1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
/*
* Copyright (C) 2017 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.security.keystore;
import android.Manifest;
import android.annotation.NonNull;
import android.annotation.RequiresPermission;
import android.annotation.SystemApi;
import android.annotation.TestApi;
import android.content.Context;
import android.os.Build;
import android.security.KeyStore;
import android.security.KeyStoreException;
import android.security.keymaster.KeymasterArguments;
import android.security.keymaster.KeymasterCertificateChain;
import android.security.keymaster.KeymasterDefs;
import android.telephony.TelephonyManager;
import android.util.ArraySet;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Set;
/**
* Utilities for attesting the device's hardware identifiers.
*
* @hide
*/
@SystemApi
@TestApi
public abstract class AttestationUtils {
private AttestationUtils() {
}
/**
* Specifies that the device should attest its serial number. For use with
* {@link #attestDeviceIds}.
*
* @see #attestDeviceIds
*/
public static final int ID_TYPE_SERIAL = 1;
/**
* Specifies that the device should attest its IMEIs. For use with {@link #attestDeviceIds}.
*
* @see #attestDeviceIds
*/
public static final int ID_TYPE_IMEI = 2;
/**
* Specifies that the device should attest its MEIDs. For use with {@link #attestDeviceIds}.
*
* @see #attestDeviceIds
*/
public static final int ID_TYPE_MEID = 3;
/**
* Performs attestation of the device's identifiers. This method returns a certificate chain
* whose first element contains the requested device identifiers in an extension. The device's
* manufacturer, model, brand, device and product are always also included in the attestation.
* If the device supports attestation in secure hardware, the chain will be rooted at a
* trustworthy CA key. Otherwise, the chain will be rooted at an untrusted certificate. See
* <a href="https://developer.android.com/training/articles/security-key-attestation.html">
* Key Attestation</a> for the format of the certificate extension.
* <p>
* Attestation will only be successful when all of the following are true:
* 1) The device has been set up to support device identifier attestation at the factory.
* 2) The user has not permanently disabled device identifier attestation.
* 3) You have permission to access the device identifiers you are requesting attestation for.
* <p>
* For privacy reasons, you cannot distinguish between (1) and (2). If attestation is
* unsuccessful, the device may not support it in general or the user may have permanently
* disabled it.
*
* @param context the context to use for retrieving device identifiers.
* @param idTypes the types of device identifiers to attest.
* @param attestationChallenge a blob to include in the certificate alongside the device
* identifiers.
*
* @return a certificate chain containing the requested device identifiers in the first element
*
* @exception SecurityException if you are not permitted to obtain an attestation of the
* device's identifiers.
* @exception DeviceIdAttestationException if the attestation operation fails.
*/
@RequiresPermission(Manifest.permission.READ_PRIVILEGED_PHONE_STATE)
@NonNull public static X509Certificate[] attestDeviceIds(Context context,
@NonNull int[] idTypes, @NonNull byte[] attestationChallenge) throws
DeviceIdAttestationException {
// Check method arguments, retrieve requested device IDs and prepare attestation arguments.
if (idTypes == null) {
throw new NullPointerException("Missing id types");
}
if (attestationChallenge == null) {
throw new NullPointerException("Missing attestation challenge");
}
final KeymasterArguments attestArgs = new KeymasterArguments();
attestArgs.addBytes(KeymasterDefs.KM_TAG_ATTESTATION_CHALLENGE, attestationChallenge);
final Set<Integer> idTypesSet = new ArraySet<>(idTypes.length);
for (int idType : idTypes) {
idTypesSet.add(idType);
}
TelephonyManager telephonyService = null;
if (idTypesSet.contains(ID_TYPE_IMEI) || idTypesSet.contains(ID_TYPE_MEID)) {
telephonyService = (TelephonyManager) context.getSystemService(
Context.TELEPHONY_SERVICE);
if (telephonyService == null) {
throw new DeviceIdAttestationException("Unable to access telephony service");
}
}
for (final Integer idType : idTypesSet) {
switch (idType) {
case ID_TYPE_SERIAL:
attestArgs.addBytes(KeymasterDefs.KM_TAG_ATTESTATION_ID_SERIAL,
Build.getSerial().getBytes(StandardCharsets.UTF_8));
break;
case ID_TYPE_IMEI: {
final String imei = telephonyService.getImei(0);
if (imei == null) {
throw new DeviceIdAttestationException("Unable to retrieve IMEI");
}
attestArgs.addBytes(KeymasterDefs.KM_TAG_ATTESTATION_ID_IMEI,
imei.getBytes(StandardCharsets.UTF_8));
break;
}
case ID_TYPE_MEID: {
final String meid = telephonyService.getDeviceId();
if (meid == null) {
throw new DeviceIdAttestationException("Unable to retrieve MEID");
}
attestArgs.addBytes(KeymasterDefs.KM_TAG_ATTESTATION_ID_MEID,
meid.getBytes(StandardCharsets.UTF_8));
break;
}
default:
throw new IllegalArgumentException("Unknown device ID type " + idType);
}
}
attestArgs.addBytes(KeymasterDefs.KM_TAG_ATTESTATION_ID_BRAND,
Build.BRAND.getBytes(StandardCharsets.UTF_8));
attestArgs.addBytes(KeymasterDefs.KM_TAG_ATTESTATION_ID_DEVICE,
Build.DEVICE.getBytes(StandardCharsets.UTF_8));
attestArgs.addBytes(KeymasterDefs.KM_TAG_ATTESTATION_ID_PRODUCT,
Build.PRODUCT.getBytes(StandardCharsets.UTF_8));
attestArgs.addBytes(KeymasterDefs.KM_TAG_ATTESTATION_ID_MANUFACTURER,
Build.MANUFACTURER.getBytes(StandardCharsets.UTF_8));
attestArgs.addBytes(KeymasterDefs.KM_TAG_ATTESTATION_ID_MODEL,
Build.MODEL.getBytes(StandardCharsets.UTF_8));
// Perform attestation.
final KeymasterCertificateChain outChain = new KeymasterCertificateChain();
final int errorCode = KeyStore.getInstance().attestDeviceIds(attestArgs, outChain);
if (errorCode != KeyStore.NO_ERROR) {
throw new DeviceIdAttestationException("Unable to perform attestation",
KeyStore.getKeyStoreException(errorCode));
}
// Extract certificate chain.
final Collection<byte[]> rawChain = outChain.getCertificates();
if (rawChain.size() < 2) {
throw new DeviceIdAttestationException("Attestation certificate chain contained "
+ rawChain.size() + " entries. At least two are required.");
}
final ByteArrayOutputStream concatenatedRawChain = new ByteArrayOutputStream();
try {
for (final byte[] cert : rawChain) {
concatenatedRawChain.write(cert);
}
return CertificateFactory.getInstance("X.509").generateCertificates(
new ByteArrayInputStream(concatenatedRawChain.toByteArray()))
.toArray(new X509Certificate[0]);
} catch (Exception e) {
throw new DeviceIdAttestationException("Unable to construct certificate chain", e);
}
}
}
|
