diff --git a/identity/aidl/default/IdentityCredential.cpp b/identity/aidl/default/IdentityCredential.cpp index 341fae6e93..aaae1f6ae5 100644 --- a/identity/aidl/default/IdentityCredential.cpp +++ b/identity/aidl/default/IdentityCredential.cpp @@ -102,7 +102,7 @@ int IdentityCredential::initialize() { } ndk::ScopedAStatus IdentityCredential::deleteCredential( - vector* outProofOfDeletionSignature) { + vector* outProofOfDeletionSignature) { cppbor::Array array = {"ProofOfDeletion", docType_, testCredential_}; vector proofOfDeletion = array.encode(); @@ -115,11 +115,11 @@ ndk::ScopedAStatus IdentityCredential::deleteCredential( IIdentityCredentialStore::STATUS_FAILED, "Error signing data")); } - *outProofOfDeletionSignature = byteStringToSigned(signature.value()); + *outProofOfDeletionSignature = signature.value(); return ndk::ScopedAStatus::ok(); } -ndk::ScopedAStatus IdentityCredential::createEphemeralKeyPair(vector* outKeyPair) { +ndk::ScopedAStatus IdentityCredential::createEphemeralKeyPair(vector* outKeyPair) { optional> kp = support::createEcKeyPair(); if (!kp) { return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( @@ -135,13 +135,13 @@ ndk::ScopedAStatus IdentityCredential::createEphemeralKeyPair(vector* ou } ephemeralPublicKey_ = publicKey.value(); - *outKeyPair = byteStringToSigned(kp.value()); + *outKeyPair = kp.value(); return ndk::ScopedAStatus::ok(); } ndk::ScopedAStatus IdentityCredential::setReaderEphemeralPublicKey( - const vector& publicKey) { - readerPublicKey_ = byteStringToUnsigned(publicKey); + const vector& publicKey) { + readerPublicKey_ = publicKey; return ndk::ScopedAStatus::ok(); } @@ -169,8 +169,8 @@ ndk::ScopedAStatus IdentityCredential::createAuthChallenge(int64_t* outChallenge // ahead of time. bool checkReaderAuthentication(const SecureAccessControlProfile& profile, const vector& readerCertificateChain) { - optional> acpPubKey = support::certificateChainGetTopMostKey( - byteStringToUnsigned(profile.readerCertificate.encodedCertificate)); + optional> acpPubKey = + support::certificateChainGetTopMostKey(profile.readerCertificate.encodedCertificate); if (!acpPubKey) { LOG(ERROR) << "Error extracting public key from readerCertificate in profile"; return false; @@ -255,13 +255,9 @@ bool checkUserAuthentication(const SecureAccessControlProfile& profile, ndk::ScopedAStatus IdentityCredential::startRetrieval( const vector& accessControlProfiles, - const HardwareAuthToken& authToken, const vector& itemsRequestS, - const vector& signingKeyBlobS, const vector& sessionTranscriptS, - const vector& readerSignatureS, const vector& requestCounts) { - auto sessionTranscript = byteStringToUnsigned(sessionTranscriptS); - auto itemsRequest = byteStringToUnsigned(itemsRequestS); - auto readerSignature = byteStringToUnsigned(readerSignatureS); - + const HardwareAuthToken& authToken, const vector& itemsRequest, + const vector& signingKeyBlob, const vector& sessionTranscript, + const vector& readerSignature, const vector& requestCounts) { if (sessionTranscript.size() > 0) { auto [item, _, message] = cppbor::parse(sessionTranscript); if (item == nullptr) { @@ -498,7 +494,7 @@ ndk::ScopedAStatus IdentityCredential::startRetrieval( currentNameSpace_ = ""; itemsRequest_ = itemsRequest; - signingKeyBlob_ = byteStringToUnsigned(signingKeyBlobS); + signingKeyBlob_ = signingKeyBlob; numStartRetrievalCalls_ += 1; return ndk::ScopedAStatus::ok(); @@ -605,10 +601,8 @@ ndk::ScopedAStatus IdentityCredential::startRetrieveEntryValue( return ndk::ScopedAStatus::ok(); } -ndk::ScopedAStatus IdentityCredential::retrieveEntryValue(const vector& encryptedContentS, - vector* outContent) { - auto encryptedContent = byteStringToUnsigned(encryptedContentS); - +ndk::ScopedAStatus IdentityCredential::retrieveEntryValue(const vector& encryptedContent, + vector* outContent) { optional> content = support::decryptAes128Gcm(storageKey_, encryptedContent, entryAdditionalData_); if (!content) { @@ -647,12 +641,12 @@ ndk::ScopedAStatus IdentityCredential::retrieveEntryValue(const vector& currentNameSpaceDeviceNameSpacesMap_.add(currentName_, std::move(entryValueItem)); } - *outContent = byteStringToSigned(content.value()); + *outContent = content.value(); return ndk::ScopedAStatus::ok(); } -ndk::ScopedAStatus IdentityCredential::finishRetrieval(vector* outMac, - vector* outDeviceNameSpaces) { +ndk::ScopedAStatus IdentityCredential::finishRetrieval(vector* outMac, + vector* outDeviceNameSpaces) { if (currentNameSpaceDeviceNameSpacesMap_.size() > 0) { deviceNameSpacesMap_.add(currentNameSpace_, std::move(currentNameSpaceDeviceNameSpacesMap_)); @@ -704,13 +698,13 @@ ndk::ScopedAStatus IdentityCredential::finishRetrieval(vector* outMac, } } - *outMac = byteStringToSigned(mac.value_or(vector({}))); - *outDeviceNameSpaces = byteStringToSigned(encodedDeviceNameSpaces); + *outMac = mac.value_or(vector({})); + *outDeviceNameSpaces = encodedDeviceNameSpaces; return ndk::ScopedAStatus::ok(); } ndk::ScopedAStatus IdentityCredential::generateSigningKeyPair( - vector* outSigningKeyBlob, Certificate* outSigningKeyCertificate) { + vector* outSigningKeyBlob, Certificate* outSigningKeyCertificate) { string serialDecimal = "0"; // TODO: set serial to something unique string issuer = "Android Open Source Project"; string subject = "Android IdentityCredential Reference Implementation"; @@ -758,9 +752,9 @@ ndk::ScopedAStatus IdentityCredential::generateSigningKeyPair( return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( IIdentityCredentialStore::STATUS_FAILED, "Error encrypting signingKey")); } - *outSigningKeyBlob = byteStringToSigned(encryptedSigningKey.value()); + *outSigningKeyBlob = encryptedSigningKey.value(); *outSigningKeyCertificate = Certificate(); - outSigningKeyCertificate->encodedCertificate = byteStringToSigned(certificate.value()); + outSigningKeyCertificate->encodedCertificate = certificate.value(); return ndk::ScopedAStatus::ok(); } diff --git a/identity/aidl/default/IdentityCredential.h b/identity/aidl/default/IdentityCredential.h index fc29254f4b..6072afe04f 100644 --- a/identity/aidl/default/IdentityCredential.h +++ b/identity/aidl/default/IdentityCredential.h @@ -47,23 +47,23 @@ class IdentityCredential : public BnIdentityCredential { int initialize(); // Methods from IIdentityCredential follow. - ndk::ScopedAStatus deleteCredential(vector* outProofOfDeletionSignature) override; - ndk::ScopedAStatus createEphemeralKeyPair(vector* outKeyPair) override; - ndk::ScopedAStatus setReaderEphemeralPublicKey(const vector& publicKey) override; + ndk::ScopedAStatus deleteCredential(vector* outProofOfDeletionSignature) override; + ndk::ScopedAStatus createEphemeralKeyPair(vector* outKeyPair) override; + ndk::ScopedAStatus setReaderEphemeralPublicKey(const vector& publicKey) override; ndk::ScopedAStatus createAuthChallenge(int64_t* outChallenge) override; ndk::ScopedAStatus startRetrieval( const vector& accessControlProfiles, - const HardwareAuthToken& authToken, const vector& itemsRequest, - const vector& signingKeyBlob, const vector& sessionTranscript, - const vector& readerSignature, const vector& requestCounts) override; + const HardwareAuthToken& authToken, const vector& itemsRequest, + const vector& signingKeyBlob, const vector& sessionTranscript, + const vector& readerSignature, const vector& requestCounts) override; ndk::ScopedAStatus startRetrieveEntryValue( const string& nameSpace, const string& name, int32_t entrySize, const vector& accessControlProfileIds) override; - ndk::ScopedAStatus retrieveEntryValue(const vector& encryptedContent, - vector* outContent) override; - ndk::ScopedAStatus finishRetrieval(vector* outMac, - vector* outDeviceNameSpaces) override; - ndk::ScopedAStatus generateSigningKeyPair(vector* outSigningKeyBlob, + ndk::ScopedAStatus retrieveEntryValue(const vector& encryptedContent, + vector* outContent) override; + ndk::ScopedAStatus finishRetrieval(vector* outMac, + vector* outDeviceNameSpaces) override; + ndk::ScopedAStatus generateSigningKeyPair(vector* outSigningKeyBlob, Certificate* outSigningKeyCertificate) override; private: diff --git a/identity/aidl/default/IdentityCredentialStore.cpp b/identity/aidl/default/IdentityCredentialStore.cpp index 1efb4b4937..30dc6f330b 100644 --- a/identity/aidl/default/IdentityCredentialStore.cpp +++ b/identity/aidl/default/IdentityCredentialStore.cpp @@ -51,7 +51,7 @@ ndk::ScopedAStatus IdentityCredentialStore::createCredential( } ndk::ScopedAStatus IdentityCredentialStore::getCredential( - CipherSuite cipherSuite, const vector& credentialData, + CipherSuite cipherSuite, const vector& credentialData, shared_ptr* outCredential) { // We only support CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256 right now. if (cipherSuite != CipherSuite::CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256) { @@ -60,8 +60,8 @@ ndk::ScopedAStatus IdentityCredentialStore::getCredential( "Unsupported cipher suite")); } - vector data = vector(credentialData.begin(), credentialData.end()); - shared_ptr credential = ndk::SharedRefBase::make(data); + shared_ptr credential = + ndk::SharedRefBase::make(credentialData); auto ret = credential->initialize(); if (ret != IIdentityCredentialStore::STATUS_OK) { return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( diff --git a/identity/aidl/default/IdentityCredentialStore.h b/identity/aidl/default/IdentityCredentialStore.h index a2051130b0..4f3a42139f 100644 --- a/identity/aidl/default/IdentityCredentialStore.h +++ b/identity/aidl/default/IdentityCredentialStore.h @@ -39,7 +39,7 @@ class IdentityCredentialStore : public BnIdentityCredentialStore { const string& docType, bool testCredential, shared_ptr* outWritableCredential) override; - ndk::ScopedAStatus getCredential(CipherSuite cipherSuite, const vector& credentialData, + ndk::ScopedAStatus getCredential(CipherSuite cipherSuite, const vector& credentialData, shared_ptr* outCredential) override; }; diff --git a/identity/aidl/default/Util.cpp b/identity/aidl/default/Util.cpp index a0f86bedcd..66b9f13d89 100644 --- a/identity/aidl/default/Util.cpp +++ b/identity/aidl/default/Util.cpp @@ -39,21 +39,12 @@ const vector& getHardwareBoundKey() { return hardwareBoundKey; } -vector byteStringToUnsigned(const vector& value) { - return vector(value.begin(), value.end()); -} - -vector byteStringToSigned(const vector& value) { - return vector(value.begin(), value.end()); -} - vector secureAccessControlProfileEncodeCbor(const SecureAccessControlProfile& profile) { cppbor::Map map; map.add("id", profile.id); if (profile.readerCertificate.encodedCertificate.size() > 0) { - map.add("readerCertificate", - cppbor::Bstr(byteStringToUnsigned(profile.readerCertificate.encodedCertificate))); + map.add("readerCertificate", cppbor::Bstr(profile.readerCertificate.encodedCertificate)); } if (profile.userAuthenticationRequired) { @@ -94,7 +85,7 @@ bool secureAccessControlProfileCheckMac(const SecureAccessControlProfile& profil if (!mac) { return false; } - if (mac.value() != byteStringToUnsigned(profile.mac)) { + if (mac.value() != profile.mac) { return false; } return true; diff --git a/identity/aidl/default/Util.h b/identity/aidl/default/Util.h index ee41ad1aac..9fccba2c72 100644 --- a/identity/aidl/default/Util.h +++ b/identity/aidl/default/Util.h @@ -49,10 +49,6 @@ bool secureAccessControlProfileCheckMac(const SecureAccessControlProfile& profil vector entryCreateAdditionalData(const string& nameSpace, const string& name, const vector accessControlProfileIds); -vector byteStringToUnsigned(const vector& value); - -vector byteStringToSigned(const vector& value); - } // namespace aidl::android::hardware::identity #endif // ANDROID_HARDWARE_IDENTITY_UTIL_H diff --git a/identity/aidl/default/WritableIdentityCredential.cpp b/identity/aidl/default/WritableIdentityCredential.cpp index 89f7f35696..bce913aeec 100644 --- a/identity/aidl/default/WritableIdentityCredential.cpp +++ b/identity/aidl/default/WritableIdentityCredential.cpp @@ -53,8 +53,8 @@ bool WritableIdentityCredential::initialize() { // attestation certificate with current time and expires one year from now. The // certificate shall contain all values as specified in hal. ndk::ScopedAStatus WritableIdentityCredential::getAttestationCertificate( - const vector& attestationApplicationId, // - const vector& attestationChallenge, // + const vector& attestationApplicationId, // + const vector& attestationChallenge, // vector* outCertificateChain) { if (!credentialPrivKey_.empty() || !credentialPubKey_.empty() || !certificateChain_.empty()) { return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( @@ -97,7 +97,7 @@ ndk::ScopedAStatus WritableIdentityCredential::getAttestationCertificate( *outCertificateChain = vector(); for (const vector& cert : certificateChain_) { Certificate c = Certificate(); - c.encodedCertificate = byteStringToSigned(cert); + c.encodedCertificate = cert; outCertificateChain->push_back(std::move(c)); } return ndk::ScopedAStatus::ok(); @@ -146,14 +146,13 @@ ndk::ScopedAStatus WritableIdentityCredential::addAccessControlProfile( return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage( IIdentityCredentialStore::STATUS_FAILED, "Error calculating MAC for profile")); } - profile.mac = byteStringToSigned(mac.value()); + profile.mac = mac.value(); cppbor::Map profileMap; profileMap.add("id", profile.id); if (profile.readerCertificate.encodedCertificate.size() > 0) { - profileMap.add( - "readerCertificate", - cppbor::Bstr(byteStringToUnsigned(profile.readerCertificate.encodedCertificate))); + profileMap.add("readerCertificate", + cppbor::Bstr(profile.readerCertificate.encodedCertificate)); } if (profile.userAuthenticationRequired) { profileMap.add("userAuthenticationRequired", profile.userAuthenticationRequired); @@ -223,9 +222,8 @@ ndk::ScopedAStatus WritableIdentityCredential::beginAddEntry( return ndk::ScopedAStatus::ok(); } -ndk::ScopedAStatus WritableIdentityCredential::addEntryValue(const vector& contentS, - vector* outEncryptedContent) { - auto content = byteStringToUnsigned(contentS); +ndk::ScopedAStatus WritableIdentityCredential::addEntryValue(const vector& content, + vector* outEncryptedContent) { size_t contentSize = content.size(); if (contentSize > IdentityCredentialStore::kGcmChunkSize) { @@ -280,7 +278,7 @@ ndk::ScopedAStatus WritableIdentityCredential::addEntryValue(const vector& hardwareBoundKey, const strin } ndk::ScopedAStatus WritableIdentityCredential::finishAddingEntries( - vector* outCredentialData, vector* outProofOfProvisioningSignature) { + vector* outCredentialData, vector* outProofOfProvisioningSignature) { if (signedDataCurrentNamespace_.size() > 0) { signedDataNamespaces_.add(entryNameSpace_, std::move(signedDataCurrentNamespace_)); } @@ -364,8 +362,8 @@ ndk::ScopedAStatus WritableIdentityCredential::finishAddingEntries( IIdentityCredentialStore::STATUS_FAILED, "Error generating CredentialData")); } - *outCredentialData = byteStringToSigned(credentialData); - *outProofOfProvisioningSignature = byteStringToSigned(signature.value()); + *outCredentialData = credentialData; + *outProofOfProvisioningSignature = signature.value(); return ndk::ScopedAStatus::ok(); } diff --git a/identity/aidl/default/WritableIdentityCredential.h b/identity/aidl/default/WritableIdentityCredential.h index b182862862..4b6fca8d91 100644 --- a/identity/aidl/default/WritableIdentityCredential.h +++ b/identity/aidl/default/WritableIdentityCredential.h @@ -37,8 +37,8 @@ class WritableIdentityCredential : public BnWritableIdentityCredential { bool initialize(); // Methods from IWritableIdentityCredential follow. - ndk::ScopedAStatus getAttestationCertificate(const vector& attestationApplicationId, - const vector& attestationChallenge, + ndk::ScopedAStatus getAttestationCertificate(const vector& attestationApplicationId, + const vector& attestationChallenge, vector* outCertificateChain) override; ndk::ScopedAStatus startPersonalization(int32_t accessControlProfileCount, @@ -53,12 +53,12 @@ class WritableIdentityCredential : public BnWritableIdentityCredential { const string& nameSpace, const string& name, int32_t entrySize) override; - ndk::ScopedAStatus addEntryValue(const vector& content, - vector* outEncryptedContent) override; + ndk::ScopedAStatus addEntryValue(const vector& content, + vector* outEncryptedContent) override; ndk::ScopedAStatus finishAddingEntries( - vector* outCredentialData, - vector* outProofOfProvisioningSignature) override; + vector* outCredentialData, + vector* outProofOfProvisioningSignature) override; // private: string docType_; diff --git a/rebootescrow/aidl/default/RebootEscrow.cpp b/rebootescrow/aidl/default/RebootEscrow.cpp index dbc09215b3..8e5e97c80c 100644 --- a/rebootescrow/aidl/default/RebootEscrow.cpp +++ b/rebootescrow/aidl/default/RebootEscrow.cpp @@ -28,7 +28,7 @@ namespace rebootescrow { using ::android::base::unique_fd; -ndk::ScopedAStatus RebootEscrow::storeKey(const std::vector& kek) { +ndk::ScopedAStatus RebootEscrow::storeKey(const std::vector& ukek) { int rawFd = TEMP_FAILURE_RETRY(::open(devicePath_.c_str(), O_WRONLY | O_NOFOLLOW | O_CLOEXEC)); unique_fd fd(rawFd); if (fd.get() < 0) { @@ -36,7 +36,6 @@ ndk::ScopedAStatus RebootEscrow::storeKey(const std::vector& kek) { return ndk::ScopedAStatus(AStatus_fromExceptionCode(EX_UNSUPPORTED_OPERATION)); } - std::vector ukek(kek.begin(), kek.end()); auto encoded = hadamard::EncodeKey(ukek); if (!::android::base::WriteFully(fd, encoded.data(), encoded.size())) { @@ -47,7 +46,7 @@ ndk::ScopedAStatus RebootEscrow::storeKey(const std::vector& kek) { return ndk::ScopedAStatus::ok(); } -ndk::ScopedAStatus RebootEscrow::retrieveKey(std::vector* _aidl_return) { +ndk::ScopedAStatus RebootEscrow::retrieveKey(std::vector* _aidl_return) { int rawFd = TEMP_FAILURE_RETRY(::open(devicePath_.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC)); unique_fd fd(rawFd); if (fd.get() < 0) { @@ -63,8 +62,7 @@ ndk::ScopedAStatus RebootEscrow::retrieveKey(std::vector* _aidl_return) auto keyBytes = hadamard::DecodeKey(encodedBytes); - std::vector signedKeyBytes(keyBytes.begin(), keyBytes.end()); - *_aidl_return = signedKeyBytes; + *_aidl_return = keyBytes; return ndk::ScopedAStatus::ok(); } diff --git a/rebootescrow/aidl/default/include/rebootescrow-impl/RebootEscrow.h b/rebootescrow/aidl/default/include/rebootescrow-impl/RebootEscrow.h index 00ff16b2ea..cdbeb67eba 100644 --- a/rebootescrow/aidl/default/include/rebootescrow-impl/RebootEscrow.h +++ b/rebootescrow/aidl/default/include/rebootescrow-impl/RebootEscrow.h @@ -26,8 +26,8 @@ namespace rebootescrow { class RebootEscrow : public BnRebootEscrow { public: explicit RebootEscrow(const std::string& devicePath) : devicePath_(devicePath) {} - ndk::ScopedAStatus storeKey(const std::vector& kek) override; - ndk::ScopedAStatus retrieveKey(std::vector* _aidl_return) override; + ndk::ScopedAStatus storeKey(const std::vector& kek) override; + ndk::ScopedAStatus retrieveKey(std::vector* _aidl_return) override; private: const std::string devicePath_;