Keystore 2.0: Implement APC service.
This patch implements the Android Protected Confirmation service in
Keystore 2.0. This includes a C++ wrapper around the HIDL confirmationui
interface which will stay a HIDL interface for now.
This patch also includes the new AIDL specification.
This patch does not yet include death listener registration (b/176491050).
Bug: 159341464
Bug: 173546269
Test: None
Change-Id: Ida4af108e86b538ab64d1dea4809cfa3b36f74cd
diff --git a/keystore2/aidl/Android.bp b/keystore2/aidl/Android.bp
index 00be2b7..3051173 100644
--- a/keystore2/aidl/Android.bp
+++ b/keystore2/aidl/Android.bp
@@ -14,9 +14,7 @@
aidl_interface {
name: "android.security.attestationmanager",
- srcs: [
- "android/security/attestationmanager/*.aidl",
- ],
+ srcs: [ "android/security/attestationmanager/*.aidl", ],
imports: [ "android.hardware.security.keymint" ],
unstable: true,
backend: {
@@ -47,3 +45,16 @@
},
}
+aidl_interface {
+ name: "android.security.apc",
+ srcs: [ "android/security/apc/*.aidl" ],
+ unstable: true,
+ backend: {
+ java: {
+ enabled: true,
+ },
+ rust: {
+ enabled: true,
+ },
+ },
+}
diff --git a/keystore2/aidl/android/security/apc/IConfirmationCallback.aidl b/keystore2/aidl/android/security/apc/IConfirmationCallback.aidl
new file mode 100644
index 0000000..f47d7f5
--- /dev/null
+++ b/keystore2/aidl/android/security/apc/IConfirmationCallback.aidl
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.apc;
+
+import android.security.apc.ResponseCode;
+
+/**
+ * This callback interface must be implemented by the client to receive the result of the user
+ * confirmation.
+ */
+interface IConfirmationCallback {
+ /**
+ * This callback gets called by the implementing service when a pending confirmation prompt
+ * gets finalized.
+ *
+ * @param result
+ * - ResponseCode.OK On success. In this case dataConfirmed must be non null.
+ * - ResponseCode.CANCELLED If the user cancelled the prompt. In this case dataConfirmed must
+ * be null.
+ * - ResponseCode.ABORTED If the client called IProtectedConfirmation.cancelPrompt() or if the
+ * prompt was cancelled by the system due to an asynchronous event. In this case
+ * dataConfirmed must be null.
+ *
+ * @param dataConfirmed This is the message that was confirmed and for which a confirmation
+ * token is now available in implementing service. A subsequent attempt to sign this
+ * message with a confirmation bound key will succeed. The message is a CBOR map
+ * including the prompt text and the extra data.
+ */
+ oneway void onCompleted(in ResponseCode result, in @nullable byte[] dataConfirmed);
+}
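Review bot: The @param doc for dataConfirmed on onCompleted promises only that "a subsequent attempt to sign this message ... will succeed"; it does not say whether the confirmation token is consumed by that first signing operation or whether it expires on its own, and callers will build their signing flow on exactly that contract. The doc should state it explicitly, e.g. `@param dataConfirmed ... State here whether the confirmation token is single-use and whether it has a validity window.` (filled in from the backend behaviour, which this hunk does not show). It would also help to say which ResponseCode values can ever arrive in result — the text lists OK, CANCELLED and ABORTED, but the enum carries several more — so implementors know whether to handle the rest. Finally, since dataConfirmed is described as a CBOR map containing the prompt text and extra data, a sentence noting that the client should compare it against what it passed to presentPrompt before relying on it would make the intended use clear.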
diff --git a/keystore2/aidl/android/security/apc/IProtectedConfirmation.aidl b/keystore2/aidl/android/security/apc/IProtectedConfirmation.aidl
new file mode 100644
index 0000000..26ccf0f
--- /dev/null
+++ b/keystore2/aidl/android/security/apc/IProtectedConfirmation.aidl
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.apc;
+
+import android.security.apc.IConfirmationCallback;
+
+interface IProtectedConfirmation {
+
+ /**
+ * When set in the uiOptionFlags parameter of presentPrompt, indicates to the implementation
+ * that it shall use inverted color mode.
+ */
+ const int FLAG_UI_OPTION_INVERTED = 1;
+ /**
+ * When set in the uiOptionFlags parameter of presentPrompt, indicates to the implementation
+ * that it shall use magnified font mode.
+ */
+ const int FLAG_UI_OPTION_MAGNIFIED = 2;
+
+ /**
+ * Present the confirmation prompt. The caller must implement IConfirmationCallback and pass
+ * it to this function as listener.
+ *
+ * @param listener Must implement IConfirmationCallback. Doubles as session identifier when
+ * passed to cancelPrompt.
+ * @param promptText The text that will be displayed to the user using the protected
+ * confirmation UI.
+ * @param extraData Extra data, e.g., a nonce, that will be included in the to-be-signed
+ * message.
+ * @param locale The locale string is used to select the language for the instructions
+ * displayed by the confirmation prompt.
+ * @param uiOptionFlags Bitwise combination of FLAG_UI_OPTION_* see above.
+ *
+ * Service specific error codes:
+ * - ResponseCode.OPERATION_PENDING If another prompt is already pending.
+ * - ResponseCode.SYSTEM_ERROR An unexpected error occurred.
+ */
+ void presentPrompt(in IConfirmationCallback listener, in String promptText,
+ in byte[] extraData, in String locale, in int uiOptionFlags);
+
+ /**
+ * Cancel an ongoing prompt.
+ *
+ * @param listener Must implement IConfirmationCallback, although in this context this binder
+ * token is only used to identify the session that is to be cancelled.
+ *
+ * Service specific error code:
+ * - ResponseCode.IGNORED If the listener does not represent an ongoing prompt session.
+ */
+ void cancelPrompt(IConfirmationCallback listener);
+
+ /**
+ * Returns true if the device supports Android Protected Confirmation.
+ */
+ boolean isSupported();
+}
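Review bot: The "Service specific error codes" list on presentPrompt omits PERMISSION_DENIED and UNIMPLEMENTED even though ResponseCode in this same patch defines both, and nothing in the interface doc says which permission a caller needs to present a prompt. I would extend the list with ` * - ResponseCode.PERMISSION_DENIED If the caller lacks the required permission.` and ` * - ResponseCode.UNIMPLEMENTED If protected confirmation is not supported on this device (see isSupported).`, adjusting the wording if the service actually maps those cases differently. As a point of style, `void cancelPrompt(IConfirmationCallback listener);` drops the `in` direction specifier that presentPrompt uses on the same parameter type; `void cancelPrompt(in IConfirmationCallback listener);` keeps the two declarations consistent. The uiOptionFlags doc should say what happens when bits other than FLAG_UI_OPTION_INVERTED and FLAG_UI_OPTION_MAGNIFIED are set (rejected or ignored), since a client cannot tell from the current text. Likewise promptText and extraData presumably have size limits imposed by the confirmationui backend; the doc should name them, or at least name the error code returned when they are exceeded.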
diff --git a/keystore2/aidl/android/security/apc/ResponseCode.aidl b/keystore2/aidl/android/security/apc/ResponseCode.aidl
new file mode 100644
index 0000000..7ae3e1c
--- /dev/null
+++ b/keystore2/aidl/android/security/apc/ResponseCode.aidl
@@ -0,0 +1,59 @@
+/*
+ * Copyright 2020, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.apc;
+
+/**
+ * Used as service specific exception code by IProtectedConfirmation and as result
+ * code by IConfirmationCallback
+ */
+@Backing(type="int")
+enum ResponseCode {
+ /**
+ * The prompt completed successfully with the user confirming the message (callback result).
+ */
+ OK = 0,
+ /**
+ * The user cancelled the TUI (callback result).
+ */
+ CANCELLED = 1,
+ /**
+ * The prompt was aborted (callback result). This may happen when the app cancels the prompt,
+ * or when the prompt was cancelled due to an unexpected asynchronous event, such as an
+ * incoming phone call.
+ */
+ ABORTED = 2,
+ /**
+ * Another prompt cannot be started because another prompt is pending.
+ */
+ OPERATION_PENDING = 3,
+ /**
+ * The request was ignored.
+ */
+ IGNORED = 4,
+ /**
+ * An unexpected system error occurred.
+ */
+ SYSTEM_ERROR = 5,
+ /**
+ * Backend is not implemented.
+ */
+ UNIMPLEMENTED = 6,
+ /**
+ * Permission Denied.
+ */
+ PERMISSION_DENIED = 30,
+}
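Review bot: PERMISSION_DENIED = 30 breaks the otherwise dense 0..6 numbering with no comment explaining the gap, so a future contributor may "fix" it by renumbering, which would silently change the wire value. Add a comment on that line such as `/** Permission Denied. Value deliberately kept at 30 — <reason, e.g. alignment with another error-code space — TODO confirm>. */`. The header doc says the enum serves both as service-specific exception code and as callback result, but only OK, CANCELLED and ABORTED are tagged "(callback result)"; stating in the header that those three are the only values delivered via IConfirmationCallback and the remainder only surface as service-specific exceptions would remove the ambiguity for implementors on both sides.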