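/*
 * Copyright 2019, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H
#define ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H

#include <aidl/android/hardware/identity/BnIdentityCredential.h>
#include <aidl/android/hardware/keymaster/HardwareAuthToken.h>
#include <aidl/android/hardware/keymaster/VerificationToken.h>
#include <android/hardware/identity/support/IdentityCredentialSupport.h>

#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

#include <cppbor.h>

#include "IdentityCredentialStore.h"
#include "SecureHardwareProxy.h"

namespace aidl::android::hardware::identity {

using ::aidl::android::hardware::keymaster::HardwareAuthToken;
using ::aidl::android::hardware::keymaster::VerificationToken;
using ::android::sp;
using ::android::hardware::identity::SecureHardwarePresentationProxy;
using ::std::map;
using ::std::set;
using ::std::string;
using ::std::vector;

// Implementation of the IIdentityCredential AIDL interface.
//
// One instance wraps one credential: the opaque credentialData blob handed to
// the constructor (parsed and decrypted by initialize()) plus a presentation
// proxy into secure hardware. The object is not ready for use until
// initialize() has been called; the per-presentation state declared below is
// filled in by the setReaderEphemeralPublicKey() / setRequestedNamespaces() /
// startRetrieval() / startRetrieveEntryValue() call sequence.
//
// Every data member is value-initialized at declaration, so a member that is
// read before the method documented as setting it has run yields a defined
// (empty / zero / false) value rather than an indeterminate one. This matters
// most for testCredential_ and the size_t counters, which previously had no
// initializer at all.
class IdentityCredential : public BnIdentityCredential {
  public:
    // Takes (shared) ownership of the proxy factory and presentation proxy and
    // copies credentialData. Performs no parsing; initialize() must be called
    // next and its status checked before any other method is used.
    IdentityCredential(sp<SecureHardwareProxyFactory> hwProxyFactory,
                       sp<SecureHardwarePresentationProxy> hwProxy,
                       const vector<uint8_t>& credentialData)
        : hwProxyFactory_(std::move(hwProxyFactory)),
          hwProxy_(std::move(hwProxy)),
          credentialData_(credentialData) {}

    // Parses and decrypts credentialData_, return a status code from
    // IIdentityCredentialStore. Must be called right after construction.
    int initialize();

    // Methods from IIdentityCredential follow.
    ndk::ScopedAStatus deleteCredential(
            vector<uint8_t>* outProofOfDeletionSignature) override;
    ndk::ScopedAStatus deleteCredentialWithChallenge(
            const vector<uint8_t>& challenge,
            vector<uint8_t>* outProofOfDeletionSignature) override;
    ndk::ScopedAStatus proveOwnership(
            const vector<uint8_t>& challenge,
            vector<uint8_t>* outProofOfOwnershipSignature) override;
    ndk::ScopedAStatus createEphemeralKeyPair(
            vector<uint8_t>* outKeyPair) override;
    ndk::ScopedAStatus setReaderEphemeralPublicKey(
            const vector<uint8_t>& publicKey) override;
    ndk::ScopedAStatus createAuthChallenge(int64_t* outChallenge) override;
    ndk::ScopedAStatus setRequestedNamespaces(
            const vector<RequestNamespace>& requestNamespaces) override;
    ndk::ScopedAStatus setVerificationToken(
            const VerificationToken& verificationToken) override;
    ndk::ScopedAStatus startRetrieval(
            const vector<SecureAccessControlProfile>& accessControlProfiles,
            const HardwareAuthToken& authToken, const vector<uint8_t>& itemsRequest,
            const vector<uint8_t>& signingKeyBlob,
            const vector<uint8_t>& sessionTranscript,
            const vector<uint8_t>& readerSignature,
            const vector<int32_t>& requestCounts) override;
    ndk::ScopedAStatus startRetrieveEntryValue(
            const string& nameSpace, const string& name, int32_t entrySize,
            const vector<int32_t>& accessControlProfileIds) override;
    ndk::ScopedAStatus retrieveEntryValue(const vector<uint8_t>& encryptedContent,
                                          vector<uint8_t>* outContent) override;
    ndk::ScopedAStatus finishRetrieval(
            vector<uint8_t>* outMac, vector<uint8_t>* outDeviceNameSpaces) override;
    ndk::ScopedAStatus generateSigningKeyPair(
            vector<uint8_t>* outSigningKeyBlob,
            Certificate* outSigningKeyCertificate) override;

    ndk::ScopedAStatus updateCredential(
            shared_ptr<IWritableIdentityCredential>* outWritableCredential) override;

  private:
    // Shared implementation behind deleteCredential() and
    // deleteCredentialWithChallenge(). includeChallenge presumably selects
    // whether |challenge| is bound into the proof-of-deletion signature — the
    // two public entry points differ only in that argument; confirm against
    // the .cpp.
    ndk::ScopedAStatus deleteCredentialCommon(
            const vector<uint8_t>& challenge, bool includeChallenge,
            vector<uint8_t>* outProofOfDeletionSignature);

    // Set by constructor.
    sp<SecureHardwareProxyFactory> hwProxyFactory_;
    sp<SecureHardwarePresentationProxy> hwProxy_;
    vector<uint8_t> credentialData_;
    int numStartRetrievalCalls_{0};

    // Set by initialize().
    string docType_;
    // Defaults to false (the non-test path) until initialize() decides
    // otherwise; previously indeterminate before initialize() ran.
    bool testCredential_{false};
    vector<uint8_t> encryptedCredentialKeys_;

    // Set by createEphemeralKeyPair().
    vector<uint8_t> ephemeralPublicKey_;

    // Set by setReaderEphemeralPublicKey().
    vector<uint8_t> readerPublicKey_;

    // Set by setRequestedNamespaces().
    vector<RequestNamespace> requestNamespaces_;

    // Set by setVerificationToken().
    VerificationToken verificationToken_;

    // Set at startRetrieval() time.
    vector<uint8_t> signingKeyBlob_;
    vector<uint8_t> sessionTranscript_;
    vector<uint8_t> itemsRequest_;
    vector<int32_t> requestCountsRemaining_;
    map<string, set<string>> requestedNameSpacesAndNames_;
    cppbor::Map deviceNameSpacesMap_;
    cppbor::Map currentNameSpaceDeviceNameSpacesMap_;

    // Calculated at startRetrieval() time.
    size_t expectedDeviceNameSpacesSize_{0};
    vector<unsigned int> expectedNumEntriesPerNamespace_;

    // Set at startRetrieveEntryValue() time.
    string currentNameSpace_;
    string currentName_;
    vector<int32_t> currentAccessControlProfileIds_;
    // Zero until an entry is being retrieved; previously indeterminate.
    size_t entryRemainingBytes_{0};
    vector<uint8_t> entryValue_;

    // Presumably the computation behind the "calculated at startRetrieval()
    // time" members above, with accessControlProfileMask a bitmask of the
    // profile ids in force — verify against the .cpp.
    void calcDeviceNameSpacesSize(uint32_t accessControlProfileMask);
};

}  // namespace aidl::android::hardware::identity

#endif  // ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H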