/*
* Copyright 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.hardware.identity;
import android.hardware.identity.Certificate;
/**
* SecureAccessControlProfile describes one access control profile of a Credential together
* with a mac that authenticates the profile's contents.
*
* The fields other than mac are the inputs to the authenticated CBOR map described on mac.
*
* NOTE(review): a receiver presumably has to verify mac before acting on any other field of
* this parcelable - confirm against the IIdentityCredential documentation.
*/
@VintfStability
parcelable SecureAccessControlProfile {
/**
* id is a numeric identifier that must be unique within the context of a Credential and may be
* used to reference the profile.
*/
int id;
/**
* readerCertificate, if non-empty, specifies a single X.509 certificate (not a chain
* of certificates) that must be used to authenticate requests. For details about how
* this is done, see the readerSignature parameter of IIdentityCredential.startRetrieval.
*/
Certificate readerCertificate;
/**
* If true, the user is required to authenticate to allow requests. The required
* authentication freshness is specified by timeoutMillis below.
*/
boolean userAuthenticationRequired;
/**
* timeoutMillis specifies the amount of time, in milliseconds, for which a user authentication
* (see above) is valid, if userAuthenticationRequired is set to true. If
* userAuthenticationRequired is true and timeoutMillis is zero then authentication is required
* for each reader session.
*
* If userAuthenticationRequired is false, timeoutMillis must be zero.
*/
long timeoutMillis;
/**
* secureUserId must be non-zero if userAuthenticationRequired is true.
* It is not related to any Android user ID or UID, but is created in the
* Gatekeeper application in the secure environment.
*/
long secureUserId;
/**
* The mac is used to authenticate the access control profile. It contains:
*
* AES-GCM-ENC(storageKey, R, {}, AccessControlProfile)
*
* where AccessControlProfile is the CBOR map:
*
* AccessControlProfile = {
* "id": uint,
* ? "readerCertificate" : bstr,
* ? (
* "userAuthenticationRequired" : bool,
* "timeoutMillis" : uint,
* "secureUserId" : uint
* )
* }
*
* Entries marked "?" are optional: "readerCertificate" may be absent, and the three
* user-authentication entries form one group that is present or absent as a whole.
*
* NOTE(review): AES-GCM-ENC, storageKey and R are not defined in this file. The arguments
* look like (key, nonce, empty plaintext, additional authenticated data), which would make
* this an authentication-only use of AES-GCM over the CBOR map - confirm against the
* interface documentation.
*
* NOTE(review): the map encodes id, timeoutMillis and secureUserId as uint while the fields
* above are signed (int / long); how negative values are handled is not stated here - confirm.
*/
byte[] mac;
}