1 /*
2  * Copyright 2019, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H
18 #define ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H
19 
20 #include <aidl/android/hardware/identity/BnIdentityCredential.h>
21 #include <aidl/android/hardware/keymaster/HardwareAuthToken.h>
22 #include <aidl/android/hardware/keymaster/VerificationToken.h>
23 #include <android/hardware/identity/support/IdentityCredentialSupport.h>
24 
25 #include <map>
26 #include <set>
27 #include <string>
28 #include <vector>
29 
30 #include <cppbor.h>
31 
32 #include "IdentityCredentialStore.h"
33 #include "PresentationSession.h"
34 #include "SecureHardwareProxy.h"
35 
36 namespace aidl::android::hardware::identity {
37 
38 using ::aidl::android::hardware::keymaster::HardwareAuthToken;
39 using ::aidl::android::hardware::keymaster::VerificationToken;
40 using ::android::sp;
41 using ::android::hardware::identity::SecureHardwarePresentationProxy;
42 using ::std::map;
43 using ::std::set;
44 using ::std::string;
45 using ::std::vector;
46 
47 class IdentityCredential : public BnIdentityCredential {
48   public:
IdentityCredential(sp<SecureHardwareProxyFactory> hwProxyFactory,const vector<uint8_t> & credentialData,std::shared_ptr<PresentationSession> session,HardwareInformation hardwareInformation)49     IdentityCredential(sp<SecureHardwareProxyFactory> hwProxyFactory,
50                        const vector<uint8_t>& credentialData,
51                        std::shared_ptr<PresentationSession> session,
52                        HardwareInformation hardwareInformation)
53         : hwProxyFactory_(hwProxyFactory),
54           credentialData_(credentialData),
55           session_(std::move(session)),
56           numStartRetrievalCalls_(0),
57           hardwareInformation_(std::move(hardwareInformation)),
58           expectedDeviceNameSpacesSize_(0) {}
59 
60     // Parses and decrypts credentialData_, return a status code from
61     // IIdentityCredentialStore. Must be called right after construction.
62     int initialize();
63 
64     // Methods from IIdentityCredential follow.
65     ndk::ScopedAStatus deleteCredential(vector<uint8_t>* outProofOfDeletionSignature) override;
66     ndk::ScopedAStatus deleteCredentialWithChallenge(
67             const vector<uint8_t>& challenge,
68             vector<uint8_t>* outProofOfDeletionSignature) override;
69     ndk::ScopedAStatus proveOwnership(const vector<uint8_t>& challenge,
70                                       vector<uint8_t>* outProofOfOwnershipSignature) override;
71     ndk::ScopedAStatus createEphemeralKeyPair(vector<uint8_t>* outKeyPair) override;
72     ndk::ScopedAStatus setReaderEphemeralPublicKey(const vector<uint8_t>& publicKey) override;
73     ndk::ScopedAStatus createAuthChallenge(int64_t* outChallenge) override;
74     ndk::ScopedAStatus setRequestedNamespaces(
75             const vector<RequestNamespace>& requestNamespaces) override;
76     ndk::ScopedAStatus setVerificationToken(const VerificationToken& verificationToken) override;
77     ndk::ScopedAStatus startRetrieval(
78             const vector<SecureAccessControlProfile>& accessControlProfiles,
79             const HardwareAuthToken& authToken, const vector<uint8_t>& itemsRequest,
80             const vector<uint8_t>& signingKeyBlob, const vector<uint8_t>& sessionTranscript,
81             const vector<uint8_t>& readerSignature, const vector<int32_t>& requestCounts) override;
82     ndk::ScopedAStatus startRetrieveEntryValue(
83             const string& nameSpace, const string& name, int32_t entrySize,
84             const vector<int32_t>& accessControlProfileIds) override;
85     ndk::ScopedAStatus retrieveEntryValue(const vector<uint8_t>& encryptedContent,
86                                           vector<uint8_t>* outContent) override;
87     ndk::ScopedAStatus finishRetrieval(vector<uint8_t>* outMac,
88                                        vector<uint8_t>* outDeviceNameSpaces) override;
89     ndk::ScopedAStatus generateSigningKeyPair(vector<uint8_t>* outSigningKeyBlob,
90                                               Certificate* outSigningKeyCertificate) override;
91 
92     ndk::ScopedAStatus updateCredential(
93             shared_ptr<IWritableIdentityCredential>* outWritableCredential) override;
94 
95     ndk::ScopedAStatus finishRetrievalWithSignature(vector<uint8_t>* outMac,
96                                                     vector<uint8_t>* outDeviceNameSpaces,
97                                                     vector<uint8_t>* outEcdsaSignature) override;
98 
99   private:
100     ndk::ScopedAStatus deleteCredentialCommon(const vector<uint8_t>& challenge,
101                                               bool includeChallenge,
102                                               vector<uint8_t>* outProofOfDeletionSignature);
103 
104     // Creates and initializes hwProxy_.
105     ndk::ScopedAStatus ensureHwProxy();
106 
107     // Set by constructor
108     sp<SecureHardwareProxyFactory> hwProxyFactory_;
109     vector<uint8_t> credentialData_;
110     shared_ptr<PresentationSession> session_;
111     int numStartRetrievalCalls_;
112     HardwareInformation hardwareInformation_;
113 
114     // Set by initialize()
115     string docType_;
116     bool testCredential_;
117     vector<uint8_t> encryptedCredentialKeys_;
118 
119     // Set by ensureHwProxy()
120     sp<SecureHardwarePresentationProxy> hwProxy_;
121 
122     // Set by createEphemeralKeyPair()
123     vector<uint8_t> ephemeralPublicKey_;
124 
125     // Set by setReaderEphemeralPublicKey()
126     vector<uint8_t> readerPublicKey_;
127 
128     // Set by setRequestedNamespaces()
129     vector<RequestNamespace> requestNamespaces_;
130 
131     // Set by setVerificationToken().
132     VerificationToken verificationToken_;
133 
134     // Set at startRetrieval() time.
135     vector<uint8_t> signingKeyBlob_;
136     vector<uint8_t> sessionTranscript_;
137     vector<uint8_t> itemsRequest_;
138     vector<int32_t> requestCountsRemaining_;
139     map<string, set<string>> requestedNameSpacesAndNames_;
140     cppbor::Map deviceNameSpacesMap_;
141     cppbor::Map currentNameSpaceDeviceNameSpacesMap_;
142 
143     // Calculated at startRetrieval() time.
144     size_t expectedDeviceNameSpacesSize_;
145     vector<unsigned int> expectedNumEntriesPerNamespace_;
146 
147     // Set at startRetrieveEntryValue() time.
148     string currentNameSpace_;
149     string currentName_;
150     vector<int32_t> currentAccessControlProfileIds_;
151     size_t entryRemainingBytes_;
152     vector<uint8_t> entryValue_;
153 
154     void calcDeviceNameSpacesSize(uint32_t accessControlProfileMask);
155 };
156 
157 }  // namespace aidl::android::hardware::identity
158 
159 #endif  // ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H
160