tequilaOS/platform_system_security
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_security/identity/Credential.h
David Zeuthen c239db4114 identity: Add support for setting minimum validity period for AuthKey. 
This change adds support for specifying that an AuthKey should be
replaced if it's going to expire within a certain amount of time
configurable by the application. This also adds a way for the
application to learn about the expiration time of currently configured
AuthKeys.

Combined these two changes allow an application to get a perfect
picture of which AuthKeys are available, when they expire, and allows
the application to refresh AuthKeys well ahead of expiration dates.

Also remove checking storeStaticAuthenticationDataWithExpiration() is
only available on HAL version 3 and later (feature version 202101 and
later). This works on any HAL version.

Bug: 241912421
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: Ic8274088035c31f73ad61645ee5e0281b3460837
2022-12-09 02:58:18 -05:00

128 lines
4.9 KiB
C++
Raw Blame History

/*
* Copyright (c) 2019, The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef SYSTEM_SECURITY_CREDENTIAL_H_
#define SYSTEM_SECURITY_CREDENTIAL_H_
#include <string>
#include <vector>
#include <android/security/identity/BnCredential.h>
#include <android/hardware/identity/IIdentityCredentialStore.h>
#include "CredentialData.h"
namespace android {
namespace security {
namespace identity {
using ::android::sp;
using ::android::binder::Status;
using ::std::string;
using ::std::vector;
using ::android::hardware::identity::CipherSuite;
using ::android::hardware::identity::HardwareInformation;
using ::android::hardware::identity::IIdentityCredential;
using ::android::hardware::identity::IIdentityCredentialStore;
using ::android::hardware::identity::IPresentationSession;
using ::android::hardware::identity::RequestDataItem;
using ::android::hardware::identity::RequestNamespace;
class Credential : public BnCredential {
public:
Credential(CipherSuite cipherSuite, const string& dataPath, const string& credentialName,
uid_t callingUid, HardwareInformation hwInfo,
sp<IIdentityCredentialStore> halStoreBinder,
sp<IPresentationSession> halSessionBinder, int halApiVersion);
~Credential();
Status ensureOrReplaceHalBinder();
void writableCredentialPersonalized();
// ICredential overrides
Status createEphemeralKeyPair(vector<uint8_t>* _aidl_return) override;
Status setReaderEphemeralPublicKey(const vector<uint8_t>& publicKey) override;
Status deleteCredential(vector<uint8_t>* _aidl_return) override;
Status deleteWithChallenge(const vector<uint8_t>& challenge,
vector<uint8_t>* _aidl_return) override;
Status proveOwnership(const vector<uint8_t>& challenge, vector<uint8_t>* _aidl_return) override;
Status getCredentialKeyCertificateChain(vector<uint8_t>* _aidl_return) override;
Status selectAuthKey(bool allowUsingExhaustedKeys, bool allowUsingExpiredKeys,
bool incrementUsageCount, int64_t* _aidl_return) override;
Status getEntries(const vector<uint8_t>& requestMessage,
const vector<RequestNamespaceParcel>& requestNamespaces,
const vector<uint8_t>& sessionTranscript,
const vector<uint8_t>& readerSignature, bool allowUsingExhaustedKeys,
bool allowUsingExpiredKeys, bool incrementUsageCount,
GetEntriesResultParcel* _aidl_return) override;
Status setAvailableAuthenticationKeys(int32_t keyCount, int32_t maxUsesPerKey,
int64_t minValidTimeMillis) override;
Status getAuthKeysNeedingCertification(vector<AuthKeyParcel>* _aidl_return) override;
Status storeStaticAuthenticationData(const AuthKeyParcel& authenticationKey,
const vector<uint8_t>& staticAuthData) override;
Status
storeStaticAuthenticationDataWithExpiration(const AuthKeyParcel& authenticationKey,
int64_t expirationDateMillisSinceEpoch,
const vector<uint8_t>& staticAuthData) override;
Status getAuthenticationDataUsageCount(vector<int32_t>* _aidl_return) override;
Status getAuthenticationDataExpirations(vector<int64_t>* _aidl_return) override;
Status update(sp<IWritableCredential>* _aidl_return) override;
private:
CipherSuite cipherSuite_;
string dataPath_;
string credentialName_;
uid_t callingUid_;
HardwareInformation hwInfo_;
sp<IIdentityCredentialStore> halStoreBinder_;
sp<IPresentationSession> halSessionBinder_;
uint64_t selectedChallenge_ = 0;
sp<IIdentityCredential> halBinder_;
int halApiVersion_;
// This is used to cache the selected AuthKey to ensure the same AuthKey is used across
// multiple getEntries() calls.
//
bool selectedAuthKey_ = false;
vector<uint8_t> selectedAuthKeySigningKeyBlob_;
vector<uint8_t> selectedAuthKeyStaticAuthData_;
bool ensureChallenge();
ssize_t
calcExpectedDeviceNameSpacesSize(const vector<uint8_t>& requestMessage,
const vector<RequestNamespaceParcel>& requestNamespaces,
uint32_t authorizedAcps);
};
} // namespace identity
} // namespace security
} // namespace android
#endif // SYSTEM_SECURITY_IDENTITY_CREDENTIAL_H_
Reference in a new issue View git blame Copy permalink