default/libeic/EicPresentation.c

*4d7e907cSAndroid Build Coastguard Worker/*
*4d7e907cSAndroid Build Coastguard Worker * Copyright 2020, The Android Open Source Project
*4d7e907cSAndroid Build Coastguard Worker *
*4d7e907cSAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License");
*4d7e907cSAndroid Build Coastguard Worker * you may not use this file except in compliance with the License.
*4d7e907cSAndroid Build Coastguard Worker * You may obtain a copy of the License at
*4d7e907cSAndroid Build Coastguard Worker *
*4d7e907cSAndroid Build Coastguard Worker *     http://www.apache.org/licenses/LICENSE-2.0
*4d7e907cSAndroid Build Coastguard Worker *
*4d7e907cSAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software
*4d7e907cSAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS,
*4d7e907cSAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*4d7e907cSAndroid Build Coastguard Worker * See the License for the specific language governing permissions and
*4d7e907cSAndroid Build Coastguard Worker * limitations under the License.
*4d7e907cSAndroid Build Coastguard Worker */
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker#include "EicPresentation.h"
*4d7e907cSAndroid Build Coastguard Worker#include "EicCommon.h"
*4d7e907cSAndroid Build Coastguard Worker#include "EicSession.h"
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker#include <inttypes.h>
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker// Global used for assigning ids for presentation objects.
*4d7e907cSAndroid Build Coastguard Worker//
*4d7e907cSAndroid Build Coastguard Workerstatic uint32_t gPresentationLastIdAssigned = 0;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationInit(EicPresentation* ctx, uint32_t sessionId, bool testCredential,
*4d7e907cSAndroid Build Coastguard Worker                         const char* docType, size_t docTypeLength,
*4d7e907cSAndroid Build Coastguard Worker                         const uint8_t* encryptedCredentialKeys,
*4d7e907cSAndroid Build Coastguard Worker                         size_t encryptedCredentialKeysSize) {
*4d7e907cSAndroid Build Coastguard Worker    uint8_t credentialKeys[EIC_CREDENTIAL_KEYS_CBOR_SIZE_FEATURE_VERSION_202101];
*4d7e907cSAndroid Build Coastguard Worker    bool expectPopSha256 = false;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // For feature version 202009 it's 52 bytes long and for feature version 202101 it's 86
*4d7e907cSAndroid Build Coastguard Worker    // bytes (the additional data is the ProofOfProvisioning SHA-256). We need
*4d7e907cSAndroid Build Coastguard Worker    // to support loading all feature versions.
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    if (encryptedCredentialKeysSize == EIC_CREDENTIAL_KEYS_CBOR_SIZE_FEATURE_VERSION_202009 + 28) {
*4d7e907cSAndroid Build Coastguard Worker        /* do nothing */
*4d7e907cSAndroid Build Coastguard Worker    } else if (encryptedCredentialKeysSize == EIC_CREDENTIAL_KEYS_CBOR_SIZE_FEATURE_VERSION_202101 + 28) {
*4d7e907cSAndroid Build Coastguard Worker        expectPopSha256 = true;
*4d7e907cSAndroid Build Coastguard Worker    } else {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Unexpected size %zd for encryptedCredentialKeys", encryptedCredentialKeysSize);
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    eicMemSet(ctx, '\0', sizeof(EicPresentation));
*4d7e907cSAndroid Build Coastguard Worker    ctx->sessionId = sessionId;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (!eicNextId(&gPresentationLastIdAssigned)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error getting id for object");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    ctx->id = gPresentationLastIdAssigned;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsDecryptAes128Gcm(eicOpsGetHardwareBoundKey(testCredential), encryptedCredentialKeys,
*4d7e907cSAndroid Build Coastguard Worker                                encryptedCredentialKeysSize,
*4d7e907cSAndroid Build Coastguard Worker                                // DocType is the additionalAuthenticatedData
*4d7e907cSAndroid Build Coastguard Worker                                (const uint8_t*)docType, docTypeLength, credentialKeys)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error decrypting CredentialKeys");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // It's supposed to look like this;
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    // Feature version 202009:
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    //         CredentialKeys = [
*4d7e907cSAndroid Build Coastguard Worker    //              bstr,   ; storageKey, a 128-bit AES key
*4d7e907cSAndroid Build Coastguard Worker    //              bstr,   ; credentialPrivKey, the private key for credentialKey
*4d7e907cSAndroid Build Coastguard Worker    //         ]
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    // Feature version 202101:
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    //         CredentialKeys = [
*4d7e907cSAndroid Build Coastguard Worker    //              bstr,   ; storageKey, a 128-bit AES key
*4d7e907cSAndroid Build Coastguard Worker    //              bstr,   ; credentialPrivKey, the private key for credentialKey
*4d7e907cSAndroid Build Coastguard Worker    //              bstr    ; proofOfProvisioning SHA-256
*4d7e907cSAndroid Build Coastguard Worker    //         ]
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    // where storageKey is 16 bytes, credentialPrivateKey is 32 bytes, and proofOfProvisioning
*4d7e907cSAndroid Build Coastguard Worker    // SHA-256 is 32 bytes.
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    if (credentialKeys[0] != (expectPopSha256 ? 0x83 : 0x82) ||  // array of two or three elements
*4d7e907cSAndroid Build Coastguard Worker        credentialKeys[1] != 0x50 ||                             // 16-byte bstr
*4d7e907cSAndroid Build Coastguard Worker        credentialKeys[18] != 0x58 || credentialKeys[19] != 0x20) {  // 32-byte bstr
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Invalid CBOR for CredentialKeys");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    if (expectPopSha256) {
*4d7e907cSAndroid Build Coastguard Worker        if (credentialKeys[52] != 0x58 || credentialKeys[53] != 0x20) {  // 32-byte bstr
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("Invalid CBOR for CredentialKeys");
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    eicMemCpy(ctx->storageKey, credentialKeys + 2, EIC_AES_128_KEY_SIZE);
*4d7e907cSAndroid Build Coastguard Worker    eicMemCpy(ctx->credentialPrivateKey, credentialKeys + 20, EIC_P256_PRIV_KEY_SIZE);
*4d7e907cSAndroid Build Coastguard Worker    ctx->testCredential = testCredential;
*4d7e907cSAndroid Build Coastguard Worker    if (expectPopSha256) {
*4d7e907cSAndroid Build Coastguard Worker        eicMemCpy(ctx->proofOfProvisioningSha256, credentialKeys + 54, EIC_SHA256_DIGEST_SIZE);
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    eicDebug("Initialized presentation with id %" PRIu32, ctx->id);
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationShutdown(EicPresentation* ctx) {
*4d7e907cSAndroid Build Coastguard Worker    if (ctx->id == 0) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Trying to shut down presentation with id 0");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    eicDebug("Shut down presentation with id %" PRIu32, ctx->id);
*4d7e907cSAndroid Build Coastguard Worker    eicMemSet(ctx, '\0', sizeof(EicPresentation));
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationGetId(EicPresentation* ctx, uint32_t* outId) {
*4d7e907cSAndroid Build Coastguard Worker    *outId = ctx->id;
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationGenerateSigningKeyPair(EicPresentation* ctx, const char* docType,
*4d7e907cSAndroid Build Coastguard Worker                                           size_t docTypeLength, time_t now,
*4d7e907cSAndroid Build Coastguard Worker                                           uint8_t* publicKeyCert, size_t* publicKeyCertSize,
*4d7e907cSAndroid Build Coastguard Worker                                           uint8_t signingKeyBlob[60]) {
*4d7e907cSAndroid Build Coastguard Worker    uint8_t signingKeyPriv[EIC_P256_PRIV_KEY_SIZE];
*4d7e907cSAndroid Build Coastguard Worker    uint8_t signingKeyPub[EIC_P256_PUB_KEY_SIZE];
*4d7e907cSAndroid Build Coastguard Worker    uint8_t cborBuf[64];
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Generate the ProofOfBinding CBOR to include in the X.509 certificate in
*4d7e907cSAndroid Build Coastguard Worker    // IdentityCredentialAuthenticationKeyExtension CBOR. This CBOR is defined
*4d7e907cSAndroid Build Coastguard Worker    // by the following CDDL
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    //   ProofOfBinding = [
*4d7e907cSAndroid Build Coastguard Worker    //     "ProofOfBinding",
*4d7e907cSAndroid Build Coastguard Worker    //     bstr,                  // Contains the SHA-256 of ProofOfProvisioning
*4d7e907cSAndroid Build Coastguard Worker    //   ]
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    // This array may grow in the future if other information needs to be
*4d7e907cSAndroid Build Coastguard Worker    // conveyed.
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    // The bytes of ProofOfBinding is is represented as an OCTET_STRING
*4d7e907cSAndroid Build Coastguard Worker    // and stored at OID 1.3.6.1.4.1.11129.2.1.26.
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    EicCbor cbor;
*4d7e907cSAndroid Build Coastguard Worker    eicCborInit(&cbor, cborBuf, sizeof cborBuf);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendArray(&cbor, 2);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendStringZ(&cbor, "ProofOfBinding");
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendByteString(&cbor, ctx->proofOfProvisioningSha256, EIC_SHA256_DIGEST_SIZE);
*4d7e907cSAndroid Build Coastguard Worker    if (cbor.size > sizeof(cborBuf)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Exceeded buffer size");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    const uint8_t* proofOfBinding = cborBuf;
*4d7e907cSAndroid Build Coastguard Worker    size_t proofOfBindingSize = cbor.size;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsCreateEcKey(signingKeyPriv, signingKeyPub)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error creating signing key");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    const int secondsInOneYear = 365 * 24 * 60 * 60;
*4d7e907cSAndroid Build Coastguard Worker    time_t validityNotBefore = now;
*4d7e907cSAndroid Build Coastguard Worker    time_t validityNotAfter = now + secondsInOneYear;  // One year from now.
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsSignEcKey(signingKeyPub, ctx->credentialPrivateKey, 1,
*4d7e907cSAndroid Build Coastguard Worker                         "Android Identity Credential Key",                 // issuer CN
*4d7e907cSAndroid Build Coastguard Worker                         "Android Identity Credential Authentication Key",  // subject CN
*4d7e907cSAndroid Build Coastguard Worker                         validityNotBefore, validityNotAfter, proofOfBinding, proofOfBindingSize,
*4d7e907cSAndroid Build Coastguard Worker                         publicKeyCert, publicKeyCertSize)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error creating certificate for signing key");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    uint8_t nonce[12];
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsRandom(nonce, 12)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error getting random");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsEncryptAes128Gcm(ctx->storageKey, nonce, signingKeyPriv, sizeof(signingKeyPriv),
*4d7e907cSAndroid Build Coastguard Worker                                // DocType is the additionalAuthenticatedData
*4d7e907cSAndroid Build Coastguard Worker                                (const uint8_t*)docType, docTypeLength, signingKeyBlob)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error encrypting signing key");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationCreateEphemeralKeyPair(EicPresentation* ctx,
*4d7e907cSAndroid Build Coastguard Worker                                           uint8_t ephemeralPrivateKey[EIC_P256_PRIV_KEY_SIZE]) {
*4d7e907cSAndroid Build Coastguard Worker    uint8_t ephemeralPublicKey[EIC_P256_PUB_KEY_SIZE];
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsCreateEcKey(ctx->ephemeralPrivateKey, ephemeralPublicKey)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error creating ephemeral key");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    eicMemCpy(ephemeralPrivateKey, ctx->ephemeralPrivateKey, EIC_P256_PRIV_KEY_SIZE);
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationCreateAuthChallenge(EicPresentation* ctx, uint64_t* authChallenge) {
*4d7e907cSAndroid Build Coastguard Worker    do {
*4d7e907cSAndroid Build Coastguard Worker        if (!eicOpsRandom((uint8_t*)&(ctx->authChallenge), sizeof(uint64_t))) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("Failed generating random challenge");
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker    } while (ctx->authChallenge == EIC_KM_AUTH_CHALLENGE_UNSET);
*4d7e907cSAndroid Build Coastguard Worker    eicDebug("Created auth challenge %" PRIu64, ctx->authChallenge);
*4d7e907cSAndroid Build Coastguard Worker    *authChallenge = ctx->authChallenge;
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker// From "COSE Algorithms" registry
*4d7e907cSAndroid Build Coastguard Worker//
*4d7e907cSAndroid Build Coastguard Worker#define COSE_ALG_ECDSA_256 -7
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationValidateRequestMessage(EicPresentation* ctx, const uint8_t* sessionTranscript,
*4d7e907cSAndroid Build Coastguard Worker                                           size_t sessionTranscriptSize,
*4d7e907cSAndroid Build Coastguard Worker                                           const uint8_t* requestMessage, size_t requestMessageSize,
*4d7e907cSAndroid Build Coastguard Worker                                           int coseSignAlg,
*4d7e907cSAndroid Build Coastguard Worker                                           const uint8_t* readerSignatureOfToBeSigned,
*4d7e907cSAndroid Build Coastguard Worker                                           size_t readerSignatureOfToBeSignedSize) {
*4d7e907cSAndroid Build Coastguard Worker    if (ctx->sessionId != 0) {
*4d7e907cSAndroid Build Coastguard Worker        EicSession* session = eicSessionGetForId(ctx->sessionId);
*4d7e907cSAndroid Build Coastguard Worker        if (session == NULL) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("Error looking up session for sessionId %" PRIu32, ctx->sessionId);
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker        EicSha256Ctx sha256;
*4d7e907cSAndroid Build Coastguard Worker        uint8_t sessionTranscriptSha256[EIC_SHA256_DIGEST_SIZE];
*4d7e907cSAndroid Build Coastguard Worker        eicOpsSha256Init(&sha256);
*4d7e907cSAndroid Build Coastguard Worker        eicOpsSha256Update(&sha256, sessionTranscript, sessionTranscriptSize);
*4d7e907cSAndroid Build Coastguard Worker        eicOpsSha256Final(&sha256, sessionTranscriptSha256);
*4d7e907cSAndroid Build Coastguard Worker        if (eicCryptoMemCmp(sessionTranscriptSha256, session->sessionTranscriptSha256,
*4d7e907cSAndroid Build Coastguard Worker                            EIC_SHA256_DIGEST_SIZE) != 0) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("SessionTranscript mismatch");
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (ctx->readerPublicKeySize == 0) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("No public key for reader");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Right now we only support ECDSA with SHA-256 (e.g. ES256).
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    if (coseSignAlg != COSE_ALG_ECDSA_256) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug(
*4d7e907cSAndroid Build Coastguard Worker                "COSE Signature algorithm for reader signature is %d, "
*4d7e907cSAndroid Build Coastguard Worker                "only ECDSA with SHA-256 is supported right now",
*4d7e907cSAndroid Build Coastguard Worker                coseSignAlg);
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // What we're going to verify is the COSE ToBeSigned structure which
*4d7e907cSAndroid Build Coastguard Worker    // looks like the following:
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    //   Sig_structure = [
*4d7e907cSAndroid Build Coastguard Worker    //     context : "Signature" / "Signature1" / "CounterSignature",
*4d7e907cSAndroid Build Coastguard Worker    //     body_protected : empty_or_serialized_map,
*4d7e907cSAndroid Build Coastguard Worker    //     ? sign_protected : empty_or_serialized_map,
*4d7e907cSAndroid Build Coastguard Worker    //     external_aad : bstr,
*4d7e907cSAndroid Build Coastguard Worker    //     payload : bstr
*4d7e907cSAndroid Build Coastguard Worker    //   ]
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    // So we're going to build that CBOR...
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    EicCbor cbor;
*4d7e907cSAndroid Build Coastguard Worker    eicCborInit(&cbor, NULL, 0);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendArray(&cbor, 4);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendStringZ(&cbor, "Signature1");
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // The COSE Encoded protected headers is just a single field with
*4d7e907cSAndroid Build Coastguard Worker    // COSE_LABEL_ALG (1) -> coseSignAlg (e.g. -7). For simplicitly we just
*4d7e907cSAndroid Build Coastguard Worker    // hard-code the CBOR encoding:
*4d7e907cSAndroid Build Coastguard Worker    static const uint8_t coseEncodedProtectedHeaders[] = {0xa1, 0x01, 0x26};
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendByteString(&cbor, coseEncodedProtectedHeaders,
*4d7e907cSAndroid Build Coastguard Worker                            sizeof(coseEncodedProtectedHeaders));
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // External_aad is the empty bstr
*4d7e907cSAndroid Build Coastguard Worker    static const uint8_t externalAad[0] = {};
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendByteString(&cbor, externalAad, sizeof(externalAad));
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // For the payload, the _encoded_ form follows here. We handle this by simply
*4d7e907cSAndroid Build Coastguard Worker    // opening a bstr, and then writing the CBOR. This requires us to know the
*4d7e907cSAndroid Build Coastguard Worker    // size of said bstr, ahead of time... the CBOR to be written is
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    //   ReaderAuthentication = [
*4d7e907cSAndroid Build Coastguard Worker    //      "ReaderAuthentication",
*4d7e907cSAndroid Build Coastguard Worker    //      SessionTranscript,
*4d7e907cSAndroid Build Coastguard Worker    //      ItemsRequestBytes
*4d7e907cSAndroid Build Coastguard Worker    //   ]
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    //   ItemsRequestBytes = #6.24(bstr .cbor ItemsRequest)
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    //   ReaderAuthenticationBytes = #6.24(bstr .cbor ReaderAuthentication)
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    // which is easily calculated below
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    size_t calculatedSize = 0;
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += 1;  // Array of size 3
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += 1;  // "ReaderAuthentication" less than 24 bytes
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += sizeof("ReaderAuthentication") - 1;  // Don't include trailing NUL
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += sessionTranscriptSize;               // Already CBOR encoded
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += 2;  // Semantic tag EIC_CBOR_SEMANTIC_TAG_ENCODED_CBOR (24)
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += 1 + eicCborAdditionalLengthBytesFor(requestMessageSize);
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += requestMessageSize;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // However note that we're authenticating ReaderAuthenticationBytes which
*4d7e907cSAndroid Build Coastguard Worker    // is a tagged bstr of the bytes of ReaderAuthentication. So need to get
*4d7e907cSAndroid Build Coastguard Worker    // that in front.
*4d7e907cSAndroid Build Coastguard Worker    size_t rabCalculatedSize = 0;
*4d7e907cSAndroid Build Coastguard Worker    rabCalculatedSize += 2;  // Semantic tag EIC_CBOR_SEMANTIC_TAG_ENCODED_CBOR (24)
*4d7e907cSAndroid Build Coastguard Worker    rabCalculatedSize += 1 + eicCborAdditionalLengthBytesFor(calculatedSize);
*4d7e907cSAndroid Build Coastguard Worker    rabCalculatedSize += calculatedSize;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Begin the bytestring for ReaderAuthenticationBytes;
*4d7e907cSAndroid Build Coastguard Worker    eicCborBegin(&cbor, EIC_CBOR_MAJOR_TYPE_BYTE_STRING, rabCalculatedSize);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendSemantic(&cbor, EIC_CBOR_SEMANTIC_TAG_ENCODED_CBOR);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Begins the bytestring for ReaderAuthentication;
*4d7e907cSAndroid Build Coastguard Worker    eicCborBegin(&cbor, EIC_CBOR_MAJOR_TYPE_BYTE_STRING, calculatedSize);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // And now that we know the size, let's fill it in...
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    size_t payloadOffset = cbor.size;
*4d7e907cSAndroid Build Coastguard Worker    eicCborBegin(&cbor, EIC_CBOR_MAJOR_TYPE_ARRAY, 3);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendStringZ(&cbor, "ReaderAuthentication");
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppend(&cbor, sessionTranscript, sessionTranscriptSize);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendSemantic(&cbor, EIC_CBOR_SEMANTIC_TAG_ENCODED_CBOR);
*4d7e907cSAndroid Build Coastguard Worker    eicCborBegin(&cbor, EIC_CBOR_MAJOR_TYPE_BYTE_STRING, requestMessageSize);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppend(&cbor, requestMessage, requestMessageSize);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (cbor.size != payloadOffset + calculatedSize) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("CBOR size is %zd but we expected %zd", cbor.size, payloadOffset + calculatedSize);
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    uint8_t toBeSignedDigest[EIC_SHA256_DIGEST_SIZE];
*4d7e907cSAndroid Build Coastguard Worker    eicCborFinal(&cbor, toBeSignedDigest);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsEcDsaVerifyWithPublicKey(
*4d7e907cSAndroid Build Coastguard Worker                toBeSignedDigest, EIC_SHA256_DIGEST_SIZE, readerSignatureOfToBeSigned,
*4d7e907cSAndroid Build Coastguard Worker                readerSignatureOfToBeSignedSize, ctx->readerPublicKey, ctx->readerPublicKeySize)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Request message is not signed by public key");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    ctx->requestMessageValidated = true;
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker// Validates the next certificate in the reader certificate chain.
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationPushReaderCert(EicPresentation* ctx, const uint8_t* certX509,
*4d7e907cSAndroid Build Coastguard Worker                                   size_t certX509Size) {
*4d7e907cSAndroid Build Coastguard Worker    // If we had a previous certificate, use its public key to validate this certificate.
*4d7e907cSAndroid Build Coastguard Worker    if (ctx->readerPublicKeySize > 0) {
*4d7e907cSAndroid Build Coastguard Worker        if (!eicOpsX509CertSignedByPublicKey(certX509, certX509Size, ctx->readerPublicKey,
*4d7e907cSAndroid Build Coastguard Worker                                             ctx->readerPublicKeySize)) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("Certificate is not signed by public key in the previous certificate");
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Store the key of this certificate, this is used to validate the next certificate
*4d7e907cSAndroid Build Coastguard Worker    // and also ACPs with certificates that use the same public key...
*4d7e907cSAndroid Build Coastguard Worker    ctx->readerPublicKeySize = EIC_PRESENTATION_MAX_READER_PUBLIC_KEY_SIZE;
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsX509GetPublicKey(certX509, certX509Size, ctx->readerPublicKey,
*4d7e907cSAndroid Build Coastguard Worker                                &ctx->readerPublicKeySize)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error extracting public key from certificate");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    if (ctx->readerPublicKeySize == 0) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Zero-length public key in certificate");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerstatic bool getChallenge(EicPresentation* ctx, uint64_t* outAuthChallenge) {
*4d7e907cSAndroid Build Coastguard Worker    // Use authChallenge from session if applicable.
*4d7e907cSAndroid Build Coastguard Worker    *outAuthChallenge = ctx->authChallenge;
*4d7e907cSAndroid Build Coastguard Worker    if (ctx->sessionId != 0) {
*4d7e907cSAndroid Build Coastguard Worker        EicSession* session = eicSessionGetForId(ctx->sessionId);
*4d7e907cSAndroid Build Coastguard Worker        if (session == NULL) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("Error looking up session for sessionId %" PRIu32, ctx->sessionId);
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker        *outAuthChallenge = session->authChallenge;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationSetAuthToken(EicPresentation* ctx, uint64_t challenge, uint64_t secureUserId,
*4d7e907cSAndroid Build Coastguard Worker                                 uint64_t authenticatorId, int hardwareAuthenticatorType,
*4d7e907cSAndroid Build Coastguard Worker                                 uint64_t timeStamp, const uint8_t* mac, size_t macSize,
*4d7e907cSAndroid Build Coastguard Worker                                 uint64_t verificationTokenChallenge,
*4d7e907cSAndroid Build Coastguard Worker                                 uint64_t verificationTokenTimestamp,
*4d7e907cSAndroid Build Coastguard Worker                                 int verificationTokenSecurityLevel,
*4d7e907cSAndroid Build Coastguard Worker                                 const uint8_t* verificationTokenMac,
*4d7e907cSAndroid Build Coastguard Worker                                 size_t verificationTokenMacSize) {
*4d7e907cSAndroid Build Coastguard Worker    uint64_t authChallenge;
*4d7e907cSAndroid Build Coastguard Worker    if (!getChallenge(ctx, &authChallenge)) {
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // It doesn't make sense to accept any tokens if eicPresentationCreateAuthChallenge()
*4d7e907cSAndroid Build Coastguard Worker    // was never called.
*4d7e907cSAndroid Build Coastguard Worker    if (authChallenge == EIC_KM_AUTH_CHALLENGE_UNSET) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Trying to validate tokens when no auth-challenge was previously generated");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    // At least the verification-token must have the same challenge as what was generated.
*4d7e907cSAndroid Build Coastguard Worker    if (verificationTokenChallenge != authChallenge) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Challenge in verification token does not match the challenge "
*4d7e907cSAndroid Build Coastguard Worker                 "previously generated");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsValidateAuthToken(
*4d7e907cSAndroid Build Coastguard Worker                challenge, secureUserId, authenticatorId, hardwareAuthenticatorType, timeStamp, mac,
*4d7e907cSAndroid Build Coastguard Worker                macSize, verificationTokenChallenge, verificationTokenTimestamp,
*4d7e907cSAndroid Build Coastguard Worker                verificationTokenSecurityLevel, verificationTokenMac, verificationTokenMacSize)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error validating authToken");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    ctx->authTokenChallenge = challenge;
*4d7e907cSAndroid Build Coastguard Worker    ctx->authTokenSecureUserId = secureUserId;
*4d7e907cSAndroid Build Coastguard Worker    ctx->authTokenTimestamp = timeStamp;
*4d7e907cSAndroid Build Coastguard Worker    ctx->verificationTokenTimestamp = verificationTokenTimestamp;
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerstatic bool checkUserAuth(EicPresentation* ctx, bool userAuthenticationRequired, int timeoutMillis,
*4d7e907cSAndroid Build Coastguard Worker                          uint64_t secureUserId) {
*4d7e907cSAndroid Build Coastguard Worker    if (!userAuthenticationRequired) {
*4d7e907cSAndroid Build Coastguard Worker        return true;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (secureUserId != ctx->authTokenSecureUserId) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("secureUserId in profile differs from userId in authToken");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Only ACP with auth-on-every-presentation - those with timeout == 0 - need the
*4d7e907cSAndroid Build Coastguard Worker    // challenge to match...
*4d7e907cSAndroid Build Coastguard Worker    if (timeoutMillis == 0) {
*4d7e907cSAndroid Build Coastguard Worker        uint64_t authChallenge;
*4d7e907cSAndroid Build Coastguard Worker        if (!getChallenge(ctx, &authChallenge)) {
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker        if (ctx->authTokenChallenge != authChallenge) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("Challenge in authToken (%" PRIu64
*4d7e907cSAndroid Build Coastguard Worker                     ") doesn't match the challenge "
*4d7e907cSAndroid Build Coastguard Worker                     "that was created (%" PRIu64 ") for this session",
*4d7e907cSAndroid Build Coastguard Worker                     ctx->authTokenChallenge, authChallenge);
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    uint64_t now = ctx->verificationTokenTimestamp;
*4d7e907cSAndroid Build Coastguard Worker    if (ctx->authTokenTimestamp > now) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Timestamp in authToken is in the future");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (timeoutMillis > 0) {
*4d7e907cSAndroid Build Coastguard Worker        if (now > ctx->authTokenTimestamp + timeoutMillis) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("Deadline for authToken is in the past");
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerstatic bool checkReaderAuth(EicPresentation* ctx, const uint8_t* readerCertificate,
*4d7e907cSAndroid Build Coastguard Worker                            size_t readerCertificateSize) {
*4d7e907cSAndroid Build Coastguard Worker    uint8_t publicKey[EIC_PRESENTATION_MAX_READER_PUBLIC_KEY_SIZE];
*4d7e907cSAndroid Build Coastguard Worker    size_t publicKeySize;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (readerCertificateSize == 0) {
*4d7e907cSAndroid Build Coastguard Worker        return true;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Remember in this case certificate equality is done by comparing public
*4d7e907cSAndroid Build Coastguard Worker    // keys, not bitwise comparison of the certificates.
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    publicKeySize = EIC_PRESENTATION_MAX_READER_PUBLIC_KEY_SIZE;
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsX509GetPublicKey(readerCertificate, readerCertificateSize, publicKey,
*4d7e907cSAndroid Build Coastguard Worker                                &publicKeySize)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error extracting public key from certificate");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    if (publicKeySize == 0) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Zero-length public key in certificate");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if ((ctx->readerPublicKeySize != publicKeySize) ||
*4d7e907cSAndroid Build Coastguard Worker        (eicCryptoMemCmp(ctx->readerPublicKey, publicKey, ctx->readerPublicKeySize) != 0)) {
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker// Note: This function returns false _only_ if an error occurred check for access, _not_
*4d7e907cSAndroid Build Coastguard Worker// whether access is granted. Whether access is granted is returned in |accessGranted|.
*4d7e907cSAndroid Build Coastguard Worker//
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationValidateAccessControlProfile(EicPresentation* ctx, int id,
*4d7e907cSAndroid Build Coastguard Worker                                                 const uint8_t* readerCertificate,
*4d7e907cSAndroid Build Coastguard Worker                                                 size_t readerCertificateSize,
*4d7e907cSAndroid Build Coastguard Worker                                                 bool userAuthenticationRequired, int timeoutMillis,
*4d7e907cSAndroid Build Coastguard Worker                                                 uint64_t secureUserId, const uint8_t mac[28],
*4d7e907cSAndroid Build Coastguard Worker                                                 bool* accessGranted,
*4d7e907cSAndroid Build Coastguard Worker                                                 uint8_t* scratchSpace,
*4d7e907cSAndroid Build Coastguard Worker                                                 size_t scratchSpaceSize) {
*4d7e907cSAndroid Build Coastguard Worker    *accessGranted = false;
*4d7e907cSAndroid Build Coastguard Worker    if (id < 0 || id >= 32) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("id value of %d is out of allowed range [0, 32[", id);
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Validate the MAC
*4d7e907cSAndroid Build Coastguard Worker    EicCbor cborBuilder;
*4d7e907cSAndroid Build Coastguard Worker    eicCborInit(&cborBuilder, scratchSpace, scratchSpaceSize);
*4d7e907cSAndroid Build Coastguard Worker    if (!eicCborCalcAccessControl(&cborBuilder, id, readerCertificate, readerCertificateSize,
*4d7e907cSAndroid Build Coastguard Worker                                  userAuthenticationRequired, timeoutMillis, secureUserId)) {
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsDecryptAes128Gcm(ctx->storageKey, mac, 28, cborBuilder.buffer, cborBuilder.size,
*4d7e907cSAndroid Build Coastguard Worker                                NULL)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("MAC for AccessControlProfile doesn't match");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    bool passedUserAuth =
*4d7e907cSAndroid Build Coastguard Worker            checkUserAuth(ctx, userAuthenticationRequired, timeoutMillis, secureUserId);
*4d7e907cSAndroid Build Coastguard Worker    bool passedReaderAuth = checkReaderAuth(ctx, readerCertificate, readerCertificateSize);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    ctx->accessControlProfileMaskValidated |= (1U << id);
*4d7e907cSAndroid Build Coastguard Worker    if (readerCertificateSize > 0) {
*4d7e907cSAndroid Build Coastguard Worker        ctx->accessControlProfileMaskUsesReaderAuth |= (1U << id);
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    if (!passedReaderAuth) {
*4d7e907cSAndroid Build Coastguard Worker        ctx->accessControlProfileMaskFailedReaderAuth |= (1U << id);
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    if (!passedUserAuth) {
*4d7e907cSAndroid Build Coastguard Worker        ctx->accessControlProfileMaskFailedUserAuth |= (1U << id);
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (passedUserAuth && passedReaderAuth) {
*4d7e907cSAndroid Build Coastguard Worker        *accessGranted = true;
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Access granted for id %d", id);
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker// Helper used to append the DeviceAuthencation prelude, used for both MACing and ECDSA signing.
*4d7e907cSAndroid Build Coastguard Workerstatic size_t appendDeviceAuthentication(EicCbor* cbor, const uint8_t* sessionTranscript,
*4d7e907cSAndroid Build Coastguard Worker                                         size_t sessionTranscriptSize, const char* docType,
*4d7e907cSAndroid Build Coastguard Worker                                         size_t docTypeLength,
*4d7e907cSAndroid Build Coastguard Worker                                         size_t expectedDeviceNamespacesSize) {
*4d7e907cSAndroid Build Coastguard Worker    // For the payload, the _encoded_ form follows here. We handle this by simply
*4d7e907cSAndroid Build Coastguard Worker    // opening a bstr, and then writing the CBOR. This requires us to know the
*4d7e907cSAndroid Build Coastguard Worker    // size of said bstr, ahead of time... the CBOR to be written is
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    //   DeviceAuthentication = [
*4d7e907cSAndroid Build Coastguard Worker    //      "DeviceAuthentication",
*4d7e907cSAndroid Build Coastguard Worker    //      SessionTranscript,
*4d7e907cSAndroid Build Coastguard Worker    //      DocType,                ; DocType as used in Documents structure in OfflineResponse
*4d7e907cSAndroid Build Coastguard Worker    //      DeviceNameSpacesBytes
*4d7e907cSAndroid Build Coastguard Worker    //   ]
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    //   DeviceNameSpacesBytes = #6.24(bstr .cbor DeviceNameSpaces)
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    //   DeviceAuthenticationBytes = #6.24(bstr .cbor DeviceAuthentication)
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    // which is easily calculated below
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    size_t calculatedSize = 0;
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += 1;  // Array of size 4
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += 1;  // "DeviceAuthentication" less than 24 bytes
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += sizeof("DeviceAuthentication") - 1;  // Don't include trailing NUL
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += sessionTranscriptSize;               // Already CBOR encoded
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += 1 + eicCborAdditionalLengthBytesFor(docTypeLength) + docTypeLength;
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += 2;  // Semantic tag EIC_CBOR_SEMANTIC_TAG_ENCODED_CBOR (24)
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += 1 + eicCborAdditionalLengthBytesFor(expectedDeviceNamespacesSize);
*4d7e907cSAndroid Build Coastguard Worker    calculatedSize += expectedDeviceNamespacesSize;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // However note that we're authenticating DeviceAuthenticationBytes which
*4d7e907cSAndroid Build Coastguard Worker    // is a tagged bstr of the bytes of DeviceAuthentication. So need to get
*4d7e907cSAndroid Build Coastguard Worker    // that in front.
*4d7e907cSAndroid Build Coastguard Worker    size_t dabCalculatedSize = 0;
*4d7e907cSAndroid Build Coastguard Worker    dabCalculatedSize += 2;  // Semantic tag EIC_CBOR_SEMANTIC_TAG_ENCODED_CBOR (24)
*4d7e907cSAndroid Build Coastguard Worker    dabCalculatedSize += 1 + eicCborAdditionalLengthBytesFor(calculatedSize);
*4d7e907cSAndroid Build Coastguard Worker    dabCalculatedSize += calculatedSize;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Begin the bytestring for DeviceAuthenticationBytes;
*4d7e907cSAndroid Build Coastguard Worker    eicCborBegin(cbor, EIC_CBOR_MAJOR_TYPE_BYTE_STRING, dabCalculatedSize);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendSemantic(cbor, EIC_CBOR_SEMANTIC_TAG_ENCODED_CBOR);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Begins the bytestring for DeviceAuthentication;
*4d7e907cSAndroid Build Coastguard Worker    eicCborBegin(cbor, EIC_CBOR_MAJOR_TYPE_BYTE_STRING, calculatedSize);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendArray(cbor, 4);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendStringZ(cbor, "DeviceAuthentication");
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppend(cbor, sessionTranscript, sessionTranscriptSize);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendString(cbor, docType, docTypeLength);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // For the payload, the _encoded_ form follows here. We handle this by simply
*4d7e907cSAndroid Build Coastguard Worker    // opening a bstr, and then writing the CBOR. This requires us to know the
*4d7e907cSAndroid Build Coastguard Worker    // size of said bstr, ahead of time.
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendSemantic(cbor, EIC_CBOR_SEMANTIC_TAG_ENCODED_CBOR);
*4d7e907cSAndroid Build Coastguard Worker    eicCborBegin(cbor, EIC_CBOR_MAJOR_TYPE_BYTE_STRING, expectedDeviceNamespacesSize);
*4d7e907cSAndroid Build Coastguard Worker    size_t expectedCborSizeAtEnd = expectedDeviceNamespacesSize + cbor->size;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    return expectedCborSizeAtEnd;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationPrepareDeviceAuthentication(
*4d7e907cSAndroid Build Coastguard Worker        EicPresentation* ctx, const uint8_t* sessionTranscript, size_t sessionTranscriptSize,
*4d7e907cSAndroid Build Coastguard Worker        const uint8_t* readerEphemeralPublicKey, size_t readerEphemeralPublicKeySize,
*4d7e907cSAndroid Build Coastguard Worker        const uint8_t signingKeyBlob[60], const char* docType, size_t docTypeLength,
*4d7e907cSAndroid Build Coastguard Worker        unsigned int numNamespacesWithValues, size_t expectedDeviceNamespacesSize) {
*4d7e907cSAndroid Build Coastguard Worker    if (ctx->sessionId != 0) {
*4d7e907cSAndroid Build Coastguard Worker        if (readerEphemeralPublicKeySize != 0) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("In a session but readerEphemeralPublicKeySize is non-zero");
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker        EicSession* session = eicSessionGetForId(ctx->sessionId);
*4d7e907cSAndroid Build Coastguard Worker        if (session == NULL) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("Error looking up session for sessionId %" PRIu32, ctx->sessionId);
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker        EicSha256Ctx sha256;
*4d7e907cSAndroid Build Coastguard Worker        uint8_t sessionTranscriptSha256[EIC_SHA256_DIGEST_SIZE];
*4d7e907cSAndroid Build Coastguard Worker        eicOpsSha256Init(&sha256);
*4d7e907cSAndroid Build Coastguard Worker        eicOpsSha256Update(&sha256, sessionTranscript, sessionTranscriptSize);
*4d7e907cSAndroid Build Coastguard Worker        eicOpsSha256Final(&sha256, sessionTranscriptSha256);
*4d7e907cSAndroid Build Coastguard Worker        if (eicCryptoMemCmp(sessionTranscriptSha256, session->sessionTranscriptSha256,
*4d7e907cSAndroid Build Coastguard Worker                            EIC_SHA256_DIGEST_SIZE) != 0) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("SessionTranscript mismatch");
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker        readerEphemeralPublicKey = session->readerEphemeralPublicKey;
*4d7e907cSAndroid Build Coastguard Worker        readerEphemeralPublicKeySize = session->readerEphemeralPublicKeySize;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Stash the decrypted DeviceKey in context since we'll need it later in
*4d7e907cSAndroid Build Coastguard Worker    // eicPresentationFinishRetrievalWithSignature()
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsDecryptAes128Gcm(ctx->storageKey, signingKeyBlob, 60, (const uint8_t*)docType,
*4d7e907cSAndroid Build Coastguard Worker                                docTypeLength, ctx->deviceKeyPriv)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error decrypting signingKeyBlob");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // We can only do MACing if EReaderKey has been set... it might not have been set if for
*4d7e907cSAndroid Build Coastguard Worker    // example mdoc session encryption isn't in use. In that case we can still do ECDSA
*4d7e907cSAndroid Build Coastguard Worker    if (readerEphemeralPublicKeySize > 0) {
*4d7e907cSAndroid Build Coastguard Worker        if (readerEphemeralPublicKeySize != EIC_P256_PUB_KEY_SIZE) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("Unexpected size %zd for readerEphemeralPublicKeySize",
*4d7e907cSAndroid Build Coastguard Worker                     readerEphemeralPublicKeySize);
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker        uint8_t sharedSecret[EIC_P256_COORDINATE_SIZE];
*4d7e907cSAndroid Build Coastguard Worker        if (!eicOpsEcdh(readerEphemeralPublicKey, ctx->deviceKeyPriv, sharedSecret)) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("ECDH failed");
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker        EicCbor cbor;
*4d7e907cSAndroid Build Coastguard Worker        eicCborInit(&cbor, NULL, 0);
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendSemantic(&cbor, EIC_CBOR_SEMANTIC_TAG_ENCODED_CBOR);
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendByteString(&cbor, sessionTranscript, sessionTranscriptSize);
*4d7e907cSAndroid Build Coastguard Worker        uint8_t salt[EIC_SHA256_DIGEST_SIZE];
*4d7e907cSAndroid Build Coastguard Worker        eicCborFinal(&cbor, salt);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker        const uint8_t info[7] = {'E', 'M', 'a', 'c', 'K', 'e', 'y'};
*4d7e907cSAndroid Build Coastguard Worker        uint8_t derivedKey[32];
*4d7e907cSAndroid Build Coastguard Worker        if (!eicOpsHkdf(sharedSecret, EIC_P256_COORDINATE_SIZE, salt, sizeof(salt), info,
*4d7e907cSAndroid Build Coastguard Worker                        sizeof(info), derivedKey, sizeof(derivedKey))) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("HKDF failed");
*4d7e907cSAndroid Build Coastguard Worker            return false;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker        eicCborInitHmacSha256(&ctx->cbor, NULL, 0, derivedKey, sizeof(derivedKey));
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker        // What we're going to calculate the HMAC-SHA256 is the COSE ToBeMaced
*4d7e907cSAndroid Build Coastguard Worker        // structure which looks like the following:
*4d7e907cSAndroid Build Coastguard Worker        //
*4d7e907cSAndroid Build Coastguard Worker        // MAC_structure = [
*4d7e907cSAndroid Build Coastguard Worker        //   context : "MAC" / "MAC0",
*4d7e907cSAndroid Build Coastguard Worker        //   protected : empty_or_serialized_map,
*4d7e907cSAndroid Build Coastguard Worker        //   external_aad : bstr,
*4d7e907cSAndroid Build Coastguard Worker        //   payload : bstr
*4d7e907cSAndroid Build Coastguard Worker        // ]
*4d7e907cSAndroid Build Coastguard Worker        //
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendArray(&ctx->cbor, 4);
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendStringZ(&ctx->cbor, "MAC0");
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker        // The COSE Encoded protected headers is just a single field with
*4d7e907cSAndroid Build Coastguard Worker        // COSE_LABEL_ALG (1) -> COSE_ALG_HMAC_256_256 (5). For simplicitly we just
*4d7e907cSAndroid Build Coastguard Worker        // hard-code the CBOR encoding:
*4d7e907cSAndroid Build Coastguard Worker        static const uint8_t coseEncodedProtectedHeaders[] = {0xa1, 0x01, 0x05};
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendByteString(&ctx->cbor, coseEncodedProtectedHeaders,
*4d7e907cSAndroid Build Coastguard Worker                                sizeof(coseEncodedProtectedHeaders));
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker        // We currently don't support Externally Supplied Data (RFC 8152 section 4.3)
*4d7e907cSAndroid Build Coastguard Worker        // so external_aad is the empty bstr
*4d7e907cSAndroid Build Coastguard Worker        static const uint8_t externalAad[0] = {};
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendByteString(&ctx->cbor, externalAad, sizeof(externalAad));
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker        // Append DeviceAuthentication prelude and open the DeviceSigned map...
*4d7e907cSAndroid Build Coastguard Worker        ctx->expectedCborSizeAtEnd =
*4d7e907cSAndroid Build Coastguard Worker                appendDeviceAuthentication(&ctx->cbor, sessionTranscript, sessionTranscriptSize,
*4d7e907cSAndroid Build Coastguard Worker                                           docType, docTypeLength, expectedDeviceNamespacesSize);
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendMap(&ctx->cbor, numNamespacesWithValues);
*4d7e907cSAndroid Build Coastguard Worker        ctx->buildCbor = true;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Now do the same for ECDSA signatures...
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    eicCborInit(&ctx->cborEcdsa, NULL, 0);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendArray(&ctx->cborEcdsa, 4);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendStringZ(&ctx->cborEcdsa, "Signature1");
*4d7e907cSAndroid Build Coastguard Worker    static const uint8_t coseEncodedProtectedHeadersEcdsa[] = {0xa1, 0x01, 0x26};
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendByteString(&ctx->cborEcdsa, coseEncodedProtectedHeadersEcdsa,
*4d7e907cSAndroid Build Coastguard Worker                            sizeof(coseEncodedProtectedHeadersEcdsa));
*4d7e907cSAndroid Build Coastguard Worker    static const uint8_t externalAadEcdsa[0] = {};
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendByteString(&ctx->cborEcdsa, externalAadEcdsa, sizeof(externalAadEcdsa));
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Append DeviceAuthentication prelude and open the DeviceSigned map...
*4d7e907cSAndroid Build Coastguard Worker    ctx->expectedCborEcdsaSizeAtEnd =
*4d7e907cSAndroid Build Coastguard Worker            appendDeviceAuthentication(&ctx->cborEcdsa, sessionTranscript, sessionTranscriptSize,
*4d7e907cSAndroid Build Coastguard Worker                                       docType, docTypeLength, expectedDeviceNamespacesSize);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendMap(&ctx->cborEcdsa, numNamespacesWithValues);
*4d7e907cSAndroid Build Coastguard Worker    ctx->buildCborEcdsa = true;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationStartRetrieveEntries(EicPresentation* ctx) {
*4d7e907cSAndroid Build Coastguard Worker    // HAL may use this object multiple times to retrieve data so need to reset various
*4d7e907cSAndroid Build Coastguard Worker    // state objects here.
*4d7e907cSAndroid Build Coastguard Worker    ctx->requestMessageValidated = false;
*4d7e907cSAndroid Build Coastguard Worker    ctx->buildCbor = false;
*4d7e907cSAndroid Build Coastguard Worker    ctx->buildCborEcdsa = false;
*4d7e907cSAndroid Build Coastguard Worker    ctx->accessControlProfileMaskValidated = 0;
*4d7e907cSAndroid Build Coastguard Worker    ctx->accessControlProfileMaskUsesReaderAuth = 0;
*4d7e907cSAndroid Build Coastguard Worker    ctx->accessControlProfileMaskFailedReaderAuth = 0;
*4d7e907cSAndroid Build Coastguard Worker    ctx->accessControlProfileMaskFailedUserAuth = 0;
*4d7e907cSAndroid Build Coastguard Worker    ctx->readerPublicKeySize = 0;
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard WorkerEicAccessCheckResult eicPresentationStartRetrieveEntryValue(
*4d7e907cSAndroid Build Coastguard Worker        EicPresentation* ctx, const char* nameSpace, size_t nameSpaceLength,
*4d7e907cSAndroid Build Coastguard Worker        const char* name, size_t nameLength,
*4d7e907cSAndroid Build Coastguard Worker        unsigned int newNamespaceNumEntries, int32_t entrySize,
*4d7e907cSAndroid Build Coastguard Worker        const uint8_t* accessControlProfileIds, size_t numAccessControlProfileIds,
*4d7e907cSAndroid Build Coastguard Worker        uint8_t* scratchSpace, size_t scratchSpaceSize) {
*4d7e907cSAndroid Build Coastguard Worker    (void)entrySize;
*4d7e907cSAndroid Build Coastguard Worker    uint8_t* additionalDataCbor = scratchSpace;
*4d7e907cSAndroid Build Coastguard Worker    size_t additionalDataCborBufferSize = scratchSpaceSize;
*4d7e907cSAndroid Build Coastguard Worker    size_t additionalDataCborSize;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (newNamespaceNumEntries > 0) {
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendString(&ctx->cbor, nameSpace, nameSpaceLength);
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendMap(&ctx->cbor, newNamespaceNumEntries);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendString(&ctx->cborEcdsa, nameSpace, nameSpaceLength);
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendMap(&ctx->cborEcdsa, newNamespaceNumEntries);
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // We'll need to calc and store a digest of additionalData to check that it's the same
*4d7e907cSAndroid Build Coastguard Worker    // additionalData being passed in for every eicPresentationRetrieveEntryValue() call...
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    ctx->accessCheckOk = false;
*4d7e907cSAndroid Build Coastguard Worker    if (!eicCborCalcEntryAdditionalData(accessControlProfileIds, numAccessControlProfileIds,
*4d7e907cSAndroid Build Coastguard Worker                                        nameSpace, nameSpaceLength, name, nameLength,
*4d7e907cSAndroid Build Coastguard Worker                                        additionalDataCbor, additionalDataCborBufferSize,
*4d7e907cSAndroid Build Coastguard Worker                                        &additionalDataCborSize,
*4d7e907cSAndroid Build Coastguard Worker                                        ctx->additionalDataSha256)) {
*4d7e907cSAndroid Build Coastguard Worker        return EIC_ACCESS_CHECK_RESULT_FAILED;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (numAccessControlProfileIds == 0) {
*4d7e907cSAndroid Build Coastguard Worker        return EIC_ACCESS_CHECK_RESULT_NO_ACCESS_CONTROL_PROFILES;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Access is granted if at least one of the profiles grants access.
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    // If an item is configured without any profiles, access is denied.
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    EicAccessCheckResult result = EIC_ACCESS_CHECK_RESULT_FAILED;
*4d7e907cSAndroid Build Coastguard Worker    for (size_t n = 0; n < numAccessControlProfileIds; n++) {
*4d7e907cSAndroid Build Coastguard Worker        int id = accessControlProfileIds[n];
*4d7e907cSAndroid Build Coastguard Worker        uint32_t idBitMask = (1 << id);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker        // If the access control profile wasn't validated, this is an error and we
*4d7e907cSAndroid Build Coastguard Worker        // fail immediately.
*4d7e907cSAndroid Build Coastguard Worker        bool validated = ((ctx->accessControlProfileMaskValidated & idBitMask) != 0);
*4d7e907cSAndroid Build Coastguard Worker        if (!validated) {
*4d7e907cSAndroid Build Coastguard Worker            eicDebug("No ACP for profile id %d", id);
*4d7e907cSAndroid Build Coastguard Worker            return EIC_ACCESS_CHECK_RESULT_FAILED;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker        // Otherwise, we _did_ validate the profile. If none of the checks
*4d7e907cSAndroid Build Coastguard Worker        // failed, we're done
*4d7e907cSAndroid Build Coastguard Worker        bool failedUserAuth = ((ctx->accessControlProfileMaskFailedUserAuth & idBitMask) != 0);
*4d7e907cSAndroid Build Coastguard Worker        bool failedReaderAuth = ((ctx->accessControlProfileMaskFailedReaderAuth & idBitMask) != 0);
*4d7e907cSAndroid Build Coastguard Worker        if (!failedUserAuth && !failedReaderAuth) {
*4d7e907cSAndroid Build Coastguard Worker            result = EIC_ACCESS_CHECK_RESULT_OK;
*4d7e907cSAndroid Build Coastguard Worker            break;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker        // One of the checks failed, convey which one
*4d7e907cSAndroid Build Coastguard Worker        if (failedUserAuth) {
*4d7e907cSAndroid Build Coastguard Worker            result = EIC_ACCESS_CHECK_RESULT_USER_AUTHENTICATION_FAILED;
*4d7e907cSAndroid Build Coastguard Worker        } else {
*4d7e907cSAndroid Build Coastguard Worker            result = EIC_ACCESS_CHECK_RESULT_READER_AUTHENTICATION_FAILED;
*4d7e907cSAndroid Build Coastguard Worker        }
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    eicDebug("Result %d for name %s", result, name);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (result == EIC_ACCESS_CHECK_RESULT_OK) {
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendString(&ctx->cbor, name, nameLength);
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendString(&ctx->cborEcdsa, name, nameLength);
*4d7e907cSAndroid Build Coastguard Worker        ctx->accessCheckOk = true;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    return result;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker// Note: |content| must be big enough to hold |encryptedContentSize| - 28 bytes.
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationRetrieveEntryValue(EicPresentation* ctx, const uint8_t* encryptedContent,
*4d7e907cSAndroid Build Coastguard Worker                                       size_t encryptedContentSize, uint8_t* content,
*4d7e907cSAndroid Build Coastguard Worker                                       const char* nameSpace, size_t nameSpaceLength,
*4d7e907cSAndroid Build Coastguard Worker                                       const char* name, size_t nameLength,
*4d7e907cSAndroid Build Coastguard Worker                                       const uint8_t* accessControlProfileIds,
*4d7e907cSAndroid Build Coastguard Worker                                       size_t numAccessControlProfileIds,
*4d7e907cSAndroid Build Coastguard Worker                                       uint8_t* scratchSpace,
*4d7e907cSAndroid Build Coastguard Worker                                       size_t scratchSpaceSize) {
*4d7e907cSAndroid Build Coastguard Worker    uint8_t* additionalDataCbor = scratchSpace;
*4d7e907cSAndroid Build Coastguard Worker    size_t additionalDataCborBufferSize = scratchSpaceSize;
*4d7e907cSAndroid Build Coastguard Worker    size_t additionalDataCborSize;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    uint8_t calculatedSha256[EIC_SHA256_DIGEST_SIZE];
*4d7e907cSAndroid Build Coastguard Worker    if (!eicCborCalcEntryAdditionalData(accessControlProfileIds, numAccessControlProfileIds,
*4d7e907cSAndroid Build Coastguard Worker                                        nameSpace, nameSpaceLength, name, nameLength,
*4d7e907cSAndroid Build Coastguard Worker                                        additionalDataCbor, additionalDataCborBufferSize,
*4d7e907cSAndroid Build Coastguard Worker                                        &additionalDataCborSize,
*4d7e907cSAndroid Build Coastguard Worker                                        calculatedSha256)) {
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (eicCryptoMemCmp(calculatedSha256, ctx->additionalDataSha256, EIC_SHA256_DIGEST_SIZE) != 0) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("SHA-256 mismatch of additionalData");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    if (!ctx->accessCheckOk) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Attempting to retrieve a value for which access is not granted");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsDecryptAes128Gcm(ctx->storageKey, encryptedContent, encryptedContentSize,
*4d7e907cSAndroid Build Coastguard Worker                                additionalDataCbor, additionalDataCborSize, content)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error decrypting content");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppend(&ctx->cbor, content, encryptedContentSize - 28);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppend(&ctx->cborEcdsa, content, encryptedContentSize - 28);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationFinishRetrieval(EicPresentation* ctx, uint8_t* digestToBeMaced,
*4d7e907cSAndroid Build Coastguard Worker                                    size_t* digestToBeMacedSize) {
*4d7e907cSAndroid Build Coastguard Worker    if (!ctx->buildCbor) {
*4d7e907cSAndroid Build Coastguard Worker        *digestToBeMacedSize = 0;
*4d7e907cSAndroid Build Coastguard Worker        return true;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    if (*digestToBeMacedSize != 32) {
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // This verifies that the correct expectedDeviceNamespacesSize value was
*4d7e907cSAndroid Build Coastguard Worker    // passed in at eicPresentationCalcMacKey() time.
*4d7e907cSAndroid Build Coastguard Worker    if (ctx->cbor.size != ctx->expectedCborSizeAtEnd) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("CBOR size is %zd, was expecting %zd", ctx->cbor.size, ctx->expectedCborSizeAtEnd);
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    eicCborFinal(&ctx->cbor, digestToBeMaced);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationFinishRetrievalWithSignature(EicPresentation* ctx, uint8_t* digestToBeMaced,
*4d7e907cSAndroid Build Coastguard Worker                                                 size_t* digestToBeMacedSize,
*4d7e907cSAndroid Build Coastguard Worker                                                 uint8_t* signatureOfToBeSigned,
*4d7e907cSAndroid Build Coastguard Worker                                                 size_t* signatureOfToBeSignedSize) {
*4d7e907cSAndroid Build Coastguard Worker    if (!eicPresentationFinishRetrieval(ctx, digestToBeMaced, digestToBeMacedSize)) {
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    if (!ctx->buildCborEcdsa) {
*4d7e907cSAndroid Build Coastguard Worker        *signatureOfToBeSignedSize = 0;
*4d7e907cSAndroid Build Coastguard Worker        return true;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    if (*signatureOfToBeSignedSize != EIC_ECDSA_P256_SIGNATURE_SIZE) {
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // This verifies that the correct expectedDeviceNamespacesSize value was
*4d7e907cSAndroid Build Coastguard Worker    // passed in at eicPresentationCalcMacKey() time.
*4d7e907cSAndroid Build Coastguard Worker    if (ctx->cborEcdsa.size != ctx->expectedCborEcdsaSizeAtEnd) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("CBOR ECDSA size is %zd, was expecting %zd", ctx->cborEcdsa.size,
*4d7e907cSAndroid Build Coastguard Worker                 ctx->expectedCborEcdsaSizeAtEnd);
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    uint8_t cborSha256[EIC_SHA256_DIGEST_SIZE];
*4d7e907cSAndroid Build Coastguard Worker    eicCborFinal(&ctx->cborEcdsa, cborSha256);
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsEcDsa(ctx->deviceKeyPriv, cborSha256, signatureOfToBeSigned)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error signing DeviceAuthentication");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    eicDebug("set the signature");
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationDeleteCredential(EicPresentation* ctx, const char* docType, size_t docTypeLength,
*4d7e907cSAndroid Build Coastguard Worker                                     const uint8_t* challenge, size_t challengeSize,
*4d7e907cSAndroid Build Coastguard Worker                                     bool includeChallenge,
*4d7e907cSAndroid Build Coastguard Worker                                     size_t proofOfDeletionCborSize,
*4d7e907cSAndroid Build Coastguard Worker                                     uint8_t signatureOfToBeSigned[EIC_ECDSA_P256_SIGNATURE_SIZE]) {
*4d7e907cSAndroid Build Coastguard Worker    EicCbor cbor;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    eicCborInit(&cbor, NULL, 0);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // What we're going to sign is the COSE ToBeSigned structure which
*4d7e907cSAndroid Build Coastguard Worker    // looks like the following:
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    // Sig_structure = [
*4d7e907cSAndroid Build Coastguard Worker    //   context : "Signature" / "Signature1" / "CounterSignature",
*4d7e907cSAndroid Build Coastguard Worker    //   body_protected : empty_or_serialized_map,
*4d7e907cSAndroid Build Coastguard Worker    //   ? sign_protected : empty_or_serialized_map,
*4d7e907cSAndroid Build Coastguard Worker    //   external_aad : bstr,
*4d7e907cSAndroid Build Coastguard Worker    //   payload : bstr
*4d7e907cSAndroid Build Coastguard Worker    //  ]
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendArray(&cbor, 4);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendStringZ(&cbor, "Signature1");
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // The COSE Encoded protected headers is just a single field with
*4d7e907cSAndroid Build Coastguard Worker    // COSE_LABEL_ALG (1) -> COSE_ALG_ECSDA_256 (-7). For simplicitly we just
*4d7e907cSAndroid Build Coastguard Worker    // hard-code the CBOR encoding:
*4d7e907cSAndroid Build Coastguard Worker    static const uint8_t coseEncodedProtectedHeaders[] = {0xa1, 0x01, 0x26};
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendByteString(&cbor, coseEncodedProtectedHeaders,
*4d7e907cSAndroid Build Coastguard Worker                            sizeof(coseEncodedProtectedHeaders));
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // We currently don't support Externally Supplied Data (RFC 8152 section 4.3)
*4d7e907cSAndroid Build Coastguard Worker    // so external_aad is the empty bstr
*4d7e907cSAndroid Build Coastguard Worker    static const uint8_t externalAad[0] = {};
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendByteString(&cbor, externalAad, sizeof(externalAad));
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // For the payload, the _encoded_ form follows here. We handle this by simply
*4d7e907cSAndroid Build Coastguard Worker    // opening a bstr, and then writing the CBOR. This requires us to know the
*4d7e907cSAndroid Build Coastguard Worker    // size of said bstr, ahead of time.
*4d7e907cSAndroid Build Coastguard Worker    eicCborBegin(&cbor, EIC_CBOR_MAJOR_TYPE_BYTE_STRING, proofOfDeletionCborSize);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Finally, the CBOR that we're actually signing.
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendArray(&cbor, includeChallenge ? 4 : 3);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendStringZ(&cbor, "ProofOfDeletion");
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendString(&cbor, docType, docTypeLength);
*4d7e907cSAndroid Build Coastguard Worker    if (includeChallenge) {
*4d7e907cSAndroid Build Coastguard Worker        eicCborAppendByteString(&cbor, challenge, challengeSize);
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendBool(&cbor, ctx->testCredential);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    uint8_t cborSha256[EIC_SHA256_DIGEST_SIZE];
*4d7e907cSAndroid Build Coastguard Worker    eicCborFinal(&cbor, cborSha256);
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsEcDsa(ctx->credentialPrivateKey, cborSha256, signatureOfToBeSigned)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error signing proofOfDeletion");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Workerbool eicPresentationProveOwnership(EicPresentation* ctx, const char* docType,
*4d7e907cSAndroid Build Coastguard Worker                                   size_t docTypeLength, bool testCredential,
*4d7e907cSAndroid Build Coastguard Worker                                   const uint8_t* challenge, size_t challengeSize,
*4d7e907cSAndroid Build Coastguard Worker                                   size_t proofOfOwnershipCborSize,
*4d7e907cSAndroid Build Coastguard Worker                                   uint8_t signatureOfToBeSigned[EIC_ECDSA_P256_SIGNATURE_SIZE]) {
*4d7e907cSAndroid Build Coastguard Worker    EicCbor cbor;
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    eicCborInit(&cbor, NULL, 0);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // What we're going to sign is the COSE ToBeSigned structure which
*4d7e907cSAndroid Build Coastguard Worker    // looks like the following:
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    // Sig_structure = [
*4d7e907cSAndroid Build Coastguard Worker    //   context : "Signature" / "Signature1" / "CounterSignature",
*4d7e907cSAndroid Build Coastguard Worker    //   body_protected : empty_or_serialized_map,
*4d7e907cSAndroid Build Coastguard Worker    //   ? sign_protected : empty_or_serialized_map,
*4d7e907cSAndroid Build Coastguard Worker    //   external_aad : bstr,
*4d7e907cSAndroid Build Coastguard Worker    //   payload : bstr
*4d7e907cSAndroid Build Coastguard Worker    //  ]
*4d7e907cSAndroid Build Coastguard Worker    //
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendArray(&cbor, 4);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendStringZ(&cbor, "Signature1");
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // The COSE Encoded protected headers is just a single field with
*4d7e907cSAndroid Build Coastguard Worker    // COSE_LABEL_ALG (1) -> COSE_ALG_ECSDA_256 (-7). For simplicitly we just
*4d7e907cSAndroid Build Coastguard Worker    // hard-code the CBOR encoding:
*4d7e907cSAndroid Build Coastguard Worker    static const uint8_t coseEncodedProtectedHeaders[] = {0xa1, 0x01, 0x26};
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendByteString(&cbor, coseEncodedProtectedHeaders,
*4d7e907cSAndroid Build Coastguard Worker                            sizeof(coseEncodedProtectedHeaders));
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // We currently don't support Externally Supplied Data (RFC 8152 section 4.3)
*4d7e907cSAndroid Build Coastguard Worker    // so external_aad is the empty bstr
*4d7e907cSAndroid Build Coastguard Worker    static const uint8_t externalAad[0] = {};
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendByteString(&cbor, externalAad, sizeof(externalAad));
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // For the payload, the _encoded_ form follows here. We handle this by simply
*4d7e907cSAndroid Build Coastguard Worker    // opening a bstr, and then writing the CBOR. This requires us to know the
*4d7e907cSAndroid Build Coastguard Worker    // size of said bstr, ahead of time.
*4d7e907cSAndroid Build Coastguard Worker    eicCborBegin(&cbor, EIC_CBOR_MAJOR_TYPE_BYTE_STRING, proofOfOwnershipCborSize);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    // Finally, the CBOR that we're actually signing.
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendArray(&cbor, 4);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendStringZ(&cbor, "ProofOfOwnership");
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendString(&cbor, docType, docTypeLength);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendByteString(&cbor, challenge, challengeSize);
*4d7e907cSAndroid Build Coastguard Worker    eicCborAppendBool(&cbor, testCredential);
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    uint8_t cborSha256[EIC_SHA256_DIGEST_SIZE];
*4d7e907cSAndroid Build Coastguard Worker    eicCborFinal(&cbor, cborSha256);
*4d7e907cSAndroid Build Coastguard Worker    if (!eicOpsEcDsa(ctx->credentialPrivateKey, cborSha256, signatureOfToBeSigned)) {
*4d7e907cSAndroid Build Coastguard Worker        eicDebug("Error signing proofOfDeletion");
*4d7e907cSAndroid Build Coastguard Worker        return false;
*4d7e907cSAndroid Build Coastguard Worker    }
*4d7e907cSAndroid Build Coastguard Worker
*4d7e907cSAndroid Build Coastguard Worker    return true;
*4d7e907cSAndroid Build Coastguard Worker}