1 // Copyright 2022, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 //! Helper functionality for working with legacy tag serialization.
16
17 use crate::{km_err, try_to_vec, vec_try, vec_try_with_capacity, Error, FallibleAllocExt};
18 use alloc::vec::Vec;
19 use core::cmp::Ordering;
20 use core::convert::{TryFrom, TryInto};
21 use kmr_wire::{
22 keymint::{
23 Algorithm, BlockMode, DateTime, Digest, EcCurve, KeyOrigin, KeyParam, KeyPurpose,
24 PaddingMode, Tag,
25 },
26 KeySizeInBits, RsaExponent,
27 };
28
29 /// Retrieve a `u8` from the start of the given slice, if possible.
consume_u8(data: &mut &[u8]) -> Result<u8, Error>30 pub fn consume_u8(data: &mut &[u8]) -> Result<u8, Error> {
31 match data.first() {
32 Some(b) => {
33 *data = &(*data)[1..];
34 Ok(*b)
35 }
36 None => Err(km_err!(InvalidKeyBlob, "failed to find 1 byte")),
37 }
38 }
39
40 /// Move past a bool value from the start of the given slice, if possible.
41 /// Bool values should only be included if `true`, so fail if the value
42 /// is anything other than 1.
consume_bool(data: &mut &[u8]) -> Result<(), Error>43 pub fn consume_bool(data: &mut &[u8]) -> Result<(), Error> {
44 let b = consume_u8(data)?;
45 if b == 0x01 {
46 Ok(())
47 } else {
48 Err(km_err!(InvalidKeyBlob, "bool value other than 1 encountered"))
49 }
50 }
51
52 /// Retrieve a (host-ordered) `u32` from the start of the given slice, if possible.
consume_u32(data: &mut &[u8]) -> Result<u32, Error>53 pub fn consume_u32(data: &mut &[u8]) -> Result<u32, Error> {
54 if data.len() < 4 {
55 return Err(km_err!(InvalidKeyBlob, "failed to find 4 bytes"));
56 }
57 let chunk: [u8; 4] = data[..4].try_into().unwrap(); // safe: just checked
58 *data = &(*data)[4..];
59 Ok(u32::from_ne_bytes(chunk))
60 }
61
62 /// Retrieve a (host-ordered) `i32` from the start of the given slice, if possible.
consume_i32(data: &mut &[u8]) -> Result<i32, Error>63 pub fn consume_i32(data: &mut &[u8]) -> Result<i32, Error> {
64 if data.len() < 4 {
65 return Err(km_err!(InvalidKeyBlob, "failed to find 4 bytes"));
66 }
67 let chunk: [u8; 4] = data[..4].try_into().unwrap(); // safe: just checked
68 *data = &(*data)[4..];
69 Ok(i32::from_ne_bytes(chunk))
70 }
71
72 /// Retrieve a (host-ordered) `u64` from the start of the given slice, if possible.
consume_u64(data: &mut &[u8]) -> Result<u64, Error>73 pub fn consume_u64(data: &mut &[u8]) -> Result<u64, Error> {
74 if data.len() < 8 {
75 return Err(km_err!(InvalidKeyBlob, "failed to find 8 bytes"));
76 }
77 let chunk: [u8; 8] = data[..8].try_into().unwrap(); // safe: just checked
78 *data = &(*data)[8..];
79 Ok(u64::from_ne_bytes(chunk))
80 }
81
82 /// Retrieve a (host-ordered) `i64` from the start of the given slice, if possible.
consume_i64(data: &mut &[u8]) -> Result<i64, Error>83 pub fn consume_i64(data: &mut &[u8]) -> Result<i64, Error> {
84 if data.len() < 8 {
85 return Err(km_err!(InvalidKeyBlob, "failed to find 8 bytes"));
86 }
87 let chunk: [u8; 8] = data[..8].try_into().unwrap(); // safe: just checked
88 *data = &(*data)[8..];
89 Ok(i64::from_ne_bytes(chunk))
90 }
91
92 /// Retrieve a vector of bytes from the start of the given slice, if possible,
93 /// with the length of the data is expected to appear as a host-ordered `u32` prefix.
consume_vec(data: &mut &[u8]) -> Result<Vec<u8>, Error>94 pub fn consume_vec(data: &mut &[u8]) -> Result<Vec<u8>, Error> {
95 let len = consume_u32(data)? as usize;
96 if len > data.len() {
97 return Err(km_err!(InvalidKeyBlob, "failed to find {} bytes", len));
98 }
99 let result = try_to_vec(&data[..len])?;
100 *data = &(*data)[len..];
101 Ok(result)
102 }
103
104 /// Serialize a collection of [`KeyParam`]s into a format that is compatible with previous
105 /// implementations:
106 ///
107 /// ```text
108 /// [0..4] Size B of `TagType::Bytes` data, in host order.
109 /// [4..4+B] (*) Concatenated contents of each `TagType::Bytes` tag.
110 /// [4+B..4+B+4] Count N of the number of parameters, in host order.
111 /// [8+B..8+B+4] Size Z of encoded parameters.
112 /// [12+B..12+B+Z] Serialized parameters one after another.
113 /// ```
114 ///
115 /// Individual parameters are serialized in the last chunk as:
116 ///
117 /// ```text
118 /// [0..4] Tag number, in host order.
119 /// Followed by one of the following depending on the tag's `TagType`; all integers in host order:
120 /// [4..5] Bool value (`TagType::Bool`)
121 /// [4..8] i32 values (`TagType::Uint[Rep]`, `TagType::Enum[Rep]`)
122 /// [4..12] i64 values, in host order (`TagType::UlongRep`, `TagType::Date`)
123 /// [4..8] + [8..12] Size + offset of data in (*) above (`TagType::Bytes`, `TagType::Bignum`)
124 /// ```
serialize(params: &[KeyParam]) -> Result<Vec<u8>, Error>125 pub fn serialize(params: &[KeyParam]) -> Result<Vec<u8>, Error> {
126 // First 4 bytes are the length of the combined [`TagType::Bytes`] data; come back to set that
127 // in a moment.
128 let mut result = vec_try![0; 4]?;
129
130 // Next append the contents of all of the [`TagType::Bytes`] data.
131 let mut blob_size = 0u32;
132 for param in params {
133 match param {
134 // Variants that hold `Vec<u8>`.
135 KeyParam::ApplicationId(v)
136 | KeyParam::ApplicationData(v)
137 | KeyParam::AttestationChallenge(v)
138 | KeyParam::AttestationApplicationId(v)
139 | KeyParam::AttestationIdBrand(v)
140 | KeyParam::AttestationIdDevice(v)
141 | KeyParam::AttestationIdProduct(v)
142 | KeyParam::AttestationIdSerial(v)
143 | KeyParam::AttestationIdImei(v)
144 | KeyParam::AttestationIdSecondImei(v)
145 | KeyParam::AttestationIdMeid(v)
146 | KeyParam::AttestationIdManufacturer(v)
147 | KeyParam::AttestationIdModel(v)
148 | KeyParam::Nonce(v)
149 | KeyParam::RootOfTrust(v)
150 | KeyParam::CertificateSerial(v)
151 | KeyParam::CertificateSubject(v)
152 | KeyParam::ModuleHash(v) => {
153 result.try_extend_from_slice(v)?;
154 blob_size += v.len() as u32;
155 }
156 _ => {}
157 }
158 }
159 // Go back and fill in the combined blob length in native order at the start.
160 result[..4].clone_from_slice(&blob_size.to_ne_bytes());
161
162 result.try_extend_from_slice(&(params.len() as u32).to_ne_bytes())?;
163
164 let params_size_offset = result.len();
165 result.try_extend_from_slice(&[0u8; 4])?; // placeholder for size of elements
166 let first_param_offset = result.len();
167 let mut blob_offset = 0u32;
168 for param in params {
169 result.try_extend_from_slice(&(param.tag() as u32).to_ne_bytes())?;
170 match ¶m {
171 // Enum-holding variants.
172 KeyParam::Purpose(v) => result.try_extend_from_slice(&(*v as u32).to_ne_bytes())?,
173 KeyParam::Algorithm(v) => result.try_extend_from_slice(&(*v as u32).to_ne_bytes())?,
174 KeyParam::BlockMode(v) => result.try_extend_from_slice(&(*v as u32).to_ne_bytes())?,
175 KeyParam::Digest(v) => result.try_extend_from_slice(&(*v as u32).to_ne_bytes())?,
176 KeyParam::Padding(v) => result.try_extend_from_slice(&(*v as u32).to_ne_bytes())?,
177 KeyParam::EcCurve(v) => result.try_extend_from_slice(&(*v as u32).to_ne_bytes())?,
178 KeyParam::RsaOaepMgfDigest(v) => {
179 result.try_extend_from_slice(&(*v as u32).to_ne_bytes())?
180 }
181 KeyParam::Origin(v) => result.try_extend_from_slice(&(*v as u32).to_ne_bytes())?,
182
183 // `u32`-holding variants.
184 KeyParam::KeySize(v) => result.try_extend_from_slice(&(v.0).to_ne_bytes())?,
185 KeyParam::MinMacLength(v)
186 | KeyParam::MaxUsesPerBoot(v)
187 | KeyParam::UsageCountLimit(v)
188 | KeyParam::UserId(v)
189 | KeyParam::UserAuthType(v)
190 | KeyParam::AuthTimeout(v)
191 | KeyParam::OsVersion(v)
192 | KeyParam::OsPatchlevel(v)
193 | KeyParam::VendorPatchlevel(v)
194 | KeyParam::BootPatchlevel(v)
195 | KeyParam::MacLength(v)
196 | KeyParam::MaxBootLevel(v) => result.try_extend_from_slice(&v.to_ne_bytes())?,
197
198 // `u64`-holding variants.
199 KeyParam::RsaPublicExponent(v) => result.try_extend_from_slice(&(v.0).to_ne_bytes())?,
200 KeyParam::UserSecureId(v) => result.try_extend_from_slice(&(*v).to_ne_bytes())?,
201
202 // `true`-holding variants.
203 KeyParam::CallerNonce
204 | KeyParam::IncludeUniqueId
205 | KeyParam::BootloaderOnly
206 | KeyParam::RollbackResistance
207 | KeyParam::EarlyBootOnly
208 | KeyParam::AllowWhileOnBody
209 | KeyParam::NoAuthRequired
210 | KeyParam::TrustedUserPresenceRequired
211 | KeyParam::TrustedConfirmationRequired
212 | KeyParam::UnlockedDeviceRequired
213 | KeyParam::DeviceUniqueAttestation
214 | KeyParam::StorageKey
215 | KeyParam::ResetSinceIdRotation => result.try_push(0x01u8)?,
216
217 // `DateTime`-holding variants.
218 KeyParam::ActiveDatetime(v)
219 | KeyParam::OriginationExpireDatetime(v)
220 | KeyParam::UsageExpireDatetime(v)
221 | KeyParam::CreationDatetime(v)
222 | KeyParam::CertificateNotBefore(v)
223 | KeyParam::CertificateNotAfter(v) => {
224 result.try_extend_from_slice(&(v.ms_since_epoch as u64).to_ne_bytes())?
225 }
226
227 // `Vec<u8>`-holding variants.
228 KeyParam::ApplicationId(v)
229 | KeyParam::ApplicationData(v)
230 | KeyParam::AttestationChallenge(v)
231 | KeyParam::AttestationApplicationId(v)
232 | KeyParam::AttestationIdBrand(v)
233 | KeyParam::AttestationIdDevice(v)
234 | KeyParam::AttestationIdProduct(v)
235 | KeyParam::AttestationIdSerial(v)
236 | KeyParam::AttestationIdImei(v)
237 | KeyParam::AttestationIdSecondImei(v)
238 | KeyParam::AttestationIdMeid(v)
239 | KeyParam::AttestationIdManufacturer(v)
240 | KeyParam::AttestationIdModel(v)
241 | KeyParam::Nonce(v)
242 | KeyParam::RootOfTrust(v)
243 | KeyParam::CertificateSerial(v)
244 | KeyParam::CertificateSubject(v)
245 | KeyParam::ModuleHash(v) => {
246 let blob_len = v.len() as u32;
247 result.try_extend_from_slice(&blob_len.to_ne_bytes())?;
248 result.try_extend_from_slice(&blob_offset.to_ne_bytes())?;
249 blob_offset += blob_len;
250 }
251 }
252 }
253 let serialized_size = (result.len() - first_param_offset) as u32;
254
255 // Go back and fill in the total serialized size.
256 result[params_size_offset..params_size_offset + 4]
257 .clone_from_slice(&serialized_size.to_ne_bytes());
258 Ok(result)
259 }
260
261 /// Retrieve the contents of a tag of `TagType::Bytes`. The `data` parameter holds
262 /// the as-yet unparsed data, and a length and offset are read from this (and consumed).
263 /// This length and offset refer to a location in the combined `blob_data`; however,
264 /// the offset is expected to be the next unconsumed chunk of `blob_data`, as indicated
265 /// by `next_blob_offset` (which itself is updated as a result of consuming the data).
consume_blob( data: &mut &[u8], next_blob_offset: &mut usize, blob_data: &[u8], ) -> Result<Vec<u8>, Error>266 fn consume_blob(
267 data: &mut &[u8],
268 next_blob_offset: &mut usize,
269 blob_data: &[u8],
270 ) -> Result<Vec<u8>, Error> {
271 let data_len = consume_u32(data)? as usize;
272 let data_offset = consume_u32(data)? as usize;
273 // Expect the blob data to come from the next offset in the initial blob chunk.
274 if data_offset != *next_blob_offset {
275 return Err(km_err!(
276 InvalidKeyBlob,
277 "got blob offset {} instead of {}",
278 data_offset,
279 next_blob_offset
280 ));
281 }
282 if (data_offset + data_len) > blob_data.len() {
283 return Err(km_err!(
284 InvalidKeyBlob,
285 "blob at offset [{}..{}+{}] goes beyond blob data size {}",
286 data_offset,
287 data_offset,
288 data_len,
289 blob_data.len(),
290 ));
291 }
292
293 let slice = &blob_data[data_offset..data_offset + data_len];
294 *next_blob_offset += data_len;
295 try_to_vec(slice)
296 }
297
298 /// Deserialize a collection of [`KeyParam`]s in legacy serialized format. The provided slice is
299 /// modified to contain the unconsumed part of the data.
deserialize(data: &mut &[u8]) -> Result<Vec<KeyParam>, Error>300 pub fn deserialize(data: &mut &[u8]) -> Result<Vec<KeyParam>, Error> {
301 let blob_data_size = consume_u32(data)? as usize;
302
303 let blob_data = &data[..blob_data_size];
304 let mut next_blob_offset = 0;
305
306 // Move past the blob data.
307 *data = &data[blob_data_size..];
308
309 let param_count = consume_u32(data)? as usize;
310 let param_size = consume_u32(data)? as usize;
311 if param_size > data.len() {
312 return Err(km_err!(
313 InvalidKeyBlob,
314 "size mismatch 4+{}+4+4+{} > {}",
315 blob_data_size,
316 param_size,
317 data.len()
318 ));
319 }
320
321 let mut results = vec_try_with_capacity!(param_count)?;
322 for _i in 0..param_count {
323 let tag_num = consume_u32(data)? as i32;
324 let tag = <Tag>::try_from(tag_num)
325 .map_err(|_e| km_err!(InvalidKeyBlob, "unknown tag {} encountered", tag_num))?;
326 let enum_err = |_e| km_err!(InvalidKeyBlob, "unknown enum value for {:?}", tag);
327 results.try_push(match tag {
328 // Enum-holding variants.
329 Tag::Purpose => {
330 KeyParam::Purpose(<KeyPurpose>::try_from(consume_i32(data)?).map_err(enum_err)?)
331 }
332 Tag::Algorithm => {
333 KeyParam::Algorithm(<Algorithm>::try_from(consume_i32(data)?).map_err(enum_err)?)
334 }
335 Tag::BlockMode => {
336 KeyParam::BlockMode(<BlockMode>::try_from(consume_i32(data)?).map_err(enum_err)?)
337 }
338 Tag::Digest => {
339 KeyParam::Digest(<Digest>::try_from(consume_i32(data)?).map_err(enum_err)?)
340 }
341 Tag::Padding => {
342 KeyParam::Padding(<PaddingMode>::try_from(consume_i32(data)?).map_err(enum_err)?)
343 }
344 Tag::EcCurve => {
345 KeyParam::EcCurve(<EcCurve>::try_from(consume_i32(data)?).map_err(enum_err)?)
346 }
347 Tag::RsaOaepMgfDigest => KeyParam::RsaOaepMgfDigest(
348 <Digest>::try_from(consume_i32(data)?).map_err(enum_err)?,
349 ),
350 Tag::Origin => {
351 KeyParam::Origin(<KeyOrigin>::try_from(consume_i32(data)?).map_err(enum_err)?)
352 }
353
354 // `u32`-holding variants.
355 Tag::KeySize => KeyParam::KeySize(KeySizeInBits(consume_u32(data)?)),
356 Tag::MinMacLength => KeyParam::MinMacLength(consume_u32(data)?),
357 Tag::MaxUsesPerBoot => KeyParam::MaxUsesPerBoot(consume_u32(data)?),
358 Tag::UsageCountLimit => KeyParam::UsageCountLimit(consume_u32(data)?),
359 Tag::UserId => KeyParam::UserId(consume_u32(data)?),
360 Tag::UserAuthType => KeyParam::UserAuthType(consume_u32(data)?),
361 Tag::AuthTimeout => KeyParam::AuthTimeout(consume_u32(data)?),
362 Tag::OsVersion => KeyParam::OsVersion(consume_u32(data)?),
363 Tag::OsPatchlevel => KeyParam::OsPatchlevel(consume_u32(data)?),
364 Tag::VendorPatchlevel => KeyParam::VendorPatchlevel(consume_u32(data)?),
365 Tag::BootPatchlevel => KeyParam::BootPatchlevel(consume_u32(data)?),
366 Tag::MacLength => KeyParam::MacLength(consume_u32(data)?),
367 Tag::MaxBootLevel => KeyParam::MaxBootLevel(consume_u32(data)?),
368
369 // `u64`-holding variants.
370 Tag::RsaPublicExponent => KeyParam::RsaPublicExponent(RsaExponent(consume_u64(data)?)),
371 Tag::UserSecureId => KeyParam::UserSecureId(consume_u64(data)?),
372
373 // `true`-holding variants.
374 Tag::CallerNonce => {
375 consume_bool(data)?;
376 KeyParam::CallerNonce
377 }
378 Tag::IncludeUniqueId => {
379 consume_bool(data)?;
380 KeyParam::IncludeUniqueId
381 }
382 Tag::BootloaderOnly => {
383 consume_bool(data)?;
384 KeyParam::BootloaderOnly
385 }
386 Tag::RollbackResistance => {
387 consume_bool(data)?;
388 KeyParam::RollbackResistance
389 }
390 Tag::EarlyBootOnly => {
391 consume_bool(data)?;
392 KeyParam::EarlyBootOnly
393 }
394 Tag::AllowWhileOnBody => {
395 consume_bool(data)?;
396 KeyParam::AllowWhileOnBody
397 }
398 Tag::NoAuthRequired => {
399 consume_bool(data)?;
400 KeyParam::NoAuthRequired
401 }
402 Tag::TrustedUserPresenceRequired => {
403 consume_bool(data)?;
404 KeyParam::TrustedUserPresenceRequired
405 }
406 Tag::TrustedConfirmationRequired => {
407 consume_bool(data)?;
408 KeyParam::TrustedConfirmationRequired
409 }
410 Tag::UnlockedDeviceRequired => {
411 consume_bool(data)?;
412 KeyParam::UnlockedDeviceRequired
413 }
414 Tag::DeviceUniqueAttestation => {
415 consume_bool(data)?;
416 KeyParam::DeviceUniqueAttestation
417 }
418 Tag::StorageKey => {
419 consume_bool(data)?;
420 KeyParam::StorageKey
421 }
422 Tag::ResetSinceIdRotation => {
423 consume_bool(data)?;
424 KeyParam::ResetSinceIdRotation
425 }
426
427 // `DateTime`-holding variants.
428 Tag::ActiveDatetime => {
429 KeyParam::ActiveDatetime(DateTime { ms_since_epoch: consume_i64(data)? })
430 }
431 Tag::OriginationExpireDatetime => {
432 KeyParam::OriginationExpireDatetime(DateTime { ms_since_epoch: consume_i64(data)? })
433 }
434 Tag::UsageExpireDatetime => {
435 KeyParam::UsageExpireDatetime(DateTime { ms_since_epoch: consume_i64(data)? })
436 }
437 Tag::CreationDatetime => {
438 KeyParam::CreationDatetime(DateTime { ms_since_epoch: consume_i64(data)? })
439 }
440 Tag::CertificateNotBefore => {
441 KeyParam::CertificateNotBefore(DateTime { ms_since_epoch: consume_i64(data)? })
442 }
443 Tag::CertificateNotAfter => {
444 KeyParam::CertificateNotAfter(DateTime { ms_since_epoch: consume_i64(data)? })
445 }
446
447 // `Vec<u8>`-holding variants.
448 Tag::ApplicationId => {
449 KeyParam::ApplicationId(consume_blob(data, &mut next_blob_offset, blob_data)?)
450 }
451 Tag::ApplicationData => {
452 KeyParam::ApplicationData(consume_blob(data, &mut next_blob_offset, blob_data)?)
453 }
454 Tag::AttestationChallenge => KeyParam::AttestationChallenge(consume_blob(
455 data,
456 &mut next_blob_offset,
457 blob_data,
458 )?),
459 Tag::AttestationApplicationId => KeyParam::AttestationApplicationId(consume_blob(
460 data,
461 &mut next_blob_offset,
462 blob_data,
463 )?),
464 Tag::AttestationIdBrand => {
465 KeyParam::AttestationIdBrand(consume_blob(data, &mut next_blob_offset, blob_data)?)
466 }
467 Tag::AttestationIdDevice => {
468 KeyParam::AttestationIdDevice(consume_blob(data, &mut next_blob_offset, blob_data)?)
469 }
470 Tag::AttestationIdProduct => KeyParam::AttestationIdProduct(consume_blob(
471 data,
472 &mut next_blob_offset,
473 blob_data,
474 )?),
475 Tag::AttestationIdSerial => {
476 KeyParam::AttestationIdSerial(consume_blob(data, &mut next_blob_offset, blob_data)?)
477 }
478 Tag::AttestationIdImei => {
479 KeyParam::AttestationIdImei(consume_blob(data, &mut next_blob_offset, blob_data)?)
480 }
481 Tag::AttestationIdSecondImei => KeyParam::AttestationIdSecondImei(consume_blob(
482 data,
483 &mut next_blob_offset,
484 blob_data,
485 )?),
486 Tag::AttestationIdMeid => {
487 KeyParam::AttestationIdMeid(consume_blob(data, &mut next_blob_offset, blob_data)?)
488 }
489 Tag::AttestationIdManufacturer => KeyParam::AttestationIdManufacturer(consume_blob(
490 data,
491 &mut next_blob_offset,
492 blob_data,
493 )?),
494 Tag::AttestationIdModel => {
495 KeyParam::AttestationIdModel(consume_blob(data, &mut next_blob_offset, blob_data)?)
496 }
497 Tag::Nonce => KeyParam::Nonce(consume_blob(data, &mut next_blob_offset, blob_data)?),
498 Tag::RootOfTrust => {
499 KeyParam::RootOfTrust(consume_blob(data, &mut next_blob_offset, blob_data)?)
500 }
501 Tag::CertificateSerial => {
502 KeyParam::CertificateSerial(consume_blob(data, &mut next_blob_offset, blob_data)?)
503 }
504 Tag::CertificateSubject => {
505 KeyParam::CertificateSubject(consume_blob(data, &mut next_blob_offset, blob_data)?)
506 }
507 Tag::ModuleHash => {
508 KeyParam::ModuleHash(consume_blob(data, &mut next_blob_offset, blob_data)?)
509 }
510 // Invalid variants.
511 Tag::Invalid
512 | Tag::HardwareType
513 | Tag::MinSecondsBetweenOps
514 | Tag::UniqueId
515 | Tag::IdentityCredentialKey
516 | Tag::AssociatedData
517 | Tag::ConfirmationToken => {
518 return Err(km_err!(InvalidKeyBlob, "invalid tag {:?} encountered", tag));
519 }
520 })?;
521 }
522
523 Ok(results)
524 }
525
526 /// Determine ordering of two [`KeyParam`] values for legacy key blob ordering.
527 /// Invalid parameters are likely to compare equal.
param_compare(left: &KeyParam, right: &KeyParam) -> Ordering528 pub fn param_compare(left: &KeyParam, right: &KeyParam) -> Ordering {
529 match (left, right) {
530 (KeyParam::Purpose(l), KeyParam::Purpose(r)) => l.cmp(r),
531 (KeyParam::Algorithm(l), KeyParam::Algorithm(r)) => l.cmp(r),
532 (KeyParam::KeySize(l), KeyParam::KeySize(r)) => l.cmp(r),
533 (KeyParam::BlockMode(l), KeyParam::BlockMode(r)) => l.cmp(r),
534 (KeyParam::Digest(l), KeyParam::Digest(r)) => l.cmp(r),
535 (KeyParam::Padding(l), KeyParam::Padding(r)) => l.cmp(r),
536 (KeyParam::CallerNonce, KeyParam::CallerNonce) => Ordering::Equal,
537 (KeyParam::MinMacLength(l), KeyParam::MinMacLength(r)) => l.cmp(r),
538 (KeyParam::EcCurve(l), KeyParam::EcCurve(r)) => l.cmp(r),
539 (KeyParam::RsaPublicExponent(l), KeyParam::RsaPublicExponent(r)) => l.cmp(r),
540 (KeyParam::IncludeUniqueId, KeyParam::IncludeUniqueId) => Ordering::Equal,
541 (KeyParam::RsaOaepMgfDigest(l), KeyParam::RsaOaepMgfDigest(r)) => l.cmp(r),
542 (KeyParam::BootloaderOnly, KeyParam::BootloaderOnly) => Ordering::Equal,
543 (KeyParam::RollbackResistance, KeyParam::RollbackResistance) => Ordering::Equal,
544 (KeyParam::EarlyBootOnly, KeyParam::EarlyBootOnly) => Ordering::Equal,
545 (KeyParam::ActiveDatetime(l), KeyParam::ActiveDatetime(r)) => l.cmp(r),
546 (KeyParam::OriginationExpireDatetime(l), KeyParam::OriginationExpireDatetime(r)) => {
547 l.cmp(r)
548 }
549 (KeyParam::UsageExpireDatetime(l), KeyParam::UsageExpireDatetime(r)) => l.cmp(r),
550 (KeyParam::MaxUsesPerBoot(l), KeyParam::MaxUsesPerBoot(r)) => l.cmp(r),
551 (KeyParam::UsageCountLimit(l), KeyParam::UsageCountLimit(r)) => l.cmp(r),
552 (KeyParam::UserId(l), KeyParam::UserId(r)) => l.cmp(r),
553 (KeyParam::UserSecureId(l), KeyParam::UserSecureId(r)) => l.cmp(r),
554 (KeyParam::NoAuthRequired, KeyParam::NoAuthRequired) => Ordering::Equal,
555 (KeyParam::UserAuthType(l), KeyParam::UserAuthType(r)) => l.cmp(r),
556 (KeyParam::AuthTimeout(l), KeyParam::AuthTimeout(r)) => l.cmp(r),
557 (KeyParam::AllowWhileOnBody, KeyParam::AllowWhileOnBody) => Ordering::Equal,
558 (KeyParam::TrustedUserPresenceRequired, KeyParam::TrustedUserPresenceRequired) => {
559 Ordering::Equal
560 }
561 (KeyParam::TrustedConfirmationRequired, KeyParam::TrustedConfirmationRequired) => {
562 Ordering::Equal
563 }
564 (KeyParam::UnlockedDeviceRequired, KeyParam::UnlockedDeviceRequired) => Ordering::Equal,
565 (KeyParam::ApplicationId(l), KeyParam::ApplicationId(r)) => l.cmp(r),
566 (KeyParam::ApplicationData(l), KeyParam::ApplicationData(r)) => l.cmp(r),
567 (KeyParam::CreationDatetime(l), KeyParam::CreationDatetime(r)) => l.cmp(r),
568 (KeyParam::Origin(l), KeyParam::Origin(r)) => l.cmp(r),
569 (KeyParam::RootOfTrust(l), KeyParam::RootOfTrust(r)) => l.cmp(r),
570 (KeyParam::OsVersion(l), KeyParam::OsVersion(r)) => l.cmp(r),
571 (KeyParam::OsPatchlevel(l), KeyParam::OsPatchlevel(r)) => l.cmp(r),
572 (KeyParam::AttestationChallenge(l), KeyParam::AttestationChallenge(r)) => l.cmp(r),
573 (KeyParam::AttestationApplicationId(l), KeyParam::AttestationApplicationId(r)) => l.cmp(r),
574 (KeyParam::AttestationIdBrand(l), KeyParam::AttestationIdBrand(r)) => l.cmp(r),
575 (KeyParam::AttestationIdDevice(l), KeyParam::AttestationIdDevice(r)) => l.cmp(r),
576 (KeyParam::AttestationIdProduct(l), KeyParam::AttestationIdProduct(r)) => l.cmp(r),
577 (KeyParam::AttestationIdSerial(l), KeyParam::AttestationIdSerial(r)) => l.cmp(r),
578 (KeyParam::AttestationIdImei(l), KeyParam::AttestationIdImei(r)) => l.cmp(r),
579 (KeyParam::AttestationIdSecondImei(l), KeyParam::AttestationIdSecondImei(r)) => l.cmp(r),
580 (KeyParam::AttestationIdMeid(l), KeyParam::AttestationIdMeid(r)) => l.cmp(r),
581 (KeyParam::AttestationIdManufacturer(l), KeyParam::AttestationIdManufacturer(r)) => {
582 l.cmp(r)
583 }
584 (KeyParam::AttestationIdModel(l), KeyParam::AttestationIdModel(r)) => l.cmp(r),
585 (KeyParam::VendorPatchlevel(l), KeyParam::VendorPatchlevel(r)) => l.cmp(r),
586 (KeyParam::BootPatchlevel(l), KeyParam::BootPatchlevel(r)) => l.cmp(r),
587 (KeyParam::DeviceUniqueAttestation, KeyParam::DeviceUniqueAttestation) => Ordering::Equal,
588 (KeyParam::StorageKey, KeyParam::StorageKey) => Ordering::Equal,
589 (KeyParam::Nonce(l), KeyParam::Nonce(r)) => l.cmp(r),
590 (KeyParam::MacLength(l), KeyParam::MacLength(r)) => l.cmp(r),
591 (KeyParam::ResetSinceIdRotation, KeyParam::ResetSinceIdRotation) => Ordering::Equal,
592 (KeyParam::CertificateSerial(l), KeyParam::CertificateSerial(r)) => l.cmp(r),
593 (KeyParam::CertificateSubject(l), KeyParam::CertificateSubject(r)) => l.cmp(r),
594 (KeyParam::CertificateNotBefore(l), KeyParam::CertificateNotBefore(r)) => l.cmp(r),
595 (KeyParam::CertificateNotAfter(l), KeyParam::CertificateNotAfter(r)) => l.cmp(r),
596 (KeyParam::MaxBootLevel(l), KeyParam::MaxBootLevel(r)) => l.cmp(r),
597 (KeyParam::ModuleHash(l), KeyParam::ModuleHash(r)) => l.cmp(r),
598
599 (left, right) => left.tag().cmp(&right.tag()),
600 }
601 }
602