AuthorizationList

data class AuthorizationList(val purpose: Set<AttestationValue<AuthorizationList.KeyPurpose>>? = null, val algorithm: AttestationValue<AuthorizationList.Algorithm>? = null, val keySize: AttestationValue<AuthorizationList.KeySize>? = null, val digest: Set<AttestationValue<AuthorizationList.Digest>>? = null, val padding: Set<AttestationValue<AuthorizationList.Padding>>? = null, val ecCurve: AttestationValue<AuthorizationList.ECCurve>? = null, val rsaPublicExponent: AttestationValue<AuthorizationList.RsaPublicExponent>? = null, val mgfDigest: Set<AttestationValue<AuthorizationList.MgfDigest>>? = null, val rollbackResistance: AttestationValue<AuthorizationList.RollbackResistance>? = null, val earlyBootOnly: AttestationValue<AuthorizationList.EarlyBootOnly>? = null, val activeDateTime: AttestationValue<AuthorizationList.ActiveDateTime>? = null, val originationExpireDateTime: AttestationValue<AuthorizationList.OriginationExpireDateTime>? = null, val usageExpireDateTime: AttestationValue<AuthorizationList.UsageExpireDateTime>? = null, val usageCountLimit: AttestationValue<AuthorizationList.UsageCountLimit>? = null, val noAuthRequired: AttestationValue<AuthorizationList.NoAuthRequired>? = null, val userAuthType: AttestationValue<AuthorizationList.UserAuthType>? = null, val authTimeout: AttestationValue<AuthorizationList.AuthTimeout>? = null, val allowWhileOnBody: AttestationValue<AuthorizationList.AllowWhileOnBody>? = null, val trustedUserPresenceRequired: AttestationValue<AuthorizationList.TrustedUserPresenceRequired>? = null, val trustedConfirmationRequired: AttestationValue<AuthorizationList.TrustedConfirmationRequired>? = null, val unlockedDeviceRequired: AttestationValue<AuthorizationList.UnlockedDeviceRequired>? = null, val allApplications: AttestationValue<AuthorizationList.AllApplications>? = null, val creationDateTime: AttestationValue<AuthorizationList.CreationDateTime>? = null, val origin: AttestationValue<AuthorizationList.Origin>? = null, val rollbackResistant: AttestationValue<AuthorizationList.RollbackResistent>? = null, val rootOfTrust: AttestationValue<AuthorizationList.RootOfTrust>? = null, val osVersion: AttestationValue<AuthorizationList.OsVersion>? = null, val osPatchLevel: AttestationValue<AuthorizationList.OsPatchLevel>? = null, val attestationApplicationId: AttestationValue<AuthorizationList.AttestationApplicationId>? = null, val attestationIdBrand: AttestationValue<AuthorizationList.AttestationId.Brand>? = null, val attestationIdDevice: AttestationValue<AuthorizationList.AttestationId.Device>? = null, val attestationIdProduct: AttestationValue<AuthorizationList.AttestationId.Product>? = null, val attestationIdSerial: AttestationValue<AuthorizationList.AttestationId.Serial>? = null, val attestationIdImei: AttestationValue<AuthorizationList.AttestationId.Imei>? = null, val attestationIdMeid: AttestationValue<AuthorizationList.AttestationId.Meid>? = null, val attestationIdManufacturer: AttestationValue<AuthorizationList.AttestationId.Manufacturer>? = null, val attestationIdModel: AttestationValue<AuthorizationList.AttestationId.Model>? = null, val vendorPatchLevel: AttestationValue<AuthorizationList.PatchLevel.Vendor>? = null, val bootPatchLevel: AttestationValue<AuthorizationList.PatchLevel.Boot>? = null, val deviceUniqueAttestation: AttestationValue<AuthorizationList.DeviceUniqueAttestation>? = null, val attestationIdSecondImei: AttestationValue<AuthorizationList.AttestationId.SecondImei>? = null, val moduleHash: AttestationValue<AuthorizationList.ModuleHash>? = null, val attestationVersion: Int? = null) : Asn1Encodable<Asn1Sequence> , PrettyPrintable

Intro

Authorization List ASN.1 sequence as defined by Google, with enum values as in the KeyMint definitions. This is the meat of the AttestationKeyDescription attestation certificate extension. It is also used for secure key import.

Every value is nullable because two authorization lists are present in an attestation extension: one for software-enforced values and one for hardware-enforced values. The actual values are scattered across both instances.

On Parsing

Parsing is lenient: if a value fails to parse, it is set to null. In practice, you won't care whether a value is structurally illegal or absent:

  • If you want to enforce it, it must be present and structurally valid, and it must fulfil your constraints.

  • If you don't care about it, you don't care whether it is present, invalid, or absent altogether.

If you still want to inspect the raw value, take the raw ASN.1 sequence from the certificate extension and fetch the element carrying the explicit tag that denotes said value.

Structural Properties and Design Decisions

Structurally, this data structure follows the ASN.1 schema exactly, meaning that it is a 1:1 mapping of the underlying ASN.1 structure. This has both advantages and disadvantages. The main disadvantage is that it is a bit cumbersome to use. The benefits far outweigh the shortcomings of this approach, though:

  • Just check the schema and you know what's what. That also means there are no booleans: an object standing for true or false is simply either present or absent.

  • Re-encoding produces the exact same ASN.1 structure that was parsed, byte-for-byte!

  • Creating attestation statements for testing, fun, profit, or malicious intentions is a no-brainer: just follow the schema and set values!
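The parsing rules and the structural properties above, as an added example that is not part of the library documented on this page (which is Kotlin): a small, self-contained Python DER walker that decodes a constructed hardware-enforced AuthorizationList carrying a handful of the real entries (algorithm [2], noAuthRequired [503], origin [702], rootOfTrust [704], osPatchLevel [706]; tag numbers and enum values as in Google's attestation schema and keymaster_defs.h), turns a malformed entry into None exactly as it would an absent one, enforces a policy in which absent and invalid fail alike, exposes the raw EXPLICIT-tagged value for manual digging, and re-encodes the decoded structure byte-for-byte. All function names and the sample bytes are this example's own.

```python
# Added example, not code from the documented library: a minimal DER walker that handles an
# Android key-attestation AuthorizationList the way the page describes it. Tag numbers and
# enum values are Google's (attestation schema / keymaster_defs); sample bytes are constructed.

def _len(n):                                       # DER length, short or long form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
def _tag(cls, constructed, number):                # incl. high-tag-number (base-128) form
    first = cls | (0x20 if constructed else 0)
    if number < 31: return bytes([first | number])
    septets = []
    while number: septets.append(number & 0x7F); number >>= 7
    return bytes([first | 0x1F] + [s | 0x80 for s in septets[:0:-1]] + [septets[0]])
def tlv(cls, constructed, number, value): return _tag(cls, constructed, number) + _len(len(value)) + value
def _uint(v): return v.to_bytes(v.bit_length() // 8 + 1, "big")      # minimal, sign bit clear
def der_int(v): return tlv(0, False, 2, _uint(v))
def der_enum(v): return tlv(0, False, 10, _uint(v))
def der_bool(b): return tlv(0, False, 1, b"\xff" if b else b"\x00")
def der_null(): return tlv(0, False, 5, b"")
def der_octets(b): return tlv(0, False, 4, b)
def der_seq(*items): return tlv(0, True, 16, b"".join(items))
def explicit(number, inner): return tlv(0x80, True, number, inner)   # [number] EXPLICIT wrapper

def read_tlv(buf, pos=0):
    """(class, constructed, number, value, end) of the TLV at pos; raises if truncated."""
    first = buf[pos]; pos += 1
    cls, constructed, number = first & 0xC0, bool(first & 0x20), first & 0x1F
    if number == 0x1F:                             # high-tag-number form: base 128, continuation bit
        number = 0
        while (b := buf[pos]) & 0x80: number = (number << 7) | (b & 0x7F); pos += 1
        number = (number << 7) | b; pos += 1
    length = buf[pos]; pos += 1
    if length & 0x80:
        n = length & 0x7F; length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    if pos + length > len(buf): raise ValueError("truncated TLV")
    return cls, constructed, number, buf[pos:pos + length], pos + length
def children(buf):                                 # all TLVs inside a constructed value
    out, pos = [], 0
    while pos < len(buf):
        *elem, pos = read_tlv(buf, pos); out.append(tuple(elem))
    return out
def single(buf):                                   # exactly one TLV and nothing after it
    *elem, end = read_tlv(buf)
    if end != len(buf): raise ValueError("trailing bytes")
    return tuple(elem)

def _prim(e, number):                              # decoders raise on anything structurally off
    if e[:3] != (0, False, number): raise ValueError(f"expected UNIVERSAL {number}")
    return e[3]
def as_int(e, number=2):                           # number=10 reads an ENUMERATED
    v = _prim(e, number)
    if not v: raise ValueError("empty INTEGER")
    return int.from_bytes(v, "big", signed=True)
def as_bool(e):
    v = _prim(e, 1); return v == b"\xff" if v in (b"\x00", b"\xff") else _bad("non-DER BOOLEAN")
def _bad(msg): raise ValueError(msg)
def as_null(e):
    if _prim(e, 5): raise ValueError("NULL with content")
    return True                                    # presence *is* the boolean
def as_root_of_trust(e):
    if e[:3] != (0, True, 16): raise ValueError("expected SEQUENCE")
    p = children(e[3])
    if len(p) not in (3, 4): raise ValueError("RootOfTrust arity")
    return {"verifiedBootKey": _prim(p[0], 4), "deviceLocked": as_bool(p[1]), "verifiedBootState": as_int(p[2], 10),
            "verifiedBootHash": _prim(p[3], 4) if len(p) == 4 else None}

TAGS = {2: ("algorithm", as_int), 503: ("noAuthRequired", as_null), 702: ("origin", as_int),
        704: ("rootOfTrust", as_root_of_trust), 706: ("osPatchLevel", as_int)}
def parse_authorization_list(der):
    """Lenient: an entry whose inner value is malformed ends up None, exactly like an absent one."""
    seq = single(der)
    if seq[:3] != (0, True, 16): raise ValueError("AuthorizationList must be a SEQUENCE")
    out = {name: None for name, _ in TAGS.values()}
    for cls, constructed, n, v in children(seq[3]):
        if (cls, constructed) != (0x80, True) or n not in TAGS: continue   # unknown entries are skipped
        name, decode = TAGS[n]
        try: out[name] = decode(single(v))
        except (ValueError, IndexError): out[name] = None
    return out
def raw_value(der, number):                        # inner DER of EXPLICIT [number], for manual digging
    return next((v for c, k, n, v in children(single(der)[3]) if (c, k, n) == (0x80, True, number)), None)

EC, GENERATED, VERIFIED = 3, 0, 0                  # keymaster Algorithm / Origin / VerifiedBootState values
def violations(hw, min_patch=202401):
    """Enforced values must be present *and* valid: None fails exactly like a wrong value."""
    bad = [k for k, want in (("algorithm", EC), ("origin", GENERATED)) if hw[k] != want]
    rot = hw["rootOfTrust"]
    if rot is None or not rot["deviceLocked"] or rot["verifiedBootState"] != VERIFIED: bad.append("rootOfTrust")
    if hw["osPatchLevel"] is None or hw["osPatchLevel"] < min_patch: bad.append("osPatchLevel")
    return bad
def encode_authorization_list(values):
    """Follow the schema (ascending tag order, None omitted); re-encodes a parsed list byte-for-byte."""
    enc = {"algorithm": der_int, "origin": der_int, "osPatchLevel": der_int, "noAuthRequired": lambda _: der_null(),
           "rootOfTrust": lambda r: der_seq(der_octets(r["verifiedBootKey"]), der_bool(r["deviceLocked"]),
                 der_enum(r["verifiedBootState"]), *(der_octets(h) for h in [r["verifiedBootHash"]] if h is not None))}
    return der_seq(*(explicit(n, enc[name](values[name])) for n, (name, _) in sorted(TAGS.items())
                     if values.get(name) is not None))

# Constructed sample entries: EC key generated in hardware, no auth, locked device, verified boot.
ENTRIES = [explicit(2, der_int(EC)), explicit(503, der_null()), explicit(702, der_int(GENERATED)),
           explicit(704, der_seq(der_octets(b"\x11" * 32), der_bool(True), der_enum(VERIFIED), der_octets(b"\x22" * 32)))]
SAMPLE_HW = der_seq(*ENTRIES, explicit(706, der_int(202401)))                 # patch level 2024-01
BROKEN_HW = der_seq(*ENTRIES, explicit(706, der_octets(b"2024-01")))          # OCTET STRING where INTEGER belongs
```

Two caveats worth keeping in mind when porting this idea: leniency is per entry, so a list whose outer framing is broken (wrong SEQUENCE length, truncated entry) still raises rather than yielding nulls; and a policy check on the decoded values is only meaningful once the extension has been taken from a certificate whose chain has been validated up to the attestation root, which is outside this walker.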

Closing Remarks

Note that the values found in header files such as the one below conform with (and are presumably autogenerated from) the AIDL files: https://android.googlesource.com/platform/hardware/libhardware/+/refs/heads/main/include_all/hardware/keymaster_defs.h

Also note that some online sources do not match the specified ASN.1 values (in the following one, PKCS7 has the value 65 instead of 64): https://android.googlesource.com/platform/frameworks/base/+blame/45ff13e/core/java/android/security/keymaster/KeymasterDefs.java

Constructors

constructor(purpose: Set<AttestationValue<AuthorizationList.KeyPurpose>>? = null, algorithm: AttestationValue<AuthorizationList.Algorithm>? = null, keySize: AttestationValue<AuthorizationList.KeySize>? = null, digest: Set<AttestationValue<AuthorizationList.Digest>>? = null, padding: Set<AttestationValue<AuthorizationList.Padding>>? = null, ecCurve: AttestationValue<AuthorizationList.ECCurve>? = null, rsaPublicExponent: AttestationValue<AuthorizationList.RsaPublicExponent>? = null, mgfDigest: Set<AttestationValue<AuthorizationList.MgfDigest>>? = null, rollbackResistance: AttestationValue<AuthorizationList.RollbackResistance>? = null, earlyBootOnly: AttestationValue<AuthorizationList.EarlyBootOnly>? = null, activeDateTime: AttestationValue<AuthorizationList.ActiveDateTime>? = null, originationExpireDateTime: AttestationValue<AuthorizationList.OriginationExpireDateTime>? = null, usageExpireDateTime: AttestationValue<AuthorizationList.UsageExpireDateTime>? = null, usageCountLimit: AttestationValue<AuthorizationList.UsageCountLimit>? = null, noAuthRequired: AttestationValue<AuthorizationList.NoAuthRequired>? = null, userAuthType: AttestationValue<AuthorizationList.UserAuthType>? = null, authTimeout: AttestationValue<AuthorizationList.AuthTimeout>? = null, allowWhileOnBody: AttestationValue<AuthorizationList.AllowWhileOnBody>? = null, trustedUserPresenceRequired: AttestationValue<AuthorizationList.TrustedUserPresenceRequired>? = null, trustedConfirmationRequired: AttestationValue<AuthorizationList.TrustedConfirmationRequired>? = null, unlockedDeviceRequired: AttestationValue<AuthorizationList.UnlockedDeviceRequired>? = null, allApplications: AttestationValue<AuthorizationList.AllApplications>? = null, creationDateTime: AttestationValue<AuthorizationList.CreationDateTime>? = null, origin: AttestationValue<AuthorizationList.Origin>? = null, rollbackResistant: AttestationValue<AuthorizationList.RollbackResistent>? = null, rootOfTrust: AttestationValue<AuthorizationList.RootOfTrust>? = null, osVersion: AttestationValue<AuthorizationList.OsVersion>? = null, osPatchLevel: AttestationValue<AuthorizationList.OsPatchLevel>? = null, attestationApplicationId: AttestationValue<AuthorizationList.AttestationApplicationId>? = null, attestationIdBrand: AttestationValue<AuthorizationList.AttestationId.Brand>? = null, attestationIdDevice: AttestationValue<AuthorizationList.AttestationId.Device>? = null, attestationIdProduct: AttestationValue<AuthorizationList.AttestationId.Product>? = null, attestationIdSerial: AttestationValue<AuthorizationList.AttestationId.Serial>? = null, attestationIdImei: AttestationValue<AuthorizationList.AttestationId.Imei>? = null, attestationIdMeid: AttestationValue<AuthorizationList.AttestationId.Meid>? = null, attestationIdManufacturer: AttestationValue<AuthorizationList.AttestationId.Manufacturer>? = null, attestationIdModel: AttestationValue<AuthorizationList.AttestationId.Model>? = null, vendorPatchLevel: AttestationValue<AuthorizationList.PatchLevel.Vendor>? = null, bootPatchLevel: AttestationValue<AuthorizationList.PatchLevel.Boot>? = null, deviceUniqueAttestation: AttestationValue<AuthorizationList.DeviceUniqueAttestation>? = null, attestationIdSecondImei: AttestationValue<AuthorizationList.AttestationId.SecondImei>? = null, moduleHash: AttestationValue<AuthorizationList.ModuleHash>? = null, attestationVersion: Int? = null)
constructor(purpose: Set<AuthorizationList.KeyPurpose>? = null, algorithm: AuthorizationList.Algorithm? = null, keySize: AuthorizationList.KeySize? = null, digest: Set<AuthorizationList.Digest>? = null, padding: Set<AuthorizationList.Padding>? = null, ecCurve: AuthorizationList.ECCurve? = null, rsaPublicExponent: AuthorizationList.RsaPublicExponent? = null, mgfDigest: Set<AuthorizationList.MgfDigest>? = null, rollbackResistance: AuthorizationList.RollbackResistance? = null, earlyBootOnly: AuthorizationList.EarlyBootOnly? = null, activeDateTime: AuthorizationList.ActiveDateTime? = null, originationExpireDateTime: AuthorizationList.OriginationExpireDateTime? = null, usageExpireDateTime: AuthorizationList.UsageExpireDateTime? = null, usageCountLimit: AuthorizationList.UsageCountLimit? = null, noAuthRequired: AuthorizationList.NoAuthRequired? = null, userAuthType: AuthorizationList.UserAuthType? = null, authTimeout: AuthorizationList.AuthTimeout? = null, allowWhileOnBody: AuthorizationList.AllowWhileOnBody? = null, trustedUserPresenceRequired: AuthorizationList.TrustedUserPresenceRequired? = null, trustedConfirmationRequired: AuthorizationList.TrustedConfirmationRequired? = null, unlockedDeviceRequired: AuthorizationList.UnlockedDeviceRequired? = null, allApplications: AuthorizationList.AllApplications? = null, creationDateTime: AuthorizationList.CreationDateTime? = null, origin: AuthorizationList.Origin? = null, rollbackResistant: AuthorizationList.RollbackResistent? = null, rootOfTrust: AuthorizationList.RootOfTrust? = null, osVersion: AuthorizationList.OsVersion? = null, osPatchLevel: AuthorizationList.OsPatchLevel? = null, attestationApplicationId: AuthorizationList.AttestationApplicationId? = null, attestationIdBrand: AuthorizationList.AttestationId.Brand? = null, attestationIdDevice: AuthorizationList.AttestationId.Device? = null, attestationIdProduct: AuthorizationList.AttestationId.Product? = null, attestationIdSerial: AuthorizationList.AttestationId.Serial? = null, attestationIdImei: AuthorizationList.AttestationId.Imei? = null, attestationIdMeid: AuthorizationList.AttestationId.Meid? = null, attestationIdManufacturer: AuthorizationList.AttestationId.Manufacturer? = null, attestationIdModel: AuthorizationList.AttestationId.Model? = null, vendorPatchLevel: AuthorizationList.PatchLevel.Vendor? = null, bootPatchLevel: AuthorizationList.PatchLevel.Boot? = null, deviceUniqueAttestation: AuthorizationList.DeviceUniqueAttestation? = null, attestationIdSecondImei: AuthorizationList.AttestationId.SecondImei? = null, moduleHash: AuthorizationList.ModuleHash? = null, attestationVersion: Int?)

Types

object AllApplications : AuthorizationList.Tagged, Asn1Encodable<Asn1Primitive>
object AllowWhileOnBody : AuthorizationList.Tagged, Asn1Encodable<Asn1Primitive>
class AttestationApplicationId : Asn1Encodable<Asn1Sequence> , AuthorizationList.Tagged.WithTag<Asn1Sequence> , PrettyPrintable

TODO: describe encodeSorted and explain why lists are used rather than sets; possibly also for the other SETs such as digest and padding...

sealed class AttestationId : Asn1Encodable<Asn1Primitive> , AuthorizationList.Tagged.WithTag<Asn1Primitive>
data class AttestationPackageInfo(val packageName: String, val version: UInt) : Asn1Encodable<Asn1Sequence>
object Companion : Asn1Decodable<Asn1Sequence, AuthorizationList>
object DeviceUniqueAttestation : AuthorizationList.Tagged, Asn1Encodable<Asn1Primitive>

Can only ever be set by privileged system apps.

object EarlyBootOnly : AuthorizationList.Tagged, Asn1Encodable<Asn1Primitive>
interface IntEncodable : Asn1Encodable<Asn1Primitive> , AuthorizationList.Tagged.WithTag<Asn1Primitive>
class MgfDigest(val intValue: Asn1Integer) : AuthorizationList.IntEncodable
class ModuleHash(val sha256Digest: ByteArray) : Asn1Encodable<Asn1Primitive> , AuthorizationList.Tagged.WithTag<Asn1Primitive>

In the context of Android's Keymaster/KeyMint and Keystore, moduleHash is an entry of the AuthorizationList inside the KeyDescription attestation structure. It carries a SHA-256 digest over the DER-encoded set of system modules (name and version) present on the device, i.e. a cryptographic fingerprint of the software environment the key was created in and is used from, which a verifier can pin instead of relying on patch levels alone.

object NoAuthRequired : AuthorizationList.Tagged, Asn1Encodable<Asn1Primitive>
class OsPatchLevel(val year: UShort, val month: Month) : AuthorizationList.IntEncodable
class OsVersion(val major: UByte, val minor: UByte, val sub: UByte) : AuthorizationList.IntEncodable
object RollbackResistance : AuthorizationList.Tagged, Asn1Encodable<Asn1Primitive>
object RollbackResistent : AuthorizationList.Tagged, Asn1Encodable<Asn1Primitive>
class RootOfTrust(val verifiedBootKeyDigest: ByteArray, val deviceLocked: Boolean, val verifiedBootState: AuthorizationList.RootOfTrust.VerifiedBootState, val verifiedBootHash: ByteArray?) : Asn1Encodable<Asn1Sequence> , AuthorizationList.Tagged.WithTag<Asn1Sequence> , PrettyPrintable
sealed class Tagged
object TrustedConfirmationRequired : AuthorizationList.Tagged, Asn1Encodable<Asn1Primitive>
object TrustedUserPresenceRequired : AuthorizationList.Tagged, Asn1Encodable<Asn1Primitive>
object UnlockedDeviceRequired : AuthorizationList.Tagged, Asn1Encodable<Asn1Primitive>
class UsageCountLimit(val intValue: Asn1Integer) : AuthorizationList.IntEncodable

Properties


Functions

open override fun doPrettyPrint(indent: String): String
open fun encodeToDerSafe(): KmmResult<ByteArray>
open override fun encodeToTlv(): Asn1Sequence
open fun encodeToTlvOrNull(): Asn1Sequence?
open fun encodeToTlvSafe(): KmmResult<Asn1Sequence>
open operator override fun equals(other: Any?): Boolean
open override fun hashCode(): Int
open override fun toString(): String

Useful for debugging, but too strict in reality

open infix fun withImplicitTag(tag: Asn1Element.Tag): Asn1Element
open infix fun withImplicitTag(template: Asn1Element.Tag.Template): Asn1Element
open infix fun withImplicitTag(tagValue: ULong): Asn1Element