1 /*
2 * Copyright 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymasterV4_0/attestation_record.h>
18
19 #include <android-base/logging.h>
20 #include <assert.h>
21
22 #include <openssl/asn1t.h>
23 #include <openssl/bn.h>
24 #include <openssl/evp.h>
25 #include <openssl/x509.h>
26
27 #include <keymasterV4_0/authorization_set.h>
28 #include <keymasterV4_0/openssl_utils.h>
29
30 #define AT __FILE__ ":" << __LINE__
31
32 namespace android {
33 namespace hardware {
34 namespace keymaster {
35 namespace V4_0 {
36
// Functor that releases a STACK_OF(ASN1_TYPE) by calling sk_ASN1_TYPE_free.
// sk_*_free releases the stack container only; the elements it holds are not
// freed by this deleter.
struct stack_st_ASN1_TYPE_Delete {
    void operator()(stack_st_ASN1_TYPE* stack) {
        sk_ASN1_TYPE_free(stack);
    }
};
40
// Functor that releases an ASN1_STRING by calling ASN1_STRING_free.
struct ASN1_STRING_Delete {
    void operator()(ASN1_STRING* str) {
        ASN1_STRING_free(str);
    }
};
44
// Functor that releases an ASN1_TYPE by calling ASN1_TYPE_free.
struct ASN1_TYPE_Delete {
    void operator()(ASN1_TYPE* value) {
        ASN1_TYPE_free(value);
    }
};
48
49 #define ASN1_INTEGER_SET STACK_OF(ASN1_INTEGER)
50
// In-memory form of the RootOfTrust SEQUENCE carried inside an authorization
// list. All four members are declared with ASN1_SIMPLE below, i.e. they are
// mandatory, untagged fields that must appear in exactly this order in the DER.
struct km_root_of_trust {
    ASN1_OCTET_STRING* verified_boot_key;
    // ASN1_BOOLEAN is a plain value, not a pointer; it cannot be null-checked.
    ASN1_BOOLEAN device_locked;
    ASN1_ENUMERATED* verified_boot_state;
    ASN1_OCTET_STRING* verified_boot_hash;
};
using KM_ROOT_OF_TRUST = km_root_of_trust;

// ASN.1 template: the order of the entries is the order on the wire.
ASN1_SEQUENCE(KM_ROOT_OF_TRUST) = {
    ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_key, ASN1_OCTET_STRING),
    ASN1_SIMPLE(KM_ROOT_OF_TRUST, device_locked, ASN1_BOOLEAN),
    ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_state, ASN1_ENUMERATED),
    ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_hash, ASN1_OCTET_STRING),
} ASN1_SEQUENCE_END(KM_ROOT_OF_TRUST);
// Generates the new/free/d2i/i2d functions for KM_ROOT_OF_TRUST.
IMPLEMENT_ASN1_FUNCTIONS(KM_ROOT_OF_TRUST);
65
// In-memory form of one authorization list (software- or TEE-enforced) of an
// attestation record. Each member that has an entry in the ASN.1 template below
// is OPTIONAL on the wire, so after parsing any of these pointers may be null.
struct km_auth_list {
    ASN1_INTEGER_SET* purpose;
    ASN1_INTEGER* algorithm;
    ASN1_INTEGER* key_size;
    ASN1_INTEGER_SET* digest;
    ASN1_INTEGER_SET* padding;
    ASN1_INTEGER* ec_curve;
    ASN1_INTEGER* rsa_public_exponent;
    ASN1_NULL* rollback_resistance;
    ASN1_INTEGER* active_date_time;
    ASN1_INTEGER* origination_expire_date_time;
    ASN1_INTEGER* usage_expire_date_time;
    ASN1_NULL* no_auth_required;
    ASN1_INTEGER* user_auth_type;
    ASN1_INTEGER* auth_timeout;
    ASN1_NULL* allow_while_on_body;
    ASN1_NULL* trusted_user_presence_required;
    ASN1_NULL* trusted_confirmation_required;
    ASN1_NULL* unlocked_device_required;
    // NOTE(review): all_applications and application_id have no entry in the
    // ASN.1 template below, so the parser never assigns them; presumably they
    // stay null after d2i_KM_AUTH_LIST -- confirm.
    ASN1_NULL* all_applications;
    ASN1_OCTET_STRING* application_id;
    ASN1_INTEGER* creation_date_time;
    ASN1_INTEGER* origin;
    KM_ROOT_OF_TRUST* root_of_trust;
    ASN1_INTEGER* os_version;
    ASN1_INTEGER* os_patchlevel;
    ASN1_OCTET_STRING* attestation_application_id;
    ASN1_OCTET_STRING* attestation_id_brand;
    ASN1_OCTET_STRING* attestation_id_device;
    ASN1_OCTET_STRING* attestation_id_product;
    ASN1_OCTET_STRING* attestation_id_serial;
    ASN1_OCTET_STRING* attestation_id_imei;
    ASN1_OCTET_STRING* attestation_id_meid;
    ASN1_OCTET_STRING* attestation_id_manufacturer;
    ASN1_OCTET_STRING* attestation_id_model;
    ASN1_INTEGER* vendor_patchlevel;
    ASN1_INTEGER* boot_patchlevel;
};
using KM_AUTH_LIST = km_auth_list;

// ASN.1 template for the authorization list. Every entry is optional and
// explicitly tagged with TAG_<name>.maskedTag(); repeatable values (purpose,
// digest, padding) are SET OF INTEGER. The entry order is the order expected
// on the wire and must not be rearranged.
ASN1_SEQUENCE(KM_AUTH_LIST) = {
    ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, purpose, ASN1_INTEGER, TAG_PURPOSE.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, algorithm, ASN1_INTEGER, TAG_ALGORITHM.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, key_size, ASN1_INTEGER, TAG_KEY_SIZE.maskedTag()),
    ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, digest, ASN1_INTEGER, TAG_DIGEST.maskedTag()),
    ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, padding, ASN1_INTEGER, TAG_PADDING.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, ec_curve, ASN1_INTEGER, TAG_EC_CURVE.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, rsa_public_exponent, ASN1_INTEGER,
                 TAG_RSA_PUBLIC_EXPONENT.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL,
                 TAG_ROLLBACK_RESISTANCE.maskedTag()),

    ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER,
                 TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, usage_expire_date_time, ASN1_INTEGER,
                 TAG_USAGE_EXPIRE_DATETIME.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, no_auth_required, ASN1_NULL, TAG_NO_AUTH_REQUIRED.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, user_auth_type, ASN1_INTEGER, TAG_USER_AUTH_TYPE.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, auth_timeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL,
                 TAG_ALLOW_WHILE_ON_BODY.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, trusted_user_presence_required, ASN1_NULL,
                 TAG_TRUSTED_USER_PRESENCE_REQUIRED.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, trusted_confirmation_required, ASN1_NULL,
                 TAG_TRUSTED_CONFIRMATION_REQUIRED.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, unlocked_device_required, ASN1_NULL,
                 TAG_UNLOCKED_DEVICE_REQUIRED.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER,
                 TAG_CREATION_DATETIME.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING,
                 TAG_ATTESTATION_APPLICATION_ID.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_brand, ASN1_OCTET_STRING,
                 TAG_ATTESTATION_ID_BRAND.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_device, ASN1_OCTET_STRING,
                 TAG_ATTESTATION_ID_DEVICE.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_product, ASN1_OCTET_STRING,
                 TAG_ATTESTATION_ID_PRODUCT.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_serial, ASN1_OCTET_STRING,
                 TAG_ATTESTATION_ID_SERIAL.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_imei, ASN1_OCTET_STRING,
                 TAG_ATTESTATION_ID_IMEI.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_meid, ASN1_OCTET_STRING,
                 TAG_ATTESTATION_ID_MEID.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_manufacturer, ASN1_OCTET_STRING,
                 TAG_ATTESTATION_ID_MANUFACTURER.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_model, ASN1_OCTET_STRING,
                 TAG_ATTESTATION_ID_MODEL.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER,
                 TAG_VENDOR_PATCHLEVEL.maskedTag()),
    ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()),
} ASN1_SEQUENCE_END(KM_AUTH_LIST);
// Generates the new/free/d2i/i2d functions for KM_AUTH_LIST.
IMPLEMENT_ASN1_FUNCTIONS(KM_AUTH_LIST);
162
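// In-memory form of the top-level KeyDescription SEQUENCE of an attestation
// record. Every member is declared with ASN1_SIMPLE below, so all of them are
// mandatory and appear on the wire in the template's order (which differs from
// the member order here; the template locates members by name, not position).
typedef struct km_key_description {
    ASN1_INTEGER* attestation_version;
    ASN1_ENUMERATED* attestation_security_level;
    ASN1_INTEGER* keymaster_version;
    ASN1_ENUMERATED* keymaster_security_level;
    ASN1_OCTET_STRING* attestation_challenge;
    KM_AUTH_LIST* software_enforced;
    KM_AUTH_LIST* tee_enforced;
    // Declared as an OCTET STRING to match the template entry below; it was
    // previously spelled ASN1_INTEGER*, which is the same underlying OpenSSL
    // string type but misstated what the parser stores here.
    ASN1_OCTET_STRING* unique_id;
} KM_KEY_DESCRIPTION;

// ASN.1 template: the order of the entries is the order on the wire.
ASN1_SEQUENCE(KM_KEY_DESCRIPTION) = {
    ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_version, ASN1_INTEGER),
    ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_security_level, ASN1_ENUMERATED),
    ASN1_SIMPLE(KM_KEY_DESCRIPTION, keymaster_version, ASN1_INTEGER),
    ASN1_SIMPLE(KM_KEY_DESCRIPTION, keymaster_security_level, ASN1_ENUMERATED),
    ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_challenge, ASN1_OCTET_STRING),
    ASN1_SIMPLE(KM_KEY_DESCRIPTION, unique_id, ASN1_OCTET_STRING),
    ASN1_SIMPLE(KM_KEY_DESCRIPTION, software_enforced, KM_AUTH_LIST),
    ASN1_SIMPLE(KM_KEY_DESCRIPTION, tee_enforced, KM_AUTH_LIST),
} ASN1_SEQUENCE_END(KM_KEY_DESCRIPTION);
// Generates the new/free/d2i/i2d functions for KM_KEY_DESCRIPTION.
IMPLEMENT_ASN1_FUNCTIONS(KM_KEY_DESCRIPTION);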
185
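// Copies every element of a parsed SET OF INTEGER into auth_list as a repeated
// enum tag.
//
// stack is null when the optional field was absent from the record; that case
// is now handled explicitly, like in the other copyAuthTag overloads, instead
// of relying on how sk_ASN1_INTEGER_num treats a null stack.
//
// The integer is converted with ASN1_INTEGER_get and cast to the tag's value
// type without range validation, so the result may be a value that is not a
// declared enumerator.
template <Tag tag>
void copyAuthTag(const stack_st_ASN1_INTEGER* stack, TypedTag<TagType::ENUM_REP, tag> ttag,
                 AuthorizationSet* auth_list) {
    typedef typename TypedTag2ValueType<decltype(ttag)>::type ValueT;
    if (!stack) return;
    for (size_t i = 0; i < sk_ASN1_INTEGER_num(stack); ++i) {
        auth_list->push_back(
            ttag, static_cast<ValueT>(ASN1_INTEGER_get(sk_ASN1_INTEGER_value(stack, i))));
    }
}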
195
// Copies a single optional INTEGER into auth_list as an enum tag. A null
// asn1_int (field absent from the record) adds nothing. The value is cast to
// the tag's value type without range validation.
template <Tag tag>
void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::ENUM, tag> ttag,
                 AuthorizationSet* auth_list) {
    using ValueT = typename TypedTag2ValueType<decltype(ttag)>::type;
    if (asn1_int != nullptr) {
        auth_list->push_back(ttag, static_cast<ValueT>(ASN1_INTEGER_get(asn1_int)));
    }
}
203
// Copies a single optional INTEGER into auth_list as an unsigned-integer tag.
// A null asn1_int (field absent from the record) adds nothing. The result of
// ASN1_INTEGER_get is passed on as-is; no overflow or error check is made.
template <Tag tag>
void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::UINT, tag> ttag,
                 AuthorizationSet* auth_list) {
    if (asn1_int != nullptr) {
        auth_list->push_back(ttag, ASN1_INTEGER_get(asn1_int));
    }
}
210
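// Builds a BIGNUM holding 1 << 32 (one more than the largest 32-bit unsigned
// value, despite the function's name) for use as a divisor when splitting a
// number into 32-bit halves.
//
// Returns a heap-allocated BIGNUM the caller owns, or nullptr if an allocation
// or BIGNUM operation fails. Previously the results of BN_new, BN_one and
// BN_lshift were not checked, so a failure could hand back a BIGNUM that did
// not hold the intended value.
BIGNUM* construct_uint_max() {
    BIGNUM_Ptr value(BN_new());
    BIGNUM_Ptr one(BN_new());
    if (!value.get() || !one.get()) return nullptr;
    if (!BN_one(one.get())) return nullptr;
    if (!BN_lshift(value.get(), one.get(), 32)) return nullptr;
    // Ownership passes to the caller only once the value is fully built.
    return value.release();
}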
218
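// Converts a BIGNUM to uint64_t.
//
// With a 64-bit BN_ULONG the value comes straight from BN_get_word. With a
// 32-bit BN_ULONG the number is divided by 1 << 32 and the quotient and
// remainder are combined into the high and low halves.
//
// Returns 0 (after logging) if num is null or a helper allocation/division
// fails; previously those cases dereferenced a null pointer. The sign of num is
// not examined. Values too large for the word size are not rejected here: the
// result is then whatever BN_get_word reports for an oversized number.
uint64_t BignumToUint64(BIGNUM* num) {
    static_assert((sizeof(BN_ULONG) == sizeof(uint32_t)) || (sizeof(BN_ULONG) == sizeof(uint64_t)),
                  "This implementation only supports 32 and 64-bit BN_ULONG");
    if (!num) {
        LOG(ERROR) << AT << " null BIGNUM";
        return 0;
    }
    if (sizeof(BN_ULONG) == sizeof(uint32_t)) {
        BIGNUM_Ptr uint_max(construct_uint_max());
        BIGNUM_Ptr hi(BN_new()), lo(BN_new());
        BN_CTX_Ptr ctx(BN_CTX_new());
        if (!uint_max.get() || !hi.get() || !lo.get() || !ctx.get() ||
            !BN_div(hi.get(), lo.get(), num, uint_max.get(), ctx.get())) {
            LOG(ERROR) << AT << " Failed BIGNUM split";
            return 0;
        }
        return static_cast<uint64_t>(BN_get_word(hi.get())) << 32 | BN_get_word(lo.get());
    }
    // The static_assert above leaves only the 64-bit BN_ULONG case here.
    return BN_get_word(num);
}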
234
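// Copies a single optional INTEGER into auth_list as a 64-bit unsigned tag.
// A null asn1_int (field absent from the record) adds nothing.
//
// ASN1_INTEGER_to_BN can fail and return null; that result is now checked
// rather than passed on to BignumToUint64. On failure the tag is skipped and
// an error is logged, because this function has no way to report an error.
template <Tag tag>
void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::ULONG, tag> ttag,
                 AuthorizationSet* auth_list) {
    if (!asn1_int) return;
    BIGNUM_Ptr num(ASN1_INTEGER_to_BN(asn1_int, nullptr));
    if (!num.get()) {
        LOG(ERROR) << AT << " Failed ASN1_INTEGER to BIGNUM conversion";
        return;
    }
    auth_list->push_back(ttag, BignumToUint64(num.get()));
}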
242
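// Copies a single optional INTEGER into auth_list as a date tag (stored as a
// 64-bit unsigned value). A null asn1_int (field absent from the record) adds
// nothing.
//
// ASN1_INTEGER_to_BN can fail and return null; that result is now checked
// rather than passed on to BignumToUint64. On failure the tag is skipped and
// an error is logged, because this function has no way to report an error.
template <Tag tag>
void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::DATE, tag> ttag,
                 AuthorizationSet* auth_list) {
    if (!asn1_int) return;
    BIGNUM_Ptr num(ASN1_INTEGER_to_BN(asn1_int, nullptr));
    if (!num.get()) {
        LOG(ERROR) << AT << " Failed ASN1_INTEGER to BIGNUM conversion";
        return;
    }
    auth_list->push_back(ttag, BignumToUint64(num.get()));
}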
250
// Adds a boolean tag to auth_list when the corresponding ASN.1 NULL element is
// present in the record. Presence alone carries the meaning: a null asn1_null
// (field absent) adds nothing.
template <Tag tag>
void copyAuthTag(const ASN1_NULL* asn1_null, TypedTag<TagType::BOOL, tag> ttag,
                 AuthorizationSet* auth_list) {
    if (asn1_null != nullptr) {
        auth_list->push_back(ttag);
    }
}
257
// Copies an optional OCTET STRING into auth_list as a byte-array tag. A null
// asn1_string (field absent from the record) adds nothing.
template <Tag tag>
void copyAuthTag(const ASN1_OCTET_STRING* asn1_string, TypedTag<TagType::BYTES, tag> ttag,
                 AuthorizationSet* auth_list) {
    if (asn1_string == nullptr) return;

    // setToExternal makes the vector refer to the ASN.1 buffer rather than
    // copying it; the view is only used for the push_back call below.
    // NOTE(review): presumably push_back stores its own copy of the bytes --
    // confirm, since the ASN.1 record is freed by the caller afterwards.
    hidl_vec<uint8_t> view;
    view.setToExternal(asn1_string->data, asn1_string->length);
    auth_list->push_back(ttag, view);
}
266
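// Extract the values from the specified ASN.1 record and place them in auth_list.
//
// A null record is treated as an empty list and returns ErrorCode::OK. A null
// auth_list with a non-null record returns ErrorCode::INVALID_ARGUMENT instead
// of being dereferenced. Fields absent from the record are skipped by the
// copyAuthTag overloads.
//
// allow_while_on_body is parsed by the KM_AUTH_LIST template but was never
// copied here, so a record carrying it produced an AuthorizationSet without
// TAG_ALLOW_WHILE_ON_BODY; it is now appended after the existing tags so the
// relative order of the others is unchanged.
//
// root_of_trust is intentionally not copied here; parse_root_of_trust reads it.
// NOTE(review): application_id has no entry in the KM_AUTH_LIST template, so
// the copy for TAG_APPLICATION_ID presumably never adds anything -- confirm.
static ErrorCode extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet* auth_list) {
    if (!record) return ErrorCode::OK;
    if (!auth_list) return ErrorCode::INVALID_ARGUMENT;

    copyAuthTag(record->active_date_time, TAG_ACTIVE_DATETIME, auth_list);
    copyAuthTag(record->algorithm, TAG_ALGORITHM, auth_list);
    copyAuthTag(record->application_id, TAG_APPLICATION_ID, auth_list);
    copyAuthTag(record->auth_timeout, TAG_AUTH_TIMEOUT, auth_list);
    copyAuthTag(record->creation_date_time, TAG_CREATION_DATETIME, auth_list);
    copyAuthTag(record->digest, TAG_DIGEST, auth_list);
    copyAuthTag(record->ec_curve, TAG_EC_CURVE, auth_list);
    copyAuthTag(record->key_size, TAG_KEY_SIZE, auth_list);
    copyAuthTag(record->no_auth_required, TAG_NO_AUTH_REQUIRED, auth_list);
    copyAuthTag(record->origin, TAG_ORIGIN, auth_list);
    copyAuthTag(record->origination_expire_date_time, TAG_ORIGINATION_EXPIRE_DATETIME, auth_list);
    copyAuthTag(record->os_patchlevel, TAG_OS_PATCHLEVEL, auth_list);
    copyAuthTag(record->os_version, TAG_OS_VERSION, auth_list);
    copyAuthTag(record->padding, TAG_PADDING, auth_list);
    copyAuthTag(record->purpose, TAG_PURPOSE, auth_list);
    copyAuthTag(record->rollback_resistance, TAG_ROLLBACK_RESISTANCE, auth_list);
    copyAuthTag(record->rsa_public_exponent, TAG_RSA_PUBLIC_EXPONENT, auth_list);
    copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list);
    copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list);
    copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list);
    copyAuthTag(record->attestation_id_brand, TAG_ATTESTATION_ID_BRAND, auth_list);
    copyAuthTag(record->attestation_id_device, TAG_ATTESTATION_ID_DEVICE, auth_list);
    copyAuthTag(record->attestation_id_product, TAG_ATTESTATION_ID_PRODUCT, auth_list);
    copyAuthTag(record->attestation_id_serial, TAG_ATTESTATION_ID_SERIAL, auth_list);
    copyAuthTag(record->attestation_id_imei, TAG_ATTESTATION_ID_IMEI, auth_list);
    copyAuthTag(record->attestation_id_meid, TAG_ATTESTATION_ID_MEID, auth_list);
    copyAuthTag(record->attestation_id_manufacturer, TAG_ATTESTATION_ID_MANUFACTURER, auth_list);
    copyAuthTag(record->attestation_id_model, TAG_ATTESTATION_ID_MODEL, auth_list);
    copyAuthTag(record->vendor_patchlevel, TAG_VENDOR_PATCHLEVEL, auth_list);
    copyAuthTag(record->boot_patchlevel, TAG_BOOT_PATCHLEVEL, auth_list);
    copyAuthTag(record->trusted_user_presence_required, TAG_TRUSTED_USER_PRESENCE_REQUIRED,
                auth_list);
    copyAuthTag(record->trusted_confirmation_required, TAG_TRUSTED_CONFIRMATION_REQUIRED,
                auth_list);
    copyAuthTag(record->unlocked_device_required, TAG_UNLOCKED_DEVICE_REQUIRED, auth_list);
    copyAuthTag(record->allow_while_on_body, TAG_ALLOW_WHILE_ON_BODY, auth_list);

    return ErrorCode::OK;
}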
309
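// Presumably declares KM_KEY_DESCRIPTION_Ptr, the owning pointer type the
// parsers below use for the decoded record (macro from openssl_utils.h).
MAKE_OPENSSL_PTR_TYPE(KM_KEY_DESCRIPTION)

// Parse the DER-encoded attestation record, placing the results in
// attestation_version, attestation_security_level, keymaster_version,
// keymaster_security_level, attestation_challenge, software_enforced,
// tee_enforced and unique_id.
//
// Returns ErrorCode::INVALID_ARGUMENT if the input buffer or any output pointer
// is null (matching parse_root_of_trust; these were previously dereferenced
// unchecked), ErrorCode::UNKNOWN_ERROR if the DER does not decode, otherwise
// the result of extracting the two authorization lists.
//
// Caveats for callers that make trust decisions on the output:
//  - Bytes following the KeyDescription inside the buffer are not rejected;
//    the decoder's end position is not compared with asn1_key_desc_len.
//  - The version integers are taken from ASN1_INTEGER_get without an error or
//    range check, and the security levels are cast without checking that the
//    value is a declared SecurityLevel.
//  - This function only decodes. Verifying the certificate chain that carries
//    the record is the caller's job.
ErrorCode parse_attestation_record(const uint8_t* asn1_key_desc, size_t asn1_key_desc_len,
                                   uint32_t* attestation_version,  //
                                   SecurityLevel* attestation_security_level,
                                   uint32_t* keymaster_version,
                                   SecurityLevel* keymaster_security_level,
                                   hidl_vec<uint8_t>* attestation_challenge,
                                   AuthorizationSet* software_enforced,
                                   AuthorizationSet* tee_enforced,  //
                                   hidl_vec<uint8_t>* unique_id) {
    if (!asn1_key_desc || !attestation_version || !attestation_security_level ||
        !keymaster_version || !keymaster_security_level || !attestation_challenge ||
        !software_enforced || !tee_enforced || !unique_id) {
        LOG(ERROR) << AT << " null pointer input(s)";
        return ErrorCode::INVALID_ARGUMENT;
    }

    const uint8_t* p = asn1_key_desc;
    KM_KEY_DESCRIPTION_Ptr record(d2i_KM_KEY_DESCRIPTION(nullptr, &p, asn1_key_desc_len));
    if (!record.get()) return ErrorCode::UNKNOWN_ERROR;

    *attestation_version = ASN1_INTEGER_get(record->attestation_version);
    *attestation_security_level =
        static_cast<SecurityLevel>(ASN1_ENUMERATED_get(record->attestation_security_level));
    *keymaster_version = ASN1_INTEGER_get(record->keymaster_version);
    *keymaster_security_level =
        static_cast<SecurityLevel>(ASN1_ENUMERATED_get(record->keymaster_security_level));

    // Copies an octet string into dst. memcpy is skipped for an empty string,
    // whose data pointer may be null; a null source yields an empty vector.
    auto copy_octets = [](const ASN1_OCTET_STRING* src, hidl_vec<uint8_t>* dst) {
        const size_t len = (src && src->length > 0) ? static_cast<size_t>(src->length) : 0;
        dst->resize(len);
        if (len != 0) memcpy(dst->data(), src->data, len);
    };
    copy_octets(record->attestation_challenge, attestation_challenge);
    copy_octets(record->unique_id, unique_id);

    ErrorCode error = extract_auth_list(record->software_enforced, software_enforced);
    if (error != ErrorCode::OK) return error;

    return extract_auth_list(record->tee_enforced, tee_enforced);
}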
346
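// Parse the DER-encoded attestation record and copy out its RootOfTrust:
// verified boot key, verified boot state, device-locked flag and verified boot
// hash.
//
// Returns ErrorCode::INVALID_ARGUMENT if the input buffer or any output pointer
// is null, if neither authorization list carries a root of trust, or if one of
// its members is missing; ErrorCode::UNKNOWN_ERROR if the DER does not decode;
// ErrorCode::OK otherwise. All members are validated before any output is
// written, so the outputs are untouched on failure.
//
// Fixes over the previous version: the "verified boot state" and "device
// locked" checks tested the caller's output pointers (already known non-null)
// after writing through them, so they could never fire; the state member is now
// checked before it is read. device_locked is an ASN1_BOOLEAN value rather than
// a pointer, so it has no null check. memcpy is skipped for empty strings.
//
// NOTE(review): the root of trust is taken from tee_enforced when present and
// otherwise from software_enforced, and the caller is not told which. A value
// that only appears in the software-enforced list is not backed by the TEE;
// callers that rely on hardware-backed boot state should check the source.
// The boot state is cast without checking that it is a declared
// keymaster_verified_boot_t value, and trailing bytes after the record are not
// rejected.
ErrorCode parse_root_of_trust(const uint8_t* asn1_key_desc, size_t asn1_key_desc_len,
                              hidl_vec<uint8_t>* verified_boot_key,
                              keymaster_verified_boot_t* verified_boot_state, bool* device_locked,
                              hidl_vec<uint8_t>* verified_boot_hash) {
    if (!asn1_key_desc || !verified_boot_key || !verified_boot_state || !device_locked ||
        !verified_boot_hash) {
        LOG(ERROR) << AT << "null pointer input(s)";
        return ErrorCode::INVALID_ARGUMENT;
    }
    const uint8_t* p = asn1_key_desc;
    KM_KEY_DESCRIPTION_Ptr record(d2i_KM_KEY_DESCRIPTION(nullptr, &p, asn1_key_desc_len));
    if (!record.get()) {
        LOG(ERROR) << AT << "Failed record parsing";
        return ErrorCode::UNKNOWN_ERROR;
    }

    KM_ROOT_OF_TRUST* root_of_trust = nullptr;
    if (record->tee_enforced && record->tee_enforced->root_of_trust) {
        root_of_trust = record->tee_enforced->root_of_trust;
    } else if (record->software_enforced && record->software_enforced->root_of_trust) {
        root_of_trust = record->software_enforced->root_of_trust;
    } else {
        LOG(ERROR) << AT << " Failed root of trust parsing";
        return ErrorCode::INVALID_ARGUMENT;
    }

    // Validate every pointer member before touching the outputs.
    const ASN1_OCTET_STRING* vb_key = root_of_trust->verified_boot_key;
    if (!vb_key) {
        LOG(ERROR) << AT << " Failed verified boot key parsing";
        return ErrorCode::INVALID_ARGUMENT;
    }
    if (!root_of_trust->verified_boot_state) {
        LOG(ERROR) << AT << " Failed verified boot state parsing";
        return ErrorCode::INVALID_ARGUMENT;
    }
    const ASN1_OCTET_STRING* vb_hash = root_of_trust->verified_boot_hash;
    if (!vb_hash) {
        LOG(ERROR) << AT << " Failed verified boot hash parsing";
        return ErrorCode::INVALID_ARGUMENT;
    }

    // Copies an octet string into dst; memcpy is skipped for an empty string,
    // whose data pointer may be null.
    auto copy_octets = [](const ASN1_OCTET_STRING* src, hidl_vec<uint8_t>* dst) {
        const size_t len = src->length > 0 ? static_cast<size_t>(src->length) : 0;
        dst->resize(len);
        if (len != 0) memcpy(dst->data(), src->data, len);
    };

    copy_octets(vb_key, verified_boot_key);
    *verified_boot_state = static_cast<keymaster_verified_boot_t>(
        ASN1_ENUMERATED_get(root_of_trust->verified_boot_state));
    *device_locked = root_of_trust->device_locked;
    copy_octets(vb_hash, verified_boot_hash);
    return ErrorCode::OK;  // KM_ERROR_OK;
}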
402
403 } // namespace V4_0
404 } // namespace keymaster
405 } // namespace hardware
406 } // namespace android
407