server/src/main/java/com/google/android/attestation/AuthorizationList.java - platform/external/android-key-attestation - Git at Google

 /* Copyright 2019, The Android Open Source Project, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package com.google.android.attestation;

 import static com.google.android.attestation.AuthorizationList.UserAuthType.FINGERPRINT;
 import static com.google.android.attestation.AuthorizationList.UserAuthType.PASSWORD;
 import static com.google.android.attestation.AuthorizationList.UserAuthType.USER_AUTH_TYPE_ANY;
 import static com.google.android.attestation.AuthorizationList.UserAuthType.USER_AUTH_TYPE_NONE;
 import static com.google.android.attestation.Constants.KM_TAG_ACTIVE_DATE_TIME;
 import static com.google.android.attestation.Constants.KM_TAG_ALGORITHM;
 import static com.google.android.attestation.Constants.KM_TAG_ALLOW_WHILE_ON_BODY;
 import static com.google.android.attestation.Constants.KM_TAG_ALL_APPLICATIONS;
 import static com.google.android.attestation.Constants.KM_TAG_APPLICATION_ID;
 import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_APPLICATION_ID;
 import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_BRAND;
 import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_DEVICE;
 import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_IMEI;
 import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_MANUFACTURER;
 import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_MEID;
 import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_MODEL;
 import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_PRODUCT;
 import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_SERIAL;
 import static com.google.android.attestation.Constants.KM_TAG_AUTH_TIMEOUT;
 import static com.google.android.attestation.Constants.KM_TAG_BOOT_PATCH_LEVEL;
 import static com.google.android.attestation.Constants.KM_TAG_CREATION_DATE_TIME;
 import static com.google.android.attestation.Constants.KM_TAG_DIGEST;
 import static com.google.android.attestation.Constants.KM_TAG_EC_CURVE;
 import static com.google.android.attestation.Constants.KM_TAG_KEY_SIZE;
 import static com.google.android.attestation.Constants.KM_TAG_NO_AUTH_REQUIRED;
 import static com.google.android.attestation.Constants.KM_TAG_ORIGIN;
 import static com.google.android.attestation.Constants.KM_TAG_ORIGINATION_EXPIRE_DATE_TIME;
 import static com.google.android.attestation.Constants.KM_TAG_OS_PATCH_LEVEL;
 import static com.google.android.attestation.Constants.KM_TAG_OS_VERSION;
 import static com.google.android.attestation.Constants.KM_TAG_PADDING;
 import static com.google.android.attestation.Constants.KM_TAG_PURPOSE;
 import static com.google.android.attestation.Constants.KM_TAG_ROLLBACK_RESISTANCE;
 import static com.google.android.attestation.Constants.KM_TAG_ROLLBACK_RESISTANT;
 import static com.google.android.attestation.Constants.KM_TAG_ROOT_OF_TRUST;
 import static com.google.android.attestation.Constants.KM_TAG_RSA_PUBLIC_EXPONENT;
 import static com.google.android.attestation.Constants.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED;
 import static com.google.android.attestation.Constants.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED;
 import static com.google.android.attestation.Constants.KM_TAG_UNLOCKED_DEVICE_REQUIRED;
 import static com.google.android.attestation.Constants.KM_TAG_USAGE_EXPIRE_DATE_TIME;
 import static com.google.android.attestation.Constants.KM_TAG_USER_AUTH_TYPE;
 import static com.google.android.attestation.Constants.KM_TAG_VENDOR_PATCH_LEVEL;
 import static com.google.android.attestation.Constants.UINT32_MAX;

 import java.time.Duration;
 import java.time.Instant;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import org.bouncycastle.asn1.ASN1Encodable;
 import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.ASN1Set;
 import org.bouncycastle.asn1.ASN1TaggedObject;
 import org.bouncycastle.asn1.DEROctetString;

 /**
  * This data structure contains the key pair's properties themselves, as defined in the Keymaster
  * hardware abstraction layer (HAL). You compare these values to the device's current state or to a
  * set of expected values to verify that a key pair is still valid for use in your app.
  */
 @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
 public class AuthorizationList {
   /** Specifies the types of user authenticators that may be used to authorize this key. */
   public enum UserAuthType {
     USER_AUTH_TYPE_NONE,
     PASSWORD,
     FINGERPRINT,
     USER_AUTH_TYPE_ANY
   }

   public final Optional<Set<Integer>> purpose;
   public final Optional<Integer> algorithm;
   public final Optional<Integer> keySize;
   public final Optional<Set<Integer>> digest;
   public final Optional<Set<Integer>> padding;
   public final Optional<Integer> ecCurve;
   public final Optional<Long> rsaPublicExponent;
   public final boolean rollbackResistance;
   public final Optional<Instant> activeDateTime;
   public final Optional<Instant> originationExpireDateTime;
   public final Optional<Instant> usageExpireDateTime;
   public final boolean noAuthRequired;
   public final Optional<UserAuthType> userAuthType;
   public final Optional<Duration> authTimeout;
   public final boolean allowWhileOnBody;
   public final boolean trustedUserPresenceRequired;
   public final boolean trustedConfirmationRequired;
   public final boolean unlockedDeviceRequired;
   public final boolean allApplications;
   public final Optional<byte[]> applicationId;
   public final Optional<Instant> creationDateTime;
   public final Optional<Integer> origin;
   public final boolean rollbackResistant;
   public final Optional<RootOfTrust> rootOfTrust;
   public final Optional<Integer> osVersion;
   public final Optional<Integer> osPatchLevel;
   public final Optional<AttestationApplicationId> attestationApplicationId;
   public final Optional<byte[]> attestationApplicationIdBytes;
   public final Optional<byte[]> attestationIdBrand;
   public final Optional<byte[]> attestationIdDevice;
   public final Optional<byte[]> attestationIdProduct;
   public final Optional<byte[]> attestationIdSerial;
   public final Optional<byte[]> attestationIdImei;
   public final Optional<byte[]> attestationIdMeid;
   public final Optional<byte[]> attestationIdManufacturer;
   public final Optional<byte[]> attestationIdModel;
   public final Optional<Integer> vendorPatchLevel;
   public final Optional<Integer> bootPatchLevel;

   private AuthorizationList(ASN1Encodable[] authorizationList, int attestationVersion) {
     Map<Integer, ASN1Primitive> authorizationMap = getAuthorizationMap(authorizationList);
     this.purpose = findOptionalIntegerSetAuthorizationListEntry(authorizationMap, KM_TAG_PURPOSE);
     this.algorithm = findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_ALGORITHM);
     this.keySize = findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_KEY_SIZE);
     this.digest = findOptionalIntegerSetAuthorizationListEntry(authorizationMap, KM_TAG_DIGEST);
     this.padding = findOptionalIntegerSetAuthorizationListEntry(authorizationMap, KM_TAG_PADDING);
     this.ecCurve = findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_EC_CURVE);
     this.rsaPublicExponent =
         findOptionalLongAuthorizationListEntry(authorizationMap, KM_TAG_RSA_PUBLIC_EXPONENT);
     this.rollbackResistance =
         findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_ROLLBACK_RESISTANCE);
     this.activeDateTime =
         findOptionalInstantMillisAuthorizationListEntry(authorizationMap, KM_TAG_ACTIVE_DATE_TIME);
     this.originationExpireDateTime =
         findOptionalInstantMillisAuthorizationListEntry(
             authorizationMap, KM_TAG_ORIGINATION_EXPIRE_DATE_TIME);
     this.usageExpireDateTime =
         findOptionalInstantMillisAuthorizationListEntry(
             authorizationMap, KM_TAG_USAGE_EXPIRE_DATE_TIME);
     this.noAuthRequired =
         findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_NO_AUTH_REQUIRED);
     this.userAuthType = findOptionalUserAuthType(authorizationMap, KM_TAG_USER_AUTH_TYPE);
     this.authTimeout =
         findOptionalDurationSecondsAuthorizationListEntry(authorizationMap, KM_TAG_AUTH_TIMEOUT);
     this.allowWhileOnBody =
         findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_ALLOW_WHILE_ON_BODY);
     this.trustedUserPresenceRequired =
         findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);
     this.trustedConfirmationRequired =
         findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_TRUSTED_CONFIRMATION_REQUIRED);
     this.unlockedDeviceRequired =
         findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_UNLOCKED_DEVICE_REQUIRED);
     this.allApplications =
         findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_ALL_APPLICATIONS);
     this.applicationId =
         findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_APPLICATION_ID);
     this.creationDateTime =
         findOptionalInstantMillisAuthorizationListEntry(
             authorizationMap, KM_TAG_CREATION_DATE_TIME);
     this.origin = findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_ORIGIN);
     this.rollbackResistant =
         findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_ROLLBACK_RESISTANT);
     this.rootOfTrust =
         Optional.ofNullable(
             RootOfTrust.createRootOfTrust(
                 (ASN1Sequence) findAuthorizationListEntry(authorizationMap, KM_TAG_ROOT_OF_TRUST),
                 attestationVersion));
     this.osVersion = findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_OS_VERSION);
     this.osPatchLevel =
         findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_OS_PATCH_LEVEL);
     this.attestationApplicationId =
         Optional.ofNullable(
             AttestationApplicationId.createAttestationApplicationId(
                 (DEROctetString)
                     findAuthorizationListEntry(
                         authorizationMap, KM_TAG_ATTESTATION_APPLICATION_ID)));
     this.attestationApplicationIdBytes =
         findOptionalByteArrayAuthorizationListEntry(
             authorizationMap, KM_TAG_ATTESTATION_APPLICATION_ID);
     this.attestationIdBrand =
         findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_ATTESTATION_ID_BRAND);
     this.attestationIdDevice =
         findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_ATTESTATION_ID_DEVICE);
     this.attestationIdProduct =
         findOptionalByteArrayAuthorizationListEntry(
             authorizationMap, KM_TAG_ATTESTATION_ID_PRODUCT);
     this.attestationIdSerial =
         findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_ATTESTATION_ID_SERIAL);
     this.attestationIdImei =
         findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_ATTESTATION_ID_IMEI);
     this.attestationIdMeid =
         findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_ATTESTATION_ID_MEID);
     this.attestationIdManufacturer =
         findOptionalByteArrayAuthorizationListEntry(
             authorizationMap, KM_TAG_ATTESTATION_ID_MANUFACTURER);
     this.attestationIdModel =
         findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_ATTESTATION_ID_MODEL);
     this.vendorPatchLevel =
         findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_VENDOR_PATCH_LEVEL);
     this.bootPatchLevel =
         findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_BOOT_PATCH_LEVEL);
   }

   static AuthorizationList createAuthorizationList(
       ASN1Encodable[] authorizationList, int attestationVersion) {
     return new AuthorizationList(authorizationList, attestationVersion);
   }

   private static Map<Integer, ASN1Primitive> getAuthorizationMap(
       ASN1Encodable[] authorizationList) {
     Map<Integer, ASN1Primitive> authorizationMap = new HashMap<>();
     for (ASN1Encodable entry : authorizationList) {
       ASN1TaggedObject taggedEntry = (ASN1TaggedObject) entry;
       authorizationMap.put(taggedEntry.getTagNo(), taggedEntry.getObject());
     }
     return authorizationMap;
   }

   private static ASN1Primitive findAuthorizationListEntry(
       Map<Integer, ASN1Primitive> authorizationMap, int tag) {
     return authorizationMap.getOrDefault(tag, null);
   }

   private static Optional<Set<Integer>> findOptionalIntegerSetAuthorizationListEntry(
       Map<Integer, ASN1Primitive> authorizationMap, int tag) {
     ASN1Set asn1Set = (ASN1Set) findAuthorizationListEntry(authorizationMap, tag);
     if (asn1Set == null) {
       return Optional.empty();
     }
     Set<Integer> entrySet = new HashSet<>();
     for (ASN1Encodable value : asn1Set) {
       entrySet.add(ASN1Parsing.getIntegerFromAsn1(value));
     }
     return Optional.of(entrySet);
   }

   private static Optional<Duration> findOptionalDurationSecondsAuthorizationListEntry(
       Map<Integer, ASN1Primitive> authorizationMap, int tag) {
     Optional<Integer> seconds = findOptionalIntegerAuthorizationListEntry(authorizationMap, tag);
     return seconds.map(Duration::ofSeconds);
   }

   private static Optional<Integer> findOptionalIntegerAuthorizationListEntry(
       Map<Integer, ASN1Primitive> authorizationMap, int tag) {
     ASN1Primitive entry = findAuthorizationListEntry(authorizationMap, tag);
     return Optional.ofNullable(entry).map(ASN1Parsing::getIntegerFromAsn1);
   }

   private static Optional<Instant> findOptionalInstantMillisAuthorizationListEntry(
       Map<Integer, ASN1Primitive> authorizationMap, int tag) {
     Optional<Long> millis = findOptionalLongAuthorizationListEntry(authorizationMap, tag);
     return millis.map(Instant::ofEpochMilli);
   }

   private static Optional<Long> findOptionalLongAuthorizationListEntry(
       Map<Integer, ASN1Primitive> authorizationMap, int tag) {
     ASN1Integer longEntry = ((ASN1Integer) findAuthorizationListEntry(authorizationMap, tag));
     return Optional.ofNullable(longEntry).map(value -> value.getValue().longValue());
   }

   private static boolean findBooleanAuthorizationListEntry(
       Map<Integer, ASN1Primitive> authorizationMap, int tag) {
     return null != findAuthorizationListEntry(authorizationMap, tag);
   }

   private static Optional<byte[]> findOptionalByteArrayAuthorizationListEntry(
       Map<Integer, ASN1Primitive> authorizationMap, int tag) {
     ASN1OctetString entry = (ASN1OctetString) findAuthorizationListEntry(authorizationMap, tag);
     return Optional.ofNullable(entry).map(ASN1OctetString::getOctets);
   }

   private static Optional<UserAuthType> findOptionalUserAuthType(
       Map<Integer, ASN1Primitive> authorizationMap, int tag) {
     Optional<Long> userAuthType = findOptionalLongAuthorizationListEntry(authorizationMap, tag);
     return userAuthType.map(AuthorizationList::userAuthTypeToEnum);
   }

   // Visible for testing.
   static UserAuthType userAuthTypeToEnum(long userAuthType) {
     if (userAuthType == 0L) {
       return USER_AUTH_TYPE_NONE;
     } else if (userAuthType == 1L) {
       return PASSWORD;
     } else if (userAuthType == 2L) {
       return FINGERPRINT;
     } else if (userAuthType == UINT32_MAX) {
       return USER_AUTH_TYPE_ANY;
     }
     throw new IllegalArgumentException("Invalid User Auth Type.");
   }
 }
	/* Copyright 2019, The Android Open Source Project, Inc.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package com.google.android.attestation;

	import static com.google.android.attestation.AuthorizationList.UserAuthType.FINGERPRINT;
	import static com.google.android.attestation.AuthorizationList.UserAuthType.PASSWORD;
	import static com.google.android.attestation.AuthorizationList.UserAuthType.USER_AUTH_TYPE_ANY;
	import static com.google.android.attestation.AuthorizationList.UserAuthType.USER_AUTH_TYPE_NONE;
	import static com.google.android.attestation.Constants.KM_TAG_ACTIVE_DATE_TIME;
	import static com.google.android.attestation.Constants.KM_TAG_ALGORITHM;
	import static com.google.android.attestation.Constants.KM_TAG_ALLOW_WHILE_ON_BODY;
	import static com.google.android.attestation.Constants.KM_TAG_ALL_APPLICATIONS;
	import static com.google.android.attestation.Constants.KM_TAG_APPLICATION_ID;
	import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_APPLICATION_ID;
	import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_BRAND;
	import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_DEVICE;
	import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_IMEI;
	import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_MANUFACTURER;
	import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_MEID;
	import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_MODEL;
	import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_PRODUCT;
	import static com.google.android.attestation.Constants.KM_TAG_ATTESTATION_ID_SERIAL;
	import static com.google.android.attestation.Constants.KM_TAG_AUTH_TIMEOUT;
	import static com.google.android.attestation.Constants.KM_TAG_BOOT_PATCH_LEVEL;
	import static com.google.android.attestation.Constants.KM_TAG_CREATION_DATE_TIME;
	import static com.google.android.attestation.Constants.KM_TAG_DIGEST;
	import static com.google.android.attestation.Constants.KM_TAG_EC_CURVE;
	import static com.google.android.attestation.Constants.KM_TAG_KEY_SIZE;
	import static com.google.android.attestation.Constants.KM_TAG_NO_AUTH_REQUIRED;
	import static com.google.android.attestation.Constants.KM_TAG_ORIGIN;
	import static com.google.android.attestation.Constants.KM_TAG_ORIGINATION_EXPIRE_DATE_TIME;
	import static com.google.android.attestation.Constants.KM_TAG_OS_PATCH_LEVEL;
	import static com.google.android.attestation.Constants.KM_TAG_OS_VERSION;
	import static com.google.android.attestation.Constants.KM_TAG_PADDING;
	import static com.google.android.attestation.Constants.KM_TAG_PURPOSE;
	import static com.google.android.attestation.Constants.KM_TAG_ROLLBACK_RESISTANCE;
	import static com.google.android.attestation.Constants.KM_TAG_ROLLBACK_RESISTANT;
	import static com.google.android.attestation.Constants.KM_TAG_ROOT_OF_TRUST;
	import static com.google.android.attestation.Constants.KM_TAG_RSA_PUBLIC_EXPONENT;
	import static com.google.android.attestation.Constants.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED;
	import static com.google.android.attestation.Constants.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED;
	import static com.google.android.attestation.Constants.KM_TAG_UNLOCKED_DEVICE_REQUIRED;
	import static com.google.android.attestation.Constants.KM_TAG_USAGE_EXPIRE_DATE_TIME;
	import static com.google.android.attestation.Constants.KM_TAG_USER_AUTH_TYPE;
	import static com.google.android.attestation.Constants.KM_TAG_VENDOR_PATCH_LEVEL;
	import static com.google.android.attestation.Constants.UINT32_MAX;

	import java.time.Duration;
	import java.time.Instant;
	import java.util.HashMap;
	import java.util.HashSet;
	import java.util.Map;
	import java.util.Optional;
	import java.util.Set;
	import org.bouncycastle.asn1.ASN1Encodable;
	import org.bouncycastle.asn1.ASN1Integer;
	import org.bouncycastle.asn1.ASN1OctetString;
	import org.bouncycastle.asn1.ASN1Primitive;
	import org.bouncycastle.asn1.ASN1Sequence;
	import org.bouncycastle.asn1.ASN1Set;
	import org.bouncycastle.asn1.ASN1TaggedObject;
	import org.bouncycastle.asn1.DEROctetString;

	/**
	* This data structure contains the key pair's properties themselves, as defined in the Keymaster
	* hardware abstraction layer (HAL). You compare these values to the device's current state or to a
	* set of expected values to verify that a key pair is still valid for use in your app.
	*/
	@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
	public class AuthorizationList {
	/** Specifies the types of user authenticators that may be used to authorize this key. */
	public enum UserAuthType {
	USER_AUTH_TYPE_NONE,
	PASSWORD,
	FINGERPRINT,
	USER_AUTH_TYPE_ANY
	}

	public final Optional<Set<Integer>> purpose;
	public final Optional<Integer> algorithm;
	public final Optional<Integer> keySize;
	public final Optional<Set<Integer>> digest;
	public final Optional<Set<Integer>> padding;
	public final Optional<Integer> ecCurve;
	public final Optional<Long> rsaPublicExponent;
	public final boolean rollbackResistance;
	public final Optional<Instant> activeDateTime;
	public final Optional<Instant> originationExpireDateTime;
	public final Optional<Instant> usageExpireDateTime;
	public final boolean noAuthRequired;
	public final Optional<UserAuthType> userAuthType;
	public final Optional<Duration> authTimeout;
	public final boolean allowWhileOnBody;
	public final boolean trustedUserPresenceRequired;
	public final boolean trustedConfirmationRequired;
	public final boolean unlockedDeviceRequired;
	public final boolean allApplications;
	public final Optional<byte[]> applicationId;
	public final Optional<Instant> creationDateTime;
	public final Optional<Integer> origin;
	public final boolean rollbackResistant;
	public final Optional<RootOfTrust> rootOfTrust;
	public final Optional<Integer> osVersion;
	public final Optional<Integer> osPatchLevel;
	public final Optional<AttestationApplicationId> attestationApplicationId;
	public final Optional<byte[]> attestationApplicationIdBytes;
	public final Optional<byte[]> attestationIdBrand;
	public final Optional<byte[]> attestationIdDevice;
	public final Optional<byte[]> attestationIdProduct;
	public final Optional<byte[]> attestationIdSerial;
	public final Optional<byte[]> attestationIdImei;
	public final Optional<byte[]> attestationIdMeid;
	public final Optional<byte[]> attestationIdManufacturer;
	public final Optional<byte[]> attestationIdModel;
	public final Optional<Integer> vendorPatchLevel;
	public final Optional<Integer> bootPatchLevel;

	private AuthorizationList(ASN1Encodable[] authorizationList, int attestationVersion) {
	Map<Integer, ASN1Primitive> authorizationMap = getAuthorizationMap(authorizationList);
	this.purpose = findOptionalIntegerSetAuthorizationListEntry(authorizationMap, KM_TAG_PURPOSE);
	this.algorithm = findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_ALGORITHM);
	this.keySize = findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_KEY_SIZE);
	this.digest = findOptionalIntegerSetAuthorizationListEntry(authorizationMap, KM_TAG_DIGEST);
	this.padding = findOptionalIntegerSetAuthorizationListEntry(authorizationMap, KM_TAG_PADDING);
	this.ecCurve = findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_EC_CURVE);
	this.rsaPublicExponent =
	findOptionalLongAuthorizationListEntry(authorizationMap, KM_TAG_RSA_PUBLIC_EXPONENT);
	this.rollbackResistance =
	findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_ROLLBACK_RESISTANCE);
	this.activeDateTime =
	findOptionalInstantMillisAuthorizationListEntry(authorizationMap, KM_TAG_ACTIVE_DATE_TIME);
	this.originationExpireDateTime =
	findOptionalInstantMillisAuthorizationListEntry(
	authorizationMap, KM_TAG_ORIGINATION_EXPIRE_DATE_TIME);
	this.usageExpireDateTime =
	findOptionalInstantMillisAuthorizationListEntry(
	authorizationMap, KM_TAG_USAGE_EXPIRE_DATE_TIME);
	this.noAuthRequired =
	findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_NO_AUTH_REQUIRED);
	this.userAuthType = findOptionalUserAuthType(authorizationMap, KM_TAG_USER_AUTH_TYPE);
	this.authTimeout =
	findOptionalDurationSecondsAuthorizationListEntry(authorizationMap, KM_TAG_AUTH_TIMEOUT);
	this.allowWhileOnBody =
	findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_ALLOW_WHILE_ON_BODY);
	this.trustedUserPresenceRequired =
	findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);
	this.trustedConfirmationRequired =
	findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_TRUSTED_CONFIRMATION_REQUIRED);
	this.unlockedDeviceRequired =
	findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_UNLOCKED_DEVICE_REQUIRED);
	this.allApplications =
	findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_ALL_APPLICATIONS);
	this.applicationId =
	findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_APPLICATION_ID);
	this.creationDateTime =
	findOptionalInstantMillisAuthorizationListEntry(
	authorizationMap, KM_TAG_CREATION_DATE_TIME);
	this.origin = findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_ORIGIN);
	this.rollbackResistant =
	findBooleanAuthorizationListEntry(authorizationMap, KM_TAG_ROLLBACK_RESISTANT);
	this.rootOfTrust =
	Optional.ofNullable(
	RootOfTrust.createRootOfTrust(
	(ASN1Sequence) findAuthorizationListEntry(authorizationMap, KM_TAG_ROOT_OF_TRUST),
	attestationVersion));
	this.osVersion = findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_OS_VERSION);
	this.osPatchLevel =
	findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_OS_PATCH_LEVEL);
	this.attestationApplicationId =
	Optional.ofNullable(
	AttestationApplicationId.createAttestationApplicationId(
	(DEROctetString)
	findAuthorizationListEntry(
	authorizationMap, KM_TAG_ATTESTATION_APPLICATION_ID)));
	this.attestationApplicationIdBytes =
	findOptionalByteArrayAuthorizationListEntry(
	authorizationMap, KM_TAG_ATTESTATION_APPLICATION_ID);
	this.attestationIdBrand =
	findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_ATTESTATION_ID_BRAND);
	this.attestationIdDevice =
	findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_ATTESTATION_ID_DEVICE);
	this.attestationIdProduct =
	findOptionalByteArrayAuthorizationListEntry(
	authorizationMap, KM_TAG_ATTESTATION_ID_PRODUCT);
	this.attestationIdSerial =
	findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_ATTESTATION_ID_SERIAL);
	this.attestationIdImei =
	findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_ATTESTATION_ID_IMEI);
	this.attestationIdMeid =
	findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_ATTESTATION_ID_MEID);
	this.attestationIdManufacturer =
	findOptionalByteArrayAuthorizationListEntry(
	authorizationMap, KM_TAG_ATTESTATION_ID_MANUFACTURER);
	this.attestationIdModel =
	findOptionalByteArrayAuthorizationListEntry(authorizationMap, KM_TAG_ATTESTATION_ID_MODEL);
	this.vendorPatchLevel =
	findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_VENDOR_PATCH_LEVEL);
	this.bootPatchLevel =
	findOptionalIntegerAuthorizationListEntry(authorizationMap, KM_TAG_BOOT_PATCH_LEVEL);
	}

	static AuthorizationList createAuthorizationList(
	ASN1Encodable[] authorizationList, int attestationVersion) {
	return new AuthorizationList(authorizationList, attestationVersion);
	}

	private static Map<Integer, ASN1Primitive> getAuthorizationMap(
	ASN1Encodable[] authorizationList) {
	Map<Integer, ASN1Primitive> authorizationMap = new HashMap<>();
	for (ASN1Encodable entry : authorizationList) {
	ASN1TaggedObject taggedEntry = (ASN1TaggedObject) entry;
	authorizationMap.put(taggedEntry.getTagNo(), taggedEntry.getObject());
	}
	return authorizationMap;
	}

	private static ASN1Primitive findAuthorizationListEntry(
	Map<Integer, ASN1Primitive> authorizationMap, int tag) {
	return authorizationMap.getOrDefault(tag, null);
	}

	private static Optional<Set<Integer>> findOptionalIntegerSetAuthorizationListEntry(
	Map<Integer, ASN1Primitive> authorizationMap, int tag) {
	ASN1Set asn1Set = (ASN1Set) findAuthorizationListEntry(authorizationMap, tag);
	if (asn1Set == null) {
	return Optional.empty();
	}
	Set<Integer> entrySet = new HashSet<>();
	for (ASN1Encodable value : asn1Set) {
	entrySet.add(ASN1Parsing.getIntegerFromAsn1(value));
	}
	return Optional.of(entrySet);
	}

	private static Optional<Duration> findOptionalDurationSecondsAuthorizationListEntry(
	Map<Integer, ASN1Primitive> authorizationMap, int tag) {
	Optional<Integer> seconds = findOptionalIntegerAuthorizationListEntry(authorizationMap, tag);
	return seconds.map(Duration::ofSeconds);
	}

	private static Optional<Integer> findOptionalIntegerAuthorizationListEntry(
	Map<Integer, ASN1Primitive> authorizationMap, int tag) {
	ASN1Primitive entry = findAuthorizationListEntry(authorizationMap, tag);
	return Optional.ofNullable(entry).map(ASN1Parsing::getIntegerFromAsn1);
	}

	private static Optional<Instant> findOptionalInstantMillisAuthorizationListEntry(
	Map<Integer, ASN1Primitive> authorizationMap, int tag) {
	Optional<Long> millis = findOptionalLongAuthorizationListEntry(authorizationMap, tag);
	return millis.map(Instant::ofEpochMilli);
	}

	private static Optional<Long> findOptionalLongAuthorizationListEntry(
	Map<Integer, ASN1Primitive> authorizationMap, int tag) {
	ASN1Integer longEntry = ((ASN1Integer) findAuthorizationListEntry(authorizationMap, tag));
	return Optional.ofNullable(longEntry).map(value -> value.getValue().longValue());
	}

	private static boolean findBooleanAuthorizationListEntry(
	Map<Integer, ASN1Primitive> authorizationMap, int tag) {
	return null != findAuthorizationListEntry(authorizationMap, tag);
	}

	private static Optional<byte[]> findOptionalByteArrayAuthorizationListEntry(
	Map<Integer, ASN1Primitive> authorizationMap, int tag) {
	ASN1OctetString entry = (ASN1OctetString) findAuthorizationListEntry(authorizationMap, tag);
	return Optional.ofNullable(entry).map(ASN1OctetString::getOctets);
	}

	private static Optional<UserAuthType> findOptionalUserAuthType(
	Map<Integer, ASN1Primitive> authorizationMap, int tag) {
	Optional<Long> userAuthType = findOptionalLongAuthorizationListEntry(authorizationMap, tag);
	return userAuthType.map(AuthorizationList::userAuthTypeToEnum);
	}

	// Visible for testing.
	static UserAuthType userAuthTypeToEnum(long userAuthType) {
	if (userAuthType == 0L) {
	return USER_AUTH_TYPE_NONE;
	} else if (userAuthType == 1L) {
	return PASSWORD;
	} else if (userAuthType == 2L) {
	return FINGERPRINT;
	} else if (userAuthType == UINT32_MAX) {
	return USER_AUTH_TYPE_ANY;
	}
	throw new IllegalArgumentException("Invalid User Auth Type.");
	}
	}