openwallet-foundation-labs
diff --git a/‎appholder/src/main/java/com/android/identity/wallet/GetCredentialActivity.kt
+12-11 b/‎appholder/src/main/java/com/android/identity/wallet/GetCredentialActivity.kt
+12-11
diff --git a/‎appverifier/src/main/java/com/android/mdl/appreader/fragment/RequestOptionsFragment.kt
+8-5 b/‎appverifier/src/main/java/com/android/mdl/appreader/fragment/RequestOptionsFragment.kt
+8-5
diff --git a/‎appverifier/src/main/java/com/android/mdl/appreader/fragment/ShowDeviceResponseFragment.kt
+17-5 b/‎appverifier/src/main/java/com/android/mdl/appreader/fragment/ShowDeviceResponseFragment.kt
+17-5
diff --git a/‎gradle/libs.versions.toml
+2 b/‎gradle/libs.versions.toml
+2
diff --git a/‎identity-android/build.gradle
-1 b/‎identity-android/build.gradle
-1
@@ -9,13 +9,14 @@ import androidx.biometric.BiometricManager
 import androidx.biometric.BiometricPrompt
 import androidx.fragment.app.FragmentActivity
 import com.android.identity.android.mdoc.util.CredmanUtil
-import com.android.identity.android.mdoc.util.CredmanUtil.Companion.generateClientIdHash
-import com.android.identity.android.mdoc.util.CredmanUtil.Companion.generatePublicKeyHash
 import com.android.identity.android.securearea.AndroidKeystoreKeyUnlockData
 import com.android.identity.document.Credential
 import com.android.identity.document.DocumentRequest
 import com.android.identity.document.NameSpacedData
 import com.android.identity.crypto.Algorithm
+import com.android.identity.crypto.Crypto
+import com.android.identity.crypto.EcCurve
+import com.android.identity.crypto.EcPublicKeyDoubleCoordinate
 import com.android.identity.mdoc.mso.StaticAuthDataParser
 import com.android.identity.mdoc.response.DeviceResponseGenerator
 import com.android.identity.mdoc.response.DocumentGenerator
@@ -30,12 +31,10 @@ import com.android.identity.wallet.util.log
 import com.google.android.gms.identitycredentials.GetCredentialResponse
 import com.google.android.gms.identitycredentials.IntentHelper
 import com.google.android.gms.identitycredentials.IntentHelper.EXTRA_CREDENTIAL_ID
-import com.google.android.gms.identitycredentials.IntentHelper.extractCallingAppInfo
 import com.google.android.gms.identitycredentials.IntentHelper.extractGetCredentialRequest
 import com.google.android.gms.identitycredentials.IntentHelper.setGetCredentialException
 import com.google.android.gms.identitycredentials.IntentHelper.setGetCredentialResponse
 import org.json.JSONObject
-import java.security.PublicKey
 import java.util.StringTokenizer
 
 class GetCredentialActivity : FragmentActivity() {
@@ -201,7 +200,8 @@ class GetCredentialActivity : FragmentActivity() {
 
                 // Covert nonce and publicKey
                 val nonce = Base64.decode(nonceBase64, Base64.NO_WRAP or Base64.URL_SAFE)
-                val readerPublicKey = CredmanUtil.publicKeyFromUncompressed(
+                val readerPublicKey = EcPublicKeyDoubleCoordinate.fromUncompressedPointEncoding(
+                    EcCurve.P256,
                     Base64.decode(readerPublicKeyBase64, Base64.NO_WRAP or Base64.URL_SAFE)
                 )
 
@@ -227,20 +227,21 @@ class GetCredentialActivity : FragmentActivity() {
                     CredmanUtil.generateAndroidSessionTranscript(
                         nonce,
                         callingPackageName,
-                        generatePublicKeyHash(readerPublicKey)
+                        Crypto.digest(Algorithm.SHA256, readerPublicKey.asUncompressedPointEncoding)
                     )
                 } else {
                     CredmanUtil.generateBrowserSessionTranscript(
                         nonce,
                         callingOrigin,
-                        generatePublicKeyHash(readerPublicKey)
+                        Crypto.digest(Algorithm.SHA256, readerPublicKey.asUncompressedPointEncoding)
                     )
                 }
                 // Create ISO DeviceResponse
                 createMDocDeviceResponse(credentialId, dataElements, encodedSessionTranscript) { deviceResponse ->
                     // The Preview protocol HPKE encrypts the response.
-                    val credmanUtil = CredmanUtil(readerPublicKey, null)
-                    val (cipherText, encapsulatedPublicKey) = credmanUtil.encrypt(
+                    val (cipherText, encapsulatedPublicKey) = Crypto.hpkeEncrypt(
+                        Algorithm.HPKE_BASE_P256_SHA256_AES128GCM,
+                        readerPublicKey,
                         deviceResponse,
                         encodedSessionTranscript
                     )
@@ -307,13 +308,13 @@ class GetCredentialActivity : FragmentActivity() {
                     CredmanUtil.generateAndroidSessionTranscript(
                         nonce,
                         callingPackageName,
-                        generateClientIdHash(clientID)
+                        Crypto.digest(Algorithm.SHA256, clientID.toByteArray())
                     )
                 } else {
                     CredmanUtil.generateBrowserSessionTranscript(
                         nonce,
                         callingOrigin,
-                        generateClientIdHash(clientID)
+                        Crypto.digest(Algorithm.SHA256, clientID.toByteArray())
                     )
                 }
                 // Create ISO DeviceResponse
 
@@ -154,10 +154,6 @@ class RequestOptionsFragment() : Fragment() {
 
         // Generate the readerKey.
         val readerKey = Crypto.createEcPrivateKey(EcCurve.P256)
-        val readerKeyPair = KeyPair(
-            readerKey.publicKey.javaPublicKey,
-            readerKey.javaPrivateKey
-        )
 
         // TODO: Right now we just request the first of potentially multiple documents, it
         //  would be nice to request each document in sequence and then display all the
@@ -206,7 +202,14 @@ class RequestOptionsFragment() : Fragment() {
 
                         requireActivity().runOnUiThread {
                             findNavController().navigate(RequestOptionsFragmentDirections
-                                .toShowDeviceResponse(bundle, readerKeyPair))
+                                .toShowDeviceResponse(
+                                    bundle,
+                                    KeyPair(
+                                        readerKey.publicKey.javaPublicKey,
+                                        readerKey.javaPrivateKey
+                                    )
+                                )
+                            )
                         }
                     } catch (e: GetCredentialException) {
                         Logger.e(TAG, "An error occurred", e)
 
@@ -19,8 +19,13 @@ import androidx.navigation.fragment.findNavController
 import androidx.navigation.fragment.navArgs
 import com.android.identity.android.mdoc.util.CredmanUtil
 import com.android.identity.cbor.Cbor
+import com.android.identity.crypto.Algorithm
+import com.android.identity.crypto.Crypto
+import com.android.identity.crypto.EcCurve
+import com.android.identity.crypto.EcPublicKeyDoubleCoordinate
 import com.android.identity.crypto.javaPublicKey
 import com.android.identity.crypto.javaX509Certificates
+import com.android.identity.crypto.toEcPrivateKey
 import com.android.identity.mdoc.response.DeviceResponseParser
 import com.android.mdl.appreader.R
 import com.android.mdl.appreader.VerifierApp
@@ -76,22 +81,29 @@ class ShowDeviceResponseFragment : Fragment() {
         val responseJson = JSONObject(args.bundle.getString("responseJson")!!)
         val nonce = args.bundle.getByteArray("nonce")!!
         val requestIdentityKeyPair = args.requestIdentityKeyPair
+        val requestIdentityKey = requestIdentityKeyPair.private.toEcPrivateKey(
+            requestIdentityKeyPair.public,
+            EcCurve.P256
+        )
 
         val encryptedCredentialDocumentBase64 = responseJson.getString("token")!!
         val encryptedCredentialDocument = Base64.decode(encryptedCredentialDocumentBase64, Base64.URL_SAFE or Base64.NO_WRAP )
 
         val (cipherText, encapsulatedPublicKey) = CredmanUtil.parseCredentialDocument(encryptedCredentialDocument)
 
+        val uncompressed = (requestIdentityKey.publicKey as EcPublicKeyDoubleCoordinate).asUncompressedPointEncoding
         val encodedSessionTranscript = CredmanUtil.generateAndroidSessionTranscript(
             nonce,
             requireContext().packageName,
-            CredmanUtil.generatePublicKeyHash(requestIdentityKeyPair.public)
+            Crypto.digest(Algorithm.SHA256, uncompressed)
         )
 
-        val credmanUtil = CredmanUtil(requestIdentityKeyPair.public, requestIdentityKeyPair.private)
-        val encodedDeviceResponse = credmanUtil.decrypt(cipherText,
-            encapsulatedPublicKey as ECPublicKey,
-            encodedSessionTranscript)
+        val encodedDeviceResponse = Crypto.hpkeDecrypt(
+            Algorithm.HPKE_BASE_P256_SHA256_AES128GCM,
+            requestIdentityKey,
+            cipherText,
+            encodedSessionTranscript,
+            encapsulatedPublicKey)
 
         val parser = DeviceResponseParser(encodedDeviceResponse, encodedSessionTranscript)
         val deviceResponse = parser.parse()
 
@@ -48,6 +48,7 @@
     org-jetbrains-kotlin-jvm = "1.8.20"
     accompanist-permissions = "0.34.0"
     ktlint = "12.1.0"
+    tink = "1.9.0"
 
 [libraries]
     androidx-core-ktx = { module = "androidx.core:core-ktx", version.ref = "core-ktx" }
@@ -126,6 +127,7 @@
     play-services-tasks = { module = "com.google.android.gms:play-services-tasks", version = "18.0.2" }
 
     accompanist-permissions = { group = "com.google.accompanist", name = "accompanist-permissions", version.ref = "accompanist-permissions"}
+    tink = { group = "com.google.crypto.tink", name = "tink-android", version.ref = "tink"}
 
     ktlint-gradle = { module = "org.jlleitschuh.gradle:ktlint-gradle", version.ref = "ktlint" }
 
 
@@ -40,7 +40,6 @@ dependencies {
     implementation libs.volley
     implementation libs.kotlinx.datetime
     implementation libs.kotlinx.io.bytestring
-    implementation 'com.google.crypto.tink:tink-android:1.9.0'
 
     testImplementation libs.androidx.test.espresso
     testImplementation libs.androidx.test.ext.junit