KeyAttestationCertPath
CertPath representing an Android key attestation certificate chain.
The expected input is a full key attestation certificate chain (i.e. the output of KeyStore.getCertificateChain()) in the following order:
Leaf certificate (containing the extension)
Attestation certificate (contains the ProvisioningInfo extension if remotely provisioned)
Intermediate certificate (not present if software-backed attestation)
Intermediate certificate (only present if remotely provisioned)
Root certificate
The last certificate in the chain is the trust anchor and is not included in the resulting CertPath: "By convention, the certificates in a CertPath object of type X.509 are ordered starting with the target certificate and ending with a certificate issued by the trust anchor. That is, the issuer of one certificate is the subject of the following one. The certificate representing the TrustAnchor should not be included in the certification path."
https://docs.oracle.com/en/java/javase/21/security/java-pki-programmers-guide.html#GUID-E47B8A0E-6B3A-4B49-994D-CF185BF441EC