Package com.android.identity

Class HardwarePresentationSession

    • Method Detail

      • getEphemeralKeyPair

        @NonNull
public java.security.KeyPair getEphemeralKeyPair()
        Description copied from class: PresentationSession
        Gets the ephemeral key pair to use to establish a secure channel with the verifier.

        Applications should use this key-pair for the communications channel with the verifier using a protocol / cipher-suite appropriate for the application. One example of such a protocol is the one used for Mobile Driving Licenses, see ISO 18013-5.

        Specified by:
        getEphemeralKeyPair in class PresentationSession
        Returns:
        ephemeral key pair to use to establish a secure channel with a reader.

      • setSessionTranscript

        public void setSessionTranscript​(@NonNull
                                 byte[] sessionTranscript)
        Description copied from class: PresentationSession
        Set the session transcript.

        If called, this must be called before any calls to PresentationSession.getCredentialData(String, CredentialDataRequest).

        The X and Y coordinates of the public part of the key-pair returned by PresentationSession.getEphemeralKeyPair() must appear somewhere in the bytes of the passed in CBOR. Each of these coordinates must appear encoded with the most significant bits first and use the exact amount of bits indicated by the key size of the ephemeral keys. For example, if the ephemeral key is using the P-256 curve then the 32 bytes for the X coordinate encoded with the most significant bits first must appear somewhere and ditto for the 32 bytes for the Y coordinate.

        This method can only be called once per PresentationSession instance.

        Specified by:
        setSessionTranscript in class PresentationSession
        Parameters:
        sessionTranscript - the session transcript.

      • getCredentialData

        @Nullable
public CredentialDataResult getCredentialData​(@NonNull
                                              java.lang.String credentialName,
                                              @NonNull
                                              CredentialDataRequest request)
                                       throws NoAuthenticationKeyAvailableException,
                                              InvalidReaderSignatureException,
                                              InvalidRequestMessageException,
                                              EphemeralPublicKeyNotFoundException
        Description copied from class: PresentationSession
        Retrieves data from a named credential in the current presentation session.

        If an access control check fails for one of the requested entries or if the entry doesn't exist, the entry is simply not returned. The application can detect this by using the CredentialDataResult.Entries.getStatus(String, String) method on each of the requested entries.

        The application should not make any assumptions on whether user authentication is needed. Instead, the application should request the data elements values first and then examine the returned CredentialDataResult. If CredentialDataResult.Entries.STATUS_USER_AUTHENTICATION_FAILED is returned the application should call PresentationSession.getCryptoObject() and use the returned BiometricPrompt.CryptoObject with a BiometricPrompt. Upon successful authentication the application may call PresentationSession.getCredentialData(String, CredentialDataRequest) again.

        It is permissible to call this method multiple times using the same credential name. If this is done the same auth-key will be used.

        If the reader signature is set in the request parameter (via the CredentialDataRequest.Builder.setReaderSignature(byte[]) method) it must contain the bytes of a COSE_Sign1 structure as defined in RFC 8152. For the payload nil shall be used and the detached payload is the ReaderAuthenticationBytes CBOR described below. 

             ReaderAuthentication = [
       "ReaderAuthentication",
       SessionTranscript,
       ItemsRequestBytes
     ]

     ItemsRequestBytes = #6.24(bstr .cbor ItemsRequest)

     ReaderAuthenticationBytes = #6.24(bstr .cbor ReaderAuthentication)

        where ItemsRequestBytes are the bytes of the request message set in the request parameter (via the CredentialDataRequest.Builder.setRequestMessage(byte[]) method).

        The public key corresponding to the key used to make the signature, can be found in the x5chain unprotected header element of the COSE_Sign1 structure (as as described in draft-ietf-cose-x509-08). There will be at least one certificate in said element and there may be more (and if so, each certificate must be signed by its successor).

        Data elements protected by reader authentication are returned if, and only if, requestMessage is signed by the top-most certificate in the reader's certificate chain, and the data element is configured with an AccessControlProfile configured with an X.509 certificate for a key which appear in the certificate chain.

        Note that the request message CBOR is used only for enforcing reader authentication, it's not used for determining which entries this API will return. The application is expected to have parsed the request message and filtered it according to user preference and/or consent.

        Specified by:
        getCredentialData in class PresentationSession
        Parameters:
        credentialName - the name of the credential to retrieve.
        request - the data to retrieve from the credential
        Returns:
        If the credential wasn't found, returns null. Otherwise a CredentialDataResult object containing entry data organized by namespace and a cryptographically authenticated representation of the same data, bound to the current session.
        Throws:
        NoAuthenticationKeyAvailableException - if authentication keys were never provisioned for the credential or if they are expired or exhausted their use-count.
        InvalidReaderSignatureException - if the reader signature is invalid, or it doesn't contain a certificate chain, or if the signature failed to validate.
        InvalidRequestMessageException - if the requestMessage is malformed.
        EphemeralPublicKeyNotFoundException - if the ephemeral public key was not found in the session transcript.

      • getCryptoObject

        @Nullable
public androidx.biometric.BiometricPrompt.CryptoObject getCryptoObject()
        Description copied from class: PresentationSession
        Gets a BiometricPrompt.CryptoObject which can be used with this PresentationSession.

        If IdentityCredential is hardware-backed, the returned BiometricPrompt.CryptoObject is associated android.security.identity.PresentationSession object from the Android Framework. If it's not hardware-backed it's not defined which kind of object it's associated with. Because of this, this method is the preferred way to obtain a BiometricPrompt.CryptoObject rather than to construct it manually.

        If no biometrics are enrolled on the device or if the device doesn't support biometrics the value null may be returned. This just means the application won't have a BiometricPrompt.CryptoObject to pass to BiometricPrompt and will have to pass null instead.

        Specified by:
        getCryptoObject in class PresentationSession
        Returns:
        A BiometricPrompt.CryptoObject which can be used with BiometricPrompt.