def certify_auth_keys_send_certs(self, handler, data):
if self.state != CertifyAuthKeysSession.STATE_CERTIFY_AUTH_KEYS_CHALLENGE_RESPONSE_CALLED:
raise SessionError("called from invalid state (%d)" % (self.state))
self.state = CertifyAuthKeysSession.STATE_CERTIFY_AUTH_KEYS_SEND_CERTS_CALLED
# TODO: take from server so it's shared with tests
issuer_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
issuer_cert = util.generate_x509_cert_issuer_auth(issuer_key)
auth_key_certs = data["authKeyCerts"]
static_auth_datas = []
pop_sha256 = hashlib.sha256(
self.configured_document.proof_of_provisioning).digest()
for cert in auth_key_certs:
if not util.auth_key_cert_validate(cert, self.credential_key,
pop_sha256):
raise SessionError("Auth key cert not valid")
auth_key = util.cert_chain_get_public_key(cert)
static_auth_data = util.generate_static_auth_data_for_auth_key(
self.document.doc_type, cbor.loads(self.document.name_spaces),
self.credential_key, auth_key, issuer_key, issuer_cert)
static_auth_datas.append(static_auth_data)
handler.write(
cbor.dumps({
"messageType":
"com.android.identity_credential.CertifyAuthKeysResponse",
"eSessionId": self.session_id,
"staticAuthDatas": static_auth_datas,
}))
def delete_credential(self, handler, data):
if self.state != DeleteCredentialSession.STATE_NONE:
raise SessionError("called from invalid state (%d)" % (self.state))
self.state = DeleteCredentialSession.STATE_DELETE_CREDENTIAL_CALLED
cose_credential_key = data["credentialKey"]
if not cose_credential_key:
raise SessionError("No credentialKey")
credential_key = util.from_cose_key(cose_credential_key)
if not credential_key:
raise SessionError("Error decoding COSE_Key for CredentialKey")
self.configured_document = self.server.database.lookup_configured_document_by_credential_key(
credential_key)
self.credential_key = util.cert_chain_get_public_key(
self.configured_document.credential_key_x509_cert_chain)
self.issued_document = self.server.database.lookup_issued_document_by_issued_document_id(
self.configured_document.issued_document_id)
self.document = self.server.database.lookup_document_by_document_id(
self.issued_document.document_id)
self.prove_ownership_challenge = b"FixedChallengeDelete"
handler.write(
cbor.dumps({
"messageType":
"com.android.identity_credential.DeleteCredentialProveOwnership",
"eSessionId": self.session_id,
"challenge": self.prove_ownership_challenge,
}))
def test_credential_key_cert(self):
credential_key_private = ec.generate_private_key(
ec.SECP256R1(), default_backend())
credential_key_public = credential_key_private.public_key()
cert_chain = util.generate_x509_cert_for_credential_key(
credential_key_private)
# Can't just compare the objects, we have to get the raw numbers/bytes
# and compare them
extracted_public_key = util.cert_chain_get_public_key(cert_chain)
credential_key_public_bytes = credential_key_public.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.SubjectPublicKeyInfo)
extracted_public_key_bytes = extracted_public_key.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.SubjectPublicKeyInfo)
self.assertEqual(credential_key_public_bytes,
extracted_public_key_bytes)
def set_certificate_chain(self, handler, data):
if self.state != ProvisioningSession.STATE_START_PROVISIONING_CALLED:
raise SessionError("called from invalid state (%d)" % (self.state))
self.state = ProvisioningSession.STATE_SET_CERTIFICATE_CHAIN_CALLED
cert_chain = data["credentialKeyCertificateChain"]
if not cert_chain:
raise SessionError("No certificate chain")
if not util.credential_key_cert_chain_validate(cert_chain,
self.challenge):
raise SessionError("Certificate chain did not validate")
self.credential_key_x509_cert_chain = cert_chain
self.credential_key = util.cert_chain_get_public_key(cert_chain)
access_control_profiles = cbor.loads(
self.document.access_control_profiles)
name_spaces = cbor.loads(self.document.name_spaces)
handler.write(
cbor.dumps({
"messageType":
"com.android.identity_credential.DataToProvisionMessage",
"eSessionId": self.session_id,
"accessControlProfiles": access_control_profiles,
"nameSpaces": name_spaces,
}))
def add_configured_documents_entry(self,
issued_document_id,
credential_key_x509_cert_chain,
proof_of_provisioning,
last_updated_timestamp,
data_timestamp):
public_key = util.cert_chain_get_public_key(credential_key_x509_cert_chain)
encoded_cose_credential_key = cbor.dumps(util.to_cose_key(public_key))
c = self.db.cursor()
c.execute("""
INSERT INTO configured_documents (configured_document_id,
issued_document_id,
credential_key_x509_cert_chain,
encoded_cose_credential_key,
proof_of_provisioning,
last_updated_timestamp,
data_timestamp)
VALUES (NULL, ?, ?, ?, ?, ?, ?)
""", (issued_document_id,
credential_key_x509_cert_chain,
encoded_cose_credential_key,
proof_of_provisioning,
last_updated_timestamp,
data_timestamp))