1 /*
2  * Copyright 2019, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef ANDROID_HARDWARE_IDENTITY_WRITABLEIDENTITYCREDENTIAL_H
18 #define ANDROID_HARDWARE_IDENTITY_WRITABLEIDENTITYCREDENTIAL_H
19 
20 #include <aidl/android/hardware/identity/BnWritableIdentityCredential.h>
21 #include <android/hardware/identity/support/IdentityCredentialSupport.h>
22 
23 #include <cppbor.h>
24 #include <set>
25 
26 #include "IdentityCredentialStore.h"
27 #include "SecureHardwareProxy.h"
28 
29 namespace aidl::android::hardware::identity {
30 
31 using ::android::sp;
32 using ::android::hardware::identity::SecureHardwareProvisioningProxy;
33 using ::std::optional;
34 using ::std::set;
35 using ::std::string;
36 using ::std::vector;
37 
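class WritableIdentityCredential : public BnWritableIdentityCredential {
  public:
    // Only records the constructor arguments; the secure hardware is not
    // contacted here.
    //
    // For a new credential, call initialize() right after construction.
    //
    // For an updated credential, call initializeForUpdate() right after construction.
    //
    // hwProxy:             proxy to the secure hardware used for provisioning
    //                      (taken by value and moved into hwProxy_).
    // docType:             document type string, copied into docType_.
    // testCredential:      recorded in testCredential_.
    // hardwareInformation: moved into hardwareInformation_.
    WritableIdentityCredential(sp<SecureHardwareProvisioningProxy> hwProxy, const string& docType,
                               bool testCredential, HardwareInformation hardwareInformation)
        : hwProxy_(std::move(hwProxy)),  // by-value parameter: move instead of a second refcount bump
          docType_(docType),
          testCredential_(testCredential),
          hardwareInformation_(std::move(hardwareInformation)) {}

    ~WritableIdentityCredential();

    // Creates the Credential Key. Returns false on failure.
    bool initialize();

    // Used when updating a credential. Returns false on failure.
    //
    // encryptedCredentialKeys: the key material of the credential being
    //                          updated, as produced by a previous provisioning.
    bool initializeForUpdate(const vector<uint8_t>& encryptedCredentialKeys);

    // Methods from IWritableIdentityCredential follow. Each returns an
    // ndk::ScopedAStatus; results are delivered through the out-pointer
    // parameters.

    // Produces the attestation certificate chain for the Credential Key into
    // *outCertificateChain. The getAttestationCertificateAlreadyCalled_ flag
    // below tracks that this has been called.
    ndk::ScopedAStatus getAttestationCertificate(const vector<uint8_t>& attestationApplicationId,
                                                 const vector<uint8_t>& attestationChallenge,
                                                 vector<Certificate>* outCertificateChain) override;

    // Records the expected size of the proof of provisioning.
    ndk::ScopedAStatus setExpectedProofOfProvisioningSize(
            int32_t expectedProofOfProvisioningSize) override;

    // Begins personalization with the given number of access control profiles
    // and the per-namespace entry counts.
    ndk::ScopedAStatus startPersonalization(int32_t accessControlProfileCount,
                                            const vector<int32_t>& entryCounts) override;

    // Adds one access control profile; the resulting profile is written to
    // *outSecureAccessControlProfile.
    ndk::ScopedAStatus addAccessControlProfile(
            int32_t id, const Certificate& readerCertificate, bool userAuthenticationRequired,
            int64_t timeoutMillis, int64_t secureUserId,
            SecureAccessControlProfile* outSecureAccessControlProfile) override;

    // Starts a new entry of entrySize bytes in the given namespace; the entry
    // content itself is supplied through addEntryValue().
    ndk::ScopedAStatus beginAddEntry(const vector<int32_t>& accessControlProfileIds,
                                     const string& nameSpace, const string& name,
                                     int32_t entrySize) override;

    // Supplies (a chunk of) the current entry's content; the encrypted form is
    // written to *outEncryptedContent.
    ndk::ScopedAStatus addEntryValue(const vector<uint8_t>& content,
                                     vector<uint8_t>* outEncryptedContent) override;

    // Completes provisioning, producing the credential data and the proof of
    // provisioning signature through the out-pointers.
    ndk::ScopedAStatus finishAddingEntries(
            vector<uint8_t>* outCredentialData,
            vector<uint8_t>* outProofOfProvisioningSignature) override;

    // Stores a remotely provisioned attestation key and its certificate chain
    // (see attestationKeyBlob_ / attestationCertificateChain_ below).
    ndk::ScopedAStatus setRemotelyProvisionedAttestationKey(
            const vector<uint8_t>& attestationKeyBlob,
            const vector<uint8_t>& attestationCertificateChain) override;

  private:
    // Set by constructor.
    sp<SecureHardwareProvisioningProxy> hwProxy_;
    string docType_;
    bool testCredential_;
    HardwareInformation hardwareInformation_;

    // This is set in initialize(). The in-class initializers below make the
    // state machine deterministic even if initialize() is never called or
    // fails early, instead of leaving these scalars indeterminate.
    bool startPersonalizationCalled_ = false;
    bool firstEntry_ = false;

    // This is set in getAttestationCertificate().
    bool getAttestationCertificateAlreadyCalled_ = false;

    // These fields are initialized during startPersonalization()
    size_t numAccessControlProfileRemaining_ = 0;
    vector<int32_t> remainingEntryCounts_;
    cppbor::Array signedDataAccessControlProfiles_;
    cppbor::Map signedDataNamespaces_;
    cppbor::Array signedDataCurrentNamespace_;
    // NOTE(review): setExpectedProofOfProvisioningSize() presumably also writes
    // this field — confirm against the .cpp.
    size_t expectedProofOfProvisioningSize_ = 0;

    // This field is initialized in addAccessControlProfile
    set<int32_t> accessControlProfileIds_;

    // These fields are initialized during beginAddEntry()
    size_t entryRemainingBytes_ = 0;
    string entryNameSpace_;
    string entryName_;
    vector<int32_t> entryAccessControlProfileIds_;
    vector<uint8_t> entryBytes_;
    set<string> allNameSpaces_;

    // Remotely provisioned attestation data, set via setRemotelyProvisionedAttestationKey
    optional<vector<uint8_t>> attestationKeyBlob_;
    optional<vector<vector<uint8_t>>> attestationCertificateChain_;
};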
126 
127 }  // namespace aidl::android::hardware::identity
128 
129 #endif  // ANDROID_HARDWARE_IDENTITY_WRITABLEIDENTITYCREDENTIAL_H
130