1 /*
2  * Copyright 2019, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef ANDROID_HARDWARE_IDENTITY_WRITABLEIDENTITYCREDENTIAL_H
18 #define ANDROID_HARDWARE_IDENTITY_WRITABLEIDENTITYCREDENTIAL_H
19 
20 #include <aidl/android/hardware/identity/BnWritableIdentityCredential.h>
21 #include <android/hardware/identity/support/IdentityCredentialSupport.h>
22 
23 #include <cppbor.h>
24 #include <set>
25 
26 #include "IdentityCredentialStore.h"
27 #include "SecureHardwareProxy.h"
28 
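namespace aidl::android::hardware::identity {

using ::android::sp;
using ::android::hardware::identity::SecureHardwareProvisioningProxy;
using ::std::set;
using ::std::string;
using ::std::vector;

// Binder-side implementation of IWritableIdentityCredential: provisions (or
// updates) one identity credential through a SecureHardwareProvisioningProxy.
//
// Expected call order:
//   1. construct the object;
//   2. call initialize() for a new credential, or initializeForUpdate() for an
//      updated one, and check the bool result — on false the object must not
//      be used further;
//   3. call the IWritableIdentityCredential methods (getAttestationCertificate,
//      setExpectedProofOfProvisioningSize, startPersonalization,
//      addAccessControlProfile, beginAddEntry/addEntryValue, ...,
//      finishAddingEntries).
//
// The private fields below are the bookkeeping the method implementations
// (in the .cpp) read to enforce that order; they are given defined initial
// values here so that a sequence which skips or fails initialize() observes
// a consistent "not started" state instead of indeterminate memory.
class WritableIdentityCredential : public BnWritableIdentityCredential {
  public:
    // For a new credential, call initialize() right after construction.
    //
    // For an updated credential, call initializeForUpdate() right after construction.
    //
    // hwProxy        - proxy to the secure hardware, stored in hwProxy_.
    // docType        - document type of the credential, stored in docType_.
    // testCredential - stored in testCredential_.
    WritableIdentityCredential(sp<SecureHardwareProvisioningProxy> hwProxy, const string& docType,
                               bool testCredential)
        : hwProxy_(hwProxy), docType_(docType), testCredential_(testCredential) {}

    ~WritableIdentityCredential();

    // Creates the Credential Key. Returns false on failure.
    //
    // [[nodiscard]]: ignoring a false result leaves the object unusable, so
    // the compiler warns when the caller drops it.
    [[nodiscard]] bool initialize();

    // Used when updating a credential. Returns false on failure.
    //
    // encryptedCredentialKeys - the encrypted keys of the credential being
    //                           updated (opaque to this header).
    [[nodiscard]] bool initializeForUpdate(const vector<uint8_t>& encryptedCredentialKeys);

    // Methods from IWritableIdentityCredential follow.

    // Produces the attestation certificate chain into *outCertificateChain.
    ndk::ScopedAStatus getAttestationCertificate(const vector<uint8_t>& attestationApplicationId,
                                                 const vector<uint8_t>& attestationChallenge,
                                                 vector<Certificate>* outCertificateChain) override;

    ndk::ScopedAStatus setExpectedProofOfProvisioningSize(
            int32_t expectedProofOfProvisioningSize) override;

    // Begins personalization with the given number of access control
    // profiles and per-namespace entry counts.
    ndk::ScopedAStatus startPersonalization(int32_t accessControlProfileCount,
                                            const vector<int32_t>& entryCounts) override;

    ndk::ScopedAStatus addAccessControlProfile(
            int32_t id, const Certificate& readerCertificate, bool userAuthenticationRequired,
            int64_t timeoutMillis, int64_t secureUserId,
            SecureAccessControlProfile* outSecureAccessControlProfile) override;

    // beginAddEntry() announces one entry (namespace, name, total size); the
    // entry's content then arrives through one or more addEntryValue() calls,
    // each returning its encrypted form in *outEncryptedContent.
    ndk::ScopedAStatus beginAddEntry(const vector<int32_t>& accessControlProfileIds,
                                     const string& nameSpace, const string& name,
                                     int32_t entrySize) override;
    ndk::ScopedAStatus addEntryValue(const vector<uint8_t>& content,
                                     vector<uint8_t>* outEncryptedContent) override;

    // Completes provisioning, producing the credential data and the
    // proof-of-provisioning signature.
    ndk::ScopedAStatus finishAddingEntries(
            vector<uint8_t>* outCredentialData,
            vector<uint8_t>* outProofOfProvisioningSignature) override;

  private:
    // Set by constructor.
    sp<SecureHardwareProvisioningProxy> hwProxy_;
    string docType_;
    bool testCredential_;

    // These are set in initialize(). Zero-initialized here so that reading
    // them before (or after a failed) initialize() is not undefined behaviour.
    bool startPersonalizationCalled_ = false;
    bool firstEntry_ = false;

    // This is set in getAttestationCertificate() and records that the method
    // has already been called once.
    bool getAttestationCertificateAlreadyCalled_ = false;

    // These fields are initialized during startPersonalization(). The
    // counters are zero-initialized for the same reason as above; the
    // containers default-construct empty.
    size_t numAccessControlProfileRemaining_ = 0;
    vector<int32_t> remainingEntryCounts_;
    cppbor::Array signedDataAccessControlProfiles_;
    cppbor::Map signedDataNamespaces_;
    cppbor::Array signedDataCurrentNamespace_;
    // NOTE(review): the public setExpectedProofOfProvisioningSize() looks like
    // the writer of this field — confirm against the .cpp.
    size_t expectedProofOfProvisioningSize_ = 0;

    // This field is initialized in addAccessControlProfile
    set<int32_t> accessControlProfileIds_;

    // These fields are initialized during beginAddEntry()
    size_t entryRemainingBytes_ = 0;
    string entryNameSpace_;
    string entryName_;
    vector<int32_t> entryAccessControlProfileIds_;
    vector<uint8_t> entryBytes_;
    set<string> allNameSpaces_;
};

}  // namespace aidl::android::hardware::identity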
115 
116 #endif  // ANDROID_HARDWARE_IDENTITY_WRITABLEIDENTITYCREDENTIAL_H
117