openwallet-foundation-labs
diff --git a/‎appholder/src/main/java/com/android/identity/wallet/GetCredentialActivity.kt
+6-8 b/‎appholder/src/main/java/com/android/identity/wallet/GetCredentialActivity.kt
+6-8
diff --git a/‎appholder/src/main/java/com/android/identity/wallet/support/AndroidKeystoreSecureAreaSupport.kt
+2-2 b/‎appholder/src/main/java/com/android/identity/wallet/support/AndroidKeystoreSecureAreaSupport.kt
+2-2
diff --git a/‎appholder/src/main/java/com/android/identity/wallet/support/SecureAreaSupport.kt
+2-2 b/‎appholder/src/main/java/com/android/identity/wallet/support/SecureAreaSupport.kt
+2-2
diff --git a/‎appholder/src/main/java/com/android/identity/wallet/support/SecureAreaSupportNull.kt
+2-2 b/‎appholder/src/main/java/com/android/identity/wallet/support/SecureAreaSupportNull.kt
+2-2
diff --git a/‎appholder/src/main/java/com/android/identity/wallet/support/SoftwareKeystoreSecureAreaSupport.kt
+2-2 b/‎appholder/src/main/java/com/android/identity/wallet/support/SoftwareKeystoreSecureAreaSupport.kt
+2-2
diff --git a/‎appholder/src/main/java/com/android/identity/wallet/transfer/AddDocumentToResponseResult.kt
+2-2 b/‎appholder/src/main/java/com/android/identity/wallet/transfer/AddDocumentToResponseResult.kt
+2-2
diff --git a/‎appholder/src/main/java/com/android/identity/wallet/transfer/TransferManager.kt
+8-4 b/‎appholder/src/main/java/com/android/identity/wallet/transfer/TransferManager.kt
+8-4
diff --git a/‎appholder/src/main/java/com/android/identity/wallet/util/ProvisioningUtil.kt
+5-2 b/‎appholder/src/main/java/com/android/identity/wallet/util/ProvisioningUtil.kt
+5-2
diff --git a/‎appholder/src/main/java/com/android/identity/wallet/viewmodel/TransferDocumentViewModel.kt
+2-2 b/‎appholder/src/main/java/com/android/identity/wallet/viewmodel/TransferDocumentViewModel.kt
+2-2
diff --git a/‎identity-android/src/androidTest/java/com/android/identity/android/document/AndroidKeystoreSecureAreaDocumentStoreTest.kt
+3-1 b/‎identity-android/src/androidTest/java/com/android/identity/android/document/AndroidKeystoreSecureAreaDocumentStoreTest.kt
+3-1
diff --git a/‎identity-android/src/androidTest/java/com/android/identity/android/mdoc/deviceretrieval/DeviceRetrievalHelperTest.kt
+11-9 b/‎identity-android/src/androidTest/java/com/android/identity/android/mdoc/deviceretrieval/DeviceRetrievalHelperTest.kt
+11-9
diff --git a/‎identity-mdoc/src/test/java/com/android/identity/mdoc/response/DeviceResponseGeneratorTest.kt
+6-3 b/‎identity-mdoc/src/test/java/com/android/identity/mdoc/response/DeviceResponseGeneratorTest.kt
+6-3
@@ -10,7 +10,7 @@ import androidx.biometric.BiometricPrompt
 import androidx.fragment.app.FragmentActivity
 import com.android.identity.android.mdoc.util.CredmanUtil
 import com.android.identity.android.securearea.AndroidKeystoreKeyUnlockData
-import com.android.identity.document.Credential
+import com.android.identity.credential.MdocCredential
 import com.android.identity.document.DocumentRequest
 import com.android.identity.document.NameSpacedData
 import com.android.identity.crypto.Algorithm
@@ -36,7 +36,7 @@ import java.security.PublicKey
 class GetCredentialActivity : FragmentActivity() {
 
     fun addDeviceNamespaces(documentGenerator : DocumentGenerator,
-                            authKey : Credential,
+                            authKey : MdocCredential,
                             unlockData: KeyUnlockData?) {
         documentGenerator.setDeviceNamespacesSignature(
             NameSpacedData.Builder().build(),
@@ -46,7 +46,7 @@ class GetCredentialActivity : FragmentActivity() {
             Algorithm.ES256)
     }
 
-    fun doBiometricAuth(authKey : Credential,
+    fun doBiometricAuth(authKey : MdocCredential,
                         forceLskf : Boolean,
                         onBiometricAuthCompleted: (unlockData: KeyUnlockData?) -> Unit) {
         var title = "To share your credential we need to check that it's you."
@@ -164,11 +164,9 @@ class GetCredentialActivity : FragmentActivity() {
 
         val credential = document.findCredential(
             ProvisioningUtil.CREDENTIAL_DOMAIN,
+            MdocCredential.CREDENTIAL_TYPE,
             Timestamp.now()
-        )
-        if (credential == null) {
-            throw IllegalStateException("No credential")
-        }
+        ) as MdocCredential? ?: throw IllegalStateException("No credential")
         val staticAuthData = StaticAuthDataParser(credential.issuerProvidedData).parse()
         val mergedIssuerNamespaces = MdocUtil.mergeIssuerNamesSpaces(
             documentRequest, nameSpacedData, staticAuthData
@@ -197,7 +195,7 @@ class GetCredentialActivity : FragmentActivity() {
         }
     }
 
-    fun completeResponse(authKey: Credential,
+    fun completeResponse(authKey: MdocCredential,
                          deviceResponseGenerator: DeviceResponseGenerator,
                          documentGenerator: DocumentGenerator,
                          requesterIdentity: PublicKey,
 
@@ -21,7 +21,7 @@ import com.android.identity.android.securearea.UserAuthenticationType
 import com.android.identity.android.securearea.userAuthenticationTypeSet
 import com.android.identity.cbor.Cbor
 import com.android.identity.cbor.CborMap
-import com.android.identity.document.Credential
+import com.android.identity.credential.MdocCredential
 import com.android.identity.crypto.Algorithm
 import com.android.identity.securearea.CreateKeySettings
 import com.android.identity.crypto.EcCurve
@@ -51,7 +51,7 @@ class AndroidKeystoreSecureAreaSupport(
     )
 
     override fun Fragment.unlockKey(
-        authKey: Credential,
+        authKey: MdocCredential,
         onKeyUnlocked: (unlockData: KeyUnlockData?) -> Unit,
         onUnlockFailure: (wasCancelled: Boolean) -> Unit
     ) {
 
@@ -4,7 +4,7 @@ import android.content.Context
 import androidx.compose.runtime.Composable
 import androidx.fragment.app.Fragment
 import com.android.identity.android.securearea.AndroidKeystoreSecureArea
-import com.android.identity.document.Credential
+import com.android.identity.credential.MdocCredential
 import com.android.identity.document.Document
 import com.android.identity.securearea.CreateKeySettings
 import com.android.identity.securearea.KeyUnlockData
@@ -35,7 +35,7 @@ interface SecureAreaSupport {
      * there is a provided way to navigate using the [findNavController] function.
      */
     fun Fragment.unlockKey(
-        authKey: Credential,
+        authKey: MdocCredential,
         onKeyUnlocked: (unlockData: KeyUnlockData?) -> Unit,
         onUnlockFailure: (wasCancelled: Boolean) -> Unit
     )
 
@@ -11,7 +11,7 @@ import androidx.compose.runtime.remember
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.unit.dp
 import androidx.fragment.app.Fragment
-import com.android.identity.document.Credential
+import com.android.identity.credential.MdocCredential
 import com.android.identity.securearea.CreateKeySettings
 import com.android.identity.securearea.KeyUnlockData
 import com.android.identity.util.Timestamp
@@ -40,7 +40,7 @@ class SecureAreaSupportNull : SecureAreaSupport {
     }
 
     override fun Fragment.unlockKey(
-        authKey: Credential,
+        authKey: MdocCredential,
         onKeyUnlocked: (unlockData: KeyUnlockData?) -> Unit,
         onUnlockFailure: (wasCancelled: Boolean) -> Unit
     ) {
 
@@ -20,7 +20,7 @@ import androidx.lifecycle.repeatOnLifecycle
 import androidx.navigation.fragment.findNavController
 import co.nstant.`in`.cbor.CborBuilder
 import com.android.identity.cbor.Cbor
-import com.android.identity.document.Credential
+import com.android.identity.credential.MdocCredential
 import com.android.identity.crypto.Algorithm
 import com.android.identity.crypto.CertificateChain
 import com.android.identity.crypto.Crypto
@@ -56,7 +56,7 @@ class SoftwareKeystoreSecureAreaSupport : SecureAreaSupport {
     private val screenState = SoftwareKeystoreSecureAreaSupportState()
 
     override fun Fragment.unlockKey(
-        authKey: Credential,
+        authKey: MdocCredential,
         onKeyUnlocked: (unlockData: KeyUnlockData?) -> Unit,
         onUnlockFailure: (wasCancelled: Boolean) -> Unit
     ) {
 
@@ -1,6 +1,6 @@
 package com.android.identity.wallet.transfer
 
-import com.android.identity.document.Credential
+import com.android.identity.credential.MdocCredential
 
 sealed class AddDocumentToResponseResult {
 
@@ -9,6 +9,6 @@ sealed class AddDocumentToResponseResult {
     ) : AddDocumentToResponseResult()
 
     data class DocumentLocked(
-        val authKey: Credential
+        val authKey: MdocCredential
     ) : AddDocumentToResponseResult()
 }
@@ -9,7 +9,7 @@ import android.view.View
 import android.widget.ImageView
 import androidx.lifecycle.LiveData
 import androidx.lifecycle.MutableLiveData
-import com.android.identity.document.Credential
+import com.android.identity.credential.MdocCredential
 import com.android.identity.document.DocumentRequest
 import com.android.identity.document.NameSpacedData
 import com.android.identity.mdoc.mso.StaticAuthDataParser
@@ -163,7 +163,7 @@ class TransferManager private constructor(private val context: Context) {
         docType: String,
         issuerSignedEntriesToRequest: MutableMap<String, Collection<String>>,
         deviceResponseGenerator: DeviceResponseGenerator,
-        authKey: Credential?,
+        authKey: MdocCredential?,
         authKeyUnlockData: KeyUnlockData?,
     ) = suspendCancellableCoroutine { continuation ->
         var result: AddDocumentToResponseResult
@@ -181,11 +181,15 @@ class TransferManager private constructor(private val context: Context) {
 
         val request = DocumentRequest(dataElements)
 
-        val credentialToUse: Credential
+        val credentialToUse: MdocCredential
         if (authKey != null) {
             credentialToUse = authKey
         } else {
-            credentialToUse = document.findCredential(ProvisioningUtil.CREDENTIAL_DOMAIN, Timestamp.now())
+            credentialToUse = document.findCredential(
+                ProvisioningUtil.CREDENTIAL_DOMAIN,
+                MdocCredential.CREDENTIAL_TYPE,
+                Timestamp.now()
+            ) as MdocCredential?
                 ?: throw IllegalStateException("No credential available")
         }
 
 
@@ -14,6 +14,7 @@ import com.android.identity.cbor.Tagged
 import com.android.identity.cbor.toDataItem
 import com.android.identity.cose.Cose
 import com.android.identity.cose.CoseNumberLabel
+import com.android.identity.credential.MdocCredential
 import com.android.identity.document.Document
 import com.android.identity.document.DocumentUtil
 import com.android.identity.document.NameSpacedData
@@ -117,7 +118,8 @@ class ProvisioningUtil private constructor(
             validUntil
         )
 
-        val pendingCredsCount = DocumentUtil.managedCredentialHelper(
+        val pendingCredsCount = DocumentUtil.managedSecureAreaBoundCredentialHelper(
+            MdocCredential.CREDENTIAL_TYPE,
             document,
             secureArea,
             settings,
@@ -132,7 +134,8 @@ class ProvisioningUtil private constructor(
             return
         }
 
-        for (pendingCred in document.pendingCredentials) {
+        for (pendingCred in document.pendingCredentials.filter { it.credentialType == MdocCredential.CREDENTIAL_TYPE }) {
+            pendingCred as MdocCredential
             val msoGenerator = MobileSecurityObjectGenerator(
                 "SHA-256",
                 docType,
 
@@ -8,7 +8,7 @@ import androidx.lifecycle.AndroidViewModel
 import androidx.lifecycle.LiveData
 import androidx.lifecycle.MutableLiveData
 import androidx.lifecycle.viewModelScope
-import com.android.identity.document.Credential
+import com.android.identity.credential.MdocCredential
 import com.android.identity.mdoc.request.DeviceRequestParser
 import com.android.identity.mdoc.response.DeviceResponseGenerator
 import com.android.identity.securearea.KeyUnlockData
@@ -102,7 +102,7 @@ class TransferDocumentViewModel(val app: Application) : AndroidViewModel(app) {
 
     fun sendResponseForSelection(
         onResultReady: (result: AddDocumentToResponseResult) -> Unit,
-        authKey: Credential? = null,
+        authKey: MdocCredential? = null,
         authKeyUnlockData: KeyUnlockData? = null
     ) {
         val elementsToSend = signedElements.collect()
 
@@ -21,6 +21,7 @@ import com.android.identity.android.securearea.AndroidKeystoreCreateKeySettings
 import com.android.identity.android.securearea.AndroidKeystoreSecureArea
 import com.android.identity.android.securearea.UserAuthenticationType
 import com.android.identity.android.storage.AndroidStorageEngine
+import com.android.identity.credential.MdocCredential
 import com.android.identity.document.Document
 import com.android.identity.document.DocumentStore
 import com.android.identity.crypto.javaX509Certificate
@@ -65,7 +66,8 @@ class AndroidKeystoreSecureAreaDocumentStoreTest {
 
         // Create pending credential and check its attestation
         val authKeyChallenge = byteArrayOf(20, 21, 22)
-        val pendingCredential = document.createCredential(
+        val pendingCredential = document.createSecureAreaBoundCredential(
+            MdocCredential.CREDENTIAL_TYPE,
             CREDENTIAL_DOMAIN,
             secureArea,
             AndroidKeystoreCreateKeySettings.Builder(authKeyChallenge)
 
@@ -32,7 +32,8 @@ import com.android.identity.cose.Cose
 import com.android.identity.cose.Cose.coseSign1Sign
 import com.android.identity.cose.CoseLabel
 import com.android.identity.cose.CoseNumberLabel
-import com.android.identity.document.Credential
+import com.android.identity.credential.MdocCredential
+import com.android.identity.credential.SecureAreaBoundCredential
 import com.android.identity.document.Document
 import com.android.identity.document.DocumentStore
 import com.android.identity.document.NameSpacedData
@@ -96,7 +97,7 @@ class DeviceRetrievalHelperTest {
     private lateinit var mSecureArea: SecureArea
     private lateinit var mSecureAreaRepository: SecureAreaRepository
     private lateinit var mDocument: Document
-    private lateinit var mCredential: Credential
+    private lateinit var mMdocCredential: SecureAreaBoundCredential
     private lateinit var mTimeSigned: Timestamp
     private lateinit var mTimeValidityBegin: Timestamp
     private lateinit var mTimeValidityEnd: Timestamp
@@ -135,21 +136,22 @@ class DeviceRetrievalHelperTest {
         mTimeSigned = ofEpochMilli(nowMillis)
         mTimeValidityBegin = ofEpochMilli(nowMillis + 3600 * 1000)
         mTimeValidityEnd = ofEpochMilli(nowMillis + 10 * 86400 * 1000)
-        mCredential = mDocument.createCredential(
+        mMdocCredential = mDocument.createSecureAreaBoundCredential(
+            MdocCredential.CREDENTIAL_TYPE,
             CREDENTIAL_DOMAIN,
             mSecureArea,
             SoftwareCreateKeySettings.Builder(ByteArray(0))
                 .setKeyPurposes(setOf(KeyPurpose.SIGN, KeyPurpose.AGREE_KEY))
                 .build(),
             null
         )
-        Assert.assertFalse(mCredential.isCertified)
+        Assert.assertFalse(mMdocCredential.isCertified)
 
         // Generate an MSO and issuer-signed data for this credential.
         val msoGenerator = MobileSecurityObjectGenerator(
             "SHA-256",
             MDL_DOCTYPE,
-            mCredential.attestation.certificates[0].publicKey
+            mMdocCredential.attestation.certificates[0].publicKey
         )
         msoGenerator.setValidityInfo(mTimeSigned, mTimeValidityBegin, mTimeValidityEnd, null)
         val issuerNameSpaces = generateIssuerNameSpaces(
@@ -213,7 +215,7 @@ class DeviceRetrievalHelperTest {
         ).generate()
 
         // Now that we have issuer-provided authentication data we certify the credential.
-        mCredential.certify(
+        mMdocCredential.certify(
             issuerProvidedAuthenticationData,
             mTimeValidityBegin,
             mTimeValidityEnd
@@ -377,7 +379,7 @@ class DeviceRetrievalHelperTest {
                     val generator = DeviceResponseGenerator(
                         Constants.DEVICE_RESPONSE_STATUS_OK
                     )
-                    val staticAuthData = StaticAuthDataParser(mCredential.issuerProvidedData)
+                    val staticAuthData = StaticAuthDataParser(mMdocCredential.issuerProvidedData)
                         .parse()
                     val deviceSignedData = NameSpacedData.Builder().build()
                     val mergedIssuerNamespaces: Map<String, List<ByteArray>> =
@@ -395,8 +397,8 @@ class DeviceRetrievalHelperTest {
                             .setIssuerNamespaces(mergedIssuerNamespaces)
                             .setDeviceNamespacesSignature(
                                 deviceSignedData,
-                                mCredential.secureArea,
-                                mCredential.alias,
+                                mMdocCredential.secureArea,
+                                mMdocCredential.alias,
                                 null,
                                 Algorithm.ES256
                             )
 
@@ -24,7 +24,8 @@ import com.android.identity.cbor.toDataItem
 import com.android.identity.cose.Cose
 import com.android.identity.cose.CoseLabel
 import com.android.identity.cose.CoseNumberLabel
-import com.android.identity.document.Credential
+import com.android.identity.credential.MdocCredential
+import com.android.identity.credential.SecureAreaBoundCredential
 import com.android.identity.document.Document
 import com.android.identity.document.DocumentRequest
 import com.android.identity.document.DocumentRequest.DataElement
@@ -62,7 +63,7 @@ class DeviceResponseGeneratorTest {
     private lateinit var secureArea: SecureArea
     private lateinit var secureAreaRepository: SecureAreaRepository
 
-    private lateinit  var authKey: Credential
+    private lateinit  var authKey: SecureAreaBoundCredential
     private lateinit  var document: Document
     private lateinit  var timeSigned: Timestamp
     private lateinit  var timeValidityBegin: Timestamp
@@ -83,6 +84,7 @@ class DeviceResponseGeneratorTest {
 
     // This isn't really used, we only use a single domain.
     private val AUTH_KEY_DOMAIN = "domain"
+    private val MDOC_CREDENTIAL_IDENTIFIER = "MdocCredential"
 
     @Throws(Exception::class)
     private fun provisionDocument() {
@@ -117,7 +119,8 @@ class DeviceResponseGeneratorTest {
         timeSigned = Timestamp.ofEpochMilli(nowMillis)
         timeValidityBegin = Timestamp.ofEpochMilli(nowMillis + 3600 * 1000)
         timeValidityEnd = Timestamp.ofEpochMilli(nowMillis + 10 * 86400 * 1000)
-        authKey = document.createCredential(
+        authKey = document.createSecureAreaBoundCredential(
+            MdocCredential.CREDENTIAL_TYPE,
             AUTH_KEY_DOMAIN,
             secureArea,
             SoftwareCreateKeySettings.Builder(ByteArray(0))