1 /*
2 * Copyright (c) 2025-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <stdio.h>
17 #include <string.h>
18 #include "openssl/x509.h"
19 #include "openssl/asn1t.h"
20 #include "openssl/types.h"
21 #include <openssl/asn1.h>
22 #include <openssl/x509.h>
23 #include <openssl/pem.h>
24 #include <openssl/err.h>
25 #include "cf_log.h"
26 #include "cf_memory.h"
27 #include "cf_result.h"
28 #include "attestation_common.h"
29 #include "attestation_cert_ext_legacy.h"
30
31 static const uint8_t KEY_DESCRIPTION_OID[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x11};
32
33 typedef enum {
34 VERIFIED_BOOT_STATE_VERIFIED = 0,
35 VERIFIED_BOOT_STATE_SELF_SIGNED = 1,
36 VERIFIED_BOOT_STATE_UNVERIFIED = 2,
37 VERIFIED_BOOT_STATE_FAILED = 3
38 } VerifiedBootState;
39
40 typedef struct {
41 ASN1_OCTET_STRING *verifiedBootKey;
42 ASN1_BOOLEAN *deviceLocked;
43 ASN1_ENUMERATED *verifiedBootState;
44 ASN1_OCTET_STRING *verifiedBootHash;
45 } RootOfTrust;
46
47 typedef struct {
48 STACK_OF(ASN1_INTEGER) *purpose;
49 ASN1_INTEGER *algorithm;
50 ASN1_INTEGER *keySize;
51 STACK_OF(ASN1_INTEGER) *digest;
52 STACK_OF(ASN1_INTEGER) *padding;
53 ASN1_INTEGER *ecCurve;
54 ASN1_INTEGER *rsaPublicExponent;
55 STACK_OF(ASN1_INTEGER) *mgfDigest;
56
57 ASN1_NULL *rollbackResistance;
58 ASN1_NULL *earlyBootOnly;
59 ASN1_NULL *noAuthRequired;
60 ASN1_NULL *allowWhileOnBody;
61 ASN1_NULL *trustedUserPresenceRequired;
62 ASN1_NULL *trustedConfirmationRequired;
63 ASN1_NULL *unlockedDeviceRequired;
64 ASN1_NULL *deviceUniqueAttestation;
65
66 ASN1_INTEGER *activeDateTime;
67 ASN1_INTEGER *originationExpireDateTime;
68 ASN1_INTEGER *usageExpireDateTime;
69 ASN1_INTEGER *usageCountLimit;
70 ASN1_INTEGER *userAuthType;
71 ASN1_INTEGER *authTimeout;
72 ASN1_INTEGER *creationDateTime;
73 ASN1_INTEGER *origin;
74 ASN1_INTEGER *osVersion;
75 ASN1_INTEGER *osPatchLevel;
76 ASN1_INTEGER *bootPatchLevel;
77
78 RootOfTrust *rootOfTrust;
79
80 ASN1_OCTET_STRING *attestationApplicationId;
81 ASN1_TYPE *attestationIdBrand; // compatible OCTET_STRING and UTF8STRING
82 ASN1_TYPE *attestationIdDevice;
83 ASN1_TYPE *attestationIdProduct;
84 ASN1_TYPE *attestationIdSerial;
85 ASN1_TYPE *attestationIdImei;
86 ASN1_TYPE *attestationIdMeid;
87 ASN1_TYPE *attestationIdManufacturer;
88 ASN1_TYPE *attestationIdModel;
89 ASN1_TYPE *attestationIdSecondImei;
90 ASN1_TYPE *moduleHash;
91 ASN1_TYPE *attestationIdSocid;
92 ASN1_TYPE *attestationIdUdid;
93 } AuthorizationList;
94
95 typedef struct {
96 ASN1_INTEGER *attestationVersion;
97 ASN1_ENUMERATED *attestationSecurityLevel;
98 ASN1_INTEGER *keyMintVersion;
99 ASN1_ENUMERATED *keyMintSecurityLevel;
100 ASN1_OCTET_STRING *attestationChallenge;
101 ASN1_OCTET_STRING *uniqueId;
102 AuthorizationList *softwareEnforced;
103 AuthorizationList *hardwareEnforced;
104 } KeyDescription;
105
106 DECLARE_ASN1_FUNCTIONS(RootOfTrust)
107 DECLARE_ASN1_FUNCTIONS(AuthorizationList)
108 DECLARE_ASN1_FUNCTIONS(KeyDescription)
109
110 IMPLEMENT_ASN1_FUNCTIONS(RootOfTrust)
111 IMPLEMENT_ASN1_FUNCTIONS(AuthorizationList)
112 IMPLEMENT_ASN1_FUNCTIONS(KeyDescription)
113
114 ASN1_SEQUENCE(RootOfTrust) = {
115 ASN1_SIMPLE(RootOfTrust, verifiedBootKey, ASN1_OCTET_STRING),
116 ASN1_SIMPLE(RootOfTrust, deviceLocked, ASN1_BOOLEAN),
117 ASN1_SIMPLE(RootOfTrust, verifiedBootState, ASN1_ENUMERATED),
118 ASN1_SIMPLE(RootOfTrust, verifiedBootHash, ASN1_OCTET_STRING)
119 } ASN1_SEQUENCE_END(RootOfTrust)
120
121 #define TAG_PURPOSE 1
122 #define TAG_ALGORITHM 2
123 #define TAG_KEY_SIZE 3
124 #define TAG_DIGEST 5
125 #define TAG_PADDING 6
126 #define TAG_EC_CURVE 10
127 #define TAG_RSA_PUBLIC_EXPONENT 200
128 #define TAG_MGF_DIGEST 203
129 #define TAG_ROLLBACK_RESISTANCE 303
130 #define TAG_EARLY_BOOT_ONLY 305
131 #define TAG_ACTIVE_DATETIME 400
132 #define TAG_ORIGINATION_EXPIRE_DATETIME 401
133 #define TAG_USAGE_EXPIRE_DATETIME 402
134 #define TAG_USAGE_COUNT_LIMIT 405
135 #define TAG_NO_AUTH_REQUIRED 503
136 #define TAG_USER_AUTH_TYPE 504
137 #define TAG_AUTH_TIMEOUT 505
138 #define TAG_ALLOW_WHILE_ON_BODY 506
139 #define TAG_TRUSTED_USER_PRESENCE_REQUIRED 507
140 #define TAG_TRUSTED_CONFIRMATION_REQUIRED 508
141 #define TAG_UNLOCKED_DEVICE_REQUIRED 509
142 #define TAG_CREATION_DATETIME 701
143 #define TAG_ORIGIN 702
144 #define TAG_ROOT_OF_TRUST 704
145 #define TAG_OS_VERSION 705
146 #define TAG_OS_PATCH_LEVEL 706
147 #define TAG_ATTESTATION_APPLICATION_ID 709
148 #define TAG_ATTESTATION_ID_BRAND 710
149 #define TAG_ATTESTATION_ID_DEVICE 711
150 #define TAG_ATTESTATION_ID_PRODUCT 712
151 #define TAG_ATTESTATION_ID_SERIAL 713
152 #define TAG_ATTESTATION_ID_IMEI 714
153 #define TAG_ATTESTATION_ID_MEID 715
154 #define TAG_ATTESTATION_ID_MANUFACTURER 716
155 #define TAG_ATTESTATION_ID_MODEL 717
156 #define TAG_ATTESTATION_ID_SOCID 718 // self defined
157 #define TAG_BOOT_PATCH_LEVEL 719
158 #define TAG_DEVICE_UNIQUE_ATTESTATION 720
159 #define TAG_ATTESTATION_ID_SECOND_IMEI 723
160 #define TAG_MODULE_HASH 724
161 #define TAG_ATTESTATION_ID_UDID 10006
162
163 ASN1_SEQUENCE(AuthorizationList) = {
164 ASN1_EXP_SET_OF_OPT(AuthorizationList, purpose, ASN1_INTEGER, TAG_PURPOSE),
165 ASN1_EXP_OPT(AuthorizationList, algorithm, ASN1_INTEGER, TAG_ALGORITHM),
166 ASN1_EXP_OPT(AuthorizationList, keySize, ASN1_INTEGER, TAG_KEY_SIZE),
167 ASN1_EXP_SET_OF_OPT(AuthorizationList, digest, ASN1_INTEGER, TAG_DIGEST),
168 ASN1_EXP_SET_OF_OPT(AuthorizationList, padding, ASN1_INTEGER, TAG_PADDING),
169 ASN1_EXP_OPT(AuthorizationList, ecCurve, ASN1_INTEGER, TAG_EC_CURVE),
170 ASN1_EXP_OPT(AuthorizationList, rsaPublicExponent, ASN1_INTEGER, TAG_RSA_PUBLIC_EXPONENT),
171 ASN1_EXP_SET_OF_OPT(AuthorizationList, mgfDigest, ASN1_INTEGER, TAG_MGF_DIGEST),
172 ASN1_EXP_OPT(AuthorizationList, rollbackResistance, ASN1_NULL, TAG_ROLLBACK_RESISTANCE),
173 ASN1_EXP_OPT(AuthorizationList, earlyBootOnly, ASN1_NULL, TAG_EARLY_BOOT_ONLY),
174 ASN1_EXP_OPT(AuthorizationList, activeDateTime, ASN1_INTEGER, TAG_ACTIVE_DATETIME),
175 ASN1_EXP_OPT(AuthorizationList, originationExpireDateTime, ASN1_INTEGER, TAG_ORIGINATION_EXPIRE_DATETIME),
176 ASN1_EXP_OPT(AuthorizationList, usageExpireDateTime, ASN1_INTEGER, TAG_USAGE_EXPIRE_DATETIME),
177 ASN1_EXP_OPT(AuthorizationList, usageCountLimit, ASN1_INTEGER, TAG_USAGE_COUNT_LIMIT),
178 ASN1_EXP_OPT(AuthorizationList, noAuthRequired, ASN1_NULL, TAG_NO_AUTH_REQUIRED),
179 ASN1_EXP_OPT(AuthorizationList, userAuthType, ASN1_INTEGER, TAG_USER_AUTH_TYPE),
180 ASN1_EXP_OPT(AuthorizationList, authTimeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT),
181 ASN1_EXP_OPT(AuthorizationList, allowWhileOnBody, ASN1_NULL, TAG_ALLOW_WHILE_ON_BODY),
182 ASN1_EXP_OPT(AuthorizationList, trustedUserPresenceRequired, ASN1_NULL, TAG_TRUSTED_USER_PRESENCE_REQUIRED),
183 ASN1_EXP_OPT(AuthorizationList, trustedConfirmationRequired, ASN1_NULL, TAG_TRUSTED_CONFIRMATION_REQUIRED),
184 ASN1_EXP_OPT(AuthorizationList, unlockedDeviceRequired, ASN1_NULL, TAG_UNLOCKED_DEVICE_REQUIRED),
185 ASN1_EXP_OPT(AuthorizationList, creationDateTime, ASN1_INTEGER, TAG_CREATION_DATETIME),
186 ASN1_EXP_OPT(AuthorizationList, origin, ASN1_INTEGER, TAG_ORIGIN),
187 ASN1_EXP_OPT(AuthorizationList, rootOfTrust, RootOfTrust, TAG_ROOT_OF_TRUST),
188 ASN1_EXP_OPT(AuthorizationList, osVersion, ASN1_INTEGER, TAG_OS_VERSION),
189 ASN1_EXP_OPT(AuthorizationList, osPatchLevel, ASN1_INTEGER, TAG_OS_PATCH_LEVEL),
190 ASN1_EXP_OPT(AuthorizationList, attestationApplicationId, ASN1_OCTET_STRING, TAG_ATTESTATION_APPLICATION_ID),
191 ASN1_EXP_OPT(AuthorizationList, attestationIdBrand, ASN1_ANY, TAG_ATTESTATION_ID_BRAND),
192 ASN1_EXP_OPT(AuthorizationList, attestationIdDevice, ASN1_ANY, TAG_ATTESTATION_ID_DEVICE),
193 ASN1_EXP_OPT(AuthorizationList, attestationIdProduct, ASN1_ANY, TAG_ATTESTATION_ID_PRODUCT),
194 ASN1_EXP_OPT(AuthorizationList, attestationIdSerial, ASN1_ANY, TAG_ATTESTATION_ID_SERIAL),
195 ASN1_EXP_OPT(AuthorizationList, attestationIdImei, ASN1_ANY, TAG_ATTESTATION_ID_IMEI),
196 ASN1_EXP_OPT(AuthorizationList, attestationIdMeid, ASN1_ANY, TAG_ATTESTATION_ID_MEID),
197 ASN1_EXP_OPT(AuthorizationList, attestationIdManufacturer, ASN1_ANY, TAG_ATTESTATION_ID_MANUFACTURER),
198 ASN1_EXP_OPT(AuthorizationList, attestationIdModel, ASN1_ANY, TAG_ATTESTATION_ID_MODEL),
199 ASN1_EXP_OPT(AuthorizationList, attestationIdSocid, ASN1_ANY, TAG_ATTESTATION_ID_SOCID),
200 ASN1_EXP_OPT(AuthorizationList, bootPatchLevel, ASN1_INTEGER, TAG_BOOT_PATCH_LEVEL),
201 ASN1_EXP_OPT(AuthorizationList, deviceUniqueAttestation, ASN1_NULL, TAG_DEVICE_UNIQUE_ATTESTATION),
202 ASN1_EXP_OPT(AuthorizationList, attestationIdSecondImei, ASN1_ANY, TAG_ATTESTATION_ID_SECOND_IMEI),
203 ASN1_EXP_OPT(AuthorizationList, moduleHash, ASN1_ANY, TAG_MODULE_HASH),
204 ASN1_EXP_OPT(AuthorizationList, attestationIdUdid, ASN1_ANY, TAG_ATTESTATION_ID_UDID)
205 } ASN1_SEQUENCE_END(AuthorizationList)
206
207 ASN1_SEQUENCE(KeyDescription) = {
208 ASN1_SIMPLE(KeyDescription, attestationVersion, ASN1_INTEGER),
209 ASN1_SIMPLE(KeyDescription, attestationSecurityLevel, ASN1_ENUMERATED),
210 ASN1_SIMPLE(KeyDescription, keyMintVersion, ASN1_INTEGER),
211 ASN1_SIMPLE(KeyDescription, keyMintSecurityLevel, ASN1_ENUMERATED),
212 ASN1_SIMPLE(KeyDescription, attestationChallenge, ASN1_OCTET_STRING),
213 ASN1_SIMPLE(KeyDescription, uniqueId, ASN1_OCTET_STRING),
214 ASN1_SIMPLE(KeyDescription, softwareEnforced, AuthorizationList),
215 ASN1_SIMPLE(KeyDescription, hardwareEnforced, AuthorizationList)
216 } ASN1_SEQUENCE_END(KeyDescription)
217
218 struct LegacyKeyDescription {
219 KeyDescription *keyDescription;
220 CfInt64Array *purpose;
221 CfInt64Array *digest;
222 CfInt64Array *padding;
223 };
224
ParseKeyDescription(X509_EXTENSION * extension,KeyDescription ** keyDescription)225 CfResult ParseKeyDescription(X509_EXTENSION *extension, KeyDescription **keyDescription)
226 {
227 ASN1_OCTET_STRING *extValue = X509_EXTENSION_get_data(extension);
228 if (extValue == NULL) {
229 LOGE("X509_EXTENSION_get_data failed\n");
230 return CF_ERR_CRYPTO_OPERATION;
231 }
232
233 int extValueLen = ASN1_STRING_length(extValue);
234 const unsigned char *data = ASN1_STRING_get0_data(extValue);
235 KeyDescription *keyDesc = d2i_KeyDescription(NULL, &data, extValueLen);
236 if (keyDesc == NULL) {
237 LOGE("d2i_KeyDescription failed\n");
238 return CF_ERR_CRYPTO_OPERATION;
239 }
240 *keyDescription = keyDesc;
241 return CF_SUCCESS;
242 }
243
ParseInt64Array(STACK_OF (ASN1_INTEGER)* data,CfInt64Array ** out)244 static CfResult ParseInt64Array(STACK_OF(ASN1_INTEGER) *data, CfInt64Array **out)
245 {
246 if (data == NULL) {
247 return CF_SUCCESS;
248 }
249
250 int count = sk_ASN1_INTEGER_num(data);
251 if (count == 0) {
252 return CF_SUCCESS;
253 }
254
255 CfInt64Array *array = (CfInt64Array *)CfMalloc(sizeof(CfInt64Array), 0);
256 if (array == NULL) {
257 LOGE("Malloc failed\n");
258 return CF_ERR_MALLOC;
259 }
260
261 array->data = (int64_t *)CfMalloc(sizeof(int64_t) * count, 0);
262 if (array->data == NULL) {
263 LOGE("Malloc failed\n");
264 CfFree(array);
265 array = NULL;
266 return CF_ERR_MALLOC;
267 }
268
269 int i;
270 for (i = 0; i < count; i++) {
271 ASN1_INTEGER *asn1Integer = sk_ASN1_INTEGER_value(data, i);
272 if (ASN1_INTEGER_get_int64(&array->data[i], asn1Integer) != 1) {
273 LOGE("ASN1_INTEGER_get_int64 failed\n");
274 CfFree(array->data);
275 array->data = NULL;
276 CfFree(array);
277 array = NULL;
278 return CF_ERR_CRYPTO_OPERATION;
279 }
280 }
281 array->size = (uint32_t)count;
282 *out = array;
283 return CF_SUCCESS;
284 }
285
ParseSetOfItems(LegacyKeyDescription * legacyKeyDescription)286 static CfResult ParseSetOfItems(LegacyKeyDescription *legacyKeyDescription)
287 {
288 if (legacyKeyDescription == NULL || legacyKeyDescription->keyDescription == NULL) {
289 return CF_ERR_EXTENSION_NOT_EXIST;
290 }
291 AuthorizationList *hardwareEnforced = legacyKeyDescription->keyDescription->hardwareEnforced;
292 if (hardwareEnforced == NULL) {
293 return CF_ERR_EXTENSION_NOT_EXIST;
294 }
295
296 CfResult ret = ParseInt64Array(hardwareEnforced->purpose, &legacyKeyDescription->purpose);
297 if (ret != CF_SUCCESS) {
298 return ret;
299 }
300
301 ret = ParseInt64Array(hardwareEnforced->digest, &legacyKeyDescription->digest);
302 if (ret != CF_SUCCESS) {
303 return ret;
304 }
305 return ParseInt64Array(hardwareEnforced->padding, &legacyKeyDescription->padding);
306 }
307
FreeHmKeyDescription(LegacyKeyDescription * legacy)308 void FreeHmKeyDescription(LegacyKeyDescription *legacy)
309 {
310 if (legacy == NULL) {
311 return;
312 }
313
314 if (legacy->purpose != NULL) {
315 CfFree(legacy->purpose->data);
316 legacy->purpose->data = NULL;
317 CfFree(legacy->purpose);
318 legacy->purpose = NULL;
319 }
320 if (legacy->digest != NULL) {
321 CfFree(legacy->digest->data);
322 legacy->digest->data = NULL;
323 CfFree(legacy->digest);
324 legacy->digest = NULL;
325 }
326 if (legacy->padding != NULL) {
327 CfFree(legacy->padding->data);
328 legacy->padding->data = NULL;
329 CfFree(legacy->padding);
330 legacy->padding = NULL;
331 }
332 KeyDescription_free(legacy->keyDescription);
333 legacy->keyDescription = NULL;
334 CfFree(legacy);
335 }
336
GetHmKeyDescription(const X509 * cert,LegacyKeyDescription ** legacy)337 CfResult GetHmKeyDescription(const X509 *cert, LegacyKeyDescription **legacy)
338 {
339 if (cert == NULL || legacy == NULL) {
340 return CF_NULL_POINTER;
341 }
342
343 X509_EXTENSION *extension = NULL;
344 CfResult ret = FindCertExt(cert, KEY_DESCRIPTION_OID, sizeof(KEY_DESCRIPTION_OID), &extension);
345 if (ret != CF_SUCCESS) {
346 LOGE("keyDescription is not exist\n");
347 return ret;
348 }
349
350 LegacyKeyDescription *out = (LegacyKeyDescription *)CfMalloc(sizeof(LegacyKeyDescription), 0);
351 if (out == NULL) {
352 LOGE("Malloc failed\n");
353 return CF_ERR_MALLOC;
354 }
355
356 ret = ParseKeyDescription(extension, &out->keyDescription);
357 if (ret != CF_SUCCESS) {
358 LOGE("ParseKeyDescription failed, ret = %{public}d\n", ret);
359 CfFree(out);
360 out = NULL;
361 return ret;
362 }
363
364 ret = ParseSetOfItems(out);
365 if (ret != CF_SUCCESS) {
366 LOGE("ParseSetOfItems failed, ret = %{public}d\n", ret);
367 FreeHmKeyDescription(out);
368 out = NULL;
369 return ret;
370 }
371 *legacy = out;
372 return CF_SUCCESS;
373 }
374
GetOctetString(ASN1_OCTET_STRING * octetString,CfBlob * out)375 static CfResult GetOctetString(ASN1_OCTET_STRING *octetString, CfBlob *out)
376 {
377 if (octetString == NULL) {
378 return CF_ERR_EXTENSION_NOT_EXIST;
379 }
380 out->size = (uint32_t)ASN1_STRING_length(octetString);
381 out->data = (uint8_t *)ASN1_STRING_get0_data(octetString);
382 return CF_SUCCESS;
383 }
384
GetInt64(ASN1_INTEGER * in,int64_t * v)385 static CfResult GetInt64(ASN1_INTEGER *in, int64_t *v)
386 {
387 if (in == NULL) {
388 return CF_ERR_EXTENSION_NOT_EXIST;
389 }
390 CfResult ret = ASN1_INTEGER_get_int64(v, in);
391 if (ret != 1) {
392 return CF_ERR_CRYPTO_OPERATION;
393 }
394 return CF_SUCCESS;
395 }
396
GetNull(ASN1_NULL * in)397 static CfResult GetNull(ASN1_NULL *in)
398 {
399 if (in == NULL) {
400 return CF_ERR_EXTENSION_NOT_EXIST;
401 }
402
403 return CF_SUCCESS;
404 }
405
GetEnum(ASN1_INTEGER * in,int64_t * v)406 static CfResult GetEnum(ASN1_INTEGER *in, int64_t *v)
407 {
408 if (in == NULL) {
409 return CF_ERR_EXTENSION_NOT_EXIST;
410 }
411 CfResult ret = ASN1_ENUMERATED_get_int64(v, in);
412 if (ret != 1) {
413 return CF_ERR_CRYPTO_OPERATION;
414 }
415 return CF_SUCCESS;
416 }
417
GetInt64Array(CfInt64Array * src,CfInt64Array * dst)418 static CfResult GetInt64Array(CfInt64Array *src, CfInt64Array *dst)
419 {
420 if (src == NULL) {
421 return CF_ERR_EXTENSION_NOT_EXIST;
422 }
423 dst->size = src->size;
424 dst->data = src->data;
425 return CF_SUCCESS;
426 }
427
GetKeyDescriptionInfo(LegacyKeyDescription * legacy,HmAttestationCertExtType type,HmAttestationCertExt * ext)428 static CfResult GetKeyDescriptionInfo(LegacyKeyDescription *legacy, HmAttestationCertExtType type,
429 HmAttestationCertExt *ext)
430 {
431 KeyDescription *keyDescription = legacy->keyDescription;
432 switch (type) {
433 case LEGACY_VERSION:
434 return GetInt64(keyDescription->attestationVersion, &ext->int64Value);
435 case LEGACY_SECURITY_LEVEL:
436 return GetEnum(keyDescription->attestationSecurityLevel, &ext->int64Value);
437 case LEGACY_KM_VERSION:
438 return GetInt64(keyDescription->keyMintVersion, &ext->int64Value);
439 case LEGACY_KM_SECURITY_LEVEL:
440 return GetEnum(keyDescription->keyMintSecurityLevel, &ext->int64Value);
441 case LEGACY_CHALLENGE:
442 return GetOctetString(keyDescription->attestationChallenge, &ext->blob);
443 case LEGACY_UNIQUE_ID:
444 return GetOctetString(keyDescription->uniqueId, &ext->blob);
445 default:
446 return CF_ERR_PARAMETER_CHECK;
447 }
448 }
449
GetAuthorizationInfoBase(LegacyKeyDescription * legacy,HmAttestationCertExtType type,HmAttestationCertExt * ext)450 static CfResult GetAuthorizationInfoBase(LegacyKeyDescription *legacy, HmAttestationCertExtType type,
451 HmAttestationCertExt *ext)
452 {
453 AuthorizationList *hardwareEnforced = legacy->keyDescription->hardwareEnforced;
454 if (hardwareEnforced == NULL) {
455 return CF_ERR_EXTENSION_NOT_EXIST;
456 }
457 switch (type) {
458 case KM_TAG_PURPOSE:
459 return GetInt64Array(legacy->purpose, &ext->int64Array);
460 case KM_TAG_ALGORITHM:
461 return GetInt64(hardwareEnforced->algorithm, &ext->int64Value);
462 case KM_TAG_KEY_SIZE:
463 return GetInt64(hardwareEnforced->keySize, &ext->int64Value);
464 case KM_TAG_KEY_DIGEST:
465 return GetInt64Array(legacy->digest, &ext->int64Array);
466 case KM_TAG_KEY_PADDING:
467 return GetInt64Array(legacy->padding, &ext->int64Array);
468 case KM_TAG_EC_CURVE:
469 return GetInt64(hardwareEnforced->ecCurve, &ext->int64Value);
470 case KM_TAG_RSA_PUBLIC_EXPONENT:
471 return GetInt64(hardwareEnforced->rsaPublicExponent, &ext->int64Value);
472 case KM_TAG_NO_AUTH_REQUIRED:
473 return GetNull(hardwareEnforced->noAuthRequired);
474 case KM_TAG_USER_AUTH_TYPE:
475 return GetInt64(hardwareEnforced->userAuthType, &ext->int64Value);
476 case KM_TAG_CREATION_DATETIME:
477 return GetInt64(hardwareEnforced->creationDateTime, &ext->int64Value);
478 case KM_TAG_ORIGIN:
479 return GetInt64(hardwareEnforced->origin, &ext->int64Value);
480 case KM_TAG_OS_VERSION:
481 return GetInt64(hardwareEnforced->osVersion, &ext->int64Value);
482 case KM_TAG_OS_PATCH_LEVEL:
483 return GetInt64(hardwareEnforced->osPatchLevel, &ext->int64Value);
484 default:
485 return CF_ERR_PARAMETER_CHECK;
486 }
487 }
488
GetAuthorizationInfoEx(LegacyKeyDescription * legacy,HmAttestationCertExtType type,HmAttestationCertExt * ext)489 static CfResult GetAuthorizationInfoEx(LegacyKeyDescription *legacy, HmAttestationCertExtType type,
490 HmAttestationCertExt *ext)
491 {
492 AuthorizationList *hardwareEnforced = legacy->keyDescription->hardwareEnforced;
493 if (hardwareEnforced == NULL) {
494 return CF_ERR_EXTENSION_NOT_EXIST;
495 }
496 switch (type) {
497 case KM_TAG_ATTESTATION_ID_BRAND:
498 return GetOctectOrUtf8Data(hardwareEnforced->attestationIdBrand, &ext->blob);
499 case KM_TAG_ATTESTATION_ID_DEVICE:
500 return GetOctectOrUtf8Data(hardwareEnforced->attestationIdDevice, &ext->blob);
501 case KM_TAG_ATTESTATION_ID_PRODUCT:
502 return GetOctectOrUtf8Data(hardwareEnforced->attestationIdProduct, &ext->blob);
503 case KM_TAG_ATTESTATION_ID_SERIAL:
504 return GetOctectOrUtf8Data(hardwareEnforced->attestationIdSerial, &ext->blob);
505 case KM_TAG_ATTESTATION_ID_IMEI:
506 return GetOctectOrUtf8Data(hardwareEnforced->attestationIdImei, &ext->blob);
507 case KM_TAG_ATTESTATION_ID_MEID:
508 return GetOctectOrUtf8Data(hardwareEnforced->attestationIdMeid, &ext->blob);
509 case KM_TAG_ATTESTATION_ID_MANUFACTURER:
510 return GetOctectOrUtf8Data(hardwareEnforced->attestationIdManufacturer, &ext->blob);
511 case KM_TAG_ATTESTATION_ID_MODEL:
512 return GetOctectOrUtf8Data(hardwareEnforced->attestationIdModel, &ext->blob);
513 case KM_TAG_ATTESTATION_ID_SOCID:
514 return GetOctectOrUtf8Data(hardwareEnforced->attestationIdSocid, &ext->blob);
515 case KM_TAG_ATTESTATION_ID_UDID:
516 return GetOctectOrUtf8Data(hardwareEnforced->attestationIdUdid, &ext->blob);
517 default:
518 return CF_ERR_PARAMETER_CHECK;
519 }
520 }
521
GetKeyDescriptionExt(LegacyKeyDescription * legacy,HmAttestationCertExtType type,HmAttestationCertExt * ext)522 CfResult GetKeyDescriptionExt(LegacyKeyDescription *legacy, HmAttestationCertExtType type, HmAttestationCertExt *ext)
523 {
524 if (legacy == NULL || legacy->keyDescription == NULL) {
525 return CF_ERR_EXTENSION_NOT_EXIST;
526 }
527 if (type >= LEGACY_VERSION && type <= LEGACY_UNIQUE_ID) {
528 return GetKeyDescriptionInfo(legacy, type, ext);
529 }
530 if (type >= KM_TAG_PURPOSE && type <= KM_TAG_OS_PATCH_LEVEL) {
531 return GetAuthorizationInfoBase(legacy, type, ext);
532 }
533 if (type >= KM_TAG_ATTESTATION_ID_BRAND && type <= KM_TAG_ATTESTATION_ID_UDID) {
534 return GetAuthorizationInfoEx(legacy, type, ext);
535 }
536 return CF_ERR_PARAMETER_CHECK;
537 }
538