roboto/com.android.keyattestation.verifier

Package-level declarations

Types

AttestationApplicationId

@Immutable

data class AttestationApplicationId(val packages: Set<AttestationPackageInfo>, val signatures: Set<ByteString>)

Representation of the AttestationApplicationId sequence contained within AuthorizationList.

AttestationPackageInfo

data class AttestationPackageInfo(val name: String, val version: BigInteger)

Representation of the AttestationPackageInfo sequence contained within AttestationApplicationId.

AuthorizationList

@Immutable

data class AuthorizationList(val purposes: Set<BigInteger>? = null, val algorithms: BigInteger? = null, val keySize: BigInteger? = null, val blockModes: Set<BigInteger>? = null, val digests: Set<BigInteger>? = null, val paddings: Set<BigInteger>? = null, val ecCurve: BigInteger? = null, val rsaPublicExponent: BigInteger? = null, val rsaOaepMgfDigests: Set<BigInteger>? = null, val activeDateTime: BigInteger? = null, val originationExpireDateTime: BigInteger? = null, val usageExpireDateTime: BigInteger? = null, val noAuthRequired: Boolean? = null, val userAuthType: BigInteger? = null, val authTimeout: BigInteger? = null, val trustedUserPresenceRequired: Boolean? = null, val unlockedDeviceRequired: Boolean? = null, val creationDateTime: BigInteger? = null, val origin: Origin? = null, val rollbackResistant: Boolean? = null, val rootOfTrust: RootOfTrust? = null, val osVersion: BigInteger? = null, val osPatchLevel: PatchLevel? = null, val attestationApplicationId: AttestationApplicationId? = null, val attestationIdBrand: String? = null, val attestationIdDevice: String? = null, val attestationIdProduct: String? = null, val attestationIdSerial: String? = null, val attestationIdImei: String? = null, val attestationIdMeid: String? = null, val attestationIdManufacturer: String? = null, val attestationIdModel: String? = null, val vendorPatchLevel: PatchLevel? = null, val bootPatchLevel: PatchLevel? = null, val attestationIdSecondImei: String? = null, val moduleHash: ByteString? = null)

Representation of the AuthorizationList sequence contained within KeyDescription.

ChallengeChecker

@ThreadSafe

interface ChallengeChecker

An interface to handle checking validity of challenges.

DeviceIdentity

@Immutable

data class DeviceIdentity(val brand: String? = null, val device: String? = null, val product: String? = null, val serialNumber: String? = null, val imeis: Set<String> = emptySet(), val meid: String? = null, val manufacturer: String? = null, val model: String? = null)

ExtensionConstraintConfig

@ThreadSafe

data class ExtensionConstraintConfig(val keyOrigin: ValidationLevel<Origin> = ValidationLevel.STRICT(Origin.GENERATED), val securityLevel: ValidationLevel<KeyDescription> = SecurityLevelValidationLevel.STRICT(SecurityLevel.TRUSTED_ENVIRONMENT), val rootOfTrust: ValidationLevel<RootOfTrust> = ValidationLevel.NOT_NULL)

Configuration for validating the extensions in an Android attestation certificate, as described at https://source.android.com/docs/security/features/keystore/attestation.

ExtensionParsingException

@Immutable

data class ExtensionParsingException(val msg: String, val reason: KeyAttestationReason? = null) : Exception

InstantSource

@ThreadSafe

fun interface InstantSource

Polyfill for java.time.InstantSource.

KeyAttestationReason

enum KeyAttestationReason : CertPathValidatorException.Reason, Enum<KeyAttestationReason>

Reasons why a certificate chain could not be verified which are specific to key attestation.

KeyDescription

@Immutable

data class KeyDescription(val attestationVersion: BigInteger, val attestationSecurityLevel: SecurityLevel, val keyMintVersion: BigInteger, val keyMintSecurityLevel: SecurityLevel, val attestationChallenge: ByteString, val uniqueId: ByteString, val softwareEnforced: AuthorizationList, val hardwareEnforced: AuthorizationList)

KeyMintTag

enum KeyMintTag : Enum<KeyMintTag>

KeyMint tag names and IDs.

LogHook

@ThreadSafe

interface LogHook

Interface for logging info level key attestation events and information.

Origin

enum Origin : Enum<Origin>

Representation of the Origin enum contained within KeyDescription.

PatchLevel

@Immutable

data class PatchLevel(val yearMonth: YearMonth, val version: Int? = null)

ProvisioningInfoMap

@Immutable

data class ProvisioningInfoMap(val certificatesIssued: Int)

RootOfTrust

@Immutable

data class RootOfTrust(val verifiedBootKey: ByteString, val deviceLocked: Boolean, val verifiedBootState: VerifiedBootState, val verifiedBootHash: ByteString? = null)

Representation of the RootOfTrust sequence contained within AuthorizationList.

SecurityLevel

enum SecurityLevel : Enum<SecurityLevel>

Representation of the SecurityLevel enum contained within KeyDescription.

SecurityLevelValidationLevel

@Immutable

sealed class SecurityLevelValidationLevel : ValidationLevel<KeyDescription>

Configuration for validating the attestationSecurityLevel and keyMintSecurityLevel fields in an Android attestation certificate.

ValidationLevel

@Immutable(containerOf = ["T"])

sealed interface ValidationLevel<out T>

Configuration for validating a single extension in an Android attestation certificate.

VerificationResult

sealed interface VerificationResult

The result of verifying an Android Key Attestation certificate chain.

VerifiedBootState

enum VerifiedBootState : Enum<VerifiedBootState>

Representation of the VerifiedBootState enum contained within RootOfTrust.

Verifier

@ThreadSafe

open class Verifier @JvmOverloads constructor(trustAnchorsSource: () -> Set<TrustAnchor>, revokedSerialsSource: () -> Set<String>, instantSource: InstantSource, extensionConstraintConfig: ExtensionConstraintConfig = ExtensionConstraintConfig())

Verifier for Android Key Attestation certificate chain.

VerifyRequestLog

interface VerifyRequestLog

Properties

SOFTWARE_ROOT

val SOFTWARE_ROOT: X509Certificate

Functions

asDataItem

fun Int.asDataItem(): Number

fun String.asDataItem(): UnicodeString

asInteger

fun DataItem.asInteger(): Int

asString

fun DataItem.asString(): String

asUnicodeString

fun DataItem.asUnicodeString(): UnicodeString

asX509Certificate

fun InputStream.asX509Certificate(): X509Certificate

fun String.asX509Certificate(): X509Certificate

Returns an X509Certificate from a String.

cborDecode

fun cborDecode(data: ByteArray): DataItem

cborEncode

fun cborEncode(dataItem: DataItem): ByteArray

getGoogleRevocationStatusFromWeb

fun getGoogleRevocationStatusFromWeb(): Set<String>

Fetches Google's revocation status list from the web.

getRevocationStatusFromWeb

fun getRevocationStatusFromWeb(url: URL, connectionProvider: (URL) -> HttpURLConnection = { (it.openConnection() as? HttpURLConnection) ?: throw IllegalArgumentException("Could not open HttpURLConnection to $it") }): Set<String>

Fetches a revocation status list from the web.

keyDescription

fun X509Certificate.keyDescription(): KeyDescription

Returns the Android Key Attestation extension.

parseAttestationStatus

fun parseAttestationStatus(input: InputStream): Set<String>

Parses a revocation status list from an input stream.

provisioningInfo

fun X509Certificate.provisioningInfo(): ProvisioningInfoMap?

Returns the Android Key Attestation extension for provisioning info.