1 /*
2  * Copyright 2019, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef ANDROID_HARDWARE_IDENTITY_WRITABLEIDENTITYCREDENTIAL_H
18 #define ANDROID_HARDWARE_IDENTITY_WRITABLEIDENTITYCREDENTIAL_H
19 
#include <aidl/android/hardware/identity/BnWritableIdentityCredential.h>
#include <android/hardware/identity/support/IdentityCredentialSupport.h>

#include <cppbor.h>
#include <cstddef>
#include <cstdint>
#include <set>
#include <string>
#include <utility>
#include <vector>

#include "IdentityCredentialStore.h"
#include "SecureHardwareProxy.h"
28 
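namespace aidl::android::hardware::identity {

using ::android::sp;
using ::android::hardware::identity::SecureHardwareProvisioningProxy;
using ::std::set;
using ::std::string;
using ::std::vector;

// Provisioning-side binder object for one identity credential.
//
// An instance is a single-use state machine. The intended call sequence,
// going by the method set and the comments on the private state below, is:
//
//   construct
//     -> initialize()  or  initializeForUpdate()
//     -> getAttestationCertificate()             (at most once)
//     -> setExpectedProofOfProvisioningSize()    (optional)
//     -> startPersonalization()
//     -> addAccessControlProfile()  x accessControlProfileCount
//     -> { beginAddEntry() -> addEntryValue() x chunks }  per entry
//     -> finishAddingEntries()
//
// The checks that enforce this ordering live in the .cpp; the flags and
// counters in the private section are the state those checks rely on, so
// they are value-initialized here rather than left indeterminate. Every
// argument these methods receive arrives over binder and should be treated
// as untrusted by the implementation. Key material is expected to stay
// behind hwProxy_ (see SecureHardwareProxy.h) — confirm against the .cpp.
class WritableIdentityCredential : public BnWritableIdentityCredential {
 public:
  // Takes ownership of hwProxy and records docType / testCredential for the
  // lifetime of the object.
  //
  // For a new credential, call initialize() right after construction.
  //
  // For an updated credential, call initializeForUpdate() right after
  // construction.
  //
  // Until one of those has been called the object sits in its default
  // state (personalization not started, no attestation issued).
  WritableIdentityCredential(sp<SecureHardwareProvisioningProxy> hwProxy,
                             const string& docType, bool testCredential)
      : hwProxy_(std::move(hwProxy)),
        docType_(docType),
        testCredential_(testCredential) {}

  ~WritableIdentityCredential();

  // A partially provisioned credential must not be duplicated: the
  // remaining-count bookkeeping and the in-flight entry buffer only make
  // sense for exactly one binder object. The destructor is user-defined,
  // so the special members are spelled out (Rule of Five).
  WritableIdentityCredential(const WritableIdentityCredential&) = delete;
  WritableIdentityCredential& operator=(const WritableIdentityCredential&) =
      delete;
  WritableIdentityCredential(WritableIdentityCredential&&) = delete;
  WritableIdentityCredential& operator=(WritableIdentityCredential&&) = delete;

  // Creates the Credential Key. Returns false on failure.
  bool initialize();

  // Used when updating a credential: re-establishes state from the
  // encrypted credential keys of the credential being replaced.
  // Returns false on failure.
  bool initializeForUpdate(const vector<uint8_t>& encryptedCredentialKeys);

  // Methods from IWritableIdentityCredential follow.

  // Produces the attestation chain for the Credential Key.
  //   attestationApplicationId: caller-provided application identity to be
  //                             bound into the attestation.
  //   attestationChallenge:     caller-provided challenge (nonce) to be
  //                             bound into the attestation; a fresh value
  //                             per call is what makes the result
  //                             non-replayable.
  //   outCertificateChain:      receives the chain.
  // getAttestationCertificateAlreadyCalled_ records that this ran, so the
  // implementation can refuse a second attestation for the same key.
  ndk::ScopedAStatus getAttestationCertificate(
      const vector<uint8_t>& attestationApplicationId,
      const vector<uint8_t>& attestationChallenge,
      vector<Certificate>* outCertificateChain) override;

  // Records the caller's expected size of the ProofOfProvisioning CBOR.
  // The value is a sizing hint from the calling process; the .cpp should
  // not rely on it for anything beyond allocation/limits.
  ndk::ScopedAStatus setExpectedProofOfProvisioningSize(
      int32_t expectedProofOfProvisioningSize) override;

  // Begins personalization, declaring how many access control profiles
  // will follow and, per namespace, how many entries each will hold.
  // These counts seed numAccessControlProfileRemaining_ and
  // remainingEntryCounts_, which later calls decrement.
  ndk::ScopedAStatus startPersonalization(
      int32_t accessControlProfileCount,
      const vector<int32_t>& entryCounts) override;

  // Adds one access control profile.
  //   id:                         profile id; must be unique within the
  //                               credential (accessControlProfileIds_
  //                               tracks the ids seen so far).
  //   readerCertificate:          reader authentication requirement, if any.
  //   userAuthenticationRequired: whether user auth gates the profile.
  //   timeoutMillis:              user-auth timeout for the profile.
  //   secureUserId:               secure user id the auth is bound to.
  //   outSecureAccessControlProfile: receives the MAC'ed profile.
  ndk::ScopedAStatus addAccessControlProfile(
      int32_t id, const Certificate& readerCertificate,
      bool userAuthenticationRequired, int64_t timeoutMillis,
      int64_t secureUserId,
      SecureAccessControlProfile* outSecureAccessControlProfile) override;

  // Starts a new entry of entrySize bytes in nameSpace/name, gated by the
  // given access control profile ids. entrySize becomes
  // entryRemainingBytes_, the budget that subsequent addEntryValue() calls
  // draw down.
  ndk::ScopedAStatus beginAddEntry(
      const vector<int32_t>& accessControlProfileIds, const string& nameSpace,
      const string& name, int32_t entrySize) override;

  // Supplies (a chunk of) the current entry's value and returns its
  // encrypted form. Chunks beyond the declared entrySize are expected to be
  // rejected by the implementation (entryRemainingBytes_ is the check's
  // state) — confirm in the .cpp.
  ndk::ScopedAStatus addEntryValue(
      const vector<uint8_t>& content,
      vector<uint8_t>* outEncryptedContent) override;

  // Finalizes provisioning: emits the credential data blob and the
  // signature over the ProofOfProvisioning.
  ndk::ScopedAStatus finishAddingEntries(
      vector<uint8_t>* outCredentialData,
      vector<uint8_t>* outProofOfProvisioningSignature) override;

 private:
  // Set by constructor.
  sp<SecureHardwareProvisioningProxy> hwProxy_;
  string docType_;
  // Test-credential flag; what it changes (e.g. which attestation key is
  // used) is decided by the implementation, not here.
  bool testCredential_;

  // Set in initialize() / initializeForUpdate(). Value-initialized so that
  // an out-of-order call on a fresh object sees "not started" rather than
  // an indeterminate bool (reading one is undefined behaviour).
  bool startPersonalizationCalled_ = false;
  bool firstEntry_ = true;

  // This is set in getAttestationCertificate().
  bool getAttestationCertificateAlreadyCalled_ = false;

  // These fields are initialized during startPersonalization().
  // Counters default to zero so nothing can be "remaining" before
  // startPersonalization() has run.
  size_t numAccessControlProfileRemaining_ = 0;
  vector<int32_t> remainingEntryCounts_;
  cppbor::Array signedDataAccessControlProfiles_;
  cppbor::Map signedDataNamespaces_;
  cppbor::Array signedDataCurrentNamespace_;
  size_t expectedProofOfProvisioningSize_ = 0;

  // This field is initialized in addAccessControlProfile: the profile ids
  // seen so far (presumably used to reject duplicates — verify in .cpp).
  set<int32_t> accessControlProfileIds_;

  // These fields are initialized during beginAddEntry().
  // entryRemainingBytes_ is the number of bytes of the current entry not
  // yet supplied via addEntryValue().
  size_t entryRemainingBytes_ = 0;
  string entryNameSpace_;
  string entryName_;
  vector<int32_t> entryAccessControlProfileIds_;
  // NOTE(review): if this buffers plaintext entry content across chunks,
  // clearing it once the entry is finalized would limit how long secrets
  // sit in this process — check the .cpp.
  vector<uint8_t> entryBytes_;
  // Namespaces seen so far (presumably used to reject a namespace that
  // reappears after its entries were closed — verify in .cpp).
  set<string> allNameSpaces_;
};

}  // namespace aidl::android::hardware::identity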
120 
121 #endif  // ANDROID_HARDWARE_IDENTITY_WRITABLEIDENTITYCREDENTIAL_H
122