Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / a42dee61cefd6083648face2d7fb56ffba0f60dd / . / keystore2 / tests / ffi_test_utils.cpp
blob: 7fbfb8b2e350d73cd5bfe388a78a8d924c1d3eb4 [file] [log] [blame]
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]1#include "ffi_test_utils.hpp"
2
3#include <iostream>
4
Rajesh Nyamagoud28abde62023-04-01 01:32:32 +0000[diff] [blame]5#include <android-base/logging.h>
6
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]7#include <KeyMintAidlTestBase.h>
8#include <aidl/android/hardware/security/keymint/ErrorCode.h>
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]9#include <keymaster/UniquePtr.h>
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]10
11#include <vector>
12
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]13#include <hardware/keymaster_defs.h>
14#include <keymaster/android_keymaster_utils.h>
15#include <keymaster/keymaster_tags.h>
16
17#include <keymaster/km_openssl/attestation_record.h>
18#include <keymaster/km_openssl/openssl_err.h>
19#include <keymaster/km_openssl/openssl_utils.h>
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]20
Rajesh Nyamagouda42dee62022-04-22 21:15:55 +0000[diff] [blame^]21#include <android-base/logging.h>
22
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]23using aidl::android::hardware::security::keymint::ErrorCode;
24
25#define TAG_SEQUENCE 0x30
26#define LENGTH_MASK 0x80
27#define LENGTH_VALUE_MASK 0x7F
28
Rajesh Nyamagoud28abde62023-04-01 01:32:32 +0000[diff] [blame]29/* EVP_PKEY_from_keystore is from system/security/keystore-engine. */
30extern "C" EVP_PKEY* EVP_PKEY_from_keystore(const char* key_id);
31
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]32/**
33 * ASN.1 structure for `KeyDescription` Schema.
34 * See `IKeyMintDevice.aidl` for documentation of the `KeyDescription` schema.
35 * KeyDescription ::= SEQUENCE(
36 * keyFormat INTEGER, # Values from KeyFormat enum.
37 * keyParams AuthorizationList,
38 * )
39 */
40typedef struct key_description {
41 ASN1_INTEGER* key_format;
42 keymaster::KM_AUTH_LIST* key_params;
43} TEST_KEY_DESCRIPTION;
44
45ASN1_SEQUENCE(TEST_KEY_DESCRIPTION) = {
46 ASN1_SIMPLE(TEST_KEY_DESCRIPTION, key_format, ASN1_INTEGER),
47 ASN1_SIMPLE(TEST_KEY_DESCRIPTION, key_params, keymaster::KM_AUTH_LIST),
48} ASN1_SEQUENCE_END(TEST_KEY_DESCRIPTION);
49DECLARE_ASN1_FUNCTIONS(TEST_KEY_DESCRIPTION);
50
51/**
52 * ASN.1 structure for `SecureKeyWrapper` Schema.
53 * See `IKeyMintDevice.aidl` for documentation of the `SecureKeyWrapper` schema.
54 * SecureKeyWrapper ::= SEQUENCE(
55 * version INTEGER, # Contains value 0
56 * encryptedTransportKey OCTET_STRING,
57 * initializationVector OCTET_STRING,
58 * keyDescription KeyDescription,
59 * encryptedKey OCTET_STRING,
60 * tag OCTET_STRING
61 * )
62 */
63typedef struct secure_key_wrapper {
64 ASN1_INTEGER* version;
65 ASN1_OCTET_STRING* encrypted_transport_key;
66 ASN1_OCTET_STRING* initialization_vector;
67 TEST_KEY_DESCRIPTION* key_desc;
68 ASN1_OCTET_STRING* encrypted_key;
69 ASN1_OCTET_STRING* tag;
70} TEST_SECURE_KEY_WRAPPER;
71
72ASN1_SEQUENCE(TEST_SECURE_KEY_WRAPPER) = {
73 ASN1_SIMPLE(TEST_SECURE_KEY_WRAPPER, version, ASN1_INTEGER),
74 ASN1_SIMPLE(TEST_SECURE_KEY_WRAPPER, encrypted_transport_key, ASN1_OCTET_STRING),
75 ASN1_SIMPLE(TEST_SECURE_KEY_WRAPPER, initialization_vector, ASN1_OCTET_STRING),
76 ASN1_SIMPLE(TEST_SECURE_KEY_WRAPPER, key_desc, TEST_KEY_DESCRIPTION),
77 ASN1_SIMPLE(TEST_SECURE_KEY_WRAPPER, encrypted_key, ASN1_OCTET_STRING),
78 ASN1_SIMPLE(TEST_SECURE_KEY_WRAPPER, tag, ASN1_OCTET_STRING),
79} ASN1_SEQUENCE_END(TEST_SECURE_KEY_WRAPPER);
80DECLARE_ASN1_FUNCTIONS(TEST_SECURE_KEY_WRAPPER);
81
82IMPLEMENT_ASN1_FUNCTIONS(TEST_SECURE_KEY_WRAPPER);
83IMPLEMENT_ASN1_FUNCTIONS(TEST_KEY_DESCRIPTION);
84
85struct TEST_KEY_DESCRIPTION_Delete {
86 void operator()(TEST_KEY_DESCRIPTION* p) { TEST_KEY_DESCRIPTION_free(p); }
87};
88struct TEST_SECURE_KEY_WRAPPER_Delete {
89 void operator()(TEST_SECURE_KEY_WRAPPER* p) { TEST_SECURE_KEY_WRAPPER_free(p); }
90};
91
Rajesh Nyamagoud28abde62023-04-01 01:32:32 +0000[diff] [blame]92const std::string keystore2_grant_id_prefix("ks2_keystore-engine_grant_id:");
93
Rajesh Nyamagoud4d483372022-02-09 01:38:23 +0000[diff] [blame]94/* This function extracts a certificate from the certs_chain_buffer at the given
95 * offset. Each DER encoded certificate starts with TAG_SEQUENCE followed by the
96 * total length of the certificate. The length of the certificate is determined
97 * as per ASN.1 encoding rules for the length octets.
98 *
99 * @param certs_chain_buffer: buffer containing DER encoded X.509 certificates
100 * arranged sequentially.
101 * @data_size: Length of the DER encoded X.509 certificates buffer.
102 * @index: DER encoded X.509 certificates buffer offset.
103 * @cert: Encoded certificate to be extracted from buffer as outcome.
104 * @return: ErrorCode::OK on success, otherwise ErrorCode::UNKNOWN_ERROR.
105 */
106ErrorCode
107extractCertFromCertChainBuffer(uint8_t* certs_chain_buffer, int certs_chain_buffer_size, int& index,
108 aidl::android::hardware::security::keymint::Certificate& cert) {
109 if (index >= certs_chain_buffer_size) {
110 return ErrorCode::UNKNOWN_ERROR;
111 }
112
113 uint32_t length = 0;
114 std::vector<uint8_t> cert_bytes;
115 if (certs_chain_buffer[index] == TAG_SEQUENCE) {
116 // Short form. One octet. Bit 8 has value "0" and bits 7-1 give the length.
117 if (0 == (certs_chain_buffer[index + 1] & LENGTH_MASK)) {
118 length = (uint32_t)certs_chain_buffer[index];
119 // Add SEQ and Length fields
120 length += 2;
121 } else {
122 // Long form. Two to 127 octets. Bit 8 of first octet has value "1" and
123 // bits 7-1 give the number of additional length octets. Second and following
124 // octets give the actual length.
125 int additionalBytes = certs_chain_buffer[index + 1] & LENGTH_VALUE_MASK;
126 if (additionalBytes == 0x01) {
127 length = certs_chain_buffer[index + 2];
128 // Add SEQ and Length fields
129 length += 3;
130 } else if (additionalBytes == 0x02) {
131 length = (certs_chain_buffer[index + 2] << 8 | certs_chain_buffer[index + 3]);
132 // Add SEQ and Length fields
133 length += 4;
134 } else if (additionalBytes == 0x04) {
135 length = certs_chain_buffer[index + 2] << 24;
136 length |= certs_chain_buffer[index + 3] << 16;
137 length |= certs_chain_buffer[index + 4] << 8;
138 length |= certs_chain_buffer[index + 5];
139 // Add SEQ and Length fields
140 length += 6;
141 } else {
142 // Length is larger than uint32_t max limit.
143 return ErrorCode::UNKNOWN_ERROR;
144 }
145 }
146 cert_bytes.insert(cert_bytes.end(), (certs_chain_buffer + index),
147 (certs_chain_buffer + index + length));
148 index += length;
149
150 for (int i = 0; i < cert_bytes.size(); i++) {
151 cert.encodedCertificate = std::move(cert_bytes);
152 }
153 } else {
154 // SEQUENCE TAG MISSING.
155 return ErrorCode::UNKNOWN_ERROR;
156 }
157
158 return ErrorCode::OK;
159}
160
161ErrorCode getCertificateChain(
162 rust::Vec<rust::u8>& chainBuffer,
163 std::vector<aidl::android::hardware::security::keymint::Certificate>& certChain) {
164 uint8_t* data = chainBuffer.data();
165 int index = 0;
166 int data_size = chainBuffer.size();
167
168 while (index < data_size) {
169 aidl::android::hardware::security::keymint::Certificate cert =
170 aidl::android::hardware::security::keymint::Certificate();
171 if (extractCertFromCertChainBuffer(data, data_size, index, cert) != ErrorCode::OK) {
172 return ErrorCode::UNKNOWN_ERROR;
173 }
174 certChain.push_back(std::move(cert));
175 }
176 return ErrorCode::OK;
177}
178
179bool validateCertChain(rust::Vec<rust::u8> cert_buf, uint32_t cert_len, bool strict_issuer_check) {
180 std::vector<aidl::android::hardware::security::keymint::Certificate> cert_chain =
181 std::vector<aidl::android::hardware::security::keymint::Certificate>();
182 if (cert_len <= 0) {
183 return false;
184 }
185 if (getCertificateChain(cert_buf, cert_chain) != ErrorCode::OK) {
186 return false;
187 }
188
189 for (int i = 0; i < cert_chain.size(); i++) {
190 std::cout << cert_chain[i].toString() << "\n";
191 }
192 auto result = aidl::android::hardware::security::keymint::test::ChainSignaturesAreValid(
193 cert_chain, strict_issuer_check);
194
195 if (result == testing::AssertionSuccess()) return true;
196
197 return false;
198}
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]199
200/**
201 * Below mentioned key parameters are used to create authorization list of
202 * secure key.
203 * Algorithm: AES-256
204 * Padding: PKCS7
205 * Blockmode: ECB
206 * Purpose: Encrypt, Decrypt
207 */
208keymaster::AuthorizationSet build_wrapped_key_auth_list() {
209 return keymaster::AuthorizationSet(keymaster::AuthorizationSetBuilder()
210 .AesEncryptionKey(256)
211 .Authorization(keymaster::TAG_BLOCK_MODE, KM_MODE_ECB)
212 .Authorization(keymaster::TAG_PADDING, KM_PAD_PKCS7)
213 .Authorization(keymaster::TAG_NO_AUTH_REQUIRED));
214}
215
216/**
217 * Creates ASN.1 DER-encoded data corresponding to `KeyDescription` schema as
218 * AAD. See `IKeyMintDevice.aidl` for documentation of the `KeyDescription` schema.
219 */
220CxxResult buildAsn1DerEncodedWrappedKeyDescription() {
221 CxxResult cxx_result{};
222 keymaster_error_t error;
223 cxx_result.error = KM_ERROR_OK;
224
225 keymaster::UniquePtr<TEST_KEY_DESCRIPTION, TEST_KEY_DESCRIPTION_Delete> key_description(
226 TEST_KEY_DESCRIPTION_new());
227 if (!key_description.get()) {
228 cxx_result.error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
229 return cxx_result;
230 }
231
232 // Fill secure key authorizations.
233 keymaster::AuthorizationSet auth_list = build_wrapped_key_auth_list();
234 error = build_auth_list(auth_list, key_description->key_params);
235 if (error != KM_ERROR_OK) {
236 cxx_result.error = error;
237 return cxx_result;
238 }
239
240 // Fill secure key format.
241 if (!ASN1_INTEGER_set(key_description->key_format, KM_KEY_FORMAT_RAW)) {
242 cxx_result.error = keymaster::TranslateLastOpenSslError();
243 return cxx_result;
244 }
245
246 // Perform ASN.1 DER encoding of KeyDescription.
Rajesh Nyamagoudcebd79d2023-01-12 16:22:00 +0000[diff] [blame]247 int asn1_data_len = i2d_TEST_KEY_DESCRIPTION(key_description.get(), nullptr);
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]248 if (asn1_data_len < 0) {
249 cxx_result.error = keymaster::TranslateLastOpenSslError();
250 return cxx_result;
251 }
252 std::vector<uint8_t> asn1_data(asn1_data_len, 0);
253
254 if (!asn1_data.data()) {
255 cxx_result.error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
256 return cxx_result;
257 }
258
259 uint8_t* p = asn1_data.data();
260 asn1_data_len = i2d_TEST_KEY_DESCRIPTION(key_description.get(), &p);
261 if (asn1_data_len < 0) {
262 cxx_result.error = keymaster::TranslateLastOpenSslError();
263 return cxx_result;
264 }
265
266 std::move(asn1_data.begin(), asn1_data.end(), std::back_inserter(cxx_result.data));
267
268 return cxx_result;
269}
270
271/**
272 * Creates wrapped key material to import in ASN.1 DER-encoded data corresponding to
273 * `SecureKeyWrapper` schema. See `IKeyMintDevice.aidl` for documentation of the `SecureKeyWrapper`
274 * schema.
275 */
276CxxResult createWrappedKey(rust::Vec<rust::u8> encrypted_secure_key,
277 rust::Vec<rust::u8> encrypted_transport_key, rust::Vec<rust::u8> iv,
278 rust::Vec<rust::u8> tag) {
279 CxxResult cxx_result{};
280 keymaster_error_t error;
281 cxx_result.error = KM_ERROR_OK;
282
283 uint8_t* enc_secure_key_data = encrypted_secure_key.data();
284 int enc_secure_key_size = encrypted_secure_key.size();
285
286 uint8_t* iv_data = iv.data();
287 int iv_size = iv.size();
288
289 uint8_t* tag_data = tag.data();
290 int tag_size = tag.size();
291
292 uint8_t* enc_transport_key_data = encrypted_transport_key.data();
293 int enc_transport_key_size = encrypted_transport_key.size();
294
295 keymaster::UniquePtr<TEST_SECURE_KEY_WRAPPER, TEST_SECURE_KEY_WRAPPER_Delete> sec_key_wrapper(
296 TEST_SECURE_KEY_WRAPPER_new());
297 if (!sec_key_wrapper.get()) {
298 cxx_result.error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
299 return cxx_result;
300 }
301
302 // Fill version = 0
303 if (!ASN1_INTEGER_set(sec_key_wrapper->version, 0)) {
304 cxx_result.error = keymaster::TranslateLastOpenSslError();
305 return cxx_result;
306 }
307
308 // Fill encrypted transport key.
309 if (enc_transport_key_size &&
310 !ASN1_OCTET_STRING_set(sec_key_wrapper->encrypted_transport_key, enc_transport_key_data,
311 enc_transport_key_size)) {
312 cxx_result.error = keymaster::TranslateLastOpenSslError();
313 return cxx_result;
314 }
315
316 // Fill encrypted secure key.
317 if (enc_secure_key_size && !ASN1_OCTET_STRING_set(sec_key_wrapper->encrypted_key,
318 enc_secure_key_data, enc_secure_key_size)) {
319 cxx_result.error = keymaster::TranslateLastOpenSslError();
320 return cxx_result;
321 }
322
323 // Fill secure key authorization list.
324 keymaster::AuthorizationSet auth_list = build_wrapped_key_auth_list();
325 error = build_auth_list(auth_list, sec_key_wrapper->key_desc->key_params);
326 if (error != KM_ERROR_OK) {
327 cxx_result.error = error;
328 return cxx_result;
329 }
330
331 // Fill secure key format.
332 if (!ASN1_INTEGER_set(sec_key_wrapper->key_desc->key_format, KM_KEY_FORMAT_RAW)) {
333 cxx_result.error = keymaster::TranslateLastOpenSslError();
334 return cxx_result;
335 }
336
337 // Fill initialization vector used for encrypting secure key.
338 if (iv_size &&
339 !ASN1_OCTET_STRING_set(sec_key_wrapper->initialization_vector, iv_data, iv_size)) {
340 cxx_result.error = keymaster::TranslateLastOpenSslError();
341 return cxx_result;
342 }
343
344 // Fill GCM-tag, extracted during secure key encryption.
345 if (tag_size && !ASN1_OCTET_STRING_set(sec_key_wrapper->tag, tag_data, tag_size)) {
346 cxx_result.error = keymaster::TranslateLastOpenSslError();
347 return cxx_result;
348 }
349
350 // ASN.1 DER-encoding of secure key wrapper.
Rajesh Nyamagoudcebd79d2023-01-12 16:22:00 +0000[diff] [blame]351 int asn1_data_len = i2d_TEST_SECURE_KEY_WRAPPER(sec_key_wrapper.get(), nullptr);
Rajesh Nyamagoudc946cc42022-04-12 22:49:11 +0000[diff] [blame]352 if (asn1_data_len < 0) {
353 cxx_result.error = keymaster::TranslateLastOpenSslError();
354 return cxx_result;
355 }
356 std::vector<uint8_t> asn1_data(asn1_data_len, 0);
357
358 if (!asn1_data.data()) {
359 cxx_result.error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
360 return cxx_result;
361 }
362
363 uint8_t* p = asn1_data.data();
364 asn1_data_len = i2d_TEST_SECURE_KEY_WRAPPER(sec_key_wrapper.get(), &p);
365 if (asn1_data_len < 0) {
366 cxx_result.error = keymaster::TranslateLastOpenSslError();
367 return cxx_result;
368 }
369
370 std::move(asn1_data.begin(), asn1_data.end(), std::back_inserter(cxx_result.data));
371
372 return cxx_result;
373}
Rajesh Nyamagoud28abde62023-04-01 01:32:32 +0000[diff] [blame]374
375/**
376 * Perform EC/RSA sign operation using `EVP_PKEY`.
377 */
378bool performSignData(const char* data, size_t data_len, EVP_PKEY* pkey, unsigned char** signature,
379 size_t* signature_len) {
380 // Create the signing context
381 EVP_MD_CTX* md_ctx = EVP_MD_CTX_new();
382 if (md_ctx == NULL) {
383 LOG(ERROR) << "Failed to create signing context";
384 return false;
385 }
386
387 // Initialize the signing operation
388 if (EVP_DigestSignInit(md_ctx, NULL, EVP_sha256(), NULL, pkey) != 1) {
389 LOG(ERROR) << "Failed to initialize signing operation";
390 EVP_MD_CTX_free(md_ctx);
391 return false;
392 }
393
394 // Sign the data
395 if (EVP_DigestSignUpdate(md_ctx, data, data_len) != 1) {
396 LOG(ERROR) << "Failed to sign data";
397 EVP_MD_CTX_free(md_ctx);
398 return false;
399 }
400
401 // Determine the length of the signature
402 if (EVP_DigestSignFinal(md_ctx, NULL, signature_len) != 1) {
403 LOG(ERROR) << "Failed to determine signature length";
404 EVP_MD_CTX_free(md_ctx);
405 return false;
406 }
407
408 // Allocate memory for the signature
409 *signature = (unsigned char*)malloc(*signature_len);
410 if (*signature == NULL) {
411 LOG(ERROR) << "Failed to allocate memory for the signature";
412 EVP_MD_CTX_free(md_ctx);
413 return false;
414 }
415
416 // Perform the final signing operation
417 if (EVP_DigestSignFinal(md_ctx, *signature, signature_len) != 1) {
418 LOG(ERROR) << "Failed to perform signing operation";
419 free(*signature);
420 EVP_MD_CTX_free(md_ctx);
421 return false;
422 }
423
424 EVP_MD_CTX_free(md_ctx);
425 return true;
426}
427
428/**
429 * Perform EC/RSA verify operation using `EVP_PKEY`.
430 */
431int performVerifySignature(const char* data, size_t data_len, EVP_PKEY* pkey,
432 const unsigned char* signature, size_t signature_len) {
433 // Create the verification context
434 EVP_MD_CTX* md_ctx = EVP_MD_CTX_new();
435 if (md_ctx == NULL) {
436 LOG(ERROR) << "Failed to create verification context";
437 return false;
438 }
439
440 // Initialize the verification operation
441 if (EVP_DigestVerifyInit(md_ctx, NULL, EVP_sha256(), NULL, pkey) != 1) {
442 LOG(ERROR) << "Failed to initialize verification operation";
443 EVP_MD_CTX_free(md_ctx);
444 return false;
445 }
446
447 // Verify the data
448 if (EVP_DigestVerifyUpdate(md_ctx, data, data_len) != 1) {
449 LOG(ERROR) << "Failed to verify data";
450 EVP_MD_CTX_free(md_ctx);
451 return false;
452 }
453
454 // Perform the verification operation
455 int ret = EVP_DigestVerifyFinal(md_ctx, signature, signature_len);
456 EVP_MD_CTX_free(md_ctx);
457
458 return ret == 1;
459}
460
461/**
462 * Extract the `EVP_PKEY` for the given KeyMint Key and perform Sign/Verify operations
463 * using extracted `EVP_PKEY`.
464 */
465bool performCryptoOpUsingKeystoreEngine(int64_t grant_id) {
466 const int KEY_ID_LEN = 20;
467 char key_id[KEY_ID_LEN] = "";
468 snprintf(key_id, KEY_ID_LEN, "%" PRIx64, grant_id);
469 std::string str_key = std::string(keystore2_grant_id_prefix) + key_id;
470 bool result = false;
471
472#if defined(OPENSSL_IS_BORINGSSL)
473 EVP_PKEY* evp = EVP_PKEY_from_keystore(str_key.c_str());
474 if (!evp) {
475 LOG(ERROR) << "Error while loading a key from keystore-engine";
476 return false;
477 }
478
479 int algo_type = EVP_PKEY_id(evp);
480 if (algo_type != EVP_PKEY_RSA && algo_type != EVP_PKEY_EC) {
481 LOG(ERROR) << "Unsupported Algorithm. Only RSA and EC are allowed.";
482 EVP_PKEY_free(evp);
483 return false;
484 }
485
486 unsigned char* signature = NULL;
487 size_t signature_len = 0;
488 const char* INPUT_DATA = "MY MESSAGE FOR SIGN";
489 size_t data_len = strlen(INPUT_DATA);
490 if (!performSignData(INPUT_DATA, data_len, evp, &signature, &signature_len)) {
491 LOG(ERROR) << "Failed to sign data";
492 EVP_PKEY_free(evp);
493 return false;
494 }
495
496 result = performVerifySignature(INPUT_DATA, data_len, evp, signature, signature_len);
497 if (!result) {
498 LOG(ERROR) << "Signature verification failed";
499 } else {
500 LOG(INFO) << "Signature verification success";
501 }
502
503 free(signature);
504 EVP_PKEY_free(evp);
505#endif
506 return result;
507}
Rajesh Nyamagouda42dee62022-04-22 21:15:55 +0000[diff] [blame^]508
509CxxResult getValueFromAttestRecord(rust::Vec<rust::u8> cert_buf, int32_t tag) {
510 CxxResult cxx_result{};
511 cxx_result.error = KM_ERROR_OK;
512
513 uint8_t* cert_data = cert_buf.data();
514 int cert_data_size = cert_buf.size();
515
516 std::vector<uint8_t> cert_bytes;
517 cert_bytes.insert(cert_bytes.end(), cert_data, (cert_data + cert_data_size));
518
519 aidl::android::hardware::security::keymint::X509_Ptr cert(
520 aidl::android::hardware::security::keymint::test::parse_cert_blob(cert_bytes));
521 if (!cert.get()) {
522 cxx_result.error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
523 return cxx_result;
524 }
525
526 ASN1_OCTET_STRING* attest_rec =
527 aidl::android::hardware::security::keymint::test::get_attestation_record(cert.get());
528 if (!attest_rec) {
529 cxx_result.error = keymaster::TranslateLastOpenSslError();
530 return cxx_result;
531 }
532
533 aidl::android::hardware::security::keymint::AuthorizationSet att_sw_enforced;
534 aidl::android::hardware::security::keymint::AuthorizationSet att_hw_enforced;
535 uint32_t att_attestation_version;
536 uint32_t att_keymint_version;
537 aidl::android::hardware::security::keymint::SecurityLevel att_attestation_security_level;
538 aidl::android::hardware::security::keymint::SecurityLevel att_keymint_security_level;
539 std::vector<uint8_t> att_challenge;
540 std::vector<uint8_t> att_unique_id;
541 std::vector<uint8_t> att_app_id;
542
543 auto error = aidl::android::hardware::security::keymint::parse_attestation_record(
544 attest_rec->data, attest_rec->length, &att_attestation_version,
545 &att_attestation_security_level, &att_keymint_version, &att_keymint_security_level,
546 &att_challenge, &att_sw_enforced, &att_hw_enforced, &att_unique_id);
547 EXPECT_EQ(ErrorCode::OK, error);
548 if (error != ErrorCode::OK) {
549 cxx_result.error = static_cast<int32_t>(error);
550 return cxx_result;
551 }
552
553 aidl::android::hardware::security::keymint::Tag auth_tag =
554 static_cast<aidl::android::hardware::security::keymint::Tag>(tag);
555
556 if (auth_tag == aidl::android::hardware::security::keymint::Tag::ATTESTATION_APPLICATION_ID) {
557 int pos = att_sw_enforced.find(
558 aidl::android::hardware::security::keymint::Tag::ATTESTATION_APPLICATION_ID);
559 if (pos == -1) {
560 cxx_result.error = KM_ERROR_ATTESTATION_APPLICATION_ID_MISSING;
561 return cxx_result;
562 }
563 aidl::android::hardware::security::keymint::KeyParameter param = att_sw_enforced[pos];
564 std::vector<uint8_t> val =
565 param.value.get<aidl::android::hardware::security::keymint::KeyParameterValue::blob>();
566 std::move(val.begin(), val.end(), std::back_inserter(cxx_result.data));
567 return cxx_result;
568 }
569
570 if (auth_tag == aidl::android::hardware::security::keymint::Tag::ATTESTATION_CHALLENGE) {
571 if (att_challenge.size() == 0) {
572 cxx_result.error = KM_ERROR_ATTESTATION_CHALLENGE_MISSING;
573 return cxx_result;
574 }
575 std::move(att_challenge.begin(), att_challenge.end(), std::back_inserter(cxx_result.data));
576 return cxx_result;
577 }
578
579 if (auth_tag == aidl::android::hardware::security::keymint::Tag::UNIQUE_ID) {
580 if (att_unique_id.size() == 0) {
581 cxx_result.error = KM_ERROR_UNSUPPORTED_TAG;
582 return cxx_result;
583 }
584 std::move(att_unique_id.begin(), att_unique_id.end(), std::back_inserter(cxx_result.data));
585 return cxx_result;
586 }
587
588 int pos = att_hw_enforced.find(auth_tag);
589 if (pos == -1) {
590 cxx_result.error = KM_ERROR_UNSUPPORTED_TAG;
591 return cxx_result;
592 }
593 aidl::android::hardware::security::keymint::KeyParameter param = att_hw_enforced[pos];
594 std::vector<uint8_t> val =
595 param.value.get<aidl::android::hardware::security::keymint::KeyParameterValue::blob>();
596 std::move(val.begin(), val.end(), std::back_inserter(cxx_result.data));
597 return cxx_result;
598}