1 /*
2  * Copyright (C) 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License
15  */
16 
17 package com.example.android.asymmetricfingerprintdialog.server;
18 
19 
20 import java.security.InvalidKeyException;
21 import java.security.NoSuchAlgorithmException;
22 import java.security.PublicKey;
23 import java.security.Signature;
24 import java.security.SignatureException;
25 import java.util.HashMap;
26 import java.util.HashSet;
27 import java.util.Map;
28 import java.util.Set;
29 
30 /**
31  * A fake backend implementation of {@link StoreBackend}.
32  */
33 public class StoreBackendImpl implements StoreBackend {
34 
35     private final Map<String, PublicKey> mPublicKeys = new HashMap<>();
36     private final Set<Transaction> mReceivedTransactions = new HashSet<>();
37 
38     @Override
verify(Transaction transaction, byte[] transactionSignature)39     public boolean verify(Transaction transaction, byte[] transactionSignature) {
40         try {
41             if (mReceivedTransactions.contains(transaction)) {
42                 // It verifies the equality of the transaction including the client nonce
43                 // So attackers can't do replay attacks.
44                 return false;
45             }
46             mReceivedTransactions.add(transaction);
47             PublicKey publicKey = mPublicKeys.get(transaction.getUserId());
48             Signature verificationFunction = Signature.getInstance("SHA256withECDSA");
49             verificationFunction.initVerify(publicKey);
50             verificationFunction.update(transaction.toByteArray());
51             if (verificationFunction.verify(transactionSignature)) {
52                 // Transaction is verified with the public key associated with the user
53                 // Do some post purchase processing in the server
54                 return true;
55             }
56         } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
57             // In a real world, better to send some error message to the user
58         }
59         return false;
60     }
61 
62     @Override
verify(Transaction transaction, String password)63     public boolean verify(Transaction transaction, String password) {
64         // As this is just a sample, we always assume that the password is right.
65         return true;
66     }
67 
68     @Override
enroll(String userId, String password, PublicKey publicKey)69     public boolean enroll(String userId, String password, PublicKey publicKey) {
70         if (publicKey != null) {
71             mPublicKeys.put(userId, publicKey);
72         }
73         // We just ignore the provided password here, but in real life, it is registered to the
74         // backend.
75         return true;
76     }
77 }
78