This structure - along with the session transcript - may be cryptographically * authenticated to prove to the reader that the data is from a trusted credential and * {@link #getDeviceMac()} can be used to get a MAC. * *
The CBOR structure which is cryptographically authenticated is the * {@code DeviceAuthenticationBytes} structure according to the following * CDDL schema: * *
* DeviceAuthentication = [
* "DeviceAuthentication",
* SessionTranscript,
* DocType,
* DeviceNameSpacesBytes
* ]
*
* DocType = tstr
* SessionTranscript = any
* DeviceNameSpacesBytes = #6.24(bstr .cbor DeviceNameSpaces)
* DeviceAuthenticationBytes = #6.24(bstr .cbor DeviceAuthentication)
*
*
* where * *
* DeviceNameSpaces = {
* * NameSpace => DeviceSignedItems
* }
*
* DeviceSignedItems = {
* + DataItemName => DataItemValue
* }
*
* NameSpace = tstr
* DataItemName = tstr
* DataItemValue = any
*
*
* The returned data is the binary encoding of the {@code DeviceNameSpaces} structure * as defined above. * * @return The bytes of the {@code DeviceNameSpaces} CBOR structure. */ public abstract @NonNull byte[] getDeviceNameSpaces(); /** * Returns a message authentication code over the {@code DeviceAuthenticationBytes} CBOR * specified in {@link #getDeviceNameSpaces()}, to prove to the reader that the data * is from a trusted credential. * *
The MAC proves to the reader that the data is from a trusted credential. This code is * produced by using the key agreement and key derivation function from the ciphersuite * with the authentication private key and the reader ephemeral public key to compute a * shared message authentication code (MAC) key, then using the MAC function from the * ciphersuite to compute a MAC of the authenticated data. See section 9.2.3.5 of * ISO/IEC 18013-5 for details of this operation. * *
If the session transcript or reader ephemeral key wasn't set on the {@link * PresentationSession} used to obtain this data no message authencation code will be produced * and this method will return {@code null}. * * @return A COSE_Mac0 structure with the message authentication code as described above * or {@code null} if the conditions specified above are not met. */ public abstract @Nullable byte[] getDeviceMac(); /** * Returns a signature over the {@code DeviceAuthenticationBytes} CBOR * specified in {@link #getDeviceNameSpaces()}, to prove to the reader that the data * is from a trusted credential. * *
The signature is made using the authentication private key. See section 9.1.3.4 of * ISO/IEC 18013-5:2021 for details of this operation. * *
If the session transcript or reader ephemeral key wasn't set on the {@link * PresentationSession} used to obtain this data no signature will be produced and this method * will return {@code null}. * *
This is only implemented in feature version 202301 or later. If not implemented, the call
* fails with {@link UnsupportedOperationException}. See
* {@link android.content.pm.PackageManager#FEATURE_IDENTITY_CREDENTIAL_HARDWARE} for known
* feature versions.
*
* @return A COSE_Sign1 structure as described above or {@code null} if the conditions
* specified above are not met.
*/
public @Nullable byte[] getDeviceSignature() {
throw new UnsupportedOperationException();
}
/**
* Returns the static authentication data associated with the dynamic authentication
* key used to MAC the data returned by {@link #getDeviceNameSpaces()}.
*
* @return The static authentication data associated with dynamic authentication key used to
* MAC the data.
*/
public abstract @NonNull byte[] getStaticAuthenticationData();
/**
* Gets the device-signed entries that was returned.
*
* @return an object to examine the entries returned.
*/
public abstract @NonNull Entries getDeviceSignedEntries();
/**
* Gets the issuer-signed entries that was returned.
*
* @return an object to examine the entries returned.
*/
public abstract @NonNull Entries getIssuerSignedEntries();
/**
* A class for representing data elements returned.
*/
public interface Entries {
/** Value was successfully retrieved. */
int STATUS_OK = 0;
/** The entry does not exist. */
int STATUS_NO_SUCH_ENTRY = 1;
/** The entry was not requested. */
int STATUS_NOT_REQUESTED = 2;
/** The entry wasn't in the request message. */
int STATUS_NOT_IN_REQUEST_MESSAGE = 3;
/** The entry was not retrieved because user authentication failed. */
int STATUS_USER_AUTHENTICATION_FAILED = 4;
/** The entry was not retrieved because reader authentication failed. */
int STATUS_READER_AUTHENTICATION_FAILED = 5;
/**
* The entry was not retrieved because it was configured without any access
* control profile.
*/
int STATUS_NO_ACCESS_CONTROL_PROFILES = 6;
/**
* Gets the names of namespaces with retrieved entries.
*
* @return collection of name of namespaces containing retrieved entries. May be empty if no
* data was retrieved.
*/
@NonNull Collection This includes the name of entries that wasn't successfully retrieved.
*
* @param namespaceName the namespace name to get entries for.
* @return A collection of names for the given namespace or the empty collection if no
* entries was returned for the given name space.
*/
@NonNull Collection This only return entries for which {@link #getStatus(String, String)} will return
* {@link #STATUS_OK}.
*
* @param namespaceName the namespace name to get entries for.
* @return The entries in the given namespace that were successfully rerieved or the
* empty collection if no entries was returned for the given name space.
*/
@NonNull Collection This returns {@link #STATUS_OK} if the value was retrieved, {@link
* #STATUS_NO_SUCH_ENTRY} if the given entry wasn't retrieved, {@link
* #STATUS_NOT_REQUESTED} if it wasn't requested, {@link #STATUS_NOT_IN_REQUEST_MESSAGE} if
* the request message was set but the entry wasn't present in the request message, {@link
* #STATUS_USER_AUTHENTICATION_FAILED} if the value wasn't retrieved because the necessary
* user authentication wasn't performed, {@link #STATUS_READER_AUTHENTICATION_FAILED} if
* the supplied reader certificate chain didn't match the set of certificates the entry was
* provisioned with, or {@link #STATUS_NO_ACCESS_CONTROL_PROFILES} if the entry was
* configured without any access control profiles.
*
* @param namespaceName the namespace name of the entry.
* @param name the name of the entry to get the value for.
* @return the status indicating whether the value was retrieved and if not, why.
*/
@Status int getStatus(@NonNull String namespaceName, @NonNull String name);
/**
* Gets the raw CBOR data for the value of an entry.
*
* This should only be called on an entry for which the {@link #getStatus(String,
* String)} method returns {@link #STATUS_OK}.
*
* @param namespaceName the namespace name of the entry.
* @param name the name of the entry to get the value for.
* @return the raw CBOR data or {@code null} if no entry with the given name exists.
*/
@Nullable byte[] getEntry(@NonNull String namespaceName, @NonNull String name);
/**
* The type of the entry status.
* @hide
*/
@Retention(SOURCE)
@IntDef({STATUS_OK, STATUS_NO_SUCH_ENTRY, STATUS_NOT_REQUESTED,
STATUS_NOT_IN_REQUEST_MESSAGE, STATUS_USER_AUTHENTICATION_FAILED,
STATUS_READER_AUTHENTICATION_FAILED, STATUS_NO_ACCESS_CONTROL_PROFILES})
@interface Status {}
}
}