roboto/at.asitplus.attestation.android

Package-level declarations

Types

typealias ~~AndroidAttestationChecker~~ = Roboto

@Serializable

data class AndroidAttestationConfiguration @JvmOverloads constructor(val applications: List<AndroidAttestationConfiguration.AppData>, val androidVersion: Int? = null, patchLevel: PatchLevel? = null, val requireStrongBox: Boolean = false, val allowBootloaderUnlock: Boolean = false, val requireRollbackResistance: Boolean = false, val ignoreLeafValidity: Boolean = true, val verificationSecondsOffset: Long = 0, val attestationStatementValiditySeconds: Long? = 5 * 60, val hardwareTrustedRoots: Set<TrustedRoot> = GOOGLE_DEFAULT_HARDWARE_TRUST_ANCHORS, val softwareTrustedRoots: Set<TrustedRoot> = GOOGLE_SOFTWARE_TRUST_ANCHORS_UNTIL_A11, val disableHardwareAttestation: Boolean = false, val enableNougatAttestation: Boolean = false, val enableSoftwareAttestation: Boolean = false, val requireRemoteKeyProvisioning: Boolean = false, val httpProxy: String? = null)

Main Android attestation configuration class serving as ground truth for all key and app attestation verifications.

AndroidDebugAttestationStatement

@Serializable

class AndroidDebugAttestationStatement(val kind: AndroidDebugAttestationStatement.Type, val configuration: AndroidAttestationConfiguration, val verificationTime: Date, val challenge: ByteArray, val attestationStatement: List<@Serializable(with = CertPemSerializer::class) X509Certificate>)

CertPemSerializer

object CertPemSerializer : TransformingSerializerTemplate<X509Certificate, String>

DateTimeSerializer

object DateTimeSerializer : KSerializer<Date>

EternalX509Certificate

class EternalX509Certificate(delegate: X509Certificate) : X509Certificate

HardwareAttestationChecker

typealias ~~HardwareAttestationChecker~~ = HardwareAttestationVerifier

HardwareAttestationVerifier

class HardwareAttestationVerifier @JvmOverloads constructor(attestationConfiguration: AndroidAttestationConfiguration, verifyChallenge: (expected: ByteArray, actual: ByteArray) -> Boolean = { expected, actual -> expected contentEquals actual }) : Roboto

NougatHybridAttestationChecker

typealias ~~NougatHybridAttestationChecker~~ = NougatHybridAttestationVerifier

NougatHybridAttestationVerifier

class NougatHybridAttestationVerifier @JvmOverloads constructor(attestationConfiguration: AndroidAttestationConfiguration, verifyChallenge: (expected: ByteArray, actual: ByteArray) -> Boolean = { expected, actual -> expected contentEquals actual }) : Roboto

PatchLevel

@Serializable

data class PatchLevel @JvmOverloads constructor(val year: Int, val month: Int, val maxFuturePatchLevelMonths: Int? = 1)

Represents a Patch level configuration property. Patch levels are defined as year and month.

PubKeyBasePemSerializer

object PubKeyBasePemSerializer : TransformingSerializerTemplate<PublicKey, String>

Roboto

abstract class Roboto(attestationConfiguration: AndroidAttestationConfiguration, verifyChallenge: (expected: ByteArray, actual: ByteArray) -> Boolean)

SoftwareAttestationChecker

typealias ~~SoftwareAttestationChecker~~ = SoftwareAttestationVerifier

SoftwareAttestationVerifier

class SoftwareAttestationVerifier @JvmOverloads constructor(attestationConfiguration: AndroidAttestationConfiguration, verifyChallenge: (expected: ByteArray, actual: ByteArray) -> Boolean = { expected, actual -> expected contentEquals actual }) : Roboto

TrustedRoot

@Serializable(with = TrustedRootSerializer::class)

sealed interface TrustedRoot

Represents a trusted root entity, which can either be a public key or an X.509 certificate.

TrustedRootSerializer

object TrustedRootSerializer : KSerializer<TrustedRoot>

Properties

DEFAULT_HARDWARE_TRUST_ANCHORS

val ~~DEFAULT_HARDWARE_TRUST_ANCHORS~~: Array<PublicKey>

Default public keys used as trust anchors used to verify hardware attestation

DEFAULT_SOFTWARE_TRUST_ANCHORS

val ~~DEFAULT_SOFTWARE_TRUST_ANCHORS~~: Array<PublicKey>

Default public keys used as trust anchors used to verify software attestation

GOOGLE_DEFAULT_HARDWARE_TRUST_ANCHORS

val GOOGLE_DEFAULT_HARDWARE_TRUST_ANCHORS: Set<TrustedRoot>

Default trust anchors used to verify hardware attestation

GOOGLE_RKP_EC_ROOT

val GOOGLE_RKP_EC_ROOT: <Error class: unknown class>

GOOGLE_SOFTWARE_TRUST_ANCHORS_UNTIL_A11

val GOOGLE_SOFTWARE_TRUST_ANCHORS_UNTIL_A11: Set<TrustedRoot>

Default trust anchors used to verify software attestation working up to Android 11. Useful for testing.

OID_RKP

const val OID_RKP: String

The object identifier containing the remote key provisioning extension.

Functions

contentEqualsIfArray

infix fun Any?.contentEqualsIfArray(other: Any?): Boolean

contentHashCodeIfArray

inline fun Any.contentHashCodeIfArray(): Int

getNumberOfRemotelyProvisionedCertificates

fun List<X509Certificate>.getNumberOfRemotelyProvisionedCertificates(): Int?

TRIES to parse the number of remotely provisioned attestation certificates. Note that this method returning null does not necessarily mean that a remotely provisioned certificate is not present. It could very well be that the extension is present but botched. (Looking at you, Samsung!).

getRkpData

fun List<X509Certificate>.getRkpData(): Map?

Returns the parsed, but generic contents of the [Remote Key Provisioning

isRemoteKeyProvisioned

fun List<X509Certificate>.isRemoteKeyProvisioned(): Boolean

Indicates whether the attestation certificate in this certificate chain is remotely provisioned.

parseHex

fun String.parseHex(): ByteArray

Leniently (ignore case, and whitespace) parse hex to bytes

setup

fun HttpClientConfig<*>.setup(proxyUrl: String?): <Error class: unknown class>