identity: Add support for ECDSA auth and don't require session encryption.
This adds a new method which allows applications to use mdoc ECDSA
authentication instead of mdoc MAC authentication. Additionally, also
relax requirements on SessionTranscript so the APIs can be used even
when mdoc session encryption isn't being used.
Also add new VTS test to check for this.
Since this is new API, bump API version to 5 and the Identity
Credential feature version to 202301.
Bug: 241912421
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: I4085a89be0382c10f5449e13c6a92a46c74c225d
diff --git a/identity/aidl/default/FakeSecureHardwareProxy.cpp b/identity/aidl/default/FakeSecureHardwareProxy.cpp
index 9b9a749..8551ab7 100644
--- a/identity/aidl/default/FakeSecureHardwareProxy.cpp
+++ b/identity/aidl/default/FakeSecureHardwareProxy.cpp
@@ -596,10 +596,10 @@
return eicPresentationStartRetrieveEntries(&ctx_);
}
-bool FakeSecureHardwarePresentationProxy::calcMacKey(
+bool FakeSecureHardwarePresentationProxy::prepareDeviceAuthentication(
const vector<uint8_t>& sessionTranscript, const vector<uint8_t>& readerEphemeralPublicKey,
const vector<uint8_t>& signingKeyBlob, const string& docType,
- unsigned int numNamespacesWithValues, size_t expectedProofOfProvisioningSize) {
+ unsigned int numNamespacesWithValues, size_t expectedDeviceNamespacesSize) {
if (!validateId(__func__)) {
return false;
}
@@ -608,10 +608,10 @@
eicDebug("Unexpected size %zd of signingKeyBlob, expected 60", signingKeyBlob.size());
return false;
}
- return eicPresentationCalcMacKey(&ctx_, sessionTranscript.data(), sessionTranscript.size(),
- readerEphemeralPublicKey.data(), signingKeyBlob.data(),
- docType.c_str(), docType.size(), numNamespacesWithValues,
- expectedProofOfProvisioningSize);
+ return eicPresentationPrepareDeviceAuthentication(
+ &ctx_, sessionTranscript.data(), sessionTranscript.size(),
+ readerEphemeralPublicKey.data(), readerEphemeralPublicKey.size(), signingKeyBlob.data(),
+ docType.c_str(), docType.size(), numNamespacesWithValues, expectedDeviceNamespacesSize);
}
AccessCheckResult FakeSecureHardwarePresentationProxy::startRetrieveEntryValue(
@@ -673,6 +673,25 @@
return content;
}
+optional<pair<vector<uint8_t>, vector<uint8_t>>>
+FakeSecureHardwarePresentationProxy::finishRetrievalWithSignature() {
+ if (!validateId(__func__)) {
+ return std::nullopt;
+ }
+
+ vector<uint8_t> mac(32);
+ size_t macSize = 32;
+ vector<uint8_t> ecdsaSignature(EIC_ECDSA_P256_SIGNATURE_SIZE);
+ size_t ecdsaSignatureSize = EIC_ECDSA_P256_SIGNATURE_SIZE;
+ if (!eicPresentationFinishRetrievalWithSignature(&ctx_, mac.data(), &macSize,
+ ecdsaSignature.data(), &ecdsaSignatureSize)) {
+ return std::nullopt;
+ }
+ mac.resize(macSize);
+ ecdsaSignature.resize(ecdsaSignatureSize);
+ return std::make_pair(mac, ecdsaSignature);
+}
+
optional<vector<uint8_t>> FakeSecureHardwarePresentationProxy::finishRetrieval() {
if (!validateId(__func__)) {
return std::nullopt;