1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #ifdef HKS_CONFIG_FILE
17 #include HKS_CONFIG_FILE
18 #else
19 #endif
20
21 #include "dcm_attest.h"
22 #include "dcm_attest_utils.h"
23
24 #include <stddef.h>
25 #include <sys/time.h>
26
27 #include "dcm_certs_and_key.h"
28 #include "hks_common_check.h"
29 #include "hks_crypto_adapter.h"
30 #include "hks_crypto_hal.h"
31 #include "hks_keyblob.h"
32 #include "hks_log.h"
33 #include "hks_mem.h"
34 #include "hks_param.h"
35 #include "hks_secure_access.h"
36 #include "hks_template.h"
37 #include "securec.h"
38
39 #define ID_HUKS_BASE 0x2B, 0x06, 0x01, 0x04, 0x01, 0x8F, 0x5B
40 #define ID_HUKS_BASE_SIZE 0x07
41
42 #define ID_HUKS_PRODUCT ID_HUKS_BASE, 0x02
43 #define ID_HUKS_PRODUCT_SIZE (ID_HUKS_BASE_SIZE + 1)
44
45 #define ID_HUKS_PKI ID_HUKS_PRODUCT, 0x82, 0x78
46 #define ID_HUKS_PKI_SIZE (ID_HUKS_PRODUCT_SIZE + 2)
47
48 #define ID_HUKS_PKI_CERT_EXT ID_HUKS_PKI, 0x01
49 #define ID_HUKS_PKI_CERT_EXT_SIZE (ID_HUKS_PKI_SIZE + 1)
50
51 #define ID_HUKS_PKI_DEVICE_SECURITY_LEVEL ID_HUKS_PKI_CERT_EXT, 0x01
52 #define ID_HUKS_PKI_DEVICE_SECURITY_LEVEL_SIZE (ID_HUKS_PKI_CERT_EXT_SIZE + 1)
53
54 #define ID_HUKS_PKI_ATTESTATION ID_HUKS_PKI_CERT_EXT, 0x02
55 #define ID_HUKS_PKI_ATTESTATION_SIZE (ID_HUKS_PKI_CERT_EXT_SIZE + 1)
56
57 #define ID_HUKS_ATTESTATION_BASE ID_HUKS_PKI, 0x02
58 #define ID_HUKS_ATTESTATION_BASE_SIZE (ID_HUKS_PKI_SIZE + 1)
59
60 #define ID_KEY_PROPERTIES ID_HUKS_ATTESTATION_BASE, 0x01
61 #define ID_KEY_PROPERTIES_SIZE (ID_HUKS_ATTESTATION_BASE_SIZE + 1)
62
63 #define ID_SYSTEM_PROPERTIES ID_HUKS_ATTESTATION_BASE, 0x02
64 #define ID_SYSTEM_PROPERTIES_SIZE (ID_HUKS_ATTESTATION_BASE_SIZE + 1)
65
66 #define ID_SYSTEM_PROPERTIY_OS ID_SYSTEM_PROPERTIES, 0x02
67 #define ID_SYSTEM_PROPERTIY_OS_SIZE (ID_SYSTEM_PROPERTIES_SIZE + 1)
68
69 #define ID_SYSTEM_PROPERTIY_OS_VERSION ID_SYSTEM_PROPERTIY_OS, 0x04
70 #define ID_SYSTEM_PROPERTIY_OS_VERSION_SIZE (ID_SYSTEM_PROPERTIY_OS_SIZE + 1)
71 DECLARE_TAG(hksOsVersion, ID_SYSTEM_PROPERTIY_OS_VERSION);
72 DECLARE_OID(hksOsVersion);
73
74 #define ID_SYSTEM_PROPERTIY_OS_SEC_INFO ID_SYSTEM_PROPERTIY_OS, 0x05
75 #define ID_SYSTEM_PROPERTIY_OS_SEC_INFO_SIZE (ID_SYSTEM_PROPERTIY_OS_SIZE + 1)
76 DECLARE_TAG(hksSecInfo, ID_SYSTEM_PROPERTIY_OS_SEC_INFO);
77 DECLARE_OID(hksSecInfo);
78
79 #define ID_PRIVACY_PROPERTIES ID_SYSTEM_PROPERTIES, 0x04
80 #define ID_PRIVACY_PROPERTIES_SIZE (ID_SYSTEM_PROPERTIES_SIZE + 1)
81
82 #define ID_PRIVACY_PROPERTIY_IMEI ID_PRIVACY_PROPERTIES, 0x01
83 #define ID_PRIVACY_PROPERTIY_IMEI_SIZE (ID_PRIVACY_PROPERTIES_SIZE + 1)
84 DECLARE_TAG(hksImei, ID_PRIVACY_PROPERTIY_IMEI);
85 DECLARE_OID(hksImei);
86
87 #define ID_PRIVACY_PROPERTIY_MEID ID_PRIVACY_PROPERTIES, 0x02
88 #define ID_PRIVACY_PROPERTIY_MEID_SIZE (ID_PRIVACY_PROPERTIES_SIZE + 1)
89 DECLARE_TAG(hksMeid, ID_PRIVACY_PROPERTIY_MEID);
90 DECLARE_OID(hksMeid);
91
92 #define ID_PRIVACY_PROPERTIY_SN ID_PRIVACY_PROPERTIES, 0x03
93 #define ID_PRIVACY_PROPERTIY_SN_SIZE (ID_PRIVACY_PROPERTIES_SIZE + 1)
94 DECLARE_TAG(hksSn, ID_PRIVACY_PROPERTIY_SN);
95 DECLARE_OID(hksSn);
96
97 #define ID_PRIVACY_PROPERTIY_BRAND ID_PRIVACY_PROPERTIES, 0x04
98 #define ID_PRIVACY_PROPERTIY_BRAND_SIZE (ID_PRIVACY_PROPERTIES_SIZE + 1)
99 DECLARE_TAG(hksBrand, ID_PRIVACY_PROPERTIY_BRAND);
100 DECLARE_OID(hksBrand);
101
102 #define ID_PRIVACY_PROPERTIY_DEVICE ID_PRIVACY_PROPERTIES, 0x05
103 #define ID_PRIVACY_PROPERTIY_DEVICE_SIZE (ID_PRIVACY_PROPERTIES_SIZE + 1)
104 DECLARE_TAG(hksDevice, ID_PRIVACY_PROPERTIY_DEVICE);
105 DECLARE_OID(hksDevice);
106
107 #define ID_PRIVACY_PROPERTIY_PRODUCT ID_PRIVACY_PROPERTIES, 0x06
108 #define ID_PRIVACY_PROPERTIY_PRODUCT_SIZE (ID_PRIVACY_PROPERTIES_SIZE + 1)
109 DECLARE_TAG(hksProduct, ID_PRIVACY_PROPERTIY_PRODUCT);
110 DECLARE_OID(hksProduct);
111
112 #define ID_PRIVACY_PROPERTIY_MANUFACTURER ID_PRIVACY_PROPERTIES, 0x07
113 #define ID_PRIVACY_PROPERTIY_MANUFACTURER_SIZE (ID_PRIVACY_PROPERTIES_SIZE + 1)
114 DECLARE_TAG(hksManufacturer, ID_PRIVACY_PROPERTIY_MANUFACTURER);
115 DECLARE_OID(hksManufacturer);
116
117 #define ID_PRIVACY_PROPERTIY_MODEL ID_PRIVACY_PROPERTIES, 0x08
118 #define ID_PRIVACY_PROPERTIY_MODEL_SIZE (ID_PRIVACY_PROPERTIES_SIZE + 1)
119 DECLARE_TAG(hksModel, ID_PRIVACY_PROPERTIY_MODEL);
120 DECLARE_OID(hksModel);
121
122 #define ID_PRIVACY_PROPERTIY_SOCID ID_PRIVACY_PROPERTIES, 0x09
123 #define ID_PRIVACY_PROPERTIY_SOCID_SIZE (ID_PRIVACY_PROPERTIES_SIZE + 1)
124 DECLARE_TAG(hksSocId, ID_PRIVACY_PROPERTIY_SOCID);
125 DECLARE_OID(hksSocId);
126
127 #define ID_PRIVACY_PROPERTIY_UDID ID_PRIVACY_PROPERTIES, 0x0A
128 #define ID_PRIVACY_PROPERTIY_UDID_SIZE (ID_PRIVACY_PROPERTIES_SIZE + 1)
129 DECLARE_TAG(hksUdid, ID_PRIVACY_PROPERTIY_UDID);
130 DECLARE_OID(hksUdid);
131
132 #define ID_KEY_PROPERTY_USAGE ID_KEY_PROPERTIES, 0x01
133 #define ID_KEY_PROPERTY_USAGE_SIZE (ID_KEY_PROPERTIES_SIZE + 1)
134 DECLARE_TAG(hksKeyUsage, ID_KEY_PROPERTY_USAGE);
135 DECLARE_OID(hksKeyUsage);
136
137 #if !defined(WS7200_ROUTER) && !defined(ADAPT_OID_TO_PHONE)
138 #define ID_KEY_PROPERTY_KEY_ID ID_KEY_PROPERTIES, 0x02
139 #define ID_KEY_PROPERTY_KEY_ID_SIZE (ID_KEY_PROPERTIES_SIZE + 1)
140 DECLARE_TAG(hksKeyId, ID_KEY_PROPERTY_KEY_ID);
141 DECLARE_OID(hksKeyId);
142
143 #define ID_KEY_PROPERTY_APP_ID ID_KEY_PROPERTIES, 0x03
144 #define ID_KEY_PROPERTY_APP_ID_SIZE (ID_KEY_PROPERTIES_SIZE + 1)
145 DECLARE_TAG(hksApplicationId, ID_KEY_PROPERTY_APP_ID);
146 DECLARE_OID(hksApplicationId);
147
148 #define ID_KEY_PROPERTY_APP_ID_RAW ID_KEY_PROPERTY_APP_ID, 0x01
149 #define ID_KEY_PROPERTY_APP_ID_RAW_SIZE (ID_KEY_PROPERTY_APP_ID_SIZE + 1)
150 DECLARE_TAG(hksApplicationIdRaw, ID_KEY_PROPERTY_APP_ID_RAW);
151 DECLARE_OID(hksApplicationIdRaw);
152
153 #define ID_KEY_PROPERTY_CHALLENGE ID_KEY_PROPERTIES, 0x04
154 #define ID_KEY_PROPERTY_CHALLENGE_SIZE (ID_KEY_PROPERTIES_SIZE + 1)
155 DECLARE_TAG(hksAttestationChallenge, ID_KEY_PROPERTY_CHALLENGE);
156 DECLARE_OID(hksAttestationChallenge);
157 #endif
158
159 #define ID_KEY_PROPERTY_DIGEST ID_KEY_PROPERTIES, 0x08
160 #define ID_KEY_PROPERTY_DIGEST_SIZE (ID_KEY_PROPERTIES_SIZE + 1)
161 DECLARE_TAG(hksDigest, ID_KEY_PROPERTY_DIGEST);
162 DECLARE_OID(hksDigest);
163
164 #define ID_KEY_PROPERTY_PADDING ID_KEY_PROPERTIES, 0x09
165 #define ID_KEY_PROPERTY_PADDING_SIZE (ID_KEY_PROPERTIES_SIZE + 1)
166 DECLARE_TAG(hksPadding, ID_KEY_PROPERTY_PADDING);
167 DECLARE_OID(hksPadding);
168
169 #define ID_KEY_PROPERTY_SIGN_TYPE ID_KEY_PROPERTIES, 0x0b
170 #define ID_KEY_PROPERTY_SIGN_TYPE_SIZE (ID_KEY_PROPERTIES_SIZE + 1)
171 DECLARE_TAG(hksSignType, ID_KEY_PROPERTY_SIGN_TYPE);
172 DECLARE_OID(hksSignType);
173
174 #define ID_KEY_PROPERTY_KEY_FLAG ID_KEY_PROPERTIES, 0x05
175 #define ID_KEY_PROPERTY_KEY_FLAG_SIZE (ID_KEY_PROPERTIES_SIZE + 1)
176 DECLARE_TAG(hkskeyFlag, ID_KEY_PROPERTY_KEY_FLAG);
177 DECLARE_OID(hkskeyFlag);
178
179 #define ID_HUKS_PKI_OID ID_HUKS_PKI, 0x01
180 #define ID_HUKS_PKI_OID_SIZE (ID_HUKS_PKI_SIZE + 1)
181
182 #define ID_HUKS_ATTESTATION_EXTENSION ID_HUKS_PKI_OID, 0x03
183 #define ID_HUKS_ATTESTATION_EXTENSION_SIZE (ID_HUKS_PKI_OID_SIZE + 1)
184 DECLARE_TAG(hksAttestationExtension, ID_HUKS_ATTESTATION_EXTENSION);
185 DECLARE_OID(hksAttestationExtension);
186
187 #define ID_KEY_PROPERTY_GROUPS ID_HUKS_ATTESTATION_BASE, 0x04
188 #define ID_KEY_PROPERTY_GROUPS_SIZE (ID_HUKS_ATTESTATION_BASE_SIZE + 1)
189
190 #define ID_KEY_PROPERTY_GROUP_SIG ID_KEY_PROPERTY_GROUPS, 0x01
191 #define ID_KEY_PROPERTY_GROUP_SIG_SIZE (ID_KEY_PROPERTY_GROUPS_SIZE + 1)
192
193 #define ID_KEY_PROPERTY_GROUP_SIG_RSA ID_KEY_PROPERTY_GROUP_SIG, 0x01
194 #define ID_KEY_PROPERTY_GROUP_SIG_RSA_SIZE (ID_KEY_PROPERTY_GROUP_SIG_SIZE + 1)
195
196 #define ID_KEY_PROPERTY_GROUP_SIG_RSA_PKCS1_SHA256 ID_KEY_PROPERTY_GROUP_SIG, 0x02
197 #define ID_KEY_PROPERTY_GROUP_SIG_RSA_PKCS1_SHA256_SIZE (ID_KEY_PROPERTY_GROUP_SIG_SIZE + 1)
198
199 #define ID_KEY_PROPERTY_GROUP_SIG_RSA_PSS_MGF1_SHA256 ID_KEY_PROPERTY_GROUP_SIG, 0x03
200 #define ID_KEY_PROPERTY_GROUP_SIG_RSA_PSS_MGF1_SHA256_SIZE (ID_KEY_PROPERTY_GROUP_SIG_SIZE + 1)
201 DECLARE_TAG(hksGroupSigRsaPssMgf1Sha256, ID_KEY_PROPERTY_GROUP_SIG_RSA_PSS_MGF1_SHA256);
202 DECLARE_OID(hksGroupSigRsaPssMgf1Sha256);
203
204 #define ID_KEY_PROPERTY_GROUP_SIG_EDDSA ID_KEY_PROPERTY_GROUP_SIG, 0x04
205 #define ID_KEY_PROPERTY_GROUP_SIG_EDDSA_SIZE (ID_KEY_PROPERTY_GROUP_SIG_SIZE + 1)
206
207 #define ID_KEY_PROPERTY_GROUP_SIG_ECDSA_SHA256 ID_KEY_PROPERTY_GROUP_SIG, 0x05
208 #define ID_KEY_PROPERTY_GROUP_SIG_ECDSA_SHA256_SIZE (ID_KEY_PROPERTY_GROUP_SIG_SIZE + 1)
209 DECLARE_TAG(hksGroupSigEcdsaSha256, ID_KEY_PROPERTY_GROUP_SIG_ECDSA_SHA256);
210 DECLARE_OID(hksGroupSigEcdsaSha256);
211
212 #define ID_KEY_PROPERTY_GROUP_SIG_SM2 ID_KEY_PROPERTY_GROUP_SIG, 0x06
213 #define ID_KEY_PROPERTY_GROUP_SIG_SM2_SIZE (ID_KEY_PROPERTY_GROUP_SIG_SIZE + 1)
214
215 #define ID_KEY_PROPERTY_GROUP_SIG_SM2_SM3 ID_KEY_PROPERTY_GROUP_SIG, 0x05
216 #define ID_KEY_PROPERTY_GROUP_SIG_SM2_SM3_SIZE (ID_KEY_PROPERTY_GROUP_SIG_SIZE + 1)
217 DECLARE_TAG(hksGroupSigSm2Sm3, ID_KEY_PROPERTY_GROUP_SIG_SM2_SM3);
218 DECLARE_OID(hksGroupSigSm2Sm3);
219
220 #define ID_KEY_PROPERTY_GROUP_ENC ID_KEY_PROPERTY_GROUPS, 0x02
221 #define ID_KEY_PROPERTY_GROUP_ENC_SIZE (ID_KEY_PROPERTY_GROUPS_SIZE + 1)
222
223 #define ID_KEY_PROPERTY_GROUP_ENC_RSA_PKCS1 ID_KEY_PROPERTY_GROUP_ENC, 0x01
224 #define ID_KEY_PROPERTY_GROUP_ENC_RSA_PKCS1_SIZE (ID_KEY_PROPERTY_GROUP_ENC_SIZE + 1)
225
226 #define ID_KEY_PROPERTY_GROUP_ENC_RSA_OAEP ID_KEY_PROPERTY_GROUP_ENC, 0x02
227 #define ID_KEY_PROPERTY_GROUP_ENC_RSA_OAEP_SIZE (ID_KEY_PROPERTY_GROUP_ENC_SIZE + 1)
228 DECLARE_TAG(hksGroupEncRsaOaep, ID_KEY_PROPERTY_GROUP_ENC_RSA_OAEP);
229 DECLARE_OID(hksGroupEncRsaOaep);
230
231 #define ID_KEY_PROPERTY_GROUP_ENC_RSA_OAEP_MGF1_SHA256 ID_KEY_PROPERTY_GROUP_ENC, 0x03
232 #define ID_KEY_PROPERTY_GROUP_ENC_RSA_OAEP_MGF1_SHA256_SIZE (ID_KEY_PROPERTY_GROUP_ENC_SIZE + 1)
233 DECLARE_TAG(hksGroupEncRsaOaepMgf1Sha256, ID_KEY_PROPERTY_GROUP_ENC_RSA_OAEP_MGF1_SHA256);
234 DECLARE_OID(hksGroupEncRsaOaepMgf1Sha256);
235
236 #define ID_KEY_PROPERTY_GROUP_KEY_AGREEMENT ID_KEY_PROPERTY_GROUPS, 0x03
237 #define ID_KEY_PROPERTY_GROUP_KEY_AGREEMENT_SIZE (ID_KEY_PROPERTY_GROUPS_SIZE + 1)
238
239 #define ID_KEY_PROPERTY_GROUP_KEY_AGREEMENT_HKDF_SHA256 ID_KEY_PROPERTY_GROUP_KEY_AGREEMENT, 0x01
240 #define ID_KEY_PROPERTY_GROUP_KEY_AGREEMENT_HKDF_SHA256_SIZE (ID_KEY_PROPERTY_GROUP_KEY_AGREEMENT_SIZE + 1)
241
242 static uint8_t g_rsaSha256Tag[] = { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B };
243 DECLARE_OID(g_rsaSha256);
244
245 static uint8_t g_ecdsaSha256Tag[] = { 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02 };
246 DECLARE_OID(g_ecdsaSha256);
247
248 static uint8_t g_sm2Tag[] = {0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x82, 0x2D};
249 DECLARE_OID(g_sm2);
250
251 static const uint8_t g_attestTbsRsa[] = {
252 0x30, 0x82, 0x01, 0xc7, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01, 0x30, 0x0b, 0x06, 0x09,
253 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x30, 0x1d, 0x31, 0x1b, 0x30, 0x19, 0x06,
254 0x03, 0x55, 0x04, 0x03, 0x13, 0x12, 0x48, 0x75, 0x61, 0x77, 0x65, 0x69, 0x20, 0x4b, 0x65, 0x79,
255 0x53, 0x74, 0x6f, 0x72, 0x65, 0x20, 0x20, 0x20, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x36,
256 0x30, 0x34, 0x31, 0x38, 0x32, 0x38, 0x34, 0x34, 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x36, 0x30,
257 0x34, 0x31, 0x38, 0x32, 0x38, 0x34, 0x34, 0x5a, 0x30, 0x1a, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03,
258 0x55, 0x04, 0x03, 0x13, 0x0f, 0x41, 0x20, 0x4b, 0x65, 0x79, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72,
259 0x20, 0x4b, 0x65, 0x79, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
260 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a,
261 0x02, 0x82, 0x01, 0x01, 0x00, 0xe8, 0xd8, 0xf9, 0x14, 0x5f, 0x88, 0xf7, 0x36, 0x63, 0xcb, 0x28,
262 0x0c, 0x18, 0xf7, 0xc7, 0x3f, 0x0d, 0xa0, 0x73, 0x9a, 0x9c, 0xe0, 0x3c, 0xc6, 0x79, 0x5a, 0xd4,
263 0xa3, 0xd7, 0x72, 0x2f, 0x46, 0x42, 0xe1, 0x3b, 0xc1, 0xc8, 0xf3, 0xbc, 0x51, 0xd3, 0x5d, 0x8d,
264 0xc4, 0x18, 0x03, 0x92, 0x26, 0x5a, 0xd7, 0x92, 0xbb, 0x1e, 0x4f, 0xc0, 0x71, 0x51, 0x75, 0xc2,
265 0x41, 0x31, 0xb9, 0xd2, 0xc7, 0xf2, 0x9c, 0x03, 0x6c, 0xff, 0x77, 0x75, 0x17, 0x82, 0x5b, 0x3c,
266 0x05, 0x0d, 0x1c, 0x82, 0x1c, 0xa3, 0xd5, 0x25, 0xd9, 0x31, 0x0f, 0x2d, 0x2b, 0xf1, 0x82, 0xd2,
267 0x2a, 0x0a, 0xdc, 0xe1, 0x0c, 0xcc, 0x8b, 0xc1, 0xd1, 0x9e, 0x20, 0xaf, 0x00, 0x2a, 0xcb, 0x7a,
268 0x3c, 0xcb, 0x8f, 0x6d, 0xb0, 0x52, 0xc3, 0x3b, 0x17, 0x85, 0x56, 0xe7, 0x45, 0xb6, 0x1e, 0x3a,
269 0x42, 0xb9, 0x38, 0xdb, 0xf7, 0x7b, 0x0f, 0x73, 0x37, 0x1b, 0xf4, 0x20, 0xcb, 0x85, 0xbf, 0xdc,
270 0xb4, 0x2f, 0x3d, 0x77, 0x27, 0x31, 0x53, 0x31, 0xb4, 0x71, 0x72, 0x3a, 0x47, 0xcd, 0x98, 0xcf,
271 0xf0, 0x34, 0x5d, 0x90, 0x1d, 0x71, 0xba, 0x19, 0x7d, 0xf6, 0xe9, 0xdc, 0xe6, 0xf9, 0x67, 0xf4,
272 0x1c, 0x93, 0x7d, 0x10, 0xfd, 0x3a, 0x58, 0x71, 0xc2, 0xf5, 0x3d, 0x45, 0xca, 0xcf, 0xf9, 0x1b,
273 0x6c, 0x27, 0x79, 0x5f, 0xcd, 0xf2, 0x4f, 0xa7, 0xa2, 0x91, 0x9f, 0xd1, 0x8b, 0xbb, 0x3b, 0x4c,
274 0x36, 0x40, 0x2e, 0x73, 0xf6, 0xd9, 0xb8, 0xdf, 0x21, 0x6e, 0xcd, 0xae, 0x6b, 0x43, 0xb2, 0x99,
275 0xea, 0x9e, 0xdd, 0x3d, 0x4c, 0xc8, 0x0a, 0xf4, 0x5a, 0xaa, 0x66, 0x24, 0x98, 0xce, 0xfd, 0xb1,
276 0xfb, 0x16, 0x94, 0xd8, 0x87, 0xa2, 0x08, 0xc4, 0x55, 0x95, 0xf5, 0x95, 0xcd, 0x75, 0x03, 0xc9,
277 0x99, 0x8a, 0x84, 0xe4, 0x57, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x2f, 0x30, 0x2d, 0x30, 0x0b,
278 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x08, 0x06, 0x03, 0x55,
279 0x1d, 0x1f, 0x04, 0x01, 0x00, 0x30, 0x14, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79,
280 0x02, 0x01, 0x11, 0x04, 0x06, 0x30, 0x04, 0x04, 0x02, 0x0b, 0x0c
281 };
282
283 static const uint8_t g_attestTbs[] = {
284 0x30, 0x81, 0xf6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01, 0x30, 0x0a, 0x06, 0x08, 0x2a,
285 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x1d, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55,
286 0x04, 0x03, 0x13, 0x12, 0x41, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x20, 0x4b, 0x65, 0x79, 0x6d,
287 0x61, 0x73, 0x74, 0x65, 0x72, 0x32, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x36, 0x30, 0x31,
288 0x31, 0x32, 0x31, 0x37, 0x32, 0x31, 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x36, 0x30, 0x31, 0x31,
289 0x32, 0x31, 0x37, 0x32, 0x31, 0x5a, 0x30, 0x1a, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
290 0x03, 0x13, 0x0f, 0x41, 0x20, 0x4b, 0x65, 0x79, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b,
291 0x65, 0x79, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06,
292 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xb0, 0x51, 0x4c,
293 0x4c, 0x13, 0x54, 0x0f, 0x23, 0x97, 0xf5, 0x47, 0x19, 0xf3, 0x33, 0x2e, 0x7e, 0xf3, 0x8e, 0x42,
294 0xad, 0x9d, 0xc0, 0x8b, 0x71, 0xe6, 0x60, 0xce, 0x16, 0xb9, 0xe8, 0x8d, 0x09, 0x4e, 0x7f, 0x3a,
295 0xdc, 0x88, 0x8e, 0x94, 0x4d, 0x45, 0xd5, 0xe4, 0x59, 0x4e, 0x3f, 0xbe, 0x28, 0x91, 0x80, 0xbb,
296 0x1c, 0xd7, 0xfc, 0x55, 0xd1, 0xb5, 0xc7, 0xcb, 0x50, 0x1c, 0x09, 0xca, 0x50, 0xa3, 0x2a, 0x30,
297 0x28, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x07,
298 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x00, 0x30, 0x10, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01,
299 0xd6, 0x79, 0x02, 0x01, 0x11, 0x04, 0x02, 0x30, 0x00
300 };
301
302 static const uint8_t g_attestExtTmpl[] = {
303 0x30, 0x2c, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x07,
304 0x80, 0x30, 0x08, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x01, 0x00, 0x30, 0x13, 0x06, 0x0a, 0x2b,
305 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x11, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff
306 };
307
308 static const uint32_t g_monthLengths[2][MONS_PER_YEAR] = {
309 { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 },
310 { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 }
311 };
312
313 static const uint32_t g_yearLengths[2] = {
314 HKS_YEAR_DAYS, HKS_LEAP_YEAR_DAYS
315 };
316
317 static enum HksTag g_idAttestList[] = {
318 HKS_TAG_ATTESTATION_ID_BRAND,
319 HKS_TAG_ATTESTATION_ID_DEVICE,
320 HKS_TAG_ATTESTATION_ID_PRODUCT,
321 HKS_TAG_ATTESTATION_ID_SERIAL,
322 HKS_TAG_ATTESTATION_ID_IMEI,
323 HKS_TAG_ATTESTATION_ID_MEID,
324 HKS_TAG_ATTESTATION_ID_MANUFACTURER,
325 HKS_TAG_ATTESTATION_ID_MODEL,
326 HKS_TAG_ATTESTATION_ID_SOCID,
327 HKS_TAG_ATTESTATION_ID_UDID,
328 HKS_TAG_ATTESTATION_ID_SEC_LEVEL_INFO,
329 HKS_TAG_ATTESTATION_ID_VERSION_INFO,
330 };
331
GetYearIndex(uint32_t year)332 static inline uint32_t GetYearIndex(uint32_t year)
333 {
334 if ((year % 4 == 0) && ((year % 100 != 0) || (year % 400 == 0))) { /* 4/100/400 check whether it is a leap year */
335 return 1;
336 } else {
337 return 0;
338 }
339 }
340
GetLeapDays(uint32_t year)341 static inline uint32_t GetLeapDays(uint32_t year)
342 {
343 return ((year / 4) - (year / 100) + (year / 400)); /* 4/100/400 check whether it is a leap year */
344 }
345
IsSignPurpose(enum HksKeyPurpose purpose)346 static inline bool IsSignPurpose(enum HksKeyPurpose purpose)
347 {
348 return ((((uint32_t)purpose & HKS_KEY_PURPOSE_SIGN) == HKS_KEY_PURPOSE_SIGN) ||
349 (((uint32_t)purpose & HKS_KEY_PURPOSE_VERIFY) == HKS_KEY_PURPOSE_VERIFY));
350 }
351
IsCipherPurpose(enum HksKeyPurpose purpose)352 static inline bool IsCipherPurpose(enum HksKeyPurpose purpose)
353 {
354 return ((((uint32_t)purpose & HKS_KEY_PURPOSE_ENCRYPT) == HKS_KEY_PURPOSE_ENCRYPT) ||
355 (((uint32_t)purpose & HKS_KEY_PURPOSE_DECRYPT) == HKS_KEY_PURPOSE_DECRYPT) ||
356 (((uint32_t)purpose & HKS_KEY_PURPOSE_WRAP) == HKS_KEY_PURPOSE_WRAP) ||
357 (((uint32_t)purpose & HKS_KEY_PURPOSE_UNWRAP) == HKS_KEY_PURPOSE_UNWRAP));
358 }
359
IsAgreementPurpose(enum HksKeyPurpose purpose)360 static inline bool IsAgreementPurpose(enum HksKeyPurpose purpose)
361 {
362 return ((((uint32_t)purpose & HKS_KEY_PURPOSE_DERIVE) == HKS_KEY_PURPOSE_DERIVE) ||
363 (((uint32_t)purpose & HKS_KEY_PURPOSE_AGREE) == HKS_KEY_PURPOSE_AGREE));
364 }
365
GetTimeStampTee(uint8_t * timeStamp,const struct DataTime * time)366 static void GetTimeStampTee(uint8_t *timeStamp, const struct DataTime *time)
367 {
368 int i = 0;
369 uint32_t year = time->year - ((time->year / HKS_DECIMAL_HUNDRED) * HKS_DECIMAL_HUNDRED);
370 timeStamp[i++] = (year / HKS_DECIMAL_TEN) + '0';
371 timeStamp[i++] = (year % HKS_DECIMAL_TEN) + '0';
372 timeStamp[i++] = (time->month / HKS_DECIMAL_TEN) + '0';
373 timeStamp[i++] = (time->month % HKS_DECIMAL_TEN) + '0';
374 timeStamp[i++] = (time->day / HKS_DECIMAL_TEN) + '0';
375 timeStamp[i++] = (time->day % HKS_DECIMAL_TEN) + '0';
376 timeStamp[i++] = (time->hour / HKS_DECIMAL_TEN) + '0';
377 timeStamp[i++] = (time->hour % HKS_DECIMAL_TEN) + '0';
378 timeStamp[i++] = (time->min / HKS_DECIMAL_TEN) + '0';
379 timeStamp[i++] = (time->min % HKS_DECIMAL_TEN) + '0';
380 timeStamp[i++] = (time->seconds / HKS_DECIMAL_TEN) + '0';
381 timeStamp[i++] = (time->seconds % HKS_DECIMAL_TEN) + '0';
382 timeStamp[i++] = 'Z';
383 }
384
GenerateSysDateTime(const uint32_t rtcTime,struct DataTime * time)385 static void GenerateSysDateTime(const uint32_t rtcTime, struct DataTime *time)
386 {
387 uint32_t seconds = rtcTime;
388 uint32_t tDays = seconds / HKS_SECOND_TO_DAY;
389 uint32_t remainSec = seconds - tDays * HKS_SECOND_TO_DAY;
390 uint32_t year = EPOCH_YEAR;
391 const uint32_t *ip = NULL;
392
393 while (tDays >= g_yearLengths[GetYearIndex(year)]) {
394 uint32_t carryOver = tDays / HKS_LEAP_YEAR_DAYS;
395 if (carryOver == 0) {
396 carryOver = 1;
397 }
398 uint32_t newYear = year + carryOver;
399 uint32_t leapDays = GetLeapDays(newYear - 1) - GetLeapDays(year - 1);
400 tDays -= (newYear - year) * HKS_YEAR_DAYS;
401 tDays -= leapDays;
402 year = newYear;
403 }
404
405 uint32_t iDays = tDays;
406 time->year = year;
407 time->hour = remainSec / HKS_SECOND_TO_HOUR;
408 remainSec %= HKS_SECOND_TO_HOUR;
409 time->min = remainSec / HKS_SECOND_TO_MINUTE;
410 time->seconds = remainSec % HKS_SECOND_TO_MINUTE;
411 ip = g_monthLengths[GetYearIndex(year)];
412 for (time->month = 0; iDays >= ip[time->month]; ++(time->month)) {
413 iDays -= ip[time->month];
414 }
415 ++time->month;
416 time->day = iDays + 1;
417 }
418
AddYears(uint8_t * end,const uint8_t * start,uint32_t years)419 static void AddYears(uint8_t *end, const uint8_t *start, uint32_t years)
420 {
421 if (memmove_s(end, UTCTIME_LEN, start, UTCTIME_LEN) != EOK) {
422 HKS_LOG_E("memmove_s failed.");
423 return;
424 }
425 uint32_t tens = start[0] - '0';
426 uint32_t units = start[1] - '0';
427 units += years;
428 tens += units / 10; /* 10 is base */
429 units %= 10; /* 10 is base */
430 end[0] = tens + '0';
431 end[1] = units + '0';
432 }
433
SetAttestCertValid(struct ValidPeriod * valid)434 static void SetAttestCertValid(struct ValidPeriod *valid)
435 {
436 uint64_t activeDateTime;
437 struct timeval curTime = {0};
438
439 int ret = gettimeofday(&curTime, NULL);
440 if (ret < 0) {
441 HKS_LOG_E("Unable to get system UTC time stamp\n");
442 return;
443 }
444
445 uint64_t curTimeValue = (uint64_t)curTime.tv_sec;
446 curTimeValue = curTimeValue * SECOND_TO_MILLI + ((uint64_t)curTime.tv_usec) / SECOND_TO_MILLI;
447 activeDateTime = curTimeValue;
448
449 struct DataTime notBefore = {0};
450 uint64_t tmpSec = (activeDateTime >> 10); /* 10 is uesed for uint64 dividing 1000 in 32 bit system. */
451 tmpSec = tmpSec + ((3 * tmpSec) >> 7) + ((9 * tmpSec) >> 14); /* 3/7/9/14 are same with 10 */
452 tmpSec = tmpSec + (uint32_t)(activeDateTime - tmpSec * SECOND_TO_MILLI) / SECOND_TO_MILLI;
453 GenerateSysDateTime((uint32_t)tmpSec, ¬Before);
454 HKS_LOG_I("notBefore:"
455 "%" LOG_PUBLIC "u%" LOG_PUBLIC "u%" LOG_PUBLIC "u %" LOG_PUBLIC "u:%" LOG_PUBLIC "u:%" LOG_PUBLIC "uZ\n",
456 notBefore.year, notBefore.month, notBefore.day, notBefore.hour, notBefore.min, notBefore.seconds);
457 GetTimeStampTee(valid->start, ¬Before);
458
459 HKS_LOG_I("set expired date to default.\n");
460 AddYears(valid->end, valid->start, 10); /* default set to 10 years after current time */
461 }
462
IsValidTlv(const struct HksAsn1Obj obj)463 static int32_t IsValidTlv(const struct HksAsn1Obj obj)
464 {
465 uint32_t length = 0;
466 if ((obj.value.data != NULL) && (obj.header.data != NULL)) {
467 length = obj.value.size + obj.header.size;
468 } else {
469 HKS_LOG_E("value or header is NULL");
470 return HKS_ERROR_INVALID_ARGUMENT;
471 }
472 if (length < ASN_1_MIN_HEADER_LEN) {
473 HKS_LOG_E("len %" LOG_PUBLIC "u < %" LOG_PUBLIC "u.", length, ASN_1_MIN_HEADER_LEN);
474 return HKS_ERROR_INVALID_ARGUMENT;
475 }
476 return HKS_SUCCESS;
477 }
478
IsValidAttestTbs(struct HksAttestTbsSpec * tbsSpec)479 static int32_t IsValidAttestTbs(struct HksAttestTbsSpec *tbsSpec)
480 {
481 if (IsValidTlv(tbsSpec->version)) {
482 HKS_LOG_E("invalid version.\n");
483 return HKS_ERROR_INVALID_ARGUMENT;
484 }
485 if (IsValidTlv(tbsSpec->serial)) {
486 HKS_LOG_E("invalid serial.\n");
487 return HKS_ERROR_INVALID_ARGUMENT;
488 }
489 if (IsValidTlv(tbsSpec->signature)) {
490 HKS_LOG_E("invalid signature.\n");
491 return HKS_ERROR_INVALID_ARGUMENT;
492 }
493 if (IsValidTlv(tbsSpec->issuer)) {
494 HKS_LOG_E("invalid issuer.\n");
495 return HKS_ERROR_INVALID_ARGUMENT;
496 }
497 if (IsValidTlv(tbsSpec->validity)) {
498 HKS_LOG_E("invalid validity.\n");
499 return HKS_ERROR_INVALID_ARGUMENT;
500 }
501 if (IsValidTlv(tbsSpec->subject)) {
502 HKS_LOG_E("invalid subject.\n");
503 return HKS_ERROR_INVALID_ARGUMENT;
504 }
505 if (IsValidTlv(tbsSpec->spki)) {
506 HKS_LOG_E("invalid spki.\n");
507 return HKS_ERROR_INVALID_ARGUMENT;
508 }
509 if (IsValidTlv(tbsSpec->extensions)) {
510 HKS_LOG_E("invalid extensions.\n");
511 return HKS_ERROR_INVALID_ARGUMENT;
512 }
513 return HKS_SUCCESS;
514 }
515
IsValidAttestCert(struct HksAttestCert * cert)516 static int32_t IsValidAttestCert(struct HksAttestCert *cert)
517 {
518 if (IsValidAttestTbs(&cert->tbs)) {
519 HKS_LOG_E("invalid AttestTbs.\n");
520 return HKS_ERROR_INVALID_ARGUMENT;
521 }
522 if (IsValidTlv(cert->signAlg)) {
523 HKS_LOG_E("invalid signAlg.\n");
524 return HKS_ERROR_INVALID_ARGUMENT;
525 }
526 if (IsValidTlv(cert->signature)) {
527 HKS_LOG_E("invalid signature.\n");
528 return HKS_ERROR_INVALID_ARGUMENT;
529 }
530 if ((cert->signAlg.value.size != cert->tbs.signature.value.size) ||
531 (HksMemCmp(cert->signAlg.value.data, cert->tbs.signature.value.data, cert->signAlg.value.size) != 0)) {
532 HKS_LOG_E("algorithm identifiers not match.\n");
533 return HKS_ERROR_INVALID_ARGUMENT;
534 }
535 return HKS_SUCCESS;
536 }
537
ParseAttestTbs(const struct HksBlob * template,struct HksAttestTbsSpec * tbsSpec)538 static void ParseAttestTbs(const struct HksBlob *template, struct HksAttestTbsSpec *tbsSpec)
539 {
540 struct HksAsn1Obj obj = {{0}};
541 struct HksBlob skip = { 0, NULL };
542 int32_t ret = DcmAsn1ExtractTag(&skip, &obj, template, ASN_1_TAG_TYPE_SEQ);
543 struct HksBlob val = { obj.value.size, obj.value.data };
544
545 ret += DcmAsn1ExtractTag(&val, &tbsSpec->version, &val, ASN_1_TAG_TYPE_CTX_SPEC0);
546 ret += DcmAsn1ExtractTag(&val, &tbsSpec->serial, &val, ASN_1_TAG_TYPE_INT);
547 ret += DcmAsn1ExtractTag(&val, &tbsSpec->signature, &val, ASN_1_TAG_TYPE_SEQ);
548 ret += DcmAsn1ExtractTag(&val, &tbsSpec->issuer, &val, ASN_1_TAG_TYPE_SEQ);
549 ret += DcmAsn1ExtractTag(&val, &tbsSpec->validity, &val, ASN_1_TAG_TYPE_SEQ);
550 ret += DcmAsn1ExtractTag(&val, &tbsSpec->subject, &val, ASN_1_TAG_TYPE_SEQ);
551 ret += DcmAsn1ExtractTag(&val, &tbsSpec->spki, &val, ASN_1_TAG_TYPE_SEQ);
552 ret += DcmAsn1ExtractTag(&val, &tbsSpec->extensions, &val, ASN_1_TAG_TYPE_CTX_SPEC3);
553 ret += IsValidAttestTbs(tbsSpec);
554 HKS_IF_NOT_SUCC_LOGE(ret, "invalid tbs.\n")
555 }
556
ParseAttestCert(const struct HksBlob * devCert,struct HksAttestCert * cert)557 static void ParseAttestCert(const struct HksBlob *devCert, struct HksAttestCert *cert)
558 {
559 struct HksAsn1Obj obj = {{0}};
560 struct HksBlob next = { 0, NULL };
561
562 int32_t ret = DcmAsn1ExtractTag(&next, &obj, devCert, ASN_1_TAG_TYPE_SEQ);
563 struct HksBlob val = { obj.value.size, obj.value.data };
564 ParseAttestTbs(&val, &cert->tbs);
565 struct HksAsn1Obj skip = {{0}};
566 ret += DcmAsn1ExtractTag(&val, &skip, &val, ASN_1_TAG_TYPE_SEQ);
567 ret += DcmAsn1ExtractTag(&val, &cert->signAlg, &val, ASN_1_TAG_TYPE_SEQ);
568 ret += DcmAsn1ExtractTag(&val, &cert->signature, &val, ASN_1_TAG_TYPE_BIT_STR);
569
570 ret += IsValidAttestCert(cert);
571 HKS_IF_NOT_SUCC_LOGE(ret, "invalid dev cert.\n")
572 }
573
ParseAttestExtension(const struct HksBlob * data,struct HksAttestExt * ext)574 static void ParseAttestExtension(const struct HksBlob *data, struct HksAttestExt *ext)
575 {
576 struct HksBlob val = *data;
577 int32_t ret = DcmAsn1ExtractTag(&val, &ext->seq, &val, ASN_1_TAG_TYPE_SEQ);
578 val.data = ext->seq.value.data;
579 val.size = ext->seq.value.size;
580
581 ret += DcmAsn1ExtractTag(&val, &ext->keyUsage, &val, ASN_1_TAG_TYPE_SEQ);
582 ret += DcmAsn1ExtractTag(&val, &ext->crl, &val, ASN_1_TAG_TYPE_SEQ);
583 ret += DcmAsn1ExtractTag(&val, &ext->claims, &val, ASN_1_TAG_TYPE_SEQ);
584 HKS_IF_NOT_SUCC_LOGE(ret, "invalid extension.\n")
585 }
586
EncodeUtcTime(const uint8_t * time,uint8_t * buf)587 static uint32_t EncodeUtcTime(const uint8_t *time, uint8_t *buf)
588 {
589 uint8_t *tmp = buf;
590 tmp[0] = (uint8_t)ASN_1_TAG_TYPE_UTC_TIME;
591 tmp++;
592 tmp[0] = (uint8_t)UTCTIME_LEN;
593 tmp++;
594 (void)memcpy_s(tmp, UTCTIME_LEN, time, UTCTIME_LEN);
595 tmp += UTCTIME_LEN;
596 return tmp - buf;
597 }
598
EncodeValidity(const struct ValidPeriod * validity,struct HksBlob * out)599 static void EncodeValidity(const struct ValidPeriod *validity, struct HksBlob *out)
600 {
601 uint8_t *start = out->data + ASN_1_MAX_HEADER_LEN;
602 uint8_t *p = start;
603 p += EncodeUtcTime(validity->start, p);
604 p += EncodeUtcTime(validity->end, p);
605
606 struct HksAsn1Blob insertValid = { ASN_1_TAG_TYPE_SEQ, (p - start), start };
607 int32_t ret = DcmAsn1WriteFinal(out, &insertValid);
608 HKS_IF_NOT_SUCC_LOGE(ret, "encode validity fail.\n")
609 }
610
EncodeKeyUsageBits(const uint32_t usage,uint8_t * bits)611 static uint8_t EncodeKeyUsageBits(const uint32_t usage, uint8_t *bits)
612 {
613 uint8_t v = 0;
614 uint8_t unused = 8; /* one byte haa 8 bits, so init to 8 */
615 if (IsSignPurpose((enum HksKeyPurpose)usage)) {
616 v |= 0x80;
617 unused = 7; /* 7 bits are unused */
618 }
619 if (IsCipherPurpose((enum HksKeyPurpose)usage)) {
620 v |= 0x20;
621 unused = 5; /* 5 bits are unused */
622 }
623 if (IsAgreementPurpose((enum HksKeyPurpose)usage)) {
624 v |= 0x08;
625 unused = 3; /* 3 bits are unused */
626 }
627 *bits = v;
628 return unused;
629 }
630
EncodeClaims(const struct HksBlob * oid,const struct HksBlob * claim,struct HksBlob * seq)631 static int32_t EncodeClaims(const struct HksBlob *oid, const struct HksBlob *claim, struct HksBlob *seq)
632 {
633 if (memcpy_s(seq->data, seq->size, oid->data, oid->size) != EOK) {
634 HKS_LOG_E("copy claim oid failed!");
635 return HKS_ERROR_INSUFFICIENT_MEMORY;
636 }
637 uint32_t size = oid->size;
638 struct HksBlob tmp = *seq;
639 tmp.data += size;
640 tmp.size -= size;
641
642 struct HksAsn1Blob value = { ASN_1_TAG_TYPE_OCT_STR, claim->size, claim->data };
643 int32_t ret = DcmAsn1WriteFinal(&tmp, &value);
644 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "write claim oct str failed!")
645
646 size += tmp.size;
647
648 value.type = ASN_1_TAG_TYPE_SEQ;
649 value.data = seq->data;
650 value.size = size;
651 return DcmAsn1WriteFinal(seq, &value);
652 }
653
CreateAttestExtension(const struct HksAttestSpec * attestSpec,struct HksBlob * extension)654 static int32_t CreateAttestExtension(const struct HksAttestSpec *attestSpec, struct HksBlob *extension)
655 {
656 struct HksAttestExt tmplExt;
657 (void)memset_s(&tmplExt, sizeof(struct HksAttestExt), 0, sizeof(struct HksAttestExt));
658 struct HksBlob extensionTmpl = { sizeof(g_attestExtTmpl), (uint8_t *)g_attestExtTmpl };
659 ParseAttestExtension(&extensionTmpl, &tmplExt);
660 if (memcpy_s(extension->data, extension->size, extensionTmpl.data, extensionTmpl.size) != EOK) {
661 HKS_LOG_E("copy extension failed!");
662 return HKS_ERROR_INSUFFICIENT_MEMORY;
663 }
664
665 uint8_t usage = 0;
666 uint8_t unusedBits = EncodeKeyUsageBits(attestSpec->usageSpec.purpose, &usage);
667 extension->data[ATTESTATION_KEY_USAGE_OFFSET] = usage;
668 extension->data[ATTESTATION_KEY_USAGE_OFFSET - 1] = unusedBits;
669
670 uint32_t claimsOffset = tmplExt.claims.header.data - extensionTmpl.data;
671 struct HksBlob tmp = *extension;
672 tmp.data += claimsOffset;
673 tmp.size -= claimsOffset;
674
675 int32_t ret = EncodeClaims(&attestSpec->claimsOid, &attestSpec->claims, &tmp);
676 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "EncodeClaims failed!")
677
678 uint32_t usageOffset = tmplExt.keyUsage.header.data - extensionTmpl.data;
679 struct HksAsn1Blob seqValue = {
680 .type = ASN_1_TAG_TYPE_SEQ,
681 .size = claimsOffset + tmp.size - usageOffset,
682 .data = extension->data + usageOffset
683 };
684 return DcmAsn1WriteFinal(extension, &seqValue);
685 }
686
EncodeTbs(const struct HksAttestTbsSpec * tbs,struct HksBlob * out)687 static int32_t EncodeTbs(const struct HksAttestTbsSpec *tbs, struct HksBlob *out)
688 {
689 struct HksBlob tmp = *out;
690 tmp.data += ATT_CERT_HEADER_SIZE;
691 tmp.size -= ATT_CERT_HEADER_SIZE;
692
693 int32_t ret = DcmAsn1InsertValue(&tmp, NULL, &tbs->version.value);
694 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "insert version failed!")
695
696 ret = DcmAsn1InsertValue(&tmp, NULL, &tbs->serial.value);
697 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "insert serial failed!")
698
699 ret = DcmAsn1InsertValue(&tmp, NULL, &tbs->signature.value);
700 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "insert signature failed!")
701
702 ret = DcmAsn1InsertValue(&tmp, NULL, &tbs->issuer.value);
703 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "insert issuer failed!")
704
705 ret = DcmAsn1InsertValue(&tmp, NULL, &tbs->validity.value);
706 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "insert validity failed!")
707
708 ret = DcmAsn1InsertValue(&tmp, NULL, &tbs->subject.value);
709 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "insert subject failed!")
710
711 ret = DcmAsn1InsertValue(&tmp, NULL, &tbs->spki.value);
712 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "insert spki failed!")
713
714 ret = DcmAsn1InsertValue(&tmp, NULL, &tbs->extensions.value);
715 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "insert extensions failed!")
716
717 uint8_t *data = out->data + ATT_CERT_HEADER_SIZE;
718 uint32_t size = tmp.data - data;
719 struct HksAsn1Blob seq = { ASN_1_TAG_TYPE_SEQ, size, data };
720 return DcmAsn1WriteFinal(out, &seq);
721 }
722
GetSignatureByAlg(uint32_t signAlg,struct HksAsn1Blob * sigature)723 static void GetSignatureByAlg(uint32_t signAlg, struct HksAsn1Blob *sigature)
724 {
725 if (signAlg == HKS_ALG_RSA) {
726 sigature->size = g_rsaSha256Oid.size;
727 sigature->data = g_rsaSha256Oid.data;
728 } else if (signAlg == HKS_ALG_SM2) {
729 sigature->size = g_sm2Oid.size;
730 sigature->data = g_sm2Oid.data;
731 } else {
732 sigature->size = g_ecdsaSha256Oid.size;
733 sigature->data = g_ecdsaSha256Oid.data;
734 }
735 }
CreateTbs(const struct HksBlob * template,const struct HksAttestSpec * attestSpec,struct HksBlob * tbs,uint32_t signAlg)736 static int32_t CreateTbs(const struct HksBlob *template, const struct HksAttestSpec *attestSpec,
737 struct HksBlob *tbs, uint32_t signAlg)
738 {
739 struct HksAttestTbsSpec draftTbs;
740 (void)memset_s(&draftTbs, sizeof(struct HksAttestTbsSpec), 0, sizeof(struct HksAttestTbsSpec));
741 ParseAttestTbs(template, &draftTbs);
742 struct HksAsn1Blob sigature = { ASN_1_TAG_TYPE_SEQ, 0, NULL };
743 GetSignatureByAlg(signAlg, &sigature);
744 draftTbs.signature.value = sigature;
745
746 uint8_t validityBuf[VALIDITY_BUF_SIZE] = {0};
747 struct HksBlob validity = { sizeof(validityBuf), validityBuf };
748 EncodeValidity(&attestSpec->validity, &validity);
749 struct HksAsn1Blob validBlob = { ASN_1_TAG_TYPE_RAW, validity.size, validity.data };
750 draftTbs.validity.value = validBlob;
751
752 struct HksAttestCert devCert;
753 (void)memset_s(&devCert, sizeof(struct HksAttestCert), 0, sizeof(struct HksAttestCert));
754 ParseAttestCert(&attestSpec->devCert, &devCert);
755 draftTbs.issuer = devCert.tbs.subject;
756
757 uint8_t pubKey[PUBKEY_DER_LEN] = {0};
758 struct HksBlob pubKeyBlob = { PUBKEY_DER_LEN, pubKey };
759 int32_t ret = HksCryptoHalGetPubKey(&attestSpec->attestKey, &pubKeyBlob);
760 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get attest public key failed!")
761
762 uint8_t pubKeyDer[PUBKEY_DER_LEN] = {0};
763 struct HksBlob spkiBlob = { PUBKEY_DER_LEN, pubKeyDer };
764 ret = DcmGetPublicKey(&spkiBlob, (struct HksPubKeyInfo *)pubKeyBlob.data, &attestSpec->usageSpec);
765 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "der public key failed!")
766
767 struct HksAsn1Blob insertSpki = { ASN_1_TAG_TYPE_RAW, spkiBlob.size, spkiBlob.data };
768 draftTbs.spki.value = insertSpki;
769
770 uint8_t *extBuf = HksMalloc(EXT_MAX_SIZE + attestSpec->claims.size);
771 HKS_IF_NULL_RETURN(extBuf, HKS_ERROR_MALLOC_FAIL)
772
773 struct HksBlob extension = { EXT_MAX_SIZE + attestSpec->claims.size, extBuf };
774 ret = CreateAttestExtension(attestSpec, &extension);
775 if (ret != HKS_SUCCESS) {
776 HKS_LOG_E("create extensions failed!");
777 HKS_FREE(extBuf);
778 return ret;
779 }
780
781 struct HksAsn1Blob extBlob = { ASN_1_TAG_TYPE_CTX_SPEC3, extension.size, extension.data };
782 draftTbs.extensions.value = extBlob;
783 ret = EncodeTbs(&draftTbs, tbs);
784 HKS_FREE(extBuf);
785 return ret;
786 }
787
GetPrivateKeyMaterial(struct HksBlob * val,struct HksBlob * material)788 static int32_t GetPrivateKeyMaterial(struct HksBlob *val, struct HksBlob *material)
789 {
790 struct HksAsn1Obj obj = {{0}};
791 struct KeyMaterialRsa *keyMaterial = (struct KeyMaterialRsa *)material->data;
792
793 keyMaterial->keyAlg = HKS_ALG_RSA;
794 keyMaterial->keySize = HKS_RSA_KEY_SIZE_2048;
795
796 uint32_t offset = sizeof(struct KeyMaterialRsa);
797 int32_t ret = DcmAsn1ExtractTag(val, &obj, val, ASN_1_TAG_TYPE_INT);
798 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "extract n fail!")
799
800 if (memcpy_s(material->data + offset, material->size - offset, obj.value.data, obj.value.size) != EOK) {
801 HKS_LOG_E("copy n fail!");
802 return HKS_ERROR_INSUFFICIENT_MEMORY;
803 }
804 keyMaterial->nSize = obj.value.size;
805
806 offset += keyMaterial->nSize;
807 ret = DcmAsn1ExtractTag(val, &obj, val, ASN_1_TAG_TYPE_INT);
808 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "extract e fail!")
809
810 if (memcpy_s(material->data + offset, material->size - offset, obj.value.data, obj.value.size) != EOK) {
811 HKS_LOG_E("copy e fail!");
812 return HKS_ERROR_INSUFFICIENT_MEMORY;
813 }
814 keyMaterial->eSize = obj.value.size;
815
816 offset += keyMaterial->eSize;
817 ret = DcmAsn1ExtractTag(val, &obj, val, ASN_1_TAG_TYPE_INT);
818 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "extract d fail!")
819
820 if (memcpy_s(material->data + offset, material->size - offset, obj.value.data, obj.value.size) != EOK) {
821 HKS_LOG_E("copy d fail!");
822 return HKS_ERROR_INSUFFICIENT_MEMORY;
823 }
824 keyMaterial->dSize = obj.value.size;
825 material->size = offset + keyMaterial->dSize;
826 return HKS_SUCCESS;
827 }
828
StepIntoPrivateKey(const struct HksBlob * key,struct HksBlob * val)829 static int32_t StepIntoPrivateKey(const struct HksBlob *key, struct HksBlob *val)
830 {
831 struct HksAsn1Obj obj = {{0}};
832 struct HksBlob skip = { 0, NULL };
833 int32_t ret;
834
835 ret = DcmAsn1ExtractTag(&skip, &obj, key, ASN_1_TAG_TYPE_SEQ);
836 HKS_IF_NOT_SUCC_RETURN(ret, ret)
837
838 val->data = obj.value.data;
839 val->size = obj.value.size;
840
841 ret = DcmAsn1ExtractTag(val, &obj, val, ASN_1_TAG_TYPE_INT);
842 HKS_IF_NOT_SUCC_RETURN(ret, ret)
843
844 return HKS_SUCCESS;
845 }
846
HksGetDevicePrivateKey(const struct HksBlob * key,struct HksBlob * out)847 int32_t HksGetDevicePrivateKey(const struct HksBlob *key, struct HksBlob *out)
848 {
849 struct HksBlob val = { 0, NULL };
850 int32_t ret = StepIntoPrivateKey(key, &val);
851 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "step into private key fail!")
852
853 uint32_t keySize = HKS_RSA_KEY_SIZE_2048;
854 uint32_t materialLen = sizeof(struct KeyMaterialRsa) + keySize / HKS_BITS_PER_BYTE * 3; /* 3 bits are unused */
855 uint8_t *material = (uint8_t *)HksMalloc(materialLen);
856 HKS_IF_NULL_LOGE_RETURN(material, HKS_ERROR_MALLOC_FAIL, "malloc key materail fail!")
857
858 struct HksBlob materialBlob = { materialLen, material };
859 ret = GetPrivateKeyMaterial(&val, &materialBlob);
860 if (ret != HKS_SUCCESS) {
861 (void)memset_s(material, materialLen, 0, materialLen);
862 HKS_FREE(material);
863 HKS_LOG_E("get key materail fail!");
864 return ret;
865 }
866
867 out->data = materialBlob.data;
868 out->size = materialBlob.size;
869 HKS_LOG_I("prikey size %" LOG_PUBLIC "x", out->size);
870
871 return HKS_SUCCESS;
872 }
873
SignTbs(struct HksBlob * sig,const struct HksBlob * tbs,const struct HksBlob * key,uint32_t signAlg)874 static int32_t SignTbs(struct HksBlob *sig, const struct HksBlob *tbs, const struct HksBlob *key, uint32_t signAlg)
875 {
876 (void)key;
877 uint8_t buffer[HKS_DIGEST_SHA256_LEN] = {0};
878 struct HksBlob message = { HKS_DIGEST_SHA256_LEN, buffer };
879 int32_t ret = HksCryptoHalHash(HKS_DIGEST_SHA256, tbs, &message);
880 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "calc hash of tbs failed!")
881
882 struct HksUsageSpec usageSpec = {0};
883 usageSpec.digest = HKS_DIGEST_SHA256;
884 if (signAlg == HKS_ALG_RSA) {
885 usageSpec.padding = HKS_PADDING_PKCS1_V1_5;
886 usageSpec.algType = HKS_ALG_RSA;
887 } else if (signAlg == HKS_ALG_SM2) {
888 usageSpec.algType = HKS_ALG_SM2;
889 usageSpec.digest = HKS_DIGEST_SM3;
890 } else {
891 usageSpec.padding = HKS_PADDING_NONE;
892 usageSpec.algType = HKS_ALG_ECC;
893 }
894
895 struct HksBlob priKey = { 0, NULL };
896 ret = HksGetDevicePrivateKey(key, &priKey);
897 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get private key failed!")
898
899 ret = HksCryptoHalSign(&priKey, &usageSpec, &message, sig);
900 (void)memset_s(priKey.data, priKey.size, 0, priKey.size);
901 HKS_FREE(priKey.data);
902 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "sign tbs failed!")
903
904 return HKS_SUCCESS;
905 }
906
CreateAttestCert(struct HksBlob * attestCert,struct HksBlob * template,const struct HksAttestSpec * attestSpec,uint32_t signAlg)907 static int32_t CreateAttestCert(struct HksBlob *attestCert, struct HksBlob *template,
908 const struct HksAttestSpec *attestSpec, uint32_t signAlg)
909 {
910 struct HksBlob tbs = *attestCert;
911 tbs.data += ATT_CERT_HEADER_SIZE;
912 tbs.size -= ATT_CERT_HEADER_SIZE;
913 int32_t ret = CreateTbs(template, attestSpec, &tbs, signAlg);
914 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "CreateTbs failed!")
915
916 uint8_t sigBuf[SIG_MAX_SIZE] = {0};
917 struct HksBlob signature = { sizeof(sigBuf), sigBuf };
918 ret = SignTbs(&signature, &tbs, &attestSpec->devKey, signAlg);
919 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "SignTbs failed!")
920
921 uint32_t certSize = tbs.size;
922 struct HksAsn1Obj obj = {{0}};
923 struct HksBlob tmp = *attestCert;
924 tmp.data += ATT_CERT_HEADER_SIZE + tbs.size;
925 tmp.size -= ATT_CERT_HEADER_SIZE + tbs.size;
926 struct HksAsn1Blob signOidBlob = { ASN_1_TAG_TYPE_SEQ, g_rsaSha256Oid.size, g_rsaSha256Oid.data };
927 if (signAlg == HKS_ALG_ECC) {
928 signOidBlob.size = g_ecdsaSha256Oid.size;
929 signOidBlob.data = g_ecdsaSha256Oid.data;
930 }
931 if (signAlg == HKS_ALG_SM2) {
932 signOidBlob.size = g_sm2Oid.size;
933 signOidBlob.data = g_sm2Oid.data;
934 }
935 ret = DcmAsn1InsertValue(&tmp, &obj, &signOidBlob);
936 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "insert sign oid failed!")
937
938 certSize += obj.header.size + obj.value.size;
939
940 struct HksAsn1Blob sigBlob = { ASN_1_TAG_TYPE_BIT_STR, signature.size, signature.data };
941 ret = DcmAsn1InsertValue(&tmp, &obj, &sigBlob);
942 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "insert sign failed!")
943
944 certSize += obj.header.size + obj.value.size;
945
946 struct HksAsn1Blob certBlob = { ASN_1_TAG_TYPE_SEQ, certSize, attestCert->data + ATT_CERT_HEADER_SIZE };
947 return DcmAsn1WriteFinal(attestCert, &certBlob);
948 }
949
InsertSignatureGroupClaim(struct HksBlob * out,const struct HksUsageSpec * attetUsageSpec,uint32_t secLevel)950 static int32_t InsertSignatureGroupClaim(struct HksBlob *out, const struct HksUsageSpec *attetUsageSpec,
951 uint32_t secLevel)
952 {
953 if (!(attetUsageSpec->purpose & (HKS_KEY_PURPOSE_SIGN | HKS_KEY_PURPOSE_VERIFY))) {
954 return HKS_ERROR_NOT_SUPPORTED;
955 }
956 if ((attetUsageSpec->digest != HKS_DIGEST_SHA256) && (attetUsageSpec->digest != HKS_DIGEST_SM3)) {
957 return HKS_ERROR_NOT_SUPPORTED;
958 }
959
960 uint8_t asn1True = ASN_1_TRUE_VALUE;
961 struct HksAsn1Blob booleanTrue = { ASN_1_TAG_TYPE_BOOL, 1, &asn1True };
962 if (attetUsageSpec->algType == HKS_ALG_RSA) {
963 if (attetUsageSpec->padding == HKS_PADDING_PSS) {
964 HKS_LOG_I("inserting SigRsaPssMgf1Sha256 group\n");
965 return DcmInsertClaim(out, &hksGroupSigRsaPssMgf1Sha256Oid, &booleanTrue, secLevel);
966 }
967 } else if (attetUsageSpec->algType == HKS_ALG_ECC) {
968 if (attetUsageSpec->padding == HKS_PADDING_NONE) {
969 HKS_LOG_I("inserting SigEcdsaSha256 group\n");
970 return DcmInsertClaim(out, &hksGroupSigEcdsaSha256Oid, &booleanTrue, secLevel);
971 }
972 } else if (attetUsageSpec->algType == HKS_ALG_SM2) {
973 HKS_LOG_I("inserting SigSm2Sm3 group\n");
974 return DcmInsertClaim(out, &hksGroupSigSm2Sm3Oid, &booleanTrue, secLevel);
975 }
976 return HKS_ERROR_NOT_SUPPORTED;
977 }
978
InsertEncryptionGroupClaim(struct HksBlob * out,const struct HksUsageSpec * attetUsageSpec,uint32_t secLevel)979 static int32_t InsertEncryptionGroupClaim(struct HksBlob *out, const struct HksUsageSpec *attetUsageSpec,
980 uint32_t secLevel)
981 {
982 if (!(attetUsageSpec->purpose & (HKS_KEY_PURPOSE_ENCRYPT | HKS_KEY_PURPOSE_DECRYPT))) {
983 return HKS_ERROR_NOT_SUPPORTED;
984 }
985
986 uint8_t asn1True = ASN_1_TRUE_VALUE;
987 struct HksAsn1Blob booleanTrue = { ASN_1_TAG_TYPE_BOOL, 1, &asn1True };
988 if (attetUsageSpec->algType == HKS_ALG_RSA) {
989 if (attetUsageSpec->digest == HKS_DIGEST_SHA256) {
990 if (attetUsageSpec->padding == HKS_PADDING_OAEP) {
991 HKS_LOG_I("inserting EncRsaOaepMgf1Sha256 group\n");
992 return DcmInsertClaim(out, &hksGroupEncRsaOaepMgf1Sha256Oid, &booleanTrue, secLevel);
993 }
994 } else {
995 if (attetUsageSpec->padding == HKS_PADDING_OAEP) {
996 HKS_LOG_I("inserting EncRsaOaep group\n");
997 return DcmInsertClaim(out, &hksGroupEncRsaOaepOid, &booleanTrue, secLevel);
998 }
999 }
1000 }
1001 return HKS_ERROR_NOT_SUPPORTED;
1002 }
1003
InsertGroupClaim(bool * isInsert,struct HksBlob * out,const struct HksUsageSpec * attetUsageSpec,uint32_t secLevel)1004 static int32_t InsertGroupClaim(bool *isInsert, struct HksBlob *out, const struct HksUsageSpec *attetUsageSpec,
1005 uint32_t secLevel)
1006 {
1007 if (isInsert == NULL || CheckBlob(out) != HKS_SUCCESS || attetUsageSpec == NULL) {
1008 HKS_LOG_E("invalid input");
1009 return HKS_ERROR_INVALID_ARGUMENT;
1010 }
1011
1012 uint8_t *p = out->data;
1013 int32_t ret = InsertSignatureGroupClaim(out, attetUsageSpec, secLevel);
1014 if (ret != HKS_SUCCESS && ret != HKS_ERROR_NOT_SUPPORTED) {
1015 HKS_LOG_E("fail to insert signature group claim");
1016 return ret;
1017 }
1018 ret = InsertEncryptionGroupClaim(out, attetUsageSpec, secLevel);
1019 if (ret != HKS_SUCCESS && ret != HKS_ERROR_NOT_SUPPORTED) {
1020 HKS_LOG_E("fail to insert encryption group claim");
1021 return ret;
1022 }
1023 if (p != out->data) {
1024 *isInsert = true;
1025 } else {
1026 *isInsert = false;
1027 }
1028 return HKS_SUCCESS;
1029 }
1030
VerifyIdsInfo(enum HksTag tag,struct HksParam * param)1031 static int32_t VerifyIdsInfo(enum HksTag tag, struct HksParam *param)
1032 {
1033 (void)tag;
1034 (void)param;
1035 return HKS_SUCCESS;
1036 }
1037
InsertAppIdClaim(struct HksBlob * out,const struct HksParamSet * paramSet,uint32_t secLevel)1038 static int32_t InsertAppIdClaim(struct HksBlob *out, const struct HksParamSet *paramSet, uint32_t secLevel)
1039 {
1040 struct HksParam *appId = NULL;
1041 int32_t ret = HksGetParam(paramSet, HKS_TAG_ATTESTATION_APPLICATION_ID, &appId);
1042 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_SUCCESS, "not contain appId param!") // appId is optional
1043
1044 uint8_t buf[ASN_1_MAX_HEADER_LEN + MAX_OID_LEN + HKS_APP_ID_SIZE] = {0};
1045 uint8_t *tmp = buf;
1046 if (memcpy_s(tmp, MAX_OID_LEN, hksApplicationIdRawOid.data, hksApplicationIdRawOid.size) != EOK) {
1047 HKS_LOG_I("invalid oid of app id!");
1048 return HKS_ERROR_INVALID_ARGUMENT;
1049 }
1050 tmp += hksApplicationIdRawOid.size;
1051
1052 struct HksBlob tmpBlob = { sizeof(buf) - hksApplicationIdRawOid.size, tmp };
1053 struct HksAsn1Blob value = { ASN_1_TAG_TYPE_OCT_STR, appId->blob.size, appId->blob.data };
1054 ret = DcmAsn1WriteFinal(&tmpBlob, &value);
1055 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "write final value fail\n")
1056 tmp += tmpBlob.size;
1057
1058 uint32_t seqSize = tmp - buf;
1059 struct HksAsn1Blob seq = { ASN_1_TAG_TYPE_SEQ, seqSize, buf };
1060 ret = DcmInsertClaim(out, &hksApplicationIdOid, &seq, secLevel);
1061 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "add appId to cert fail, ret = %" LOG_PUBLIC "d", ret)
1062
1063 HKS_LOG_I("add appId to cert success!");
1064 return HKS_SUCCESS;
1065 }
1066
BuildAttestMsgClaims(struct HksBlob * out,const struct HksParamSet * paramSet)1067 static int32_t BuildAttestMsgClaims(struct HksBlob *out, const struct HksParamSet *paramSet)
1068 {
1069 uint32_t secLevel = HKS_SECURITY_LEVEL_HIGH;
1070 uint8_t version = HKS_HW_ATTESTATION_VERSION;
1071 struct HksAsn1Blob versionBlob = { ASN_1_TAG_TYPE_INT, 1, &version };
1072 int32_t ret = DcmAsn1InsertValue(out, NULL, &versionBlob);
1073 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "insert version fail\n")
1074
1075 struct HksParam *challenge = NULL;
1076 ret = HksGetParam(paramSet, HKS_TAG_ATTESTATION_CHALLENGE, &challenge);
1077 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get challenge param failed!")
1078
1079 struct HksAsn1Blob challengeBlob = { ASN_1_TAG_TYPE_OCT_STR, challenge->blob.size, challenge->blob.data };
1080 ret = DcmInsertClaim(out, &hksAttestationChallengeOid, &challengeBlob, HKS_SECURITY_LEVEL_LOW);
1081 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "insert challenge fail\n")
1082
1083 struct HksParam *keyId = NULL;
1084 ret = HksGetParam(paramSet, HKS_TAG_ATTESTATION_ID_ALIAS, &keyId);
1085 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get keyId param failed!")
1086
1087 struct HksAsn1Blob keyIdBlob = { ASN_1_TAG_TYPE_OCT_STR, keyId->blob.size, keyId->blob.data };
1088 ret = DcmInsertClaim(out, &hksKeyIdOid, &keyIdBlob, secLevel);
1089 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "insert keyId fail\n")
1090
1091 ret = InsertAppIdClaim(out, paramSet, secLevel);
1092 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "insert appId fail\n")
1093
1094 return HKS_SUCCESS;
1095 }
1096
BuildAttestKeyClaims(struct HksBlob * out,const struct HksParamSet * keyParamSet,const struct HksUsageSpec * attetUsageSpec)1097 static int32_t BuildAttestKeyClaims(struct HksBlob *out, const struct HksParamSet *keyParamSet,
1098 const struct HksUsageSpec *attetUsageSpec)
1099 {
1100 uint32_t secLevel = HKS_SECURITY_LEVEL_HIGH;
1101
1102 struct HksParam *signTypeParam = NULL;
1103 uint32_t signType = 0;
1104 int32_t ret = HksGetParam(keyParamSet, HKS_TAG_KEY_SECURE_SIGN_TYPE, &signTypeParam);
1105 if (ret == HKS_SUCCESS) {
1106 signType = signTypeParam->uint32Param;
1107 }
1108 struct HksAsn1Blob signTypeBlob = { ASN_1_TAG_TYPE_OCT_STR, sizeof(uint32_t), (uint8_t *)&signType };
1109 ret = DcmInsertClaim(out, &hksSignTypeOid, &signTypeBlob, secLevel);
1110 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "insert signType failed")
1111
1112 // insert key flag
1113 struct HksParam *keyFlagParam = NULL;
1114 ret = HksGetParam(keyParamSet, HKS_TAG_KEY_FLAG, &keyFlagParam);
1115 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get key flag failed")
1116
1117 struct HksAsn1Blob keyFlagBlob = { ASN_1_TAG_TYPE_OCT_STR, sizeof(uint32_t),
1118 (uint8_t *)&keyFlagParam->uint32Param };
1119
1120 ret = DcmInsertClaim(out, &hkskeyFlagOid, &keyFlagBlob, secLevel);
1121 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "insert keyFlag failed")
1122 HKS_LOG_I("attest key claims keyFlag[%" LOG_PUBLIC "u] success", keyFlagParam->uint32Param);
1123
1124 bool isGroupInsert = false;
1125 ret = InsertGroupClaim(&isGroupInsert, out, attetUsageSpec, secLevel);
1126 if (ret != HKS_SUCCESS && ret != HKS_ERROR_NOT_SUPPORTED) {
1127 HKS_LOG_E("insert group fail, ret %" LOG_PUBLIC "d\n", ret);
1128 return ret;
1129 }
1130
1131 if (isGroupInsert) {
1132 return HKS_SUCCESS;
1133 }
1134
1135 struct HksAsn1Blob usage = { ASN_1_TAG_TYPE_OCT_STR, sizeof(uint32_t), (uint8_t *)&attetUsageSpec->purpose };
1136 ret = DcmInsertClaim(out, &hksKeyUsageOid, &usage, secLevel);
1137 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "insert usage fail\n")
1138
1139 struct HksAsn1Blob digest = { ASN_1_TAG_TYPE_OCT_STR, sizeof(uint32_t), (uint8_t *)&attetUsageSpec->digest };
1140 ret = DcmInsertClaim(out, &hksDigestOid, &digest, secLevel);
1141 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "insert digest fail\n")
1142
1143 if ((attetUsageSpec->algType != HKS_ALG_RSA) && (attetUsageSpec->algType != HKS_ALG_SM2)) {
1144 struct HksAsn1Blob padding = { ASN_1_TAG_TYPE_OCT_STR, sizeof(uint32_t), (uint8_t *)&attetUsageSpec->padding };
1145 ret = DcmInsertClaim(out, &hksPaddingOid, &padding, secLevel);
1146 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "insert padding fail\n")
1147 }
1148 return HKS_SUCCESS;
1149 }
1150
InsertIdOrSecInfoData(enum HksTag tag,uint32_t type,const struct HksBlob * oid,struct HksBlob * out,const struct HksParamSet * paramSet)1151 static int32_t InsertIdOrSecInfoData(enum HksTag tag, uint32_t type, const struct HksBlob *oid,
1152 struct HksBlob *out, const struct HksParamSet *paramSet)
1153 {
1154 struct HksParam *param = NULL;
1155 int32_t ret = HksGetParam(paramSet, tag, ¶m);
1156 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get id param failed! tag is %" LOG_PUBLIC "x", tag)
1157
1158 ret = VerifyIdsInfo(tag, param);
1159 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "VerifyIdsInfo failed! tag is %" LOG_PUBLIC "x", tag)
1160
1161 struct HksAsn1Blob paramBlob = { type, param->blob.size, param->blob.data };
1162 ret = DcmInsertClaim(out, oid, ¶mBlob, HKS_SECURITY_LEVEL_SUPER);
1163 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "insert id cliam failed! tag is %" LOG_PUBLIC "x", tag)
1164
1165 return ret;
1166 }
1167
InsertIdOrSecInfoByOid(enum HksTag tagOne,enum HksTag tagTwo,struct HksBlob * out,const struct HksParamSet * paramSet)1168 static int32_t InsertIdOrSecInfoByOid(enum HksTag tagOne, enum HksTag tagTwo,
1169 struct HksBlob *out, const struct HksParamSet *paramSet)
1170 {
1171 if (tagOne != tagTwo) {
1172 return HKS_SUCCESS;
1173 }
1174 switch (tagOne) {
1175 case HKS_TAG_ATTESTATION_ID_BRAND:
1176 return InsertIdOrSecInfoData(tagOne, ASN_1_TAG_TYPE_UTF8_STR, &hksBrandOid, out, paramSet);
1177 case HKS_TAG_ATTESTATION_ID_DEVICE:
1178 return InsertIdOrSecInfoData(tagOne, ASN_1_TAG_TYPE_UTF8_STR, &hksDeviceOid, out, paramSet);
1179 case HKS_TAG_ATTESTATION_ID_PRODUCT:
1180 return InsertIdOrSecInfoData(tagOne, ASN_1_TAG_TYPE_UTF8_STR, &hksProductOid, out, paramSet);
1181 case HKS_TAG_ATTESTATION_ID_SERIAL:
1182 return InsertIdOrSecInfoData(tagOne, ASN_1_TAG_TYPE_UTF8_STR, &hksSnOid, out, paramSet);
1183 case HKS_TAG_ATTESTATION_ID_IMEI:
1184 return InsertIdOrSecInfoData(tagOne, ASN_1_TAG_TYPE_UTF8_STR, &hksImeiOid, out, paramSet);
1185 case HKS_TAG_ATTESTATION_ID_MEID:
1186 return InsertIdOrSecInfoData(tagOne, ASN_1_TAG_TYPE_UTF8_STR, &hksMeidOid, out, paramSet);
1187 case HKS_TAG_ATTESTATION_ID_MANUFACTURER:
1188 return InsertIdOrSecInfoData(tagOne, ASN_1_TAG_TYPE_UTF8_STR, &hksManufacturerOid, out, paramSet);
1189 case HKS_TAG_ATTESTATION_ID_MODEL:
1190 return InsertIdOrSecInfoData(tagOne, ASN_1_TAG_TYPE_UTF8_STR, &hksModelOid, out, paramSet);
1191 case HKS_TAG_ATTESTATION_ID_SOCID:
1192 return InsertIdOrSecInfoData(tagOne, ASN_1_TAG_TYPE_UTF8_STR, &hksSocIdOid, out, paramSet);
1193 case HKS_TAG_ATTESTATION_ID_UDID:
1194 return InsertIdOrSecInfoData(tagOne, ASN_1_TAG_TYPE_UTF8_STR, &hksUdidOid, out, paramSet);
1195 case HKS_TAG_ATTESTATION_ID_SEC_LEVEL_INFO:
1196 return InsertIdOrSecInfoData(tagOne, ASN_1_TAG_TYPE_OCT_STR, &hksSecInfoOid, out, paramSet);
1197 case HKS_TAG_ATTESTATION_ID_VERSION_INFO:
1198 return InsertIdOrSecInfoData(tagOne, ASN_1_TAG_TYPE_OCT_STR, &hksOsVersionOid, out, paramSet);
1199 default:
1200 break;
1201 }
1202 return HKS_ERROR_NOT_SUPPORTED;
1203 }
1204
BuildAttestDeviceClaims(struct HksBlob * out,const struct HksParamSet * paramSet)1205 static int32_t BuildAttestDeviceClaims(struct HksBlob *out, const struct HksParamSet *paramSet)
1206 {
1207 int32_t ret = HKS_SUCCESS;
1208 for (uint32_t i = 0; i < sizeof(g_idAttestList) / sizeof(g_idAttestList[0]); i++) {
1209 for (uint32_t j = 0; j < paramSet->paramsCnt; j++) {
1210 ret = InsertIdOrSecInfoByOid(paramSet->params[j].tag, g_idAttestList[i], out, paramSet);
1211 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "insert ids %" LOG_PUBLIC "x fail\n", paramSet->params[i].tag)
1212 }
1213 }
1214 return ret;
1215 }
1216
BuildAttestClaims(const struct HksParamSet * paramSet,const struct HksParamSet * keyParamSet,struct HksAttestSpec * attestSpec)1217 static int32_t BuildAttestClaims(const struct HksParamSet *paramSet, const struct HksParamSet *keyParamSet,
1218 struct HksAttestSpec *attestSpec)
1219 {
1220 uint8_t *claims = HksMalloc(ATTEST_CLAIM_BUF_LEN + ASN_1_MAX_HEADER_LEN);
1221 HKS_IF_NULL_LOGE_RETURN(claims, HKS_ERROR_MALLOC_FAIL, "malloc claims fail\n")
1222
1223 attestSpec->claims.data = claims;
1224 attestSpec->claims.size = ATTEST_CLAIM_BUF_LEN + ASN_1_MAX_HEADER_LEN;
1225
1226 struct HksBlob tmp = { ATTEST_CLAIM_BUF_LEN + ASN_1_MAX_HEADER_LEN, claims };
1227 tmp.data += ASN_1_MAX_HEADER_LEN;
1228 tmp.size -= ASN_1_MAX_HEADER_LEN;
1229
1230 int32_t ret = BuildAttestMsgClaims(&tmp, paramSet);
1231 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "build attest message claims fail\n")
1232
1233 ret = BuildAttestDeviceClaims(&tmp, paramSet);
1234 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "build attest device claims fail\n")
1235
1236 ret = BuildAttestKeyClaims(&tmp, keyParamSet, &attestSpec->usageSpec);
1237 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "build attest key claims fail\n")
1238
1239 uint8_t *seqData = claims + ASN_1_MAX_HEADER_LEN;
1240 uint32_t seqSize = tmp.data - seqData;
1241 struct HksAsn1Blob seqDataBlob = { ASN_1_TAG_TYPE_SEQ, seqSize, seqData };
1242 ret = DcmAsn1WriteFinal(&attestSpec->claims, &seqDataBlob);
1243 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "build attest claims fail\n")
1244
1245 return HKS_SUCCESS;
1246 }
1247
ReadCertOrKey(const uint8_t * inData,uint32_t size,struct HksBlob * out)1248 static int32_t ReadCertOrKey(const uint8_t *inData, uint32_t size, struct HksBlob *out)
1249 {
1250 uint8_t *data = HksMalloc(size);
1251 HKS_IF_NULL_LOGE_RETURN(data, HKS_ERROR_MALLOC_FAIL, "malloc data fail\n")
1252
1253 (void)memcpy_s(data, size, inData, size);
1254 out->size = size;
1255 out->data = data;
1256 return HKS_SUCCESS;
1257 }
1258
GetCertOrKey(enum HksCertType type,struct HksBlob * out)1259 static int32_t GetCertOrKey(enum HksCertType type, struct HksBlob *out)
1260 {
1261 switch (type) {
1262 case HKS_DEVICE_KEY:
1263 return ReadCertOrKey(g_deviceKey, sizeof(g_deviceKey), out);
1264 case HKS_DEVICE_CERT:
1265 return ReadCertOrKey(g_deviceCert, sizeof(g_deviceCert), out);
1266 case HKS_CA_CERT:
1267 return ReadCertOrKey(g_caCert, sizeof(g_caCert), out);
1268 case HKS_ROOT_CERT:
1269 return ReadCertOrKey(g_rootCert, sizeof(g_rootCert), out);
1270 default:
1271 break;
1272 }
1273 return HKS_ERROR_NOT_SUPPORTED;
1274 }
1275
GetCertAndKey(struct HksAttestSpec * attestSpec)1276 static int32_t GetCertAndKey(struct HksAttestSpec *attestSpec)
1277 {
1278 int32_t ret = GetCertOrKey(HKS_DEVICE_CERT, &attestSpec->devCert);
1279 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get devCert fail")
1280
1281 ret = GetCertOrKey(HKS_DEVICE_KEY, &attestSpec->devKey);
1282 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get devKey fail")
1283
1284 return ret;
1285 }
1286
FreeAttestSpec(struct HksAttestSpec ** attestSpec)1287 static void FreeAttestSpec(struct HksAttestSpec **attestSpec)
1288 {
1289 struct HksAttestSpec *spec = *attestSpec;
1290
1291 if (spec == NULL) {
1292 return;
1293 }
1294 if (spec->claims.data != NULL) {
1295 HKS_FREE(spec->claims.data);
1296 }
1297 if (spec->devCert.data != NULL) {
1298 HKS_FREE(spec->devCert.data);
1299 }
1300 if (spec->devKey.data != NULL) {
1301 (void)memset_s(spec->devKey.data, spec->devKey.size, 0, spec->devKey.size);
1302 HKS_FREE(spec->devKey.data);
1303 }
1304 if (spec->attestKey.data != NULL) {
1305 (void)memset_s(spec->attestKey.data, spec->attestKey.size, 0, spec->attestKey.size);
1306 HKS_FREE(spec->attestKey.data);
1307 }
1308 HKS_FREE(spec);
1309 *attestSpec = NULL;
1310 }
1311
CheckAttestUsageSpec(const struct HksUsageSpec * usageSpec)1312 static int32_t CheckAttestUsageSpec(const struct HksUsageSpec *usageSpec)
1313 {
1314 if ((usageSpec->algType != HKS_ALG_RSA) && (usageSpec->algType != HKS_ALG_ECC) &&
1315 (usageSpec->algType != HKS_ALG_X25519) && (usageSpec->algType != HKS_ALG_SM2)) {
1316 HKS_LOG_E("invalid alg %" LOG_PUBLIC "u\n", usageSpec->algType);
1317 return HKS_ERROR_INVALID_ARGUMENT;
1318 }
1319 if ((usageSpec->algType == HKS_ALG_RSA) && (usageSpec->padding != HKS_PADDING_PSS) &&
1320 (usageSpec->padding != HKS_PADDING_PKCS1_V1_5)) {
1321 HKS_LOG_E("invalid padding\n");
1322 return HKS_ERROR_INVALID_ARGUMENT;
1323 }
1324 return HKS_SUCCESS;
1325 }
1326
BuildAttestSpec(const struct HksParamSet * keyNodeParamSet,const struct HksParamSet * paramSet,struct HksBlob * rawKey,struct HksAttestSpec ** outAttestSpec)1327 static int32_t BuildAttestSpec(const struct HksParamSet *keyNodeParamSet, const struct HksParamSet *paramSet,
1328 struct HksBlob *rawKey, struct HksAttestSpec **outAttestSpec)
1329 {
1330 struct HksAttestSpec *attestSpec = HksMalloc(sizeof(struct HksAttestSpec));
1331 HKS_IF_NULL_LOGE_RETURN(attestSpec, HKS_ERROR_MALLOC_FAIL, "malloc attestSpec fail\n")
1332
1333 (void)memset_s(attestSpec, sizeof(struct HksAttestSpec), 0, sizeof(struct HksAttestSpec));
1334
1335 SetAttestCertValid(&attestSpec->validity);
1336
1337 HksFillUsageSpec(keyNodeParamSet, &attestSpec->usageSpec);
1338 int32_t ret = CheckAttestUsageSpec(&attestSpec->usageSpec);
1339 if (ret != HKS_SUCCESS) {
1340 FreeAttestSpec(&attestSpec);
1341 return ret;
1342 }
1343
1344 ret = BuildAttestClaims(paramSet, keyNodeParamSet, attestSpec);
1345 if (ret != HKS_SUCCESS) {
1346 FreeAttestSpec(&attestSpec);
1347 return ret;
1348 }
1349
1350 attestSpec->claimsOid = hksAttestationExtensionOid;
1351 attestSpec->attestKey.size = rawKey->size;
1352 attestSpec->attestKey.data = HksMalloc(rawKey->size);
1353 HKS_IF_NULL_LOGE_RETURN(attestSpec->attestKey.data, HKS_ERROR_MALLOC_FAIL, "fail to malloc raw key")
1354 (void)memcpy_s(attestSpec->attestKey.data, rawKey->size, rawKey->data, rawKey->size);
1355
1356 ret = GetCertAndKey(attestSpec);
1357 if (ret != HKS_SUCCESS) {
1358 HKS_LOG_E("get cert and key fail\n");
1359 FreeAttestSpec(&attestSpec);
1360 return ret;
1361 }
1362 *outAttestSpec = attestSpec;
1363 return HKS_SUCCESS;
1364 }
1365
CreateHwAttestCert(const struct HksAttestSpec * attestSpec,struct HksBlob * outAttestCert,uint32_t signAlg)1366 static int32_t CreateHwAttestCert(const struct HksAttestSpec *attestSpec, struct HksBlob *outAttestCert,
1367 uint32_t signAlg)
1368 {
1369 struct HksBlob template = { 0, NULL };
1370 if (signAlg == HKS_ALG_RSA) {
1371 template.data = (uint8_t *)g_attestTbsRsa;
1372 template.size = sizeof(g_attestTbsRsa);
1373 } else {
1374 template.data = (uint8_t *)g_attestTbs;
1375 template.size = sizeof(g_attestTbs);
1376 }
1377
1378 uint8_t *attest = HksMalloc(HKS_ATTEST_CERT_SIZE + attestSpec->claims.size);
1379 HKS_LOG_E("mattestSpec->claims.size is %" LOG_PUBLIC "d!", attestSpec->claims.size);
1380 HKS_IF_NULL_LOGE_RETURN(attest, HKS_ERROR_MALLOC_FAIL, "malloc attest cert failed!")
1381
1382 struct HksBlob attestCert = { HKS_ATTEST_CERT_SIZE + attestSpec->claims.size, attest };
1383 int32_t ret = CreateAttestCert(&attestCert, &template, attestSpec, signAlg);
1384 if (ret != HKS_SUCCESS) {
1385 HKS_FREE(attest);
1386 HKS_LOG_E("CreateAttestCert failed!");
1387 return ret;
1388 }
1389 *outAttestCert = attestCert;
1390 return HKS_SUCCESS;
1391 }
1392
CopyBlobToBuffer(const struct HksBlob * blob,struct HksBlob * buf)1393 static int32_t CopyBlobToBuffer(const struct HksBlob *blob, struct HksBlob *buf)
1394 {
1395 if (buf->size < sizeof(blob->size) + ALIGN_SIZE(blob->size)) {
1396 return HKS_ERROR_BUFFER_TOO_SMALL;
1397 }
1398 (void)memcpy_s(buf->data, buf->size, &blob->size, sizeof(blob->size));
1399 buf->data += sizeof(blob->size);
1400 buf->size -= sizeof(blob->size);
1401 (void)memcpy_s(buf->data, buf->size, blob->data, blob->size);
1402 buf->data += ALIGN_SIZE(blob->size);
1403 buf->size -= ALIGN_SIZE(blob->size);
1404 return HKS_SUCCESS;
1405 }
1406
FormatCertToBuf(enum HksCertType type,struct HksBlob * buf)1407 static int32_t FormatCertToBuf(enum HksCertType type, struct HksBlob *buf)
1408 {
1409 struct HksBlob cert = { 0, NULL };
1410 int32_t ret = GetCertOrKey(type, &cert);
1411 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "get cert failed!")
1412
1413 ret = CopyBlobToBuffer(&cert, buf);
1414 HKS_FREE(cert.data);
1415 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "copy cert fail")
1416
1417 return ret;
1418 }
1419
FormatAttestChain(const struct HksBlob * attestCert,const struct HksAttestSpec * attestSpec,struct HksBlob * certChain)1420 static int32_t FormatAttestChain(const struct HksBlob *attestCert, const struct HksAttestSpec *attestSpec,
1421 struct HksBlob *certChain)
1422 {
1423 struct HksBlob tmp = *certChain;
1424 *((uint32_t *)tmp.data) = HKS_ATTEST_CERT_COUNT;
1425 tmp.data += sizeof(uint32_t);
1426 tmp.size -= sizeof(uint32_t);
1427
1428 int32_t ret = CopyBlobToBuffer(attestCert, &tmp);
1429 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "copy attest cert fail")
1430
1431 ret = CopyBlobToBuffer(&attestSpec->devCert, &tmp);
1432 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "copy dev cert fail")
1433
1434 ret = FormatCertToBuf(HKS_CA_CERT, &tmp);
1435 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "format ca cert failed!")
1436
1437 ret = FormatCertToBuf(HKS_ROOT_CERT, &tmp);
1438 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_BAD_STATE, "format root cert failed!")
1439
1440 certChain->size = tmp.data - certChain->data;
1441 HKS_LOG_I("certChain size after format is %" LOG_PUBLIC "u", certChain->size);
1442 return HKS_SUCCESS;
1443 }
1444
CreateAttestCertChain(const struct HksParamSet * keyNodeParamSet,const struct HksParamSet * paramSet,struct HksBlob * certChain,struct HksBlob * rawKey)1445 int32_t CreateAttestCertChain(const struct HksParamSet *keyNodeParamSet, const struct HksParamSet *paramSet,
1446 struct HksBlob *certChain, struct HksBlob *rawKey)
1447 {
1448 struct HksAttestSpec *attestSpec = NULL;
1449 int32_t ret = BuildAttestSpec(keyNodeParamSet, paramSet, rawKey, &attestSpec);
1450 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "build attest spec failed")
1451
1452 struct HksBlob attestCert;
1453 ret = CreateHwAttestCert(attestSpec, &attestCert, HKS_ALG_RSA);
1454 if (ret != HKS_SUCCESS) {
1455 FreeAttestSpec(&attestSpec);
1456 HKS_LOG_E("build attest spec failed");
1457 return ret;
1458 }
1459
1460 ret = FormatAttestChain(&attestCert, attestSpec, certChain);
1461 HKS_FREE_BLOB(attestCert);
1462 FreeAttestSpec(&attestSpec);
1463 return ret;
1464 }
1465