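/*
 * Copyright 2019, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H
#define ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H

#include <aidl/android/hardware/identity/BnIdentityCredential.h>
#include <aidl/android/hardware/keymaster/HardwareAuthToken.h>
#include <aidl/android/hardware/keymaster/VerificationToken.h>
#include <android/hardware/identity/support/IdentityCredentialSupport.h>

#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

#include <cppbor.h>

#include "IdentityCredentialStore.h"
#include "PresentationSession.h"
#include "SecureHardwareProxy.h"

namespace aidl::android::hardware::identity {

using ::aidl::android::hardware::keymaster::HardwareAuthToken;
using ::aidl::android::hardware::keymaster::VerificationToken;
using ::android::sp;
using ::android::hardware::identity::SecureHardwarePresentationProxy;
using ::std::map;
using ::std::set;
using ::std::string;
using ::std::vector;

// Server-side implementation of the IIdentityCredential AIDL interface for one
// credential, whose (still encrypted) credential data is handed in at
// construction. The object is driven as a state machine by the HAL client: the
// member comments below record which call sets which piece of state. All
// members that are only assigned later in that sequence carry a default
// initializer so that reading them before the corresponding call (or after a
// failed call) is well-defined rather than a read of an indeterminate value.
class IdentityCredential : public BnIdentityCredential {
  public:
    // hwProxyFactory: factory for secure-hardware proxies (presumably consumed by
    //     ensureHwProxy() to create hwProxy_ — confirm against the .cpp).
    // credentialData: encrypted credential blob; copied, then parsed and
    //     decrypted by initialize().
    // session: presentation session this credential belongs to. The header does
    //     not say whether a null session is permitted; check the .cpp.
    // hardwareInformation: capabilities of the backing secure hardware.
    //
    // Ref-counted / movable arguments are moved into the members rather than
    // copied, which avoids a refcount increment/decrement on sp<>.
    IdentityCredential(sp<SecureHardwareProxyFactory> hwProxyFactory,
                       const vector<uint8_t>& credentialData,
                       std::shared_ptr<PresentationSession> session,
                       HardwareInformation hardwareInformation)
        : hwProxyFactory_(std::move(hwProxyFactory)),
          credentialData_(credentialData),
          session_(std::move(session)),
          hardwareInformation_(std::move(hardwareInformation)) {}

    // Parses and decrypts credentialData_, returning a status code from
    // IIdentityCredentialStore. Must be called right after construction.
    // Ignoring the result leaves the object in an unusable state, hence
    // [[nodiscard]].
    [[nodiscard]] int initialize();

    // Methods from IIdentityCredential follow.
    ndk::ScopedAStatus deleteCredential(vector<uint8_t>* outProofOfDeletionSignature) override;
    ndk::ScopedAStatus deleteCredentialWithChallenge(
            const vector<uint8_t>& challenge,
            vector<uint8_t>* outProofOfDeletionSignature) override;
    ndk::ScopedAStatus proveOwnership(const vector<uint8_t>& challenge,
                                      vector<uint8_t>* outProofOfOwnershipSignature) override;
    ndk::ScopedAStatus createEphemeralKeyPair(vector<uint8_t>* outKeyPair) override;
    ndk::ScopedAStatus setReaderEphemeralPublicKey(const vector<uint8_t>& publicKey) override;
    ndk::ScopedAStatus createAuthChallenge(int64_t* outChallenge) override;
    ndk::ScopedAStatus setRequestedNamespaces(
            const vector<RequestNamespace>& requestNamespaces) override;
    ndk::ScopedAStatus setVerificationToken(const VerificationToken& verificationToken) override;
    ndk::ScopedAStatus startRetrieval(
            const vector<SecureAccessControlProfile>& accessControlProfiles,
            const HardwareAuthToken& authToken, const vector<uint8_t>& itemsRequest,
            const vector<uint8_t>& signingKeyBlob, const vector<uint8_t>& sessionTranscript,
            const vector<uint8_t>& readerSignature, const vector<int32_t>& requestCounts) override;
    ndk::ScopedAStatus startRetrieveEntryValue(
            const string& nameSpace, const string& name, int32_t entrySize,
            const vector<int32_t>& accessControlProfileIds) override;
    ndk::ScopedAStatus retrieveEntryValue(const vector<uint8_t>& encryptedContent,
                                          vector<uint8_t>* outContent) override;
    ndk::ScopedAStatus finishRetrieval(vector<uint8_t>* outMac,
                                       vector<uint8_t>* outDeviceNameSpaces) override;
    ndk::ScopedAStatus generateSigningKeyPair(vector<uint8_t>* outSigningKeyBlob,
                                              Certificate* outSigningKeyCertificate) override;

    ndk::ScopedAStatus updateCredential(
            std::shared_ptr<IWritableIdentityCredential>* outWritableCredential) override;

  private:
    // Shared body of deleteCredential() and deleteCredentialWithChallenge();
    // includeChallenge selects whether `challenge` is bound into the proof.
    ndk::ScopedAStatus deleteCredentialCommon(const vector<uint8_t>& challenge,
                                              bool includeChallenge,
                                              vector<uint8_t>* outProofOfDeletionSignature);

    // Creates and initializes hwProxy_.
    ndk::ScopedAStatus ensureHwProxy();

    // Set by constructor
    sp<SecureHardwareProxyFactory> hwProxyFactory_;
    vector<uint8_t> credentialData_;
    std::shared_ptr<PresentationSession> session_;
    int numStartRetrievalCalls_ = 0;
    HardwareInformation hardwareInformation_;

    // Set by initialize(). testCredential_ defaults to false so that a read
    // before initialize() succeeded can never spuriously report a test
    // credential; what the flag gates is decided in the .cpp.
    string docType_;
    bool testCredential_ = false;
    vector<uint8_t> encryptedCredentialKeys_;

    // Set by ensureHwProxy()
    sp<SecureHardwarePresentationProxy> hwProxy_;

    // Set by createEphemeralKeyPair()
    vector<uint8_t> ephemeralPublicKey_;

    // Set by setReaderEphemeralPublicKey()
    vector<uint8_t> readerPublicKey_;

    // Set by setRequestedNamespaces()
    vector<RequestNamespace> requestNamespaces_;

    // Set by setVerificationToken().
    VerificationToken verificationToken_;

    // Set at startRetrieval() time.
    vector<uint8_t> signingKeyBlob_;
    vector<uint8_t> sessionTranscript_;
    vector<uint8_t> itemsRequest_;
    vector<int32_t> requestCountsRemaining_;
    map<string, set<string>> requestedNameSpacesAndNames_;
    cppbor::Map deviceNameSpacesMap_;
    cppbor::Map currentNameSpaceDeviceNameSpacesMap_;

    // Calculated at startRetrieval() time.
    size_t expectedDeviceNameSpacesSize_ = 0;
    vector<unsigned int> expectedNumEntriesPerNamespace_;

    // Set at startRetrieveEntryValue() time. entryRemainingBytes_ starts at 0
    // so a retrieveEntryValue() call that precedes startRetrieveEntryValue()
    // sees "nothing left" instead of an indeterminate count.
    string currentNameSpace_;
    string currentName_;
    vector<int32_t> currentAccessControlProfileIds_;
    size_t entryRemainingBytes_ = 0;
    vector<uint8_t> entryValue_;

    // Presumably fills expectedDeviceNameSpacesSize_ and
    // expectedNumEntriesPerNamespace_ for the profiles selected by
    // accessControlProfileMask — confirm against the .cpp.
    void calcDeviceNameSpacesSize(uint32_t accessControlProfileMask);
};

}  // namespace aidl::android::hardware::identity

#endif  // ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H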