Loading current.txt +1 −1 Original line number Original line Diff line number Diff line Loading @@ -660,7 +660,7 @@ db47f4ceceb1f06c656f39caa70c557b0f8471ef59fd58611bea667ffca20101 android.hardwar 0589e410f519e36514e7ece18f283f022df0f70efd2c12821d822f67f74aba98 android.hardware.identity@1.0::types 0589e410f519e36514e7ece18f283f022df0f70efd2c12821d822f67f74aba98 android.hardware.identity@1.0::types bbeee9604128ede83ee755b67e73b5ad29e6e1dbac9ec41fea6ffe2745b0c50a android.hardware.identity@1.0::IIdentityCredential bbeee9604128ede83ee755b67e73b5ad29e6e1dbac9ec41fea6ffe2745b0c50a android.hardware.identity@1.0::IIdentityCredential 96ce8aad80f4c476f25261f790d357c117e79e18474c7dadd850dac704bbe65e android.hardware.identity@1.0::IIdentityCredentialStore 96ce8aad80f4c476f25261f790d357c117e79e18474c7dadd850dac704bbe65e android.hardware.identity@1.0::IIdentityCredentialStore 6e1e28a96c90ba78d47257faea3f3bb4e6360affbbfa5822f0dc31211f9266ff android.hardware.identity@1.0::IWritableIdentityCredential 8da9c938e58f7d636ddd2f92c646f99d9a9e79612e6441b6380ab12744251873 android.hardware.identity@1.0::IWritableIdentityCredential 27ae3724053940462114228872b3ffaf0b8e6177d5ba97f5a76339d12b8a99dd android.hardware.keymaster@4.1::IKeymasterDevice 27ae3724053940462114228872b3ffaf0b8e6177d5ba97f5a76339d12b8a99dd android.hardware.keymaster@4.1::IKeymasterDevice adb0efdf1462e9b2e742c0dcadd598666aac551f178be06e755bfcdf5797abd0 android.hardware.keymaster@4.1::IOperation adb0efdf1462e9b2e742c0dcadd598666aac551f178be06e755bfcdf5797abd0 android.hardware.keymaster@4.1::IOperation ddcf89cd8ee2df0d32aee55050826446fb64f7aafde0a7cd946c64f61b1a364c android.hardware.keymaster@4.1::types ddcf89cd8ee2df0d32aee55050826446fb64f7aafde0a7cd946c64f61b1a364c android.hardware.keymaster@4.1::types Loading identity/1.0/IWritableIdentityCredential.hal +44 −8 Original line number Original line Diff line number Diff line Loading @@ -26,20 +26,56 @@ interface IWritableIdentityCredential { * characteristics to an issuing authority. Must not be called more than once. * characteristics to an issuing authority. Must not be called more than once. * * * The certificate chain must be generated using Keymaster Attestation * The certificate chain must be generated using Keymaster Attestation * (see https://source.android.com/security/keystore/attestation) and must also * (see https://source.android.com/security/keystore/attestation) with the * have the Tag::IDENTITY_CREDENTIAL_KEY tag from KeyMaster 4.1 set. This tag indicates * following additional requirements: * that this key is an Identity Credential key (which can only sign/MAC very * * specific messages) and not an Android Keystore key (which can be used to sign/MAC * - The attestationVersion field in the attestation extension must be at least 3. * anything). * * - The attestationSecurityLevel field must be set to either Software (0), * TrustedEnvironment (1), or StrongBox (2) depending on how attestation is * implemented. Only the default AOSP implementation of this HAL may use * value 0 (additionally, this implementation must not be used on production * devices). * * - The keymasterVersion field in the attestation extension must be set to (10*major + minor) * where major and minor are the Identity Credential interface major and minor versions. * Specifically for this version of the interface (1.0) this value is 10. * * - The keymasterSecurityLevel field in the attestation extension must be set to * either Software (0), TrustedEnvironment (1), or StrongBox (2) depending on how * the Trusted Application backing the HAL implementation is implemented. Only * the default AOSP implementation of this HAL may use value 0 (additionally, this * implementation must not be used on production devices) * * - The attestationChallenge field must be set to the passed-in challenge. * * - The uniqueId field must be empty. * * - The softwareEnforced field in the attestation extension must include * Tag::ATTESTATION_APPLICATION_ID which must be set to the bytes of the passed-in * attestationApplicationId. * * - The teeEnforced field in the attestation extension must include * Tag::IDENTITY_CREDENTIAL_KEY. This tag indicates that the key is an Identity * Credential key (which can only sign/MAC very specific messages) and not an Android * Keystore key (which can be used to sign/MAC anything). * * Additional authorizations may be needed in the softwareEnforced and teeEnforced * fields - the above is not an exhaustive list. * * @param attestationApplicationId is the DER encoded value to be stored * in Tag::ATTESTATION_APPLICATION_ID. This schema is described in * https://developer.android.com/training/articles/security-key-attestation#certificate_schema_attestationid * * * @param attestationChallenge a challenge set by the issuer to ensure freshness. * @param attestationChallenge a challenge set by the issuer to ensure freshness. * * * @return result is OK on success, FAILED if an error occurred. * @return result is OK on success, FAILED if an error occurred. * * * @return certificate is the X.509 certificate chain for the credentialKey * @return certificateChain is the X.509 certificate chain for the credentialKey */ */ getAttestationCertificate(vec<uint8_t> attestationChallenge) getAttestationCertificate(vec<uint8_t> attestationApplicationId, generates(Result result, vec<uint8_t> certificate); vec<uint8_t> attestationChallenge) generates(Result result, vec<vec<uint8_t>> certificateChain); /** /** * Start the personalization process. * Start the personalization process. Loading identity/1.0/default/WritableIdentityCredential.cpp +15 −1 Original line number Original line Diff line number Diff line Loading @@ -108,7 +108,12 @@ bool WritableIdentityCredential::initialize() { return true; return true; } } // TODO: use |attestationApplicationId| and |attestationChallenge| and also // ensure the returned certificate chain satisfy the requirements listed in // the docs for IWritableIdentityCredential::getAttestationCertificate() // Return<void> WritableIdentityCredential::getAttestationCertificate( Return<void> WritableIdentityCredential::getAttestationCertificate( const hidl_vec<uint8_t>& /* attestationApplicationId */, const hidl_vec<uint8_t>& /* attestationChallenge */, const hidl_vec<uint8_t>& /* attestationChallenge */, getAttestationCertificate_cb _hidl_cb) { getAttestationCertificate_cb _hidl_cb) { // For now, we dynamically generate an attestion key on each and every // For now, we dynamically generate an attestion key on each and every Loading Loading @@ -181,7 +186,16 @@ Return<void> WritableIdentityCredential::getAttestationCertificate( certificateChain.insert(certificateChain.end(), attestationKeyCertificate.value().begin(), certificateChain.insert(certificateChain.end(), attestationKeyCertificate.value().begin(), attestationKeyCertificate.value().end()); attestationKeyCertificate.value().end()); _hidl_cb(support::resultOK(), certificateChain); optional<vector<vector<uint8_t>>> splitCertChain = support::certificateChainSplit(certificateChain); if (!splitCertChain) { _hidl_cb(support::result(ResultCode::FAILED, "Error splitting certificate chain"), {}); return Void(); } hidl_vec<hidl_vec<uint8_t>> ret; ret.resize(splitCertChain.value().size()); std::copy(splitCertChain.value().begin(), splitCertChain.value().end(), ret.begin()); _hidl_cb(support::resultOK(), ret); return Void(); return Void(); } } Loading identity/1.0/default/WritableIdentityCredential.h +2 −1 Original line number Original line Diff line number Diff line Loading @@ -51,7 +51,8 @@ class WritableIdentityCredential : public IWritableIdentityCredential { // Methods from ::android::hardware::identity::IWritableIdentityCredential // Methods from ::android::hardware::identity::IWritableIdentityCredential // follow. // follow. Return<void> getAttestationCertificate(const hidl_vec<uint8_t>& attestationChallenge, Return<void> getAttestationCertificate(const hidl_vec<uint8_t>& attestationApplicationId, const hidl_vec<uint8_t>& attestationChallenge, getAttestationCertificate_cb _hidl_cb) override; getAttestationCertificate_cb _hidl_cb) override; Return<void> startPersonalization(uint16_t accessControlProfileCount, Return<void> startPersonalization(uint16_t accessControlProfileCount, Loading identity/1.0/vts/functional/VtsHalIdentityCredentialTargetTest.cpp +8 −3 Original line number Original line Diff line number Diff line Loading @@ -201,13 +201,18 @@ TEST_P(IdentityCredentialStoreHidlTest, createAndRetrieveCredential) { ASSERT_NE(writableCredential, nullptr); ASSERT_NE(writableCredential, nullptr); string challenge = "attestationChallenge"; string challenge = "attestationChallenge"; // TODO: set it to something random and check it's in the cert chain vector<uint8_t> attestationApplicationId = {}; vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end()); vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end()); vector<uint8_t> attestationCertificate; vector<uint8_t> attestationCertificate; writableCredential->getAttestationCertificate( writableCredential->getAttestationCertificate( attestationChallenge, attestationApplicationId, attestationChallenge, [&](const Result& _result, const hidl_vec<uint8_t>& _attestationCertificate) { [&](const Result& _result, const hidl_vec<hidl_vec<uint8_t>>& _splitCertChain) { result = _result; result = _result; attestationCertificate = _attestationCertificate; vector<vector<uint8_t>> splitCerts; std::copy(_splitCertChain.begin(), _splitCertChain.end(), std::back_inserter(splitCerts)); attestationCertificate = support::certificateChainJoin(splitCerts); }); }); EXPECT_EQ("", result.message); EXPECT_EQ("", result.message); ASSERT_EQ(ResultCode::OK, result.code); ASSERT_EQ(ResultCode::OK, result.code); Loading Loading
current.txt +1 −1 Original line number Original line Diff line number Diff line Loading @@ -660,7 +660,7 @@ db47f4ceceb1f06c656f39caa70c557b0f8471ef59fd58611bea667ffca20101 android.hardwar 0589e410f519e36514e7ece18f283f022df0f70efd2c12821d822f67f74aba98 android.hardware.identity@1.0::types 0589e410f519e36514e7ece18f283f022df0f70efd2c12821d822f67f74aba98 android.hardware.identity@1.0::types bbeee9604128ede83ee755b67e73b5ad29e6e1dbac9ec41fea6ffe2745b0c50a android.hardware.identity@1.0::IIdentityCredential bbeee9604128ede83ee755b67e73b5ad29e6e1dbac9ec41fea6ffe2745b0c50a android.hardware.identity@1.0::IIdentityCredential 96ce8aad80f4c476f25261f790d357c117e79e18474c7dadd850dac704bbe65e android.hardware.identity@1.0::IIdentityCredentialStore 96ce8aad80f4c476f25261f790d357c117e79e18474c7dadd850dac704bbe65e android.hardware.identity@1.0::IIdentityCredentialStore 6e1e28a96c90ba78d47257faea3f3bb4e6360affbbfa5822f0dc31211f9266ff android.hardware.identity@1.0::IWritableIdentityCredential 8da9c938e58f7d636ddd2f92c646f99d9a9e79612e6441b6380ab12744251873 android.hardware.identity@1.0::IWritableIdentityCredential 27ae3724053940462114228872b3ffaf0b8e6177d5ba97f5a76339d12b8a99dd android.hardware.keymaster@4.1::IKeymasterDevice 27ae3724053940462114228872b3ffaf0b8e6177d5ba97f5a76339d12b8a99dd android.hardware.keymaster@4.1::IKeymasterDevice adb0efdf1462e9b2e742c0dcadd598666aac551f178be06e755bfcdf5797abd0 android.hardware.keymaster@4.1::IOperation adb0efdf1462e9b2e742c0dcadd598666aac551f178be06e755bfcdf5797abd0 android.hardware.keymaster@4.1::IOperation ddcf89cd8ee2df0d32aee55050826446fb64f7aafde0a7cd946c64f61b1a364c android.hardware.keymaster@4.1::types ddcf89cd8ee2df0d32aee55050826446fb64f7aafde0a7cd946c64f61b1a364c android.hardware.keymaster@4.1::types Loading
identity/1.0/IWritableIdentityCredential.hal +44 −8 Original line number Original line Diff line number Diff line Loading @@ -26,20 +26,56 @@ interface IWritableIdentityCredential { * characteristics to an issuing authority. Must not be called more than once. * characteristics to an issuing authority. Must not be called more than once. * * * The certificate chain must be generated using Keymaster Attestation * The certificate chain must be generated using Keymaster Attestation * (see https://source.android.com/security/keystore/attestation) and must also * (see https://source.android.com/security/keystore/attestation) with the * have the Tag::IDENTITY_CREDENTIAL_KEY tag from KeyMaster 4.1 set. This tag indicates * following additional requirements: * that this key is an Identity Credential key (which can only sign/MAC very * * specific messages) and not an Android Keystore key (which can be used to sign/MAC * - The attestationVersion field in the attestation extension must be at least 3. * anything). * * - The attestationSecurityLevel field must be set to either Software (0), * TrustedEnvironment (1), or StrongBox (2) depending on how attestation is * implemented. Only the default AOSP implementation of this HAL may use * value 0 (additionally, this implementation must not be used on production * devices). * * - The keymasterVersion field in the attestation extension must be set to (10*major + minor) * where major and minor are the Identity Credential interface major and minor versions. * Specifically for this version of the interface (1.0) this value is 10. * * - The keymasterSecurityLevel field in the attestation extension must be set to * either Software (0), TrustedEnvironment (1), or StrongBox (2) depending on how * the Trusted Application backing the HAL implementation is implemented. Only * the default AOSP implementation of this HAL may use value 0 (additionally, this * implementation must not be used on production devices) * * - The attestationChallenge field must be set to the passed-in challenge. * * - The uniqueId field must be empty. * * - The softwareEnforced field in the attestation extension must include * Tag::ATTESTATION_APPLICATION_ID which must be set to the bytes of the passed-in * attestationApplicationId. * * - The teeEnforced field in the attestation extension must include * Tag::IDENTITY_CREDENTIAL_KEY. This tag indicates that the key is an Identity * Credential key (which can only sign/MAC very specific messages) and not an Android * Keystore key (which can be used to sign/MAC anything). * * Additional authorizations may be needed in the softwareEnforced and teeEnforced * fields - the above is not an exhaustive list. * * @param attestationApplicationId is the DER encoded value to be stored * in Tag::ATTESTATION_APPLICATION_ID. This schema is described in * https://developer.android.com/training/articles/security-key-attestation#certificate_schema_attestationid * * * @param attestationChallenge a challenge set by the issuer to ensure freshness. * @param attestationChallenge a challenge set by the issuer to ensure freshness. * * * @return result is OK on success, FAILED if an error occurred. * @return result is OK on success, FAILED if an error occurred. * * * @return certificate is the X.509 certificate chain for the credentialKey * @return certificateChain is the X.509 certificate chain for the credentialKey */ */ getAttestationCertificate(vec<uint8_t> attestationChallenge) getAttestationCertificate(vec<uint8_t> attestationApplicationId, generates(Result result, vec<uint8_t> certificate); vec<uint8_t> attestationChallenge) generates(Result result, vec<vec<uint8_t>> certificateChain); /** /** * Start the personalization process. * Start the personalization process. Loading
identity/1.0/default/WritableIdentityCredential.cpp +15 −1 Original line number Original line Diff line number Diff line Loading @@ -108,7 +108,12 @@ bool WritableIdentityCredential::initialize() { return true; return true; } } // TODO: use |attestationApplicationId| and |attestationChallenge| and also // ensure the returned certificate chain satisfy the requirements listed in // the docs for IWritableIdentityCredential::getAttestationCertificate() // Return<void> WritableIdentityCredential::getAttestationCertificate( Return<void> WritableIdentityCredential::getAttestationCertificate( const hidl_vec<uint8_t>& /* attestationApplicationId */, const hidl_vec<uint8_t>& /* attestationChallenge */, const hidl_vec<uint8_t>& /* attestationChallenge */, getAttestationCertificate_cb _hidl_cb) { getAttestationCertificate_cb _hidl_cb) { // For now, we dynamically generate an attestion key on each and every // For now, we dynamically generate an attestion key on each and every Loading Loading @@ -181,7 +186,16 @@ Return<void> WritableIdentityCredential::getAttestationCertificate( certificateChain.insert(certificateChain.end(), attestationKeyCertificate.value().begin(), certificateChain.insert(certificateChain.end(), attestationKeyCertificate.value().begin(), attestationKeyCertificate.value().end()); attestationKeyCertificate.value().end()); _hidl_cb(support::resultOK(), certificateChain); optional<vector<vector<uint8_t>>> splitCertChain = support::certificateChainSplit(certificateChain); if (!splitCertChain) { _hidl_cb(support::result(ResultCode::FAILED, "Error splitting certificate chain"), {}); return Void(); } hidl_vec<hidl_vec<uint8_t>> ret; ret.resize(splitCertChain.value().size()); std::copy(splitCertChain.value().begin(), splitCertChain.value().end(), ret.begin()); _hidl_cb(support::resultOK(), ret); return Void(); return Void(); } } Loading
identity/1.0/default/WritableIdentityCredential.h +2 −1 Original line number Original line Diff line number Diff line Loading @@ -51,7 +51,8 @@ class WritableIdentityCredential : public IWritableIdentityCredential { // Methods from ::android::hardware::identity::IWritableIdentityCredential // Methods from ::android::hardware::identity::IWritableIdentityCredential // follow. // follow. Return<void> getAttestationCertificate(const hidl_vec<uint8_t>& attestationChallenge, Return<void> getAttestationCertificate(const hidl_vec<uint8_t>& attestationApplicationId, const hidl_vec<uint8_t>& attestationChallenge, getAttestationCertificate_cb _hidl_cb) override; getAttestationCertificate_cb _hidl_cb) override; Return<void> startPersonalization(uint16_t accessControlProfileCount, Return<void> startPersonalization(uint16_t accessControlProfileCount, Loading
identity/1.0/vts/functional/VtsHalIdentityCredentialTargetTest.cpp +8 −3 Original line number Original line Diff line number Diff line Loading @@ -201,13 +201,18 @@ TEST_P(IdentityCredentialStoreHidlTest, createAndRetrieveCredential) { ASSERT_NE(writableCredential, nullptr); ASSERT_NE(writableCredential, nullptr); string challenge = "attestationChallenge"; string challenge = "attestationChallenge"; // TODO: set it to something random and check it's in the cert chain vector<uint8_t> attestationApplicationId = {}; vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end()); vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end()); vector<uint8_t> attestationCertificate; vector<uint8_t> attestationCertificate; writableCredential->getAttestationCertificate( writableCredential->getAttestationCertificate( attestationChallenge, attestationApplicationId, attestationChallenge, [&](const Result& _result, const hidl_vec<uint8_t>& _attestationCertificate) { [&](const Result& _result, const hidl_vec<hidl_vec<uint8_t>>& _splitCertChain) { result = _result; result = _result; attestationCertificate = _attestationCertificate; vector<vector<uint8_t>> splitCerts; std::copy(_splitCertChain.begin(), _splitCertChain.end(), std::back_inserter(splitCerts)); attestationCertificate = support::certificateChainJoin(splitCerts); }); }); EXPECT_EQ("", result.message); EXPECT_EQ("", result.message); ASSERT_EQ(ResultCode::OK, result.code); ASSERT_EQ(ResultCode::OK, result.code); Loading
