AndroidSecureArea keys creation enhancements

openwallet-foundation-labs · Sep 13, 2023 · fba0cc7 · fba0cc7
1 parent 0289a71
commit fba0cc7
Show file tree

Hide file tree

Showing 24 changed files with 1,081 additions and 244 deletions.
diff --git a/appholder/src/main/java/com/android/mdl/app/adapter/DocumentAdapter.kt b/appholder/src/main/java/com/android/mdl/app/adapter/DocumentAdapter.kt
@@ -60,7 +60,7 @@ class DocumentAdapter : ListAdapter<DocumentInformation, RecyclerView.ViewHolder
         }
 
         private fun navigateToDetail(document: DocumentInformation, view: View) {
-            val direction = SelectDocumentFragmentDirections.toDocumentDetail(document.userVisibleName)
+            val direction = SelectDocumentFragmentDirections.toDocumentDetail(document.docName)
             if (view.findNavController().currentDestination?.id == R.id.wallet) {
                 view.findNavController().navigate(direction)
             }

diff --git a/appholder/src/main/java/com/android/mdl/app/authconfirmation/AuthConfirmationFragment.kt b/appholder/src/main/java/com/android/mdl/app/authconfirmation/AuthConfirmationFragment.kt
@@ -19,6 +19,8 @@ import androidx.lifecycle.lifecycleScope
 import androidx.lifecycle.repeatOnLifecycle
 import androidx.navigation.fragment.findNavController
 import androidx.navigation.fragment.navArgs
+import com.android.identity.android.securearea.AndroidKeystoreSecureArea
+import com.android.identity.securearea.SecureArea.ALGORITHM_ES256
 import com.android.mdl.app.R
 import com.android.mdl.app.authprompt.UserAuthPromptBuilder
 import com.android.mdl.app.theme.HolderAppTheme
@@ -112,26 +114,38 @@ class AuthConfirmationFragment : BottomSheetDialogFragment() {
 
     private fun sendResponse() {
         isSendingInProgress.value = true
-        when (viewModel.sendResponseForSelection()) {
-            is AddDocumentToResponseResult.UserAuthRequired -> requestUserAuth(false)
-            is AddDocumentToResponseResult.PassphraseRequired -> requestPassphrase()
-            else -> findNavController().navigateUp()
-        }
+        val result = viewModel.sendResponseForSelection()
+        onSendResponseResult(result)
     }
 
-    private fun requestUserAuth(forceLskf: Boolean) {
+    private fun requestUserAuth(
+        allowLskfUnlock: Boolean,
+        allowBiometricUnlock: Boolean,
+        forceLskf: Boolean = !allowBiometricUnlock
+    ) {
         val userAuthRequest = UserAuthPromptBuilder.requestUserAuth(this)
             .withTitle(getString(R.string.bio_auth_title))
-            .withNegativeButton(getString(R.string.bio_auth_use_pin))
             .withSuccessCallback { authenticationSucceeded() }
-            .withCancelledCallback { retryForcingPinUse() }
+            .withCancelledCallback {
+                if (allowLskfUnlock) {
+                    retryForcingPinUse(allowLskfUnlock, allowBiometricUnlock)
+                } else {
+                    cancelAuthorization()
+                }
+            }
             .withFailureCallback { authenticationFailed() }
             .setForceLskf(forceLskf)
-            .build()
-        val cryptoObject = viewModel.getCryptoObject()
-        userAuthRequest.authenticate(cryptoObject)
+        if (allowLskfUnlock) {
+            userAuthRequest.withNegativeButton(getString(R.string.bio_auth_use_pin))
+        } else {
+            userAuthRequest.withNegativeButton("Cancel")
+        }
+        val cryptoObject = androidKeyUnlockData?.getCryptoObjectForSigning(ALGORITHM_ES256)
+        userAuthRequest.build().authenticate(cryptoObject)
     }
 
+    private var androidKeyUnlockData: AndroidKeystoreSecureArea.KeyUnlockData? = null
+
     private fun getSubtitle(): String {
         val readerCommonName = arguments.readerCommonName
         val readerIsTrusted = arguments.readerIsTrusted
@@ -147,23 +161,48 @@ class AuthConfirmationFragment : BottomSheetDialogFragment() {
     }
 
     private fun authenticationSucceeded(passphrase: String) {
-        viewModel.sendResponseForSelection(true, passphrase)
+        viewModel.sendResponseForSelection()
         findNavController().navigateUp()
     }
 
     private fun authenticationSucceeded() {
         try {
-            viewModel.sendResponseForSelection(true)
+            val result = viewModel.sendResponseForSelection(keyUnlockData = androidKeyUnlockData)
+            onSendResponseResult(result)
             findNavController().navigateUp()
         } catch (e: Exception) {
             val message = "Send response error: ${e.message}"
             log(message, e)
-            Toast.makeText(requireContext(), message, Toast.LENGTH_SHORT).show()
+            toast(message)
         }
     }
 
-    private fun retryForcingPinUse() {
-        val runnable = { requestUserAuth(true) }
+    private fun onSendResponseResult(result: AddDocumentToResponseResult) {
+        when (result) {
+            is AddDocumentToResponseResult.UserAuthRequired -> {
+                val keyUnlockData = AndroidKeystoreSecureArea.KeyUnlockData(result.keyAlias)
+                androidKeyUnlockData = keyUnlockData
+                requestUserAuth(
+                    result.allowLSKFUnlocking,
+                    result.allowBiometricUnlocking
+                )
+            }
+
+            is AddDocumentToResponseResult.PassphraseRequired -> {
+                requestPassphrase()
+            }
+
+            is AddDocumentToResponseResult.DocumentAdded -> {
+                if (result.signingKeyUsageLimitPassed) {
+                    toast("Using previously used Auth Key")
+                }
+                findNavController().navigateUp()
+            }
+        }
+    }
+
+    private fun retryForcingPinUse(allowLsfk: Boolean, allowBiometric: Boolean) {
+        val runnable = { requestUserAuth(allowLsfk, allowBiometric, true) }
         // Without this delay, the prompt won't reshow
         Handler(Looper.getMainLooper()).postDelayed(runnable, 100)
     }
@@ -177,4 +216,8 @@ class AuthConfirmationFragment : BottomSheetDialogFragment() {
             .openPassphrasePrompt()
         findNavController().navigate(destination)
     }
+
+    private fun toast(message: String, duration: Int = Toast.LENGTH_SHORT) {
+        Toast.makeText(requireContext(), message, duration).show()
+    }
 }
diff --git a/appholder/src/main/java/com/android/mdl/app/authconfirmation/RequestedDocumentData.kt b/appholder/src/main/java/com/android/mdl/app/authconfirmation/RequestedDocumentData.kt
@@ -5,7 +5,6 @@ import com.android.identity.mdoc.request.DeviceRequestParser
 data class RequestedDocumentData(
     val userReadableName: String,
     val identityCredentialName: String,
-    val needsAuth: Boolean,
     val requestedElements: ArrayList<RequestedElement>,
     val requestedDocument: DeviceRequestParser.DocumentRequest
 )
diff --git a/appholder/src/main/java/com/android/mdl/app/authconfirmation/SignedDocumentData.kt b/appholder/src/main/java/com/android/mdl/app/authconfirmation/SignedDocumentData.kt
@@ -4,8 +4,6 @@ class SignedDocumentData(
     private val signedElements: List<RequestedElement>,
     val identityCredentialName: String,
     val documentType: String,
-    val readerAuth: ByteArray?,
-    val itemsRequest: ByteArray
 ) {
 
     fun issuerSignedEntries(): MutableMap<String, Collection<String>> {

diff --git a/appholder/src/main/java/com/android/mdl/app/authconfirmation/SignedElementsCollection.kt b/appholder/src/main/java/com/android/mdl/app/authconfirmation/SignedElementsCollection.kt
@@ -19,11 +19,9 @@ class SignedElementsCollection {
         return requestedDocuments.keys.map { namespace ->
             val document = requestedDocuments.getValue(namespace)
             SignedDocumentData(
-                signedElements,
-                document.userReadableName,
-                document.requestedDocument.docType,
-                document.requestedDocument.readerAuth,
-                document.requestedDocument.itemsRequest
+                signedElements = signedElements,
+                identityCredentialName = document.identityCredentialName,
+                documentType = document.requestedDocument.docType,
             )
         }
     }

diff --git a/appholder/src/main/java/com/android/mdl/app/composables/Preview.kt b/appholder/src/main/java/com/android/mdl/app/composables/Preview.kt
@@ -0,0 +1,8 @@
+package com.android.mdl.app.composables
+
+import android.content.res.Configuration
+import androidx.compose.ui.tooling.preview.Preview
+
+@Preview(name = "Light", uiMode = Configuration.UI_MODE_NIGHT_NO)
+@Preview(name = "Dark", uiMode = Configuration.UI_MODE_NIGHT_YES)
+annotation class PreviewLightDark
diff --git a/appholder/src/main/java/com/android/mdl/app/document/DocumentInformation.kt b/appholder/src/main/java/com/android/mdl/app/document/DocumentInformation.kt
@@ -2,11 +2,13 @@ package com.android.mdl.app.document
 
 data class DocumentInformation(
     val userVisibleName: String,
+    val docName: String,
     val docType: String,
     val dateProvisioned: String,
     val selfSigned: Boolean,
     val documentColor: Int,
     val maxUsagesPerKey: Int,
+    val lastTimeUsed: String,
     val authKeys: List<KeyData>
 ) {
 
@@ -15,7 +17,10 @@ data class DocumentInformation(
         val validFrom: String,
         val validUntil: String,
         val issuerDataBytesCount: Int,
-        val usagesCount: Int
+        val usagesCount: Int,
+        val keyPurposes: Int,
+        val ecCurve: Int,
+        val isHardwareBacked: Boolean
     )
 }
 
diff --git a/appholder/src/main/java/com/android/mdl/app/document/DocumentManager.kt b/appholder/src/main/java/com/android/mdl/app/document/DocumentManager.kt
@@ -11,8 +11,8 @@ import com.android.identity.*
 import com.android.identity.android.legacy.*
 import com.android.identity.credential.Credential
 import com.android.identity.credential.NameSpacedData
-import com.android.mdl.app.keystore.CredentialUtil
-import com.android.mdl.app.keystore.CredentialUtil.Companion.toDocumentInformation
+import com.android.mdl.app.util.CredentialUtil
+import com.android.mdl.app.util.CredentialUtil.Companion.toDocumentInformation
 import com.android.mdl.app.selfsigned.SelfSignedDocumentData
 import com.android.mdl.app.util.DocumentData
 import com.android.mdl.app.util.DocumentData.EU_PID_DOCTYPE