1 /*
2  * Copyright 2019, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H
18 #define ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H
19 
20 #include <aidl/android/hardware/identity/BnIdentityCredential.h>
21 #include <aidl/android/hardware/keymaster/HardwareAuthToken.h>
22 #include <aidl/android/hardware/keymaster/VerificationToken.h>
23 #include <android/hardware/identity/support/IdentityCredentialSupport.h>
24 
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>
29 
30 #include <cppbor/cppbor.h>
31 
32 namespace aidl::android::hardware::identity {
33 
34 using ::aidl::android::hardware::keymaster::HardwareAuthToken;
35 using ::aidl::android::hardware::keymaster::VerificationToken;
36 using ::std::map;
37 using ::std::set;
38 using ::std::string;
39 using ::std::vector;
40 
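class IdentityCredential : public BnIdentityCredential {
  public:
    // Takes the encrypted credential blob this object will operate on. The
    // blob is only copied here; nothing is parsed or decrypted until
    // initialize() is called, which must happen right after construction and
    // whose status must be checked before any other method is used.
    IdentityCredential(const vector<uint8_t>& credentialData)
        : credentialData_(credentialData) {}

    // Parses and decrypts credentialData_; returns a status code from
    // IIdentityCredentialStore. Must be called right after construction.
    int initialize();

    // Methods from IIdentityCredential follow.
    ndk::ScopedAStatus deleteCredential(vector<int8_t>* outProofOfDeletionSignature) override;
    ndk::ScopedAStatus createEphemeralKeyPair(vector<int8_t>* outKeyPair) override;
    ndk::ScopedAStatus setReaderEphemeralPublicKey(const vector<int8_t>& publicKey) override;
    ndk::ScopedAStatus createAuthChallenge(int64_t* outChallenge) override;
    ndk::ScopedAStatus setRequestedNamespaces(
            const vector<RequestNamespace>& requestNamespaces) override;
    ndk::ScopedAStatus setVerificationToken(const VerificationToken& verificationToken) override;
    ndk::ScopedAStatus startRetrieval(
            const vector<SecureAccessControlProfile>& accessControlProfiles,
            const HardwareAuthToken& authToken, const vector<int8_t>& itemsRequest,
            const vector<int8_t>& signingKeyBlob, const vector<int8_t>& sessionTranscript,
            const vector<int8_t>& readerSignature, const vector<int32_t>& requestCounts) override;
    ndk::ScopedAStatus startRetrieveEntryValue(
            const string& nameSpace, const string& name, int32_t entrySize,
            const vector<int32_t>& accessControlProfileIds) override;
    ndk::ScopedAStatus retrieveEntryValue(const vector<int8_t>& encryptedContent,
                                          vector<int8_t>* outContent) override;
    ndk::ScopedAStatus finishRetrieval(vector<int8_t>* outMac,
                                       vector<int8_t>* outDeviceNameSpaces) override;
    ndk::ScopedAStatus generateSigningKeyPair(vector<int8_t>* outSigningKeyBlob,
                                              Certificate* outSigningKeyCertificate) override;

  private:
    // Every scalar member carries an in-class initializer so that a getter or
    // a later method reached before its "setter" observes a defined value
    // rather than indeterminate stack/heap contents.

    // Set by constructor
    vector<uint8_t> credentialData_;
    int numStartRetrievalCalls_ = 0;

    // Set by initialize()
    string docType_;
    bool testCredential_ = false;
    // NOTE(review): storageKey_ and credentialPrivKey_ hold secret key
    // material. std::vector storage is not scrubbed on destruction; confirm
    // whether the caller relies on zeroization of this object.
    vector<uint8_t> storageKey_;
    vector<uint8_t> credentialPrivKey_;

    // Set by createEphemeralKeyPair()
    vector<uint8_t> ephemeralPublicKey_;

    // Set by setReaderEphemeralPublicKey()
    vector<uint8_t> readerPublicKey_;

    // Set by createAuthChallenge()
    uint64_t authChallenge_ = 0;

    // Set by setRequestedNamespaces()
    vector<RequestNamespace> requestNamespaces_;

    // Set by setVerificationToken().
    VerificationToken verificationToken_;

    // Set at startRetrieval() time.
    map<int32_t, int> profileIdToAccessCheckResult_;
    vector<uint8_t> signingKeyBlob_;
    vector<uint8_t> sessionTranscript_;
    std::unique_ptr<cppbor::Item> sessionTranscriptItem_;
    vector<uint8_t> itemsRequest_;
    vector<int32_t> requestCountsRemaining_;
    map<string, set<string>> requestedNameSpacesAndNames_;
    cppbor::Map deviceNameSpacesMap_;
    cppbor::Map currentNameSpaceDeviceNameSpacesMap_;

    // Calculated at startRetrieval() time.
    size_t expectedDeviceNameSpacesSize_ = 0;

    // Set at startRetrieveEntryValue() time.
    string currentNameSpace_;
    string currentName_;
    // Presumably the count of entry bytes not yet delivered; confirm against
    // retrieveEntryValue(). Zero until startRetrieveEntryValue() sets it.
    size_t entryRemainingBytes_ = 0;
    vector<uint8_t> entryValue_;
    vector<uint8_t> entryAdditionalData_;

    size_t calcDeviceNameSpacesSize();
};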
125 
126 }  // namespace aidl::android::hardware::identity
127 
128 #endif  // ANDROID_HARDWARE_IDENTITY_IDENTITYCREDENTIAL_H
129