1 /*
2 * Copyright 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymint_support/attestation_record.h>
18
19 #include <assert.h>
20
21 #include <aidl/android/hardware/security/keymint/Tag.h>
22 #include <aidl/android/hardware/security/keymint/TagType.h>
23
24 #include <android-base/logging.h>
25
26 #include <openssl/asn1t.h>
27 #include <openssl/bn.h>
28 #include <openssl/evp.h>
29 #include <openssl/x509.h>
30
31 #include <keymint_support/authorization_set.h>
32 #include <keymint_support/openssl_utils.h>
33
34 #define AT __FILE__ ":" << __LINE__
35
36 namespace aidl::android::hardware::security::keymint {
37
38 struct stack_st_ASN1_TYPE_Delete {
operator ()aidl::android::hardware::security::keymint::stack_st_ASN1_TYPE_Delete39 void operator()(stack_st_ASN1_TYPE* p) { sk_ASN1_TYPE_free(p); }
40 };
41
42 struct ASN1_STRING_Delete {
operator ()aidl::android::hardware::security::keymint::ASN1_STRING_Delete43 void operator()(ASN1_STRING* p) { ASN1_STRING_free(p); }
44 };
45
46 struct ASN1_TYPE_Delete {
operator ()aidl::android::hardware::security::keymint::ASN1_TYPE_Delete47 void operator()(ASN1_TYPE* p) { ASN1_TYPE_free(p); }
48 };
49
50 #define ASN1_INTEGER_SET STACK_OF(ASN1_INTEGER)
51
52 typedef struct km_root_of_trust {
53 ASN1_OCTET_STRING* verified_boot_key;
54 ASN1_BOOLEAN device_locked;
55 ASN1_ENUMERATED* verified_boot_state;
56 ASN1_OCTET_STRING* verified_boot_hash;
57 } KM_ROOT_OF_TRUST;
58
59 ASN1_SEQUENCE(KM_ROOT_OF_TRUST) = {
60 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_key, ASN1_OCTET_STRING),
61 ASN1_SIMPLE(KM_ROOT_OF_TRUST, device_locked, ASN1_BOOLEAN),
62 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_state, ASN1_ENUMERATED),
63 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_hash, ASN1_OCTET_STRING),
64 } ASN1_SEQUENCE_END(KM_ROOT_OF_TRUST);
65 IMPLEMENT_ASN1_FUNCTIONS(KM_ROOT_OF_TRUST);
66
67 // Fields ordered in tag order.
68 typedef struct km_auth_list {
69 ASN1_INTEGER_SET* purpose;
70 ASN1_INTEGER* algorithm;
71 ASN1_INTEGER* key_size;
72 ASN1_INTEGER_SET* digest;
73 ASN1_INTEGER_SET* padding;
74 ASN1_INTEGER* ec_curve;
75 ASN1_INTEGER* rsa_public_exponent;
76 ASN1_INTEGER_SET* mgf_digest;
77 ASN1_NULL* rollback_resistance;
78 ASN1_NULL* early_boot_only;
79 ASN1_INTEGER* active_date_time;
80 ASN1_INTEGER* origination_expire_date_time;
81 ASN1_INTEGER* usage_expire_date_time;
82 ASN1_INTEGER* usage_count_limit;
83 ASN1_NULL* no_auth_required;
84 ASN1_INTEGER* user_auth_type;
85 ASN1_INTEGER* auth_timeout;
86 ASN1_NULL* allow_while_on_body;
87 ASN1_NULL* trusted_user_presence_required;
88 ASN1_NULL* trusted_confirmation_required;
89 ASN1_NULL* unlocked_device_required;
90 ASN1_INTEGER* creation_date_time;
91 ASN1_INTEGER* origin;
92 KM_ROOT_OF_TRUST* root_of_trust;
93 ASN1_INTEGER* os_version;
94 ASN1_INTEGER* os_patchlevel;
95 ASN1_OCTET_STRING* attestation_application_id;
96 ASN1_OCTET_STRING* attestation_id_brand;
97 ASN1_OCTET_STRING* attestation_id_device;
98 ASN1_OCTET_STRING* attestation_id_product;
99 ASN1_OCTET_STRING* attestation_id_serial;
100 ASN1_OCTET_STRING* attestation_id_imei;
101 ASN1_OCTET_STRING* attestation_id_meid;
102 ASN1_OCTET_STRING* attestation_id_manufacturer;
103 ASN1_OCTET_STRING* attestation_id_model;
104 ASN1_INTEGER* vendor_patchlevel;
105 ASN1_INTEGER* boot_patchlevel;
106 ASN1_NULL* device_unique_attestation;
107 ASN1_NULL* identity_credential;
108 } KM_AUTH_LIST;
109
110 ASN1_SEQUENCE(KM_AUTH_LIST) = {
111 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, purpose, ASN1_INTEGER, TAG_PURPOSE.maskedTag()),
112 ASN1_EXP_OPT(KM_AUTH_LIST, algorithm, ASN1_INTEGER, TAG_ALGORITHM.maskedTag()),
113 ASN1_EXP_OPT(KM_AUTH_LIST, key_size, ASN1_INTEGER, TAG_KEY_SIZE.maskedTag()),
114 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, digest, ASN1_INTEGER, TAG_DIGEST.maskedTag()),
115 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, padding, ASN1_INTEGER, TAG_PADDING.maskedTag()),
116 ASN1_EXP_OPT(KM_AUTH_LIST, ec_curve, ASN1_INTEGER, TAG_EC_CURVE.maskedTag()),
117 ASN1_EXP_OPT(KM_AUTH_LIST, rsa_public_exponent, ASN1_INTEGER,
118 TAG_RSA_PUBLIC_EXPONENT.maskedTag()),
119 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, mgf_digest, ASN1_INTEGER,
120 TAG_RSA_OAEP_MGF_DIGEST.maskedTag()),
121 ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL,
122 TAG_ROLLBACK_RESISTANCE.maskedTag()),
123 ASN1_EXP_OPT(KM_AUTH_LIST, early_boot_only, ASN1_NULL, TAG_EARLY_BOOT_ONLY.maskedTag()),
124 ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()),
125 ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER,
126 TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()),
127 ASN1_EXP_OPT(KM_AUTH_LIST, usage_expire_date_time, ASN1_INTEGER,
128 TAG_USAGE_EXPIRE_DATETIME.maskedTag()),
129 ASN1_EXP_OPT(KM_AUTH_LIST, usage_count_limit, ASN1_INTEGER,
130 TAG_USAGE_COUNT_LIMIT.maskedTag()),
131 ASN1_EXP_OPT(KM_AUTH_LIST, no_auth_required, ASN1_NULL, TAG_NO_AUTH_REQUIRED.maskedTag()),
132 ASN1_EXP_OPT(KM_AUTH_LIST, user_auth_type, ASN1_INTEGER, TAG_USER_AUTH_TYPE.maskedTag()),
133 ASN1_EXP_OPT(KM_AUTH_LIST, auth_timeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT.maskedTag()),
134 ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL,
135 TAG_ALLOW_WHILE_ON_BODY.maskedTag()),
136 ASN1_EXP_OPT(KM_AUTH_LIST, trusted_user_presence_required, ASN1_NULL,
137 TAG_TRUSTED_USER_PRESENCE_REQUIRED.maskedTag()),
138 ASN1_EXP_OPT(KM_AUTH_LIST, trusted_confirmation_required, ASN1_NULL,
139 TAG_TRUSTED_CONFIRMATION_REQUIRED.maskedTag()),
140 ASN1_EXP_OPT(KM_AUTH_LIST, unlocked_device_required, ASN1_NULL,
141 TAG_UNLOCKED_DEVICE_REQUIRED.maskedTag()),
142 ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER,
143 TAG_CREATION_DATETIME.maskedTag()),
144 ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.maskedTag()),
145 ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()),
146 ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()),
147 ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()),
148 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING,
149 TAG_ATTESTATION_APPLICATION_ID.maskedTag()),
150 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_brand, ASN1_OCTET_STRING,
151 TAG_ATTESTATION_ID_BRAND.maskedTag()),
152 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_device, ASN1_OCTET_STRING,
153 TAG_ATTESTATION_ID_DEVICE.maskedTag()),
154 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_product, ASN1_OCTET_STRING,
155 TAG_ATTESTATION_ID_PRODUCT.maskedTag()),
156 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_serial, ASN1_OCTET_STRING,
157 TAG_ATTESTATION_ID_SERIAL.maskedTag()),
158 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_imei, ASN1_OCTET_STRING,
159 TAG_ATTESTATION_ID_IMEI.maskedTag()),
160 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_meid, ASN1_OCTET_STRING,
161 TAG_ATTESTATION_ID_MEID.maskedTag()),
162 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_manufacturer, ASN1_OCTET_STRING,
163 TAG_ATTESTATION_ID_MANUFACTURER.maskedTag()),
164 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_model, ASN1_OCTET_STRING,
165 TAG_ATTESTATION_ID_MODEL.maskedTag()),
166 ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER,
167 TAG_VENDOR_PATCHLEVEL.maskedTag()),
168 ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()),
169 ASN1_EXP_OPT(KM_AUTH_LIST, device_unique_attestation, ASN1_NULL,
170 TAG_DEVICE_UNIQUE_ATTESTATION.maskedTag()),
171 ASN1_EXP_OPT(KM_AUTH_LIST, identity_credential, ASN1_NULL,
172 TAG_IDENTITY_CREDENTIAL_KEY.maskedTag()),
173 } ASN1_SEQUENCE_END(KM_AUTH_LIST);
174 IMPLEMENT_ASN1_FUNCTIONS(KM_AUTH_LIST);
175
176 typedef struct km_key_description {
177 ASN1_INTEGER* attestation_version;
178 ASN1_ENUMERATED* attestation_security_level;
179 ASN1_INTEGER* keymint_version;
180 ASN1_ENUMERATED* keymint_security_level;
181 ASN1_OCTET_STRING* attestation_challenge;
182 ASN1_INTEGER* unique_id;
183 KM_AUTH_LIST* software_enforced;
184 KM_AUTH_LIST* tee_enforced;
185 } KM_KEY_DESCRIPTION;
186
187 ASN1_SEQUENCE(KM_KEY_DESCRIPTION) = {
188 ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_version, ASN1_INTEGER),
189 ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_security_level, ASN1_ENUMERATED),
190 ASN1_SIMPLE(KM_KEY_DESCRIPTION, keymint_version, ASN1_INTEGER),
191 ASN1_SIMPLE(KM_KEY_DESCRIPTION, keymint_security_level, ASN1_ENUMERATED),
192 ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_challenge, ASN1_OCTET_STRING),
193 ASN1_SIMPLE(KM_KEY_DESCRIPTION, unique_id, ASN1_OCTET_STRING),
194 ASN1_SIMPLE(KM_KEY_DESCRIPTION, software_enforced, KM_AUTH_LIST),
195 ASN1_SIMPLE(KM_KEY_DESCRIPTION, tee_enforced, KM_AUTH_LIST),
196 } ASN1_SEQUENCE_END(KM_KEY_DESCRIPTION);
197 IMPLEMENT_ASN1_FUNCTIONS(KM_KEY_DESCRIPTION);
198
199 template <Tag tag>
copyAuthTag(const stack_st_ASN1_INTEGER * stack,TypedTag<TagType::ENUM_REP,tag> ttag,AuthorizationSet * auth_list)200 void copyAuthTag(const stack_st_ASN1_INTEGER* stack, TypedTag<TagType::ENUM_REP, tag> ttag,
201 AuthorizationSet* auth_list) {
202 typedef typename TypedTag2ValueType<decltype(ttag)>::type ValueT;
203 for (size_t i = 0; i < sk_ASN1_INTEGER_num(stack); ++i) {
204 auth_list->push_back(
205 ttag, static_cast<ValueT>(ASN1_INTEGER_get(sk_ASN1_INTEGER_value(stack, i))));
206 }
207 }
208
209 template <Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::ENUM,tag> ttag,AuthorizationSet * auth_list)210 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::ENUM, tag> ttag,
211 AuthorizationSet* auth_list) {
212 typedef typename TypedTag2ValueType<decltype(ttag)>::type ValueT;
213 if (!asn1_int) return;
214 auth_list->push_back(ttag, static_cast<ValueT>(ASN1_INTEGER_get(asn1_int)));
215 }
216
217 template <Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::UINT,tag> ttag,AuthorizationSet * auth_list)218 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::UINT, tag> ttag,
219 AuthorizationSet* auth_list) {
220 if (!asn1_int) return;
221 auth_list->push_back(ttag, ASN1_INTEGER_get(asn1_int));
222 }
223
construct_uint_max()224 BIGNUM* construct_uint_max() {
225 BIGNUM* value = BN_new();
226 BIGNUM_Ptr one(BN_new());
227 BN_one(one.get());
228 BN_lshift(value, one.get(), 32);
229 return value;
230 }
231
BignumToUint64(BIGNUM * num)232 uint64_t BignumToUint64(BIGNUM* num) {
233 static_assert((sizeof(BN_ULONG) == sizeof(uint32_t)) || (sizeof(BN_ULONG) == sizeof(uint64_t)),
234 "This implementation only supports 32 and 64-bit BN_ULONG");
235 if (sizeof(BN_ULONG) == sizeof(uint32_t)) {
236 BIGNUM_Ptr uint_max(construct_uint_max());
237 BIGNUM_Ptr hi(BN_new()), lo(BN_new());
238 BN_CTX_Ptr ctx(BN_CTX_new());
239 BN_div(hi.get(), lo.get(), num, uint_max.get(), ctx.get());
240 return static_cast<uint64_t>(BN_get_word(hi.get())) << 32 | BN_get_word(lo.get());
241 } else if (sizeof(BN_ULONG) == sizeof(uint64_t)) {
242 return BN_get_word(num);
243 } else {
244 return 0;
245 }
246 }
247
248 template <Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::ULONG,tag> ttag,AuthorizationSet * auth_list)249 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::ULONG, tag> ttag,
250 AuthorizationSet* auth_list) {
251 if (!asn1_int) return;
252 BIGNUM_Ptr num(ASN1_INTEGER_to_BN(asn1_int, nullptr));
253 auth_list->push_back(ttag, BignumToUint64(num.get()));
254 }
255
256 template <Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::DATE,tag> ttag,AuthorizationSet * auth_list)257 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::DATE, tag> ttag,
258 AuthorizationSet* auth_list) {
259 if (!asn1_int) return;
260 BIGNUM_Ptr num(ASN1_INTEGER_to_BN(asn1_int, nullptr));
261 auth_list->push_back(ttag, BignumToUint64(num.get()));
262 }
263
264 template <Tag tag>
copyAuthTag(const ASN1_NULL * asn1_null,TypedTag<TagType::BOOL,tag> ttag,AuthorizationSet * auth_list)265 void copyAuthTag(const ASN1_NULL* asn1_null, TypedTag<TagType::BOOL, tag> ttag,
266 AuthorizationSet* auth_list) {
267 if (!asn1_null) return;
268 auth_list->push_back(ttag);
269 }
270
271 template <Tag tag>
copyAuthTag(const ASN1_OCTET_STRING * asn1_string,TypedTag<TagType::BYTES,tag> ttag,AuthorizationSet * auth_list)272 void copyAuthTag(const ASN1_OCTET_STRING* asn1_string, TypedTag<TagType::BYTES, tag> ttag,
273 AuthorizationSet* auth_list) {
274 if (!asn1_string) return;
275 vector<uint8_t> buf(asn1_string->data, asn1_string->data + asn1_string->length);
276 auth_list->push_back(ttag, buf);
277 }
278
279 // Extract the values from the specified ASN.1 record and place them in auth_list.
280 // Does nothing with root-of-trust field.
extract_auth_list(const KM_AUTH_LIST * record,AuthorizationSet * auth_list)281 static ErrorCode extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet* auth_list) {
282 if (!record) return ErrorCode::OK;
283
284 // Fields ordered in tag order.
285 copyAuthTag(record->purpose, TAG_PURPOSE, auth_list);
286 copyAuthTag(record->algorithm, TAG_ALGORITHM, auth_list);
287 copyAuthTag(record->key_size, TAG_KEY_SIZE, auth_list);
288 copyAuthTag(record->digest, TAG_DIGEST, auth_list);
289 copyAuthTag(record->padding, TAG_PADDING, auth_list);
290 copyAuthTag(record->ec_curve, TAG_EC_CURVE, auth_list);
291 copyAuthTag(record->rsa_public_exponent, TAG_RSA_PUBLIC_EXPONENT, auth_list);
292 copyAuthTag(record->mgf_digest, TAG_RSA_OAEP_MGF_DIGEST, auth_list);
293 copyAuthTag(record->rollback_resistance, TAG_ROLLBACK_RESISTANCE, auth_list);
294 copyAuthTag(record->early_boot_only, TAG_EARLY_BOOT_ONLY, auth_list);
295 copyAuthTag(record->active_date_time, TAG_ACTIVE_DATETIME, auth_list);
296 copyAuthTag(record->origination_expire_date_time, TAG_ORIGINATION_EXPIRE_DATETIME, auth_list);
297 copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list);
298 copyAuthTag(record->usage_count_limit, TAG_USAGE_COUNT_LIMIT, auth_list);
299 copyAuthTag(record->no_auth_required, TAG_NO_AUTH_REQUIRED, auth_list);
300 copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list);
301 copyAuthTag(record->auth_timeout, TAG_AUTH_TIMEOUT, auth_list);
302 copyAuthTag(record->allow_while_on_body, TAG_ALLOW_WHILE_ON_BODY, auth_list);
303 copyAuthTag(record->trusted_user_presence_required, TAG_TRUSTED_USER_PRESENCE_REQUIRED,
304 auth_list);
305 copyAuthTag(record->trusted_confirmation_required, TAG_TRUSTED_CONFIRMATION_REQUIRED,
306 auth_list);
307 copyAuthTag(record->unlocked_device_required, TAG_UNLOCKED_DEVICE_REQUIRED, auth_list);
308 copyAuthTag(record->creation_date_time, TAG_CREATION_DATETIME, auth_list);
309 copyAuthTag(record->origin, TAG_ORIGIN, auth_list);
310 // root_of_trust dealt with separately
311 copyAuthTag(record->os_version, TAG_OS_VERSION, auth_list);
312 copyAuthTag(record->os_patchlevel, TAG_OS_PATCHLEVEL, auth_list);
313 copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list);
314 copyAuthTag(record->attestation_id_brand, TAG_ATTESTATION_ID_BRAND, auth_list);
315 copyAuthTag(record->attestation_id_device, TAG_ATTESTATION_ID_DEVICE, auth_list);
316 copyAuthTag(record->attestation_id_product, TAG_ATTESTATION_ID_PRODUCT, auth_list);
317 copyAuthTag(record->attestation_id_serial, TAG_ATTESTATION_ID_SERIAL, auth_list);
318 copyAuthTag(record->attestation_id_imei, TAG_ATTESTATION_ID_IMEI, auth_list);
319 copyAuthTag(record->attestation_id_meid, TAG_ATTESTATION_ID_MEID, auth_list);
320 copyAuthTag(record->attestation_id_manufacturer, TAG_ATTESTATION_ID_MANUFACTURER, auth_list);
321 copyAuthTag(record->attestation_id_model, TAG_ATTESTATION_ID_MODEL, auth_list);
322 copyAuthTag(record->vendor_patchlevel, TAG_VENDOR_PATCHLEVEL, auth_list);
323 copyAuthTag(record->boot_patchlevel, TAG_BOOT_PATCHLEVEL, auth_list);
324 copyAuthTag(record->device_unique_attestation, TAG_DEVICE_UNIQUE_ATTESTATION, auth_list);
325 copyAuthTag(record->identity_credential, TAG_IDENTITY_CREDENTIAL_KEY, auth_list);
326
327 return ErrorCode::OK;
328 }
329
MAKE_OPENSSL_PTR_TYPE(KM_KEY_DESCRIPTION)330 MAKE_OPENSSL_PTR_TYPE(KM_KEY_DESCRIPTION)
331
332 // Parse the DER-encoded attestation record, placing the results in keymint_version,
333 // attestation_challenge, software_enforced, tee_enforced and unique_id.
334 ErrorCode parse_attestation_record(const uint8_t* asn1_key_desc, size_t asn1_key_desc_len,
335 uint32_t* attestation_version, //
336 SecurityLevel* attestation_security_level,
337 uint32_t* keymint_version, SecurityLevel* keymint_security_level,
338 vector<uint8_t>* attestation_challenge,
339 AuthorizationSet* software_enforced,
340 AuthorizationSet* tee_enforced, //
341 vector<uint8_t>* unique_id) {
342 const uint8_t* p = asn1_key_desc;
343 KM_KEY_DESCRIPTION_Ptr record(d2i_KM_KEY_DESCRIPTION(nullptr, &p, asn1_key_desc_len));
344 if (!record.get()) return ErrorCode::UNKNOWN_ERROR;
345
346 *attestation_version = ASN1_INTEGER_get(record->attestation_version);
347 *attestation_security_level =
348 static_cast<SecurityLevel>(ASN1_ENUMERATED_get(record->attestation_security_level));
349 *keymint_version = ASN1_INTEGER_get(record->keymint_version);
350 *keymint_security_level =
351 static_cast<SecurityLevel>(ASN1_ENUMERATED_get(record->keymint_security_level));
352
353 auto& chall = record->attestation_challenge;
354 attestation_challenge->resize(chall->length);
355 memcpy(attestation_challenge->data(), chall->data, chall->length);
356 auto& uid = record->unique_id;
357 unique_id->resize(uid->length);
358 memcpy(unique_id->data(), uid->data, uid->length);
359
360 ErrorCode error = extract_auth_list(record->software_enforced, software_enforced);
361 if (error != ErrorCode::OK) return error;
362
363 return extract_auth_list(record->tee_enforced, tee_enforced);
364 }
365
parse_root_of_trust(const uint8_t * asn1_key_desc,size_t asn1_key_desc_len,vector<uint8_t> * verified_boot_key,VerifiedBoot * verified_boot_state,bool * device_locked,vector<uint8_t> * verified_boot_hash)366 ErrorCode parse_root_of_trust(const uint8_t* asn1_key_desc, size_t asn1_key_desc_len,
367 vector<uint8_t>* verified_boot_key, VerifiedBoot* verified_boot_state,
368 bool* device_locked, vector<uint8_t>* verified_boot_hash) {
369 if (!verified_boot_key || !verified_boot_state || !device_locked || !verified_boot_hash) {
370 LOG(ERROR) << AT << "null pointer input(s)";
371 return ErrorCode::INVALID_ARGUMENT;
372 }
373 const uint8_t* p = asn1_key_desc;
374 KM_KEY_DESCRIPTION_Ptr record(d2i_KM_KEY_DESCRIPTION(nullptr, &p, asn1_key_desc_len));
375 if (!record.get()) {
376 LOG(ERROR) << AT << "Failed record parsing";
377 return ErrorCode::UNKNOWN_ERROR;
378 }
379
380 KM_ROOT_OF_TRUST* root_of_trust = nullptr;
381 if (record->tee_enforced && record->tee_enforced->root_of_trust) {
382 root_of_trust = record->tee_enforced->root_of_trust;
383 } else if (record->software_enforced && record->software_enforced->root_of_trust) {
384 root_of_trust = record->software_enforced->root_of_trust;
385 } else {
386 LOG(ERROR) << AT << " Failed root of trust parsing";
387 return ErrorCode::INVALID_ARGUMENT;
388 }
389 if (!root_of_trust->verified_boot_key) {
390 LOG(ERROR) << AT << " Failed verified boot key parsing";
391 return ErrorCode::INVALID_ARGUMENT;
392 }
393
394 auto& vb_key = root_of_trust->verified_boot_key;
395 verified_boot_key->resize(vb_key->length);
396 memcpy(verified_boot_key->data(), vb_key->data, vb_key->length);
397
398 *verified_boot_state =
399 static_cast<VerifiedBoot>(ASN1_ENUMERATED_get(root_of_trust->verified_boot_state));
400 if (!verified_boot_state) {
401 LOG(ERROR) << AT << " Failed verified boot state parsing";
402 return ErrorCode::INVALID_ARGUMENT;
403 }
404
405 *device_locked = root_of_trust->device_locked;
406 if (!device_locked) {
407 LOG(ERROR) << AT << " Failed device locked parsing";
408 return ErrorCode::INVALID_ARGUMENT;
409 }
410
411 auto& vb_hash = root_of_trust->verified_boot_hash;
412 if (!vb_hash) {
413 LOG(ERROR) << AT << " Failed verified boot hash parsing";
414 return ErrorCode::INVALID_ARGUMENT;
415 }
416 verified_boot_hash->resize(vb_hash->length);
417 memcpy(verified_boot_hash->data(), vb_hash->data, vb_hash->length);
418 return ErrorCode::OK; // KM_ERROR_OK;
419 }
420
421 } // namespace aidl::android::hardware::security::keymint
422