roboto/at.asitplus.attestation.android

Package-level declarations

Types

Link copied to clipboard
@Serializable
data class AndroidAttestationConfiguration @JvmOverloads constructor(val applications: List<AndroidAttestationConfiguration.AppData>, val androidVersion: Int? = null, val patchLevel: PatchLevel? = null, val requireStrongBox: Boolean = false, val allowBootloaderUnlock: Boolean = false, val requireRollbackResistance: Boolean = false, val ignoreLeafValidity: Boolean = true, val verificationSecondsOffset: Long = 0, val attestationStatementValiditySeconds: Long? = null, val hardwareTrustedRoots: Set<TrustedRoot> = GOOGLE_DEFAULT_HARDWARE_TRUST_ANCHORS, val softwareTrustedRoots: Set<TrustedRoot> = GOOGLE_SOFTWARE_TRUST_ANCHORS_UNTIL_A12, val disableHardwareAttestation: Boolean = false, val enableSoftwareAttestation: Boolean = false, val requireRemoteKeyProvisioning: Boolean = false, val revocation: List<AndroidRevocationList.Loader.Configuration<*>> = listOf(AndroidRevocationList.GoogleDefaultLoaderConfig)) : AttestationConfiguration

Main Android attestation configuration class serving as ground truth for all key and app attestation verifications.

Link copied to clipboard
@Serializable
class AndroidDebugAttestationStatement(val version: String, val kind: AndroidDebugAttestationStatement.Type, val configuration: AndroidAttestationConfiguration, val verificationTime: Date, val challenge: ByteArray, val attestationStatement: List<@Serializable(with = CertPemSerializer::class) X509Certificate>, val revocationLists: List<ConfigWithList>) : DebugStatement<ParsedAttestationRecord>
Link copied to clipboard
@Serializable
data class AndroidRevocationList(val entries: Map<String, AndroidRevocationList.Entry>, val date: Instant? = null, val expires: Instant? = null, val lastModified: Instant? = null)

Represents a revocation list specific to Android attestation as per [the official specification}(https://developer.android.com/privacy-and-security/security-key-attestation#certificate_status), containing information about revoked or suspended certificates, metadata on expiration, and modification timestamps.

Link copied to clipboard
object CertPemSerializer : TransformingSerializerTemplate<X509Certificate, String>
Link copied to clipboard
@Serializable
data class ConfigWithList(val config: AndroidRevocationList.Loader.Configuration<*>, val list: AndroidRevocationList)
Link copied to clipboard
object DateTimeSerializer : KSerializer<Date>
Link copied to clipboard
Link copied to clipboard
class HardwareAttestationVerifier @JvmOverloads constructor(attestationConfiguration: AndroidAttestationConfiguration, verifyChallenge: (expected: ByteArray, actual: ByteArray) -> Boolean = { expected, actual -> expected contentEquals actual }) : Roboto
Link copied to clipboard
@Serializable
data class PatchLevel @JvmOverloads constructor(val year: Int, val month: Int, val maxFuturePatchLevelMonths: Int? = 1)

Represents a Patch level configuration property. Patch levels are defined as year and month.

Link copied to clipboard
object PubKeyBasePemSerializer : TransformingSerializerTemplate<PublicKey, String>
Link copied to clipboard
abstract class Roboto(attestationConfiguration: AndroidAttestationConfiguration, verifyChallenge: (expected: ByteArray, actual: ByteArray) -> Boolean)
Link copied to clipboard
class SoftwareAttestationVerifier @JvmOverloads constructor(attestationConfiguration: AndroidAttestationConfiguration, verifyChallenge: (expected: ByteArray, actual: ByteArray) -> Boolean = { expected, actual -> expected contentEquals actual }) : Roboto
Link copied to clipboard
@Serializable(with = TrustedRootSerializer::class)
sealed interface TrustedRoot

Represents a trusted root entity, which can either be a public key or an X.509 certificate.

Link copied to clipboard
object TrustedRootSerializer : KSerializer<TrustedRoot>

Properties

Link copied to clipboard
val DEFAULT_HARDWARE_TRUST_ANCHORS: Array<PublicKey?>

Default public keys used as trust anchors used to verify hardware attestation

Link copied to clipboard
val GOOGLE_DEFAULT_HARDWARE_TRUST_ANCHORS: Set<TrustedRoot>

Default trust anchors used to verify hardware attestation

Link copied to clipboard
Link copied to clipboard
val GOOGLE_SOFTWARE_TRUST_ANCHORS_UNTIL_A12: Set<TrustedRoot>

Default trust anchors used to verify software attestation working up to Android 12. Useful for testing. If possible, use older Android images on emulators for testing, EVEN IF THEIR ATTTESTATION ROOT IS EXPIRED, because it has a stable, fixed root cert. Newer Android emulator image keys' are a moving target due to utterly undocumented key rotation

Link copied to clipboard
const val OID_RKP: String

The object identifier containing the remote key provisioning extension.

Functions

Link copied to clipboard
infix fun Any?.contentEqualsIfArray(other: Any?): Boolean
Link copied to clipboard
fun List<X509Certificate>.getNumberOfRemotelyProvisionedCertificates(): Int?

TRIES to parse the number of remotely provisioned attestation certificates. Note that this method returning null does not necessarily mean that a remotely provisioned certificate is not present. It could very well be that the extension is present but botched. (Looking at you, Samsung!).

Link copied to clipboard
fun List<X509Certificate>.getRkpData(): Map?

Returns the parsed, but generic contents of the Remote Key Provisioning extension, if present in an Android attestation certificate chain. One would assume that we could define a type-safe data structure for that, but Samsung being Samsung has kindly reminded us of the fact that phrases like "conforms schema" are thrown around far too often in specifications.

Link copied to clipboard
fun List<X509Certificate>.isRemoteKeyProvisioned(): Boolean

Indicates whether the attestation certificate in this certificate chain is remotely provisioned.

Link copied to clipboard
fun String.parseHex(): ByteArray

Leniently (ignore case, and whitespace) parse hex to bytes

Generated by Dokka
© 2026 Copyright