be32113307
Revert "Add dependency on keymint cpp lib" Revert "Allow default identity service to call keymint" Revert submission 1956689-add rkp to identity-default Reason for revert: Broke git-master. Will resubmit later. Reverted Changes: I96dcf3027:Add remote key provisioning to the IC HAL Id686ac33a:Add dependency on keymint cpp lib Ib368a2a00:Log to logd in the default identity service I7d2906de0:Refactor IC support for RKP Iae0f14f1c:Fix formatting of identity credential aidl I01d086a4b:Allow default identity service to call keymint Change-Id: I76a898c04090c5befe5fb5a5d07ec2e397fdd8b3
149 lines
5.2 KiB
C++
149 lines
5.2 KiB
C++
/*
|
|
* Copyright 2021, The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#define LOG_TAG "PresentationSession"
|
|
|
|
#include "PresentationSession.h"
|
|
#include "IdentityCredentialStore.h"
|
|
|
|
#include <android/hardware/identity/support/IdentityCredentialSupport.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <android-base/logging.h>
|
|
#include <android-base/stringprintf.h>
|
|
|
|
#include <cppbor.h>
|
|
#include <cppbor_parse.h>
|
|
|
|
#include "FakeSecureHardwareProxy.h"
|
|
#include "IdentityCredential.h"
|
|
#include "PresentationSession.h"
|
|
|
|
namespace aidl::android::hardware::identity {
|
|
|
|
using ::std::optional;
|
|
|
|
using namespace ::android::hardware::identity;
|
|
|
|
PresentationSession::~PresentationSession() {}
|
|
|
|
int PresentationSession::initialize() {
|
|
if (!hwProxy_->initialize()) {
|
|
LOG(ERROR) << "hwProxy->initialize failed";
|
|
return IIdentityCredentialStore::STATUS_FAILED;
|
|
}
|
|
|
|
optional<uint64_t> id = hwProxy_->getId();
|
|
if (!id) {
|
|
LOG(ERROR) << "Error getting id for session";
|
|
return IIdentityCredentialStore::STATUS_FAILED;
|
|
}
|
|
id_ = id.value();
|
|
|
|
optional<vector<uint8_t>> ephemeralKeyPriv = hwProxy_->getEphemeralKeyPair();
|
|
if (!ephemeralKeyPriv) {
|
|
LOG(ERROR) << "Error getting ephemeral private key for session";
|
|
return IIdentityCredentialStore::STATUS_FAILED;
|
|
}
|
|
optional<vector<uint8_t>> ephemeralKeyPair =
|
|
support::ecPrivateKeyToKeyPair(ephemeralKeyPriv.value());
|
|
if (!ephemeralKeyPair) {
|
|
LOG(ERROR) << "Error creating ephemeral key-pair";
|
|
return IIdentityCredentialStore::STATUS_FAILED;
|
|
}
|
|
ephemeralKeyPair_ = ephemeralKeyPair.value();
|
|
|
|
optional<uint64_t> authChallenge = hwProxy_->getAuthChallenge();
|
|
if (!authChallenge) {
|
|
LOG(ERROR) << "Error getting authChallenge for session";
|
|
return IIdentityCredentialStore::STATUS_FAILED;
|
|
}
|
|
authChallenge_ = authChallenge.value();
|
|
|
|
return IIdentityCredentialStore::STATUS_OK;
|
|
}
|
|
|
|
ndk::ScopedAStatus PresentationSession::getEphemeralKeyPair(vector<uint8_t>* outKeyPair) {
|
|
*outKeyPair = ephemeralKeyPair_;
|
|
return ndk::ScopedAStatus::ok();
|
|
}
|
|
|
|
ndk::ScopedAStatus PresentationSession::getAuthChallenge(int64_t* outChallenge) {
|
|
*outChallenge = authChallenge_;
|
|
return ndk::ScopedAStatus::ok();
|
|
}
|
|
|
|
ndk::ScopedAStatus PresentationSession::setReaderEphemeralPublicKey(
|
|
const vector<uint8_t>& publicKey) {
|
|
// We expect the reader ephemeral public key to be same size and curve
|
|
// as the ephemeral key we generated (e.g. P-256 key), otherwise ECDH
|
|
// won't work. So its length should be 65 bytes and it should be
|
|
// starting with 0x04.
|
|
if (publicKey.size() != 65 || publicKey[0] != 0x04) {
|
|
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
|
|
IIdentityCredentialStore::STATUS_FAILED,
|
|
"Reader public key is not in expected format"));
|
|
}
|
|
readerPublicKey_ = publicKey;
|
|
vector<uint8_t> pubKeyP256(publicKey.begin() + 1, publicKey.end());
|
|
if (!hwProxy_->setReaderEphemeralPublicKey(pubKeyP256)) {
|
|
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
|
|
IIdentityCredentialStore::STATUS_FAILED,
|
|
"Error setting readerEphemeralPublicKey for session"));
|
|
}
|
|
return ndk::ScopedAStatus::ok();
|
|
}
|
|
|
|
ndk::ScopedAStatus PresentationSession::setSessionTranscript(
|
|
const vector<uint8_t>& sessionTranscript) {
|
|
sessionTranscript_ = sessionTranscript;
|
|
if (!hwProxy_->setSessionTranscript(sessionTranscript)) {
|
|
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
|
|
IIdentityCredentialStore::STATUS_FAILED,
|
|
"Error setting SessionTranscript for session"));
|
|
}
|
|
return ndk::ScopedAStatus::ok();
|
|
}
|
|
|
|
ndk::ScopedAStatus PresentationSession::getCredential(
|
|
const vector<uint8_t>& credentialData, shared_ptr<IIdentityCredential>* outCredential) {
|
|
shared_ptr<PresentationSession> p = ref<PresentationSession>();
|
|
shared_ptr<IdentityCredential> credential =
|
|
ndk::SharedRefBase::make<IdentityCredential>(hwProxyFactory_, credentialData, p);
|
|
int ret = credential->initialize();
|
|
if (ret != IIdentityCredentialStore::STATUS_OK) {
|
|
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
|
|
ret, "Error initializing IdentityCredential"));
|
|
}
|
|
*outCredential = std::move(credential);
|
|
|
|
return ndk::ScopedAStatus::ok();
|
|
}
|
|
|
|
uint64_t PresentationSession::getSessionId() {
|
|
return id_;
|
|
}
|
|
|
|
vector<uint8_t> PresentationSession::getSessionTranscript() {
|
|
return sessionTranscript_;
|
|
}
|
|
|
|
vector<uint8_t> PresentationSession::getReaderEphemeralPublicKey() {
|
|
return readerPublicKey_;
|
|
}
|
|
|
|
} // namespace aidl::android::hardware::identity
|