1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <aidl/android/hardware/security/keymint/ErrorCode.h>
20 #include <aidl/android/hardware/security/keymint/IKeyMintDevice.h>
21 
22 #include <keymint_support/attestation_record.h>
23 #include <keymint_support/authorization_set.h>
24 #include <keymint_support/openssl_utils.h>
25 
26 namespace aidl::android::hardware::security::keymint {
27 
28 class AuthorizationSet;
29 
30 /**
31  * The OID for Android attestation records.  For the curious, it breaks down as follows:
32  *
33  * 1 = ISO
34  * 3 = org
35  * 6 = DoD (Huh? OIDs are weird.)
36  * 1 = IANA
37  * 4 = Private
38  * 1 = Enterprises
39  * 11129 = Google
40  * 2 = Google security
41  * 1 = certificate extension
42  * 17 = Android attestation extension.
43  */
44 static const char kAttestionRecordOid[] = "1.3.6.1.4.1.11129.2.1.17";
45 
46 enum class VerifiedBoot : uint8_t {
47     VERIFIED = 0,
48     SELF_SIGNED = 1,
49     UNVERIFIED = 2,
50     FAILED = 3,
51 };
52 
53 struct RootOfTrust {
54     SecurityLevel security_level;
55     vector<uint8_t> verified_boot_key;
56     vector<uint8_t> verified_boot_hash;
57     VerifiedBoot verified_boot_state;
58     bool device_locked;
59 };
60 
61 struct AttestationRecord {
62     RootOfTrust root_of_trust;
63     uint32_t attestation_version;
64     SecurityLevel attestation_security_level;
65     uint32_t keymint_version;
66     SecurityLevel keymint_security_level;
67     std::vector<uint8_t> attestation_challenge;
68     AuthorizationSet software_enforced;
69     AuthorizationSet hardware_enforced;
70     std::vector<uint8_t> unique_id;
71 };
72 
73 ErrorCode parse_attestation_record(const uint8_t* asn1_key_desc, size_t asn1_key_desc_len,
74                                    uint32_t* attestation_version,  //
75                                    SecurityLevel* attestation_security_level,
76                                    uint32_t* keymint_version, SecurityLevel* keymint_security_level,
77                                    std::vector<uint8_t>* attestation_challenge,
78                                    AuthorizationSet* software_enforced,
79                                    AuthorizationSet* tee_enforced,  //
80                                    std::vector<uint8_t>* unique_id);
81 
82 ErrorCode parse_root_of_trust(const uint8_t* asn1_key_desc, size_t asn1_key_desc_len,
83                               std::vector<uint8_t>* verified_boot_key,
84                               VerifiedBoot* verified_boot_state, bool* device_locked,
85                               std::vector<uint8_t>* verified_boot_hash);
86 
87 }  // namespace aidl::android::hardware::security::keymint
88