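/*
 * Copyright 2019, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef ANDROID_HARDWARE_IDENTITY_WRITABLEIDENTITYCREDENTIAL_H
#define ANDROID_HARDWARE_IDENTITY_WRITABLEIDENTITYCREDENTIAL_H

#include <aidl/android/hardware/identity/BnWritableIdentityCredential.h>
#include <android/hardware/identity/support/IdentityCredentialSupport.h>

#include <cppbor.h>
// Standard headers for the names this file uses directly, so it does not rely
// on transitive includes.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <set>
#include <string>
#include <utility>
#include <vector>

#include "IdentityCredentialStore.h"
#include "SecureHardwareProxy.h"

namespace aidl::android::hardware::identity {

using ::android::sp;
using ::android::hardware::identity::SecureHardwareProvisioningProxy;
using ::std::optional;
using ::std::set;
using ::std::string;
using ::std::vector;

// Implementation of the IWritableIdentityCredential AIDL interface, used while
// a credential is being provisioned (or updated).
//
// The class derives from the AIDL-generated server-side stub
// (BnWritableIdentityCredential), so every overridden method below is reachable
// from a Binder client and its arguments must be treated as caller-controlled.
// The private members track where the caller is in the provisioning sequence.
//
// NOTE(review): several counts and sizes arrive as int32_t and are tracked in
// size_t members; the implementation file should reject negative values before
// converting - not visible from this header, confirm there.
class WritableIdentityCredential : public BnWritableIdentityCredential {
  public:
    // For a new credential, call initialize() right after construction.
    //
    // For an updated credential, call initializeForUpdate() right after construction.
    //
    // hwProxy is taken by value and moved into the member, which avoids an
    // extra reference-count round trip on the strong pointer.
    WritableIdentityCredential(sp<SecureHardwareProvisioningProxy> hwProxy, const string& docType,
                               bool testCredential, HardwareInformation hardwareInformation)
        : hwProxy_(std::move(hwProxy)),
          docType_(docType),
          testCredential_(testCredential),
          hardwareInformation_(std::move(hardwareInformation)) {}

    ~WritableIdentityCredential();

    // Creates the Credential Key. Returns false on failure.
    bool initialize();

    // Used when updating a credential. Returns false on failure.
    bool initializeForUpdate(const vector<uint8_t>& encryptedCredentialKeys);

    // Methods from IWritableIdentityCredential follow.

    // Writes the attestation certificate chain to outCertificateChain.
    // NOTE(review): getAttestationCertificateAlreadyCalled_ suggests this is
    // meant to succeed only once per object - confirm in the implementation.
    ndk::ScopedAStatus getAttestationCertificate(const vector<uint8_t>& attestationApplicationId,
                                                 const vector<uint8_t>& attestationChallenge,
                                                 vector<Certificate>* outCertificateChain) override;

    // Records the size the caller expects the proof of provisioning to have.
    ndk::ScopedAStatus setExpectedProofOfProvisioningSize(
            int32_t expectedProofOfProvisioningSize) override;

    // Starts personalization with the announced number of access control
    // profiles and the per-namespace entry counts.
    ndk::ScopedAStatus startPersonalization(int32_t accessControlProfileCount,
                                            const vector<int32_t>& entryCounts) override;

    // Adds one access control profile and returns its secured form through
    // outSecureAccessControlProfile.
    ndk::ScopedAStatus addAccessControlProfile(
            int32_t id, const Certificate& readerCertificate, bool userAuthenticationRequired,
            int64_t timeoutMillis, int64_t secureUserId,
            SecureAccessControlProfile* outSecureAccessControlProfile) override;

    // Begins a new entry of entrySize bytes in nameSpace/name, bound to the
    // given access control profile ids.
    ndk::ScopedAStatus beginAddEntry(const vector<int32_t>& accessControlProfileIds,
                                     const string& nameSpace, const string& name,
                                     int32_t entrySize) override;

    // Supplies content for the entry opened by beginAddEntry() and returns the
    // encrypted form through outEncryptedContent.
    ndk::ScopedAStatus addEntryValue(const vector<uint8_t>& content,
                                     vector<uint8_t>* outEncryptedContent) override;

    // Completes provisioning, returning the credential data and the signature
    // over the proof of provisioning.
    ndk::ScopedAStatus finishAddingEntries(
            vector<uint8_t>* outCredentialData,
            vector<uint8_t>* outProofOfProvisioningSignature) override;

    // Stores a remotely provisioned attestation key blob and its certificate chain.
    ndk::ScopedAStatus setRemotelyProvisionedAttestationKey(
            const vector<uint8_t>& attestationKeyBlob,
            const vector<uint8_t>& attestationCertificateChain) override;

  private:
    // Set by constructor.
    sp<SecureHardwareProvisioningProxy> hwProxy_;
    string docType_;
    bool testCredential_;
    HardwareInformation hardwareInformation_;

    // This is set in initialize().
    //
    // The sequencing flags and counters below carry in-class defaults so that a
    // Binder call arriving before initialize()/startPersonalization()/
    // beginAddEntry() reads a defined value rather than an indeterminate one.
    // NOTE(review): the defaults describe a freshly constructed object (nothing
    // started, no entry added, nothing remaining); the initializing methods are
    // still expected to assign these - confirm against the implementation.
    bool startPersonalizationCalled_ = false;
    bool firstEntry_ = true;

    // This is set in getAttestationCertificate().
    bool getAttestationCertificateAlreadyCalled_ = false;

    // These fields are initialized during startPersonalization()
    size_t numAccessControlProfileRemaining_ = 0;
    vector<int32_t> remainingEntryCounts_;
    cppbor::Array signedDataAccessControlProfiles_;
    cppbor::Map signedDataNamespaces_;
    cppbor::Array signedDataCurrentNamespace_;
    size_t expectedProofOfProvisioningSize_ = 0;

    // This field is initialized in addAccessControlProfile
    set<int32_t> accessControlProfileIds_;

    // These fields are initialized during beginAddEntry()
    size_t entryRemainingBytes_ = 0;
    string entryNameSpace_;
    string entryName_;
    vector<int32_t> entryAccessControlProfileIds_;
    vector<uint8_t> entryBytes_;
    set<string> allNameSpaces_;

    // Remotely provisioned attestation data, set via setRemotelyProvisionedAttestationKey
    optional<vector<uint8_t>> attestationKeyBlob_;
    optional<vector<vector<uint8_t>>> attestationCertificateChain_;
};

}  // namespace aidl::android::hardware::identity

#endif  // ANDROID_HARDWARE_IDENTITY_WRITABLEIDENTITYCREDENTIAL_H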