1 /* 2 * Copyright 2019, The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H 18 #define ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H 19 20 #include <aidl/android/hardware/identity/BnIdentityCredential.h> 21 #include <aidl/android/hardware/keymaster/HardwareAuthToken.h> 22 #include <aidl/android/hardware/keymaster/VerificationToken.h> 23 #include <android/hardware/identity/support/IdentityCredentialSupport.h> 24 25 #include <map> 26 #include <set> 27 #include <string> 28 #include <vector> 29 30 #include <cppbor.h> 31 32 #include "IdentityCredentialStore.h" 33 #include "SecureHardwareProxy.h" 34 35 namespace aidl::android::hardware::identity { 36 37 using ::aidl::android::hardware::keymaster::HardwareAuthToken; 38 using ::aidl::android::hardware::keymaster::VerificationToken; 39 using ::android::sp; 40 using ::android::hardware::identity::SecureHardwarePresentationProxy; 41 using ::std::map; 42 using ::std::set; 43 using ::std::string; 44 using ::std::vector; 45 46 class IdentityCredential : public BnIdentityCredential { 47 public: IdentityCredential(sp<SecureHardwareProxyFactory> hwProxyFactory,sp<SecureHardwarePresentationProxy> hwProxy,const vector<uint8_t> & credentialData)48 IdentityCredential(sp<SecureHardwareProxyFactory> hwProxyFactory, 49 sp<SecureHardwarePresentationProxy> hwProxy, 50 const vector<uint8_t>& credentialData) 51 : hwProxyFactory_(hwProxyFactory), 52 hwProxy_(hwProxy), 53 credentialData_(credentialData), 54 numStartRetrievalCalls_(0), 55 expectedDeviceNameSpacesSize_(0) {} 56 57 // Parses and decrypts credentialData_, return a status code from 58 // IIdentityCredentialStore. Must be called right after construction. 59 int initialize(); 60 61 // Methods from IIdentityCredential follow. 62 ndk::ScopedAStatus deleteCredential(vector<uint8_t>* outProofOfDeletionSignature) override; 63 ndk::ScopedAStatus deleteCredentialWithChallenge( 64 const vector<uint8_t>& challenge, 65 vector<uint8_t>* outProofOfDeletionSignature) override; 66 ndk::ScopedAStatus proveOwnership(const vector<uint8_t>& challenge, 67 vector<uint8_t>* outProofOfOwnershipSignature) override; 68 ndk::ScopedAStatus createEphemeralKeyPair(vector<uint8_t>* outKeyPair) override; 69 ndk::ScopedAStatus setReaderEphemeralPublicKey(const vector<uint8_t>& publicKey) override; 70 ndk::ScopedAStatus createAuthChallenge(int64_t* outChallenge) override; 71 ndk::ScopedAStatus setRequestedNamespaces( 72 const vector<RequestNamespace>& requestNamespaces) override; 73 ndk::ScopedAStatus setVerificationToken(const VerificationToken& verificationToken) override; 74 ndk::ScopedAStatus startRetrieval( 75 const vector<SecureAccessControlProfile>& accessControlProfiles, 76 const HardwareAuthToken& authToken, const vector<uint8_t>& itemsRequest, 77 const vector<uint8_t>& signingKeyBlob, const vector<uint8_t>& sessionTranscript, 78 const vector<uint8_t>& readerSignature, const vector<int32_t>& requestCounts) override; 79 ndk::ScopedAStatus startRetrieveEntryValue( 80 const string& nameSpace, const string& name, int32_t entrySize, 81 const vector<int32_t>& accessControlProfileIds) override; 82 ndk::ScopedAStatus retrieveEntryValue(const vector<uint8_t>& encryptedContent, 83 vector<uint8_t>* outContent) override; 84 ndk::ScopedAStatus finishRetrieval(vector<uint8_t>* outMac, 85 vector<uint8_t>* outDeviceNameSpaces) override; 86 ndk::ScopedAStatus generateSigningKeyPair(vector<uint8_t>* outSigningKeyBlob, 87 Certificate* outSigningKeyCertificate) override; 88 89 ndk::ScopedAStatus updateCredential( 90 shared_ptr<IWritableIdentityCredential>* outWritableCredential) override; 91 92 private: 93 ndk::ScopedAStatus deleteCredentialCommon(const vector<uint8_t>& challenge, 94 bool includeChallenge, 95 vector<uint8_t>* outProofOfDeletionSignature); 96 97 // Set by constructor 98 sp<SecureHardwareProxyFactory> hwProxyFactory_; 99 sp<SecureHardwarePresentationProxy> hwProxy_; 100 vector<uint8_t> credentialData_; 101 int numStartRetrievalCalls_; 102 103 // Set by initialize() 104 string docType_; 105 bool testCredential_; 106 vector<uint8_t> encryptedCredentialKeys_; 107 108 // Set by createEphemeralKeyPair() 109 vector<uint8_t> ephemeralPublicKey_; 110 111 // Set by setReaderEphemeralPublicKey() 112 vector<uint8_t> readerPublicKey_; 113 114 // Set by setRequestedNamespaces() 115 vector<RequestNamespace> requestNamespaces_; 116 117 // Set by setVerificationToken(). 118 VerificationToken verificationToken_; 119 120 // Set at startRetrieval() time. 121 vector<uint8_t> signingKeyBlob_; 122 vector<uint8_t> sessionTranscript_; 123 vector<uint8_t> itemsRequest_; 124 vector<int32_t> requestCountsRemaining_; 125 map<string, set<string>> requestedNameSpacesAndNames_; 126 cppbor::Map deviceNameSpacesMap_; 127 cppbor::Map currentNameSpaceDeviceNameSpacesMap_; 128 129 // Calculated at startRetrieval() time. 130 size_t expectedDeviceNameSpacesSize_; 131 vector<unsigned int> expectedNumEntriesPerNamespace_; 132 133 // Set at startRetrieveEntryValue() time. 134 string currentNameSpace_; 135 string currentName_; 136 vector<int32_t> currentAccessControlProfileIds_; 137 size_t entryRemainingBytes_; 138 vector<uint8_t> entryValue_; 139 140 void calcDeviceNameSpacesSize(uint32_t accessControlProfileMask); 141 }; 142 143 } // namespace aidl::android::hardware::identity 144 145 #endif // ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H 146