I was able to hack around and came up with some demo code that does Key/ID attestation. See https://github.com/monkey-jsun/android-id-attestation/tree/master
While the program runs, I have two problems at the moment:
- All the hardware IDs are shown as "NOT PRESENT" (see below). Clearly they are there. How do I make them appear?
- Currently we generate a key and its attestation in one step (keyPairGenerator.generateKeyPair()) because we have to request attestation when initializing keyPairGenerator. This is very unnatural. Is there a way to request key/ID attestation after the key is created?
Here is a quick recap of my demo code for reference:
- generate a key pair with challenge phrase in keystore
- fetch the key pair and its certificate chain
- display cert[0] extension data with bouncy castle library
I also attached the output of the program for easy reference.
Getting key 'key1' ...
found the key with alias 'key1' ...
private key : android.security.keystore.AndroidKeyStoreECPrivateKey@3467522e
public key : MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOfYzvOETzK0NGmlkk3vnuDb9FilG7iiRYGJX2pQy
Syuyt2XZow5M3aseZEfD64iasieuumWx3Tn6/aiopre0cw==
what is happening ...
number certificates in the chain is 4
Attestation version: 3
Attestation Security Level: TRUSTED_ENVIRONMENT
Keymaster Version: 4
Keymaster Security Level: TRUSTED_ENVIRONMENT
Attestation Challenge: hello, this is challenge phrase [jsun]
Unique ID: []
=========
Software Enforced Authorization List:
Purpose(s): NOT PRESENT
Algorithm: NOT PRESENT
Key Size: NOT PRESENT
Digest: NOT PRESENT
Padding: NOT PRESENT
EC Curve: NOT PRESENT
RSA Public Exponent: NOT PRESENT
Rollback Resistance: false
Active DateTime: NOT PRESENT
Origination Expire DateTime: NOT PRESENT
Usage Expire DateTime: NOT PRESENT
No Auth Required: false
User Auth Type: NOT PRESENT
Auth Timeout: NOT PRESENT
Allow While On Body: false
Trusted User Presence Required: false
Trusted Confirmation Required: false
Unlocked Device Required: false
All Applications: false
Application ID: NOT PRESENT
Creation DateTime: 2020-03-07T17:58:57.143Z
Origin: NOT PRESENT
Rollback Resistant: false
OS Version: NOT PRESENT
OS Patch Level: NOT PRESENT
Attestation Application ID:
Package Infos (<package name>, <version>):
net.junsun.idattestation, 1
Signature Digests:
GGv7HVeENa6GZO4irSicN64Wz38NJ7QHsmC0Z2G7s4g=
Attestation Application ID Bytes: MEUxHzAdBBhuZXQuanVuc3VuLmlkYXR0ZXN0YXRpb24CAQExIgQgGGv7HVeENa6GZO4irSicN64Wz38NJ7QHsmC0Z2G7s4g=
Attestation ID Brand: NOT PRESENT
Attestation ID Device: NOT PRESENT
Attestation ID Product: NOT PRESENT
Attestation ID Serial: NOT PRESENT
Attestation ID IMEI: NOT PRESENT
Attestation ID MEID: NOT PRESENT
Attestation ID Manufacturer: NOT PRESENT
Attestation ID Model: NOT PRESENT
Vendor Patch Level: NOT PRESENT
Boot Patch Level: NOT PRESENT
=========
TEE Enforced Authorization List:
Purpose(s): [2, 3]
Algorithm: 3
Key Size: 256
Digest: NOT PRESENT
Padding: NOT PRESENT
EC Curve: 1
RSA Public Exponent: NOT PRESENT
Rollback Resistance: false
Active DateTime: NOT PRESENT
Origination Expire DateTime: NOT PRESENT
Usage Expire DateTime: NOT PRESENT
No Auth Required: true
User Auth Type: NOT PRESENT
Auth Timeout: NOT PRESENT
Allow While On Body: false
Trusted User Presence Required: false
Trusted Confirmation Required: false
Unlocked Device Required: false
All Applications: false
Application ID: NOT PRESENT
Creation DateTime: NOT PRESENT
Origin: 0
Rollback Resistant: false
OS Version: 100000
OS Patch Level: 202002
Attestation Application ID Bytes: NOT PRESENT
Attestation ID Brand: NOT PRESENT
Attestation ID Device: NOT PRESENT
Attestation ID Product: NOT PRESENT
Attestation ID Serial: NOT PRESENT
Attestation ID IMEI: NOT PRESENT
Attestation ID MEID: NOT PRESENT
Attestation ID Manufacturer: NOT PRESENT
Attestation ID Model: NOT PRESENT
Vendor Patch Level: 20200205
Boot Patch Level: 20200205
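As an added example (not code from the linked repository), the same two steps the recap lists, key generation with a challenge and Bouncy Castle parsing of cert[0], written as a small checker that verifies the challenge and pulls whichever attestation ID entries the TEE-enforced list carries. It assumes the app bundles org.bouncycastle; the class name and alias are constructed, and on API 31+ it uses KeyGenParameterSpec.Builder.setDevicePropertiesAttestationIncluded, which requests brand/device/product/manufacturer/model without privileged permissions (serial, IMEI and MEID are not covered by it).

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
public final class IdAttestationDemo { // constructed class name for this example
    static final String ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.17";
    // AuthorizationList carries the IDs as explicit tags [710]..[717], in this order.
    static final int FIRST_ID_TAG = 710;
    static final String[] ID_NAMES = {"brand", "device", "product", "serial", "imei", "meid", "manufacturer", "model"};
    /** Generates an EC key in AndroidKeyStore; attestation can only be requested here, at generation time. */
    static Certificate[] generateAttestedKey(String alias, byte[] challenge) throws Exception {
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
            .setDigests(KeyProperties.DIGEST_SHA256).setAttestationChallenge(challenge);
        // API 31+: asks for brand/device/product/manufacturer/model; serial, IMEI and MEID stay privileged.
        if (android.os.Build.VERSION.SDK_INT >= 31) b.setDevicePropertiesAttestationIncluded(true);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(b.build()); kpg.generateKeyPair();
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        return ks.getCertificateChain(alias);
    }
    /** Checks the challenge in cert[0], then returns whichever attestation IDs the TEE-enforced list carries. */
    static Map<String, String> readTeeEnforcedIds(X509Certificate leaf, byte[] expected) throws Exception {
        byte[] ext = leaf.getExtensionValue(ATTESTATION_OID);
        if (ext == null) throw new IllegalStateException("no key attestation extension in cert[0]");
        // The extension value is an OCTET STRING wrapping the DER-encoded KeyDescription SEQUENCE.
        ASN1OctetString wrapper = ASN1OctetString.getInstance(ASN1Primitive.fromByteArray(ext));
        ASN1Sequence keyDesc = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(wrapper.getOctets()));
        byte[] challenge = ASN1OctetString.getInstance(keyDesc.getObjectAt(4)).getOctets();
        if (!Arrays.equals(challenge, expected)) throw new SecurityException("attestation challenge mismatch");
        ASN1Sequence tee = ASN1Sequence.getInstance(keyDesc.getObjectAt(7)); // index 6 is softwareEnforced
        Map<String, String> ids = new HashMap<>();
        for (int i = 0; i < tee.size(); i++) {
            ASN1TaggedObject t = ASN1TaggedObject.getInstance(tee.getObjectAt(i));
            int idx = t.getTagNo() - FIRST_ID_TAG;
            if (idx >= 0 && idx < ID_NAMES.length) ids.put(ID_NAMES[idx],
                new String(ASN1OctetString.getInstance(t, true).getOctets(), java.nio.charset.StandardCharsets.US_ASCII));
        }
        return ids;
    }
}
```

An empty map from readTeeEnforcedIds on a device that does support ID attestation means the IDs were never requested, which is also why the output above shows them all as NOT PRESENT; the software-enforced list is never the place to look for them.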