1 /*
2 * Copyright 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymasterV4_1/attestation_record.h>
18
19 #include <android-base/logging.h>
20 #include <assert.h>
21
22 #include <openssl/asn1t.h>
23 #include <openssl/bn.h>
24 #include <openssl/evp.h>
25 #include <openssl/x509.h>
26
27 #include <keymasterV4_0/authorization_set.h>
28 #include <keymasterV4_0/openssl_utils.h>
29
30 #define AT __FILE__ ":" << __LINE__
31
32 /*
33 * NOTE: The contents of this file are *extremely* similar to the contents of the V4_0 copy of the
34 * same support file. Unfortunately, small changes in the scheme mean that the schema types have to
35 * be distinct, which drives almost everything else to be different as well. In the next version we
36 * plan to abandon not just this openssl mechanism for parsing ASN.1, but ASN.1 entirely, so
37 * eventually all of this duplication can be removed.
38 */
39
40 namespace android {
41 namespace hardware {
42 namespace keymaster {
43 namespace V4_1 {
44
45 struct stack_st_ASN1_TYPE_Delete {
operator ()android::hardware::keymaster::V4_1::stack_st_ASN1_TYPE_Delete46 void operator()(stack_st_ASN1_TYPE* p) { sk_ASN1_TYPE_free(p); }
47 };
48
49 struct ASN1_STRING_Delete {
operator ()android::hardware::keymaster::V4_1::ASN1_STRING_Delete50 void operator()(ASN1_STRING* p) { ASN1_STRING_free(p); }
51 };
52
53 struct ASN1_TYPE_Delete {
operator ()android::hardware::keymaster::V4_1::ASN1_TYPE_Delete54 void operator()(ASN1_TYPE* p) { ASN1_TYPE_free(p); }
55 };
56
57 #define ASN1_INTEGER_SET STACK_OF(ASN1_INTEGER)
58
59 typedef struct km_root_of_trust {
60 ASN1_OCTET_STRING* verified_boot_key;
61 ASN1_BOOLEAN device_locked;
62 ASN1_ENUMERATED* verified_boot_state;
63 ASN1_OCTET_STRING* verified_boot_hash;
64 } KM_ROOT_OF_TRUST;
65
66 ASN1_SEQUENCE(KM_ROOT_OF_TRUST) = {
67 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_key, ASN1_OCTET_STRING),
68 ASN1_SIMPLE(KM_ROOT_OF_TRUST, device_locked, ASN1_BOOLEAN),
69 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_state, ASN1_ENUMERATED),
70 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_hash, ASN1_OCTET_STRING),
71 } ASN1_SEQUENCE_END(KM_ROOT_OF_TRUST);
72 IMPLEMENT_ASN1_FUNCTIONS(KM_ROOT_OF_TRUST);
73
74 typedef struct km_auth_list {
75 ASN1_INTEGER_SET* purpose;
76 ASN1_INTEGER* algorithm;
77 ASN1_INTEGER* key_size;
78 ASN1_INTEGER_SET* digest;
79 ASN1_INTEGER_SET* padding;
80 ASN1_INTEGER* ec_curve;
81 ASN1_INTEGER* rsa_public_exponent;
82 ASN1_INTEGER* active_date_time;
83 ASN1_INTEGER* origination_expire_date_time;
84 ASN1_INTEGER* usage_expire_date_time;
85 ASN1_NULL* no_auth_required;
86 ASN1_INTEGER* user_auth_type;
87 ASN1_INTEGER* auth_timeout;
88 ASN1_NULL* allow_while_on_body;
89 ASN1_NULL* all_applications;
90 ASN1_OCTET_STRING* application_id;
91 ASN1_INTEGER* creation_date_time;
92 ASN1_INTEGER* origin;
93 ASN1_NULL* rollback_resistance;
94 KM_ROOT_OF_TRUST* root_of_trust;
95 ASN1_INTEGER* os_version;
96 ASN1_INTEGER* os_patchlevel;
97 ASN1_OCTET_STRING* attestation_application_id;
98 ASN1_NULL* trusted_user_presence_required;
99 ASN1_NULL* trusted_confirmation_required;
100 ASN1_NULL* unlocked_device_required;
101 ASN1_INTEGER* vendor_patchlevel;
102 ASN1_INTEGER* boot_patchlevel;
103 ASN1_NULL* early_boot_only;
104 ASN1_NULL* device_unique_attestation;
105 ASN1_NULL* identity_credential_key;
106 } KM_AUTH_LIST;
107
108 ASN1_SEQUENCE(KM_AUTH_LIST) = {
109 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, purpose, ASN1_INTEGER, TAG_PURPOSE.maskedTag()),
110 ASN1_EXP_OPT(KM_AUTH_LIST, algorithm, ASN1_INTEGER, TAG_ALGORITHM.maskedTag()),
111 ASN1_EXP_OPT(KM_AUTH_LIST, key_size, ASN1_INTEGER, TAG_KEY_SIZE.maskedTag()),
112 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, digest, ASN1_INTEGER, TAG_DIGEST.maskedTag()),
113 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, padding, ASN1_INTEGER, TAG_PADDING.maskedTag()),
114 ASN1_EXP_OPT(KM_AUTH_LIST, ec_curve, ASN1_INTEGER, TAG_EC_CURVE.maskedTag()),
115 ASN1_EXP_OPT(KM_AUTH_LIST, rsa_public_exponent, ASN1_INTEGER,
116 TAG_RSA_PUBLIC_EXPONENT.maskedTag()),
117 ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL,
118 TAG_ROLLBACK_RESISTANCE.maskedTag()),
119 ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()),
120 ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER,
121 TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()),
122 ASN1_EXP_OPT(KM_AUTH_LIST, usage_expire_date_time, ASN1_INTEGER,
123 TAG_USAGE_EXPIRE_DATETIME.maskedTag()),
124 ASN1_EXP_OPT(KM_AUTH_LIST, no_auth_required, ASN1_NULL, TAG_NO_AUTH_REQUIRED.maskedTag()),
125 ASN1_EXP_OPT(KM_AUTH_LIST, user_auth_type, ASN1_INTEGER, TAG_USER_AUTH_TYPE.maskedTag()),
126 ASN1_EXP_OPT(KM_AUTH_LIST, auth_timeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT.maskedTag()),
127 ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL,
128 TAG_ALLOW_WHILE_ON_BODY.maskedTag()),
129 ASN1_EXP_OPT(KM_AUTH_LIST, trusted_user_presence_required, ASN1_NULL,
130 TAG_TRUSTED_USER_PRESENCE_REQUIRED.maskedTag()),
131 ASN1_EXP_OPT(KM_AUTH_LIST, trusted_confirmation_required, ASN1_NULL,
132 TAG_TRUSTED_CONFIRMATION_REQUIRED.maskedTag()),
133 ASN1_EXP_OPT(KM_AUTH_LIST, unlocked_device_required, ASN1_NULL,
134 TAG_UNLOCKED_DEVICE_REQUIRED.maskedTag()),
135 ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER,
136 TAG_CREATION_DATETIME.maskedTag()),
137 ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.maskedTag()),
138 ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()),
139 ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()),
140 ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()),
141 ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER,
142 TAG_VENDOR_PATCHLEVEL.maskedTag()),
143 ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()),
144 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING,
145 TAG_ATTESTATION_APPLICATION_ID.maskedTag()),
146 ASN1_EXP_OPT(KM_AUTH_LIST, early_boot_only, ASN1_NULL, TAG_EARLY_BOOT_ONLY.maskedTag()),
147 ASN1_EXP_OPT(KM_AUTH_LIST, device_unique_attestation, ASN1_NULL,
148 TAG_DEVICE_UNIQUE_ATTESTATION.maskedTag()),
149 ASN1_EXP_OPT(KM_AUTH_LIST, identity_credential_key, ASN1_NULL,
150 TAG_IDENTITY_CREDENTIAL_KEY.maskedTag()),
151 } ASN1_SEQUENCE_END(KM_AUTH_LIST);
152 IMPLEMENT_ASN1_FUNCTIONS(KM_AUTH_LIST);
153
154 typedef struct km_key_description {
155 ASN1_INTEGER* attestation_version;
156 ASN1_ENUMERATED* attestation_security_level;
157 ASN1_INTEGER* keymaster_version;
158 ASN1_ENUMERATED* keymaster_security_level;
159 ASN1_OCTET_STRING* attestation_challenge;
160 KM_AUTH_LIST* software_enforced;
161 KM_AUTH_LIST* tee_enforced;
162 ASN1_INTEGER* unique_id;
163 } KM_KEY_DESCRIPTION;
164
165 ASN1_SEQUENCE(KM_KEY_DESCRIPTION) = {
166 ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_version, ASN1_INTEGER),
167 ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_security_level, ASN1_ENUMERATED),
168 ASN1_SIMPLE(KM_KEY_DESCRIPTION, keymaster_version, ASN1_INTEGER),
169 ASN1_SIMPLE(KM_KEY_DESCRIPTION, keymaster_security_level, ASN1_ENUMERATED),
170 ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_challenge, ASN1_OCTET_STRING),
171 ASN1_SIMPLE(KM_KEY_DESCRIPTION, unique_id, ASN1_OCTET_STRING),
172 ASN1_SIMPLE(KM_KEY_DESCRIPTION, software_enforced, KM_AUTH_LIST),
173 ASN1_SIMPLE(KM_KEY_DESCRIPTION, tee_enforced, KM_AUTH_LIST),
174 } ASN1_SEQUENCE_END(KM_KEY_DESCRIPTION);
175 IMPLEMENT_ASN1_FUNCTIONS(KM_KEY_DESCRIPTION);
176
177 template <V4_0::Tag tag>
copyAuthTag(const stack_st_ASN1_INTEGER * stack,TypedTag<TagType::ENUM_REP,tag> ttag,AuthorizationSet * auth_list)178 void copyAuthTag(const stack_st_ASN1_INTEGER* stack, TypedTag<TagType::ENUM_REP, tag> ttag,
179 AuthorizationSet* auth_list) {
180 typedef typename V4_0::TypedTag2ValueType<decltype(ttag)>::type ValueT;
181 for (size_t i = 0; i < sk_ASN1_INTEGER_num(stack); ++i) {
182 auth_list->push_back(
183 ttag, static_cast<ValueT>(ASN1_INTEGER_get(sk_ASN1_INTEGER_value(stack, i))));
184 }
185 }
186
187 template <V4_0::Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::ENUM,tag> ttag,AuthorizationSet * auth_list)188 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::ENUM, tag> ttag,
189 AuthorizationSet* auth_list) {
190 typedef typename V4_0::TypedTag2ValueType<decltype(ttag)>::type ValueT;
191 if (!asn1_int) return;
192 auth_list->push_back(ttag, static_cast<ValueT>(ASN1_INTEGER_get(asn1_int)));
193 }
194
195 template <V4_0::Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::UINT,tag> ttag,AuthorizationSet * auth_list)196 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::UINT, tag> ttag,
197 AuthorizationSet* auth_list) {
198 if (!asn1_int) return;
199 auth_list->push_back(ttag, ASN1_INTEGER_get(asn1_int));
200 }
201
construct_uint_max()202 BIGNUM* construct_uint_max() {
203 BIGNUM* value = BN_new();
204 BIGNUM_Ptr one(BN_new());
205 BN_one(one.get());
206 BN_lshift(value, one.get(), 32);
207 return value;
208 }
209
BignumToUint64(BIGNUM * num)210 uint64_t BignumToUint64(BIGNUM* num) {
211 static_assert((sizeof(BN_ULONG) == sizeof(uint32_t)) || (sizeof(BN_ULONG) == sizeof(uint64_t)),
212 "This implementation only supports 32 and 64-bit BN_ULONG");
213 if (sizeof(BN_ULONG) == sizeof(uint32_t)) {
214 BIGNUM_Ptr uint_max(construct_uint_max());
215 BIGNUM_Ptr hi(BN_new()), lo(BN_new());
216 BN_CTX_Ptr ctx(BN_CTX_new());
217 BN_div(hi.get(), lo.get(), num, uint_max.get(), ctx.get());
218 return static_cast<uint64_t>(BN_get_word(hi.get())) << 32 | BN_get_word(lo.get());
219 } else if (sizeof(BN_ULONG) == sizeof(uint64_t)) {
220 return BN_get_word(num);
221 } else {
222 return 0;
223 }
224 }
225
226 template <V4_0::Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::ULONG,tag> ttag,AuthorizationSet * auth_list)227 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::ULONG, tag> ttag,
228 AuthorizationSet* auth_list) {
229 if (!asn1_int) return;
230 BIGNUM_Ptr num(ASN1_INTEGER_to_BN(asn1_int, nullptr));
231 auth_list->push_back(ttag, BignumToUint64(num.get()));
232 }
233
234 template <V4_0::Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::DATE,tag> ttag,AuthorizationSet * auth_list)235 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::DATE, tag> ttag,
236 AuthorizationSet* auth_list) {
237 if (!asn1_int) return;
238 BIGNUM_Ptr num(ASN1_INTEGER_to_BN(asn1_int, nullptr));
239 auth_list->push_back(ttag, BignumToUint64(num.get()));
240 }
241
242 template <V4_0::Tag tag>
copyAuthTag(const ASN1_NULL * asn1_null,TypedTag<TagType::BOOL,tag> ttag,AuthorizationSet * auth_list)243 void copyAuthTag(const ASN1_NULL* asn1_null, TypedTag<TagType::BOOL, tag> ttag,
244 AuthorizationSet* auth_list) {
245 if (!asn1_null) return;
246 auth_list->push_back(ttag);
247 }
248
249 template <V4_0::Tag tag>
copyAuthTag(const ASN1_OCTET_STRING * asn1_string,TypedTag<TagType::BYTES,tag> ttag,AuthorizationSet * auth_list)250 void copyAuthTag(const ASN1_OCTET_STRING* asn1_string, TypedTag<TagType::BYTES, tag> ttag,
251 AuthorizationSet* auth_list) {
252 if (!asn1_string) return;
253 hidl_vec<uint8_t> buf;
254 buf.setToExternal(asn1_string->data, asn1_string->length);
255 auth_list->push_back(ttag, buf);
256 }
257
258 // Extract the values from the specified ASN.1 record and place them in auth_list.
extract_auth_list(const KM_AUTH_LIST * record,AuthorizationSet * auth_list)259 static ErrorCode extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet* auth_list) {
260 if (!record) return ErrorCode::OK;
261
262 copyAuthTag(record->active_date_time, TAG_ACTIVE_DATETIME, auth_list);
263 copyAuthTag(record->algorithm, TAG_ALGORITHM, auth_list);
264 copyAuthTag(record->application_id, TAG_APPLICATION_ID, auth_list);
265 copyAuthTag(record->auth_timeout, TAG_AUTH_TIMEOUT, auth_list);
266 copyAuthTag(record->creation_date_time, TAG_CREATION_DATETIME, auth_list);
267 copyAuthTag(record->digest, TAG_DIGEST, auth_list);
268 copyAuthTag(record->ec_curve, TAG_EC_CURVE, auth_list);
269 copyAuthTag(record->key_size, TAG_KEY_SIZE, auth_list);
270 copyAuthTag(record->no_auth_required, TAG_NO_AUTH_REQUIRED, auth_list);
271 copyAuthTag(record->origin, TAG_ORIGIN, auth_list);
272 copyAuthTag(record->origination_expire_date_time, TAG_ORIGINATION_EXPIRE_DATETIME, auth_list);
273 copyAuthTag(record->os_patchlevel, TAG_OS_PATCHLEVEL, auth_list);
274 copyAuthTag(record->os_version, TAG_OS_VERSION, auth_list);
275 copyAuthTag(record->padding, TAG_PADDING, auth_list);
276 copyAuthTag(record->purpose, TAG_PURPOSE, auth_list);
277 copyAuthTag(record->rollback_resistance, TAG_ROLLBACK_RESISTANCE, auth_list);
278 copyAuthTag(record->rsa_public_exponent, TAG_RSA_PUBLIC_EXPONENT, auth_list);
279 copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list);
280 copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list);
281 copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list);
282 copyAuthTag(record->vendor_patchlevel, TAG_VENDOR_PATCHLEVEL, auth_list);
283 copyAuthTag(record->boot_patchlevel, TAG_BOOT_PATCHLEVEL, auth_list);
284 copyAuthTag(record->trusted_user_presence_required, TAG_TRUSTED_USER_PRESENCE_REQUIRED,
285 auth_list);
286 copyAuthTag(record->trusted_confirmation_required, TAG_TRUSTED_CONFIRMATION_REQUIRED,
287 auth_list);
288 copyAuthTag(record->unlocked_device_required, TAG_UNLOCKED_DEVICE_REQUIRED, auth_list);
289 copyAuthTag(record->early_boot_only, TAG_EARLY_BOOT_ONLY, auth_list);
290 copyAuthTag(record->device_unique_attestation, TAG_DEVICE_UNIQUE_ATTESTATION, auth_list);
291 copyAuthTag(record->identity_credential_key, TAG_IDENTITY_CREDENTIAL_KEY, auth_list);
292
293 return ErrorCode::OK;
294 }
295
MAKE_OPENSSL_PTR_TYPE(KM_KEY_DESCRIPTION)296 MAKE_OPENSSL_PTR_TYPE(KM_KEY_DESCRIPTION)
297
298 // Parse the DER-encoded attestation record, placing the results in keymaster_version,
299 // attestation_challenge, software_enforced, tee_enforced and unique_id.
300 std::tuple<ErrorCode, AttestationRecord> parse_attestation_record(const hidl_vec<uint8_t>& cert) {
301 const uint8_t* p = cert.data();
302 X509_Ptr x509(d2i_X509(nullptr, &p, cert.size()));
303 if (!x509.get()) {
304 LOG(ERROR) << "Error converting DER";
305 return {ErrorCode::INVALID_ARGUMENT, {}};
306 }
307
308 ASN1_OBJECT_Ptr oid(OBJ_txt2obj(kAttestionRecordOid, 1 /* dotted string format */));
309 if (!oid.get()) {
310 LOG(ERROR) << "Error parsing OID";
311 return {ErrorCode::UNKNOWN_ERROR, {}};
312 }
313
314 int location = X509_get_ext_by_OBJ(x509.get(), oid.get(), -1 /* search from beginning */);
315 if (location == -1) {
316 LOG(ERROR) << "Attestation extension not found in certificate";
317 return {ErrorCode::UNKNOWN_ERROR, {}};
318 }
319
320 X509_EXTENSION* attest_rec_ext = X509_get_ext(x509.get(), location);
321 if (!attest_rec_ext) {
322 LOG(ERROR) << "Found extension but couldn't retrieve it. Probably BoringSSL bug.";
323 return {ErrorCode::UNKNOWN_ERROR, {}};
324 }
325
326 ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext);
327 if (!attest_rec_ext) {
328 LOG(ERROR) << "Attestation extension contained no data";
329 return {ErrorCode::UNKNOWN_ERROR, {}};
330 }
331
332 p = attest_rec->data;
333 KM_KEY_DESCRIPTION_Ptr record(d2i_KM_KEY_DESCRIPTION(nullptr, &p, attest_rec->length));
334 if (!record.get()) {
335 LOG(ERROR) << "Unable to get key description";
336 return {ErrorCode::UNKNOWN_ERROR, {}};
337 }
338
339 AttestationRecord result;
340
341 result.attestation_version = ASN1_INTEGER_get(record->attestation_version);
342 result.attestation_security_level =
343 static_cast<SecurityLevel>(ASN1_ENUMERATED_get(record->attestation_security_level));
344 result.keymaster_version = ASN1_INTEGER_get(record->keymaster_version);
345 result.keymaster_security_level =
346 static_cast<SecurityLevel>(ASN1_ENUMERATED_get(record->keymaster_security_level));
347
348 auto& chall = record->attestation_challenge;
349 result.attestation_challenge.resize(chall->length);
350 memcpy(result.attestation_challenge.data(), chall->data, chall->length);
351 auto& uid = record->unique_id;
352 result.unique_id.resize(uid->length);
353 memcpy(result.unique_id.data(), uid->data, uid->length);
354
355 ErrorCode error = extract_auth_list(record->software_enforced, &result.software_enforced);
356 if (error != ErrorCode::OK) return {error, {}};
357
358 error = extract_auth_list(record->tee_enforced, &result.hardware_enforced);
359 if (error != ErrorCode::OK) return {error, {}};
360
361 KM_ROOT_OF_TRUST* root_of_trust = nullptr;
362 SecurityLevel root_of_trust_security_level = SecurityLevel::TRUSTED_ENVIRONMENT;
363 if (record->tee_enforced && record->tee_enforced->root_of_trust) {
364 root_of_trust = record->tee_enforced->root_of_trust;
365 } else if (record->software_enforced && record->software_enforced->root_of_trust) {
366 root_of_trust = record->software_enforced->root_of_trust;
367 root_of_trust_security_level = SecurityLevel::SOFTWARE;
368 } else {
369 LOG(ERROR) << AT << " Failed root of trust parsing";
370 return {ErrorCode::INVALID_ARGUMENT, {}};
371 }
372 if (!root_of_trust->verified_boot_key) {
373 LOG(ERROR) << AT << " Failed verified boot key parsing";
374 return {ErrorCode::INVALID_ARGUMENT, {}};
375 }
376
377 RootOfTrust& rot = result.root_of_trust;
378 auto& vb_key = root_of_trust->verified_boot_key;
379 rot.verified_boot_key.resize(vb_key->length);
380 memcpy(rot.verified_boot_key.data(), vb_key->data, vb_key->length);
381
382 rot.verified_boot_state = static_cast<keymaster_verified_boot_t>(
383 ASN1_ENUMERATED_get(root_of_trust->verified_boot_state));
384 rot.device_locked = root_of_trust->device_locked;
385 rot.security_level = root_of_trust_security_level;
386
387 auto& vb_hash = root_of_trust->verified_boot_hash;
388 if (!vb_hash) {
389 LOG(ERROR) << AT << " Failed verified boot hash parsing";
390 return {ErrorCode::INVALID_ARGUMENT, {}};
391 }
392 rot.verified_boot_hash.resize(vb_hash->length);
393 memcpy(rot.verified_boot_hash.data(), vb_hash->data, vb_hash->length);
394
395 return {ErrorCode::OK, result};
396 }
397
398 } // namespace V4_1
399 } // namespace keymaster
400 } // namespace hardware
401 } // namespace android
402