TrustManager in Identity Library and UI in Verifier

appverifier/src/main/java/com/android/mdl/appreader/VerifierApp.kt

@@ -1,9 +1,12 @@
 package com.android.mdl.appreader
 
 import android.app.Application
+import android.content.Context
 import com.android.identity.android.util.AndroidLogPrinter
 import com.android.identity.util.Logger
 import androidx.preference.PreferenceManager
+import com.android.identity.storage.GenericStorageEngine
+import com.android.identity.trustmanagement.TrustManager
 import com.android.mdl.appreader.settings.UserPreferences
 import com.google.android.material.color.DynamicColors
 import org.bouncycastle.jce.provider.BouncyCastleProvider
@@ -16,6 +19,10 @@ class VerifierApp : Application() {
         UserPreferences(sharedPreferences)
     }
 
+    private val trustManager by lazy {
+        TrustManager(GenericStorageEngine(getDir("Certificates", Context.MODE_PRIVATE)))
+    }
+
     override fun onCreate() {
         super.onCreate()
         Logger.setLogPrinter(AndroidLogPrinter())
@@ -26,11 +33,13 @@ class VerifierApp : Application() {
         DynamicColors.applyToActivitiesIfAvailable(this)
         userPreferencesInstance = userPreferences
         Logger.setDebugEnabled(userPreferences.isDebugLoggingEnabled())
+        trustManagerInstance = trustManager
     }
 
     companion object {
 
         private lateinit var userPreferencesInstance: UserPreferences
+        lateinit var trustManagerInstance: TrustManager
 
         fun isDebugLogEnabled(): Boolean {
             return userPreferencesInstance.isDebugLoggingEnabled()

appverifier/src/main/java/com/android/mdl/appreader/fragment/ShowDocumentFragment.kt

@@ -19,13 +19,13 @@ import androidx.navigation.fragment.findNavController
 import com.android.identity.internal.Util
 import com.android.identity.mdoc.response.DeviceResponseParser
 import com.android.identity.securearea.SecureArea
-import com.android.identity.securearea.SecureArea.EcCurve
+import com.android.identity.trustmanagement.CustomValidators
+import com.android.identity.trustmanagement.getCommonName
 import com.android.mdl.appreader.R
+import com.android.mdl.appreader.VerifierApp
 import com.android.mdl.appreader.databinding.FragmentShowDocumentBinding
-import com.android.mdl.appreader.issuerauth.SimpleIssuerTrustStore
 import com.android.mdl.appreader.transfer.TransferManager
 import com.android.mdl.appreader.util.FormatUtil
-import com.android.mdl.appreader.util.KeysAndCertificates
 import com.android.mdl.appreader.util.TransferStatus
 import com.android.mdl.appreader.util.logDebug
 import java.security.MessageDigest
@@ -176,11 +176,6 @@ class ShowDocumentFragment : Fragment() {
     }
 
     private fun formatTextResult(documents: Collection<DeviceResponseParser.Document>): String {
-        // Create the trustManager to validate the DS Certificate against the list of known
-        // certificates in the app
-        val simpleIssuerTrustStore =
-            SimpleIssuerTrustStore(KeysAndCertificates.getTrustedIssuerCertificates(requireContext()))
-
         val sb = StringBuffer()
 
         for (doc in documents) {
@@ -206,35 +201,21 @@ class ShowDocumentFragment : Fragment() {
                 0xFFFFFF and requireContext().theme.attr(R.attr.colorPrimary).data
             )
             sb.append("<h3>Doctype: <font color=\"$color\">${doc.docType}</font></h3>")
-            val certPath =
-                simpleIssuerTrustStore.createCertificationTrustPath(doc.issuerCertificateChain.toList())
-            val isDSTrusted = simpleIssuerTrustStore.validateCertificationTrustPath(certPath)
-            // Use the issuer certificate chain if we could not build the certificate trust path
-            val certChain = if (certPath?.isNotEmpty() == true) {
-                certPath
-            } else {
-                doc.issuerCertificateChain.toList()
+            var certChain = doc.issuerCertificateChain.toList()
+            val customValidators = CustomValidators.getByDocType(doc.docType)
+            val result = VerifierApp.trustManagerInstance.verify(
+                chain = certChain,
+                customValidators = customValidators
+            )
+            if (result.trustChain.any()){
+                certChain = result.trustChain
             }
-
-            val issuerItems = certChain.last().issuerX500Principal.name.split(",")
-            var cnFound = false
-            val commonName = StringBuffer()
-            for (issuerItem in issuerItems) {
-                when {
-                    issuerItem.contains("CN=") -> {
-                        val (key, value) = issuerItem.split("=", limit = 2)
-                        commonName.append(value)
-                        cnFound = true
-                    }
-                    // Common Name value with ',' symbols would be treated as set of items
-                    // Append all parts of CN field if any before next issuer item
-                    cnFound && !issuerItem.contains("=") -> commonName.append(", $issuerItem")
-                    // Ignore any next issuer items only after we've collected required
-                    cnFound -> break
-                }
+            if (!result.isTrusted) {
+                sb.append("${getFormattedCheck(false)}Error in certificate chain validation: ${result.error}<br>")
             }
 
-            sb.append("${getFormattedCheck(isDSTrusted)}Issuer’s DS Key Recognized: ($commonName)<br>")
+            val commonName = certChain.last().issuerX500Principal.getCommonName("")
+            sb.append("${getFormattedCheck(result.isTrusted)}Issuer’s DS Key Recognized: ($commonName)<br>")
             sb.append("${getFormattedCheck(doc.issuerSignedAuthenticated)}Issuer Signed Authenticated<br>")
             var macOrSignatureString = "MAC"
             if (doc.deviceSignedAuthenticatedViaSignature)