1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <aidl/android/hardware/security/keymint/ErrorCode.h>
20 #include <aidl/android/hardware/security/keymint/IKeyMintDevice.h>
21 
22 #include <keymint_support/attestation_record.h>
23 #include <keymint_support/authorization_set.h>
24 #include <keymint_support/openssl_utils.h>
25 
26 namespace aidl::android::hardware::security::keymint {
27 
28 class AuthorizationSet;
29 
30 /**
31  * The OID for Android attestation records.  For the curious, it breaks down as follows:
32  *
33  * 1 = ISO
34  * 3 = org
35  * 6 = DoD (Huh? OIDs are weird.)
36  * 1 = IANA
37  * 4 = Private
38  * 1 = Enterprises
39  * 11129 = Google
40  * 2 = Google security
41  * 1 = certificate extension
42  * 17 = Android attestation extension.
43  */
44 static const char kAttestionRecordOid[] = "1.3.6.1.4.1.11129.2.1.17";
45 
46 static const char kCrlDPOid[] = "2.5.29.31";  // Standard CRL Distribution Points extension.
47 
48 enum class VerifiedBoot : uint8_t {
49     VERIFIED = 0,
50     SELF_SIGNED = 1,
51     UNVERIFIED = 2,
52     FAILED = 3,
53 };
54 
55 struct RootOfTrust {
56     SecurityLevel security_level;
57     vector<uint8_t> verified_boot_key;
58     vector<uint8_t> verified_boot_hash;
59     VerifiedBoot verified_boot_state;
60     bool device_locked;
61 };
62 
63 struct AttestationRecord {
64     RootOfTrust root_of_trust;
65     uint32_t attestation_version;
66     SecurityLevel attestation_security_level;
67     uint32_t keymint_version;
68     SecurityLevel keymint_security_level;
69     std::vector<uint8_t> attestation_challenge;
70     AuthorizationSet software_enforced;
71     AuthorizationSet hardware_enforced;
72     std::vector<uint8_t> unique_id;
73 };
74 
75 ErrorCode parse_attestation_record(const uint8_t* asn1_key_desc, size_t asn1_key_desc_len,
76                                    uint32_t* attestation_version,  //
77                                    SecurityLevel* attestation_security_level,
78                                    uint32_t* keymint_version, SecurityLevel* keymint_security_level,
79                                    std::vector<uint8_t>* attestation_challenge,
80                                    AuthorizationSet* software_enforced,
81                                    AuthorizationSet* tee_enforced,  //
82                                    std::vector<uint8_t>* unique_id);
83 
84 ErrorCode parse_root_of_trust(const uint8_t* asn1_key_desc, size_t asn1_key_desc_len,
85                               std::vector<uint8_t>* verified_boot_key,
86                               VerifiedBoot* verified_boot_state, bool* device_locked,
87                               std::vector<uint8_t>* verified_boot_hash);
88 
89 }  // namespace aidl::android::hardware::security::keymint
90