author | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-02-19 23:18:16 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-02-19 23:18:16 +0000 |
commit | 124b3af2850bf6d72cadeb44014685d0c3741c6e (patch) | |
tree | 3686970fe309d754e6d91d2a1656f1fc6a27ee92 /keymaster | |
parent | 66814ea2e7e8f46878b7b867df0760ada4887cb5 (diff) | |
parent | e216d2b09c07f097c6caeed2bdfa76e2a759751a (diff) | |
Merge "Port IdentityCredential HAL to AIDL." am: 6a83338df9 am: 02a80f6aab am: e216d2b09c
Change-Id: Iee51e1c0cb87eefef0c4a0208bb231ea67bb215d
Diffstat (limited to 'keymaster')
4 files changed, 161 insertions, 0 deletions
diff --git a/keymaster/aidl/Android.bp b/keymaster/aidl/Android.bp
new file mode 100644
index 0000000000..a2d73ead08
--- /dev/null
+++ b/keymaster/aidl/Android.bp
@@ -0,0 +1,18 @@
+aidl_interface {
+ name: "android.hardware.keymaster",
+ vendor_available: true,
+ srcs: [
+ "android/hardware/keymaster/*.aidl",
+ ],
+ stability: "vintf",
+ backend: {
+ java: {
+ platform_apis: true,
+ },
+ ndk: {
+ vndk: {
+ enabled: true,
+ },
+ },
+ },
+}
diff --git a/keymaster/aidl/android/hardware/keymaster/HardwareAuthToken.aidl b/keymaster/aidl/android/hardware/keymaster/HardwareAuthToken.aidl
new file mode 100644
index 0000000000..58602aaa49
--- /dev/null
+++ b/keymaster/aidl/android/hardware/keymaster/HardwareAuthToken.aidl
@@ -0,0 +1,89 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.hardware.keymaster;
+
+import android.hardware.keymaster.Timestamp;
+import android.hardware.keymaster.HardwareAuthenticatorType;
+
+/**
+ * HardwareAuthToken is used to prove successful user authentication, to unlock the use of a key.
+ *
+ * HardwareAuthTokens are produced by other secure environment applications, notably GateKeeper and
+ * Fingerprint, in response to successful user authentication events. These tokens are passed to
+ * begin(), update(), and finish() to prove that authentication occurred. See those methods for
+ * more details. It is up to the caller to determine which of the generated auth tokens is
+ * appropriate for a given key operation.
+ */
+@VintfStability
+parcelable HardwareAuthToken {
+
+ /**
+ * challenge is a value that's used to enable authentication tokens to authorize specific
+ * events. The primary use case for challenge is to authorize an IKeymasterDevice cryptographic
+ * operation, for keys that require authentication per operation. See begin() for details.
+ */
+ long challenge;
+
+ /**
+ * userId is the a "secure" user ID. It is not related to any Android user ID or UID, but is
+ * created in the Gatekeeper application in the secure environment.
+ */
+ long userId;
+
+ /**
+ * authenticatorId is the a "secure" user ID. It is not related to any Android user ID or UID,
+ * but is created in an authentication application in the secure environment, such as the
+ * Fingerprint application.
+ */
+ long authenticatorId; // Secure authenticator ID.
+
+ /**
+ * authenticatorType describes the type of authentication that took place, e.g. password or
+ * fingerprint.
+ */
+ HardwareAuthenticatorType authenticatorType;
+
+ /**
+ * timestamp indicates when the user authentication took place, in milliseconds since some
+ * starting point (generally the most recent device boot) which all of the applications within
+ * one secure environment must agree upon. This timestamp is used to determine whether or not
+ * the authentication occurred recently enough to unlock a key (see Tag::AUTH_TIMEOUT).
+ */
+ Timestamp timestamp;
+
+ /**
+ * MACs are computed with a backward-compatible method, used by Keymaster 3.0, Gatekeeper 1.0
+ * and Fingerprint 1.0, as well as pre-treble HALs.
+ *
+ * The MAC is Constants::AUTH_TOKEN_MAC_LENGTH bytes in length and is computed as follows:
+ *
+ * HMAC_SHA256(
+ * H, 0 || challenge || user_id || authenticator_id || authenticator_type || timestamp)
+ *
+ * where ``||'' represents concatenation, the leading zero is a single byte, and all integers
+ * are represented as unsigned values, the full width of the type. The challenge, userId and
+ * authenticatorId values are in machine order, but authenticatorType and timestamp are in
+ * network order (big-endian). This odd construction is compatible with the hw_auth_token_t
+ * structure,
+ *
+ * Note that mac is a vec rather than an array, not because it's actually variable-length but
+ * because it could be empty. As documented in the IKeymasterDevice::begin,
+ * IKeymasterDevice::update and IKeymasterDevice::finish doc comments, an empty mac indicates
+ * that this auth token is empty.
+ */
+ byte[] mac;
+}
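Review bot: The doc comment on `mac` leaves the verifier's side underspecified: `H` is never defined, the sentence "This odd construction is compatible with the hw_auth_token_t structure," breaks off at a comma, and nothing says how a non-empty `mac` of the wrong length is handled. Since `byte[]` carries no length constraint and an empty value is a legal "no token" marker, I would add `* A non-empty mac whose length is not Constants::AUTH_TOKEN_MAC_LENGTH must fail verification; it is never equivalent to an empty token.` and one line stating what `H` is (presumably the HMAC key shared by the secure-environment components; confirm against the Keymaster 4.0 HAL text). The formula also names fields `user_id`, `authenticator_id` and `authenticator_type` while the parcelable uses `userId`, `authenticatorId` and `authenticatorType`, and the `authenticatorId` comment repeats the `userId` wording ("is the a "secure" user ID") where it should describe a secure authenticator ID.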
diff --git a/keymaster/aidl/android/hardware/keymaster/HardwareAuthenticatorType.aidl b/keymaster/aidl/android/hardware/keymaster/HardwareAuthenticatorType.aidl
new file mode 100644
index 0000000000..314185829f
--- /dev/null
+++ b/keymaster/aidl/android/hardware/keymaster/HardwareAuthenticatorType.aidl
@@ -0,0 +1,32 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.hardware.keymaster;
+
+/**
+ * Hardware authentication type, used by HardwareAuthTokens to specify the mechanism used to
+ * authentiate the user, and in KeyCharacteristics to specify the allowable mechanisms for
+ * authenticating to activate a key.
+ */
+@VintfStability
+@Backing(type="int")
+enum HardwareAuthenticatorType {
+ NONE = 0,
+ PASSWORD = 1 << 0,
+ FINGERPRINT = 1 << 1,
+ // Additional entries must be powers of 2.
+ ANY = 0xFFFFFFFF,
+}
diff --git a/keymaster/aidl/android/hardware/keymaster/Timestamp.aidl b/keymaster/aidl/android/hardware/keymaster/Timestamp.aidl
new file mode 100644
index 0000000000..4b2f108887
--- /dev/null
+++ b/keymaster/aidl/android/hardware/keymaster/Timestamp.aidl
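Review bot: `HardwareAuthenticatorType` is a bit mask, but the only hint is the inline `// Additional entries must be powers of 2.`; the type's doc comment should say so, because a consumer that compares `authenticatorType` for equality instead of testing bits will mishandle `ANY` and any combined value. With `@Backing(type="int")` the literal `0xFFFFFFFF` is all 32 bits set, which is presumably -1 when read as a signed int in the Java backend, so a short remark on `ANY` such as `// All bits set: matches every authenticator type.` would help. The doc comment also misspells "authenticate" as "authentiate".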
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.hardware.keymaster;
+
+@VintfStability
+parcelable Timestamp {
+ long milliSeconds;
+} |
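Review bot: `Timestamp` and its `milliSeconds` field have no doc comment, so the time base is only discoverable through the `timestamp` field of `HardwareAuthToken`. I would add `/** Time in milliseconds since some starting point (generally the most recent device boot) that all applications within one secure environment agree upon. */` above the parcelable. `milliSeconds` is a signed `long` while the MAC description in `HardwareAuthToken.aidl` treats integers as unsigned and serializes the timestamp in network order, which is worth restating on the field.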