frameworks_base/identity/java/android/security/identity/AccessControlProfile.java
David Zeuthen 045b6de975 Add Framework APIs for Identity Credential.
The Identity Credential APIs provide an interface to a secure store
for user identity documents.  These APIs are deliberately fairly
general and abstract.  To the extent possible, specification of the
message formats and semantics of communication with credential
verification devices and Issuing Authorities (IAs) is out of scope for
these APIs.

The Identity Credential APIs rely on user authentication to protect
data elements in credentials which is implemented through
auth-tokens. This CL contains changes to CryptoObject to allow this.

Bug: 111446262
Test: CtsIdentityTestCases
Change-Id: I48f21a561b762d86c9ca8d229962782572412f47
2020-01-20 15:56:57 -05:00


/*
* Copyright 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.security.identity;
import android.annotation.NonNull;
import java.security.cert.X509Certificate;
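/**
 * A class used to specify access controls.
 *
 * <p>A profile carries four pieces of policy: its identifier, an optional reader certificate,
 * whether user authentication is required, and the user authentication timeout. Instances are
 * created through {@link Builder}; the accessors are package-private.</p>
 */
public class AccessControlProfile {
    // Defaults are the restrictive choice: authentication required, with a zero timeout.
    private AccessControlProfileId mAccessControlProfileId = new AccessControlProfileId(0);
    private X509Certificate mReaderCertificate = null;
    private boolean mUserAuthenticationRequired = true;
    private long mUserAuthenticationTimeout = 0;

    // Instances are only created by Builder.
    private AccessControlProfile() {
    }

    /** Returns the identifier this profile was built with. */
    AccessControlProfileId getAccessControlProfileId() {
        return mAccessControlProfileId;
    }

    /** Returns the user authentication timeout, in milliseconds, as passed to the builder. */
    long getUserAuthenticationTimeout() {
        return mUserAuthenticationTimeout;
    }

    /** Returns whether user authentication is required; {@code true} unless the builder changed it. */
    boolean isUserAuthenticationRequired() {
        return mUserAuthenticationRequired;
    }

    /** Returns the reader certificate, or {@code null} if none was set on the builder. */
    X509Certificate getReaderCertificate() {
        return mReaderCertificate;
    }

    /**
     * A builder for {@link AccessControlProfile}.
     *
     * <p>Each call to {@link #build()} returns an independent profile, so reusing or further
     * configuring the builder does not change the policy of profiles built earlier.</p>
     */
    public static final class Builder {
        // Working copy holding the values collected so far; never handed out directly.
        private final AccessControlProfile mProfile;

        /**
         * Each access control profile has a numeric identifier that must be unique within the
         * context of a Credential and may be used to reference the profile.
         *
         * <p>By default, the resulting {@link AccessControlProfile} will require user
         * authentication with a timeout of zero, thus requiring the holder to authenticate for
         * every presentation where data elements using this access control profile are used.</p>
         *
         * @param accessControlProfileId the access control profile identifier.
         */
        public Builder(@NonNull AccessControlProfileId accessControlProfileId) {
            mProfile = new AccessControlProfile();
            mProfile.mAccessControlProfileId = accessControlProfileId;
        }

        /**
         * Set whether user authentication is required.
         *
         * <p>This should be used sparingly since disabling user authentication on just a single
         * data element can easily create a
         * <a href="https://en.wikipedia.org/wiki/Relay_attack">Relay Attack</a> if the device
         * on which the credential is stored is compromised.</p>
         *
         * @param userAuthenticationRequired Set to true if user authentication is required,
         *                                   false otherwise.
         * @return The builder.
         */
        public @NonNull Builder setUserAuthenticationRequired(boolean userAuthenticationRequired) {
            mProfile.mUserAuthenticationRequired = userAuthenticationRequired;
            return this;
        }

        /**
         * Sets the authentication timeout to use.
         *
         * <p>The authentication timeout specifies the amount of time, in milliseconds, for which a
         * user authentication is valid, if user authentication is required (see
         * {@link #setUserAuthenticationRequired(boolean)}).</p>
         *
         * <p>If the timeout is zero, then authentication is always required for each reader
         * session. A longer timeout lengthens the period during which an earlier authentication
         * is still accepted, so prefer the shortest value the use case allows.</p>
         *
         * @param userAuthenticationTimeoutMillis the authentication timeout, in milliseconds.
         * @return The builder.
         */
        public @NonNull Builder setUserAuthenticationTimeout(long userAuthenticationTimeoutMillis) {
            // NOTE(review): negative values are stored as-is; confirm how consumers of
            // getUserAuthenticationTimeout() treat them, or reject them here.
            mProfile.mUserAuthenticationTimeout = userAuthenticationTimeoutMillis;
            return this;
        }

        /**
         * Sets the reader certificate to use when checking access control.
         *
         * <p>If set, this is checked against the certificate chain presented by the
         * reader. The access check is fulfilled only if one of the certificates
         * in the chain matches the certificate set by this method.</p>
         *
         * <p>The certificate is stored as given; this method does not inspect or validate
         * it.</p>
         *
         * @param readerCertificate the certificate to use for the access control check.
         * @return The builder.
         */
        public @NonNull Builder setReaderCertificate(@NonNull X509Certificate readerCertificate) {
            mProfile.mReaderCertificate = readerCertificate;
            return this;
        }

        /**
         * Creates a new {@link AccessControlProfile} from the data supplied to the builder.
         *
         * <p>The returned object is a snapshot of the builder's current values. Calling setters
         * on this builder afterwards does not affect it.</p>
         *
         * @return The created {@link AccessControlProfile} object.
         */
        public @NonNull AccessControlProfile build() {
            // Copy rather than return mProfile: handing out the working instance would let a
            // later setter call (for example disabling user authentication) silently change
            // the policy of a profile that has already been built.
            AccessControlProfile snapshot = new AccessControlProfile();
            snapshot.mAccessControlProfileId = mProfile.mAccessControlProfileId;
            snapshot.mReaderCertificate = mProfile.mReaderCertificate;
            snapshot.mUserAuthenticationRequired = mProfile.mUserAuthenticationRequired;
            snapshot.mUserAuthenticationTimeout = mProfile.mUserAuthenticationTimeout;
            return snapshot;
        }
    }
}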