Decoding QCOM private key blob
satur9nine opened this issue · 1 comments
I'm working on a bug we are experiencing with Qualcomm HW-backed keys on a device running Nougat. I am able to decode the USRCERT file with your tool. I attempted to decode the USRPKEY file with your tool, but it crashes with an index out of bounds exception:
Exception in thread "main" java.lang.IndexOutOfBoundsException
    at java.nio.Buffer.checkIndex(Buffer.java:546)
    at java.nio.HeapByteBuffer.getInt(HeapByteBuffer.java:365)
    at org.nick.ksdecryptor.Keymaster1Blob.parse(Keymaster1Blob.java:50)
    at org.nick.ksdecryptor.Main.showKeyMaterial(Main.java:157)
    at org.nick.ksdecryptor.Main.showBlob(Main.java:68)
    at org.nick.ksdecryptor.Main.main(Main.java:52)
I found in a Lollipop code drop from Qualcomm the struct for qcom_km_key_blob_t defined in https://android.googlesource.com/platform/hardware/qcom/keymaster/+/lollipop-mr1-release/keymaster_qcom.h, but that is for KEYMASTER_MODULE_API_VERSION_0_3. In Nougat the Qualcomm implementation is now KEYMASTER_MODULE_API_VERSION_1_0 and the HAL is implemented in a precompiled static library, so I couldn't find the struct format. Do you happen to know what the struct format is?
There's been some redesign in 7x; you should be able to find the latest format in AOSP code.
Some high-level info here: https://source.android.com/security/keystore/