1 /*
2 * Copyright 2019, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "Util"
18
19 #include "Util.h"
20
21 #include <android/hardware/identity/support/IdentityCredentialSupport.h>
22
23 #include <string.h>
24
25 #include <android-base/logging.h>
26
27 #include <cppbor.h>
28 #include <cppbor_parse.h>
29
30 namespace aidl::android::hardware::identity {
31
32 using namespace ::android::hardware::identity;
33
34 // This is not a very random HBK but that's OK because this is the SW
35 // implementation where it can't be kept secret.
36 vector<uint8_t> hardwareBoundKey = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
37
getHardwareBoundKey()38 const vector<uint8_t>& getHardwareBoundKey() {
39 return hardwareBoundKey;
40 }
41
secureAccessControlProfileEncodeCbor(const SecureAccessControlProfile & profile)42 vector<uint8_t> secureAccessControlProfileEncodeCbor(const SecureAccessControlProfile& profile) {
43 cppbor::Map map;
44 map.add("id", profile.id);
45
46 if (profile.readerCertificate.encodedCertificate.size() > 0) {
47 map.add("readerCertificate", cppbor::Bstr(profile.readerCertificate.encodedCertificate));
48 }
49
50 if (profile.userAuthenticationRequired) {
51 map.add("userAuthenticationRequired", profile.userAuthenticationRequired);
52 map.add("timeoutMillis", profile.timeoutMillis);
53 map.add("secureUserId", profile.secureUserId);
54 }
55
56 return map.encode();
57 }
58
secureAccessControlProfileCalcMac(const SecureAccessControlProfile & profile,const vector<uint8_t> & storageKey)59 optional<vector<uint8_t>> secureAccessControlProfileCalcMac(
60 const SecureAccessControlProfile& profile, const vector<uint8_t>& storageKey) {
61 vector<uint8_t> cborData = secureAccessControlProfileEncodeCbor(profile);
62
63 optional<vector<uint8_t>> nonce = support::getRandom(12);
64 if (!nonce) {
65 return {};
66 }
67 optional<vector<uint8_t>> macO =
68 support::encryptAes128Gcm(storageKey, nonce.value(), {}, cborData);
69 if (!macO) {
70 return {};
71 }
72 return macO.value();
73 }
74
secureAccessControlProfileCheckMac(const SecureAccessControlProfile & profile,const vector<uint8_t> & storageKey)75 bool secureAccessControlProfileCheckMac(const SecureAccessControlProfile& profile,
76 const vector<uint8_t>& storageKey) {
77 vector<uint8_t> cborData = secureAccessControlProfileEncodeCbor(profile);
78
79 if (profile.mac.size() < support::kAesGcmIvSize) {
80 return false;
81 }
82 vector<uint8_t> nonce =
83 vector<uint8_t>(profile.mac.begin(), profile.mac.begin() + support::kAesGcmIvSize);
84 optional<vector<uint8_t>> mac = support::encryptAes128Gcm(storageKey, nonce, {}, cborData);
85 if (!mac) {
86 return false;
87 }
88 if (mac.value() != profile.mac) {
89 return false;
90 }
91 return true;
92 }
93
entryCreateAdditionalData(const string & nameSpace,const string & name,const vector<int32_t> accessControlProfileIds)94 vector<uint8_t> entryCreateAdditionalData(const string& nameSpace, const string& name,
95 const vector<int32_t> accessControlProfileIds) {
96 cppbor::Map map;
97 map.add("Namespace", nameSpace);
98 map.add("Name", name);
99
100 cppbor::Array acpIds;
101 for (auto id : accessControlProfileIds) {
102 acpIds.add(id);
103 }
104 map.add("AccessControlProfileIds", std::move(acpIds));
105 return map.encode();
106 }
107
108 } // namespace aidl::android::hardware::identity
109