Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 1eb12b29728adcbbe5b8694f671c67b8a624fe4a / . / identity / aidl / default / common / SecureHardwareProxy.h
blob: a5804442303e8a7fe04916e8923d94153d50e3ae [file] [log] [blame]
David Zeuthen630de2a2020-05-11 14:04:54 -0400[diff] [blame]1/*
2 * Copyright 2020, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef ANDROID_HARDWARE_IDENTITY_SECUREHARDWAREPROXY_H
18#define ANDROID_HARDWARE_IDENTITY_SECUREHARDWAREPROXY_H
19
20#include <utils/RefBase.h>
21#include <optional>
22#include <string>
23#include <utility>
24#include <vector>
25
26namespace android::hardware::identity {
27
28using ::android::RefBase;
29using ::std::optional;
30using ::std::pair;
31using ::std::string;
32using ::std::vector;
33
34// These classes are used to communicate with Secure Hardware. They mimic the
35// API in libEmbeddedIC 1:1 (except for using C++ types) as each call is intended
36// to be forwarded to the Secure Hardware.
37//
38// Instances are instantiated when a provisioning or presentation session
39// starts. When the session is complete, the shutdown() method is called.
40//
41
42// Forward declare.
43//
44class SecureHardwareProvisioningProxy;
David Zeuthen1eb12b22021-09-11 13:59:43 -0400[diff] [blame^]45class SecureHardwareSessionProxy;
David Zeuthen630de2a2020-05-11 14:04:54 -0400[diff] [blame]46class SecureHardwarePresentationProxy;
47
48// This is a class used to create proxies.
49//
50class SecureHardwareProxyFactory : public RefBase {
51 public:
52 SecureHardwareProxyFactory() {}
53 virtual ~SecureHardwareProxyFactory() {}
54
55 virtual sp<SecureHardwareProvisioningProxy> createProvisioningProxy() = 0;
David Zeuthen1eb12b22021-09-11 13:59:43 -0400[diff] [blame^]56 virtual sp<SecureHardwareSessionProxy> createSessionProxy() = 0;
David Zeuthen630de2a2020-05-11 14:04:54 -0400[diff] [blame]57 virtual sp<SecureHardwarePresentationProxy> createPresentationProxy() = 0;
58};
59
60// The proxy used for provisioning.
61//
62class SecureHardwareProvisioningProxy : public RefBase {
63 public:
64 SecureHardwareProvisioningProxy() {}
65 virtual ~SecureHardwareProvisioningProxy() {}
66
67 virtual bool initialize(bool testCredential) = 0;
68
David Zeuthen1eb12b22021-09-11 13:59:43 -0400[diff] [blame^]69 virtual bool initializeForUpdate(bool testCredential, const string& docType,
70 const vector<uint8_t>& encryptedCredentialKeys) = 0;
71
72 virtual optional<uint32_t> getId() = 0;
73
74 virtual bool shutdown() = 0;
David Zeuthen49f2d252020-10-16 11:27:24 -0400[diff] [blame]75
David Zeuthen630de2a2020-05-11 14:04:54 -0400[diff] [blame]76 // Returns public key certificate chain with attestation.
77 //
78 // This must return an entire certificate chain and its implementation must
79 // be coordinated with the implementation of eicOpsCreateCredentialKey() on
80 // the TA side (which may return just a single certificate or the entire
81 // chain).
82 virtual optional<vector<uint8_t>> createCredentialKey(const vector<uint8_t>& challenge,
83 const vector<uint8_t>& applicationId) = 0;
84
David Zeuthen1eb12b22021-09-11 13:59:43 -0400[diff] [blame^]85 virtual bool startPersonalization(int accessControlProfileCount, const vector<int>& entryCounts,
David Zeuthen630de2a2020-05-11 14:04:54 -0400[diff] [blame]86 const string& docType,
87 size_t expectedProofOfProvisioningSize) = 0;
88
89 // Returns MAC (28 bytes).
90 virtual optional<vector<uint8_t>> addAccessControlProfile(
91 int id, const vector<uint8_t>& readerCertificate, bool userAuthenticationRequired,
92 uint64_t timeoutMillis, uint64_t secureUserId) = 0;
93
94 virtual bool beginAddEntry(const vector<int>& accessControlProfileIds, const string& nameSpace,
95 const string& name, uint64_t entrySize) = 0;
96
97 // Returns encryptedContent.
98 virtual optional<vector<uint8_t>> addEntryValue(const vector<int>& accessControlProfileIds,
99 const string& nameSpace, const string& name,
100 const vector<uint8_t>& content) = 0;
101
102 // Returns signatureOfToBeSigned (EIC_ECDSA_P256_SIGNATURE_SIZE bytes).
103 virtual optional<vector<uint8_t>> finishAddingEntries() = 0;
104
105 // Returns encryptedCredentialKeys (80 bytes).
106 virtual optional<vector<uint8_t>> finishGetCredentialData(const string& docType) = 0;
David Zeuthen630de2a2020-05-11 14:04:54 -0400[diff] [blame]107};
108
109enum AccessCheckResult {
110 kOk,
111 kFailed,
112 kNoAccessControlProfiles,
113 kUserAuthenticationFailed,
114 kReaderAuthenticationFailed,
115};
116
David Zeuthen1eb12b22021-09-11 13:59:43 -0400[diff] [blame^]117// The proxy used for sessions.
118//
119class SecureHardwareSessionProxy : public RefBase {
120 public:
121 SecureHardwareSessionProxy() {}
122
123 virtual ~SecureHardwareSessionProxy() {}
124
125 virtual bool initialize() = 0;
126
127 virtual optional<uint32_t> getId() = 0;
128
129 virtual bool shutdown() = 0;
130
131 virtual optional<uint64_t> getAuthChallenge() = 0;
132
133 // Returns private key
134 virtual optional<vector<uint8_t>> getEphemeralKeyPair() = 0;
135
136 virtual bool setReaderEphemeralPublicKey(const vector<uint8_t>& readerEphemeralPublicKey) = 0;
137
138 virtual bool setSessionTranscript(const vector<uint8_t>& sessionTranscript) = 0;
139};
140
David Zeuthen630de2a2020-05-11 14:04:54 -0400[diff] [blame]141// The proxy used for presentation.
142//
143class SecureHardwarePresentationProxy : public RefBase {
144 public:
145 SecureHardwarePresentationProxy() {}
146 virtual ~SecureHardwarePresentationProxy() {}
147
David Zeuthen1eb12b22021-09-11 13:59:43 -0400[diff] [blame^]148 virtual bool initialize(uint32_t sessionId, bool testCredential, const string& docType,
149 const vector<uint8_t>& encryptedCredentialKeys) = 0;
150
151 virtual optional<uint32_t> getId() = 0;
152
153 virtual bool shutdown() = 0;
David Zeuthen630de2a2020-05-11 14:04:54 -0400[diff] [blame]154
155 // Returns publicKeyCert (1st component) and signingKeyBlob (2nd component)
David Zeuthen1eb12b22021-09-11 13:59:43 -0400[diff] [blame^]156 virtual optional<pair<vector<uint8_t>, vector<uint8_t>>> generateSigningKeyPair(
157 const string& docType, time_t now) = 0;
David Zeuthen630de2a2020-05-11 14:04:54 -0400[diff] [blame]158
159 // Returns private key
160 virtual optional<vector<uint8_t>> createEphemeralKeyPair() = 0;
161
162 virtual optional<uint64_t> createAuthChallenge() = 0;
163
164 virtual bool startRetrieveEntries() = 0;
165
166 virtual bool setAuthToken(uint64_t challenge, uint64_t secureUserId, uint64_t authenticatorId,
167 int hardwareAuthenticatorType, uint64_t timeStamp,
168 const vector<uint8_t>& mac, uint64_t verificationTokenChallenge,
169 uint64_t verificationTokenTimestamp,
170 int verificationTokenSecurityLevel,
171 const vector<uint8_t>& verificationTokenMac) = 0;
172
173 virtual bool pushReaderCert(const vector<uint8_t>& certX509) = 0;
174
175 virtual optional<bool> validateAccessControlProfile(int id,
176 const vector<uint8_t>& readerCertificate,
177 bool userAuthenticationRequired,
178 int timeoutMillis, uint64_t secureUserId,
179 const vector<uint8_t>& mac) = 0;
180
181 virtual bool validateRequestMessage(const vector<uint8_t>& sessionTranscript,
182 const vector<uint8_t>& requestMessage, int coseSignAlg,
183 const vector<uint8_t>& readerSignatureOfToBeSigned) = 0;
184
185 virtual bool calcMacKey(const vector<uint8_t>& sessionTranscript,
186 const vector<uint8_t>& readerEphemeralPublicKey,
187 const vector<uint8_t>& signingKeyBlob, const string& docType,
188 unsigned int numNamespacesWithValues,
189 size_t expectedProofOfProvisioningSize) = 0;
190
191 virtual AccessCheckResult startRetrieveEntryValue(
192 const string& nameSpace, const string& name, unsigned int newNamespaceNumEntries,
193 int32_t entrySize, const vector<int32_t>& accessControlProfileIds) = 0;
194
195 virtual optional<vector<uint8_t>> retrieveEntryValue(
196 const vector<uint8_t>& encryptedContent, const string& nameSpace, const string& name,
197 const vector<int32_t>& accessControlProfileIds) = 0;
198
199 virtual optional<vector<uint8_t>> finishRetrieval();
200
201 virtual optional<vector<uint8_t>> deleteCredential(const string& docType,
David Zeuthen49f2d252020-10-16 11:27:24 -0400[diff] [blame]202 const vector<uint8_t>& challenge,
203 bool includeChallenge,
David Zeuthen630de2a2020-05-11 14:04:54 -0400[diff] [blame]204 size_t proofOfDeletionCborSize) = 0;
205
David Zeuthen49f2d252020-10-16 11:27:24 -0400[diff] [blame]206 virtual optional<vector<uint8_t>> proveOwnership(const string& docType, bool testCredential,
207 const vector<uint8_t>& challenge,
208 size_t proofOfOwnershipCborSize) = 0;
David Zeuthen630de2a2020-05-11 14:04:54 -0400[diff] [blame]209};
210
211} // namespace android::hardware::identity
212
213#endif // ANDROID_HARDWARE_IDENTITY_SECUREHARDWAREPROXY_H