2fa::OathFlag::USB_CR_SLOT
constexpr uint8_t USB_CR_SLOT
Designate this CR entry as the USB OTP-HID slot-2 responder.
Definition OathStore.h:36

cdc::mod_2fa::OathFlag::TOUCH_REQUIRED
constexpr uint8_t TOUCH_REQUIRED
Require an on-device touch confirmation before answering a CR request.
Definition OathStore.h:34

cdc::mod_2fa
Definition ble_chalresp.h:5

cdc::mod_2fa::OathType
OathType
OATH entry type discriminator.
Definition OathStore.h:23

cdc::mod_2fa::OathType::CR
@ CR
Definition OathStore.h:26

cdc::mod_2fa::OathType::HOTP
@ HOTP
Definition OathStore.h:25

cdc::mod_2fa::OathType::TOTP
@ TOTP
Definition OathStore.h:24

cdc::mod_2fa::OathAlgorithm
OathAlgorithm
Hash algorithm used by an OATH entry's HMAC engine.
Definition OathStore.h:14

cdc::mod_2fa::OathAlgorithm::SHA1
@ SHA1
Definition OathStore.h:15

cdc::mod_2fa::OathAlgorithm::SHA256
@ SHA256
Definition OathStore.h:16

cdc::mod_2fa::OathAlgorithm::SHA512
@ SHA512
Definition OathStore.h:17

cdc::core::IModule::SlotRange
Definition IModule.h:63

cdc::mod_2fa::OathEntry
Unified OATH credential record (TOTP, HOTP, and reserved CR).
Definition OathStore.h:42

cdc::mod_2fa::OathEntry::digits
uint8_t digits
Output digit count (TOTP/HOTP).
Definition OathStore.h:49

cdc::mod_2fa::OathEntry::secret
uint8_t secret[64]
Raw HMAC key.
Definition OathStore.h:46

cdc::mod_2fa::OathEntry::algorithm
uint8_t algorithm
OathAlgorithm value.
Definition OathStore.h:48

cdc::mod_2fa::OathEntry::secretLen
uint8_t secretLen
Valid bytes in secret.
Definition OathStore.h:47

cdc::mod_2fa::OathEntry::counter
uint64_t counter
Moving factor (HOTP only).
Definition OathStore.h:51

cdc::mod_2fa::OathEntry::type
uint8_t type
OathType discriminator.
Definition OathStore.h:43

cdc::mod_2fa::OathEntry::period
uint32_t period
TOTP step in seconds (TOTP only).
Definition OathStore.h:50

cdc::mod_2fa::OathEntry::issuer
char issuer[32+1]
Optional issuer text.
Definition OathStore.h:45

cdc::mod_2fa::OathEntry::name
char name[16+1]
Account label.
Definition OathStore.h:44

cdc::mod_2fa::OathEntry::flags
uint8_t flags
Reserved entry flags.
Definition OathStore.h:52