KeyAttestationExample
This is an illustration of how you can use the Bouncy Castle ASN.1 parser to extract information from an Android key attestation data structure. On a secure server that you trust, implement similar logic to verify that a key pair was generated inside an Android device. The app on the device must retrieve the key's certificate chain using KeyStore.getCertificateChain() and then send the chain's contents to the trusted server.
In this example, the certificate chain includes hard-coded excerpts of each certificate.
This example demonstrates the following tasks:
1. Loading the certificates from PEM-encoded strings.
2. Verifying the certificate chain, up to the root. Note that this example does NOT require the root certificate to appear within Google's list of root certificates. However, if you're verifying the properties of hardware-backed keys on a device that ships with hardware-level key attestation, Android 7.0 (API level 24) or higher, and Google Play services, your production code should enforce this requirement.
3. Checking if any certificate in the chain has been revoked or suspended.
4. Extracting the attestation extension data from the attestation certificate.
5. Verifying (and printing) several important data elements from the attestation extension.
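The five steps above carried through as one worked Java example. This is an added illustration, not the sample project's own code. It assumes the Bouncy Castle provider jar (bcprov) is on the classpath and Java 11 or later is used; the PEM files and the expected challenge are supplied on the command line (attestation certificate first, root last, the order KeyStore.getCertificateChain() returns). The revoked-serial set is an empty constructed placeholder and no root is pinned, which matches what the sample does; a production server would fill the set from its revocation source and pass a trusted Google root certificate as the pinned root. The class name AttestationChainCheck and all method names are assumptions for this example.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;

// Added example (not the sample's own code): runs steps 1-5 on a chain read from PEM files.
public class AttestationChainCheck {
    // OID of the Android key attestation extension that carries the KeyDescription structure.
    static final String KEY_DESCRIPTION_OID = "1.3.6.1.4.1.11129.2.1.17";
    // Field positions inside the KeyDescription SEQUENCE.
    static final int ATTESTATION_VERSION = 0, ATTESTATION_SECURITY_LEVEL = 1,
            KEYMASTER_VERSION = 2, KEYMASTER_SECURITY_LEVEL = 3, ATTESTATION_CHALLENGE = 4;
    static final String[] SECURITY_LEVELS = {"Software", "TrustedEnvironment", "StrongBox"};

    // Step 1: parse one PEM-encoded certificate.
    static X509Certificate loadPem(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    // Step 2: each certificate must be inside its validity period and carry a valid
    // signature from the next one up; the last one must be self-signed. When a pinned
    // root is given, the chain must end in a certificate with exactly that public key.
    static void verifyChain(List<X509Certificate> chain, X509Certificate pinnedRoot) throws Exception {
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            cert.checkValidity();
            X509Certificate issuer = (i + 1 < chain.size()) ? chain.get(i + 1) : cert;
            cert.verify(issuer.getPublicKey()); // throws on a signature mismatch
        }
        X509Certificate root = chain.get(chain.size() - 1);
        if (pinnedRoot != null && !Arrays.equals(root.getPublicKey().getEncoded(),
                pinnedRoot.getPublicKey().getEncoded())) {
            throw new SecurityException("chain does not end in the pinned root");
        }
    }

    // Step 3: reject the chain if any serial number is on the revoked/suspended list.
    static void checkRevocation(List<X509Certificate> chain, Set<BigInteger> revokedSerials) {
        for (X509Certificate cert : chain) {
            if (revokedSerials.contains(cert.getSerialNumber())) {
                throw new SecurityException("revoked certificate, serial " + cert.getSerialNumber().toString(16));
            }
        }
    }

    // Step 4: the extension value is an OCTET STRING whose content is the DER-encoded
    // KeyDescription SEQUENCE; both layers are unwrapped with Bouncy Castle's ASN.1 classes.
    static ASN1Sequence keyDescription(X509Certificate attestationCert) throws Exception {
        byte[] extValue = attestationCert.getExtensionValue(KEY_DESCRIPTION_OID);
        if (extValue == null) throw new SecurityException("no key attestation extension");
        byte[] der = ASN1OctetString.getInstance(ASN1Primitive.fromByteArray(extValue)).getOctets();
        return ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(der));
    }

    // Step 5: the challenge must equal the nonce the server issued for this request,
    // otherwise a captured attestation could be replayed; the other fields are printed.
    static void checkKeyDescription(ASN1Sequence kd, byte[] expectedChallenge) {
        byte[] challenge = ASN1OctetString.getInstance(kd.getObjectAt(ATTESTATION_CHALLENGE)).getOctets();
        if (!MessageDigest.isEqual(challenge, expectedChallenge)) {
            throw new SecurityException("attestation challenge does not match");
        }
        System.out.println("attestationVersion: " + ASN1Integer.getInstance(kd.getObjectAt(ATTESTATION_VERSION)).getValue());
        System.out.println("attestationSecurityLevel: " + levelName(kd, ATTESTATION_SECURITY_LEVEL));
        System.out.println("keymasterVersion: " + ASN1Integer.getInstance(kd.getObjectAt(KEYMASTER_VERSION)).getValue());
        System.out.println("keymasterSecurityLevel: " + levelName(kd, KEYMASTER_SECURITY_LEVEL));
    }

    // Maps the SecurityLevel ENUMERATED value to its name, tolerating values newer than this table.
    static String levelName(ASN1Sequence kd, int index) {
        int level = ASN1Enumerated.getInstance(kd.getObjectAt(index)).getValue().intValue();
        return level < SECURITY_LEVELS.length ? SECURITY_LEVELS[level] : "unknown(" + level + ")";
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Usage: java AttestationChainCheck <challenge-hex> leaf.pem [intermediate.pem ...] root.pem
    public static void main(String[] args) throws Exception {
        byte[] expectedChallenge = hexToBytes(args[0]);
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            chain.add(loadPem(Files.readString(Paths.get(args[i]))));
        }
        Set<BigInteger> revokedSerials = new HashSet<>(); // constructed placeholder: fill from your revocation source
        verifyChain(chain, null); // pass a trusted Google root certificate here to pin the chain
        checkRevocation(chain, revokedSerials);
        checkKeyDescription(keyDescription(chain.get(0)), expectedChallenge);
        System.out.println("attestation chain verified");
    }
}
```

Any failure in steps 2, 3 or 5 throws before the key is trusted, so the server never acts on a chain it could not fully verify. The challenge comparison uses MessageDigest.isEqual so that the check does not leak how many leading bytes matched, and the enumerated security level is looked up through a bounds check so a value newer than this table cannot cause an index error.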