author | David Zeuthen <zeuthen@google.com> | 2020-10-16 11:50:13 -0400 |
---|---|---|
committer | David Zeuthen <zeuthen@google.com> | 2021-01-22 18:37:03 -0500 |
commit | 472e6c8e18c800b0b650bd8697e17ce65c1f3608 (patch) | |
tree | 471569d2a83c6aa0bbc43328f05d0e2cd51ee28b /identity/WritableCredential.cpp | |
parent | 507171614b09405ec1660ed7726d6869745b128c (diff) | |
download | security-472e6c8e18c800b0b650bd8697e17ce65c1f3608.tar.gz |
Credstore changes for Android 12
- Add Credential.proveOwnership()
- Add Credential.deleteWithChallenge()
- Add Credential.updateCredential()
- Add Credential.storeStaticAuthenticationDataWithExpirationDate()
- Store this on disk. For entries stored without this parameter
assume they never expire.
- Add allowUsingExpiredKeys to Credential.selectAuthKey() and
Credential.getEntries()
- Unless set to true, never select an expired key
- Introduce ERROR_NOT_SUPPORTED and return this if HAL does not
support operation
Bug: 170146643
Test: atest android.security.identity.cts
Change-Id: Ic5dafc6498c9c59b82942def9d348d974f008589
Diffstat (limited to 'identity/WritableCredential.cpp')
-rw-r--r-- | identity/WritableCredential.cpp | 43 |
1 files changed, 34 insertions, 9 deletions
diff --git a/identity/WritableCredential.cpp b/identity/WritableCredential.cpp
index a932dcf5..d0688b8d 100644
--- a/identity/WritableCredential.cpp
+++ b/identity/WritableCredential.cpp
@@ -39,13 +39,19 @@ using ::android::hardware::identity::SecureAccessControlProfile;
 using ::android::hardware::identity::support::chunkVector;
 
 WritableCredential::WritableCredential(const string& dataPath, const string& credentialName,
- const string& docType, size_t dataChunkSize,
- sp<IWritableIdentityCredential> halBinder)
- : dataPath_(dataPath), credentialName_(credentialName), docType_(docType),
- dataChunkSize_(dataChunkSize), halBinder_(halBinder) {}
+ const string& docType, bool isUpdate,
+ HardwareInformation hwInfo,
+ sp<IWritableIdentityCredential> halBinder, int halApiVersion)
+ : dataPath_(dataPath), credentialName_(credentialName), docType_(docType), isUpdate_(isUpdate),
+ hwInfo_(std::move(hwInfo)), halBinder_(halBinder), halApiVersion_(halApiVersion) {}
 
 WritableCredential::~WritableCredential() {}
 
+void WritableCredential::setCredentialUpdatedCallback(
+ std::function<void()>&& onCredentialUpdatedCallback) {
+ onCredentialUpdatedCallback_ = onCredentialUpdatedCallback;
+}
+
 Status WritableCredential::ensureAttestationCertificateExists(const vector<uint8_t>& challenge) {
 if (!attestationCertificate_.empty()) {
 return Status::ok();
@@ -79,7 +85,10 @@ Status WritableCredential::ensureAttestationCertificateExists(const vector<uint8
 
 Status WritableCredential::getCredentialKeyCertificateChain(const vector<uint8_t>& challenge,
 vector<uint8_t>* _aidl_return) {
-
+ if (isUpdate_) {
+ return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC,
+ "Cannot be called for an update");
+ }
 Status ensureStatus = ensureAttestationCertificateExists(challenge);
 if (!ensureStatus.isOk()) {
 return ensureStatus;
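Review bot: In setCredentialUpdatedCallback() the parameter is declared `std::function<void()>&&`, but a named rvalue reference is an lvalue, so `onCredentialUpdatedCallback_ = onCredentialUpdatedCallback;` copies the callable instead of moving it. `onCredentialUpdatedCallback_ = std::move(onCredentialUpdatedCallback);` matches the signature and the `std::move(hwInfo)` already used in the constructor in the same hunk. The setter also has no comment; one line saying that the callback is invoked from personalize() after the credential data is saved (the last hunk), and that it has to be set before personalize() runs, would document the contract.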
@@ -89,6 +98,15 @@ Status WritableCredential::getCredentialKeyCertificateChain(const vector<uint8_t
 return Status::ok();
 }
 
+void WritableCredential::setAttestationCertificate(const vector<uint8_t>& attestationCertificate) {
+ attestationCertificate_ = attestationCertificate;
+}
+
+void WritableCredential::setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey) {
+ keyCount_ = keyCount;
+ maxUsesPerKey_ = maxUsesPerKey;
+}
+
 ssize_t WritableCredential::calcExpectedProofOfProvisioningSize(
 const vector<AccessControlProfileParcel>& accessControlProfiles,
 const vector<EntryNamespaceParcel>& entryNamespaces) {
@@ -149,9 +167,12 @@ Status
 WritableCredential::personalize(const vector<AccessControlProfileParcel>& accessControlProfiles,
 const vector<EntryNamespaceParcel>& entryNamespaces,
 int64_t secureUserId, vector<uint8_t>* _aidl_return) {
- Status ensureStatus = ensureAttestationCertificateExists({0x00}); // Challenge cannot be empty.
- if (!ensureStatus.isOk()) {
- return ensureStatus;
+ if (!isUpdate_) {
+ Status ensureStatus =
+ ensureAttestationCertificateExists({0x00}); // Challenge cannot be empty.
+ if (!ensureStatus.isOk()) {
+ return ensureStatus;
+ }
 }
 
 uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
@@ -203,7 +224,7 @@ WritableCredential::personalize(const vector<AccessControlProfileParcel>& access
 
 for (const EntryNamespaceParcel& ensParcel : entryNamespaces) {
 for (const EntryParcel& eParcel : ensParcel.entries) {
- vector<vector<uint8_t>> chunks = chunkVector(eParcel.value, dataChunkSize_);
+ vector<vector<uint8_t>> chunks = chunkVector(eParcel.value, hwInfo_.dataChunkSize);
 
 vector<int32_t> ids;
 std::copy(eParcel.accessControlProfileIds.begin(),
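Review bot: setAvailableAuthenticationKeys() stores `keyCount` and `maxUsesPerKey` exactly as given, and the last hunk hands them to `data.setAvailableAuthenticationKeys()` immediately before `saveToDisk()`, so whatever the caller supplies ends up persisted. No range check is visible in this hunk; unless the caller already rejects negative values, the values should be checked before they reach this setter, or the assumption stated here, for example `// Caller guarantees keyCount >= 0 and maxUsesPerKey >= 0.` Both new setters are undocumented, and a one-line comment naming the code path expected to call them would help the next reader.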
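Review bot: With `isUpdate_` set, personalize() now skips ensureAttestationCertificateExists(), and nothing in this hunk checks that setAttestationCertificate() was called beforehand, so the update path can run with an empty `attestationCertificate_`. Whether the rest of personalize() (outside the hunk) stores that member is not visible here; if it does, an update could save credential data without a certificate chain. An explicit guard turns the implicit precondition into an enforced one: `if (isUpdate_ && attestationCertificate_.empty()) { return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC, "Attestation certificate not set for update"); }`.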
@@ -240,11 +261,15 @@ WritableCredential::personalize(const vector<AccessControlProfileParcel>& access
 }
 data.setCredentialData(credentialData);
 
+ data.setAvailableAuthenticationKeys(keyCount_, maxUsesPerKey_);
+
 if (!data.saveToDisk()) {
 return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC,
 "Error saving credential data to disk");
 }
 
+ onCredentialUpdatedCallback_();
+
 *_aidl_return = proofOfProvisioningSignature;
 return Status::ok();
 } |
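Review bot: `onCredentialUpdatedCallback_();` is called unconditionally once saveToDisk() has succeeded, but the only place the member is assigned is setCredentialUpdatedCallback() in the first hunk, and nothing visible guarantees that it was called. Assuming the member is a plain `std::function<void()>` (its declaration is in the header, not shown), invoking it while empty throws std::bad_function_call, or terminates the process where exceptions are disabled. That would happen after the credential is already on disk and before the proof-of-provisioning signature reaches the caller. Guarding the call closes the gap: `if (onCredentialUpdatedCallback_) { onCredentialUpdatedCallback_(); }`. The body of personalize() starts outside this hunk.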