1; CDDL for the generateCertificateRequestV2 method in 2; IRemotelyProvisionedComponent.aidl 3 4Csr = AuthenticatedRequest<CsrPayload> 5 6CsrPayload = [ ; CBOR Array defining the payload for Csr 7 version: 3, ; The CsrPayload CDDL Schema version. 8 CertificateType, ; The type of certificate being requested. 9 DeviceInfo, ; Defined in the relevant DeviceInfoV*.cddl file. 10 KeysToSign, ; Provided by the method parameters 11] 12 13; A tstr identifying the type of certificate. The set of supported certificate types may 14; be extended without requiring a version bump of the HAL. Custom certificate types may 15; be used, but the provisioning server may reject the request for an unknown certificate 16; type. The currently defined certificate types are: 17; * "widevine" -- Widevine content protection system 18; * "keymint" -- KeyMint HAL 19; * "rkp-vm" -- See "Support for Android Virtualization Framework" in the README.md file. 20CertificateType = tstr 21 22KeysToSign = [ * PublicKey ] ; Please see PublicKey.cddl for the PublicKey definition. 23 24AuthenticatedRequest<T> = [ 25 version: 1, ; The AuthenticatedRequest CDDL Schema version. 26 UdsCerts, 27 DiceCertChain, 28 SignedData<[ 29 challenge: bstr .size (0..64), ; Provided by the method parameters 30 bstr .cbor T, 31 ]>, 32] 33 34; COSE_Sign1 (untagged) [RFC9052 s4.2] 35SignedData<Data> = [ 36 protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 }, 37 unprotected: {}, 38 payload: bstr .cbor Data / nil, 39 signature: bstr ; PureEd25519(CDI_Leaf_Priv, SignedDataSigStruct<Data>) / 40 ; ECDSA(CDI_Leaf_Priv, SignedDataSigStruct<Data>) 41] 42 43; Sig_structure for SignedData [ RFC9052 s4.4] 44SignedDataSigStruct<Data> = [ 45 context: "Signature1", 46 protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 }, 47 external_aad: bstr .size 0, 48 payload: bstr .cbor Data / nil, 49] 50 51; UdsCerts allows the platform to provide additional certifications for the UDS_Pub. For 52; example, this could be provided by the hardware vendor, who certifies all of their chips. 53; The SignerName is a free-form string describing who generated the signature. The root 54; certificate will need to be communicated to the verifier out of band, along with the 55; SignerName that is expected for the given root certificate. UDS certificate 56; requirements are defined in https://android.googlesource.com/platform/hardware/interfaces/+/main/security/rkp/README.md#uds-certificates. 57UdsCerts = { 58 * SignerName => UdsCertChain 59} 60 61; SignerName is a string identifier that indicates both the signing authority as 62; well as the format of the UdsCertChain 63SignerName = tstr 64 65UdsCertChain = [ 66 + X509Certificate ; Root -> ... -> Leaf. "Root" is the vendor self-signed 67 ; cert, "Leaf" contains UDS_Pub. It's recommended to 68 ; have at least 3 certificates in the chain. 69 ; The Root certificate is recommended to be generated in an air-gapped, 70 ; HSM-based secure environment. The intermediate signing keys may be 71 ; online, and should be rotated regularly (e.g. annually). Additionally, 72 ; the intermediate certificates may contain product family identifiers. 73] 74 75; A bstr containing a DER-encoded X.509 certificate (RSA, NIST P-curve, or EdDSA) 76X509Certificate = bstr 77 78; The DICE Chain contains measurements about the device firmware. 79; The first entry in the DICE Chain is the UDS_Pub, encoded as a COSE_key. All entries 80; after the first describe a link in the boot chain (e.g. bootloaders: BL1, BL2, ... BLN) 81; Note that there is no DiceChainEntry for UDS_Pub, only a "bare" COSE_key. 82DiceCertChain = [ 83 PubKeyEd25519 / PubKeyECDSA256 / PubKeyECDSA384, ; UDS_Pub 84 + DiceChainEntry, ; First CDI_Certificate -> Last CDI_Certificate 85 ; Last certificate corresponds to KeyMint's DICE key. 86] 87 88; This is the signed payload for each entry in the DICE chain. Note that the "Configuration 89; Input Values" described by the Open Profile are not used here. Instead, the DICE chain 90; defines its own configuration values for the Configuration Descriptor field. See 91; the Open Profile for DICE for more details on the fields. SHA256, SHA384 and SHA512 are 92; acceptable hash algorithms. The digest bstr values in the payload are the digest values 93; without any padding. Note that this implies that the digest is a 32-byte bstr for SHA256 94; and a 48-byte bstr for SHA384. This is an intentional, minor deviation from Open Profile 95; for DICE, which specifies all digests are 64 bytes. 96DiceChainEntryPayload = { ; CWT [RFC8392] 97 1 : tstr, ; Issuer 98 2 : tstr, ; Subject 99 -4670554 : "android.15", ; Profile Name 100 -4670552 : bstr .cbor PubKeyEd25519 / 101 bstr .cbor PubKeyECDSA256 / 102 bstr .cbor PubKeyECDSA384, ; Subject Public Key 103 -4670553 : bstr ; Key Usage 104 105 ; NOTE: All of the following fields may be omitted for a "Degenerate DICE Chain", as 106 ; described above. 107 -4670545 : bstr, ; Code Hash 108 ? -4670546 : bstr, ; Code Descriptor 109 -4670547 : bstr, ; Configuration Hash 110 -4670548 : bstr .cbor ConfigurationDescriptor, 111 -4670549 : bstr, ; Authority Hash 112 ? -4670550 : bstr, ; Authority Descriptor 113 -4670551 : bstr, ; Mode 114} 115 116ConfigurationDescriptor = { ; Configuration Descriptor 117 ? -70002 : tstr, ; Component name 118 ? -70003 : int / tstr, ; Component version 119 ? -70004 : null, ; Resettable 120 ? -70005 : uint, ; Security version 121 ? -70006 : null, ; RKP VM marker 122} 123 124; Each entry in the DICE chain is a DiceChainEntryPayload signed by the key from the previous 125; entry in the DICE chain array. 126DiceChainEntry = [ ; COSE_Sign1 (untagged), [RFC9052 s4.2] 127 protected : bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 }, 128 unprotected: {}, 129 payload: bstr .cbor DiceChainEntryPayload, 130 signature: bstr ; PureEd25519(SigningKey, DiceChainEntryInput) / 131 ; ECDSA(SigningKey, DiceChainEntryInput) 132 ; See RFC 8032 for details of how to encode the signature value 133 ; for Ed25519. 134] 135 136DiceChainEntryInput = [ 137 context: "Signature1", 138 protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 }, 139 external_aad: bstr .size 0, 140 payload: bstr .cbor DiceChainEntryPayload 141] 142 143; The following section defines some types that are reused throughout the above 144; data structures. 145; NOTE: Integer encoding is different for Ed25519 and P256 keys: 146; - Ed25519 is LE: https://www.rfc-editor.org/rfc/rfc8032#section-3.1 147; - P256 is BE: https://www.secg.org/sec1-v2.pdf#page=19 (section 2.3.7) 148PubKeyEd25519 = { ; COSE_Key [RFC9052 s7] 149 1 : 1, ; Key type : octet key pair 150 3 : AlgorithmEdDSA, ; Algorithm : EdDSA 151 -1 : 6, ; Curve : Ed25519 152 -2 : bstr ; X coordinate, little-endian 153} 154 155PubKeyECDSA256 = { ; COSE_Key [RFC9052 s7] 156 1 : 2, ; Key type : EC2 157 3 : AlgorithmES256, ; Algorithm : ECDSA w/ SHA-256 158 -1 : 1, ; Curve: P256 159 -2 : bstr, ; X coordinate, big-endian 160 -3 : bstr ; Y coordinate, big-endian 161} 162 163PubKeyECDSA384 = { ; COSE_Key [RFC9052 s7] 164 1 : 2, ; Key type : EC2 165 3 : AlgorithmES384, ; Algorithm : ECDSA w/ SHA-384 166 -1 : 2, ; Curve: P384 167 -2 : bstr, ; X coordinate, big-endian 168 -3 : bstr ; Y coordinate, big-endian 169} 170 171AlgorithmES256 = -7 ; [RFC9053 s2.1] 172AlgorithmES384 = -35 ; [RFC9053 s2.1] 173AlgorithmEdDSA = -8 ; [RFC9053 s2.2] 174 175; INCLUDE PublicKey.cddl for: PublicKey 176; INCLUDE DeviceInfoV3.cddl for: DeviceInfo 177