Merge "Move CDDL into separate CDDL files" into main am: f9e524c5b1 am: 76c929f01e am: 2402a65e30 (8459ae0f) · Commits · e / os / android_hardware_interfaces

security/rkp/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl

+5 −250

Original line number	Diff line number	Diff line
		@@ -185,77 +185,7 @@ interface IRemotelyProvisionedComponent {
		*
		* In either case, the root is self-signed.
		*
		* EekChain = [ + SignedSignatureKey, SignedEek ]
		*
		* SignedSignatureKey = [ ; COSE_Sign1
		* protected: bstr .cbor {
		* 1 : AlgorithmEdDSA / AlgorithmES256, ; Algorithm
		* },
		* unprotected: {},
		* payload: bstr .cbor SignatureKeyEd25519 /
		* bstr .cbor SignatureKeyP256,
		* signature: bstr PureEd25519(.cbor SignatureKeySignatureInput) /
		* bstr ECDSA(.cbor SignatureKeySignatureInput)
		* ]
		*
		* SignatureKeyEd25519 = { ; COSE_Key
		* 1 : 1, ; Key type : Octet Key Pair
		* 3 : AlgorithmEdDSA, ; Algorithm
		* -1 : 6, ; Curve : Ed25519
		* -2 : bstr ; Ed25519 public key
		* }
		*
		* SignatureKeyP256 = { ; COSE_Key
		* 1 : 2, ; Key type : EC2
		* 3 : AlgorithmES256, ; Algorithm
		* -1 : 1, ; Curve: P256
		* -2 : bstr, ; X coordinate
		* -3 : bstr ; Y coordinate
		* }
		*
		* SignatureKeySignatureInput = [
		* context: "Signature1",
		* body_protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
		* external_aad: bstr .size 0,
		* payload: bstr .cbor SignatureKeyEd25519 /
		* bstr .cbor SignatureKeyP256
		* ]
		*
		* ; COSE_Sign1
		* SignedEek = [
		* protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
		* unprotected: {},
		* payload: bstr .cbor EekX25519 / .cbor EekP256,
		* signature: bstr PureEd25519(.cbor EekSignatureInput) /
		* bstr ECDSA(.cbor EekSignatureInput)
		* ]
		*
		* EekX25519 = { ; COSE_Key
		* 1 : 1, ; Key type : Octet Key Pair
		* 2 : bstr ; KID : EEK ID
		* 3 : -25, ; Algorithm : ECDH-ES + HKDF-256
		* -1 : 4, ; Curve : X25519
		* -2 : bstr ; X25519 public key, little-endian
		* }
		*
		* EekP256 = { ; COSE_Key
		* 1 : 2, ; Key type : EC2
		* 2 : bstr ; KID : EEK ID
		* 3 : -25, ; Algorithm : ECDH-ES + HKDF-256
		* -1 : 1, ; Curve : P256
		* -2 : bstr ; Sender X coordinate
		* -3 : bstr ; Sender Y coordinate
		* }
		*
		* EekSignatureInput = [
		* context: "Signature1",
		* body_protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
		* external_aad: bstr .size 0,
		* payload: bstr .cbor EekX25519 / .cbor EekP256
		* ]
		*
		* AlgorithmES256 = -7 ; RFC 8152 section 8.1
		* AlgorithmEdDSA = -8 ; RFC 8152 section 8.2
		* See generateCertificateRequest.cddl for CDDL definitions.
		*
		* If the contents of endpointEncryptionKey do not match the SignedEek structure above,
		* the method must return STATUS_INVALID_EEK.
		@@ -283,25 +213,9 @@ interface IRemotelyProvisionedComponent {
		* HMAC-256(EK_mac, .cbor KeysToMacStructure)
		*
		* Where EK_mac is an ephemeral MAC key, found in ProtectedData (see below). The MACed
		* data is the "tag" field of a COSE_Mac0 structure like:
		*
		* MacedKeys = [ ; COSE_Mac0
		* protected : bstr .cbor {
		* 1 : 5, ; Algorithm : HMAC-256
		* },
		* unprotected : {},
		* ; Payload is PublicKeys from keysToSign argument, in provided order.
		* payload: bstr .cbor [ * PublicKey ],
		* tag: bstr
		* ]
		*
		* KeysToMacStructure = [
		* context : "MAC0",
		* protected : bstr .cbor { 1 : 5 }, ; Algorithm : HMAC-256
		* external_aad : bstr .size 0,
		* ; Payload is PublicKeys from keysToSign argument, in provided order.
		* payload : bstr .cbor [ * PublicKey ]
		* ]
		* data is the "tag" field of a MacedKeys COSE_Mac0 structure.
		*
		* See generateCertificateRequest.cddl for CDDL definitions.
		*/
		byte[] generateCertificateRequest(in boolean testMode, in MacedPublicKey[] keysToSign,
		in byte[] endpointEncryptionCertChain, in byte[] challenge, out DeviceInfo deviceInfo,
		@@ -322,168 +236,9 @@ interface IRemotelyProvisionedComponent {
		* use different semantic data for this field, but the supported sizes must be between 0
		* and 64 bytes, inclusive.
		*
		* @return the following CBOR Certificate Signing Request (Csr) serialized into a byte array:
		*
		* Csr = AuthenticatedRequest<CsrPayload>
		*
		* CsrPayload = [ ; CBOR Array defining the payload for Csr
		* version: 3, ; The CsrPayload CDDL Schema version.
		* CertificateType, ; The type of certificate being requested.
		* DeviceInfo, ; Defined in DeviceInfo.aidl
		* KeysToSign, ; Provided by the method parameters
		* ]
		*
		* ; A tstr identifying the type of certificate. The set of supported certificate types may
		* ; be extended without requiring a version bump of the HAL. Custom certificate types may
		* ; be used, but the provisioning server may reject the request for an unknown certificate
		* ; type. The currently defined certificate types are:
		* ; - "widevine"
		* ; - "keymint"
		* CertificateType = tstr
		*
		* KeysToSign = [ * PublicKey ] ; Please see MacedPublicKey.aidl for the PublicKey definition.
		*
		* AuthenticatedRequest<T> = [
		* version: 1, ; The AuthenticatedRequest CDDL Schema version.
		* UdsCerts,
		* DiceCertChain,
		* SignedData<[
		* challenge: bstr .size (0..64), ; Provided by the method parameters
		* bstr .cbor T,
		* ]>,
		* ]
		*
		* ; COSE_Sign1 (untagged)
		* SignedData<Data> = [
		* protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
		* unprotected: {},
		* payload: bstr .cbor Data / nil,
		* signature: bstr ; PureEd25519(CDI_Leaf_Priv, SignedDataSigStruct<Data>) /
		* ; ECDSA(CDI_Leaf_Priv, SignedDataSigStruct<Data>)
		* ]
		*
		* ; Sig_structure for SignedData
		* SignedDataSigStruct<Data> = [
		* context: "Signature1",
		* protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
		* external_aad: bstr .size 0,
		* payload: bstr .cbor Data / nil,
		* ]
		*
		* ; UdsCerts allows the platform to provide additional certifications for the UDS_Pub. For
		* ; example, this could be provided by the hardware vendor, who certifies all of their chips.
		* ; The SignerName is a free-form string describing who generated the signature. The root
		* ; certificate will need to be communicated to the verifier out of band, along with the
		* ; SignerName that is expected for the given root certificate.
		* UdsCerts = {
		* * SignerName => UdsCertChain
		* }
		*
		* ; SignerName is a string identifier that indicates both the signing authority as
		* ; well as the format of the UdsCertChain
		* SignerName = tstr
		*
		* UdsCertChain = [
		* 2* X509Certificate ; Root -> ... -> Leaf. "Root" is the vendor self-signed
		* ; cert, "Leaf" contains UDS_Public. There may also be
		* ; intermediate certificates between Root and Leaf.
		* ]
		*
		* ; A bstr containing a DER-encoded X.509 certificate (RSA, NIST P-curve, or EdDSA)
		* X509Certificate = bstr
		*
		* ; The DICE Chain contains measurements about the device firmware.
		* ; The first entry in the DICE Chain is the UDS_Pub, encoded as a COSE_key. All entries
		* ; after the first describe a link in the boot chain (e.g. bootloaders: BL1, BL2, ... BLN)
		* ; Note that there is no DiceChainEntry for UDS_pub, only a "bare" COSE_key.
		* DiceCertChain = [
		* PubKeyEd25519 / PubKeyECDSA256 / PubKeyECDSA384, ; UDS_Pub
		* + DiceChainEntry, ; First CDI_Certificate -> Last CDI_Certificate
		* ; Last certificate corresponds to KeyMint's DICE key.
		* ]
		*
		* ; This is the signed payload for each entry in the DICE chain. Note that the "Configuration
		* ; Input Values" described by the Open Profile are not used here. Instead, the DICE chain
		* ; defines its own configuration values for the Configuration Descriptor field. See
		* ; the Open Profile for DICE for more details on the fields. SHA256, SHA384 and SHA512 are
		* ; acceptable hash algorithms. The digest bstr values in the payload are the digest values
		* ; without any padding. Note that this implies that the digest is a 32-byte bstr for SHA256
		* ; and a 48-byte bstr for SHA384. This is an intentional, minor deviation from Open Profile
		* ; for DICE, which specifies all digests are 64 bytes.
		* DiceChainEntryPayload = { ; CWT [RFC8392]
		* 1 : tstr, ; Issuer
		* 2 : tstr, ; Subject
		* -4670552 : bstr .cbor PubKeyEd25519 /
		* bstr .cbor PubKeyECDSA256 /
		* bstr .cbor PubKeyECDSA384, ; Subject Public Key
		* -4670553 : bstr ; Key Usage
		*
		* ; NOTE: All of the following fields may be omitted for a "Degenerate DICE Chain", as
		* ; described above.
		* -4670545 : bstr, ; Code Hash
		* ? -4670546 : bstr, ; Code Descriptor
		* -4670547 : bstr, ; Configuration Hash
		* -4670548 : bstr .cbor { ; Configuration Descriptor
		* ? -70002 : tstr, ; Component name
		* ? -70003 : int / tstr, ; Component version
		* ? -70004 : null, ; Resettable
		* ? -70005 : uint, ; Security version
		* },
		* -4670549 : bstr, ; Authority Hash
		* ? -4670550 : bstr, ; Authority Descriptor
		* -4670551 : bstr, ; Mode
		* }
		*
		* ; Each entry in the DICE chain is a DiceChainEntryPayload signed by the key from the previous
		* ; entry in the DICE chain array.
		* DiceChainEntry = [ ; COSE_Sign1 (untagged)
		* protected : bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
		* unprotected: {},
		* payload: bstr .cbor DiceChainEntryPayload,
		* signature: bstr ; PureEd25519(SigningKey, DiceChainEntryInput) /
		* ; ECDSA(SigningKey, DiceChainEntryInput)
		* ; See RFC 8032 for details of how to encode the signature value
		* ; for Ed25519.
		* ]
		*
		* DiceChainEntryInput = [
		* context: "Signature1",
		* protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
		* external_aad: bstr .size 0,
		* payload: bstr .cbor DiceChainEntryPayload
		* ]
		*
		* ; The following section defines some types that are reused throughout the above
		* ; data structures.
		* ; NOTE: Integer encoding is different for Ed25519 and P256 keys:
		* ; - Ed25519 is LE: https://www.rfc-editor.org/rfc/rfc8032#section-3.1
		* ; - P256 is BE: https://www.secg.org/sec1-v2.pdf#page=19 (section 2.3.7)
		* PubKeyEd25519 = { ; COSE_Key
		* 1 : 1, ; Key type : octet key pair
		* 3 : AlgorithmEdDSA, ; Algorithm : EdDSA
		* -1 : 6, ; Curve : Ed25519
		* -2 : bstr ; X coordinate, little-endian
		* }
		*
		* PubKeyECDSA256 = { ; COSE_Key
		* 1 : 2, ; Key type : EC2
		* 3 : AlgorithmES256, ; Algorithm : ECDSA w/ SHA-256
		* -1 : 1, ; Curve: P256
		* -2 : bstr, ; X coordinate, big-endian
		* -3 : bstr ; Y coordinate, big-endian
		* }
		*
		* PubKeyECDSA384 = { ; COSE_Key
		* 1 : 2, ; Key type : EC2
		* 3 : AlgorithmES384, ; Algorithm : ECDSA w/ SHA-384
		* -1 : 2, ; Curve: P384
		* -2 : bstr, ; X coordinate
		* -3 : bstr ; Y coordinate
		* }
		*
		* AlgorithmES256 = -7
		* AlgorithmES384 = -35
		* AlgorithmEdDSA = -8
		* @return a CBOR Certificate Signing Request (Csr) serialized into a byte array.
		*
		* See generateCertificateRequestV2.cddl for CDDL definitions.
		*/
		byte[] generateCertificateRequestV2(in MacedPublicKey[] keysToSign, in byte[] challenge);
		}

security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequest.cddl

0 → 100644

+92 −0

Original line number	Diff line number	Diff line
		; CDDL for the deprecated version 1 generateCertificateRequest method
		; in IRemotelyProvisionedComponent.aidl

		EekChain = [ + SignedSignatureKey, SignedEek ]

		SignedSignatureKey = [ ; COSE_Sign1
		protected: bstr .cbor {
		1 : AlgorithmEdDSA / AlgorithmES256, ; Algorithm
		},
		unprotected: {},
		payload: bstr .cbor SignatureKeyEd25519 /
		bstr .cbor SignatureKeyP256,
		signature: bstr PureEd25519(.cbor SignatureKeySignatureInput) /
		bstr ECDSA(.cbor SignatureKeySignatureInput)
		]

		SignatureKeyEd25519 = { ; COSE_Key
		1 : 1, ; Key type : Octet Key Pair
		3 : AlgorithmEdDSA, ; Algorithm
		-1 : 6, ; Curve : Ed25519
		-2 : bstr ; Ed25519 public key
		}

		SignatureKeyP256 = { ; COSE_Key
		1 : 2, ; Key type : EC2
		3 : AlgorithmES256, ; Algorithm
		-1 : 1, ; Curve: P256
		-2 : bstr, ; X coordinate
		-3 : bstr ; Y coordinate
		}

		SignatureKeySignatureInput = [
		context: "Signature1",
		body_protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
		external_aad: bstr .size 0,
		payload: bstr .cbor SignatureKeyEd25519 /
		bstr .cbor SignatureKeyP256
		]

		; COSE_Sign1
		SignedEek = [
		protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
		unprotected: {},
		payload: bstr .cbor EekX25519 / .cbor EekP256,
		signature: bstr PureEd25519(.cbor EekSignatureInput) /
		bstr ECDSA(.cbor EekSignatureInput)
		]

		EekX25519 = { ; COSE_Key
		1 : 1, ; Key type : Octet Key Pair
		2 : bstr ; KID : EEK ID
		3 : -25, ; Algorithm : ECDH-ES + HKDF-256
		-1 : 4, ; Curve : X25519
		-2 : bstr ; X25519 public key, little-endian
		}

		EekP256 = { ; COSE_Key
		1 : 2, ; Key type : EC2
		2 : bstr ; KID : EEK ID
		3 : -25, ; Algorithm : ECDH-ES + HKDF-256
		-1 : 1, ; Curve : P256
		-2 : bstr ; Sender X coordinate
		-3 : bstr ; Sender Y coordinate
		}

		EekSignatureInput = [
		context: "Signature1",
		body_protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
		external_aad: bstr .size 0,
		payload: bstr .cbor EekX25519 / .cbor EekP256
		]

		AlgorithmES256 = -7 ; RFC 8152 section 8.1
		AlgorithmEdDSA = -8 ; RFC 8152 section 8.2

		MacedKeys = [ ; COSE_Mac0
		protected : bstr .cbor {
		1 : 5, ; Algorithm : HMAC-256
		},
		unprotected : {},
		; Payload is PublicKeys from keysToSign argument, in provided order.
		payload: bstr .cbor [ * PublicKey ],
		tag: bstr
		]

		KeysToMacStructure = [
		context : "MAC0",
		protected : bstr .cbor { 1 : 5 }, ; Algorithm : HMAC-256
		external_aad : bstr .size 0,
		; Payload is PublicKeys from keysToSign argument, in provided order.
		payload : bstr .cbor [ * PublicKey ]
		]

security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl

0 → 100644

+163 −0

Original line number	Diff line number	Diff line
		; CDDL for the generateCertificateRequestV2 method in
		; IRemotelyProvisionedComponent.aidl

		Csr = AuthenticatedRequest<CsrPayload>

		CsrPayload = [ ; CBOR Array defining the payload for Csr
		version: 3, ; The CsrPayload CDDL Schema version.
		CertificateType, ; The type of certificate being requested.
		DeviceInfo, ; Defined in DeviceInfo.aidl
		KeysToSign, ; Provided by the method parameters
		]

		; A tstr identifying the type of certificate. The set of supported certificate types may
		; be extended without requiring a version bump of the HAL. Custom certificate types may
		; be used, but the provisioning server may reject the request for an unknown certificate
		; type. The currently defined certificate types are:
		; - "widevine"
		; - "keymint"
		CertificateType = tstr

		KeysToSign = [ * PublicKey ] ; Please see MacedPublicKey.aidl for the PublicKey definition.

		AuthenticatedRequest<T> = [
		version: 1, ; The AuthenticatedRequest CDDL Schema version.
		UdsCerts,
		DiceCertChain,
		SignedData<[
		challenge: bstr .size (0..64), ; Provided by the method parameters
		bstr .cbor T,
		]>,
		]

		; COSE_Sign1 (untagged)
		SignedData<Data> = [
		protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
		unprotected: {},
		payload: bstr .cbor Data / nil,
		signature: bstr ; PureEd25519(CDI_Leaf_Priv, SignedDataSigStruct<Data>) /
		; ECDSA(CDI_Leaf_Priv, SignedDataSigStruct<Data>)
		]

		; Sig_structure for SignedData
		SignedDataSigStruct<Data> = [
		context: "Signature1",
		protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
		external_aad: bstr .size 0,
		payload: bstr .cbor Data / nil,
		]

		; UdsCerts allows the platform to provide additional certifications for the UDS_Pub. For
		; example, this could be provided by the hardware vendor, who certifies all of their chips.
		; The SignerName is a free-form string describing who generated the signature. The root
		; certificate will need to be communicated to the verifier out of band, along with the
		; SignerName that is expected for the given root certificate.
		UdsCerts = {
		* SignerName => UdsCertChain
		}

		; SignerName is a string identifier that indicates both the signing authority as
		; well as the format of the UdsCertChain
		SignerName = tstr

		UdsCertChain = [
		2* X509Certificate ; Root -> ... -> Leaf. "Root" is the vendor self-signed
		; cert, "Leaf" contains UDS_Public. There may also be
		; intermediate certificates between Root and Leaf.
		]

		; A bstr containing a DER-encoded X.509 certificate (RSA, NIST P-curve, or EdDSA)
		X509Certificate = bstr

		; The DICE Chain contains measurements about the device firmware.
		; The first entry in the DICE Chain is the UDS_Pub, encoded as a COSE_key. All entries
		; after the first describe a link in the boot chain (e.g. bootloaders: BL1, BL2, ... BLN)
		; Note that there is no DiceChainEntry for UDS_pub, only a "bare" COSE_key.
		DiceCertChain = [
		PubKeyEd25519 / PubKeyECDSA256 / PubKeyECDSA384, ; UDS_Pub
		+ DiceChainEntry, ; First CDI_Certificate -> Last CDI_Certificate
		; Last certificate corresponds to KeyMint's DICE key.
		]

		; This is the signed payload for each entry in the DICE chain. Note that the "Configuration
		; Input Values" described by the Open Profile are not used here. Instead, the DICE chain
		; defines its own configuration values for the Configuration Descriptor field. See
		; the Open Profile for DICE for more details on the fields. SHA256, SHA384 and SHA512 are
		; acceptable hash algorithms. The digest bstr values in the payload are the digest values
		; without any padding. Note that this implies that the digest is a 32-byte bstr for SHA256
		; and a 48-byte bstr for SHA384. This is an intentional, minor deviation from Open Profile
		; for DICE, which specifies all digests are 64 bytes.
		DiceChainEntryPayload = { ; CWT [RFC8392]
		1 : tstr, ; Issuer
		2 : tstr, ; Subject
		-4670552 : bstr .cbor PubKeyEd25519 /
		bstr .cbor PubKeyECDSA256 /
		bstr .cbor PubKeyECDSA384, ; Subject Public Key
		-4670553 : bstr ; Key Usage

		; NOTE: All of the following fields may be omitted for a "Degenerate DICE Chain", as
		; described above.
		-4670545 : bstr, ; Code Hash
		? -4670546 : bstr, ; Code Descriptor
		-4670547 : bstr, ; Configuration Hash
		-4670548 : bstr .cbor { ; Configuration Descriptor
		? -70002 : tstr, ; Component name
		? -70003 : int / tstr, ; Component version
		? -70004 : null, ; Resettable
		? -70005 : uint, ; Security version
		},
		-4670549 : bstr, ; Authority Hash
		? -4670550 : bstr, ; Authority Descriptor
		-4670551 : bstr, ; Mode
		}

		; Each entry in the DICE chain is a DiceChainEntryPayload signed by the key from the previous
		; entry in the DICE chain array.
		DiceChainEntry = [ ; COSE_Sign1 (untagged)
		protected : bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
		unprotected: {},
		payload: bstr .cbor DiceChainEntryPayload,
		signature: bstr ; PureEd25519(SigningKey, DiceChainEntryInput) /
		; ECDSA(SigningKey, DiceChainEntryInput)
		; See RFC 8032 for details of how to encode the signature value
		; for Ed25519.
		]

		DiceChainEntryInput = [
		context: "Signature1",
		protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
		external_aad: bstr .size 0,
		payload: bstr .cbor DiceChainEntryPayload
		]

		; The following section defines some types that are reused throughout the above
		; data structures.
		; NOTE: Integer encoding is different for Ed25519 and P256 keys:
		; - Ed25519 is LE: https://www.rfc-editor.org/rfc/rfc8032#section-3.1
		; - P256 is BE: https://www.secg.org/sec1-v2.pdf#page=19 (section 2.3.7)
		PubKeyEd25519 = { ; COSE_Key
		1 : 1, ; Key type : octet key pair
		3 : AlgorithmEdDSA, ; Algorithm : EdDSA
		-1 : 6, ; Curve : Ed25519
		-2 : bstr ; X coordinate, little-endian
		}

		PubKeyECDSA256 = { ; COSE_Key
		1 : 2, ; Key type : EC2
		3 : AlgorithmES256, ; Algorithm : ECDSA w/ SHA-256
		-1 : 1, ; Curve: P256
		-2 : bstr, ; X coordinate, big-endian
		-3 : bstr ; Y coordinate, big-endian
		}

		PubKeyECDSA384 = { ; COSE_Key
		1 : 2, ; Key type : EC2
		3 : AlgorithmES384, ; Algorithm : ECDSA w/ SHA-384
		-1 : 2, ; Curve: P384
		-2 : bstr, ; X coordinate
		-3 : bstr ; Y coordinate
		}

		AlgorithmES256 = -7
		AlgorithmES384 = -35
		AlgorithmEdDSA = -8