David Zeuthen 045a2c87e0 identity: Add multi-document presentation support.
Also fix a bug so the same AuthKey is used for several getEntries()
calls on a credential. This matches the behavior in the Jetpack.

Bug: 197965513
Test: New CTS tests and new screen in CtsVerifier
Change-Id: I344f44b5655f0977ee650b518ce669e3c8a7b47a
2022-01-10 17:38:04 -05:00


/*
* Copyright (c) 2019, The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef SYSTEM_SECURITY_CREDENTIAL_DATA_H_
#define SYSTEM_SECURITY_CREDENTIAL_DATA_H_
#include <sys/types.h>
#include <unistd.h>

#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

#include <android/hardware/identity/IIdentityCredential.h>
#include <android/hardware/identity/SecureAccessControlProfile.h>
namespace android {
namespace security {
namespace identity {
using ::android::hardware::identity::Certificate;
using ::android::hardware::identity::IIdentityCredential;
using ::android::hardware::identity::SecureAccessControlProfile;
using ::std::map;
using ::std::optional;
using ::std::pair;
using ::std::string;
using ::std::tuple;
using ::std::vector;
// One data element of a credential as held on the host side. The value is
// never kept in the clear here: only its ciphertext chunks are stored, along
// with the size and the access-control profile ids the entry is bound to.
struct EntryData {
    EntryData() = default;

    // Size of the entry value (presumably its unencrypted length; the
    // ciphertext lives in |encryptedChunks|).
    std::uint64_t size = 0;

    // Ids of the access control profiles (SecureAccessControlProfile) that
    // govern access to this entry.
    std::vector<std::int32_t> accessControlProfileIds;

    // The entry value, encrypted by the HAL and split into chunks.
    std::vector<std::vector<std::uint8_t>> encryptedChunks;
};
// One slot in a credential's authentication-key pool. A slot carries the
// key currently in use (|certificate|, |keyBlob|, its expiry and the static
// authentication data issued for it) plus an optional replacement key
// (|pendingCertificate|, |pendingKeyBlob|) that has been generated but not
// yet certified. |useCount| tracks how often the active key was handed out
// by CredentialData::selectAuthKey().
struct AuthKeyData {
    AuthKeyData() = default;

    // Active key: its certificate, the opaque HAL key blob, expiry (ms since
    // the epoch) and the static authentication data bound to it.
    std::vector<std::uint8_t> certificate;
    std::vector<std::uint8_t> keyBlob;
    std::int64_t expirationDateMillisSinceEpoch = 0;
    std::vector<std::uint8_t> staticAuthenticationData;

    // Replacement key awaiting certification; empty when none is pending.
    std::vector<std::uint8_t> pendingCertificate;
    std::vector<std::uint8_t> pendingKeyBlob;

    // Number of times the active key has been selected for use.
    int useCount = 0;
};
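// Host-side state for one identity credential: the opaque HAL credential
// blob, its attestation certificate, the access control profiles, the
// encrypted entries and the pool of authentication keys. Everything from
// |secureUserId_| down is what gets serialized (as CBOR) to the file named
// by |fileName_|, which is derived from |dataPath|, |ownerUid| and |name|.
//
// Fix in this revision: |secureUserId_| now has an in-class initializer like
// every other persisted member, so getSecureUserId() can never return an
// indeterminate value on an object that was constructed but not loaded.
class CredentialData : public RefBase {
  public:
    // |fileName_| is computed here from the three arguments. Nothing is read
    // from disk yet; call loadFromDisk() for that.
    //
    // NOTE(review): |name| is caller-supplied. Confirm that
    // calculateCredentialFileName() encodes it so that a name containing
    // '/' or '..' cannot address a file outside |dataPath|.
    CredentialData(const string& dataPath, uid_t ownerUid, const string& name);

    // Name of the on-disk file that holds the credential identified by
    // (|dataPath|, |ownerUid|, |name|).
    static string calculateCredentialFileName(const string& dataPath, uid_t ownerUid,
                                              const string& name);

    // Whether such a file exists. Presumably nullopt when the question cannot
    // be answered (e.g. the directory cannot be inspected) — see the .cpp.
    static optional<bool> credentialExists(const string& dataPath, uid_t ownerUid,
                                           const string& name);

    // Setters; each stores into the correspondingly named member below.
    void setSecureUserId(int64_t secureUserId);
    void setCredentialData(const vector<uint8_t>& credentialData);
    void setAttestationCertificate(const vector<uint8_t>& attestationCertificate);
    void
    addSecureAccessControlProfile(const SecureAccessControlProfile& secureAccessControlProfile);

    // Records |data| for the entry (|namespaceName|, |entryName|). The
    // backing map is keyed by a single string, so the two names are
    // presumably combined into one key in the .cpp.
    void addEntryData(const string& namespaceName, const string& entryName, const EntryData& data);

    // Persistence. All three return false on failure.
    bool saveToDisk() const;
    bool loadFromDisk();
    bool deleteCredential();

    // Sets the size of the authentication-key pool and the per-key use
    // limit. Since |authKeyDatas_| is kept |keyCount_| long, this may
    // reallocate that vector; treat any pointer previously obtained from
    // selectAuthKey() as invalid afterwards.
    void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey);

    // Getters
    int64_t getSecureUserId();
    const vector<uint8_t>& getCredentialData() const;
    const vector<uint8_t>& getAttestationCertificate() const;
    const vector<SecureAccessControlProfile>& getSecureAccessControlProfiles() const;
    bool hasEntryData(const string& namespaceName, const string& entryName) const;
    optional<EntryData> getEntryData(const string& namespaceName, const string& entryName) const;
    const vector<AuthKeyData>& getAuthKeyDatas() const;
    pair<int /* keyCount */, int /* maxUsesPerKey */> getAvailableAuthenticationKeys();

    // Returns |nullptr| if a suitable key cannot be found. Otherwise returns
    // the authentication key and, presumably only when |incrementUsageCount|
    // is set, increases its use-count. "Exhausted" is taken to mean the key
    // has reached |maxUsesPerKey_| and "expired" that its expiry has passed;
    // see findAuthKey_() in the .cpp for the exact tests.
    //
    // The pointer aliases an element of |authKeyDatas_|: it is invalidated by
    // setAvailableAuthenticationKeys() and by anything that replaces that
    // vector (loadFromDisk() in particular), so do not hold it across those.
    const AuthKeyData* selectAuthKey(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys,
                                     bool incrementUsageCount);

    // Asks the HAL (via |halBinder|) for the keys that still need to be
    // certified and returns them; nullopt presumably on HAL failure.
    optional<vector<vector<uint8_t>>>
    getAuthKeysNeedingCertification(const sp<IIdentityCredential>& halBinder);

    // Attaches |staticAuthData| and an expiry to the key identified by
    // |authenticationKey|. Returns false if that key is not found or the
    // data cannot be stored (exact conditions are in the .cpp).
    bool storeStaticAuthenticationData(const vector<uint8_t>& authenticationKey,
                                       int64_t expirationDateMillisSinceEpoch,
                                       const vector<uint8_t>& staticAuthData);

  private:
    // Mutable counterpart of selectAuthKey()'s lookup; returns nullptr when
    // no key satisfies the two allow-flags.
    AuthKeyData* findAuthKey_(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys);

    // Set by constructor.
    //
    string dataPath_;
    uid_t ownerUid_;
    string name_;

    // Calculated at construction time, from |dataPath_|, |ownerUid_|, |name_|.
    string fileName_;

    // Data serialized in CBOR from here:
    //
    // Initialized in-class so a constructed-but-not-loaded object never
    // exposes an indeterminate value through getSecureUserId().
    int64_t secureUserId_ = 0;
    vector<uint8_t> credentialData_;
    vector<uint8_t> attestationCertificate_;
    vector<SecureAccessControlProfile> secureAccessControlProfiles_;
    // Keyed by a single string per entry (see addEntryData()).
    map<string, EntryData> idToEncryptedChunks_;
    int keyCount_ = 0;
    int maxUsesPerKey_ = 1;
    vector<AuthKeyData> authKeyDatas_;  // Always |keyCount_| long.
};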
} // namespace identity
} // namespace security
} // namespace android
#endif // SYSTEM_SECURITY_CREDENTIAL_DATA_H_