|
CDC Badge OS
Firmware for the CDC Badge v1.0 hardware security key
|
FIDO2 storage layer using secure-element ECC slots, R-Memory, and NVS counters. More...
#include "mod_fido2/fido2_storage.h"
#include "mod_fido2/fido2_common.h"
#include "cdc_hal/ISecureElement.h"
#include "cdc_log.h"
#include "esp_attr.h"
#include <mbedtls/sha256.h>
#include <nvs_flash.h>
#include <nvs.h>
#include <string.h>
Go to the source code of this file.
Classes | |
| struct | cdc::mod_fido2::fido2_stored_cred_t |
Namespaces | |
| namespace | cdc |
| namespace | cdc::mod_fido2 |
Macros | |
| #define | FIDO2_RMEM_MAGIC "FID2" |
| Persistent storage layout definitions. | |
| #define | FIDO2_RMEM_MAGIC_LEN 4 |
| #define | NVS_NAMESPACE "fido2" |
| #define | NVS_KEY_COUNTER "auth_cnt" |
| #define | FIDO2_STORED_SIZE sizeof(fido2_stored_cred_t) |
| #define | FIDO2_FLAG_RESIDENT 0x01 |
| Stored-credential flag bits. | |
Functions | |
| void | fido2_storage_set_slot_range (uint8_t ecc_start, uint8_t ecc_end, uint16_t rmem_start, uint16_t rmem_end) |
| Configures FIDO2 storage slot ranges. | |
| uint8_t | fido2_storage_ecc_start (void) |
| Returns configured ECC start slot. | |
| uint8_t | fido2_storage_ecc_end (void) |
| Returns configured ECC end slot. | |
| uint16_t | fido2_storage_rmem_start (void) |
| Returns configured RMEM start slot. | |
| uint16_t | fido2_storage_rmem_end (void) |
| Returns configured RMEM end slot. | |
| static bool | slot_range_valid (void) |
| Validates slot-range configuration. | |
| static uint16_t | ecc_count (void) |
| Returns number of configured logical ECC slots. | |
| static uint16_t | rmem_count (void) |
| Returns number of configured logical RMEM slots. | |
| static bool | slot_logical_valid (uint8_t slot) |
| Checks whether logical slot index is within range. | |
| static uint8_t | ecc_slot_for_logical (uint8_t slot) |
| Maps logical slot to physical ECC slot. | |
| static uint16_t | rmem_slot_for_logical (uint8_t slot) |
| Maps logical slot to physical RMEM slot. | |
| static bool | read_rmem_credential (uint8_t logical_slot, fido2_stored_cred_t *stored) |
| Reads a stored credential from R-Memory and validates its magic header. | |
| static void | update_cache_from_stored (uint8_t slot, const fido2_stored_cred_t *stored, bool is_resident) |
| Updates cache entry from stored credential payload. | |
| static void | erase_slot_data (uint8_t logical_slot) |
| Erases ECC key material and R-Memory data for a logical slot. | |
| static uint8_t * | encode_der_integer (uint8_t *p, const uint8_t *mpi) |
| Encodes a single ECDSA P-256 component (R or S) as a DER INTEGER. | |
| static uint8_t | raw_sig_to_der (const uint8_t raw_sig[FIDO2_SIG_SIZE], uint8_t *der_sig) |
| Converts raw 64-byte ECDSA signature (R||S) to DER sequence format. | |
| static bool | write_rmem_credential (uint8_t logical_slot, const fido2_stored_cred_t *stored) |
| Writes credential metadata to R-Memory after erasing the destination slot. | |
| void | fido2_storage_counter_load (void) |
| Loads global authentication counter from NVS. | |
| uint32_t | fido2_storage_counter_get (void) |
| Returns current global authentication counter. | |
| bool | fido2_storage_counter_increment (void) |
| Increments and persists global authentication counter. | |
| bool | fido2_storage_counter_flush (void) |
| No-op flush retained for API stability; the per-increment path already commits to NVS. | |
| uint8_t | fido2_storage_init (void) |
| Initializes FIDO2 storage cache from secure element and NVS. | |
| uint8_t | fido2_storage_count (void) |
| Returns number of cached credentials. | |
| bool | fido2_storage_slot_used (uint8_t slot) |
| Checks whether logical slot is occupied. | |
| int8_t | fido2_storage_find_free_slot (void) |
| Finds first unused logical slot. | |
| uint8_t | fido2_storage_find_by_rp (const uint8_t *rp_id_hash, uint8_t *out_slots, uint8_t max_slots) |
| Finds credentials matching RP hash. | |
| uint8_t | fido2_storage_find_by_rp_resident (const uint8_t *rp_id_hash, uint8_t *out_slots, uint8_t max_slots) |
| Finds resident credentials matching RP hash. | |
| bool | fido2_storage_is_resident (uint8_t slot) |
| Returns resident-key flag for slot. | |
| int8_t | fido2_storage_find_by_rp_user (const uint8_t *rp_id_hash, const uint8_t *user_id, uint8_t user_id_len) |
| Finds the credential matching both RP hash and user handle; used by credential creation to decide whether an existing entry is replaced. | |
| int8_t | fido2_storage_find_slot_by_cred_id (const uint8_t *cred_id, uint16_t cred_id_len) |
| Resolves and verifies logical slot from credential-id blob. | |
| bool | fido2_storage_get_user (uint8_t slot, uint8_t *user_id, uint8_t *user_id_len, char *user_name, size_t user_name_max) |
| Loads user handle and optional user name for a credential slot. | |
| bool | fido2_storage_verify_cred_id (uint8_t slot, const uint8_t *cred_id) |
| Verifies credential-id for logical slot. | |
| bool | fido2_storage_get_cred_id (uint8_t slot, uint8_t *out_cred_id) |
| Builds credential-id blob for logical slot. | |
| bool | fido2_storage_get_credential (uint8_t slot, fido2_credential_info_t *info) |
| Returns cached credential metadata for slot. | |
| uint8_t | fido2_storage_get_curve (uint8_t slot) |
| Returns stored curve identifier for slot. | |
| bool | fido2_storage_create_credential (const char *rp_id, const uint8_t *rp_id_hash, const uint8_t *user_id, uint8_t user_id_len, const char *user_name, bool resident_key, uint8_t cred_protect, uint8_t curve, uint8_t *out_slot, uint8_t *out_cred_id, uint8_t *out_pubkey) |
| Creates or replaces credential in secure-element storage. | |
| bool | fido2_storage_delete_credential (uint8_t slot) |
| Deletes credential and associated slot data. | |
| uint32_t | fido2_storage_increment_sign_count (uint8_t slot) |
| Increments per-credential sign counter and persists metadata. | |
| bool | fido2_storage_sign (uint8_t slot, const uint8_t *msg, uint16_t msg_len, uint8_t *signature, uint8_t *sig_len) |
| Signs message hash with ECDSA and returns DER signature. | |
| bool | fido2_storage_sign_raw (uint8_t slot, const uint8_t *msg, uint16_t msg_len, uint8_t *signature, uint8_t *sig_len) |
| Signs message and returns raw signature (EdDSA/ECDSA). | |
| bool | fido2_storage_sign_der (uint8_t slot, const uint8_t *msg, uint16_t msg_len, uint8_t *signature, uint8_t *sig_len) |
| Signs data and returns DER-encoded signature for U2F compatibility. | |
| bool | fido2_storage_get_pubkey (uint8_t slot, uint8_t *pubkey) |
| Reads public key from secure-element slot. | |
| void | sha256 (const uint8_t *data, size_t len, uint8_t out[32]) |
Variables | |
| static const char * | TAG = "FIDO2" |
| struct { | |
| bool initialized | |
| uint32_t auth_counter | |
| bool counter_loaded | |
| struct { | |
| bool valid | |
| uint8_t rp_id_hash [32] | |
| char rp_id [FIDO2_RP_ID_MAX_LEN] | |
| char user_name [FIDO2_USER_NAME_MAX_LEN] | |
| uint8_t user_id [FIDO2_USER_ID_MAX_LEN] | |
| uint8_t user_id_len | |
| uint32_t sign_count | |
| bool resident | |
| uint8_t cred_protect | |
| uint8_t curve | |
| } creds [FIDO2_MAX_CREDENTIALS] | |
| uint8_t cred_count | |
| } | g_storage = {} |
| Runtime storage/cache state. | |
| static uint8_t | s_ecc_start = 0 |
| static uint8_t | s_ecc_end = 0 |
| static uint16_t | s_rmem_start = 0 |
| static uint16_t | s_rmem_end = 0 |
| static constexpr uint8_t | DER_TAG_SEQUENCE = 0x30 |
| DER ASN.1 tags used for ECDSA signature encoding. | |
| static constexpr uint8_t | DER_TAG_INTEGER = 0x02 |
| static constexpr uint8_t | DER_INTEGER_MSB_MASK = 0x80 |
| MSB mask used to detect when DER INTEGER needs a 0x00 padding byte. | |
FIDO2 storage layer using secure-element ECC slots, R-Memory, and NVS counters.
Definition in file fido2_storage.cpp.
| #define FIDO2_FLAG_RESIDENT 0x01 |
Stored-credential flag bits.
Definition at line 55 of file fido2_storage.cpp.
Referenced by fido2_storage_create_credential(), and fido2_storage_init().
| #define FIDO2_RMEM_MAGIC "FID2" |
Persistent storage layout definitions.
Definition at line 22 of file fido2_storage.cpp.
Referenced by fido2_storage_create_credential(), and read_rmem_credential().
| #define FIDO2_RMEM_MAGIC_LEN 4 |
Definition at line 23 of file fido2_storage.cpp.
Referenced by fido2_storage_create_credential(), and read_rmem_credential().
| #define FIDO2_STORED_SIZE sizeof(fido2_stored_cred_t) |
Definition at line 52 of file fido2_storage.cpp.
Referenced by read_rmem_credential(), and write_rmem_credential().
| #define NVS_KEY_COUNTER "auth_cnt" |
Definition at line 25 of file fido2_storage.cpp.
Referenced by fido2_storage_counter_increment(), and fido2_storage_counter_load().
| #define NVS_NAMESPACE "fido2" |
Definition at line 24 of file fido2_storage.cpp.
Referenced by fido2_storage_counter_increment(), fido2_storage_counter_load(), load_state_from_nvs(), and save_state_to_nvs().
|
static |
Returns number of configured logical ECC slots.
Definition at line 137 of file fido2_storage.cpp.
References s_ecc_end, s_ecc_start, and slot_range_valid().
Referenced by fido2_storage_find_by_rp(), fido2_storage_find_by_rp_resident(), fido2_storage_find_by_rp_user(), fido2_storage_find_free_slot(), fido2_storage_init(), and slot_logical_valid().
|
static |
Maps logical slot to physical ECC slot.
| slot | Logical slot index. |
Definition at line 166 of file fido2_storage.cpp.
References s_ecc_start.
Referenced by erase_slot_data(), fido2_storage_create_credential(), fido2_storage_get_pubkey(), fido2_storage_sign(), fido2_storage_sign_der(), and fido2_storage_sign_raw().
|
static |
Encodes a single ECDSA P-256 component (R or S) as a DER INTEGER.
| p | Output cursor (advances past written bytes). |
| mpi | Big-endian magnitude buffer of length FIDO2_SIG_COMPONENT_SIZE. |
Strips leading zero bytes (keeping at least one) and prepends a 0x00 padding byte when the most significant bit of the first remaining byte is set, so the value is encoded as a non-negative INTEGER as DER requires.
Definition at line 267 of file fido2_storage.cpp.
References DER_INTEGER_MSB_MASK, DER_TAG_INTEGER, and FIDO2_SIG_COMPONENT_SIZE.
Referenced by raw_sig_to_der().
|
static |
Erases ECC key material and R-Memory data for a logical slot.
| logical_slot | Logical credential slot index. |
Definition at line 241 of file fido2_storage.cpp.
References ecc_slot_for_logical(), cdc::hal::getSecureElementInstance(), and rmem_slot_for_logical().
Referenced by fido2_storage_create_credential(), and fido2_storage_delete_credential().
| uint8_t fido2_storage_count | ( | void | ) |
Credential lookup operations using in-memory cache only.
Returns number of cached credentials.
Definition at line 469 of file fido2_storage.cpp.
References g_storage.
Referenced by fido2_get_available_slots(), and fido2_get_credential_count().
| bool fido2_storage_counter_flush | ( | void | ) |
No-op flush retained for API stability; the per-increment path already commits to NVS.
Definition at line 413 of file fido2_storage.cpp.
Referenced by cdc::mod_fido2::Fido2Module::stop().
| uint32_t fido2_storage_counter_get | ( | void | ) |
Returns current global authentication counter.
Definition at line 366 of file fido2_storage.cpp.
References fido2_storage_counter_load(), and g_storage.
Referenced by fido2_get_auth_counter().
| bool fido2_storage_counter_increment | ( | void | ) |
Increments and persists global authentication counter.
Definition at line 377 of file fido2_storage.cpp.
References fido2_storage_counter_load(), g_storage, LOG_E, NVS_KEY_COUNTER, NVS_NAMESPACE, and TAG.
Referenced by fido2_increment_auth_counter().
| void fido2_storage_counter_load | ( | void | ) |
NVS-backed global authentication counter operations.
Loads global authentication counter from NVS.
Definition at line 336 of file fido2_storage.cpp.
References g_storage, LOG_I, LOG_W, NVS_KEY_COUNTER, NVS_NAMESPACE, and TAG.
Referenced by fido2_storage_counter_get(), fido2_storage_counter_increment(), and fido2_storage_init().
| bool fido2_storage_create_credential | ( | const char * | rp_id, |
| const uint8_t * | rp_id_hash, | ||
| const uint8_t * | user_id, | ||
| uint8_t | user_id_len, | ||
| const char * | user_name, | ||
| bool | resident_key, | ||
| uint8_t | cred_protect, | ||
| uint8_t | curve, | ||
| uint8_t * | out_slot, | ||
| uint8_t * | out_cred_id, | ||
| uint8_t * | out_pubkey ) |
Creates or replaces credential in secure-element storage.
| rp_id | Relying-party id string. |
| rp_id_hash | RP ID hash (32 bytes). |
| user_id | User handle bytes. |
| user_id_len | User handle length. |
| user_name | User display name. |
| resident_key | Resident-key flag. |
| cred_protect | Credential protection policy. |
| curve | Requested key curve. |
| out_slot | Output logical slot. |
| out_cred_id | Output credential-id. |
| out_pubkey | Output public key bytes. |
Definition at line 759 of file fido2_storage.cpp.
References CDC_CURVE_ED25519, cred_protect, curve, ecc_slot_for_logical(), cdc::hal::ED25519, erase_slot_data(), FIDO2_CRED_ID_LEN, FIDO2_FLAG_RESIDENT, FIDO2_RMEM_MAGIC, FIDO2_RMEM_MAGIC_LEN, FIDO2_RP_ID_MAX_LEN, fido2_storage_find_by_rp_user(), fido2_storage_find_free_slot(), FIDO2_USER_ID_MAX_LEN, FIDO2_USER_NAME_MAX_LEN, g_storage, cdc::hal::getSecureElementInstance(), LOG_D, LOG_E, LOG_I, cdc::hal::OK, cdc::hal::P256, rp_id, rp_id_hash, TAG, update_cache_from_stored(), user_id, user_id_len, user_name, and write_rmem_credential().
Referenced by cdc::mod_fido2::create_credential_and_respond(), and u2f_register().
| bool fido2_storage_delete_credential | ( | uint8_t | slot | ) |
Deletes credential and associated slot data.
| slot | Logical slot index. |
Definition at line 892 of file fido2_storage.cpp.
References erase_slot_data(), g_storage, LOG_I, slot_logical_valid(), and TAG.
Referenced by ctap2_cred_management(), fido2_delete_credential(), fido2_factory_reset(), cdc::mod_fido2::mc_rollback_credential(), and u2f_register().
| uint8_t fido2_storage_ecc_end | ( | void | ) |
Returns configured ECC end slot.
Definition at line 111 of file fido2_storage.cpp.
References s_ecc_end.
Referenced by fido2_get_available_slots().
| uint8_t fido2_storage_ecc_start | ( | void | ) |
Returns configured ECC start slot.
Definition at line 105 of file fido2_storage.cpp.
References s_ecc_start.
Referenced by fido2_get_available_slots(), and cdc::mod_fido2::showDetail().
| uint8_t fido2_storage_find_by_rp | ( | const uint8_t * | rp_id_hash, |
| uint8_t * | out_slots, | ||
| uint8_t | max_slots ) |
Finds credentials matching RP hash.
| rp_id_hash | RP ID hash (32 bytes). |
| out_slots | Output slot array. |
| max_slots | Maximum writable slots. |
Definition at line 504 of file fido2_storage.cpp.
References ecc_count(), FIDO2_MAX_CREDENTIALS, g_storage, and rp_id_hash.
Referenced by cdc::mod_fido2::check_appid_exclude(), fido2_find_credentials_by_rp(), and ga_find_credentials().
| uint8_t fido2_storage_find_by_rp_resident | ( | const uint8_t * | rp_id_hash, |
| uint8_t * | out_slots, | ||
| uint8_t | max_slots ) |
Finds resident credentials matching RP hash.
| rp_id_hash | RP ID hash (32 bytes). |
| out_slots | Output slot array. |
| max_slots | Maximum writable slots. |
Definition at line 526 of file fido2_storage.cpp.
References ecc_count(), FIDO2_MAX_CREDENTIALS, g_storage, LOG_D, rp_id_hash, and TAG.
| int8_t fido2_storage_find_by_rp_user | ( | const uint8_t * | rp_id_hash, |
| const uint8_t * | user_id, | ||
| uint8_t | user_id_len ) |
Finds the credential matching both RP hash and user handle; used by credential creation to decide whether an existing entry is replaced.
| rp_id_hash | RP ID hash (32 bytes). |
| user_id | User handle bytes. |
| user_id_len | User handle length. |
Definition at line 564 of file fido2_storage.cpp.
References ecc_count(), FIDO2_MAX_CREDENTIALS, g_storage, LOG_D, rp_id_hash, TAG, user_id, and user_id_len.
Referenced by cdc::mod_fido2::ctap2_make_credential(), and fido2_storage_create_credential().
| int8_t fido2_storage_find_free_slot | ( | void | ) |
Finds first unused logical slot.
Definition at line 487 of file fido2_storage.cpp.
References ecc_count(), FIDO2_MAX_CREDENTIALS, and g_storage.
Referenced by fido2_storage_create_credential().
| int8_t fido2_storage_find_slot_by_cred_id | ( | const uint8_t * | cred_id, |
| uint16_t | cred_id_len ) |
Resolves and verifies logical slot from credential-id blob.
| cred_id | Credential ID bytes. |
| cred_id_len | Credential ID length. |
Definition at line 598 of file fido2_storage.cpp.
References FIDO2_CRED_ID_LEN, fido2_storage_get_cred_id(), g_storage, and slot_logical_valid().
Referenced by ctap2_cred_management(), ga_parse_allow_list(), and u2f_authenticate().
| bool fido2_storage_get_cred_id | ( | uint8_t | slot, |
| uint8_t * | out_cred_id ) |
Builds credential-id blob for logical slot.
| slot | Logical slot index. |
| out_cred_id | Output credential-id buffer. |
Definition at line 679 of file fido2_storage.cpp.
References FIDO2_CRED_ID_LEN, g_storage, LOG_E, read_rmem_credential(), slot_logical_valid(), and TAG.
Referenced by cred_mgmt_encode_credential(), ctap2_get_assertion(), ctap2_get_next_assertion(), fido2_storage_find_slot_by_cred_id(), and fido2_storage_verify_cred_id().
| bool fido2_storage_get_credential | ( | uint8_t | slot, |
| fido2_credential_info_t * | info ) |
Credential create/read/delete operations.
Returns cached credential metadata for slot.
| slot | Logical slot index. |
| info | Output credential info. |
Definition at line 706 of file fido2_storage.cpp.
References FIDO2_RP_ID_MAX_LEN, fido2_storage_get_user(), FIDO2_USER_NAME_MAX_LEN, g_storage, slot_logical_valid(), and user_id_len.
Referenced by cred_mgmt_count_unique_rps(), cred_mgmt_encode_credential(), cred_mgmt_encode_rp(), cred_mgmt_find_creds_for_rp(), ctap2_get_assertion(), ctap2_get_next_assertion(), fido2_get_credential_info(), ga_find_credentials(), and u2f_authenticate().
| uint8_t fido2_storage_get_curve | ( | uint8_t | slot | ) |
Returns stored curve identifier for slot.
| slot | Logical slot index. |
Definition at line 737 of file fido2_storage.cpp.
References g_storage, and slot_logical_valid().
| bool fido2_storage_get_pubkey | ( | uint8_t | slot, |
| uint8_t * | pubkey ) |
Reads public key from secure-element slot.
| slot | Logical slot index. |
| pubkey | Output public-key buffer. |
Definition at line 1062 of file fido2_storage.cpp.
References curve, ecc_slot_for_logical(), cdc::hal::getSecureElementInstance(), cdc::hal::OK, cdc::hal::P256, and slot_logical_valid().
Referenced by cred_mgmt_encode_credential(), cred_mgmt_slot_has_key(), and cdc::mod_fido2::showDetail().
| bool fido2_storage_get_user | ( | uint8_t | slot, |
| uint8_t * | user_id, | ||
| uint8_t * | user_id_len, | ||
| char * | user_name, | ||
| size_t | user_name_max ) |
Loads user handle and optional user name for a credential slot.
| slot | Logical slot index. |
| user_id | Output user-handle buffer. |
| user_id_len | Output user-handle length. |
| user_name | Output user-name buffer. |
| user_name_max | User-name buffer size. |
Definition at line 627 of file fido2_storage.cpp.
References FIDO2_USER_ID_MAX_LEN, FIDO2_USER_NAME_MAX_LEN, g_storage, read_rmem_credential(), slot_logical_valid(), user_id, user_id_len, and user_name.
Referenced by fido2_storage_get_credential().
| uint32_t fido2_storage_increment_sign_count | ( | uint8_t | slot | ) |
Increments per-credential sign counter and persists metadata.
| slot | Logical slot index. |
Definition at line 915 of file fido2_storage.cpp.
References g_storage, LOG_E, read_rmem_credential(), slot_logical_valid(), TAG, and write_rmem_credential().
Referenced by ctap2_get_assertion(), ctap2_get_next_assertion(), and u2f_authenticate().
| uint8_t fido2_storage_init | ( | void | ) |
Initialization and cache rebuild routines.
Initializes FIDO2 storage cache from secure element and NVS.
Definition at line 423 of file fido2_storage.cpp.
References ecc_count(), FIDO2_FLAG_RESIDENT, FIDO2_MAX_CREDENTIALS, fido2_storage_counter_load(), g_storage, cdc::hal::getSecureElementInstance(), LOG_D, LOG_E, LOG_I, read_rmem_credential(), rmem_count(), slot_range_valid(), TAG, and update_cache_from_stored().
Referenced by fido2_init().
| bool fido2_storage_is_resident | ( | uint8_t | slot | ) |
Returns resident-key flag for slot.
| slot | Logical slot index. |
Definition at line 552 of file fido2_storage.cpp.
References g_storage, and slot_logical_valid().
Referenced by cred_mgmt_count_unique_rps(), cred_mgmt_find_creds_for_rp(), and ctap2_cred_management().
| uint16_t fido2_storage_rmem_end | ( | void | ) |
Returns configured RMEM end slot.
Definition at line 123 of file fido2_storage.cpp.
References s_rmem_end.
| uint16_t fido2_storage_rmem_start | ( | void | ) |
Returns configured RMEM start slot.
Definition at line 117 of file fido2_storage.cpp.
References s_rmem_start.
| void fido2_storage_set_slot_range | ( | uint8_t | ecc_start, |
| uint8_t | ecc_end, | ||
| uint16_t | rmem_start, | ||
| uint16_t | rmem_end ) |
Configures FIDO2 storage slot ranges.
| ecc_start | First ECC slot. |
| ecc_end | Last ECC slot. |
| rmem_start | First RMEM slot. |
| rmem_end | Last RMEM slot. |
Definition at line 93 of file fido2_storage.cpp.
References s_ecc_end, s_ecc_start, s_rmem_end, and s_rmem_start.
Referenced by cdc::mod_fido2::Fido2Module::init().
| bool fido2_storage_sign | ( | uint8_t | slot, |
| const uint8_t * | msg, | ||
| uint16_t | msg_len, | ||
| uint8_t * | signature, | ||
| uint8_t * | sig_len ) |
Signing operations requiring secure-element access.
Signs message hash with ECDSA and returns DER signature.
| slot | Logical slot index. |
| msg | Message bytes. |
| msg_len | Message length. |
| signature | Output signature buffer. |
| sig_len | Output signature length. |
Definition at line 947 of file fido2_storage.cpp.
References ecc_slot_for_logical(), FIDO2_SIG_SIZE, g_storage, cdc::hal::getSecureElementInstance(), LOG_D, LOG_E, cdc::hal::OK, raw_sig_to_der(), slot_logical_valid(), and TAG.
| bool fido2_storage_sign_der | ( | uint8_t | slot, |
| const uint8_t * | msg, | ||
| uint16_t | msg_len, | ||
| uint8_t * | signature, | ||
| uint8_t * | sig_len ) |
Signs data and returns DER-encoded signature for U2F compatibility.
Signs message hash and returns DER-encoded ECDSA signature.
| slot | Logical slot index. |
| msg | Message bytes. |
| msg_len | Message length. |
| signature | Output DER buffer. |
| sig_len | Output DER length. |
Definition at line 1030 of file fido2_storage.cpp.
References ecc_slot_for_logical(), FIDO2_SIG_SIZE, g_storage, cdc::hal::getSecureElementInstance(), LOG_D, LOG_E, cdc::hal::OK, raw_sig_to_der(), slot_logical_valid(), and TAG.
| bool fido2_storage_sign_raw | ( | uint8_t | slot, |
| const uint8_t * | msg, | ||
| uint16_t | msg_len, | ||
| uint8_t * | signature, | ||
| uint8_t * | sig_len ) |
Signs message and returns raw signature (EdDSA/ECDSA).
| slot | Logical slot index. |
| msg | Message bytes. |
| msg_len | Message length. |
| signature | Output raw signature buffer. |
| sig_len | Output signature length. |
Definition at line 982 of file fido2_storage.cpp.
References CDC_CURVE_ED25519, curve, ecc_slot_for_logical(), FIDO2_SIG_SIZE, g_storage, cdc::hal::getSecureElementInstance(), LOG_D, LOG_E, cdc::hal::OK, slot_logical_valid(), and TAG.
Referenced by ctap2_get_next_assertion(), ga_sign_assertion(), and u2f_authenticate().
| bool fido2_storage_slot_used | ( | uint8_t | slot | ) |
Checks whether logical slot is occupied.
| slot | Logical slot index. |
Definition at line 478 of file fido2_storage.cpp.
References g_storage, and slot_logical_valid().
Referenced by fido2_factory_reset(), and fido2_get_credential_info().
| bool fido2_storage_verify_cred_id | ( | uint8_t | slot, |
| const uint8_t * | cred_id ) |
Verifies credential-id for logical slot.
| slot | Logical slot index. |
| cred_id | Credential ID bytes. |
Definition at line 664 of file fido2_storage.cpp.
References FIDO2_CRED_ID_LEN, and fido2_storage_get_cred_id().
|
static |
Converts raw 64-byte ECDSA signature (R||S) to DER sequence format.
Converts a raw 64-byte ECDSA signature into DER encoding.
| raw_sig | Input raw signature buffer (R || S). |
| der_sig | Output buffer that receives DER-encoded signature data. |
Definition at line 294 of file fido2_storage.cpp.
References DER_TAG_SEQUENCE, encode_der_integer(), FIDO2_SIG_COMPONENT_SIZE, and FIDO2_SIG_SIZE.
Referenced by fido2_storage_sign(), and fido2_storage_sign_der().
|
static |
Internal helper functions for slot and cache management.
Reads a stored credential from R-Memory and validates its magic header.
| logical_slot | Logical credential slot index. |
| stored | Output structure receiving the stored credential payload. |
Definition at line 189 of file fido2_storage.cpp.
References FIDO2_RMEM_MAGIC, FIDO2_RMEM_MAGIC_LEN, FIDO2_STORED_SIZE, cdc::hal::getSecureElementInstance(), cdc::hal::OK, and rmem_slot_for_logical().
Referenced by fido2_storage_get_cred_id(), fido2_storage_get_user(), fido2_storage_increment_sign_count(), and fido2_storage_init().
|
static |
Returns number of configured logical RMEM slots.
Definition at line 146 of file fido2_storage.cpp.
References s_rmem_end, s_rmem_start, and slot_range_valid().
Referenced by fido2_storage_init().
|
static |
Maps logical slot to physical RMEM slot.
| slot | Logical slot index. |
Definition at line 175 of file fido2_storage.cpp.
References s_rmem_start, and slot_range_valid().
Referenced by erase_slot_data(), read_rmem_credential(), and write_rmem_credential().
|
inline |
Definition at line 29 of file fido2_common.h.
|
static |
Checks whether logical slot index is within range.
| slot | Logical slot index. |
Definition at line 156 of file fido2_storage.cpp.
References ecc_count().
Referenced by fido2_storage_delete_credential(), fido2_storage_find_slot_by_cred_id(), fido2_storage_get_cred_id(), fido2_storage_get_credential(), fido2_storage_get_curve(), fido2_storage_get_pubkey(), fido2_storage_get_user(), fido2_storage_increment_sign_count(), fido2_storage_is_resident(), fido2_storage_sign(), fido2_storage_sign_der(), fido2_storage_sign_raw(), and fido2_storage_slot_used().
|
static |
Validates slot-range configuration.
Definition at line 129 of file fido2_storage.cpp.
References s_ecc_end, s_ecc_start, s_rmem_end, and s_rmem_start.
Referenced by ecc_count(), fido2_storage_init(), rmem_count(), and rmem_slot_for_logical().
|
static |
Updates cache entry from stored credential payload.
Updates in-memory cache entry from persisted credential structure.
| slot | Logical slot index. |
| stored | Stored credential payload. |
| is_resident | Resident-key flag. |
Definition at line 220 of file fido2_storage.cpp.
References FIDO2_RP_ID_MAX_LEN, FIDO2_USER_NAME_MAX_LEN, and g_storage.
Referenced by fido2_storage_create_credential(), and fido2_storage_init().
|
static |
Writes credential metadata to R-Memory after erasing the destination slot.
| logical_slot | Logical credential slot index. |
| stored | Credential payload to persist. |
Definition at line 314 of file fido2_storage.cpp.
References FIDO2_STORED_SIZE, cdc::hal::getSecureElementInstance(), LOG_E, cdc::hal::OK, rmem_slot_for_logical(), and TAG.
Referenced by fido2_storage_create_credential(), and fido2_storage_increment_sign_count().
| uint32_t auth_counter |
Definition at line 61 of file fido2_storage.cpp.
| bool counter_loaded |
Definition at line 62 of file fido2_storage.cpp.
| uint8_t cred_count |
Definition at line 78 of file fido2_storage.cpp.
| uint8_t cred_protect |
Definition at line 74 of file fido2_storage.cpp.
Referenced by ctap2_build_auth_data_for_cred(), and fido2_storage_create_credential().
| struct { ... } creds[FIDO2_MAX_CREDENTIALS] |
Referenced by ctap2_get_assertion(), and ga_find_credentials().
| uint8_t curve |
Definition at line 75 of file fido2_storage.cpp.
Referenced by cdc::mod_gpg::calculateFingerprintV4(), cdc::mod_gpg::calculateFingerprintV5(), cmd_generate_keypair(), cmd_get_data(), cdc::mod_gpg::cmd_gpg_generate(), cmd_internal_authenticate(), cmd_pso_cds(), cdc::mod_fido2::create_credential_and_respond(), ctap2_build_attested_cred(), cdc::mod_fido2::ctap2_make_credential(), cdc::hal::ISecureElement::eccGenerate(), cdc::hal::Tropic01Element::eccGenerate(), cdc::hal::ISecureElement::eccGetPublicKey(), cdc::hal::Tropic01Element::eccGetPublicKey(), cdc::hal::ISecureElement::eccImport(), cdc::hal::Tropic01Element::eccImport(), encode_pubkey_with_prefix(), fido2_storage_create_credential(), fido2_storage_get_pubkey(), fido2_storage_sign_raw(), generate_hardware_key(), get_algo_attr(), gpg_export_pubkey_pem(), gpg_generate_key(), host_ecc_generate(), key_fingerprint_generate(), se_ecc_key_generate(), se_ecc_key_read(), u2f_init_attestation(), cdc::core::verify_payload_signature(), verify_state_signature(), cdc::plugin_manager::w_host_ecc_generate(), cdc::plugin_manager::w_host_ecc_import(), and cdc::plugin_manager::w_host_ecc_pubkey().
|
staticconstexpr |
MSB mask used to detect when DER INTEGER needs a 0x00 padding byte.
Definition at line 256 of file fido2_storage.cpp.
Referenced by encode_der_integer().
|
staticconstexpr |
Definition at line 254 of file fido2_storage.cpp.
Referenced by encode_der_integer().
|
staticconstexpr |
DER ASN.1 tags used for ECDSA signature encoding.
Definition at line 253 of file fido2_storage.cpp.
Referenced by raw_sig_to_der().
| struct { ... } g_storage |
Runtime storage/cache state.
Referenced by fido2_storage_count(), fido2_storage_counter_get(), fido2_storage_counter_increment(), fido2_storage_counter_load(), fido2_storage_create_credential(), fido2_storage_delete_credential(), fido2_storage_find_by_rp(), fido2_storage_find_by_rp_resident(), fido2_storage_find_by_rp_user(), fido2_storage_find_free_slot(), fido2_storage_find_slot_by_cred_id(), fido2_storage_get_cred_id(), fido2_storage_get_credential(), fido2_storage_get_curve(), fido2_storage_get_user(), fido2_storage_increment_sign_count(), fido2_storage_init(), fido2_storage_is_resident(), fido2_storage_sign(), fido2_storage_sign_der(), fido2_storage_sign_raw(), fido2_storage_slot_used(), and update_cache_from_stored().
| bool initialized |
Definition at line 60 of file fido2_storage.cpp.
| bool resident |
Definition at line 73 of file fido2_storage.cpp.
| char rp_id[FIDO2_RP_ID_MAX_LEN] |
Definition at line 68 of file fido2_storage.cpp.
Referenced by client_pin_get_pin_uv_auth_token(), fido2_request_user_presence(), fido2_storage_create_credential(), cdc::mod_fido2::fido2_ui_user_presence_callback(), cdc::mod_fido2::is_browser_probe(), u2f_register(), and wait_for_user_presence().
| uint8_t rp_id_hash[32] |
Definition at line 67 of file fido2_storage.cpp.
Referenced by build_authenticator_data(), cred_mgmt_find_creds_for_rp(), ctap2_build_auth_data_for_cred(), ctap2_cred_management(), fido2_find_credentials_by_rp(), fido2_get_credential_info(), fido2_storage_create_credential(), fido2_storage_find_by_rp(), fido2_storage_find_by_rp_resident(), and fido2_storage_find_by_rp_user().
|
static |
Definition at line 82 of file fido2_storage.cpp.
Referenced by ecc_count(), fido2_storage_ecc_end(), fido2_storage_set_slot_range(), and slot_range_valid().
|
static |
Definition at line 81 of file fido2_storage.cpp.
Referenced by ecc_count(), ecc_slot_for_logical(), fido2_storage_ecc_start(), fido2_storage_set_slot_range(), and slot_range_valid().
|
static |
Definition at line 84 of file fido2_storage.cpp.
Referenced by fido2_storage_rmem_end(), fido2_storage_set_slot_range(), rmem_count(), and slot_range_valid().
|
static |
Definition at line 83 of file fido2_storage.cpp.
Referenced by fido2_storage_rmem_start(), fido2_storage_set_slot_range(), rmem_count(), rmem_slot_for_logical(), and slot_range_valid().
| uint32_t sign_count |
Definition at line 72 of file fido2_storage.cpp.
Referenced by build_authenticator_data(), ctap2_get_assertion(), and ctap2_get_next_assertion().
|
static |
Definition at line 18 of file fido2_storage.cpp.
| uint8_t user_id[FIDO2_USER_ID_MAX_LEN] |
Definition at line 70 of file fido2_storage.cpp.
Referenced by fido2_storage_create_credential(), fido2_storage_find_by_rp_user(), fido2_storage_get_user(), gpg_set_pending_user_id(), cdc::mod_gpg::gpgCrossSignDigest(), cdc::mod_gpg::onWizardCurve(), and u2f_register().
| uint8_t user_id_len |
Definition at line 71 of file fido2_storage.cpp.
Referenced by fido2_storage_create_credential(), fido2_storage_find_by_rp_user(), fido2_storage_get_credential(), and fido2_storage_get_user().
| char user_name[FIDO2_USER_NAME_MAX_LEN] |
Definition at line 69 of file fido2_storage.cpp.
Referenced by fido2_request_user_presence(), fido2_storage_create_credential(), fido2_storage_get_user(), cdc::mod_fido2::fido2_ui_user_presence_callback(), and wait_for_user_presence().
| bool valid |
Definition at line 66 of file fido2_storage.cpp.
Referenced by checkBuildProfileAndWipeNvs(), cdc::mod_2fa::OathCodeView::onKey(), and cdc::ui::ListView::onKey().