identity: Add support for ECDSA auth and don't require session encryption.
This change uses the new API in Identity Credential HAL version 5 and
later to obtain the mdoc ECDSA authentication signature and pass it to
the framework API.
Bug: 241912421
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: I4bb8ba8c4a46a91791af9e0e48c81894d896a2d0
diff --git a/identity/Credential.cpp b/identity/Credential.cpp
index c67fe4a..cbeb508 100644
--- a/identity/Credential.cpp
+++ b/identity/Credential.cpp
@@ -554,9 +554,18 @@
ret.resultNamespaces.push_back(resultNamespaceParcel);
}
- status = halBinder->finishRetrieval(&ret.mac, &ret.deviceNameSpaces);
- if (!status.isOk()) {
- return halStatusToGenericError(status);
+ // API version 5 (feature version 202301) supports both MAC and ECDSA signature.
+ if (halApiVersion_ >= 5) {
+ status = halBinder->finishRetrievalWithSignature(&ret.mac, &ret.deviceNameSpaces,
+ &ret.signature);
+ if (!status.isOk()) {
+ return halStatusToGenericError(status);
+ }
+ } else {
+ status = halBinder->finishRetrieval(&ret.mac, &ret.deviceNameSpaces);
+ if (!status.isOk()) {
+ return halStatusToGenericError(status);
+ }
}
ret.staticAuthenticationData = selectedAuthKeyStaticAuthData_;
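Review bot: On the pre-v5 branch `ret.signature` is never written, so the caller receives it in whatever state `ret` was constructed with (presumably empty; the declaration is outside this hunk). Since the field carries authentication material, a comment on the else branch would make the contract explicit, e.g. `// HAL < 5 cannot produce an ECDSA signature; ret.signature is left empty and only ret.mac may be set.` Separately, the `!status.isOk()` check is duplicated in both branches; hoisting a single `if (!status.isOk()) { return halStatusToGenericError(status); }` below the if/else keeps one error path that a later branch cannot forget. The enclosing function starts and ends outside the hunk.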