Sample code showing how to use Android ID Attestation
Android 8 added 'ID attestation' (per https://source.android.com/security/keystore/attestation#id-attestation).
Does anyone know how to use this feature? The closest thing I found is AttestationUtils.java
(https://android.googlesource.com/platform/frameworks/base/+/master/keystore/java/android/security/keystore/AttestationUtils.java), but I don't have those APIs shipped with the Android SDK. With the P developer preview (compileSdkVersion 'android-P' and targetSdkVersion 'P'), they don't show up in my IDE.
I was able to hack around and come up with a demo that performs key/ID attestation. See https://github.com/monkey-jsun/android-id-attestation/tree/master
The program runs, but at this point I've run into two problems:
- All the hardware IDs show up as "NOT PRESENT". See below. Obviously they are there. How do I get them to appear?
- Currently we generate a key and its attestation in one step (keyPairGenerator.generateKeyPair()), because we have to request the attestation when initializing the keyPairGenerator. This is very unnatural. Is there a way to request key/ID attestation after the key has been created?
Here is a quick recap of my demo code, for quick reference only:
- Generate a key pair in the keystore with a challenge phrase
- Fetch the key pair and its certificate chain
- Display the extension data of certificate[0] with the Bouncy Castle library
For easy reference, I'm also attaching the program's output.
Getting key 'key1' ...
found the key with alias 'key1' ...
private key : android.security.keystore.AndroidKeyStoreECPrivateKey@3467522e
public key : MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOfYzvOETzK0NGmlkk3vnuDb9FilG7iiRYGJX2pQy
Syuyt2XZow5M3aseZEfD64iasieuumWx3Tn6/aiopre0cw==
what is happening ...
number certificates in the chain is 4
Attestation version: 3
Attestation Security Level: TRUSTED_ENVIRONMENT
Keymaster Version: 4
Keymaster Security Level: TRUSTED_ENVIRONMENT
Attestation Challenge: hello, this is challenge phrase [jsun]
Unique ID: []
=========
Software Enforced Authorization List:
Purpose(s): NOT PRESENT
Algorithm: NOT PRESENT
Key Size: NOT PRESENT
Digest: NOT PRESENT
Padding: NOT PRESENT
EC Curve: NOT PRESENT
RSA Public Exponent: NOT PRESENT
Rollback Resistance: false
Active DateTime: NOT PRESENT
Origination Expire DateTime: NOT PRESENT
Usage Expire DateTime: NOT PRESENT
No Auth Required: false
User Auth Type: NOT PRESENT
Auth Timeout: NOT PRESENT
Allow While On Body: false
Trusted User Presence Required: false
Trusted Confirmation Required: false
Unlocked Device Required: false
All Applications: false
Application ID: NOT PRESENT
Creation DateTime: 2020-03-07T17:58:57.143Z
Origin: NOT PRESENT
Rollback Resistant: false
OS Version: NOT PRESENT
OS Patch Level: NOT PRESENT
Attestation Application ID:
Package Infos (<package name>, <version>):
net.junsun.idattestation, 1
Signature Digests:
GGv7HVeENa6GZO4irSicN64Wz38NJ7QHsmC0Z2G7s4g=
Attestation Application ID Bytes: MEUxHzAdBBhuZXQuanVuc3VuLmlkYXR0ZXN0YXRpb24CAQExIgQgGGv7HVeENa6GZO4irSicN64Wz38NJ7QHsmC0Z2G7s4g=
Attestation ID Brand: NOT PRESENT
Attestation ID Device: NOT PRESENT
Attestation ID Product: NOT PRESENT
Attestation ID Serial: NOT PRESENT
Attestation ID IMEI: NOT PRESENT
Attestation ID MEID: NOT PRESENT
Attestation ID Manufacturer: NOT PRESENT
Attestation ID Model: NOT PRESENT
Vendor Patch Level: NOT PRESENT
Boot Patch Level: NOT PRESENT
=========
TEE Enforced Authorization List:
Purpose(s): [2, 3]
Algorithm: 3
Key Size: 256
Digest: NOT PRESENT
Padding: NOT PRESENT
EC Curve: 1
RSA Public Exponent: NOT PRESENT
Rollback Resistance: false
Active DateTime: NOT PRESENT
Origination Expire DateTime: NOT PRESENT
Usage Expire DateTime: NOT PRESENT
No Auth Required: true
User Auth Type: NOT PRESENT
Auth Timeout: NOT PRESENT
Allow While On Body: false
Trusted User Presence Required: false
Trusted Confirmation Required: false
Unlocked Device Required: false
All Applications: false
Application ID: NOT PRESENT
Creation DateTime: NOT PRESENT
Origin: 0
Rollback Resistant: false
OS Version: 100000
OS Patch Level: 202002
Attestation Application ID Bytes: NOT PRESENT
Attestation ID Brand: NOT PRESENT
Attestation ID Device: NOT PRESENT
Attestation ID Product: NOT PRESENT
Attestation ID Serial: NOT PRESENT
Attestation ID IMEI: NOT PRESENT
Attestation ID MEID: NOT PRESENT
Attestation ID Manufacturer: NOT PRESENT
Attestation ID Model: NOT PRESENT
Vendor Patch Level: 20200205
Boot Patch Level: 20200205
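As an added example (not the code in the linked repository), the decoding step above can be done without Bouncy Castle: the block below is a minimal DER reader for the KeyDescription carried in the attestation extension, run over a constructed sample rather than a real certificate, and it reports which of the attestationId* fields (tags 710 to 717 in the AOSP schema) are actually present in teeEnforced, which is exactly what "NOT PRESENT" in the output above means.

```python
# Added example, not the question's code: a minimal DER reader for the Key
# Attestation extension (OID 1.3.6.1.4.1.11129.2.1.17); sample data is constructed.
ID_TAGS = {710: "brand", 711: "device", 712: "product", 713: "serial",
           714: "imei", 715: "meid", 716: "manufacturer", 717: "model"}

def _tlv(buf, pos=0):
    """Read one DER TLV at pos -> (class bits, tag number, value, next pos)."""
    first = buf[pos]; pos += 1
    cls, tag = first & 0xC0, first & 0x1F
    if tag == 0x1F:                                 # high-tag form, e.g. [710]
        tag = 0
        while True:
            b = buf[pos]; pos += 1
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = buf[pos]; pos += 1
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return cls, tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Split a constructed DER value into its (class, tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        cls, tag, val, pos = _tlv(buf, pos)
        out.append((cls, tag, val))
    return out

def parse_key_description(der):
    """KeyDescription -> (challenge, {id name: value}); only teeEnforced counts."""
    fields = _children(_tlv(der)[2])                # unwrap the outer SEQUENCE
    challenge = fields[4][2]                        # attestationChallenge OCTET STRING
    tee_ids = {}
    for cls, tag, val in _children(fields[7][2]):   # teeEnforced AuthorizationList
        if cls == 0x80 and tag in ID_TAGS:          # [710]..[717] EXPLICIT OCTET STRING
            tee_ids[ID_TAGS[tag]] = _tlv(val)[2].decode()
    return challenge, tee_ids

def check_attestation(der, expected_challenge):
    """Verifier view: challenge matches? which IDs attested? which are NOT PRESENT?"""
    challenge, tee_ids = parse_key_description(der)
    missing = sorted(n for n in ID_TAGS.values() if n not in tee_ids)
    return challenge == expected_challenge, tee_ids, missing

# Constructed sample: v3, TEE level, challenge "hello"; teeEnforced has purpose {2,3}, brand [710]="acme", model [717]="Z9".
SAMPLE_DER = bytes.fromhex(
    "3035" "020103" "0a0101" "020104" "0a0101" "040568656c6c6f" "0400" "3000"
    "301c" "a1083106020102020103" "bf854606040461636d65" "bf854d0404025a39")
```

Only fields in teeEnforced are evidence from the TEE; softwareEnforced is filled in by the OS, so a verifier should ignore any ID that appears there.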
Regarding your first point, the device IDs are certainly stored in your device's system partition, but for attestation they must be copied into the device's TEE before the device leaves the factory.
Since ID attestation is not a mandatory requirement for Android compatibility, it is not a given that the vendor decided to provision the IDs to the TEE. It is also possible that the platform does not provide a BSP API to do so.
So if that is the case, you won't be able to get them to show up in the attestation certificate.
You can check for android.software.device_id_attestation.xml under /etc/permissions/ to see whether your device supports ID attestation.
Part of the problem may also be that ID attestation via AttestationUtils is a system API, and your app must be a system app to use those APIs. In other words, you cannot do this from a normal app.