AndroidAttestationConfiguration
Main Android attestation configuration class serving as ground truth for all key and app attestation verifications.
Parameters
list of applications to be attested
optional parameter. If set, attestation enforces Android version to be greater or equal to this parameter. Caution: Major Android versions increment in steps of ten-thousands. I.e. Android 11 is specified as 110000 Can be overridden for individual apps
optional parameter. If set, attestation enforces Security patch level to be greater or equal to this parameter
optional parameter. Set to true if StrongBox security level should be required
optional parameter. Set to true if unlocked bootloaders should be allowed. Attention: Allowing unlocked bootloaders in production effectively defeats the purpose of app attestation. (but retains the ability to attest whether a key is securely stored in hardware) Useful for debugging/testing
optional parameter. Unsupported by most devices. See Official Documentation
optional parameter. Whether to ignore the timely validity of the leaf certificate (looking at you, Samsung!)
Manually specify the trust anchor for HW-attested certificate chains. Defaults to google HW attestation key. Overriding this set is useful for automated end-to-end tests, for example. The default trust anchors are accessible through GOOGLE_DEFAULT_HARDWARE_TRUST_ANCHORS
Manually specify the trust anchor for SW-attested certificate chains. Defaults to google SW attestation keys. Overriding this set is useful for automated end-to-end tests, for example. The default trust anchors are accessible through GOOGLE_SOFTWARE_TRUST_ANCHORS_UNTIL_A12
Entirely disable creation of a HardwareAttestationVerifier. Only change this flag, if you really know what you are doing!
Enables software attestation. A SoftwareAttestationVerifier can only be instantiated if this flag is set to true. Only change this flag, if you really know what you are doing! Enabling this flag, while keeping disableHardwareAttestation true makes is possible to instantiate both a HardwareAttestationVerifier and a SoftwareAttestationVerifier.
Constructors
Convenience constructor to attest a single app
Constructor used when loading this class from a config file through Hoplite
Types
Specifies a to-be attested app
Builder to construct an AndroidAttestationConfiguration in a java-friendly way
Properties
Set to true if unlocked bootloaders should be allowed. Attention: Allowing unlocked bootloaders in production effectively defeats the purpose of Key Attestation. Useful for debugging/testing BEWARE that this switch is utterly useless if SoftwareAttestationVerifier is used
optional parameter. If set, attestation enforces Android version to be greater or equal to this parameter. Caution: Major Android versions increment in steps of ten-thousands. I.e. Android 11 is specified as 110000 Can be overridden for individual apps
List of applications which can be attested
Validity of the attestation statement in seconds. This is not the certificate validity! An attestation statement has a creation time. This value indicates how far in the past the creation time might be.
Entirely disable creation of a HardwareAttestationVerifier. Only change this flag, if you really know what you are doing!
Enables software attestation. A SoftwareAttestationVerifier can only be instantiated if this flag is set to true. Only change this flag, if you really know what you are doing! Enabling this flag, while keeping disableHardwareAttestation true makes is possible to instantiate both a HardwareAttestationVerifier and a SoftwareAttestationVerifier.
Manually specify the trust anchor for HW-attested certificate chains. Defaults to google HW attestation key. Overriding this set is useful for automated end-to-end tests, for example. The default trust anchors are accessible through GOOGLE_DEFAULT_HARDWARE_TRUST_ANCHORS
Whether to ignore the timely validity of the leaf certificate
Internal representation of the patch level as contained in the com.google.android.attestation.ParsedAttestationRecord
optional parameter. If set, attestation enforces Security patch level to be greater or equal to this parameter. Can be overridden for individual apps.
Mandates Remote Key Provisioning (RKP) for attestation checks to pass
Unsupported by most devices. See Official Documentation
Set to true if StrongBox security level should be required. BEWARE that this switch is utterly useless if SoftwareAttestationVerifier is used
Configures revocation checking. Defaults to checking against the official Google revocation list without Proxy.
Manually specify the trust anchor for SW-attested certificate chains. Defaults to google SW attestation keys. Overriding this set is useful for automated end-to-end tests, for example. The default trust anchors are accessible through GOOGLE_SOFTWARE_TRUST_ANCHORS_UNTIL_A12
Tolerance in seconds added to verification date
Functions
Serialises this config into a JsonObject. Can be loaded using fromJsonObject afterwards.
Writes the JSON representation of this AttestationConfiguration to the specified file.
Serialises this config into its canonical form (JSON). Can be loaded using fromJsonString afterwards.
Serializes this AttestationConfiguration instance to a YAML-formatted string and writes it to the specified file.
Serialises this config into its canonical form (YAML). Can be loaded using fromYamlString afterwards.