• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2025 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 package com.android.devicediagnostics
17 
18 import com.google.android.attestation.CertificateRevocationStatus
19 import com.google.android.attestation.Constants
20 import com.google.android.attestation.ParsedAttestationRecord
21 import com.google.android.attestation.RootOfTrust
22 import com.google.common.collect.ImmutableList
23 import java.io.ByteArrayInputStream
24 import java.io.IOException
25 import java.nio.ByteBuffer
26 import java.security.cert.CertificateException
27 import java.security.cert.CertificateFactory
28 import java.security.cert.X509Certificate
29 import org.bouncycastle.util.encoders.Base64
30 
31 enum class AttestationResult {
32     // There was a non-network error performing attestation.
33     GENERIC_ERROR,
34     // There was a network error perform attestation.
35     NETWORK_ERROR,
36     // The certificate could not be verified.
37     UNVERIFIED,
38     // No attempt was made to verify the certificate.
39     SKIPPED_VERIFICATION,
40     // Certificate was verified but the challenge was incorrect.
41     BAD_CHALLENGE,
42     // The certificate was verified.
43     VERIFIED,
44 }
45 
46 // Verify a device's attestation record. If a challenge is provided, verify the
47 // challenge as well.
checkAttestationnull48 public fun checkAttestation(
49     attestation: ByteArray,
50     challenge: ByteArray?,
51 ): Pair<ParsedAttestationRecord?, AttestationResult> {
52     var certs: ImmutableList<X509Certificate>?
53     var record: ParsedAttestationRecord? = null
54 
55     try {
56         certs = loadCertificates(attestation)
57         record = ParsedAttestationRecord.createParsedAttestationRecord(certs)
58         if (!verifyCertificateChain(certs)) {
59             return Pair(record, AttestationResult.UNVERIFIED)
60         }
61         if (challenge != null && !record.attestationChallenge.contentEquals(challenge)) {
62             return Pair(record, AttestationResult.BAD_CHALLENGE)
63         }
64         return Pair(record, AttestationResult.VERIFIED)
65     } catch (e: Exception) {
66         // Note: set record so we can distinguish between parsing errors and network errors.
67         if (record != null && e is IOException) {
68             return Pair(record, AttestationResult.NETWORK_ERROR)
69         }
70         return Pair(record, AttestationResult.GENERIC_ERROR)
71     }
72 }
73 
isDeviceLockednull74 public fun isDeviceLocked(record: ParsedAttestationRecord): Boolean {
75     val root = record.teeEnforced.rootOfTrust
76     return root.isPresent && root.get().deviceLocked
77 }
78 
getVerifiedBootStatenull79 public fun getVerifiedBootState(record: ParsedAttestationRecord): Boolean {
80     val root = record.teeEnforced.rootOfTrust
81     if (root.isPresent && root.get().verifiedBootState == RootOfTrust.VerifiedBootState.VERIFIED) {
82         return true
83     }
84     return false
85 }
86 
verifyCertificateChainnull87 private fun verifyCertificateChain(certs: List<X509Certificate>): Boolean {
88     var parent = certs[certs.size - 1]
89     for (i in certs.indices.reversed()) {
90         val cert = certs[i]
91         // Verify that the certificate has not expired.
92         cert.checkValidity()
93         cert.verify(parent.publicKey)
94         parent = cert
95         val certStatus = CertificateRevocationStatus.fetchStatus(cert.serialNumber)
96         if (certStatus != null) {
97             throw CertificateException("Certificate revocation status is " + certStatus.status.name)
98         }
99     }
100 
101     // If the attestation is trustworthy and the device ships with hardware-
102     // backed key attestation, Android 7.0 (API level 24) or higher, and
103     // Google Play services, the root certificate should be signed with the
104     // Google attestation root key.
105     val googleRootCaPubKey = Base64.decode(Constants.GOOGLE_ROOT_CA_PUB_KEY)
106     return googleRootCaPubKey.contentEquals(certs[certs.size - 1].publicKey.encoded)
107 }
108 
loadCertificatesnull109 private fun loadCertificates(attestation: ByteArray): ImmutableList<X509Certificate> {
110     val certs = ImmutableList.Builder<X509Certificate>()
111     val factory = CertificateFactory.getInstance("X.509")
112     val buffer = ByteBuffer.wrap(attestation)
113     while (buffer.remaining() > 0) {
114         val size = buffer.int
115         val encodedCert = ByteArray(size)
116         buffer[encodedCert]
117         val inputStream = ByteArrayInputStream(encodedCert)
118         certs.add(factory.generateCertificate(inputStream) as X509Certificate)
119     }
120     return certs.build()
121 }
122