Android 8 added 'ID attestation' (according to https://source.android.com/security/keystore/attestation#id-attestation).
Has anyone figured out how to use this feature? The closest I've found is AttestationUtils.java
(https://android.googlesource.com/platform/frameworks/base/+/master/keystore/java/android/security/keystore/AttestationUtils.java), but I don't think any of those APIs ship with the Android SDK. They don't appear in my IDE when using the P developer preview (compileSdkVersion 'android-P' and targetSdkVersion 'P').
I was able to hack around and came up with some demo code that does Key/ID attestation. See https://github.com/monkey-jsun/android-id-attestation/tree/master
While the program runs, I have two problems at this moment,
Here is a quick recap of my demo code just for quick reference:
I also attached the output of the program for easy reference.
Getting key 'key1' ...
found the key with alias 'key1' ...
private key : android.security.keystore.AndroidKeyStoreECPrivateKey@3467522e
public key : MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOfYzvOETzK0NGmlkk3vnuDb9FilG7iiRYGJX2pQy
Syuyt2XZow5M3aseZEfD64iasieuumWx3Tn6/aiopre0cw==
what is happening ...
number certificates in the chain is 4
Attestation version: 3
Attestation Security Level: TRUSTED_ENVIRONMENT
Keymaster Version: 4
Keymaster Security Level: TRUSTED_ENVIRONMENT
Attestation Challenge: hello, this is challenge phrase [jsun]
Unique ID: []
=========
Software Enforced Authorization List:
Purpose(s): NOT PRESENT
Algorithm: NOT PRESENT
Key Size: NOT PRESENT
Digest: NOT PRESENT
Padding: NOT PRESENT
EC Curve: NOT PRESENT
RSA Public Exponent: NOT PRESENT
Rollback Resistance: false
Active DateTime: NOT PRESENT
Origination Expire DateTime: NOT PRESENT
Usage Expire DateTime: NOT PRESENT
No Auth Required: false
User Auth Type: NOT PRESENT
Auth Timeout: NOT PRESENT
Allow While On Body: false
Trusted User Presence Required: false
Trusted Confirmation Required: false
Unlocked Device Required: false
All Applications: false
Application ID: NOT PRESENT
Creation DateTime: 2020-03-07T17:58:57.143Z
Origin: NOT PRESENT
Rollback Resistant: false
OS Version: NOT PRESENT
OS Patch Level: NOT PRESENT
Attestation Application ID:
Package Infos (<package name>, <version>):
net.junsun.idattestation, 1
Signature Digests:
GGv7HVeENa6GZO4irSicN64Wz38NJ7QHsmC0Z2G7s4g=
Attestation Application ID Bytes: MEUxHzAdBBhuZXQuanVuc3VuLmlkYXR0ZXN0YXRpb24CAQExIgQgGGv7HVeENa6GZO4irSicN64Wz38NJ7QHsmC0Z2G7s4g=
Attestation ID Brand: NOT PRESENT
Attestation ID Device: NOT PRESENT
Attestation ID Product: NOT PRESENT
Attestation ID Serial: NOT PRESENT
Attestation ID IMEI: NOT PRESENT
Attestation ID MEID: NOT PRESENT
Attestation ID Manufacturer: NOT PRESENT
Attestation ID Model: NOT PRESENT
Vendor Patch Level: NOT PRESENT
Boot Patch Level: NOT PRESENT
=========
TEE Enforced Authorization List:
Purpose(s): [2, 3]
Algorithm: 3
Key Size: 256
Digest: NOT PRESENT
Padding: NOT PRESENT
EC Curve: 1
RSA Public Exponent: NOT PRESENT
Rollback Resistance: false
Active DateTime: NOT PRESENT
Origination Expire DateTime: NOT PRESENT
Usage Expire DateTime: NOT PRESENT
No Auth Required: true
User Auth Type: NOT PRESENT
Auth Timeout: NOT PRESENT
Allow While On Body: false
Trusted User Presence Required: false
Trusted Confirmation Required: false
Unlocked Device Required: false
All Applications: false
Application ID: NOT PRESENT
Creation DateTime: NOT PRESENT
Origin: 0
Rollback Resistant: false
OS Version: 100000
OS Patch Level: 202002
Attestation Application ID Bytes: NOT PRESENT
Attestation ID Brand: NOT PRESENT
Attestation ID Device: NOT PRESENT
Attestation ID Product: NOT PRESENT
Attestation ID Serial: NOT PRESENT
Attestation ID IMEI: NOT PRESENT
Attestation ID MEID: NOT PRESENT
Attestation ID Manufacturer: NOT PRESENT
Attestation ID Model: NOT PRESENT
Vendor Patch Level: 20200205
Boot Patch Level: 20200205
As for your first point, the device IDs are surely stored in your device's system partition; however, in order to be attested, such IDs have to be copied into the device's TEE before it leaves the factory. Since ID attestation is not a mandatory requirement for Android compatibility, it is not a given that the vendor decided to perform the provisioning of the IDs to the TEE. In fact, it may also be that the platform does not provide a BSP API to do that. If that's the case, you won't be able to make them appear in the attestation certificate. You could check for android.software.device_id_attestation.xml under /etc/permissions/ to see if your device supports ID attestation.
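Added example, not the thread's demo app nor anything from the answer above: a stdlib-only Python parser for the attestation extension value (the DER KeyDescription carried under OID 1.3.6.1.4.1.11129.2.1.17 in the leaf certificate), plus a verifier-side check of the kind a server would run on the chain the app sends up. It reproduces the "NOT PRESENT" situation in the output above: the teeEnforced list can be fully hardware-backed and still carry none of the attestationId* tags (710 to 717) if the vendor never provisioned them. Tag numbers and the SecurityLevel enum follow the AOSP schema; the sample KeyDescription, the challenge string and the ID values ("google", "Pixel 3") are constructed here so the script runs offline, and the build_key_description encoder exists only to produce that sample.

```python
# Added example (not from the thread): parse an Android Keystore KeyDescription and
# check whether the device IDs a verifier expects are actually attested in teeEnforced.
SECURITY_LEVEL = {0: "SOFTWARE", 1: "TRUSTED_ENVIRONMENT", 2: "STRONGBOX"}
# attestationId* tags of the AuthorizationList (AOSP attestation schema).
ID_TAGS = {710: "brand", 711: "device", 712: "product", 713: "serial",
           714: "imei", 715: "meid", 716: "manufacturer", 717: "model"}

# ---- minimal DER encoder, used only to build the constructed sample ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tag(cls, constructed, num):
    first = cls | (0x20 if constructed else 0)
    if num < 31:
        return bytes([first | num])
    out = [num & 0x7F]                      # high-tag-number form, base-128 digits
    num >>= 7
    while num:
        out.append(0x80 | (num & 0x7F))
        num >>= 7
    return bytes([first | 0x1F]) + bytes(reversed(out))

def _tlv(tag, body): return tag + _len(len(body)) + body
def _int(v): return _tlv(b"\x02", v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def _octets(b): return _tlv(b"\x04", b)
def _explicit(num, inner): return _tlv(_tag(0x80, True, num), inner)   # [num] EXPLICIT
def _seq(*parts): return _tlv(b"\x30", b"".join(parts))

def build_key_description(challenge, tee_ids):
    """Constructed KeyDescription shaped like the thread's output; tee_ids adds ID tags."""
    software = _seq(_explicit(709, _octets(b"<constructed attestationApplicationId>")))
    tee = [_explicit(1, _tlv(b"\x31", _int(2) + _int(3))),      # purpose SET {SIGN, VERIFY}
           _explicit(2, _int(3)), _explicit(3, _int(256)),      # algorithm EC, keySize 256
           _explicit(10, _int(1)), _explicit(503, b"\x05\x00"),  # ecCurve P-256, noAuthRequired
           _explicit(702, _int(0)), _explicit(705, _int(100000)), _explicit(706, _int(202002))]
    for tag, name in sorted(ID_TAGS.items()):                    # schema order == tag order
        if name in tee_ids:
            tee.append(_explicit(tag, _octets(tee_ids[name].encode())))
    tee += [_explicit(718, _int(20200205)), _explicit(719, _int(20200205))]
    return _seq(_int(3), _tlv(b"\x0a", b"\x01"), _int(4), _tlv(b"\x0a", b"\x01"),
                _octets(challenge), _octets(b""), software, _seq(*tee))

# ---- minimal DER decoder ----
def _read_tlv(buf, pos):
    first = buf[pos]; pos += 1
    cls, constructed, num = first & 0xC0, bool(first & 0x20), first & 0x1F
    if num == 0x1F:                          # high-tag-number form
        num = 0
        while True:
            b = buf[pos]; pos += 1
            num = (num << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    ln = buf[pos]; pos += 1
    if ln & 0x80:                            # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return (cls, constructed, num, buf[pos:pos + ln]), pos + ln

def _children(body):
    pos, out = 0, []
    while pos < len(body):
        tlv, pos = _read_tlv(body, pos)
        out.append(tlv)
    return out

def _to_int(body): return int.from_bytes(body, "big", signed=True)

def parse_auth_list(body):
    """AuthorizationList -> {tag number: value}; NULL-typed flags become True."""
    result = {}
    for _, _, num, inner in _children(body):
        (_, _, inum, ibody), _ = _read_tlv(inner, 0)          # unwrap the EXPLICIT tag
        if inum == 2:   result[num] = _to_int(ibody)           # INTEGER
        elif inum == 4: result[num] = ibody                    # OCTET STRING
        elif inum == 5: result[num] = True                     # NULL flag
        elif inum == 17: result[num] = [_to_int(b) for _, _, _, b in _children(ibody)]  # SET OF INTEGER
        else: result[num] = ibody                              # e.g. rootOfTrust, left raw
    return result

def parse_key_description(der):
    """Parse the extension value of the attestation extension (the DER KeyDescription)."""
    (_, _, _, body), _ = _read_tlv(der, 0)
    f = _children(body)
    return {"attestation_version": _to_int(f[0][3]),
            "attestation_security_level": SECURITY_LEVEL.get(_to_int(f[1][3]), "UNKNOWN"),
            "keymaster_version": _to_int(f[2][3]),
            "keymaster_security_level": SECURITY_LEVEL.get(_to_int(f[3][3]), "UNKNOWN"),
            "challenge": f[4][3], "unique_id": f[5][3],
            "software_enforced": parse_auth_list(f[6][3]),
            "tee_enforced": parse_auth_list(f[7][3])}

def check_id_attestation(kd, expected_challenge, expected_ids):
    """Verifier checks: fresh challenge, hardware-backed level, and every expected device
    ID present in the TEE-enforced list (softwareEnforced IDs prove nothing) and matching."""
    problems = []
    if kd["challenge"] != expected_challenge:
        problems.append("challenge mismatch")
    if kd["attestation_security_level"] == "SOFTWARE":
        problems.append("attestation is software-only")
    tee = kd["tee_enforced"]
    for tag, name in ID_TAGS.items():
        if name not in expected_ids:
            continue
        if tag not in tee:
            problems.append(f"{name}: NOT PRESENT in teeEnforced")
        elif tee[tag] != expected_ids[name].encode():
            problems.append(f"{name}: mismatch")
    return problems

CHALLENGE = b"hello, this is challenge phrase [jsun]"
EXPECTED_IDS = {"brand": "google", "model": "Pixel 3"}        # constructed sample values

def demo():
    """Unprovisioned device (like the thread's output) vs. one whose TEE holds the IDs."""
    without = parse_key_description(build_key_description(CHALLENGE, {}))
    with_ids = parse_key_description(build_key_description(CHALLENGE, EXPECTED_IDS))
    return (check_id_attestation(without, CHALLENGE, EXPECTED_IDS),
            check_id_attestation(with_ids, CHALLENGE, EXPECTED_IDS))

if __name__ == "__main__":
    print(demo())
```

On a real chain you would first validate the certificates up to the Google hardware attestation root, then feed the leaf's extension value for OID 1.3.6.1.4.1.11129.2.1.17 into parse_key_description; the point of check_id_attestation is that a missing tag in teeEnforced is a hard failure for ID attestation, not something to fall back on from the softwareEnforced list, which the app itself controls.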