1 /*
2 * Copyright 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymint_support/attestation_record.h>
18
19 #include <assert.h>
20
21 #include <aidl/android/hardware/security/keymint/Tag.h>
22 #include <aidl/android/hardware/security/keymint/TagType.h>
23
24 #include <android-base/logging.h>
25
26 #include <openssl/asn1t.h>
27 #include <openssl/bn.h>
28 #include <openssl/evp.h>
29 #include <openssl/x509.h>
30
31 #include <keymint_support/authorization_set.h>
32 #include <keymint_support/openssl_utils.h>
33
34 #define AT __FILE__ ":" << __LINE__
35
36 namespace aidl::android::hardware::security::keymint {
37
38 struct stack_st_ASN1_TYPE_Delete {
operator ()aidl::android::hardware::security::keymint::stack_st_ASN1_TYPE_Delete39 void operator()(stack_st_ASN1_TYPE* p) { sk_ASN1_TYPE_free(p); }
40 };
41
42 struct ASN1_STRING_Delete {
operator ()aidl::android::hardware::security::keymint::ASN1_STRING_Delete43 void operator()(ASN1_STRING* p) { ASN1_STRING_free(p); }
44 };
45
46 struct ASN1_TYPE_Delete {
operator ()aidl::android::hardware::security::keymint::ASN1_TYPE_Delete47 void operator()(ASN1_TYPE* p) { ASN1_TYPE_free(p); }
48 };
49
50 #define ASN1_INTEGER_SET STACK_OF(ASN1_INTEGER)
51
52 typedef struct km_root_of_trust {
53 ASN1_OCTET_STRING* verified_boot_key;
54 ASN1_BOOLEAN device_locked;
55 ASN1_ENUMERATED* verified_boot_state;
56 ASN1_OCTET_STRING* verified_boot_hash;
57 } KM_ROOT_OF_TRUST;
58
59 ASN1_SEQUENCE(KM_ROOT_OF_TRUST) = {
60 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_key, ASN1_OCTET_STRING),
61 ASN1_SIMPLE(KM_ROOT_OF_TRUST, device_locked, ASN1_BOOLEAN),
62 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_state, ASN1_ENUMERATED),
63 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_hash, ASN1_OCTET_STRING),
64 } ASN1_SEQUENCE_END(KM_ROOT_OF_TRUST);
65 IMPLEMENT_ASN1_FUNCTIONS(KM_ROOT_OF_TRUST);
66
67 // Fields ordered in tag order.
68 typedef struct km_auth_list {
69 ASN1_INTEGER_SET* purpose;
70 ASN1_INTEGER* algorithm;
71 ASN1_INTEGER* key_size;
72 ASN1_INTEGER_SET* digest;
73 ASN1_INTEGER_SET* padding;
74 ASN1_INTEGER* ec_curve;
75 ASN1_INTEGER* rsa_public_exponent;
76 ASN1_INTEGER_SET* mgf_digest;
77 ASN1_NULL* rollback_resistance;
78 ASN1_NULL* early_boot_only;
79 ASN1_INTEGER* active_date_time;
80 ASN1_INTEGER* origination_expire_date_time;
81 ASN1_INTEGER* usage_expire_date_time;
82 ASN1_INTEGER* usage_count_limit;
83 ASN1_NULL* no_auth_required;
84 ASN1_INTEGER* user_auth_type;
85 ASN1_INTEGER* auth_timeout;
86 ASN1_NULL* allow_while_on_body;
87 ASN1_NULL* trusted_user_presence_required;
88 ASN1_NULL* trusted_confirmation_required;
89 ASN1_NULL* unlocked_device_required;
90 ASN1_INTEGER* creation_date_time;
91 ASN1_INTEGER* origin;
92 KM_ROOT_OF_TRUST* root_of_trust;
93 ASN1_INTEGER* os_version;
94 ASN1_INTEGER* os_patchlevel;
95 ASN1_OCTET_STRING* attestation_application_id;
96 ASN1_OCTET_STRING* attestation_id_brand;
97 ASN1_OCTET_STRING* attestation_id_device;
98 ASN1_OCTET_STRING* attestation_id_product;
99 ASN1_OCTET_STRING* attestation_id_serial;
100 ASN1_OCTET_STRING* attestation_id_imei;
101 ASN1_OCTET_STRING* attestation_id_meid;
102 ASN1_OCTET_STRING* attestation_id_manufacturer;
103 ASN1_OCTET_STRING* attestation_id_model;
104 ASN1_INTEGER* vendor_patchlevel;
105 ASN1_INTEGER* boot_patchlevel;
106 ASN1_NULL* device_unique_attestation;
107 ASN1_NULL* identity_credential;
108 ASN1_OCTET_STRING* attestation_id_second_imei;
109 } KM_AUTH_LIST;
110
111 ASN1_SEQUENCE(KM_AUTH_LIST) = {
112 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, purpose, ASN1_INTEGER, TAG_PURPOSE.maskedTag()),
113 ASN1_EXP_OPT(KM_AUTH_LIST, algorithm, ASN1_INTEGER, TAG_ALGORITHM.maskedTag()),
114 ASN1_EXP_OPT(KM_AUTH_LIST, key_size, ASN1_INTEGER, TAG_KEY_SIZE.maskedTag()),
115 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, digest, ASN1_INTEGER, TAG_DIGEST.maskedTag()),
116 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, padding, ASN1_INTEGER, TAG_PADDING.maskedTag()),
117 ASN1_EXP_OPT(KM_AUTH_LIST, ec_curve, ASN1_INTEGER, TAG_EC_CURVE.maskedTag()),
118 ASN1_EXP_OPT(KM_AUTH_LIST, rsa_public_exponent, ASN1_INTEGER,
119 TAG_RSA_PUBLIC_EXPONENT.maskedTag()),
120 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, mgf_digest, ASN1_INTEGER,
121 TAG_RSA_OAEP_MGF_DIGEST.maskedTag()),
122 ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL,
123 TAG_ROLLBACK_RESISTANCE.maskedTag()),
124 ASN1_EXP_OPT(KM_AUTH_LIST, early_boot_only, ASN1_NULL, TAG_EARLY_BOOT_ONLY.maskedTag()),
125 ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()),
126 ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER,
127 TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()),
128 ASN1_EXP_OPT(KM_AUTH_LIST, usage_expire_date_time, ASN1_INTEGER,
129 TAG_USAGE_EXPIRE_DATETIME.maskedTag()),
130 ASN1_EXP_OPT(KM_AUTH_LIST, usage_count_limit, ASN1_INTEGER,
131 TAG_USAGE_COUNT_LIMIT.maskedTag()),
132 ASN1_EXP_OPT(KM_AUTH_LIST, no_auth_required, ASN1_NULL, TAG_NO_AUTH_REQUIRED.maskedTag()),
133 ASN1_EXP_OPT(KM_AUTH_LIST, user_auth_type, ASN1_INTEGER, TAG_USER_AUTH_TYPE.maskedTag()),
134 ASN1_EXP_OPT(KM_AUTH_LIST, auth_timeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT.maskedTag()),
135 ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL,
136 TAG_ALLOW_WHILE_ON_BODY.maskedTag()),
137 ASN1_EXP_OPT(KM_AUTH_LIST, trusted_user_presence_required, ASN1_NULL,
138 TAG_TRUSTED_USER_PRESENCE_REQUIRED.maskedTag()),
139 ASN1_EXP_OPT(KM_AUTH_LIST, trusted_confirmation_required, ASN1_NULL,
140 TAG_TRUSTED_CONFIRMATION_REQUIRED.maskedTag()),
141 ASN1_EXP_OPT(KM_AUTH_LIST, unlocked_device_required, ASN1_NULL,
142 TAG_UNLOCKED_DEVICE_REQUIRED.maskedTag()),
143 ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER,
144 TAG_CREATION_DATETIME.maskedTag()),
145 ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.maskedTag()),
146 ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()),
147 ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()),
148 ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()),
149 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING,
150 TAG_ATTESTATION_APPLICATION_ID.maskedTag()),
151 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_brand, ASN1_OCTET_STRING,
152 TAG_ATTESTATION_ID_BRAND.maskedTag()),
153 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_device, ASN1_OCTET_STRING,
154 TAG_ATTESTATION_ID_DEVICE.maskedTag()),
155 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_product, ASN1_OCTET_STRING,
156 TAG_ATTESTATION_ID_PRODUCT.maskedTag()),
157 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_serial, ASN1_OCTET_STRING,
158 TAG_ATTESTATION_ID_SERIAL.maskedTag()),
159 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_imei, ASN1_OCTET_STRING,
160 TAG_ATTESTATION_ID_IMEI.maskedTag()),
161 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_meid, ASN1_OCTET_STRING,
162 TAG_ATTESTATION_ID_MEID.maskedTag()),
163 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_manufacturer, ASN1_OCTET_STRING,
164 TAG_ATTESTATION_ID_MANUFACTURER.maskedTag()),
165 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_model, ASN1_OCTET_STRING,
166 TAG_ATTESTATION_ID_MODEL.maskedTag()),
167 ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER,
168 TAG_VENDOR_PATCHLEVEL.maskedTag()),
169 ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()),
170 ASN1_EXP_OPT(KM_AUTH_LIST, device_unique_attestation, ASN1_NULL,
171 TAG_DEVICE_UNIQUE_ATTESTATION.maskedTag()),
172 ASN1_EXP_OPT(KM_AUTH_LIST, identity_credential, ASN1_NULL,
173 TAG_IDENTITY_CREDENTIAL_KEY.maskedTag()),
174 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_second_imei, ASN1_OCTET_STRING,
175 TAG_ATTESTATION_ID_SECOND_IMEI.maskedTag()),
176 } ASN1_SEQUENCE_END(KM_AUTH_LIST);
177 IMPLEMENT_ASN1_FUNCTIONS(KM_AUTH_LIST);
178
179 typedef struct km_key_description {
180 ASN1_INTEGER* attestation_version;
181 ASN1_ENUMERATED* attestation_security_level;
182 ASN1_INTEGER* keymint_version;
183 ASN1_ENUMERATED* keymint_security_level;
184 ASN1_OCTET_STRING* attestation_challenge;
185 ASN1_INTEGER* unique_id;
186 KM_AUTH_LIST* software_enforced;
187 KM_AUTH_LIST* tee_enforced;
188 } KM_KEY_DESCRIPTION;
189
190 ASN1_SEQUENCE(KM_KEY_DESCRIPTION) = {
191 ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_version, ASN1_INTEGER),
192 ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_security_level, ASN1_ENUMERATED),
193 ASN1_SIMPLE(KM_KEY_DESCRIPTION, keymint_version, ASN1_INTEGER),
194 ASN1_SIMPLE(KM_KEY_DESCRIPTION, keymint_security_level, ASN1_ENUMERATED),
195 ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_challenge, ASN1_OCTET_STRING),
196 ASN1_SIMPLE(KM_KEY_DESCRIPTION, unique_id, ASN1_OCTET_STRING),
197 ASN1_SIMPLE(KM_KEY_DESCRIPTION, software_enforced, KM_AUTH_LIST),
198 ASN1_SIMPLE(KM_KEY_DESCRIPTION, tee_enforced, KM_AUTH_LIST),
199 } ASN1_SEQUENCE_END(KM_KEY_DESCRIPTION);
200 IMPLEMENT_ASN1_FUNCTIONS(KM_KEY_DESCRIPTION);
201
202 template <Tag tag>
copyAuthTag(const stack_st_ASN1_INTEGER * stack,TypedTag<TagType::ENUM_REP,tag> ttag,AuthorizationSet * auth_list)203 void copyAuthTag(const stack_st_ASN1_INTEGER* stack, TypedTag<TagType::ENUM_REP, tag> ttag,
204 AuthorizationSet* auth_list) {
205 typedef typename TypedTag2ValueType<decltype(ttag)>::type ValueT;
206 for (size_t i = 0; i < sk_ASN1_INTEGER_num(stack); ++i) {
207 auth_list->push_back(
208 ttag, static_cast<ValueT>(ASN1_INTEGER_get(sk_ASN1_INTEGER_value(stack, i))));
209 }
210 }
211
212 template <Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::ENUM,tag> ttag,AuthorizationSet * auth_list)213 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::ENUM, tag> ttag,
214 AuthorizationSet* auth_list) {
215 typedef typename TypedTag2ValueType<decltype(ttag)>::type ValueT;
216 if (!asn1_int) return;
217 auth_list->push_back(ttag, static_cast<ValueT>(ASN1_INTEGER_get(asn1_int)));
218 }
219
220 template <Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::UINT,tag> ttag,AuthorizationSet * auth_list)221 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::UINT, tag> ttag,
222 AuthorizationSet* auth_list) {
223 if (!asn1_int) return;
224 auth_list->push_back(ttag, ASN1_INTEGER_get(asn1_int));
225 }
226
construct_uint_max()227 BIGNUM* construct_uint_max() {
228 BIGNUM* value = BN_new();
229 BIGNUM_Ptr one(BN_new());
230 BN_one(one.get());
231 BN_lshift(value, one.get(), 32);
232 return value;
233 }
234
BignumToUint64(BIGNUM * num)235 uint64_t BignumToUint64(BIGNUM* num) {
236 static_assert((sizeof(BN_ULONG) == sizeof(uint32_t)) || (sizeof(BN_ULONG) == sizeof(uint64_t)),
237 "This implementation only supports 32 and 64-bit BN_ULONG");
238 if (sizeof(BN_ULONG) == sizeof(uint32_t)) {
239 BIGNUM_Ptr uint_max(construct_uint_max());
240 BIGNUM_Ptr hi(BN_new()), lo(BN_new());
241 BN_CTX_Ptr ctx(BN_CTX_new());
242 BN_div(hi.get(), lo.get(), num, uint_max.get(), ctx.get());
243 return static_cast<uint64_t>(BN_get_word(hi.get())) << 32 | BN_get_word(lo.get());
244 } else if (sizeof(BN_ULONG) == sizeof(uint64_t)) {
245 return BN_get_word(num);
246 } else {
247 return 0;
248 }
249 }
250
251 template <Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::ULONG,tag> ttag,AuthorizationSet * auth_list)252 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::ULONG, tag> ttag,
253 AuthorizationSet* auth_list) {
254 if (!asn1_int) return;
255 BIGNUM_Ptr num(ASN1_INTEGER_to_BN(asn1_int, nullptr));
256 auth_list->push_back(ttag, BignumToUint64(num.get()));
257 }
258
259 template <Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::DATE,tag> ttag,AuthorizationSet * auth_list)260 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::DATE, tag> ttag,
261 AuthorizationSet* auth_list) {
262 if (!asn1_int) return;
263 BIGNUM_Ptr num(ASN1_INTEGER_to_BN(asn1_int, nullptr));
264 auth_list->push_back(ttag, BignumToUint64(num.get()));
265 }
266
267 template <Tag tag>
copyAuthTag(const ASN1_NULL * asn1_null,TypedTag<TagType::BOOL,tag> ttag,AuthorizationSet * auth_list)268 void copyAuthTag(const ASN1_NULL* asn1_null, TypedTag<TagType::BOOL, tag> ttag,
269 AuthorizationSet* auth_list) {
270 if (!asn1_null) return;
271 auth_list->push_back(ttag);
272 }
273
274 template <Tag tag>
copyAuthTag(const ASN1_OCTET_STRING * asn1_string,TypedTag<TagType::BYTES,tag> ttag,AuthorizationSet * auth_list)275 void copyAuthTag(const ASN1_OCTET_STRING* asn1_string, TypedTag<TagType::BYTES, tag> ttag,
276 AuthorizationSet* auth_list) {
277 if (!asn1_string) return;
278 vector<uint8_t> buf(asn1_string->data, asn1_string->data + asn1_string->length);
279 auth_list->push_back(ttag, buf);
280 }
281
282 // Extract the values from the specified ASN.1 record and place them in auth_list.
283 // Does nothing with root-of-trust field.
extract_auth_list(const KM_AUTH_LIST * record,AuthorizationSet * auth_list)284 static ErrorCode extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet* auth_list) {
285 if (!record) return ErrorCode::OK;
286
287 // Fields ordered in tag order.
288 copyAuthTag(record->purpose, TAG_PURPOSE, auth_list);
289 copyAuthTag(record->algorithm, TAG_ALGORITHM, auth_list);
290 copyAuthTag(record->key_size, TAG_KEY_SIZE, auth_list);
291 copyAuthTag(record->digest, TAG_DIGEST, auth_list);
292 copyAuthTag(record->padding, TAG_PADDING, auth_list);
293 copyAuthTag(record->ec_curve, TAG_EC_CURVE, auth_list);
294 copyAuthTag(record->rsa_public_exponent, TAG_RSA_PUBLIC_EXPONENT, auth_list);
295 copyAuthTag(record->mgf_digest, TAG_RSA_OAEP_MGF_DIGEST, auth_list);
296 copyAuthTag(record->rollback_resistance, TAG_ROLLBACK_RESISTANCE, auth_list);
297 copyAuthTag(record->early_boot_only, TAG_EARLY_BOOT_ONLY, auth_list);
298 copyAuthTag(record->active_date_time, TAG_ACTIVE_DATETIME, auth_list);
299 copyAuthTag(record->origination_expire_date_time, TAG_ORIGINATION_EXPIRE_DATETIME, auth_list);
300 copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list);
301 copyAuthTag(record->usage_count_limit, TAG_USAGE_COUNT_LIMIT, auth_list);
302 copyAuthTag(record->no_auth_required, TAG_NO_AUTH_REQUIRED, auth_list);
303 copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list);
304 copyAuthTag(record->auth_timeout, TAG_AUTH_TIMEOUT, auth_list);
305 copyAuthTag(record->allow_while_on_body, TAG_ALLOW_WHILE_ON_BODY, auth_list);
306 copyAuthTag(record->trusted_user_presence_required, TAG_TRUSTED_USER_PRESENCE_REQUIRED,
307 auth_list);
308 copyAuthTag(record->trusted_confirmation_required, TAG_TRUSTED_CONFIRMATION_REQUIRED,
309 auth_list);
310 copyAuthTag(record->unlocked_device_required, TAG_UNLOCKED_DEVICE_REQUIRED, auth_list);
311 copyAuthTag(record->creation_date_time, TAG_CREATION_DATETIME, auth_list);
312 copyAuthTag(record->origin, TAG_ORIGIN, auth_list);
313 // root_of_trust dealt with separately
314 copyAuthTag(record->os_version, TAG_OS_VERSION, auth_list);
315 copyAuthTag(record->os_patchlevel, TAG_OS_PATCHLEVEL, auth_list);
316 copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list);
317 copyAuthTag(record->attestation_id_brand, TAG_ATTESTATION_ID_BRAND, auth_list);
318 copyAuthTag(record->attestation_id_device, TAG_ATTESTATION_ID_DEVICE, auth_list);
319 copyAuthTag(record->attestation_id_product, TAG_ATTESTATION_ID_PRODUCT, auth_list);
320 copyAuthTag(record->attestation_id_serial, TAG_ATTESTATION_ID_SERIAL, auth_list);
321 copyAuthTag(record->attestation_id_imei, TAG_ATTESTATION_ID_IMEI, auth_list);
322 copyAuthTag(record->attestation_id_meid, TAG_ATTESTATION_ID_MEID, auth_list);
323 copyAuthTag(record->attestation_id_manufacturer, TAG_ATTESTATION_ID_MANUFACTURER, auth_list);
324 copyAuthTag(record->attestation_id_model, TAG_ATTESTATION_ID_MODEL, auth_list);
325 copyAuthTag(record->vendor_patchlevel, TAG_VENDOR_PATCHLEVEL, auth_list);
326 copyAuthTag(record->boot_patchlevel, TAG_BOOT_PATCHLEVEL, auth_list);
327 copyAuthTag(record->device_unique_attestation, TAG_DEVICE_UNIQUE_ATTESTATION, auth_list);
328 copyAuthTag(record->identity_credential, TAG_IDENTITY_CREDENTIAL_KEY, auth_list);
329 copyAuthTag(record->attestation_id_second_imei, TAG_ATTESTATION_ID_SECOND_IMEI, auth_list);
330
331 return ErrorCode::OK;
332 }
333
MAKE_OPENSSL_PTR_TYPE(KM_KEY_DESCRIPTION)334 MAKE_OPENSSL_PTR_TYPE(KM_KEY_DESCRIPTION)
335
336 // Parse the DER-encoded attestation record, placing the results in keymint_version,
337 // attestation_challenge, software_enforced, tee_enforced and unique_id.
338 ErrorCode parse_attestation_record(const uint8_t* asn1_key_desc, size_t asn1_key_desc_len,
339 uint32_t* attestation_version, //
340 SecurityLevel* attestation_security_level,
341 uint32_t* keymint_version, SecurityLevel* keymint_security_level,
342 vector<uint8_t>* attestation_challenge,
343 AuthorizationSet* software_enforced,
344 AuthorizationSet* tee_enforced, //
345 vector<uint8_t>* unique_id) {
346 const uint8_t* p = asn1_key_desc;
347 KM_KEY_DESCRIPTION_Ptr record(d2i_KM_KEY_DESCRIPTION(nullptr, &p, asn1_key_desc_len));
348 if (!record.get()) return ErrorCode::UNKNOWN_ERROR;
349
350 *attestation_version = ASN1_INTEGER_get(record->attestation_version);
351 *attestation_security_level =
352 static_cast<SecurityLevel>(ASN1_ENUMERATED_get(record->attestation_security_level));
353 *keymint_version = ASN1_INTEGER_get(record->keymint_version);
354 *keymint_security_level =
355 static_cast<SecurityLevel>(ASN1_ENUMERATED_get(record->keymint_security_level));
356
357 auto& chall = record->attestation_challenge;
358 attestation_challenge->resize(chall->length);
359 memcpy(attestation_challenge->data(), chall->data, chall->length);
360 auto& uid = record->unique_id;
361 unique_id->resize(uid->length);
362 memcpy(unique_id->data(), uid->data, uid->length);
363
364 ErrorCode error = extract_auth_list(record->software_enforced, software_enforced);
365 if (error != ErrorCode::OK) return error;
366
367 return extract_auth_list(record->tee_enforced, tee_enforced);
368 }
369
parse_root_of_trust(const uint8_t * asn1_key_desc,size_t asn1_key_desc_len,vector<uint8_t> * verified_boot_key,VerifiedBoot * verified_boot_state,bool * device_locked,vector<uint8_t> * verified_boot_hash)370 ErrorCode parse_root_of_trust(const uint8_t* asn1_key_desc, size_t asn1_key_desc_len,
371 vector<uint8_t>* verified_boot_key, VerifiedBoot* verified_boot_state,
372 bool* device_locked, vector<uint8_t>* verified_boot_hash) {
373 if (!verified_boot_key || !verified_boot_state || !device_locked || !verified_boot_hash) {
374 LOG(ERROR) << AT << "null pointer input(s)";
375 return ErrorCode::INVALID_ARGUMENT;
376 }
377 const uint8_t* p = asn1_key_desc;
378 KM_KEY_DESCRIPTION_Ptr record(d2i_KM_KEY_DESCRIPTION(nullptr, &p, asn1_key_desc_len));
379 if (!record.get()) {
380 LOG(ERROR) << AT << "Failed record parsing";
381 return ErrorCode::UNKNOWN_ERROR;
382 }
383
384 KM_ROOT_OF_TRUST* root_of_trust = nullptr;
385 if (record->tee_enforced && record->tee_enforced->root_of_trust) {
386 root_of_trust = record->tee_enforced->root_of_trust;
387 } else if (record->software_enforced && record->software_enforced->root_of_trust) {
388 root_of_trust = record->software_enforced->root_of_trust;
389 } else {
390 LOG(ERROR) << AT << " Failed root of trust parsing";
391 return ErrorCode::INVALID_ARGUMENT;
392 }
393 if (!root_of_trust->verified_boot_key) {
394 LOG(ERROR) << AT << " Failed verified boot key parsing";
395 return ErrorCode::INVALID_ARGUMENT;
396 }
397
398 auto& vb_key = root_of_trust->verified_boot_key;
399 verified_boot_key->resize(vb_key->length);
400 memcpy(verified_boot_key->data(), vb_key->data, vb_key->length);
401
402 *verified_boot_state =
403 static_cast<VerifiedBoot>(ASN1_ENUMERATED_get(root_of_trust->verified_boot_state));
404 if (!verified_boot_state) {
405 LOG(ERROR) << AT << " Failed verified boot state parsing";
406 return ErrorCode::INVALID_ARGUMENT;
407 }
408
409 *device_locked = root_of_trust->device_locked;
410 if (!device_locked) {
411 LOG(ERROR) << AT << " Failed device locked parsing";
412 return ErrorCode::INVALID_ARGUMENT;
413 }
414
415 auto& vb_hash = root_of_trust->verified_boot_hash;
416 if (!vb_hash) {
417 LOG(ERROR) << AT << " Failed verified boot hash parsing";
418 return ErrorCode::INVALID_ARGUMENT;
419 }
420 verified_boot_hash->resize(vb_hash->length);
421 memcpy(verified_boot_hash->data(), vb_hash->data, vb_hash->length);
422 return ErrorCode::OK; // KM_ERROR_OK;
423 }
424
425 } // namespace aidl::android::hardware::security::keymint
426