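/*
 * Copyright 2021, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// NOTE(review): this listing reached the page collapsed onto a few physical
// lines (so each `//` comment swallowed the declarations after it) and with
// every angle-bracketed span stripped. The line structure and the template
// arguments below are restored: byte buffers as vector<uint8_t>, profile-id
// and entry-count lists as vector<int>, challenge as uint64_t to match
// setAuthToken(). Every method is marked `override`, so any mismatch with
// SecureHardwareProxy.h is a compile error rather than a silent change.
// Confirm against that header.

// NOTE(review): the guard macro says FAKESECUREHARDWAREPROXY while every class
// in this header is named Remote*. If another header in the same translation
// unit uses the same macro, whichever is included second is skipped without a
// diagnostic. Consider a guard that matches this file's own name.
#ifndef ANDROID_HARDWARE_IDENTITY_FAKESECUREHARDWAREPROXY_H
#define ANDROID_HARDWARE_IDENTITY_FAKESECUREHARDWAREPROXY_H

// Placeholder: the target of this system include was lost in extraction. It
// must name the libEmbeddedIC header that declares EicProvisioning and
// EicPresentation, the types of the ctx_ members below.
#include <PLACEHOLDER_libEmbeddedIC_header.h>

#include "SecureHardwareProxy.h"

namespace android::hardware::identity {

// Unqualified string / vector / optional / pair / sp are presumably brought
// into scope by SecureHardwareProxy.h; this header adds no using-declarations.

// This implementation uses libEmbeddedIC in-process.
//
// Provisioning-side proxy. Only declarations are visible here; the method
// bodies live in a source file outside this header. The libEmbeddedIC state
// (ctx_) is stored by value inside the proxy object, i.e. in the memory of
// whichever process creates the proxy.
//
// Methods report their outcome through a bool or an optional; presumably
// false / an empty optional means failure. Callers should check before using
// any result.
class RemoteSecureHardwareProvisioningProxy : public SecureHardwareProvisioningProxy {
  public:
    RemoteSecureHardwareProvisioningProxy();
    virtual ~RemoteSecureHardwareProvisioningProxy();

    bool initialize(bool testCredential) override;

    bool initializeForUpdate(bool testCredential, string docType,
                             vector<uint8_t> encryptedCredentialKeys) override;

    bool shutdown() override;

    // Returns public key certificate.
    optional<vector<uint8_t>> createCredentialKey(const vector<uint8_t>& challenge,
                                                  const vector<uint8_t>& applicationId) override;

    bool startPersonalization(int accessControlProfileCount, vector<int> entryCounts,
                              const string& docType,
                              size_t expectedProofOfProvisioningSize) override;

    // Returns MAC (28 bytes).
    //
    // NOTE(review): timeoutMillis is uint64_t here but plain int in
    // RemoteSecureHardwarePresentationProxy::validateAccessControlProfile().
    // A timeout above INT_MAX cannot be passed back unchanged at presentation
    // time. Confirm the implementation rejects or bounds such values.
    optional<vector<uint8_t>> addAccessControlProfile(int id,
                                                      const vector<uint8_t>& readerCertificate,
                                                      bool userAuthenticationRequired,
                                                      uint64_t timeoutMillis,
                                                      uint64_t secureUserId) override;

    // NOTE(review): entrySize is uint64_t here but int32_t in
    // RemoteSecureHardwarePresentationProxy::startRetrieveEntryValue().
    // Confirm that sizes are range-checked before narrowing.
    bool beginAddEntry(const vector<int>& accessControlProfileIds, const string& nameSpace,
                       const string& name, uint64_t entrySize) override;

    // Returns encryptedContent.
    optional<vector<uint8_t>> addEntryValue(const vector<int>& accessControlProfileIds,
                                            const string& nameSpace, const string& name,
                                            const vector<uint8_t>& content) override;

    // Returns signatureOfToBeSigned (EIC_ECDSA_P256_SIGNATURE_SIZE bytes).
    optional<vector<uint8_t>> finishAddingEntries() override;

    // Returns encryptedCredentialKeys (80 bytes).
    optional<vector<uint8_t>> finishGetCredentialData(const string& docType) override;

  protected:
    // libEmbeddedIC provisioning state, held by value in this object.
    EicProvisioning ctx_;
};

// This implementation uses libEmbeddedIC in-process.
//
// Presentation-side proxy. As with the provisioning proxy, only declarations
// are visible here and the libEmbeddedIC state (ctx_) is stored by value in
// the proxy object. Presumably false / an empty optional means failure;
// callers should check every result, in particular from setAuthToken(),
// pushReaderCert(), validateAccessControlProfile() and
// validateRequestMessage(), before releasing any entry value.
class RemoteSecureHardwarePresentationProxy : public SecureHardwarePresentationProxy {
  public:
    RemoteSecureHardwarePresentationProxy();
    virtual ~RemoteSecureHardwarePresentationProxy();

    bool initialize(bool testCredential, string docType,
                    vector<uint8_t> encryptedCredentialKeys) override;

    // Returns publicKeyCert (1st component) and signingKeyBlob (2nd component)
    optional<pair<vector<uint8_t>, vector<uint8_t>>> generateSigningKeyPair(string docType,
                                                                            time_t now) override;

    // Returns private key
    //
    // NOTE(review): the private key is handed to the caller as an ordinary
    // byte vector, so it is secret material in caller memory. Keep its
    // lifetime short and avoid copying or logging it.
    optional<vector<uint8_t>> createEphemeralKeyPair() override;

    optional<uint64_t> createAuthChallenge() override;

    bool startRetrieveEntries() override;

    bool setAuthToken(uint64_t challenge, uint64_t secureUserId, uint64_t authenticatorId,
                      int hardwareAuthenticatorType, uint64_t timeStamp,
                      const vector<uint8_t>& mac, uint64_t verificationTokenChallenge,
                      uint64_t verificationTokenTimestamp, int verificationTokenSecurityLevel,
                      const vector<uint8_t>& verificationTokenMac) override;

    bool pushReaderCert(const vector<uint8_t>& certX509) override;

    // NOTE(review): timeoutMillis is plain int here but uint64_t in
    // RemoteSecureHardwareProvisioningProxy::addAccessControlProfile().
    // See the note there.
    optional<bool> validateAccessControlProfile(int id, const vector<uint8_t>& readerCertificate,
                                                bool userAuthenticationRequired,
                                                int timeoutMillis, uint64_t secureUserId,
                                                const vector<uint8_t>& mac) override;

    bool validateRequestMessage(const vector<uint8_t>& sessionTranscript,
                                const vector<uint8_t>& requestMessage, int coseSignAlg,
                                const vector<uint8_t>& readerSignatureOfToBeSigned) override;

    bool calcMacKey(const vector<uint8_t>& sessionTranscript,
                    const vector<uint8_t>& readerEphemeralPublicKey,
                    const vector<uint8_t>& signingKeyBlob, const string& docType,
                    unsigned int numNamespacesWithValues,
                    size_t expectedProofOfProvisioningSize) override;

    // NOTE(review): entrySize is int32_t here but uint64_t in
    // RemoteSecureHardwareProvisioningProxy::beginAddEntry(). Confirm that
    // negative or oversized values are rejected.
    AccessCheckResult startRetrieveEntryValue(const string& nameSpace, const string& name,
                                              unsigned int newNamespaceNumEntries,
                                              int32_t entrySize,
                                              const vector<int>& accessControlProfileIds) override;

    optional<vector<uint8_t>> retrieveEntryValue(
            const vector<uint8_t>& encryptedContent, const string& nameSpace, const string& name,
            const vector<int>& accessControlProfileIds) override;

    optional<vector<uint8_t>> finishRetrieval() override;

    optional<vector<uint8_t>> deleteCredential(const string& docType,
                                               const vector<uint8_t>& challenge,
                                               bool includeChallenge,
                                               size_t proofOfDeletionCborSize) override;

    optional<vector<uint8_t>> proveOwnership(const string& docType, bool testCredential,
                                             const vector<uint8_t>& challenge,
                                             size_t proofOfOwnershipCborSize) override;

    bool shutdown() override;

  protected:
    // libEmbeddedIC presentation state, held by value in this object.
    EicPresentation ctx_;
};

// Factory implementation.
//
// Each call allocates a fresh proxy with `new` and returns it as an sp to the
// corresponding base interface.
class RemoteSecureHardwareProxyFactory : public SecureHardwareProxyFactory {
  public:
    RemoteSecureHardwareProxyFactory() {}
    virtual ~RemoteSecureHardwareProxyFactory() {}

    sp<SecureHardwareProvisioningProxy> createProvisioningProxy() override {
        return new RemoteSecureHardwareProvisioningProxy();
    }

    sp<SecureHardwarePresentationProxy> createPresentationProxy() override {
        return new RemoteSecureHardwarePresentationProxy();
    }
};

}  // namespace android::hardware::identity

#endif  // ANDROID_HARDWARE_IDENTITY_FAKESECUREHARDWAREPROXY_H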