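/*
 * Copyright 2020, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef ANDROID_HARDWARE_IDENTITY_SECUREHARDWAREPROXY_H
#define ANDROID_HARDWARE_IDENTITY_SECUREHARDWAREPROXY_H

#include <utils/RefBase.h>

// Include what we use: the fixed-width integer types, size_t and time_t used
// in the signatures below were previously only available transitively.
#include <cstddef>
#include <cstdint>
#include <ctime>
#include <optional>
#include <string>
#include <utility>
#include <vector>

namespace android::hardware::identity {

using ::android::RefBase;
using ::std::optional;
using ::std::pair;
using ::std::string;
using ::std::vector;

// These classes are used to communicate with Secure Hardware. They mimic the
// API in libEmbeddedIC 1:1 (except for using C++ types) as each call is intended
// to be forwarded to the Secure Hardware.
//
// Instances are instantiated when a provisioning or presentation session
// starts. When the session is complete, the shutdown() method is called.
//
// Result convention: methods returning bool signal failure with false and
// methods returning optional<> signal failure with an empty optional. A
// caller that ignores either result would continue a session the Secure
// Hardware has rejected, so every return value is expected to be checked.
//

// Forward declare.
//
class SecureHardwareProvisioningProxy;
class SecureHardwareSessionProxy;
class SecureHardwarePresentationProxy;

// This is a class used to create proxies.
//
// One factory method exists per proxy kind; each hands back an sp<> (RefBase
// strong pointer) to a proxy of that kind.
//
class SecureHardwareProxyFactory : public RefBase {
  public:
    SecureHardwareProxyFactory() = default;
    virtual ~SecureHardwareProxyFactory() = default;

    virtual sp<SecureHardwareProvisioningProxy> createProvisioningProxy() = 0;
    virtual sp<SecureHardwareSessionProxy> createSessionProxy() = 0;
    virtual sp<SecureHardwarePresentationProxy> createPresentationProxy() = 0;
};

// The proxy used for provisioning.
//
// Lifecycle: initialize() or initializeForUpdate(), then the personalization
// sequence (startPersonalization, addAccessControlProfile, beginAddEntry /
// addEntryValue, finishAddingEntries, finishGetCredentialData), then shutdown().
//
class SecureHardwareProvisioningProxy : public RefBase {
  public:
    SecureHardwareProvisioningProxy() = default;
    virtual ~SecureHardwareProvisioningProxy() = default;

    // Starts a fresh provisioning session. |testCredential| selects the
    // test-credential flavour of the session.
    virtual bool initialize(bool testCredential) = 0;

    // Starts a provisioning session that updates an existing credential,
    // identified by its |docType| and |encryptedCredentialKeys| (the blob
    // previously returned by finishGetCredentialData()).
    virtual bool initializeForUpdate(bool testCredential, const string& docType,
                                     const vector<uint8_t>& encryptedCredentialKeys) = 0;

    // Returns the identifier of this session, or an empty optional on failure.
    virtual optional<uint32_t> getId() = 0;

    // Ends the session. Called when the session is complete.
    virtual bool shutdown() = 0;

    // Returns public key certificate chain with attestation.
    //
    // This must return an entire certificate chain and its implementation must
    // be coordinated with the implementation of eicOpsCreateCredentialKey() on
    // the TA side (which may return just a single certificate or the entire
    // chain).
    virtual optional<vector<uint8_t>> createCredentialKey(const vector<uint8_t>& challenge,
                                                          const vector<uint8_t>& applicationId) = 0;

    // Returns public key certificate with a remotely provisioned attestation key.
    //
    // This returns a single certificate that is signed by the given |attestationKeyBlob|.
    // The implementation of eicOpsCreateCredentialKey() on the TA side must coordinate
    // with its corresponding keymint implementation to sign using the attestation key. The
    // |attestationKeyCert| parameter is the certificates for |attestationKeyBlob|,
    // formatted as concatenated, DER-encoded, X.509 certificates.
    virtual optional<vector<uint8_t>> createCredentialKeyUsingRkp(
            const vector<uint8_t>& challenge, const vector<uint8_t>& applicationId,
            const vector<uint8_t>& attestationKeyBlob,
            const vector<uint8_t>& attestationKeyCert) = 0;

    // Announces the shape of the data about to be provisioned: the number of
    // access control profiles, the per-namespace entry counts, the document
    // type and the expected size of the resulting proof of provisioning.
    virtual bool startPersonalization(int accessControlProfileCount, const vector<int>& entryCounts,
                                      const string& docType,
                                      size_t expectedProofOfProvisioningSize) = 0;

    // Returns MAC (28 bytes).
    //
    // NOTE(review): |timeoutMillis| is uint64_t here but int in
    // SecureHardwarePresentationProxy::validateAccessControlProfile(); the
    // narrower type on the validation side should be kept in mind by callers.
    virtual optional<vector<uint8_t>> addAccessControlProfile(
            int id, const vector<uint8_t>& readerCertificate, bool userAuthenticationRequired,
            uint64_t timeoutMillis, uint64_t secureUserId) = 0;

    // Begins adding an entry of |entrySize| bytes under |nameSpace| / |name|,
    // gated by the given access control profile ids.
    virtual bool beginAddEntry(const vector<int>& accessControlProfileIds, const string& nameSpace,
                               const string& name, uint64_t entrySize) = 0;

    // Returns encryptedContent.
    virtual optional<vector<uint8_t>> addEntryValue(const vector<int>& accessControlProfileIds,
                                                    const string& nameSpace, const string& name,
                                                    const vector<uint8_t>& content) = 0;

    // Returns signatureOfToBeSigned (EIC_ECDSA_P256_SIGNATURE_SIZE bytes).
    virtual optional<vector<uint8_t>> finishAddingEntries() = 0;

    // Returns encryptedCredentialKeys (80 bytes).
    virtual optional<vector<uint8_t>> finishGetCredentialData(const string& docType) = 0;
};

// Outcome of an access check performed by startRetrieveEntryValue().
// Kept as a plain enum because callers refer to the enumerators unqualified.
enum AccessCheckResult {
    kOk,
    kFailed,
    kNoAccessControlProfiles,
    kUserAuthenticationFailed,
    kReaderAuthenticationFailed,
};

// The proxy used for sessions.
//
// Lifecycle: initialize(), then getAuthChallenge() / getEphemeralKeyPair() /
// setReaderEphemeralPublicKey() / setSessionTranscript() as needed, then
// shutdown().
//
class SecureHardwareSessionProxy : public RefBase {
  public:
    SecureHardwareSessionProxy() = default;

    virtual ~SecureHardwareSessionProxy() = default;

    virtual bool initialize() = 0;

    // Returns the identifier of this session, or an empty optional on failure.
    virtual optional<uint32_t> getId() = 0;

    virtual bool shutdown() = 0;

    virtual optional<uint64_t> getAuthChallenge() = 0;

    // Returns private key
    virtual optional<vector<uint8_t>> getEphemeralKeyPair() = 0;

    virtual bool setReaderEphemeralPublicKey(const vector<uint8_t>& readerEphemeralPublicKey) = 0;

    virtual bool setSessionTranscript(const vector<uint8_t>& sessionTranscript) = 0;
};

// The proxy used for presentation.
//
// Lifecycle: initialize() with the session id and credential blob, key /
// challenge setup, startRetrieveEntries(), then per-entry
// startRetrieveEntryValue() / retrieveEntryValue(), then finishRetrieval() or
// finishRetrievalWithSignature(), then shutdown().
//
class SecureHardwarePresentationProxy : public RefBase {
  public:
    SecureHardwarePresentationProxy() = default;
    virtual ~SecureHardwarePresentationProxy() = default;

    // Binds this presentation to session |sessionId| and the credential
    // identified by |docType| and |encryptedCredentialKeys|.
    virtual bool initialize(uint32_t sessionId, bool testCredential, const string& docType,
                            const vector<uint8_t>& encryptedCredentialKeys) = 0;

    // Returns the identifier of this presentation, or an empty optional on failure.
    virtual optional<uint32_t> getId() = 0;

    virtual bool shutdown() = 0;

    // Returns publicKeyCert (1st component) and signingKeyBlob (2nd component)
    virtual optional<pair<vector<uint8_t>, vector<uint8_t>>> generateSigningKeyPair(
            const string& docType, time_t now) = 0;

    // Returns private key
    virtual optional<vector<uint8_t>> createEphemeralKeyPair() = 0;

    virtual optional<uint64_t> createAuthChallenge() = 0;

    virtual bool startRetrieveEntries() = 0;

    // Hands the hardware auth token and verification token to the Secure
    // Hardware. |mac| and |verificationTokenMac| are the tokens' MACs; the
    // Secure Hardware is what decides whether they are accepted.
    virtual bool setAuthToken(uint64_t challenge, uint64_t secureUserId, uint64_t authenticatorId,
                              int hardwareAuthenticatorType, uint64_t timeStamp,
                              const vector<uint8_t>& mac, uint64_t verificationTokenChallenge,
                              uint64_t verificationTokenTimestamp,
                              int verificationTokenSecurityLevel,
                              const vector<uint8_t>& verificationTokenMac) = 0;

    // Pushes one DER-encoded X.509 certificate of the reader's chain.
    virtual bool pushReaderCert(const vector<uint8_t>& certX509) = 0;

    // Re-validates an access control profile against the |mac| produced by
    // SecureHardwareProvisioningProxy::addAccessControlProfile().
    //
    // NOTE(review): |timeoutMillis| is int here but uint64_t when the profile
    // was added; signature kept as-is for interface compatibility, confirm the
    // caller keeps the value within int range.
    virtual optional<bool> validateAccessControlProfile(int id,
                                                        const vector<uint8_t>& readerCertificate,
                                                        bool userAuthenticationRequired,
                                                        int timeoutMillis, uint64_t secureUserId,
                                                        const vector<uint8_t>& mac) = 0;

    // Verifies the reader's signature over the request message for the given
    // session transcript and COSE signature algorithm.
    virtual bool validateRequestMessage(const vector<uint8_t>& sessionTranscript,
                                        const vector<uint8_t>& requestMessage, int coseSignAlg,
                                        const vector<uint8_t>& readerSignatureOfToBeSigned) = 0;

    virtual bool prepareDeviceAuthentication(const vector<uint8_t>& sessionTranscript,
                                             const vector<uint8_t>& readerEphemeralPublicKey,
                                             const vector<uint8_t>& signingKeyBlob,
                                             const string& docType,
                                             unsigned int numNamespacesWithValues,
                                             size_t expectedDeviceNamespacesSize) = 0;

    // Performs the access check for one entry; anything other than kOk means
    // the entry value must not be released.
    //
    // NOTE(review): profile ids are vector<int32_t> here but vector<int> on the
    // provisioning proxy; equivalent on current targets, kept for compatibility.
    virtual AccessCheckResult startRetrieveEntryValue(
            const string& nameSpace, const string& name, unsigned int newNamespaceNumEntries,
            int32_t entrySize, const vector<int32_t>& accessControlProfileIds) = 0;

    virtual optional<vector<uint8_t>> retrieveEntryValue(
            const vector<uint8_t>& encryptedContent, const string& nameSpace, const string& name,
            const vector<int32_t>& accessControlProfileIds) = 0;

    // NOTE(review): unlike every other method in this header these two are not
    // pure virtual and no default definition is visible here. Left as declared
    // so the interface is unchanged, but an implementation must provide both
    // for the class to link.
    virtual optional<vector<uint8_t>> finishRetrieval();
    virtual optional<pair<vector<uint8_t>, vector<uint8_t>>> finishRetrievalWithSignature();

    // Returns the proof of deletion (CBOR of |proofOfDeletionCborSize| bytes),
    // optionally including |challenge|.
    virtual optional<vector<uint8_t>> deleteCredential(const string& docType,
                                                       const vector<uint8_t>& challenge,
                                                       bool includeChallenge,
                                                       size_t proofOfDeletionCborSize) = 0;

    // Returns the proof of ownership (CBOR of |proofOfOwnershipCborSize| bytes)
    // over |challenge|.
    virtual optional<vector<uint8_t>> proveOwnership(const string& docType, bool testCredential,
                                                     const vector<uint8_t>& challenge,
                                                     size_t proofOfOwnershipCborSize) = 0;
};

}  // namespace android::hardware::identity

#endif  // ANDROID_HARDWARE_IDENTITY_SECUREHARDWAREPROXY_H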