roboto/com.android.keyattestation.verifier

Package-level declarations

Types

AttestationApplicationId

@Immutable

data class AttestationApplicationId(val packages: Set<AttestationPackageInfo>, val signatures: Set<ByteString>)

Representation of the AttestationApplicationId sequence contained within AuthorizationList.

AttestationPackageInfo

data class AttestationPackageInfo(val name: String, val version: BigInteger)

Representation of the AttestationPackageInfo sequence contained within AttestationApplicationId.

AttributeConstraint

@Immutable(containerOf = ["T"])

sealed class AttributeConstraint<out T> : Constraint

Constraint that checks a single attribute of the KeyDescription.

AuthorizationList

@Immutable

data class AuthorizationList(val purposes: Set<BigInteger>? = null, val algorithms: BigInteger? = null, val keySize: BigInteger? = null, val blockModes: Set<BigInteger>? = null, val digests: Set<BigInteger>? = null, val paddings: Set<BigInteger>? = null, val ecCurve: BigInteger? = null, val mlDsaVariant: BigInteger? = null, val rsaPublicExponent: BigInteger? = null, val rsaOaepMgfDigests: Set<BigInteger>? = null, val activeDateTime: BigInteger? = null, val originationExpireDateTime: BigInteger? = null, val usageExpireDateTime: BigInteger? = null, val noAuthRequired: Boolean? = null, val userAuthType: BigInteger? = null, val authTimeout: BigInteger? = null, val trustedUserPresenceRequired: Boolean? = null, val unlockedDeviceRequired: Boolean? = null, val creationDateTime: BigInteger? = null, val origin: Origin? = null, val rollbackResistant: Boolean? = null, val rootOfTrust: RootOfTrust? = null, val osVersion: BigInteger? = null, val osPatchLevel: PatchLevel? = null, val attestationApplicationId: AttestationApplicationId? = null, val attestationIdBrand: String? = null, val attestationIdDevice: String? = null, val attestationIdProduct: String? = null, val attestationIdSerial: String? = null, val attestationIdImei: String? = null, val attestationIdMeid: String? = null, val attestationIdManufacturer: String? = null, val attestationIdModel: String? = null, val vendorPatchLevel: PatchLevel? = null, val bootPatchLevel: PatchLevel? = null, val attestationIdSecondImei: String? = null, val moduleHash: ByteString? = null, areTagsOrdered: Boolean = true)

Representation of the AuthorizationList sequence contained within KeyDescription.

BlockMode

enum BlockMode : Enum<BlockMode>

Representation of the BlockMode enum contained within AuthorizationList.

CertPrinter

object CertPrinter

Constructs pretty-printed strings for various parts of an Android Key Attestation certificate.

ChallengeChecker

@ThreadSafe

interface ChallengeChecker

An interface to handle checking validity of challenges.

Constraint

@ThreadSafe

sealed interface Constraint

An individual limit to place on the KeyDescription from an attestation certificate.

ConstraintConfig

@ThreadSafe

class ConstraintConfig(val keyOrigin: Constraint? = null, val securityLevel: Constraint? = null, val rootOfTrust: Constraint? = null, val additionalConstraints: ImmutableList<Constraint> = ImmutableList.of())

Configuration for validating the attributes in an Android attestation certificate, as described at https://source.android.com/docs/security/features/keystore/attestation.

ConstraintConfigBuilder

class ConstraintConfigBuilder

We need a builder to support creating a ConstraintConfig, as it's a thread-safe object. A Kotlin-idiomatic builder function is provided below.

DeviceIdentity

@Immutable

data class DeviceIdentity(val brand: String? = null, val device: String? = null, val product: String? = null, val serialNumber: String? = null, val imeis: Set<String> = emptySet(), val meid: String? = null, val manufacturer: String? = null, val model: String? = null)

Digest

enum Digest : Enum<Digest>

Representation of the Digest enum contained within AuthorizationList.

EcCurve

enum EcCurve : Enum<EcCurve>

Representation of the ECCurve enum contained within AuthorizationList.

ExtensionParsingException

data class ExtensionParsingException @JvmOverloads constructor(val message: String, val reason: KeyAttestationReason? = null, val cause: Throwable? = null) : Exception

IgnoredConstraint

@Immutable

data object IgnoredConstraint : Constraint

Constraint that is always satisfied.

InstantSource

@ThreadSafe

fun interface InstantSource

Polyfill for java.time.InstantSource.

KeyAlgorithm

enum KeyAlgorithm : Enum<KeyAlgorithm>

Representation of the Algorithm enum contained within AuthorizationList.

KeyAttestationReason

enum KeyAttestationReason : CertPathValidatorException.Reason, Enum<KeyAttestationReason>

Reasons why a certificate chain could not be verified which are specific to key attestation.

KeyDescription

@Immutable

data class KeyDescription(val attestationVersion: BigInteger, val attestationSecurityLevel: SecurityLevel, val keyMintVersion: BigInteger, val keyMintSecurityLevel: SecurityLevel, val attestationChallenge: ByteString, val uniqueId: ByteString, val softwareEnforced: AuthorizationList, val hardwareEnforced: AuthorizationList)

KeyMintTag

enum KeyMintTag : Enum<KeyMintTag>

KeyMint tag names and IDs.

KeyPurpose

enum KeyPurpose : Enum<KeyPurpose>

Representation of the KeyPurpose enum contained within AuthorizationList.

LogHook

@ThreadSafe

interface LogHook

Interface for logging info level key attestation events and information.

MlDsaVariant

enum MlDsaVariant : Enum<MlDsaVariant>

Representation of the MLDsaVariant enum contained within AuthorizationList.

Origin

enum Origin : Enum<Origin>

Representation of the Origin enum contained within KeyDescription.

PatchLevel

@Immutable

data class PatchLevel(val yearMonth: YearMonth, val version: Int? = null)

ProvisioningInfoMap

@Immutable

data class ProvisioningInfoMap(val certificatesIssued: Int)

RootOfTrust

@Immutable

data class RootOfTrust(val verifiedBootKey: ByteString, val deviceLocked: Boolean, val verifiedBootState: VerifiedBootState, val verifiedBootHash: ByteString? = null)

Representation of the RootOfTrust sequence contained within AuthorizationList.

SecurityLevel

enum SecurityLevel : Enum<SecurityLevel>

Representation of the SecurityLevel enum contained within KeyDescription.

SecurityLevelConstraint

@Immutable

sealed class SecurityLevelConstraint : Constraint

Configuration for validating the attestationSecurityLevel and keyMintSecurityLevel fields in an Android attestation certificate.

TagOrderConstraint

@Immutable

sealed class TagOrderConstraint : Constraint

Configuration for validating the ordering of the attributes in the AuthorizationList sequence in an Android attestation certificate.

VerificationResult

sealed interface VerificationResult

The result of verifying an Android Key Attestation certificate chain.

VerifiedBootState

enum VerifiedBootState : Enum<VerifiedBootState>

Representation of the VerifiedBootState enum contained within RootOfTrust.

Verifier

@ThreadSafe

open class Verifier @JvmOverloads constructor(trustAnchorsSource: () -> Set<TrustAnchor>, revokedSerialsSource: () -> Set<String>, instantSource: InstantSource, constraintConfig: ConstraintConfig = ConstraintConfig())

Verifier for Android Key Attestation certificate chain.

VerifyRequestLog

interface VerifyRequestLog

Properties

SOFTWARE_ROOT

val SOFTWARE_ROOT: X509Certificate

Functions

asDataItem

fun Int.asDataItem(): Number

fun String.asDataItem(): UnicodeString

asInteger

fun DataItem.asInteger(): Int

asString

fun DataItem.asString(): String

asUnicodeString

fun DataItem.asUnicodeString(): UnicodeString

asX509Certificate

fun InputStream.asX509Certificate(): X509Certificate

fun String.asX509Certificate(): X509Certificate

Returns an X509Certificate from a String.

cborDecode

fun cborDecode(data: ByteArray): DataItem

cborEncode

fun cborEncode(dataItem: DataItem): ByteArray

constraintConfig

fun constraintConfig(init: ConstraintConfigBuilder.() -> Unit): ConstraintConfig

Implements a Kotlin-style type safe builder for creating a ConstraintConfig.

getGoogleRevocationStatusFromWeb

fun getGoogleRevocationStatusFromWeb(): Set<String>

Fetches Google's revocation status list from the web.

getRevocationStatusFromWeb

fun getRevocationStatusFromWeb(url: URL, connectionProvider: (URL) -> HttpURLConnection = { (it.openConnection() as? HttpURLConnection) ?: throw IllegalArgumentException("Could not open HttpURLConnection to $it") }): Set<String>

Fetches a revocation status list from the web.

keyDescription

fun X509Certificate.keyDescription(): KeyDescription?

Returns the Android Key Attestation extension.

parseAttestationStatus

fun parseAttestationStatus(input: InputStream): Set<String>

Parses a revocation status list from an input stream.

provisioningInfo

fun X509Certificate.provisioningInfo(): ProvisioningInfoMap?

Returns the Android Key Attestation extension for provisioning info.