Rework BouncyCastleSecureArea.

First of all, rename this to SoftwareSecureArea since there is no need to leak the fact that we're currently using BouncyCastle which could change in the future. Instead of always using self-signed keys, make it possible to specify the attestation key to use at key creation time. Without this we cannot easily support curves which cannot be used for signing (for example X25519). Modify holder app to create an attestation root on demand. Introduce attestation extension so SoftwareSecureArea keys also can convey the attestation challenge. The OID for this has been reserved (it's 1.3.6.1.4.1.11129.2.1.39) and we can extend this if needed. Add code for dealing with this and use it in SoftwareSecureArea. Show the curve of DeviceKey in the reader app. Make sure we use the BouncyCastle library bundled with the app instead of the Conscrypt-based implementation that may come with the OS. Do this for both wallet and reader app. This has been manually test with mdocs using both ECDSA and MAC authentication with all curves except Ed25519, X25519, Ed448, and X448. These curves still have some serialization problems, we'll revisit this in a future PR. The app still uses the name "Bouncy Castle", we'll address that in a future PR. Test: Manually tested. Test: All unit tests pass.
openwallet-foundation-labs · Oct 20, 2023 · 57fb165 · 57fb165
1 parent 9b37ddc
commit 57fb165
Show file tree

Hide file tree

Showing 13 changed files with 517 additions and 266 deletions.
diff --git a/appholder/src/main/java/com/android/identity/wallet/HolderApp.kt b/appholder/src/main/java/com/android/identity/wallet/HolderApp.kt
@@ -6,12 +6,18 @@ import com.android.identity.util.Logger
 import com.android.identity.wallet.util.PeriodicKeysRefreshWorkRequest
 import com.android.identity.wallet.util.PreferencesHelper
 import com.google.android.material.color.DynamicColors
+import org.bouncycastle.jce.provider.BouncyCastleProvider
+import java.security.Security
 
 class HolderApp: Application() {
 
     override fun onCreate() {
         super.onCreate()
         Logger.setLogPrinter(AndroidLogPrinter())
+        // This is needed to prefer BouncyCastle bundled with the app instead of the Conscrypt
+        // based implementation included in the OS itself.
+        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME)
+        Security.insertProviderAt(BouncyCastleProvider(), 1)
         DynamicColors.applyToActivitiesIfAvailable(this)
         PreferencesHelper.initialize(this)
         PeriodicKeysRefreshWorkRequest(this).schedulePeriodicKeysRefreshing()

diff --git a/...er/src/main/java/com/android/identity/wallet/authconfirmation/AuthConfirmationFragment.kt b/...er/src/main/java/com/android/identity/wallet/authconfirmation/AuthConfirmationFragment.kt
@@ -20,7 +20,7 @@ import androidx.lifecycle.repeatOnLifecycle
 import androidx.navigation.fragment.findNavController
 import androidx.navigation.fragment.navArgs
 import com.android.identity.android.securearea.AndroidKeystoreSecureArea
-import com.android.identity.securearea.BouncyCastleSecureArea
+import com.android.identity.securearea.SoftwareSecureArea
 import com.android.identity.securearea.SecureArea.ALGORITHM_ES256
 import com.android.identity.wallet.R
 import com.android.identity.wallet.authprompt.UserAuthPromptBuilder
@@ -161,7 +161,7 @@ class AuthConfirmationFragment : BottomSheetDialogFragment() {
     }
 
     private fun onPassphraseProvided(passphrase: String) {
-        val unlockData = BouncyCastleSecureArea.KeyUnlockData(passphrase)
+        val unlockData = SoftwareSecureArea.KeyUnlockData(passphrase)
         val result = viewModel.sendResponseForSelection(unlockData)
         onSendResponseResult(result)
     }

diff --git a/appholder/src/main/java/com/android/identity/wallet/util/ProvisioningUtil.kt b/appholder/src/main/java/com/android/identity/wallet/util/ProvisioningUtil.kt
@@ -12,10 +12,12 @@ import com.android.identity.internal.Util
 import com.android.identity.mdoc.mso.MobileSecurityObjectGenerator
 import com.android.identity.mdoc.mso.StaticAuthDataGenerator
 import com.android.identity.mdoc.util.MdocUtil
-import com.android.identity.securearea.BouncyCastleSecureArea
 import com.android.identity.securearea.SecureArea
+import com.android.identity.securearea.SecureArea.KeyLockedException
 import com.android.identity.securearea.SecureArea.KeyPurpose
 import com.android.identity.securearea.SecureAreaRepository
+import com.android.identity.securearea.SoftwareSecureArea
+import com.android.identity.storage.EphemeralStorageEngine
 import com.android.identity.util.Timestamp
 import com.android.identity.wallet.document.DocumentInformation
 import com.android.identity.wallet.document.KeysAndCertificates
@@ -25,6 +27,8 @@ import com.android.identity.wallet.selfsigned.ProvisionInfo
 import com.android.identity.wallet.util.DocumentData.MICOV_DOCTYPE
 import com.android.identity.wallet.util.DocumentData.MVR_DOCTYPE
 import java.io.File
+import java.security.KeyPair
+import java.security.PrivateKey
 import java.security.cert.X509Certificate
 import java.time.Instant
 import java.time.ZoneId
@@ -45,16 +49,40 @@ class ProvisioningUtil private constructor(
     private val androidKeystoreSecureArea: SecureArea
         get() = AndroidKeystoreSecureArea(context, storageEngine)
 
-    private val bouncyCastleSecureArea: SecureArea
-        get() = BouncyCastleSecureArea(storageEngine)
+    private val softwareSecureArea: SecureArea
+        get() = SoftwareSecureArea(storageEngine)
 
     val credentialStore by lazy(LazyThreadSafetyMode.SYNCHRONIZED) {
         val keystoreEngineRepository = SecureAreaRepository()
         keystoreEngineRepository.addImplementation(androidKeystoreSecureArea)
-        keystoreEngineRepository.addImplementation(bouncyCastleSecureArea)
+        keystoreEngineRepository.addImplementation(softwareSecureArea)
         CredentialStore(storageEngine, keystoreEngineRepository)
     }
 
+    private lateinit var softwareAttestationKey: PrivateKey
+    private lateinit var softwareAttestationKeySignatureAlgorithm: String
+    private lateinit var softwareAttestationKeyCertification: List<X509Certificate>
+
+    private fun initSoftwareAttestationKey() {
+        val secureArea = SoftwareSecureArea(EphemeralStorageEngine())
+            val now = Timestamp.now()
+            secureArea.createKey(
+                "SoftwareAttestationRoot",
+                SoftwareSecureArea.CreateKeySettings.Builder("".toByteArray())
+                    .setEcCurve(SecureArea.EC_CURVE_P256)
+                    .setKeyPurposes(SecureArea.KEY_PURPOSE_SIGN)
+                    .setSubject("CN=Software Attestation Root")
+                    .setValidityPeriod(
+                        now,
+                        Timestamp.ofEpochMilli(now.toEpochMilli() + 10L * 86400 * 365 * 1000)
+                    )
+                    .build()
+            )
+        softwareAttestationKey = secureArea.getPrivateKey("SoftwareAttestationRoot", null)
+        softwareAttestationKeySignatureAlgorithm = "SHA256withECDSA"
+        softwareAttestationKeyCertification = secureArea.getKeyInfo("SoftwareAttestationRoot").attestation
+    }
+
     fun provisionSelfSigned(
         nameSpacedData: NameSpacedData,
         provisionInfo: ProvisionInfo,
@@ -217,8 +245,8 @@ class ProvisioningUtil private constructor(
                 )
             }
 
-            is BouncyCastleSecureArea -> {
-                val keyInfo = credential.credentialSecureArea.getKeyInfo(credential.credentialKeyAlias) as BouncyCastleSecureArea.KeyInfo
+            is SoftwareSecureArea -> {
+                val keyInfo = credential.credentialSecureArea.getKeyInfo(credential.credentialKeyAlias) as SoftwareSecureArea.KeyInfo
                 createBouncyCastleKeystoreSettings(
                     mDocAuthOption = AddSelfSignedScreenState.MdocAuthStateOption.valueOf(mDocAuthOption),
                     ecCurve = keyInfo.ecCurve
@@ -266,13 +294,18 @@ class ProvisioningUtil private constructor(
         passphrase: String? = null,
         mDocAuthOption: AddSelfSignedScreenState.MdocAuthStateOption,
         ecCurve: Int
-    ): BouncyCastleSecureArea.CreateKeySettings {
+    ): SoftwareSecureArea.CreateKeySettings {
+        if (!this::softwareAttestationKey.isInitialized) {
+            initSoftwareAttestationKey()
+        }
         val keyPurpose = mDocAuthOption.toKeyPurpose()
-        val builder = BouncyCastleSecureArea.CreateKeySettings.Builder()
+        val builder = SoftwareSecureArea.CreateKeySettings.Builder("DoNotCare".toByteArray())
+            .setAttestationKey(softwareAttestationKey,
+                softwareAttestationKeySignatureAlgorithm, softwareAttestationKeyCertification)
             .setPassphraseRequired(passphrase != null, passphrase)
             .setKeyPurposes(keyPurpose)
             .setEcCurve(ecCurve)
-            .setKeyPurposes(SecureArea.KEY_PURPOSE_SIGN or SecureArea.KEY_PURPOSE_AGREE_KEY)
+            .setKeyPurposes(mDocAuthOption.toKeyPurpose())
         return builder.build()
     }
 
@@ -351,7 +384,7 @@ class ProvisioningUtil private constructor(
         private fun SecureArea.toSecureAreaState(): SecureAreaImplementationState {
             return when (this) {
                 is AndroidKeystoreSecureArea -> SecureAreaImplementationState.Android
-                is BouncyCastleSecureArea -> SecureAreaImplementationState.BouncyCastle
+                is SoftwareSecureArea -> SecureAreaImplementationState.BouncyCastle
                 else -> throw IllegalStateException("Unknown Secure Area Implementation")
             }
         }

diff --git a/appverifier/src/main/java/com/android/mdl/appreader/VerifierApp.kt b/appverifier/src/main/java/com/android/mdl/appreader/VerifierApp.kt
@@ -6,6 +6,8 @@ import com.android.identity.util.Logger
 import androidx.preference.PreferenceManager
 import com.android.mdl.appreader.settings.UserPreferences
 import com.google.android.material.color.DynamicColors
+import org.bouncycastle.jce.provider.BouncyCastleProvider
+import java.security.Security
 
 class VerifierApp : Application() {
 
@@ -17,6 +19,10 @@ class VerifierApp : Application() {
     override fun onCreate() {
         super.onCreate()
         Logger.setLogPrinter(AndroidLogPrinter())
+        // This is needed to prefer BouncyCastle bundled with the app instead of the Conscrypt
+        // based implementation included in the OS itself.
+        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME)
+        Security.insertProviderAt(BouncyCastleProvider(), 1)
         DynamicColors.applyToActivitiesIfAvailable(this)
         userPreferencesInstance = userPreferences
         Logger.setDebugEnabled(userPreferences.isDebugLoggingEnabled())

diff --git a/appverifier/src/main/java/com/android/mdl/appreader/fragment/ShowDocumentFragment.kt b/appverifier/src/main/java/com/android/mdl/appreader/fragment/ShowDocumentFragment.kt
@@ -16,6 +16,7 @@ import androidx.activity.OnBackPressedCallback
 import androidx.annotation.AttrRes
 import androidx.fragment.app.Fragment
 import androidx.navigation.fragment.findNavController
+import com.android.identity.internal.Util
 import com.android.identity.mdoc.response.DeviceResponseParser
 import com.android.identity.securearea.SecureArea
 import com.android.identity.securearea.SecureArea.EcCurve
@@ -262,6 +263,7 @@ class ShowDocumentFragment : Fragment() {
             // Just show the SHA-1 of DeviceKey since all we're interested in here is whether
             // we saw the same key earlier.
             sb.append("<h6>DeviceKey</h6>")
+            sb.append("${getFormattedCheck(true)}Curve: <b>${curveNameFor(Util.getCurve(doc.deviceKey))}</b><br>")
             val deviceKeySha1 = FormatUtil.encodeToString(
                 MessageDigest.getInstance("SHA-1").digest(doc.deviceKey.encoded)
             )

diff --git a/appverifier/src/main/java/com/android/mdl/appreader/readercertgen/CertificateGenerator.java b/appverifier/src/main/java/com/android/mdl/appreader/readercertgen/CertificateGenerator.java
@@ -38,8 +38,6 @@ private CertificateGenerator() {
 
 	static X509Certificate generateCertificate(DataMaterial data, CertificateMaterial certMaterial, KeyMaterial keyMaterial)
 			throws CertIOException, CertificateException, OperatorCreationException {
-		Provider bcProvider = new BouncyCastleProvider();
-		Security.addProvider(bcProvider);
 
 		Optional<X509Certificate> issuerCert = keyMaterial.issuerCertificate();
 

diff --git a/identity/src/main/java/com/android/identity/securearea/AttestationExtension.kt b/identity/src/main/java/com/android/identity/securearea/AttestationExtension.kt
@@ -0,0 +1,79 @@
+package com.android.identity.securearea
+
+import co.nstant.`in`.cbor.CborBuilder
+import co.nstant.`in`.cbor.CborDecoder
+import co.nstant.`in`.cbor.CborEncoder
+import co.nstant.`in`.cbor.CborException
+import co.nstant.`in`.cbor.model.ByteString
+import co.nstant.`in`.cbor.model.DataItem
+import co.nstant.`in`.cbor.model.Map
+import co.nstant.`in`.cbor.model.UnicodeString
+import java.io.ByteArrayInputStream
+import java.io.ByteArrayOutputStream
+
+/**
+ * X.509 Extension which may be used by [SecureArea] implementations.
+ *
+ * The main purpose of the extension is to define a place to include the
+ * challenge passed at key creation time, for freshness.
+ *
+ * If used, the extension must be put in X.509 certificate for the created
+ * key (that is, included in the first certificate in the attestation for the key)
+ * at the OID defined by [ATTESTATION_OID] and the payload should be an
+ * OCTET STRING containing the bytes of the CBOR conforming to the following CDDL:
+ *
+ * ```
+ * Attestation = {
+ *   "challenge" : bstr,   ; contains the challenge
+ * }
+ * ```
+ *
+ * This map may be extended in the future with additional fields.
+ */
+object AttestationExtension {
+    /**
+     * The OID for the attestation extension.
+     */
+    const val ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.39"
+
+    /**
+     * Generates the payload of the attestation extension.
+     *
+     * @param challenge the challenge to include
+     * @return the bytes of the CBOR for the extension.
+     */
+    @JvmStatic
+    fun encode(challenge: ByteArray): ByteArray {
+        val baos = ByteArrayOutputStream()
+        try {
+            CborEncoder(baos).nonCanonical().encode(
+                CborBuilder()
+                    .addMap()
+                    .put("challenge", challenge)
+                    .end()
+                    .build().get(0)
+            )
+        } catch (e: CborException) {
+            throw IllegalStateException("Unexpected failure encoding data", e)
+        }
+        return baos.toByteArray()
+    }
+
+    /**
+     * Extracts the challenge from the attestation extension.
+     *
+     * @param attestationExtension the bytes of the CBOR for the extension.
+     * @return the challenge value.
+     */
+    @JvmStatic
+    fun decode(attestationExtension: ByteArray): ByteArray {
+        val dataItems: List<DataItem> = try {
+            val bais = ByteArrayInputStream(attestationExtension)
+            CborDecoder(bais).decode()
+        } catch (e: CborException) {
+            throw IllegalArgumentException("Error decoding CBOR", e)
+        }
+        return ((dataItems[0] as Map).get(UnicodeString("challenge")) as ByteString).bytes
+    }
+
+}
diff --git a/identity/src/main/java/com/android/identity/securearea/SecureArea.java b/identity/src/main/java/com/android/identity/securearea/SecureArea.java
@@ -227,7 +227,7 @@ public interface SecureArea {
     /**
      * Class with information about a key.
      *
-     * <p>Concrete {@link SecureArea} implementations may subclass this to provide
+     * <p>Concrete {@link SecureArea} implementations may subclass this to provide additional
      * implementation-specific information about the key.
      */
     class KeyInfo {
@@ -247,7 +247,7 @@ protected KeyInfo(@NonNull List<X509Certificate> attestation,
         }
 
         /**
-         * Gets the attestation for a key.
+         * Gets the attestation for the key.
          *
          * @return A list of certificates representing a certificate chain.
          */