
When performing Key Attestation in Android, I'm getting a certificate with the following first 4 values in the 1.3.6.1.4.1.11129.2.1.17 x509v3 extension:

    0:d=0  hl=4 l= 304 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim:  INTEGER           :64
    7:d=1  hl=2 l=   1 prim:  ENUMERATED        :02
   10:d=1  hl=2 l=   1 prim:  INTEGER           :64
   13:d=1  hl=2 l=   1 prim:  ENUMERATED        :02
 ... snip ...

These correspond to this ASN.1 schema:

    KeyDescription ::= SEQUENCE {
      attestationVersion         INTEGER, # KM2 value is 1. KM3 value is 2. KM4 value is 3.
      attestationSecurityLevel   SecurityLevel,
      keymasterVersion           INTEGER,
      keymasterSecurityLevel     SecurityLevel,
     ... snip ...
    }

Both the attestationVersion and keymasterVersion are given as 0x64 (integer value 100). I was expecting a value of 1, 2, or 3.

Can anyone explain to me what these 0x64 values represent?

======== Edit 1 =========

In case it's useful to someone, here is a full hexdump of that extension:


======== Edit 2 =========

I found this line in the AOSP code, indicating that 100 is KM_VERSION_KEYMINT_1.

Searching online, I can find very few references to Keymint. Does anyone know what Keymint is?

  • Are you sure it is 0x64? Based on your posted snippet it looks more like 64 = 0x40. For easy ASN.1 decoding I would recommend to use lapo.it/asn1js Commented Jun 22, 2023 at 11:47
  • @Robert - Yes. It's 100. I tried using that tool that you linked. It also gives 100: INTEGER 100. Commented Jun 22, 2023 at 12:02
  • I have updated the question to include the full extension data, in case that's useful to someone to see the context. Commented Jun 22, 2023 at 12:06
  • Looking at the code you have found, the documentation has been wrong for a long time, as it mentions everything but values like 1, 2 or 3. Regarding KeyMint, there is a complete description of what such a device is supposed to provide: cs.android.com/android/platform/superproject/+/master:hardware/… Maybe KeyMint is the Rust reimplementation of Keymaster? Commented Jun 22, 2023 at 12:49
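To take the guesswork out of reading the hex (the comments above already disagree about 0x64 versus 64), here is an added example, not code from the question or from AOSP. It is a small pure-Python DER reader for the start of the KeyDescription SEQUENCE that handles both short-form and long-form lengths (the outer SEQUENCE in the question has a 4-byte header, 30 82 01 30, because its body is 304 bytes). The values 1, 2, 3 and 100 are the ones the question itself cites; the other entries in the two version tables (4, 41, 200, 300) and the SecurityLevel names (Software, TrustedEnvironment, StrongBox) are taken from AOSP's KM_VERSION_* constants and Android's key attestation documentation, not from this page, and are an assumption as far as this page goes. The sample bytes are constructed: the four leading TLVs from the asn1parse output followed by a filler attestationChallenge sized so that the SEQUENCE length comes out at 304 bytes, as in the question.

```python
"""Decode the leading fields of an Android KeyDescription extension
(OID 1.3.6.1.4.1.11129.2.1.17) with a minimal DER TLV reader."""

# Version numbers as they appear in the attestation record. 1, 2, 3 and 100 are the
# values discussed in the question; the remaining entries follow AOSP's KM_VERSION_*
# constants and the Android key attestation docs (assumption, not taken from the question).
ATTESTATION_VERSIONS = {
    1: "Keymaster 2.0",
    2: "Keymaster 3.0",
    3: "Keymaster 4.0",
    4: "Keymaster 4.1",
    100: "KeyMint 1.0",
    200: "KeyMint 2.0",
    300: "KeyMint 3.0",
}
KEYMASTER_VERSIONS = {
    0: "Keymaster 0.2/0.3",
    1: "Keymaster 1.0",
    2: "Keymaster 2.0",
    3: "Keymaster 3.0",
    4: "Keymaster 4.0",
    41: "Keymaster 4.1",
    100: "KeyMint 1.0",
    200: "KeyMint 2.0",
    300: "KeyMint 3.0",
}
# SecurityLevel ::= ENUMERATED { Software (0), TrustedEnvironment (1), StrongBox (2) }
SECURITY_LEVELS = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}

TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x02, 0x04, 0x0A, 0x30


def read_tlv(buf, pos):
    """Read one DER TLV starting at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: the byte is the length
        length = first
    else:                                 # long form: 0x80 | number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:end], end


def der_int(value):
    """DER INTEGER / ENUMERATED content is big-endian two's complement."""
    return int.from_bytes(value, "big", signed=True)


def decode_key_description(ext):
    """Return the first four KeyDescription fields plus the raw attestationChallenge."""
    tag, body, _ = read_tlv(ext, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("KeyDescription must be a SEQUENCE")
    expected = [TAG_INTEGER, TAG_ENUMERATED, TAG_INTEGER, TAG_ENUMERATED, TAG_OCTET_STRING]
    fields, pos = [], 0
    for want in expected:
        tag, value, pos = read_tlv(body, pos)
        if tag != want:
            raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
        fields.append(value)
    av, asl, kv, ksl = (der_int(v) for v in fields[:4])
    return {
        "attestationVersion": av,
        "attestationVersionName": ATTESTATION_VERSIONS.get(av, f"unknown ({av})"),
        "attestationSecurityLevel": SECURITY_LEVELS.get(asl, f"unknown ({asl})"),
        "keymasterVersion": kv,
        "keymasterVersionName": KEYMASTER_VERSIONS.get(kv, f"unknown ({kv})"),
        "keymasterSecurityLevel": SECURITY_LEVELS.get(ksl, f"unknown ({ksl})"),
        "attestationChallenge": fields[4],
    }


# Constructed sample (not the question's real hexdump): the four leading TLVs from the
# asn1parse output (02 01 64, 0a 01 02, 02 01 64, 0a 01 02) followed by a 288-byte filler
# attestationChallenge, so the outer SEQUENCE gets the same 4-byte header and 304-byte
# length (30 82 01 30) that openssl asn1parse reported in the question.
LEADING_FIELDS = bytes.fromhex("020164" "0a0102" "020164" "0a0102")
FILLER_CHALLENGE = bytes([0x04, 0x82, 0x01, 0x20]) + b"\xAA" * 288
SAMPLE_EXTENSION = bytes([0x30, 0x82, 0x01, 0x30]) + LEADING_FIELDS + FILLER_CHALLENGE

if __name__ == "__main__":
    for name, value in decode_key_description(SAMPLE_EXTENSION).items():
        shown = value[:8].hex() + "..." if isinstance(value, bytes) else value
        print(f"{name}: {shown}")
```

The real extension value (the DER bytes of the extnValue OCTET STRING content, as dumped by openssl) can be passed in place of SAMPLE_EXTENSION. Note that der_int(b"\x64") is 100 while der_int(b"\x40") is 64, which is exactly the confusion in the first comment: asn1parse prints the decoded integer in decimal, so ":64" in its output is 64, not 0x64, and a value shown as 100 has content byte 0x64. The parser stops after attestationChallenge; the remaining fields of the record are not validated here.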
