Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AndroidSecureArea keys creation improvements #365

Conversation

mitrejcevski
Copy link
Contributor

Partly Fixes #360

It's a good idea to open an issue first for discussion.

  • Tests pass
  • Appropriate changes to README are included in PR

Copy link
Contributor

@davidz25 davidz25 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did a quick test of this PR and it looks like quite a lot of work remains. Observations

  • User auth timeout can not go below 1. It should be possible to set to 0 (which means "auth for every use of the key")

  • after presenting an mDL, the holder returns to the main screen even when Auto close connection preference is not checked in Settings

  • when allowLskf is unchecked, BiometricPrompt still has a Use PIN secondary button. Should not be shown.

  • Authentication Key Curve drop-down always show ["P-256", "Ed25519", "X25519"]

    • when mdoc ECDSA authentication is selected it should show ["P-256", "Ed25519"]
    • when mdoc MAC authentication is selected it should show ["P-256", "X25519"]
  • For BC keys, there's no way to choose mdoc authentication mode, this is only possible for Android Keystore keys.

    • This needs to be possible
  • Auth keys are still mismanaged as pointed out on chat last week (Aug 29). See the thread/topic starting with me saying Have you noticed how "Refresh Auth Keys" tend to just create a lot of new keys when it shouldn't?

  • It doesn't seem like there is a getAndroidHardwareCapabilities() class yet as we discussed earlier this week. It should have the following booleans to reflect the capabilities of the Android device the app is running on:

    • `attest_key``
    • secure_lock_screen
    • ecdh- curve_25519
    • strongbox
    • strongbox_ecdh
    • strongbox_25519
    • strongbox_attest_key
    • configure_user_authentication_type

@@ -161,24 +161,37 @@
<string name="document_color_blue">Blue</string>
<string name="document_color_red">Red</string>

<string name="keystore_android">Android Keystore</string>
<string name="keystore_bouncy_castle">BouncyCastle Keystore</string>
<string name="keystore_android">Android</string>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be called Android Keystore, not just Android.

userAuthenticationType: Int,
useStrongBox: Boolean,
ecCurve: Int,
validUntil: Timestamp
): AndroidKeystoreSecureArea.CreateKeySettings {

return AndroidKeystoreSecureArea.CreateKeySettings.Builder(provisioningChallenge)
.setKeyPurposes(SecureArea.KEY_PURPOSE_SIGN or SecureArea.KEY_PURPOSE_AGREE_KEY)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only pick one of them, never both. If mdoc ECDSA authentication is used, pick KEY_PURPOSE_SIGN. If mdoc MAC authentication is used, pick KEY_PURPOSE_AGREE_KEY.

provisionInfo.androidAuthKeyCurveOption.toEcCurve(),
provisionInfo.useStrongBox,
provisionInfo.validityInDays.toTimestampFromNow()
)
} else if (provisionInfo.passphrase != null) {
createBouncyCastleKey(provisionInfo.passphrase)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Delete createAndroidKey() and createBouncyCastleKey() and just call createKey() directly on the SecureArea object. In general, please try to reduce the number of places where there's SecureArea-specific codepaths - this is so it'll be easier to add support for a new SecureArea in the future.

@mitrejcevski mitrejcevski force-pushed the fix/improve-doc-creation-android-secure-area branch 5 times, most recently from fba0cc7 to 4bd4126 Compare September 15, 2023 09:58
@mitrejcevski mitrejcevski marked this pull request as ready for review September 15, 2023 10:21
@mitrejcevski
Copy link
Contributor Author

We did review the PR internally, and now we making it open. We have addressed the requested changed.
What's still missing:

  • the implementation of the class that loads the device capabilities (called KeystoreUtil, currently returning all flags hardcoded to true) - we'll need @davidz25 help to do the implementation.
  • the BoucyCastle related implementation

@mitrejcevski mitrejcevski force-pushed the fix/improve-doc-creation-android-secure-area branch 2 times, most recently from 738afa4 to fa2205d Compare September 18, 2023 11:20
@davidz25
Copy link
Contributor

I checked out the branch and did a quick testdrive, some observations

  • When changing "mdoc ECDSA authentication" to "mdoc MAC authentication" (and not changing anything else), the credential is created but we crash at presentation time. The problem is that addDocumentToResponse() doesn't check if it should use sign() or keyAgreement() depending on the purpose of the chosen authentication key (it just always uses sign()). Should be simple to fix?
  • "User authentication on" sounds a bit off, I think "Require User Authentication" is better
  • We have "Hardware Backed" in details for each Authentication Key. Seems like a leftover, I think that should probably be "Secure Area" instead?
  • The auto-close connection problem mentioned above is still there (appholder goes to main screen after first consent dialog)

@mitrejcevski mitrejcevski force-pushed the fix/improve-doc-creation-android-secure-area branch from fa2205d to 2dfa1ce Compare September 20, 2023 13:41
@mitrejcevski mitrejcevski force-pushed the fix/improve-doc-creation-android-secure-area branch from 2dfa1ce to 82a1e50 Compare September 20, 2023 14:20
Copy link
Contributor

@davidz25 davidz25 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, let's merge this

@davidz25 davidz25 merged commit 4d8893d into openwallet-foundation-labs:master Sep 21, 2023
2 checks passed
@mitrejcevski mitrejcevski deleted the fix/improve-doc-creation-android-secure-area branch October 5, 2023 06:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

CredentialStore enhancements
2 participants