1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 #pragma once 17 18 #include <memory> 19 20 #include <aidl/android/hardware/gatekeeper/BnGatekeeper.h> 21 #include <gatekeeper/gatekeeper_messages.h> 22 23 #include "common/libs/security/gatekeeper_channel_sharedfd.h" 24 25 namespace aidl::android::hardware::gatekeeper { 26 27 using aidl::android::hardware::gatekeeper::GatekeeperEnrollResponse; 28 using aidl::android::hardware::gatekeeper::GatekeeperVerifyResponse; 29 using aidl::android::hardware::gatekeeper::IGatekeeper; 30 using ::gatekeeper::ENROLL; 31 using ::gatekeeper::EnrollRequest; 32 using ::gatekeeper::EnrollResponse; 33 using ::gatekeeper::gatekeeper_error_t; 34 using ::gatekeeper::GateKeeperMessage; 35 using ::gatekeeper::VERIFY; 36 using ::gatekeeper::VerifyRequest; 37 using ::gatekeeper::VerifyResponse; 38 39 class RemoteGateKeeperDevice : public BnGatekeeper { 40 public: 41 explicit RemoteGateKeeperDevice( 42 cuttlefish::SharedFdGatekeeperChannel* gatekeeper_channel); 43 ~RemoteGateKeeperDevice(); 44 /** 45 * Enrolls password_payload, which should be derived from a user selected pin 46 * or password, with the authentication factor private key used only for 47 * enrolling authentication factor data. 48 * 49 * Returns: 0 on success or an error code less than 0 on error. 50 * On error, enrolled_password_handle will not be allocated. 51 */ 52 ::ndk::ScopedAStatus enroll( 53 int32_t uid, const std::vector<uint8_t>& currentPasswordHandle, 54 const std::vector<uint8_t>& currentPassword, 55 const std::vector<uint8_t>& desiredPassword, 56 GatekeeperEnrollResponse* _aidl_return) override; 57 /** 58 * Verifies provided_password matches enrolled_password_handle. 59 * 60 * Implementations of this module may retain the result of this call 61 * to attest to the recency of authentication. 62 * 63 * On success, writes the address of a verification token to auth_token, 64 * usable to attest password verification to other trusted services. Clients 65 * may pass NULL for this value. 66 * 67 * Returns: 0 on success or an error code less than 0 on error 68 * On error, verification token will not be allocated 69 */ 70 ::ndk::ScopedAStatus verify( 71 int32_t uid, int64_t challenge, 72 const std::vector<uint8_t>& enrolledPasswordHandle, 73 const std::vector<uint8_t>& providedPassword, 74 GatekeeperVerifyResponse* _aidl_return) override; 75 76 ::ndk::ScopedAStatus deleteAllUsers() override; 77 78 ::ndk::ScopedAStatus deleteUser(int32_t uid) override; 79 80 private: 81 cuttlefish::SharedFdGatekeeperChannel* gatekeeper_channel_; 82 83 gatekeeper_error_t Send(uint32_t command, const GateKeeperMessage& request, 84 GateKeeperMessage* response); 85 Send(const EnrollRequest & request,EnrollResponse * response)86 gatekeeper_error_t Send(const EnrollRequest& request, 87 EnrollResponse* response) { 88 return Send(ENROLL, request, response); 89 } 90 Send(const VerifyRequest & request,VerifyResponse * response)91 gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse* response) { 92 return Send(VERIFY, request, response); 93 } 94 95 int error_; 96 }; 97 98 } // namespace aidl::android::hardware::gatekeeper 99