-
Notifications
You must be signed in to change notification settings - Fork 88
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
First of all, rename this to SoftwareSecureArea since there is no need to leak the fact that we're currently using BouncyCastle which could change in the future. Instead of always using self-signed keys, make it possible to specify the attestation key to use at key creation time. Without this we cannot easily support curves which cannot be used for signing (for example X25519). Modify holder app to create an attestation root on demand. Introduce attestation extension so SoftwareSecureArea keys also can convey the attestation challenge. The OID for this has been reserved (it's 1.3.6.1.4.1.11129.2.1.39) and we can extend this if needed. Add code for dealing with this and use it in SoftwareSecureArea. Show the curve of DeviceKey in the reader app. Make sure we use the BouncyCastle library bundled with the app instead of the Conscrypt-based implementation that may come with the OS. Do this for both wallet and reader app. This has been manually test with mdocs using both ECDSA and MAC authentication with all curves except Ed25519, X25519, Ed448, and X448. These curves still have some serialization problems, we'll revisit this in a future PR. The app still uses the name "Bouncy Castle", we'll address that in a future PR. Also update to the latest available BouncyCastle, version 1.70. Test: Manually tested. Test: All unit tests pass.
- Loading branch information
Showing
14 changed files
with
518 additions
and
267 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
79 changes: 79 additions & 0 deletions
79
identity/src/main/java/com/android/identity/securearea/AttestationExtension.kt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
package com.android.identity.securearea | ||
|
||
import co.nstant.`in`.cbor.CborBuilder | ||
import co.nstant.`in`.cbor.CborDecoder | ||
import co.nstant.`in`.cbor.CborEncoder | ||
import co.nstant.`in`.cbor.CborException | ||
import co.nstant.`in`.cbor.model.ByteString | ||
import co.nstant.`in`.cbor.model.DataItem | ||
import co.nstant.`in`.cbor.model.Map | ||
import co.nstant.`in`.cbor.model.UnicodeString | ||
import java.io.ByteArrayInputStream | ||
import java.io.ByteArrayOutputStream | ||
|
||
/** | ||
* X.509 Extension which may be used by [SecureArea] implementations. | ||
* | ||
* The main purpose of the extension is to define a place to include the | ||
* challenge passed at key creation time, for freshness. | ||
* | ||
* If used, the extension must be put in X.509 certificate for the created | ||
* key (that is, included in the first certificate in the attestation for the key) | ||
* at the OID defined by [ATTESTATION_OID] and the payload should be an | ||
* OCTET STRING containing the bytes of the CBOR conforming to the following CDDL: | ||
* | ||
* ``` | ||
* Attestation = { | ||
* "challenge" : bstr, ; contains the challenge | ||
* } | ||
* ``` | ||
* | ||
* This map may be extended in the future with additional fields. | ||
*/ | ||
object AttestationExtension { | ||
/** | ||
* The OID for the attestation extension. | ||
*/ | ||
const val ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.39" | ||
|
||
/** | ||
* Generates the payload of the attestation extension. | ||
* | ||
* @param challenge the challenge to include | ||
* @return the bytes of the CBOR for the extension. | ||
*/ | ||
@JvmStatic | ||
fun encode(challenge: ByteArray): ByteArray { | ||
val baos = ByteArrayOutputStream() | ||
try { | ||
CborEncoder(baos).nonCanonical().encode( | ||
CborBuilder() | ||
.addMap() | ||
.put("challenge", challenge) | ||
.end() | ||
.build().get(0) | ||
) | ||
} catch (e: CborException) { | ||
throw IllegalStateException("Unexpected failure encoding data", e) | ||
} | ||
return baos.toByteArray() | ||
} | ||
|
||
/** | ||
* Extracts the challenge from the attestation extension. | ||
* | ||
* @param attestationExtension the bytes of the CBOR for the extension. | ||
* @return the challenge value. | ||
*/ | ||
@JvmStatic | ||
fun decode(attestationExtension: ByteArray): ByteArray { | ||
val dataItems: List<DataItem> = try { | ||
val bais = ByteArrayInputStream(attestationExtension) | ||
CborDecoder(bais).decode() | ||
} catch (e: CborException) { | ||
throw IllegalArgumentException("Error decoding CBOR", e) | ||
} | ||
return ((dataItems[0] as Map).get(UnicodeString("challenge")) as ByteString).bytes | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.