1 /*
2 * Copyright 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymasterV4_1/attestation_record.h>
18
19 #include <android-base/logging.h>
20 #include <assert.h>
21
22 #include <openssl/asn1t.h>
23 #include <openssl/bn.h>
24 #include <openssl/evp.h>
25 #include <openssl/x509.h>
26
27 #include <keymasterV4_0/authorization_set.h>
28 #include <keymasterV4_0/openssl_utils.h>
29
30 #define AT __FILE__ ":" << __LINE__
31
32 /*
33 * NOTE: The contents of this file are *extremely* similar to the contents of the V4_0 copy of the
34 * same support file. Unfortunately, small changes in the scheme mean that the schema types have to
35 * be distinct, which drives almost everything else to be different as well. In the next version we
36 * plan to abandon not just this openssl mechanism for parsing ASN.1, but ASN.1 entirely, so
37 * eventually all of this duplication can be removed.
38 */
39
40 namespace android {
41 namespace hardware {
42 namespace keymaster {
43 namespace V4_1 {
44
45 struct stack_st_ASN1_TYPE_Delete {
operator ()android::hardware::keymaster::V4_1::stack_st_ASN1_TYPE_Delete46 void operator()(stack_st_ASN1_TYPE* p) { sk_ASN1_TYPE_free(p); }
47 };
48
49 struct ASN1_STRING_Delete {
operator ()android::hardware::keymaster::V4_1::ASN1_STRING_Delete50 void operator()(ASN1_STRING* p) { ASN1_STRING_free(p); }
51 };
52
53 struct ASN1_TYPE_Delete {
operator ()android::hardware::keymaster::V4_1::ASN1_TYPE_Delete54 void operator()(ASN1_TYPE* p) { ASN1_TYPE_free(p); }
55 };
56
57 #define ASN1_INTEGER_SET STACK_OF(ASN1_INTEGER)
58
59 typedef struct km_root_of_trust {
60 ASN1_OCTET_STRING* verified_boot_key;
61 ASN1_BOOLEAN device_locked;
62 ASN1_ENUMERATED* verified_boot_state;
63 ASN1_OCTET_STRING* verified_boot_hash;
64 } KM_ROOT_OF_TRUST;
65
66 ASN1_SEQUENCE(KM_ROOT_OF_TRUST) = {
67 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_key, ASN1_OCTET_STRING),
68 ASN1_SIMPLE(KM_ROOT_OF_TRUST, device_locked, ASN1_BOOLEAN),
69 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_state, ASN1_ENUMERATED),
70 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_hash, ASN1_OCTET_STRING),
71 } ASN1_SEQUENCE_END(KM_ROOT_OF_TRUST);
72 IMPLEMENT_ASN1_FUNCTIONS(KM_ROOT_OF_TRUST);
73
74 typedef struct km_auth_list {
75 ASN1_INTEGER_SET* purpose;
76 ASN1_INTEGER* algorithm;
77 ASN1_INTEGER* key_size;
78 ASN1_INTEGER_SET* digest;
79 ASN1_INTEGER_SET* padding;
80 ASN1_INTEGER* ec_curve;
81 ASN1_INTEGER* rsa_public_exponent;
82 ASN1_INTEGER* active_date_time;
83 ASN1_INTEGER* origination_expire_date_time;
84 ASN1_INTEGER* usage_expire_date_time;
85 ASN1_NULL* no_auth_required;
86 ASN1_INTEGER* user_auth_type;
87 ASN1_INTEGER* auth_timeout;
88 ASN1_NULL* allow_while_on_body;
89 ASN1_NULL* all_applications;
90 ASN1_OCTET_STRING* application_id;
91 ASN1_INTEGER* creation_date_time;
92 ASN1_INTEGER* origin;
93 ASN1_NULL* rollback_resistance;
94 KM_ROOT_OF_TRUST* root_of_trust;
95 ASN1_INTEGER* os_version;
96 ASN1_INTEGER* os_patchlevel;
97 ASN1_OCTET_STRING* attestation_application_id;
98 ASN1_NULL* trusted_user_presence_required;
99 ASN1_NULL* trusted_confirmation_required;
100 ASN1_NULL* unlocked_device_required;
101 ASN1_INTEGER* vendor_patchlevel;
102 ASN1_INTEGER* boot_patchlevel;
103 ASN1_NULL* early_boot_only;
104 ASN1_NULL* device_unique_attestation;
105 } KM_AUTH_LIST;
106
107 ASN1_SEQUENCE(KM_AUTH_LIST) = {
108 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, purpose, ASN1_INTEGER, TAG_PURPOSE.maskedTag()),
109 ASN1_EXP_OPT(KM_AUTH_LIST, algorithm, ASN1_INTEGER, TAG_ALGORITHM.maskedTag()),
110 ASN1_EXP_OPT(KM_AUTH_LIST, key_size, ASN1_INTEGER, TAG_KEY_SIZE.maskedTag()),
111 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, digest, ASN1_INTEGER, TAG_DIGEST.maskedTag()),
112 ASN1_EXP_SET_OF_OPT(KM_AUTH_LIST, padding, ASN1_INTEGER, TAG_PADDING.maskedTag()),
113 ASN1_EXP_OPT(KM_AUTH_LIST, ec_curve, ASN1_INTEGER, TAG_EC_CURVE.maskedTag()),
114 ASN1_EXP_OPT(KM_AUTH_LIST, rsa_public_exponent, ASN1_INTEGER,
115 TAG_RSA_PUBLIC_EXPONENT.maskedTag()),
116 ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL,
117 TAG_ROLLBACK_RESISTANCE.maskedTag()),
118 ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()),
119 ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER,
120 TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()),
121 ASN1_EXP_OPT(KM_AUTH_LIST, usage_expire_date_time, ASN1_INTEGER,
122 TAG_USAGE_EXPIRE_DATETIME.maskedTag()),
123 ASN1_EXP_OPT(KM_AUTH_LIST, no_auth_required, ASN1_NULL, TAG_NO_AUTH_REQUIRED.maskedTag()),
124 ASN1_EXP_OPT(KM_AUTH_LIST, user_auth_type, ASN1_INTEGER, TAG_USER_AUTH_TYPE.maskedTag()),
125 ASN1_EXP_OPT(KM_AUTH_LIST, auth_timeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT.maskedTag()),
126 ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL,
127 TAG_ALLOW_WHILE_ON_BODY.maskedTag()),
128 ASN1_EXP_OPT(KM_AUTH_LIST, trusted_user_presence_required, ASN1_NULL,
129 TAG_TRUSTED_USER_PRESENCE_REQUIRED.maskedTag()),
130 ASN1_EXP_OPT(KM_AUTH_LIST, trusted_confirmation_required, ASN1_NULL,
131 TAG_TRUSTED_CONFIRMATION_REQUIRED.maskedTag()),
132 ASN1_EXP_OPT(KM_AUTH_LIST, unlocked_device_required, ASN1_NULL,
133 TAG_UNLOCKED_DEVICE_REQUIRED.maskedTag()),
134 ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER,
135 TAG_CREATION_DATETIME.maskedTag()),
136 ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.maskedTag()),
137 ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()),
138 ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()),
139 ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()),
140 ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER,
141 TAG_VENDOR_PATCHLEVEL.maskedTag()),
142 ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()),
143 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING,
144 TAG_ATTESTATION_APPLICATION_ID.maskedTag()),
145 ASN1_EXP_OPT(KM_AUTH_LIST, early_boot_only, ASN1_NULL, TAG_EARLY_BOOT_ONLY.maskedTag()),
146 ASN1_EXP_OPT(KM_AUTH_LIST, device_unique_attestation, ASN1_NULL,
147 TAG_DEVICE_UNIQUE_ATTESTATION.maskedTag()),
148 } ASN1_SEQUENCE_END(KM_AUTH_LIST);
149 IMPLEMENT_ASN1_FUNCTIONS(KM_AUTH_LIST);
150
151 typedef struct km_key_description {
152 ASN1_INTEGER* attestation_version;
153 ASN1_ENUMERATED* attestation_security_level;
154 ASN1_INTEGER* keymaster_version;
155 ASN1_ENUMERATED* keymaster_security_level;
156 ASN1_OCTET_STRING* attestation_challenge;
157 KM_AUTH_LIST* software_enforced;
158 KM_AUTH_LIST* tee_enforced;
159 ASN1_INTEGER* unique_id;
160 } KM_KEY_DESCRIPTION;
161
162 ASN1_SEQUENCE(KM_KEY_DESCRIPTION) = {
163 ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_version, ASN1_INTEGER),
164 ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_security_level, ASN1_ENUMERATED),
165 ASN1_SIMPLE(KM_KEY_DESCRIPTION, keymaster_version, ASN1_INTEGER),
166 ASN1_SIMPLE(KM_KEY_DESCRIPTION, keymaster_security_level, ASN1_ENUMERATED),
167 ASN1_SIMPLE(KM_KEY_DESCRIPTION, attestation_challenge, ASN1_OCTET_STRING),
168 ASN1_SIMPLE(KM_KEY_DESCRIPTION, unique_id, ASN1_OCTET_STRING),
169 ASN1_SIMPLE(KM_KEY_DESCRIPTION, software_enforced, KM_AUTH_LIST),
170 ASN1_SIMPLE(KM_KEY_DESCRIPTION, tee_enforced, KM_AUTH_LIST),
171 } ASN1_SEQUENCE_END(KM_KEY_DESCRIPTION);
172 IMPLEMENT_ASN1_FUNCTIONS(KM_KEY_DESCRIPTION);
173
174 template <V4_0::Tag tag>
copyAuthTag(const stack_st_ASN1_INTEGER * stack,TypedTag<TagType::ENUM_REP,tag> ttag,AuthorizationSet * auth_list)175 void copyAuthTag(const stack_st_ASN1_INTEGER* stack, TypedTag<TagType::ENUM_REP, tag> ttag,
176 AuthorizationSet* auth_list) {
177 typedef typename V4_0::TypedTag2ValueType<decltype(ttag)>::type ValueT;
178 for (size_t i = 0; i < sk_ASN1_INTEGER_num(stack); ++i) {
179 auth_list->push_back(
180 ttag, static_cast<ValueT>(ASN1_INTEGER_get(sk_ASN1_INTEGER_value(stack, i))));
181 }
182 }
183
184 template <V4_0::Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::ENUM,tag> ttag,AuthorizationSet * auth_list)185 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::ENUM, tag> ttag,
186 AuthorizationSet* auth_list) {
187 typedef typename V4_0::TypedTag2ValueType<decltype(ttag)>::type ValueT;
188 if (!asn1_int) return;
189 auth_list->push_back(ttag, static_cast<ValueT>(ASN1_INTEGER_get(asn1_int)));
190 }
191
192 template <V4_0::Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::UINT,tag> ttag,AuthorizationSet * auth_list)193 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::UINT, tag> ttag,
194 AuthorizationSet* auth_list) {
195 if (!asn1_int) return;
196 auth_list->push_back(ttag, ASN1_INTEGER_get(asn1_int));
197 }
198
construct_uint_max()199 BIGNUM* construct_uint_max() {
200 BIGNUM* value = BN_new();
201 BIGNUM_Ptr one(BN_new());
202 BN_one(one.get());
203 BN_lshift(value, one.get(), 32);
204 return value;
205 }
206
BignumToUint64(BIGNUM * num)207 uint64_t BignumToUint64(BIGNUM* num) {
208 static_assert((sizeof(BN_ULONG) == sizeof(uint32_t)) || (sizeof(BN_ULONG) == sizeof(uint64_t)),
209 "This implementation only supports 32 and 64-bit BN_ULONG");
210 if (sizeof(BN_ULONG) == sizeof(uint32_t)) {
211 BIGNUM_Ptr uint_max(construct_uint_max());
212 BIGNUM_Ptr hi(BN_new()), lo(BN_new());
213 BN_CTX_Ptr ctx(BN_CTX_new());
214 BN_div(hi.get(), lo.get(), num, uint_max.get(), ctx.get());
215 return static_cast<uint64_t>(BN_get_word(hi.get())) << 32 | BN_get_word(lo.get());
216 } else if (sizeof(BN_ULONG) == sizeof(uint64_t)) {
217 return BN_get_word(num);
218 } else {
219 return 0;
220 }
221 }
222
223 template <V4_0::Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::ULONG,tag> ttag,AuthorizationSet * auth_list)224 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::ULONG, tag> ttag,
225 AuthorizationSet* auth_list) {
226 if (!asn1_int) return;
227 BIGNUM_Ptr num(ASN1_INTEGER_to_BN(asn1_int, nullptr));
228 auth_list->push_back(ttag, BignumToUint64(num.get()));
229 }
230
231 template <V4_0::Tag tag>
copyAuthTag(const ASN1_INTEGER * asn1_int,TypedTag<TagType::DATE,tag> ttag,AuthorizationSet * auth_list)232 void copyAuthTag(const ASN1_INTEGER* asn1_int, TypedTag<TagType::DATE, tag> ttag,
233 AuthorizationSet* auth_list) {
234 if (!asn1_int) return;
235 BIGNUM_Ptr num(ASN1_INTEGER_to_BN(asn1_int, nullptr));
236 auth_list->push_back(ttag, BignumToUint64(num.get()));
237 }
238
239 template <V4_0::Tag tag>
copyAuthTag(const ASN1_NULL * asn1_null,TypedTag<TagType::BOOL,tag> ttag,AuthorizationSet * auth_list)240 void copyAuthTag(const ASN1_NULL* asn1_null, TypedTag<TagType::BOOL, tag> ttag,
241 AuthorizationSet* auth_list) {
242 if (!asn1_null) return;
243 auth_list->push_back(ttag);
244 }
245
246 template <V4_0::Tag tag>
copyAuthTag(const ASN1_OCTET_STRING * asn1_string,TypedTag<TagType::BYTES,tag> ttag,AuthorizationSet * auth_list)247 void copyAuthTag(const ASN1_OCTET_STRING* asn1_string, TypedTag<TagType::BYTES, tag> ttag,
248 AuthorizationSet* auth_list) {
249 if (!asn1_string) return;
250 hidl_vec<uint8_t> buf;
251 buf.setToExternal(asn1_string->data, asn1_string->length);
252 auth_list->push_back(ttag, buf);
253 }
254
255 // Extract the values from the specified ASN.1 record and place them in auth_list.
extract_auth_list(const KM_AUTH_LIST * record,AuthorizationSet * auth_list)256 static ErrorCode extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet* auth_list) {
257 if (!record) return ErrorCode::OK;
258
259 copyAuthTag(record->active_date_time, TAG_ACTIVE_DATETIME, auth_list);
260 copyAuthTag(record->algorithm, TAG_ALGORITHM, auth_list);
261 copyAuthTag(record->application_id, TAG_APPLICATION_ID, auth_list);
262 copyAuthTag(record->auth_timeout, TAG_AUTH_TIMEOUT, auth_list);
263 copyAuthTag(record->creation_date_time, TAG_CREATION_DATETIME, auth_list);
264 copyAuthTag(record->digest, TAG_DIGEST, auth_list);
265 copyAuthTag(record->ec_curve, TAG_EC_CURVE, auth_list);
266 copyAuthTag(record->key_size, TAG_KEY_SIZE, auth_list);
267 copyAuthTag(record->no_auth_required, TAG_NO_AUTH_REQUIRED, auth_list);
268 copyAuthTag(record->origin, TAG_ORIGIN, auth_list);
269 copyAuthTag(record->origination_expire_date_time, TAG_ORIGINATION_EXPIRE_DATETIME, auth_list);
270 copyAuthTag(record->os_patchlevel, TAG_OS_PATCHLEVEL, auth_list);
271 copyAuthTag(record->os_version, TAG_OS_VERSION, auth_list);
272 copyAuthTag(record->padding, TAG_PADDING, auth_list);
273 copyAuthTag(record->purpose, TAG_PURPOSE, auth_list);
274 copyAuthTag(record->rollback_resistance, TAG_ROLLBACK_RESISTANCE, auth_list);
275 copyAuthTag(record->rsa_public_exponent, TAG_RSA_PUBLIC_EXPONENT, auth_list);
276 copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list);
277 copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list);
278 copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list);
279 copyAuthTag(record->vendor_patchlevel, TAG_VENDOR_PATCHLEVEL, auth_list);
280 copyAuthTag(record->boot_patchlevel, TAG_BOOT_PATCHLEVEL, auth_list);
281 copyAuthTag(record->trusted_user_presence_required, TAG_TRUSTED_USER_PRESENCE_REQUIRED,
282 auth_list);
283 copyAuthTag(record->trusted_confirmation_required, TAG_TRUSTED_CONFIRMATION_REQUIRED,
284 auth_list);
285 copyAuthTag(record->unlocked_device_required, TAG_UNLOCKED_DEVICE_REQUIRED, auth_list);
286 copyAuthTag(record->early_boot_only, TAG_EARLY_BOOT_ONLY, auth_list);
287 copyAuthTag(record->device_unique_attestation, TAG_DEVICE_UNIQUE_ATTESTATION, auth_list);
288
289 return ErrorCode::OK;
290 }
291
MAKE_OPENSSL_PTR_TYPE(KM_KEY_DESCRIPTION)292 MAKE_OPENSSL_PTR_TYPE(KM_KEY_DESCRIPTION)
293
294 // Parse the DER-encoded attestation record, placing the results in keymaster_version,
295 // attestation_challenge, software_enforced, tee_enforced and unique_id.
296 std::tuple<ErrorCode, AttestationRecord> parse_attestation_record(const hidl_vec<uint8_t>& cert) {
297 const uint8_t* p = cert.data();
298 X509_Ptr x509(d2i_X509(nullptr, &p, cert.size()));
299 if (!x509.get()) {
300 LOG(ERROR) << "Error converting DER";
301 return {ErrorCode::INVALID_ARGUMENT, {}};
302 }
303
304 ASN1_OBJECT_Ptr oid(OBJ_txt2obj(kAttestionRecordOid, 1 /* dotted string format */));
305 if (!oid.get()) {
306 LOG(ERROR) << "Error parsing OID";
307 return {ErrorCode::UNKNOWN_ERROR, {}};
308 }
309
310 int location = X509_get_ext_by_OBJ(x509.get(), oid.get(), -1 /* search from beginning */);
311 if (location == -1) {
312 LOG(ERROR) << "Attestation extension not found in certificate";
313 return {ErrorCode::UNKNOWN_ERROR, {}};
314 }
315
316 X509_EXTENSION* attest_rec_ext = X509_get_ext(x509.get(), location);
317 if (!attest_rec_ext) {
318 LOG(ERROR) << "Found extension but couldn't retrieve it. Probably BoringSSL bug.";
319 return {ErrorCode::UNKNOWN_ERROR, {}};
320 }
321
322 ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext);
323 if (!attest_rec_ext) {
324 LOG(ERROR) << "Attestation extension contained no data";
325 return {ErrorCode::UNKNOWN_ERROR, {}};
326 }
327
328 p = attest_rec->data;
329 KM_KEY_DESCRIPTION_Ptr record(d2i_KM_KEY_DESCRIPTION(nullptr, &p, attest_rec->length));
330 if (!record.get()) return {ErrorCode::UNKNOWN_ERROR, {}};
331
332 AttestationRecord result;
333
334 result.attestation_version = ASN1_INTEGER_get(record->attestation_version);
335 result.attestation_security_level =
336 static_cast<SecurityLevel>(ASN1_ENUMERATED_get(record->attestation_security_level));
337 result.keymaster_version = ASN1_INTEGER_get(record->keymaster_version);
338 result.keymaster_security_level =
339 static_cast<SecurityLevel>(ASN1_ENUMERATED_get(record->keymaster_security_level));
340
341 auto& chall = record->attestation_challenge;
342 result.attestation_challenge.resize(chall->length);
343 memcpy(result.attestation_challenge.data(), chall->data, chall->length);
344 auto& uid = record->unique_id;
345 result.unique_id.resize(uid->length);
346 memcpy(result.unique_id.data(), uid->data, uid->length);
347
348 ErrorCode error = extract_auth_list(record->software_enforced, &result.software_enforced);
349 if (error != ErrorCode::OK) return {error, {}};
350
351 error = extract_auth_list(record->tee_enforced, &result.hardware_enforced);
352 if (error != ErrorCode::OK) return {error, {}};
353
354 KM_ROOT_OF_TRUST* root_of_trust = nullptr;
355 if (record->tee_enforced && record->tee_enforced->root_of_trust) {
356 root_of_trust = record->tee_enforced->root_of_trust;
357 } else if (record->software_enforced && record->software_enforced->root_of_trust) {
358 root_of_trust = record->software_enforced->root_of_trust;
359 } else {
360 LOG(ERROR) << AT << " Failed root of trust parsing";
361 return {ErrorCode::INVALID_ARGUMENT, {}};
362 }
363 if (!root_of_trust->verified_boot_key) {
364 LOG(ERROR) << AT << " Failed verified boot key parsing";
365 return {ErrorCode::INVALID_ARGUMENT, {}};
366 }
367
368 RootOfTrust& rot = result.root_of_trust;
369 auto& vb_key = root_of_trust->verified_boot_key;
370 rot.verified_boot_key.resize(vb_key->length);
371 memcpy(rot.verified_boot_key.data(), vb_key->data, vb_key->length);
372
373 rot.verified_boot_state = static_cast<keymaster_verified_boot_t>(
374 ASN1_ENUMERATED_get(root_of_trust->verified_boot_state));
375 rot.device_locked = root_of_trust->device_locked;
376
377 auto& vb_hash = root_of_trust->verified_boot_hash;
378 if (!vb_hash) {
379 LOG(ERROR) << AT << " Failed verified boot hash parsing";
380 return {ErrorCode::INVALID_ARGUMENT, {}};
381 }
382 rot.verified_boot_hash.resize(vb_hash->length);
383 memcpy(rot.verified_boot_hash.data(), vb_hash->data, vb_hash->length);
384
385 return {ErrorCode::OK, result};
386 }
387
388 } // namespace V4_1
389 } // namespace keymaster
390 } // namespace hardware
391 } // namespace android
392