Port credstore to IdentityCredential AIDL.

Bug: 111446262
Test: atest android.security.identity.cts
Test: VtsHalIdentityTargetTest
Test: android.hardware.identity-support-lib-test
Change-Id: I338b35f57f2bb7345c3f8f0c608c7a6213a0dc6b
diff --git a/identity/Android.bp b/identity/Android.bp
index ad9bd72..c0f1635 100644
--- a/identity/Android.bp
+++ b/identity/Android.bp
@@ -27,8 +27,6 @@
     ],
     init_rc: ["credstore.rc"],
     shared_libs: [
-        "android.hardware.identity@1.0",
-        "android.hardware.keymaster@4.0",
         "libbase",
         "libbinder",
         "libkeystore_aidl",
@@ -40,6 +38,8 @@
         "libkeystore-attestation-application-id",
     ],
     static_libs: [
+        "android.hardware.identity-cpp",
+        "android.hardware.keymaster-cpp",
         "libcppbor",
     ]
 }
diff --git a/identity/Credential.cpp b/identity/Credential.cpp
index 6b03309..604d262 100644
--- a/identity/Credential.cpp
+++ b/identity/Credential.cpp
@@ -42,21 +42,17 @@
 
 using android::security::keystore::IKeystoreService;
 
-using ::android::hardware::hidl_vec;
-
-using ::android::hardware::identity::V1_0::Result;
-using ::android::hardware::identity::V1_0::ResultCode;
-using ::android::hardware::identity::V1_0::SecureAccessControlProfile;
-
 using ::android::hardware::identity::support::ecKeyPairGetPkcs12;
 using ::android::hardware::identity::support::ecKeyPairGetPrivateKey;
 using ::android::hardware::identity::support::ecKeyPairGetPublicKey;
 using ::android::hardware::identity::support::sha256;
 
 using android::hardware::keymaster::V4_0::HardwareAuthToken;
+using AidlHardwareAuthToken = android::hardware::keymaster::HardwareAuthToken;
 
-Credential::Credential(const std::string& dataPath, const std::string& credentialName)
-    : dataPath_(dataPath), credentialName_(credentialName) {}
+Credential::Credential(CipherSuite cipherSuite, const std::string& dataPath,
+                       const std::string& credentialName)
+    : cipherSuite_(cipherSuite), dataPath_(dataPath), credentialName_(credentialName) {}
 
 Credential::~Credential() {}
 
@@ -71,15 +67,16 @@
 
     data_ = data;
 
-    Result result;
     sp<IIdentityCredential> halBinder;
-    halStoreBinder->getCredential(
-        data_->getCredentialData(),
-        [&](const Result& _result, const sp<IIdentityCredential>& _halBinder) {
-            result = _result;
-            halBinder = _halBinder;
-        });
-    if (result.code != ResultCode::OK) {
+    Status status =
+        halStoreBinder->getCredential(cipherSuite_, data_->getCredentialData(), &halBinder);
+    if (!status.isOk() && status.exceptionCode() == binder::Status::EX_SERVICE_SPECIFIC) {
+        int code = status.serviceSpecificErrorCode();
+        if (code == IIdentityCredentialStore::STATUS_CIPHER_SUITE_NOT_SUPPORTED) {
+            return halStatusToError(status, ICredentialStore::ERROR_CIPHER_SUITE_NOT_SUPPORTED);
+        }
+    }
+    if (!status.isOk()) {
         LOG(ERROR) << "Error getting HAL binder";
         return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC);
     }
@@ -104,16 +101,10 @@
             "No suitable authentication key available");
     }
 
-    Result result;
-    uint64_t challenge;
-    halBinder_->createAuthChallenge([&](const Result& _result, uint64_t _challenge) {
-        result = _result;
-        challenge = _challenge;
-    });
-    if (result.code != ResultCode::OK) {
-        LOG(ERROR) << "createAuthChallenge() failed " << ((int)result.code) << ": "
-                   << result.message;
-        return halResultToGenericError(result);
+    int64_t challenge;
+    Status status = halBinder_->createAuthChallenge(&challenge);
+    if (!status.isOk()) {
+        return halStatusToGenericError(status);
     }
     if (challenge == 0) {
         return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC,
@@ -160,7 +151,7 @@
     //
     // Also go through and figure out which access control profiles to include
     // in the startRetrieval() call.
-    vector<uint16_t> requestCounts;
+    vector<int32_t> requestCounts;
     const vector<SecureAccessControlProfile>& allProfiles = data_->getSecureAccessControlProfiles();
     vector<bool> includeProfile(allProfiles.size());
     for (const RequestNamespaceParcel& rns : requestNamespaces) {
@@ -172,8 +163,8 @@
 
             optional<EntryData> data = data_->getEntryData(rns.namespaceName, rep.name);
             if (data) {
-                for (uint16_t id : data.value().accessControlProfileIds) {
-                    if (id >= includeProfile.size()) {
+                for (int32_t id : data.value().accessControlProfileIds) {
+                    if (id >= int32_t(includeProfile.size())) {
                         LOG(ERROR) << "Invalid accessControlProfileId " << id << " for "
                                    << rns.namespaceName << ": " << rep.name;
                         return Status::fromServiceSpecificError(
@@ -227,7 +218,7 @@
     }
 
     // Only get an authToken if it's actually needed.
-    HardwareAuthToken authToken;
+    AidlHardwareAuthToken aidlAuthToken;
     if (userAuthNeeded) {
         vector<uint8_t> authTokenBytes;
         if (!getAuthTokenFromKeystore(selectedChallenge_, data_->getSecureUserId(),
@@ -237,34 +228,36 @@
                                                     "Error getting auth token from keystore");
         }
         if (authTokenBytes.size() > 0) {
-            authToken =
+            HardwareAuthToken authToken =
                 android::hardware::keymaster::V4_0::support::hidlVec2AuthToken(authTokenBytes);
+            // Convert from HIDL to AIDL...
+            aidlAuthToken.challenge = int64_t(authToken.challenge);
+            aidlAuthToken.userId = int64_t(authToken.userId);
+            aidlAuthToken.authenticatorId = int64_t(authToken.authenticatorId);
+            aidlAuthToken.authenticatorType =
+                ::android::hardware::keymaster::HardwareAuthenticatorType(
+                    int32_t(authToken.authenticatorType));
+            aidlAuthToken.timestamp.milliSeconds = int64_t(authToken.timestamp);
+            aidlAuthToken.mac = authToken.mac;
         }
     }
 
-    Result result;
-    halBinder_->startRetrieval(selectedProfiles, authToken, requestMessage, sessionTranscript,
-                               readerSignature, requestCounts,
-                               [&](const Result& _result) { result = _result; });
-    if (result.code == ResultCode::EPHEMERAL_PUBLIC_KEY_NOT_FOUND) {
-        LOG(ERROR) << "startRetrieval() failed " << ((int)result.code) << ": " << result.message;
-        return Status::fromServiceSpecificError(
-            ICredentialStore::ERROR_EPHEMERAL_PUBLIC_KEY_NOT_FOUND, result.message.c_str());
-    } else if (result.code == ResultCode::READER_SIGNATURE_CHECK_FAILED) {
-        LOG(ERROR) << "startRetrieval() failed " << ((int)result.code) << ": " << result.message;
-        return Status::fromServiceSpecificError(ICredentialStore::ERROR_INVALID_READER_SIGNATURE,
-                                                result.message.c_str());
-    } else if (result.code == ResultCode::INVALID_ITEMS_REQUEST_MESSAGE) {
-        LOG(ERROR) << "startRetrieval() failed " << ((int)result.code) << ": " << result.message;
-        return Status::fromServiceSpecificError(
-            ICredentialStore::ERROR_INVALID_ITEMS_REQUEST_MESSAGE, result.message.c_str());
-    } else if (result.code == ResultCode::SESSION_TRANSCRIPT_MISMATCH) {
-        LOG(ERROR) << "startRetrieval() failed " << ((int)result.code) << ": " << result.message;
-        return Status::fromServiceSpecificError(ICredentialStore::ERROR_SESSION_TRANSCRIPT_MISMATCH,
-                                                result.message.c_str());
-    } else if (result.code != ResultCode::OK) {
-        LOG(ERROR) << "startRetrieval() failed " << ((int)result.code) << ": " << result.message;
-        return halResultToGenericError(result);
+    Status status = halBinder_->startRetrieval(selectedProfiles, aidlAuthToken, requestMessage,
+                                               sessionTranscript, readerSignature, requestCounts);
+    if (!status.isOk() && status.exceptionCode() == binder::Status::EX_SERVICE_SPECIFIC) {
+        int code = status.serviceSpecificErrorCode();
+        if (code == IIdentityCredentialStore::STATUS_EPHEMERAL_PUBLIC_KEY_NOT_FOUND) {
+            return halStatusToError(status, ICredentialStore::ERROR_EPHEMERAL_PUBLIC_KEY_NOT_FOUND);
+        } else if (code == IIdentityCredentialStore::STATUS_READER_SIGNATURE_CHECK_FAILED) {
+            return halStatusToError(status, ICredentialStore::ERROR_INVALID_READER_SIGNATURE);
+        } else if (code == IIdentityCredentialStore::STATUS_INVALID_ITEMS_REQUEST_MESSAGE) {
+            return halStatusToError(status, ICredentialStore::ERROR_INVALID_ITEMS_REQUEST_MESSAGE);
+        } else if (code == IIdentityCredentialStore::STATUS_SESSION_TRANSCRIPT_MISMATCH) {
+            return halStatusToError(status, ICredentialStore::ERROR_SESSION_TRANSCRIPT_MISMATCH);
+        }
+    }
+    if (!status.isOk()) {
+        return halStatusToGenericError(status);
     }
 
     for (const RequestNamespaceParcel& rns : requestNamespaces) {
@@ -282,43 +275,41 @@
                 continue;
             }
 
-            halBinder_->startRetrieveEntryValue(rns.namespaceName, rep.name, data.value().size,
-                                                data.value().accessControlProfileIds,
-                                                [&](const Result& _result) { result = _result; });
-            if (result.code == ResultCode::USER_AUTHENTICATION_FAILED) {
-                resultEntryParcel.status = STATUS_USER_AUTHENTICATION_FAILED;
-                resultNamespaceParcel.entries.push_back(resultEntryParcel);
-                continue;
-            } else if (result.code == ResultCode::READER_AUTHENTICATION_FAILED) {
-                resultEntryParcel.status = STATUS_READER_AUTHENTICATION_FAILED;
-                resultNamespaceParcel.entries.push_back(resultEntryParcel);
-                continue;
-            } else if (result.code == ResultCode::NOT_IN_REQUEST_MESSAGE) {
-                resultEntryParcel.status = STATUS_NOT_IN_REQUEST_MESSAGE;
-                resultNamespaceParcel.entries.push_back(resultEntryParcel);
-                continue;
-            } else if (result.code == ResultCode::NO_ACCESS_CONTROL_PROFILES) {
-                resultEntryParcel.status = STATUS_NO_ACCESS_CONTROL_PROFILES;
-                resultNamespaceParcel.entries.push_back(resultEntryParcel);
-                continue;
-            } else if (result.code != ResultCode::OK) {
-                LOG(ERROR) << "startRetrieveEntryValue() failed " << ((int)result.code) << ": "
-                           << result.message;
-                return halResultToGenericError(result);
+            status =
+                halBinder_->startRetrieveEntryValue(rns.namespaceName, rep.name, data.value().size,
+                                                    data.value().accessControlProfileIds);
+            if (!status.isOk() && status.exceptionCode() == binder::Status::EX_SERVICE_SPECIFIC) {
+                int code = status.serviceSpecificErrorCode();
+                if (code == IIdentityCredentialStore::STATUS_USER_AUTHENTICATION_FAILED) {
+                    resultEntryParcel.status = STATUS_USER_AUTHENTICATION_FAILED;
+                    resultNamespaceParcel.entries.push_back(resultEntryParcel);
+                    continue;
+                } else if (code == IIdentityCredentialStore::STATUS_READER_AUTHENTICATION_FAILED) {
+                    resultEntryParcel.status = STATUS_READER_AUTHENTICATION_FAILED;
+                    resultNamespaceParcel.entries.push_back(resultEntryParcel);
+                    continue;
+                } else if (code == IIdentityCredentialStore::STATUS_NOT_IN_REQUEST_MESSAGE) {
+                    resultEntryParcel.status = STATUS_NOT_IN_REQUEST_MESSAGE;
+                    resultNamespaceParcel.entries.push_back(resultEntryParcel);
+                    continue;
+                } else if (code == IIdentityCredentialStore::STATUS_NO_ACCESS_CONTROL_PROFILES) {
+                    resultEntryParcel.status = STATUS_NO_ACCESS_CONTROL_PROFILES;
+                    resultNamespaceParcel.entries.push_back(resultEntryParcel);
+                    continue;
+                }
+            }
+            if (!status.isOk()) {
+                return halStatusToGenericError(status);
             }
 
             vector<uint8_t> value;
             for (const auto& encryptedChunk : data.value().encryptedChunks) {
-                halBinder_->retrieveEntryValue(
-                    encryptedChunk, [&](const Result& _result, const hidl_vec<uint8_t>& chunk) {
-                        result = _result;
-                        value.insert(value.end(), chunk.begin(), chunk.end());
-                    });
-                if (result.code != ResultCode::OK) {
-                    LOG(ERROR) << "retrieveEntryValue failed() " << ((int)result.code) << ": "
-                               << result.message;
-                    return halResultToGenericError(result);
+                vector<uint8_t> chunk;
+                status = halBinder_->retrieveEntryValue(encryptedChunk, &chunk);
+                if (!status.isOk()) {
+                    return halStatusToGenericError(status);
                 }
+                value.insert(value.end(), chunk.begin(), chunk.end());
             }
 
             resultEntryParcel.status = STATUS_OK;
@@ -347,19 +338,12 @@
     if (authKey != nullptr) {
         signingKeyBlob = authKey->keyBlob;
     }
-    halBinder_->finishRetrieval(signingKeyBlob, [&](const Result& _result,
-                                                    const hidl_vec<uint8_t>& _mac,
-                                                    const hidl_vec<uint8_t>& _deviceNameSpaces) {
-        result = _result;
-        ret.mac = _mac;
-        ret.deviceNameSpaces = _deviceNameSpaces;
-        if (authKey != nullptr) {
-            ret.staticAuthenticationData = authKey->staticAuthenticationData;
-        }
-    });
-    if (result.code != ResultCode::OK) {
-        LOG(ERROR) << "finishRetrieval failed() " << ((int)result.code) << ": " << result.message;
-        return halResultToGenericError(result);
+    status = halBinder_->finishRetrieval(signingKeyBlob, &ret.mac, &ret.deviceNameSpaces);
+    if (!status.isOk()) {
+        return halStatusToGenericError(status);
+    }
+    if (authKey != nullptr) {
+        ret.staticAuthenticationData = authKey->staticAuthenticationData;
     }
 
     // Ensure useCount is updated on disk.
@@ -375,36 +359,24 @@
 }
 
 Status Credential::deleteCredential(vector<uint8_t>* _aidl_return) {
-    Result result;
-    halBinder_->deleteCredential(
-        [&](const Result& _result, const hidl_vec<uint8_t>& _proofOfDeletionSignature) {
-            result = _result;
-            *_aidl_return = _proofOfDeletionSignature;
-        });
-    if (result.code != ResultCode::OK) {
-        LOG(ERROR) << "deleteCredential failed() " << ((int)result.code) << ": " << result.message;
-        return halResultToGenericError(result);
+    vector<uint8_t> proofOfDeletionSignature;
+    Status status = halBinder_->deleteCredential(&proofOfDeletionSignature);
+    if (!status.isOk()) {
+        return halStatusToGenericError(status);
     }
     if (!data_->deleteCredential()) {
         return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC,
                                                 "Error deleting credential data on disk");
     }
+    *_aidl_return = proofOfDeletionSignature;
     return Status::ok();
 }
 
 Status Credential::createEphemeralKeyPair(vector<uint8_t>* _aidl_return) {
-    Result result;
-
     vector<uint8_t> keyPair;
-    halBinder_->createEphemeralKeyPair(
-        [&](const Result& _result, const hidl_vec<uint8_t>& _keyPair) {
-            result = _result;
-            keyPair = _keyPair;
-        });
-    if (result.code != ResultCode::OK) {
-        LOG(ERROR) << "createEphemeralKeyPair failed() " << ((int)result.code) << ": "
-                   << result.message;
-        return halResultToGenericError(result);
+    Status status = halBinder_->createEphemeralKeyPair(&keyPair);
+    if (!status.isOk()) {
+        return halStatusToGenericError(status);
     }
 
     optional<vector<uint8_t>> pkcs12Bytes = ecKeyPairGetPkcs12(keyPair,
@@ -423,13 +395,9 @@
 }
 
 Status Credential::setReaderEphemeralPublicKey(const vector<uint8_t>& publicKey) {
-    Result result;
-    halBinder_->setReaderEphemeralPublicKey(publicKey,
-                                            [&](const Result& _result) { result = _result; });
-    if (result.code != ResultCode::OK) {
-        LOG(ERROR) << "setReaderEphemeralPublicKey failed() " << ((int)result.code) << ": "
-                   << result.message;
-        return halResultToGenericError(result);
+    Status status = halBinder_->setReaderEphemeralPublicKey(publicKey);
+    if (!status.isOk()) {
+        return halStatusToGenericError(status);
     }
     return Status::ok();
 }
diff --git a/identity/Credential.h b/identity/Credential.h
index 356d75f..a0d9063 100644
--- a/identity/Credential.h
+++ b/identity/Credential.h
@@ -22,8 +22,7 @@
 
 #include <android/security/identity/BnCredential.h>
 
-#include <android/hardware/identity/1.0/IIdentityCredentialStore.h>
-#include <android/hardware/identity/1.0/types.h>
+#include <android/hardware/identity/IIdentityCredentialStore.h>
 
 #include "CredentialData.h"
 
@@ -36,12 +35,13 @@
 using ::std::string;
 using ::std::vector;
 
-using ::android::hardware::identity::V1_0::IIdentityCredential;
-using ::android::hardware::identity::V1_0::IIdentityCredentialStore;
+using ::android::hardware::identity::CipherSuite;
+using ::android::hardware::identity::IIdentityCredential;
+using ::android::hardware::identity::IIdentityCredentialStore;
 
 class Credential : public BnCredential {
   public:
-    Credential(const string& dataPath, const string& credentialName);
+    Credential(CipherSuite cipherSuite, const string& dataPath, const string& credentialName);
     ~Credential();
 
     Status loadCredential(sp<IIdentityCredentialStore> halStoreBinder);
@@ -70,6 +70,7 @@
     Status getAuthenticationDataUsageCount(vector<int32_t>* _aidl_return) override;
 
   private:
+    CipherSuite cipherSuite_;
     string dataPath_;
     string credentialName_;
 
diff --git a/identity/CredentialData.cpp b/identity/CredentialData.cpp
index 99dd04b..b4e6641 100644
--- a/identity/CredentialData.cpp
+++ b/identity/CredentialData.cpp
@@ -37,8 +37,6 @@
 namespace security {
 namespace identity {
 
-using android::hardware::identity::V1_0::Result;
-using android::hardware::identity::V1_0::ResultCode;
 using std::optional;
 
 string CredentialData::calculateCredentialFileName(const string& dataPath, uid_t ownerUid,
@@ -88,7 +86,7 @@
     for (const SecureAccessControlProfile& sacp : secureAccessControlProfiles_) {
         cppbor::Array array;
         array.add(sacp.id);
-        array.add((const vector<uint8_t>&)sacp.readerCertificate);
+        array.add(sacp.readerCertificate.encodedCertificate);
         array.add(sacp.userAuthenticationRequired);
         array.add(sacp.timeoutMillis);
         array.add(sacp.secureUserId);
@@ -107,7 +105,7 @@
         cppbor::Array entryDataArray;
         entryDataArray.add(entryData.size);
         cppbor::Array idsArray;
-        for (uint16_t id : entryData.accessControlProfileIds) {
+        for (int32_t id : entryData.accessControlProfileIds) {
             idsArray.add(id);
         }
         entryDataArray.add(std::move(idsArray));
@@ -159,7 +157,7 @@
     }
     SecureAccessControlProfile sacp;
     sacp.id = itemId->value();
-    sacp.readerCertificate = itemReaderCertificate->value();
+    sacp.readerCertificate.encodedCertificate = itemReaderCertificate->value();
     sacp.userAuthenticationRequired = itemUserAuthenticationRequired->value();
     sacp.timeoutMillis = itemTimeoutMillis->value();
     sacp.secureUserId = itesecureUserId_->value();
@@ -195,14 +193,14 @@
     return authKeyData;
 }
 
-vector<uint16_t> parseAccessControlProfileIds(const cppbor::Item& item) {
+vector<int32_t> parseAccessControlProfileIds(const cppbor::Item& item) {
     const cppbor::Array* array = item.asArray();
     if (array == nullptr) {
         LOG(ERROR) << "The accessControlProfileIds member is not an array";
         return {};
     }
 
-    vector<uint16_t> accessControlProfileIds;
+    vector<int32_t> accessControlProfileIds;
     for (size_t n = 0; n < array->size(); n++) {
         const cppbor::Int* itemInt = ((*array)[n])->asInt();
         if (itemInt == nullptr) {
@@ -336,7 +334,7 @@
                 }
                 uint64_t entrySize = ecEntrySizeItem->value();
 
-                optional<vector<uint16_t>> accessControlProfileIds =
+                optional<vector<int32_t>> accessControlProfileIds =
                     parseAccessControlProfileIds(*(*ecEntryArrayItem)[1]);
                 if (!accessControlProfileIds) {
                     LOG(ERROR) << "Error parsing access control profile ids";
@@ -391,8 +389,13 @@
         }
     }
 
-    if (credentialData_.size() == 0 || attestationCertificate_.size() == 0) {
-        LOG(ERROR) << "Missing credentialData or attestationCertificate";
+    if (credentialData_.size() == 0) {
+        LOG(ERROR) << "Missing credentialData";
+        return false;
+    }
+
+    if (attestationCertificate_.size() == 0) {
+        LOG(ERROR) << "Missing attestationCertificate";
         return false;
     }
 
@@ -511,8 +514,8 @@
     return candidate;
 }
 
-optional<vector<vector<uint8_t>>> CredentialData::getAuthKeysNeedingCertification(
-    const sp<android::hardware::identity::V1_0::IIdentityCredential>& halBinder) {
+optional<vector<vector<uint8_t>>>
+CredentialData::getAuthKeysNeedingCertification(const sp<IIdentityCredential>& halBinder) {
 
     vector<vector<uint8_t>> keysNeedingCert;
 
@@ -520,22 +523,14 @@
         bool newKeyNeeded = (data.certificate.size() == 0) || (data.useCount >= maxUsesPerKey_);
         bool certificationPending = (data.pendingCertificate.size() > 0);
         if (newKeyNeeded && !certificationPending) {
-            Result result;
             vector<uint8_t> signingKeyBlob;
-            vector<uint8_t> signingKeyCertificate;
-            halBinder->generateSigningKeyPair(
-                [&](const Result& _result,
-                    const android::hardware::hidl_vec<uint8_t> _signingKeyBlob,
-                    const android::hardware::hidl_vec<uint8_t> _signingKeyCertificate) {
-                    result = _result;
-                    signingKeyBlob = _signingKeyBlob;
-                    signingKeyCertificate = _signingKeyCertificate;
-                });
-            if (result.code != ResultCode::OK) {
+            Certificate signingKeyCertificate;
+            if (!halBinder->generateSigningKeyPair(&signingKeyBlob, &signingKeyCertificate)
+                     .isOk()) {
                 LOG(ERROR) << "Error generating signing key-pair";
                 return {};
             }
-            data.pendingCertificate = signingKeyCertificate;
+            data.pendingCertificate = signingKeyCertificate.encodedCertificate;
             data.pendingKeyBlob = signingKeyBlob;
             certificationPending = true;
         }
diff --git a/identity/CredentialData.h b/identity/CredentialData.h
index 39e41f8..7995828 100644
--- a/identity/CredentialData.h
+++ b/identity/CredentialData.h
@@ -25,14 +25,16 @@
 #include <utility>
 #include <vector>
 
-#include <android/hardware/identity/1.0/IIdentityCredential.h>
-#include <android/hardware/identity/1.0/types.h>
+#include <android/hardware/identity/IIdentityCredential.h>
+#include <android/hardware/identity/SecureAccessControlProfile.h>
 
 namespace android {
 namespace security {
 namespace identity {
 
-using ::android::hardware::identity::V1_0::SecureAccessControlProfile;
+using ::android::hardware::identity::Certificate;
+using ::android::hardware::identity::IIdentityCredential;
+using ::android::hardware::identity::SecureAccessControlProfile;
 using ::std::map;
 using ::std::optional;
 using ::std::pair;
@@ -44,7 +46,7 @@
     EntryData() {}
 
     uint64_t size = 0;
-    vector<uint16_t> accessControlProfileIds;
+    vector<int32_t> accessControlProfileIds;
     vector<vector<uint8_t>> encryptedChunks;
 };
 
@@ -108,8 +110,8 @@
     // the authentication and increases its use-count.
     const AuthKeyData* selectAuthKey(bool allowUsingExhaustedKeys);
 
-    optional<vector<vector<uint8_t>>> getAuthKeysNeedingCertification(
-        const sp<android::hardware::identity::V1_0::IIdentityCredential>& halBinder);
+    optional<vector<vector<uint8_t>>>
+    getAuthKeysNeedingCertification(const sp<IIdentityCredential>& halBinder);
 
     bool storeStaticAuthenticationData(const vector<uint8_t>& authenticationKey,
                                        const vector<uint8_t>& staticAuthData);
diff --git a/identity/CredentialStore.cpp b/identity/CredentialStore.cpp
index b13a7b0..e3a825b 100644
--- a/identity/CredentialStore.cpp
+++ b/identity/CredentialStore.cpp
@@ -23,6 +23,7 @@
 #include <binder/IPCThreadState.h>
 
 #include "Credential.h"
+#include "CredentialData.h"
 #include "CredentialStore.h"
 #include "Util.h"
 #include "WritableCredential.h"
@@ -31,39 +32,20 @@
 namespace security {
 namespace identity {
 
-using ::android::hardware::hidl_string;
-using ::android::hardware::hidl_vec;
-using ::android::hardware::identity::V1_0::Result;
-using ::android::hardware::identity::V1_0::ResultCode;
-
-using ::android::hardware::identity::V1_0::IWritableIdentityCredential;
-
 CredentialStore::CredentialStore(const std::string& dataPath, sp<IIdentityCredentialStore> hal)
     : dataPath_(dataPath), hal_(hal) {}
 
 bool CredentialStore::init() {
-    Result result;
-    hal_->getHardwareInformation([&](const Result& _result, const hidl_string& credentialStoreName,
-                                     const hidl_string& credentialStoreAuthorName,
-                                     uint32_t _dataChunkSize, bool _isDirectAccess,
-                                     const hidl_vec<hidl_string>& _supportedDocTypes) {
-        result = _result;
-        dataChunkSize_ = _dataChunkSize;
-        isDirectAccess_ = _isDirectAccess;
-        supportedDocTypes_.clear();
-        for (auto& docType : _supportedDocTypes) {
-            supportedDocTypes_.push_back(docType);
-        }
-        LOG(INFO) << "Connected to Identity Credential HAL with name '" << credentialStoreName
-                  << "' authored by '" << credentialStoreAuthorName << "' with chunk size "
-                  << _dataChunkSize << " and directoAccess set to "
-                  << (_isDirectAccess ? "true" : "false");
-    });
-    if (result.code != ResultCode::OK) {
-        LOG(ERROR) << "Error getting hardware information: " << (int)result.code << ": "
-                   << result.message;
+    Status status = hal_->getHardwareInformation(&hwInfo_);
+    if (!status.isOk()) {
+        LOG(ERROR) << "Error getting hardware information: " << status.toString8();
         return false;
     }
+
+    LOG(INFO) << "Connected to Identity Credential HAL with name '" << hwInfo_.credentialStoreName
+              << "' authored by '" << hwInfo_.credentialStoreAuthorName << "' with chunk size "
+              << hwInfo_.dataChunkSize << " and directoAccess set to "
+              << (hwInfo_.isDirectAccess ? "true" : "false");
     return true;
 }
 
@@ -71,8 +53,8 @@
 
 Status CredentialStore::getSecurityHardwareInfo(SecurityHardwareInfoParcel* _aidl_return) {
     SecurityHardwareInfoParcel info;
-    info.directAccess = isDirectAccess_;
-    info.supportedDocTypes = supportedDocTypes_;
+    info.directAccess = hwInfo_.isDirectAccess;
+    info.supportedDocTypes = hwInfo_.supportedDocTypes;
     *_aidl_return = info;
     return Status::ok();
 };
@@ -92,37 +74,26 @@
                                                 "Credential with given name already exists");
     }
 
-    if (supportedDocTypes_.size() > 0) {
-        if (std::find(supportedDocTypes_.begin(), supportedDocTypes_.end(), docType) ==
-            supportedDocTypes_.end()) {
+    if (hwInfo_.supportedDocTypes.size() > 0) {
+        if (std::find(hwInfo_.supportedDocTypes.begin(), hwInfo_.supportedDocTypes.end(),
+                      docType) == hwInfo_.supportedDocTypes.end()) {
             return Status::fromServiceSpecificError(ERROR_DOCUMENT_TYPE_NOT_SUPPORTED,
                                                     "No support for given document type");
         }
     }
 
-    Result result;
     sp<IWritableIdentityCredential> halWritableCredential;
-    hal_->createCredential(
-        docType, false,
-        [&](const Result& _result, const sp<IWritableIdentityCredential>& _halWritableCredential) {
-            result = _result;
-            halWritableCredential = _halWritableCredential;
-        });
-    if (result.code != ResultCode::OK) {
-        return halResultToGenericError(result);
+    Status status = hal_->createCredential(docType, false, &halWritableCredential);
+    if (!status.isOk()) {
+        return halStatusToGenericError(status);
     }
 
     sp<IWritableCredential> writableCredential = new WritableCredential(
-        dataPath_, credentialName, docType, dataChunkSize_, halWritableCredential);
+        dataPath_, credentialName, docType, hwInfo_.dataChunkSize, halWritableCredential);
     *_aidl_return = writableCredential;
     return Status::ok();
 }
 
-// Keep in sync with IdentityCredentialStore.java
-//
-
-const int CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256 = 1;
-
 Status CredentialStore::getCredentialByName(const std::string& credentialName, int32_t cipherSuite,
                                             sp<ICredential>* _aidl_return) {
     *_aidl_return = nullptr;
@@ -139,13 +110,9 @@
                                                 "Credential with given name doesn't exist");
     }
 
-    // We only support a single cipher-suite right now.
-    if (cipherSuite != CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256) {
-        return Status::fromServiceSpecificError(ERROR_CIPHER_SUITE_NOT_SUPPORTED,
-                                                "Cipher suite not supported");
-    }
-
-    sp<Credential> credential = new Credential(dataPath_, credentialName);
+    // Note: IdentityCredentialStore.java's CipherSuite enumeration and CipherSuite from the
+    // HAL is manually kept in sync. So this cast is safe.
+    sp<Credential> credential = new Credential(CipherSuite(cipherSuite), dataPath_, credentialName);
 
     Status loadStatus = credential->loadCredential(hal_);
     if (!loadStatus.isOk()) {
diff --git a/identity/CredentialStore.h b/identity/CredentialStore.h
index 8d679a2..24b2b4d 100644
--- a/identity/CredentialStore.h
+++ b/identity/CredentialStore.h
@@ -20,8 +20,7 @@
 #include <string>
 #include <vector>
 
-#include <android/hardware/identity/1.0/IIdentityCredentialStore.h>
-#include <android/hardware/identity/1.0/types.h>
+#include <android/hardware/identity/IIdentityCredentialStore.h>
 
 #include <android/security/identity/BnCredentialStore.h>
 
@@ -35,7 +34,8 @@
 using ::std::unique_ptr;
 using ::std::vector;
 
-using ::android::hardware::identity::V1_0::IIdentityCredentialStore;
+using ::android::hardware::identity::HardwareInformation;
+using ::android::hardware::identity::IIdentityCredentialStore;
 
 class CredentialStore : public BnCredentialStore {
   public:
@@ -58,9 +58,7 @@
 
     sp<IIdentityCredentialStore> hal_;
 
-    bool isDirectAccess_;
-    vector<string> supportedDocTypes_;
-    size_t dataChunkSize_;
+    HardwareInformation hwInfo_;
 };
 
 }  // namespace identity
diff --git a/identity/CredentialStoreFactory.cpp b/identity/CredentialStoreFactory.cpp
index 947adf3..5c3bf36 100644
--- a/identity/CredentialStoreFactory.cpp
+++ b/identity/CredentialStoreFactory.cpp
@@ -19,28 +19,29 @@
 #include <android-base/logging.h>
 
 #include <binder/IPCThreadState.h>
+#include <binder/IServiceManager.h>
 
-#include "CredentialStore.h"
+//#include "CredentialStore.h"
 #include "CredentialStoreFactory.h"
 
 namespace android {
 namespace security {
 namespace identity {
 
-using ::android::hardware::hidl_string;
-using ::android::hardware::hidl_vec;
-using ::android::hardware::identity::V1_0::IIdentityCredentialStore;
-using ::android::hardware::identity::V1_0::Result;
-using ::android::hardware::identity::V1_0::ResultCode;
+using ::android::hardware::identity::IIdentityCredentialStore;
 
 CredentialStoreFactory::CredentialStoreFactory(const std::string& dataPath) : dataPath_(dataPath) {}
 
 CredentialStoreFactory::~CredentialStoreFactory() {}
 
-CredentialStore* CredentialStoreFactory::createCredentialStore(const string& serviceName) {
-    sp<IIdentityCredentialStore> hal = IIdentityCredentialStore::tryGetService(serviceName);
+CredentialStore* CredentialStoreFactory::createCredentialStore(const string& instanceName) {
+    String16 serviceName =
+        IIdentityCredentialStore::descriptor + String16("/") + String16(instanceName.c_str());
+    sp<IIdentityCredentialStore> hal =
+        android::waitForDeclaredService<IIdentityCredentialStore>(serviceName);
     if (hal.get() == nullptr) {
-        LOG(ERROR) << "Error get hal for store with service name '" << serviceName << "'";
+        LOG(ERROR) << "Error getting HAL for IdentityCredentialStore store with service name '"
+                   << serviceName << "'";
         return nullptr;
     }
 
@@ -51,7 +52,6 @@
         delete store;
         return nullptr;
     }
-
     return store;
 }
 
diff --git a/identity/CredentialStoreFactory.h b/identity/CredentialStoreFactory.h
index 3aef618..b944b26 100644
--- a/identity/CredentialStoreFactory.h
+++ b/identity/CredentialStoreFactory.h
@@ -38,7 +38,7 @@
                               sp<ICredentialStore>* _aidl_return) override;
 
   private:
-    CredentialStore* createCredentialStore(const string& serviceName);
+    CredentialStore* createCredentialStore(const string& instanceName);
 
     string dataPath_;
 
diff --git a/identity/Util.cpp b/identity/Util.cpp
index 70e7105..a962dc3 100644
--- a/identity/Util.cpp
+++ b/identity/Util.cpp
@@ -35,10 +35,16 @@
 
 using ::android::base::StringPrintf;
 
-Status halResultToGenericError(const Result& result) {
-    string message =
-        StringPrintf("HAL failed with code %d: %s", int(result.code), result.message.c_str());
-    return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC, message.c_str());
+Status halStatusToError(const Status& halStatus, int credStoreError) {
+    string message = StringPrintf(
+        "HAL failed with exception code %d (%s), service-specific error code %d, message '%s'",
+        halStatus.exceptionCode(), Status::exceptionToString(halStatus.exceptionCode()).c_str(),
+        halStatus.serviceSpecificErrorCode(), halStatus.exceptionMessage().c_str());
+    return Status::fromServiceSpecificError(credStoreError, message.c_str());
+}
+
+Status halStatusToGenericError(const Status& halStatus) {
+    return halStatusToError(halStatus, ICredentialStore::ERROR_GENERIC);
 }
 
 optional<vector<uint8_t>> fileGetContents(const string& path) {
diff --git a/identity/Util.h b/identity/Util.h
index bb0e275..12953f7 100644
--- a/identity/Util.h
+++ b/identity/Util.h
@@ -20,8 +20,6 @@
 #include <string>
 #include <vector>
 
-#include <android/hardware/identity/1.0/IIdentityCredentialStore.h>
-#include <android/hardware/identity/1.0/types.h>
 #include <binder/Status.h>
 
 namespace android {
@@ -33,9 +31,13 @@
 using ::std::vector;
 
 using ::android::binder::Status;
-using ::android::hardware::identity::V1_0::Result;
 
-Status halResultToGenericError(const Result& result);
+// Converts a HAL status to a credstore service-specific error with code
+// ICredentialStore::ERROR_GENERIC.
+Status halStatusToGenericError(const Status& halStatus);
+
+// Converts a HAL status to a credstore service-specific error of a given value
+Status halStatusToError(const Status& halStatus, int credStoreError);
 
 // Helper function to atomically write |data| into file at |path|.
 //
diff --git a/identity/WritableCredential.cpp b/identity/WritableCredential.cpp
index 86c604d..dec95a6 100644
--- a/identity/WritableCredential.cpp
+++ b/identity/WritableCredential.cpp
@@ -34,11 +34,7 @@
 
 using ::std::pair;
 
-using ::android::hardware::hidl_vec;
-
-using ::android::hardware::identity::V1_0::Result;
-using ::android::hardware::identity::V1_0::ResultCode;
-using ::android::hardware::identity::V1_0::SecureAccessControlProfile;
+using ::android::hardware::identity::SecureAccessControlProfile;
 
 using ::android::hardware::identity::support::chunkVector;
 
@@ -51,8 +47,6 @@
 WritableCredential::~WritableCredential() {}
 
 Status WritableCredential::ensureAttestationCertificateExists(const vector<uint8_t>& challenge) {
-    vector<uint8_t> attestationCertificate;
-
     if (!attestationCertificate_.empty()) {
         return Status::ok();
     }
@@ -65,21 +59,21 @@
                                                 "Failed gathering AttestionApplicationId");
     }
 
-    Result result;
-    halBinder_->getAttestationCertificate(
-        asn1AttestationId.value(), challenge,
-        [&](const Result& _result, const hidl_vec<hidl_vec<uint8_t>>& _splitCerts) {
-            result = _result;
-            vector<vector<uint8_t>> splitCerts;
-            std::copy(_splitCerts.begin(), _splitCerts.end(), std::back_inserter(splitCerts));
-            attestationCertificate =
-                ::android::hardware::identity::support::certificateChainJoin(splitCerts);
-        });
-    if (result.code != ResultCode::OK) {
+    vector<Certificate> certificateChain;
+    Status status = halBinder_->getAttestationCertificate(asn1AttestationId.value(), challenge,
+                                                          &certificateChain);
+    if (!status.isOk()) {
         LOG(ERROR) << "Error calling getAttestationCertificate()";
-        return halResultToGenericError(result);
+        return halStatusToGenericError(status);
     }
-    attestationCertificate_ = attestationCertificate;
+
+    vector<vector<uint8_t>> splitCerts;
+    for (const auto& cert : certificateChain) {
+        splitCerts.push_back(cert.encodedCertificate);
+    }
+    attestationCertificate_ =
+        ::android::hardware::identity::support::certificateChainJoin(splitCerts);
+
     return Status::ok();
 }
 
@@ -114,56 +108,51 @@
 
     data.setAttestationCertificate(attestationCertificate_);
 
-    vector<uint16_t> entryCounts;
+    vector<int32_t> entryCounts;
     for (const EntryNamespaceParcel& ensParcel : entryNamespaces) {
         entryCounts.push_back(ensParcel.entries.size());
     }
 
-    Result result;
-    halBinder_->startPersonalization(accessControlProfiles.size(), entryCounts,
-                                     [&](const Result& _result) { result = _result; });
-    if (result.code != ResultCode::OK) {
-        return halResultToGenericError(result);
+    Status status = halBinder_->startPersonalization(accessControlProfiles.size(), entryCounts);
+    if (!status.isOk()) {
+        return halStatusToGenericError(status);
     }
 
     for (const AccessControlProfileParcel& acpParcel : accessControlProfiles) {
-        halBinder_->addAccessControlProfile(
-            acpParcel.id, acpParcel.readerCertificate, acpParcel.userAuthenticationRequired,
-            acpParcel.userAuthenticationTimeoutMillis, secureUserId,
-            [&](const Result& _result, const SecureAccessControlProfile& profile) {
-                data.addSecureAccessControlProfile(profile);
-                result = _result;
-            });
-        if (result.code != ResultCode::OK) {
-            return halResultToGenericError(result);
+        Certificate certificate;
+        certificate.encodedCertificate = acpParcel.readerCertificate;
+        SecureAccessControlProfile profile;
+        status = halBinder_->addAccessControlProfile(
+            acpParcel.id, certificate, acpParcel.userAuthenticationRequired,
+            acpParcel.userAuthenticationTimeoutMillis, secureUserId, &profile);
+        if (!status.isOk()) {
+            return halStatusToGenericError(status);
         }
+        data.addSecureAccessControlProfile(profile);
     }
 
     for (const EntryNamespaceParcel& ensParcel : entryNamespaces) {
         for (const EntryParcel& eParcel : ensParcel.entries) {
             vector<vector<uint8_t>> chunks = chunkVector(eParcel.value, dataChunkSize_);
 
-            vector<uint16_t> ids;
+            vector<int32_t> ids;
             std::copy(eParcel.accessControlProfileIds.begin(),
                       eParcel.accessControlProfileIds.end(), std::back_inserter(ids));
 
-            halBinder_->beginAddEntry(ids, ensParcel.namespaceName, eParcel.name,
-                                      eParcel.value.size(),
-                                      [&](const Result& _result) { result = _result; });
-            if (result.code != ResultCode::OK) {
-                return halResultToGenericError(result);
+            status = halBinder_->beginAddEntry(ids, ensParcel.namespaceName, eParcel.name,
+                                               eParcel.value.size());
+            if (!status.isOk()) {
+                return halStatusToGenericError(status);
             }
 
             vector<vector<uint8_t>> encryptedChunks;
             for (const auto& chunk : chunks) {
-                halBinder_->addEntryValue(
-                    chunk, [&](const Result& _result, const hidl_vec<uint8_t>& encryptedContent) {
-                        result = _result;
-                        encryptedChunks.push_back(encryptedContent);
-                    });
-                if (result.code != ResultCode::OK) {
-                    return halResultToGenericError(result);
+                vector<uint8_t> encryptedChunk;
+                status = halBinder_->addEntryValue(chunk, &encryptedChunk);
+                if (!status.isOk()) {
+                    return halStatusToGenericError(status);
                 }
+                encryptedChunks.push_back(encryptedChunk);
             }
             EntryData eData;
             eData.size = eParcel.value.size();
@@ -175,17 +164,11 @@
 
     vector<uint8_t> credentialData;
     vector<uint8_t> proofOfProvisioningSignature;
-    halBinder_->finishAddingEntries([&](const Result& _result,
-                                        const hidl_vec<uint8_t>& _credentialData,
-                                        const hidl_vec<uint8_t>& _proofOfProvisioningSignature) {
-        data.setCredentialData(_credentialData);
-        result = _result;
-        credentialData = _credentialData;
-        proofOfProvisioningSignature = _proofOfProvisioningSignature;
-    });
-    if (result.code != ResultCode::OK) {
-        return halResultToGenericError(result);
+    status = halBinder_->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
+    if (!status.isOk()) {
+        return halStatusToGenericError(status);
     }
+    data.setCredentialData(credentialData);
 
     if (!data.saveToDisk()) {
         return Status::fromServiceSpecificError(ICredentialStore::ERROR_GENERIC,
diff --git a/identity/WritableCredential.h b/identity/WritableCredential.h
index 47987ce..8b5e19e 100644
--- a/identity/WritableCredential.h
+++ b/identity/WritableCredential.h
@@ -22,15 +22,14 @@
 
 #include <android/security/identity/BnWritableCredential.h>
 
-#include <android/hardware/identity/1.0/IIdentityCredentialStore.h>
-#include <android/hardware/identity/1.0/types.h>
+#include <android/hardware/identity/IIdentityCredentialStore.h>
 
 namespace android {
 namespace security {
 namespace identity {
 
 using ::android::binder::Status;
-using ::android::hardware::identity::V1_0::IWritableIdentityCredential;
+using ::android::hardware::identity::IWritableIdentityCredential;
 using ::std::string;
 using ::std::vector;