supreme-common/at.asitplus.attestation.android

Package-level declarations

Types

interface AttestationExtension<A : AttestationExtension.AuthList>

data class AttestationKeyDescription(val attestationVersion: Int, val attestationSecurityLevel: AttestationKeyDescription.SecurityLevel, val keyMintVersion: Int, val keyMintSecurityLevel: AttestationKeyDescription.SecurityLevel, val attestationChallenge: ByteArray, val uniqueId: ByteArray, val softwareEnforced: AuthorizationList, val hardwareEnforced: AuthorizationList) : Asn1Encodable<Asn1Sequence> , Identifiable, PrettyPrintable, AttestationExtension<AuthorizationList>

Attestation certificate extension used by Google. While we could use sophisticated sanity checks to ensure that only valid extensions that conform to the schema in every aspect, the reality is ugly, with device manufacturers being very creative about how and what will be encoded into softwareEnforced and hardwareEnforced. Hence, we must be able to parse extensions that are structurally valid at first glance, even when the actual values inside look like they have been through a meat grinder. As long as those values we check for during attestation validation are there and contain the values required for a successful assessment, we're golden! Hence, barely any sanity checks are enforced.

AttestationValue

sealed class AttestationValue<out A : Asn1Encodable<*>> : AuthorizationList.Tagged.WithTag<Asn1Element> , PrettyPrintable

Either type containing:

AttestationValueException

class AttestationValueException(val elementName: String, val tagged: AuthorizationList.Tagged, val source: Asn1Element) : Asn1Exception

Exception equivalent of AttestationValue.Failure

AuthorizationList

data class AuthorizationList : Asn1Encodable<Asn1Sequence> , PrettyPrintable, AttestationExtension.AuthList

Authorization List ASN.1 sequence as defined by Android’s attestation schema: https://source.android.com/docs/security/features/keystore/attestation#schema

PrettyPrintable

interface PrettyPrintable

Properties

androidAttestationExtension

val X509Certificate.androidAttestationExtension: AttestationKeyDescription?

Tries to parse an AttestationKeyDescription certificate extension, if present. Never throws.

val List<X509Certificate>.androidAttestationExtension: AttestationKeyDescription?

val X509Certificate.androidAttestationExtension: AttestationKeyDescription?

Tries to parse an AttestationKeyDescription certificate extension, if present. Never throws.

val CertificateChain.androidAttestationExtension: AttestationKeyDescription?

As per Google's parser: Parse the attestation record that is closest to the root. This prevents an adversary from attesting an attestation record of their choice with an otherwise trusted chain using the following attack:

osPatchLevelLenient

val AuthorizationList.osPatchLevelLenient: YearMonth?

YearMonth representation of AuthorizationList.osPatchLevel, but tolerating a zero-indexed month

Functions

infix fun AuthorizationList.UserAuth.Type.or(other: AuthorizationList.UserAuth.Type): Asn1Integer

infix fun AuthorizationList.UserAuth.Type.or(other: Asn1Integer): Asn1Integer

infix fun Asn1Integer.or(other: AuthorizationList.UserAuth.Type): Asn1Integer

prettyPrint

fun PrettyPrintable.prettyPrint(): String