1; encrypted_key_material is AES-GCM encrypted with:
2; - key derived as described below
3; - plaintext is the CBOR-serialization of `KeyMaterial`
4; - nonce value is fixed, all zeroes
5; - no additional data
6;
7; Key derivation uses HKDF (RFC 5869) with HMAC-SHA256 to generate an AES-256 key:
8; - input keying material = a root key held in hardware
9; - salt = absent
10; - info = the following three or four chunks of context data concatenated:
11;    - content of `EncryptedKeyBlob.key_derivation_input` (a random nonce)
12;    - CBOR-serialization of `EncryptedKeyBlob.characteristics`
13;    - CBOR-serialized array of additional hidden `KeyParam` items associated with the key, specifically:
14;        - [Tag_ApplicationId, bstr] if required
15;        - [Tag_ApplicationData, bstr] if required
16;        - [Tag_RootOfTrust, bstr .cbor RootOfTrustInfo]
17;    - (if secure storage is available) CBOR serialization of the `SecureDeletionData` structure, with:
18;        - `factory_reset_secret` always populated
19;        - `secure_deletion_secret` populated with:
20;           - all zeroes (if `EncryptedKeyBlob.secure_deletion_slot` is empty)
21;           - the contents of the slot (if `EncryptedKeyBlob.secure_deletion_slot` is non-empty)
22EncryptedKeyBlob = &(
23    [0, EncryptedKeyBlobV1] ; Version::V1
24)
25Version = &(
26    Version_V1: 0,
27)
28EncryptedKeyBlobV1 = [
29    characteristics: [* KeyCharacteristics],
30    key_derivation_input: bstr .size 32,
31    kek_context: bstr,
32    encrypted_key_material: #6.16(Cose_Encrypt0),
33    secure_deletion_slot: [? SecureDeletionSlot],
34]
35KeyCharacteristics = [
36    security_level: SecurityLevel,
37    authorizations: [* KeyParam],
38]
39Cose_Encrypt0 = [ protected: bstr, unprotected: { * (int / tstr) => any }, ciphertext: bstr / nil ]
40KeyMaterial = &(
41  ; For each variant the `bool` second entry indicates whether the bstr for the key material
42  ; is opaque (true), or explicit (false).
43  [32, bool, bstr], ; Algorithm_Aes
44  [33, bool, bstr], ; Algorithm_TripleDes
45  [128, bool, bstr], ; Algorithm_Hmac
46  ; An explicit RSA key is in the form of an ASN.1 DER encoding of a PKCS#1 `RSAPrivateKey`
47  ; structure, as specified by RFC 3447 sections A.1.2 and 3.2.
48  [1, bool, bstr], ; Algorithm_Rsa
49  ; An explicit EC key for a NIST curve is in the form of an ASN.1 DER encoding of a
50  ; `ECPrivateKey` structure, as specified by RFC 5915 section 3.
51  ; An explicit EC key for curve 25519 is the raw key bytes.
52  [3, bool, [EcCurve, CurveType, bstr]], ; Algorithm_Ec
53)
54SecureDeletionSlot = int
55SecureDeletionData = [
56    factory_reset_secret: bstr .size 32,
57    secure_deletion_secret: bstr .size 16,
58]
59RootOfTrustInfo = [
60    verified_boot_key: bstr,
61    device_boot_locked: bool,
62    verified_boot_state: VerifiedBootState,
63]
64VerifiedBootState = &(
65    VerifiedBootState_Verified: 0,
66    VerifiedBootState_SelfSigned: 1,
67    VerifiedBootState_Unverified: 2,
68    VerifiedBootState_Failed: 3,
69)
70SecurityLevel = &(
71    SecurityLevel_Software: 0,
72    SecurityLevel_TrustedEnvironment: 1,
73    SecurityLevel_Strongbox: 2,
74    SecurityLevel_Keystore: 100,
75)
76KeyParam = &(
77    [268435458, Algorithm], ; Tag_Algorithm
78    [536870916, BlockMode], ; Tag_BlockMode
79    [536870918, PaddingMode], ; Tag_Padding
80    [536870917, Digest], ; Tag_Digest
81    [268435466, EcCurve], ; Tag_EcCurve
82    [268436158, KeyOrigin], ; Tag_Origin
83    [536870913, KeyPurpose], ; Tag_Purpose
84    [805306371, KeySizeInBits], ; Tag_KeySize
85    [1879048199, bstr], ; Tag_CallerNonce
86    [805306376, int], ; Tag_MinMacLength
87    [1342177480, RsaExponent], ; Tag_RsaPublicExponent
88    [1879048394, true], ; Tag_IncludeUniqueId
89    [536871115, Digest], ; Tag_RsaOaepMgfDigest
90    [1879048494, true], ; Tag_BootloaderOnly
91    [1879048495, true], ; Tag_RollbackResistance
92    [1879048497, true], ; Tag_EarlyBootOnly
93    [1610613136, DateTime], ; Tag_ActiveDatetime
94    [1610613137, DateTime], ; Tag_OriginationExpireDatetime
95    [1610613138, DateTime], ; Tag_UsageExpireDatetime
96    [805306772, int], ; Tag_MaxUsesPerBoot
97    [805306773, int], ; Tag_UsageCountLimit
98    [805306869, int], ; Tag_UserId
99    [-1610612234, int], ; Tag_UserSecureId
100    [1879048695, true], ; Tag_NoAuthRequired
101    [268435960, int], ; Tag_UserAuthType
102    [805306873, int], ; Tag_AuthTimeout
103    [1879048698, true], ; Tag_AllowWhileOnBody
104    [1879048699, true], ; Tag_TrustedUserPresenceRequired
105    [1879048700, true], ; Tag_TrustedConfirmationRequired
106    [1879048701, true], ; Tag_UnlockedDeviceRequired
107    [-1879047591, bstr], ; Tag_ApplicationId
108    [-1879047492, bstr], ; Tag_ApplicationData
109    [1610613437, DateTime], ; Tag_CreationDatetime
110    [-1879047488, bstr], ; Tag_RootOfTrust
111    [805307073, int], ; Tag_OsVersion
112    [805307074, int], ; Tag_OsPatchlevel
113    [-1879047484, bstr], ; Tag_AttestationChallenge
114    [-1879047483, bstr], ; Tag_AttestationApplicationId
115    [-1879047482, bstr], ; Tag_AttestationIdBrand
116    [-1879047481, bstr], ; Tag_AttestationIdDevice
117    [-1879047480, bstr], ; Tag_AttestationIdProduct
118    [-1879047479, bstr], ; Tag_AttestationIdSerial
119    [-1879047478, bstr], ; Tag_AttestationIdImei
120    [-1879047469, bstr], ; Tag_AttestationIdSecondImei
121    [-1879047477, bstr], ; Tag_AttestationIdMeid
122    [-1879047476, bstr], ; Tag_AttestationIdManufacturer
123    [-1879047475, bstr], ; Tag_AttestationIdModel
124    [805307086, int], ; Tag_VendorPatchlevel
125    [805307087, int], ; Tag_BootPatchlevel
126    [1879048912, true], ; Tag_DeviceUniqueAttestation
127    [1879048914, true], ; Tag_StorageKey
128    [-1879047191, bstr], ; Tag_Nonce
129    [805307371, int], ; Tag_MacLength
130    [1879049196, true], ; Tag_ResetSinceIdRotation
131    [-2147482642, bstr], ; Tag_CertificateSerial
132    [-1879047185, bstr], ; Tag_CertificateSubject
133    [1610613744, DateTime], ; Tag_CertificateNotBefore
134    [1610613745, DateTime], ; Tag_CertificateNotAfter
135    [805307378, int], ; Tag_MaxBootLevel
136)
137Tag = &(
138    Tag_Invalid: 0,
139    Tag_Purpose: 536870913,
140    Tag_Algorithm: 268435458,
141    Tag_KeySize: 805306371,
142    Tag_BlockMode: 536870916,
143    Tag_Digest: 536870917,
144    Tag_Padding: 536870918,
145    Tag_CallerNonce: 1879048199,
146    Tag_MinMacLength: 805306376,
147    Tag_EcCurve: 268435466,
148    Tag_RsaPublicExponent: 1342177480,
149    Tag_IncludeUniqueId: 1879048394,
150    Tag_RsaOaepMgfDigest: 536871115,
151    Tag_BootloaderOnly: 1879048494,
152    Tag_RollbackResistance: 1879048495,
153    Tag_HardwareType: 268435760,
154    Tag_EarlyBootOnly: 1879048497,
155    Tag_ActiveDatetime: 1610613136,
156    Tag_OriginationExpireDatetime: 1610613137,
157    Tag_UsageExpireDatetime: 1610613138,
158    Tag_MinSecondsBetweenOps: 805306771,
159    Tag_MaxUsesPerBoot: 805306772,
160    Tag_UsageCountLimit: 805306773,
161    Tag_UserId: 805306869,
162    Tag_UserSecureId: -1610612234,
163    Tag_NoAuthRequired: 1879048695,
164    Tag_UserAuthType: 268435960,
165    Tag_AuthTimeout: 805306873,
166    Tag_AllowWhileOnBody: 1879048698,
167    Tag_TrustedUserPresenceRequired: 1879048699,
168    Tag_TrustedConfirmationRequired: 1879048700,
169    Tag_UnlockedDeviceRequired: 1879048701,
170    Tag_ApplicationId: -1879047591,
171    Tag_ApplicationData: -1879047492,
172    Tag_CreationDatetime: 1610613437,
173    Tag_Origin: 268436158,
174    Tag_RootOfTrust: -1879047488,
175    Tag_OsVersion: 805307073,
176    Tag_OsPatchlevel: 805307074,
177    Tag_UniqueId: -1879047485,
178    Tag_AttestationChallenge: -1879047484,
179    Tag_AttestationApplicationId: -1879047483,
180    Tag_AttestationIdBrand: -1879047482,
181    Tag_AttestationIdDevice: -1879047481,
182    Tag_AttestationIdProduct: -1879047480,
183    Tag_AttestationIdSerial: -1879047479,
184    Tag_AttestationIdImei: -1879047478,
185    Tag_AttestationIdMeid: -1879047477,
186    Tag_AttestationIdManufacturer: -1879047476,
187    Tag_AttestationIdModel: -1879047475,
188    Tag_VendorPatchlevel: 805307086,
189    Tag_BootPatchlevel: 805307087,
190    Tag_DeviceUniqueAttestation: 1879048912,
191    Tag_IdentityCredentialKey: 1879048913,
192    Tag_StorageKey: 1879048914,
193    Tag_AttestationIdSecondImei: -1879047469,
194    Tag_AssociatedData: -1879047192,
195    Tag_Nonce: -1879047191,
196    Tag_MacLength: 805307371,
197    Tag_ResetSinceIdRotation: 1879049196,
198    Tag_ConfirmationToken: -1879047187,
199    Tag_CertificateSerial: -2147482642,
200    Tag_CertificateSubject: -1879047185,
201    Tag_CertificateNotBefore: 1610613744,
202    Tag_CertificateNotAfter: 1610613745,
203    Tag_MaxBootLevel: 805307378,
204)
205Algorithm = &(
206    Algorithm_Rsa: 1,
207    Algorithm_Ec: 3,
208    Algorithm_Aes: 32,
209    Algorithm_TripleDes: 33,
210    Algorithm_Hmac: 128,
211)
212BlockMode = &(
213    BlockMode_Ecb: 1,
214    BlockMode_Cbc: 2,
215    BlockMode_Ctr: 3,
216    BlockMode_Gcm: 32,
217)
218Digest = &(
219    Digest_None: 0,
220    Digest_Md5: 1,
221    Digest_Sha1: 2,
222    Digest_Sha224: 3,
223    Digest_Sha256: 4,
224    Digest_Sha384: 5,
225    Digest_Sha512: 6,
226)
227EcCurve = &(
228    EcCurve_P224: 0,
229    EcCurve_P256: 1,
230    EcCurve_P384: 2,
231    EcCurve_P521: 3,
232    EcCurve_Curve25519: 4,
233)
234CurveType = &(
235    CurveType_Nist: 0,
236    CurveType_EdDsa: 1,
237    CurveType_Xdh: 2,
238)
239KeyOrigin = &(
240    KeyOrigin_Generated: 0,
241    KeyOrigin_Derived: 1,
242    KeyOrigin_Imported: 2,
243    KeyOrigin_Reserved: 3,
244    KeyOrigin_SecurelyImported: 4,
245)
246KeyPurpose = &(
247    KeyPurpose_Encrypt: 0,
248    KeyPurpose_Decrypt: 1,
249    KeyPurpose_Sign: 2,
250    KeyPurpose_Verify: 3,
251    KeyPurpose_WrapKey: 5,
252    KeyPurpose_AgreeKey: 6,
253    KeyPurpose_AttestKey: 7,
254)
255HardwareAuthenticatorType = &(
256    HardwareAuthenticatorType_None: 0,
257    HardwareAuthenticatorType_Password: 1,
258    HardwareAuthenticatorType_Fingerprint: 2,
259    HardwareAuthenticatorType_Any: -1,
260)
261PaddingMode = &(
262    PaddingMode_None: 1,
263    PaddingMode_RsaOaep: 2,
264    PaddingMode_RsaPss: 3,
265    PaddingMode_RsaPkcs115Encrypt: 4,
266    PaddingMode_RsaPkcs115Sign: 5,
267    PaddingMode_Pkcs7: 64,
268)
269DateTime = int
270KeySizeInBits = int
271RsaExponent = int
272
273