1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.ext.services.displayhash;
18 
19 import android.graphics.Rect;
20 import android.os.Build;
21 import android.os.Parcel;
22 import android.util.Log;
23 
24 import androidx.annotation.RequiresApi;
25 
26 import java.security.InvalidKeyException;
27 import java.security.NoSuchAlgorithmException;
28 import java.util.Arrays;
29 
30 import javax.crypto.Mac;
31 import javax.crypto.spec.SecretKeySpec;
32 
33 @RequiresApi(Build.VERSION_CODES.S)
34 class HmacKeyManager {
35     private static final String TAG = DisplayHashingServiceImpl.TAG;
36     private static final String ALGORITHM = "HmacSHA256";
37 
HmacKeyManager()38     HmacKeyManager() { }
39 
generateHmac(byte[] salt, long timestamp, Rect bounds, int hashAlgorithm, byte[] imageHash)40     byte[] generateHmac(byte[] salt, long timestamp, Rect bounds, int hashAlgorithm,
41             byte[] imageHash) {
42         try {
43             Mac mac = Mac.getInstance(ALGORITHM);
44             SecretKeySpec keySpec = new SecretKeySpec(salt, ALGORITHM);
45             mac.init(keySpec);
46 
47             final VerificationObject object = new VerificationObject(timestamp, bounds,
48                     hashAlgorithm, imageHash);
49             mac.update(object.convertToBytes());
50 
51             return mac.doFinal();
52         } catch (NoSuchAlgorithmException | InvalidKeyException e) {
53             Log.e(TAG, "Failed to generate HMAC", e);
54             return null;
55         }
56     }
57 
verifyHmac(byte[] salt, long timestamp, Rect bounds, int hashAlgorithm, byte[] imageHash, byte[] hmac)58     boolean verifyHmac(byte[] salt, long timestamp, Rect bounds,
59             int hashAlgorithm, byte[] imageHash, byte[] hmac) {
60         if (hmac == null || hmac.length != 32) {
61             return false;
62         }
63 
64         byte[] calculatedHmac = generateHmac(salt, timestamp, bounds, hashAlgorithm,
65                 imageHash);
66         return Arrays.equals(hmac, calculatedHmac);
67     }
68 
69     private static class VerificationObject {
70         private final long mTimestamp;
71         private final Rect mBounds;
72         private final int mHashAlgorithm;
73         private final byte[] mImageHash;
74 
VerificationObject(long timestamp, Rect bounds, int hashAlgorithm, byte[] imageHash)75         VerificationObject(long timestamp, Rect bounds, int hashAlgorithm, byte[] imageHash) {
76             mTimestamp = timestamp;
77             mBounds = bounds;
78             mHashAlgorithm = hashAlgorithm;
79             mImageHash = imageHash;
80         }
81 
convertToBytes()82         byte[] convertToBytes() {
83             Parcel parcel = Parcel.obtain();
84             parcel.writeLong(mTimestamp);
85             parcel.writeParcelable(mBounds, 0);
86             parcel.writeInt(mHashAlgorithm);
87             parcel.writeByteArray(mImageHash);
88             byte[] bytes = parcel.marshall();
89             parcel.recycle();
90             return bytes;
91         }
92     }
93 }
94