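/*
 * Copyright (c) 2019, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef SYSTEM_SECURITY_CREDENTIAL_H_
#define SYSTEM_SECURITY_CREDENTIAL_H_

// uid_t and ssize_t are used directly below; include their header rather than
// relying on a transitive include.
#include <sys/types.h>

// Fixed-width integer types (uint8_t, int32_t, int64_t, uint32_t, uint64_t).
#include <cstdint>
#include <string>
#include <vector>

#include <android/security/identity/BnCredential.h>

#include <android/hardware/identity/IIdentityCredentialStore.h>

#include "CredentialData.h"

namespace android {
namespace security {
namespace identity {

using ::android::sp;
using ::android::binder::Status;
using ::std::string;
using ::std::vector;

using ::android::hardware::identity::CipherSuite;
using ::android::hardware::identity::HardwareInformation;
using ::android::hardware::identity::IIdentityCredential;
using ::android::hardware::identity::IIdentityCredentialStore;
using ::android::hardware::identity::IPresentationSession;
using ::android::hardware::identity::RequestDataItem;
using ::android::hardware::identity::RequestNamespace;

// Binder service object implementing the ICredential interface (via the
// generated BnCredential base) for a single named credential.
//
// The object records the caller's UID, the on-disk data path and the credential
// name at construction time, and holds binder references to the HAL credential
// store and, optionally, a HAL presentation session.
//
// All byte-vector results are returned through the AIDL-generated
// `_aidl_return` out-parameters; the Status return value carries success or
// failure.
class Credential : public BnCredential {
  public:
    // Stores the supplied values in the corresponding members. No HAL call is
    // visible in this declaration.
    //
    // NOTE(review): callingUid is stored and presumably used to scope which
    // credential data this object may touch, so it should come from the binder
    // calling identity and never from client-supplied data. Confirm at the
    // construction site.
    Credential(CipherSuite cipherSuite, const string& dataPath, const string& credentialName,
               uid_t callingUid, HardwareInformation hwInfo,
               sp<IIdentityCredentialStore> halStoreBinder,
               sp<IPresentationSession> halSessionBinder, int halApiVersion);
    ~Credential();

    // Presumably (re)acquires halBinder_ from the HAL store or session. The
    // implementation is not in this header. Callers must check the returned
    // Status before using the object.
    Status ensureOrReplaceHalBinder();

    // Notification hook with no arguments and no result. Judging by the name
    // it is invoked after a writable credential finishes personalization.
    // TODO confirm against the caller.
    void writableCredentialPersonalized();

    // ICredential overrides
    Status createEphemeralKeyPair(vector<uint8_t>* _aidl_return) override;

    Status setReaderEphemeralPublicKey(const vector<uint8_t>& publicKey) override;

    Status deleteCredential(vector<uint8_t>* _aidl_return) override;

    // Variant of deleteCredential() that additionally takes a caller-provided
    // challenge.
    Status deleteWithChallenge(const vector<uint8_t>& challenge,
                               vector<uint8_t>* _aidl_return) override;

    Status proveOwnership(const vector<uint8_t>& challenge, vector<uint8_t>* _aidl_return) override;

    Status getCredentialKeyCertificateChain(vector<uint8_t>* _aidl_return) override;

    // The three flags are caller-controlled. allowUsingExhaustedKeys and
    // allowUsingExpiredKeys relax which auth keys may be chosen, so any policy
    // on whether a given caller may set them has to be enforced by the
    // implementation or by the layer above. Nothing in this header enforces it.
    Status selectAuthKey(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys,
                         bool incrementUsageCount, int64_t* _aidl_return) override;

    // Retrieves entries for a reader request. requestMessage,
    // sessionTranscript and readerSignature are opaque byte strings arriving
    // over binder.
    //
    // NOTE(review): where readerSignature is verified against requestMessage
    // and sessionTranscript is not visible in this header. Confirm in the
    // implementation or HAL that a verification failure leads to a rejected
    // request rather than to silently treating it as unsigned.
    Status getEntries(const vector<uint8_t>& requestMessage,
                      const vector<RequestNamespaceParcel>& requestNamespaces,
                      const vector<uint8_t>& sessionTranscript,
                      const vector<uint8_t>& readerSignature, bool allowUsingExhaustedKeys,
                      bool allowUsingExpiredKeys, bool incrementUsageCount,
                      GetEntriesResultParcel* _aidl_return) override;

    // keyCount and maxUsesPerKey are signed 32-bit values received over binder.
    // NOTE(review): the implementation should reject negative values. This
    // cannot be verified from the header.
    Status setAvailableAuthenticationKeys(int32_t keyCount, int32_t maxUsesPerKey,
                                          int64_t minValidTimeMillis) override;
    Status getAuthKeysNeedingCertification(vector<AuthKeyParcel>* _aidl_return) override;
    Status storeStaticAuthenticationData(const AuthKeyParcel& authenticationKey,
                                         const vector<uint8_t>& staticAuthData) override;
    // Same as storeStaticAuthenticationData() with an explicit expiration,
    // given in milliseconds since the epoch.
    Status
    storeStaticAuthenticationDataWithExpiration(const AuthKeyParcel& authenticationKey,
                                                int64_t expirationDateMillisSinceEpoch,
                                                const vector<uint8_t>& staticAuthData) override;
    Status getAuthenticationDataUsageCount(vector<int32_t>* _aidl_return) override;
    Status getAuthenticationDataExpirations(vector<int64_t>* _aidl_return) override;

    Status update(sp<IWritableCredential>* _aidl_return) override;

  private:
    CipherSuite cipherSuite_;
    string dataPath_;
    string credentialName_;
    // UID recorded at construction; see the constructor note on its provenance.
    uid_t callingUid_;
    HardwareInformation hwInfo_;
    sp<IIdentityCredentialStore> halStoreBinder_;
    sp<IPresentationSession> halSessionBinder_;

    // Starts at 0. NOTE(review): 0 presumably means "no challenge selected yet"
    // and ensureChallenge() fills it in. Confirm in the implementation.
    uint64_t selectedChallenge_ = 0;

    sp<IIdentityCredential> halBinder_;
    // No in-class initializer; the constructor is expected to set it.
    int halApiVersion_;

    // This is used to cache the selected AuthKey to ensure the same AuthKey is used across
    // multiple getEntries() calls.
    bool selectedAuthKey_ = false;
    vector<uint8_t> selectedAuthKeySigningKeyBlob_;
    vector<uint8_t> selectedAuthKeyStaticAuthData_;

    // Returns a bool; presumably true when a challenge is available after the
    // call. TODO confirm.
    bool ensureChallenge();

    // Returns a signed size. NOTE(review): a negative value presumably signals
    // failure, so callers should check the sign before using the result as a
    // length or allocation size. Confirm against the implementation.
    ssize_t
    calcExpectedDeviceNameSpacesSize(const vector<uint8_t>& requestMessage,
                                     const vector<RequestNamespaceParcel>& requestNamespaces,
                                     uint32_t authorizedAcps);
};

}  // namespace identity
}  // namespace security
}  // namespace android

#endif  // SYSTEM_SECURITY_CREDENTIAL_H_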