Diffstat (limited to 'guest/hals/identity/RemoteSecureHardwareProxy.h')
-rw-r--r-- | guest/hals/identity/RemoteSecureHardwareProxy.h | 169 |
1 files changed, 169 insertions, 0 deletions
diff --git a/guest/hals/identity/RemoteSecureHardwareProxy.h b/guest/hals/identity/RemoteSecureHardwareProxy.h
new file mode 100644
index 000000000..39cb42269
--- /dev/null
+++ b/guest/hals/identity/RemoteSecureHardwareProxy.h
@@ -0,0 +1,169 @@
+/*
+ * Copyright 2021, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef ANDROID_HARDWARE_IDENTITY_FAKESECUREHARDWAREPROXY_H
+#define ANDROID_HARDWARE_IDENTITY_FAKESECUREHARDWAREPROXY_H
+
+#include <libeic.h>
+
+#include "SecureHardwareProxy.h"
+
+namespace android::hardware::identity {
+
+// This implementation uses libEmbeddedIC in-process.
+//
+class RemoteSecureHardwareProvisioningProxy
+ : public SecureHardwareProvisioningProxy {
+ public:
+ RemoteSecureHardwareProvisioningProxy();
+ virtual ~RemoteSecureHardwareProvisioningProxy();
+
+ bool initialize(bool testCredential) override;
+
+ bool initializeForUpdate(bool testCredential, string docType,
+ vector<uint8_t> encryptedCredentialKeys) override;
+
+ bool shutdown() override;
+
+ // Returns public key certificate.
+ optional<vector<uint8_t>> createCredentialKey(
+ const vector<uint8_t>& challenge,
+ const vector<uint8_t>& applicationId) override;
+
+ bool startPersonalization(int accessControlProfileCount,
+ vector<int> entryCounts, const string& docType,
+ size_t expectedProofOfProvisioningSize) override;
+
+ // Returns MAC (28 bytes).
+ optional<vector<uint8_t>> addAccessControlProfile(
+ int id, const vector<uint8_t>& readerCertificate,
+ bool userAuthenticationRequired, uint64_t timeoutMillis,
+ uint64_t secureUserId) override;
+
+ bool beginAddEntry(const vector<int>& accessControlProfileIds,
+ const string& nameSpace, const string& name,
+ uint64_t entrySize) override;
+
+ // Returns encryptedContent.
+ optional<vector<uint8_t>> addEntryValue(
+ const vector<int>& accessControlProfileIds, const string& nameSpace,
+ const string& name, const vector<uint8_t>& content) override;
+
+ // Returns signatureOfToBeSigned (EIC_ECDSA_P256_SIGNATURE_SIZE bytes).
+ optional<vector<uint8_t>> finishAddingEntries() override;
+
+ // Returns encryptedCredentialKeys (80 bytes).
+ optional<vector<uint8_t>> finishGetCredentialData(
+ const string& docType) override;
+
+ protected:
+ EicProvisioning ctx_;
+};
+
+// This implementation uses libEmbeddedIC in-process.
+//
+class RemoteSecureHardwarePresentationProxy
+ : public SecureHardwarePresentationProxy {
+ public:
+ RemoteSecureHardwarePresentationProxy();
+ virtual ~RemoteSecureHardwarePresentationProxy();
+
+ bool initialize(bool testCredential, string docType,
+ vector<uint8_t> encryptedCredentialKeys) override;
+
+ // Returns publicKeyCert (1st component) and signingKeyBlob (2nd component)
+ optional<pair<vector<uint8_t>, vector<uint8_t>>> generateSigningKeyPair(
+ string docType, time_t now) override;
+
+ // Returns private key
+ optional<vector<uint8_t>> createEphemeralKeyPair() override;
+
+ optional<uint64_t> createAuthChallenge() override;
+
+ bool startRetrieveEntries() override;
+
+ bool setAuthToken(uint64_t challenge, uint64_t secureUserId,
+ uint64_t authenticatorId, int hardwareAuthenticatorType,
+ uint64_t timeStamp, const vector<uint8_t>& mac,
+ uint64_t verificationTokenChallenge,
+ uint64_t verificationTokenTimestamp,
+ int verificationTokenSecurityLevel,
+ const vector<uint8_t>& verificationTokenMac) override;
+
+ bool pushReaderCert(const vector<uint8_t>& certX509) override;
+
+ optional<bool> validateAccessControlProfile(
+ int id, const vector<uint8_t>& readerCertificate,
+ bool userAuthenticationRequired, int timeoutMillis, uint64_t secureUserId,
+ const vector<uint8_t>& mac) override;
+
+ bool validateRequestMessage(
+ const vector<uint8_t>& sessionTranscript,
+ const vector<uint8_t>& requestMessage, int coseSignAlg,
+ const vector<uint8_t>& readerSignatureOfToBeSigned) override;
+
+ bool calcMacKey(const vector<uint8_t>& sessionTranscript,
+ const vector<uint8_t>& readerEphemeralPublicKey,
+ const vector<uint8_t>& signingKeyBlob, const string& docType,
+ unsigned int numNamespacesWithValues,
+ size_t expectedProofOfProvisioningSize) override;
+
+ AccessCheckResult startRetrieveEntryValue(
+ const string& nameSpace, const string& name,
+ unsigned int newNamespaceNumEntries, int32_t entrySize,
+ const vector<int32_t>& accessControlProfileIds) override;
+
+ optional<vector<uint8_t>> retrieveEntryValue(
+ const vector<uint8_t>& encryptedContent, const string& nameSpace,
+ const string& name,
+ const vector<int32_t>& accessControlProfileIds) override;
+
+ optional<vector<uint8_t>> finishRetrieval() override;
+
+ optional<vector<uint8_t>> deleteCredential(
+ const string& docType, const vector<uint8_t>& challenge,
+ bool includeChallenge, size_t proofOfDeletionCborSize) override;
+
+ optional<vector<uint8_t>> proveOwnership(
+ const string& docType, bool testCredential,
+ const vector<uint8_t>& challenge,
+ size_t proofOfOwnershipCborSize) override;
+
+ bool shutdown() override;
+
+ protected:
+ EicPresentation ctx_;
+};
+
+// Factory implementation.
+//
+class RemoteSecureHardwareProxyFactory : public SecureHardwareProxyFactory {
+ public:
+ RemoteSecureHardwareProxyFactory() {}
+ virtual ~RemoteSecureHardwareProxyFactory() {}
+
+ sp<SecureHardwareProvisioningProxy> createProvisioningProxy() override {
+ return new RemoteSecureHardwareProvisioningProxy();
+ }
+
+ sp<SecureHardwarePresentationProxy> createPresentationProxy() override {
+ return new RemoteSecureHardwarePresentationProxy();
+ }
+};
+
+} // namespace android::hardware::identity
+
+#endif // ANDROID_HARDWARE_IDENTITY_FAKESECUREHARDWAREPROXY_H |
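Review bot: The include guard `ANDROID_HARDWARE_IDENTITY_FAKESECUREHARDWAREPROXY_H` at the top and bottom of this new RemoteSecureHardwareProxy.h does not name this file; if it was carried over from a FakeSecureHardwareProxy.h that uses the same guard, then any translation unit that includes both headers silently gets only the first one, and the Remote proxy classes or factory vanish from that TU. I would rename the guard to match the file, `#ifndef ANDROID_HARDWARE_IDENTITY_REMOTESECUREHARDWAREPROXY_H`, `#define ANDROID_HARDWARE_IDENTITY_REMOTESECUREHARDWAREPROXY_H` and `#endif  // ANDROID_HARDWARE_IDENTITY_REMOTESECUREHARDWAREPROXY_H`. The class comments `// This implementation uses libEmbeddedIC in-process.` above both proxy classes look copied as well and contradict the "Remote" naming; they should say what this proxy actually does (where the `EicProvisioning`/`EicPresentation` context lives and how it reaches the secure hardware), or be dropped until the implementation is in. Neither `timeoutMillis` being `uint64_t` in `addAccessControlProfile` and `int` in `validateAccessControlProfile` nor the raw `new` in the factory can be judged here, since both follow the base-class signatures declared outside this diff.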