| /* |
| * Copyright 2021 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package android.security.identity; |
| |
| |
| import android.annotation.NonNull; |
| import android.annotation.Nullable; |
| import android.content.Context; |
| |
| import java.io.ByteArrayInputStream; |
| import java.io.IOException; |
| import java.security.InvalidKeyException; |
| import java.security.KeyPair; |
| import java.security.KeyStore; |
| import java.security.KeyStoreException; |
| import java.security.NoSuchAlgorithmException; |
| import java.security.PrivateKey; |
| import java.security.PublicKey; |
| import java.security.UnrecoverableKeyException; |
| import java.security.cert.Certificate; |
| import java.security.cert.CertificateException; |
| import java.util.LinkedHashMap; |
| import java.util.Map; |
| |
| class CredstorePresentationSession extends PresentationSession { |
| private static final String TAG = "CredstorePresentationSession"; |
| |
| private @IdentityCredentialStore.Ciphersuite int mCipherSuite; |
| private Context mContext; |
| private CredstoreIdentityCredentialStore mStore; |
| private ISession mBinder; |
| private Map<String, CredstoreIdentityCredential> mCredentialCache = new LinkedHashMap<>(); |
| private KeyPair mEphemeralKeyPair = null; |
| private byte[] mSessionTranscript = null; |
| private boolean mOperationHandleSet = false; |
| private long mOperationHandle = 0; |
| private int mFeatureVersion = 0; |
| |
| CredstorePresentationSession(Context context, |
| @IdentityCredentialStore.Ciphersuite int cipherSuite, |
| CredstoreIdentityCredentialStore store, |
| ISession binder, |
| int featureVersion) { |
| mContext = context; |
| mCipherSuite = cipherSuite; |
| mStore = store; |
| mBinder = binder; |
| mFeatureVersion = featureVersion; |
| } |
| |
| private void ensureEphemeralKeyPair() { |
| if (mEphemeralKeyPair != null) { |
| return; |
| } |
| try { |
| // This PKCS#12 blob is generated in credstore, using BoringSSL. |
| // |
| // The main reason for this convoluted approach and not just sending the decomposed |
| // key-pair is that this would require directly using (device-side) BouncyCastle which |
| // is tricky due to various API hiding efforts. So instead we have credstore generate |
| // this PKCS#12 blob. The blob is encrypted with no password (sadly, also, BoringSSL |
| // doesn't support not using encryption when building a PKCS#12 blob). |
| // |
| byte[] pkcs12 = mBinder.getEphemeralKeyPair(); |
| String alias = "ephemeralKey"; |
| char[] password = {}; |
| |
| KeyStore ks = KeyStore.getInstance("PKCS12"); |
| ByteArrayInputStream bais = new ByteArrayInputStream(pkcs12); |
| ks.load(bais, password); |
| PrivateKey privKey = (PrivateKey) ks.getKey(alias, password); |
| |
| Certificate cert = ks.getCertificate(alias); |
| PublicKey pubKey = cert.getPublicKey(); |
| |
| mEphemeralKeyPair = new KeyPair(pubKey, privKey); |
| } catch (android.os.ServiceSpecificException e) { |
| throw new RuntimeException("Unexpected ServiceSpecificException with code " |
| + e.errorCode, e); |
| } catch (android.os.RemoteException |
| | KeyStoreException |
| | CertificateException |
| | UnrecoverableKeyException |
| | NoSuchAlgorithmException |
| | IOException e) { |
| throw new RuntimeException("Unexpected exception ", e); |
| } |
| } |
| |
| @Override |
| public @NonNull KeyPair getEphemeralKeyPair() { |
| ensureEphemeralKeyPair(); |
| return mEphemeralKeyPair; |
| } |
| |
| @Override |
| public void setReaderEphemeralPublicKey(@NonNull PublicKey readerEphemeralPublicKey) |
| throws InvalidKeyException { |
| try { |
| byte[] uncompressedForm = |
| Util.publicKeyEncodeUncompressedForm(readerEphemeralPublicKey); |
| mBinder.setReaderEphemeralPublicKey(uncompressedForm); |
| } catch (android.os.RemoteException e) { |
| throw new RuntimeException("Unexpected RemoteException ", e); |
| } catch (android.os.ServiceSpecificException e) { |
| throw new RuntimeException("Unexpected ServiceSpecificException with code " |
| + e.errorCode, e); |
| } |
| } |
| |
| @Override |
| public void setSessionTranscript(@NonNull byte[] sessionTranscript) { |
| try { |
| mBinder.setSessionTranscript(sessionTranscript); |
| mSessionTranscript = sessionTranscript; |
| } catch (android.os.RemoteException e) { |
| throw new RuntimeException("Unexpected RemoteException ", e); |
| } catch (android.os.ServiceSpecificException e) { |
| throw new RuntimeException("Unexpected ServiceSpecificException with code " |
| + e.errorCode, e); |
| } |
| } |
| |
| @Override |
| public @Nullable CredentialDataResult getCredentialData(@NonNull String credentialName, |
| @NonNull CredentialDataRequest request) |
| throws NoAuthenticationKeyAvailableException, InvalidReaderSignatureException, |
| InvalidRequestMessageException, EphemeralPublicKeyNotFoundException { |
| try { |
| // Cache the IdentityCredential to satisfy the property that AuthKey usage counts are |
| // incremented on only the _first_ getCredentialData() call. |
| // |
| CredstoreIdentityCredential credential = mCredentialCache.get(credentialName); |
| if (credential == null) { |
| ICredential credstoreCredential = |
| mBinder.getCredentialForPresentation(credentialName); |
| credential = new CredstoreIdentityCredential(mContext, credentialName, |
| mCipherSuite, credstoreCredential, |
| this, mFeatureVersion); |
| mCredentialCache.put(credentialName, credential); |
| |
| credential.setAllowUsingExhaustedKeys(request.isAllowUsingExhaustedKeys()); |
| credential.setAllowUsingExpiredKeys(request.isAllowUsingExpiredKeys()); |
| credential.setIncrementKeyUsageCount(request.isIncrementUseCount()); |
| } |
| |
| ResultData deviceSignedResult = credential.getEntries( |
| request.getRequestMessage(), |
| request.getDeviceSignedEntriesToRequest(), |
| mSessionTranscript, |
| request.getReaderSignature()); |
| |
| // By design this second getEntries() call consumes the same auth-key. |
| |
| ResultData issuerSignedResult = credential.getEntries( |
| request.getRequestMessage(), |
| request.getIssuerSignedEntriesToRequest(), |
| mSessionTranscript, |
| request.getReaderSignature()); |
| |
| return new CredstoreCredentialDataResult(deviceSignedResult, issuerSignedResult); |
| |
| } catch (SessionTranscriptMismatchException e) { |
| throw new RuntimeException("Unexpected ", e); |
| } catch (android.os.RemoteException e) { |
| throw new RuntimeException("Unexpected RemoteException ", e); |
| } catch (android.os.ServiceSpecificException e) { |
| if (e.errorCode == ICredentialStore.ERROR_NO_SUCH_CREDENTIAL) { |
| return null; |
| } else { |
| throw new RuntimeException("Unexpected ServiceSpecificException with code " |
| + e.errorCode, e); |
| } |
| } |
| } |
| |
| /** |
| * Called by android.hardware.biometrics.CryptoObject#getOpId() to get an |
| * operation handle. |
| * |
| * @hide |
| */ |
| @Override |
| public long getCredstoreOperationHandle() { |
| if (!mOperationHandleSet) { |
| try { |
| mOperationHandle = mBinder.getAuthChallenge(); |
| mOperationHandleSet = true; |
| } catch (android.os.RemoteException e) { |
| throw new RuntimeException("Unexpected RemoteException ", e); |
| } catch (android.os.ServiceSpecificException e) { |
| if (e.errorCode == ICredentialStore.ERROR_NO_AUTHENTICATION_KEY_AVAILABLE) { |
| // The NoAuthenticationKeyAvailableException will be thrown when |
| // the caller proceeds to call getEntries(). |
| } |
| throw new RuntimeException("Unexpected ServiceSpecificException with code " |
| + e.errorCode, e); |
| } |
| } |
| return mOperationHandle; |
| } |
| |
| } |
