From 7f9905509599bd3722ab5bc889acd9ce9227fe11 Mon Sep 17 00:00:00 2001
From: Seth Moore
Date: Thu, 11 Jun 2026 13:58:58 -0700
Subject: [PATCH] Fix factory provisioned cert detection to catch "really old" certs

Factory certificates changed format at some point between 2016 and 2021, which breaks the "isFactoryProvisioned" check. Make the check a bit more lax so that we consider more cert types as factory provisioned. This is safe because we are not relaxing the isRemoteProvisioned check at all, and that is the check that attackers want to spoof.

PiperOrigin-RevId: 930722556
---
 .../kotlin/provider/KeyAttestationCertPath.kt | 2 +-
 .../provider/KeyAttestationCertPathTest.kt | 4 +
 testdata/sony-xperia10-iii/sdk33/TEE_EC.json | 41 +++++++++
 testdata/sony-xperia10-iii/sdk33/TEE_EC.pem | 85 +++++++++++++++++++
 4 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 testdata/sony-xperia10-iii/sdk33/TEE_EC.json
 create mode 100644 testdata/sony-xperia10-iii/sdk33/TEE_EC.pem
diff --git a/src/main/kotlin/provider/KeyAttestationCertPath.kt b/src/main/kotlin/provider/KeyAttestationCertPath.kt
index c26d1ed..8ce5fc6 100644
--- a/src/main/kotlin/provider/KeyAttestationCertPath.kt
+++ b/src/main/kotlin/provider/KeyAttestationCertPath.kt
@@ -111,7 +111,7 @@ class KeyAttestationCertPath(certs: List) : CertPath("X.509") {
 private fun isFactoryProvisioned(): Boolean {
 val rdn = parseDN(this.intermediateCert().subjectX500Principal.getName(X500Principal.RFC1779))
- return rdn.containsKey(SERIAL_NUMBER_OID) && rdn[TITLE_OID] in setOf("TEE", "StrongBox")
+ return rdn.containsKey(SERIAL_NUMBER_OID)
 }
 // TODO(google-internal bug): Update this to use fields in the RKP root.
diff --git a/src/test/kotlin/provider/KeyAttestationCertPathTest.kt b/src/test/kotlin/provider/KeyAttestationCertPathTest.kt
index 09e8836..cf73b69 100644
--- a/src/test/kotlin/provider/KeyAttestationCertPathTest.kt
+++ b/src/test/kotlin/provider/KeyAttestationCertPathTest.kt
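Review bot: With the title test gone, isFactoryProvisioned returns true for any chain whose intermediate subject carries a serialNumber RDN, so keeping FACTORY_PROVISIONED distinct from REMOTELY_PROVISIONED now rests entirely on evaluation order in the caller that combines the two checks (not visible in this hunk; the enclosing class also starts outside it) and on RKP intermediates never carrying that attribute — neither of which this method expresses any more. I would state that dependency on the method itself and document the relaxation where it happens so the next reader does not reinstate the title check: `// Pre-2021 factory intermediates carry only a serialNumber RDN and no title (see testdata/sony-xperia10-iii); callers must test isRemoteProvisioned() first.` TITLE_OID is no longer referenced here; if nothing else in the file uses it, remove the constant rather than leaving it dead. The description's safety argument holds only for relying parties that grant FACTORY_PROVISIONED no more trust than UNKNOWN; path validation to a trusted root, not this subject-name heuristic, is what should carry any trust decision.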
@@ -108,6 +108,10 @@ class KeyAttestationCertPathTest {
 }
 enum class ProvisioningMethodTestCase(val path: String, val expected: ProvisioningMethod) {
+ FACTORY_PROVISIONED_OLD_STYLE(
+ "sony-xperia10-iii/sdk33/TEE_EC",
+ ProvisioningMethod.FACTORY_PROVISIONED,
+ ),
 FACTORY_PROVISIONED("blueline/sdk28/TEE_EC_NONE", ProvisioningMethod.FACTORY_PROVISIONED),
 REMOTELY_PROVISIONED("caiman/sdk36/TEE_EC_RKP", ProvisioningMethod.REMOTELY_PROVISIONED),
 UNKNOWN("marlin/sdk29/TEE_EC_NONE", ProvisioningMethod.UNKNOWN),
diff --git a/testdata/sony-xperia10-iii/sdk33/TEE_EC.json b/testdata/sony-xperia10-iii/sdk33/TEE_EC.json
new file mode 100644
index 0000000..442a7b6
--- /dev/null
+++ b/testdata/sony-xperia10-iii/sdk33/TEE_EC.json
@@ -0,0 +1,41 @@
+{
+ "attestationVersion": "3",
+ "attestationSecurityLevel": "TRUSTED_ENVIRONMENT",
+ "keyMintVersion": "41",
+ "keyMintSecurityLevel": "TRUSTED_ENVIRONMENT",
+ "attestationChallenge": "Pq/k1d0AkN5aQrQytCSBr1zimWNlayWExZpJLeFtAMk=",
+ "uniqueId": "",
+ "softwareEnforced": {
+ "creationDateTime": "1780585145000",
+ "attestationApplicationId": {
+ "packages": [{ "name": "com.android.vending", "version": "85162330" }],
+ "signatures": ["8P1sW0EPJcslw7UzRsiXL64w+O50Ed+RBICtay1g24M="]
+ },
+ "areTagsOrdered": true
+ },
+ "hardwareEnforced": {
+ "purposes": ["2"],
+ "algorithms": "3",
+ "keySize": "256",
+ "digests": ["6"],
+ "ecCurve": "1",
+ "noAuthRequired": true,
+ "origin": "GENERATED",
+ "rootOfTrust": {
+ "verifiedBootKey": "gdG7IUVTlNoNf2DCV7dUWYDtUt/XyKiBbM88pwdDb54=",
+ "deviceLocked": true,
+ "verifiedBootState": "VERIFIED",
+ "verifiedBootHash": "UNZsaZbE8OV1KFQV9dBC0iDGeN7N1Bc79PHTAhz55KE="
+ },
+ "osVersion": "130000",
+ "osPatchLevel": "202307",
+ "attestationIdBrand": "docomo",
+ "attestationIdDevice": "SO-52B",
+ "attestationIdProduct": "SO-52B",
+ "attestationIdManufacturer": "Sony",
+ "attestationIdModel": "SO-52B",
+ "vendorPatchLevel": "20230701",
+ "bootPatchLevel": "20230701",
+ "areTagsOrdered": true
+ }
+}
diff --git a/testdata/sony-xperia10-iii/sdk33/TEE_EC.pem b/testdata/sony-xperia10-iii/sdk33/TEE_EC.pem
new file mode 100644
index 0000000..70e2c51
--- /dev/null
+++ b/testdata/sony-xperia10-iii/sdk33/TEE_EC.pem
@@ -0,0 +1,85 @@ +-----BEGIN CERTIFICATE----- +MIICvzCCAmagAwIBAgIBATAKBggqhkjOPQQDAjAbMRkwFwYDVQQFExAzZTdmYjZh +MWVlNGJkNTY4MCAXDTcwMDEwMTAwMDAwMFoYDzIxMDYwMjA3MDYyODE1WjAfMR0w +GwYDVQQDDBRBbmRyb2lkIEtleXN0b3JlIEtleTBZMBMGByqGSM49AgEGCCqGSM49 +AwEHA0IABLrQPJVjzcg/dVotjVbI3VkDyJj/HomhIkxDWA8rS9LM+ZOVEkk/9Pls +nybD1ZsWN9kyvQaK2oKLYAW7Cq53iY2jggGTMIIBjzAOBgNVHQ8BAf8EBAMCB4Aw +ggF7BgorBgEEAdZ5AgERBIIBazCCAWcCAQMKAQECASkKAQEEID6v5NXdAJDeWkK0 +MrQkga9c4pljZWslhMWaSS3hbQDJBAAwV7+FPQgCBgGekyUiqL+FRUcERTBDMR0w +GwQTY29tLmFuZHJvaWQudmVuZGluZwIEBRN5WjEiBCDw/WxbQQ8lyyXDtTNGyJcv +rjD47nQR35EEgK1rLWDbgzCB26EFMQMCAQKiAwIBA6MEAgIBAKUFMQMCAQaqAwIB +Ab+DdwIFAL+FPgMCAQC/hUBMMEoEIIHRuyFFU5TaDX9gwle3VFmA7VLf18iogWzP +PKcHQ2+eAQH/CgEABCBQ1mxplsTw5XUoVBX10ELSIMZ43s3UFzv08dMCHPnkob+F +QQUCAwH70L+FQgUCAwMWQ7+FRggEBmRvY29tb7+FRwgEBlNPLTUyQr+FSAgEBlNP +LTUyQr+FTAYEBFNvbnm/hU0IBAZTTy01MkK/hU4GAgQBNLItv4VPBgIEATSyLTAK +BggqhkjOPQQDAgNHADBEAiAc30NT6OoIUR00Vm6x3BKWPa5BNfSdZ29uFI5suUsg +NQIgdYS61mQHaR2IgajOFO+nxMLhzj3/P4D0NZSnn7CgC14= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICKzCCAbKgAwIBAgIKFlgHaDNVWQMWBTAKBggqhkjOPQQDAjAbMRkwFwYDVQQF +ExA4N2Y0NTE0NDc1YmEwYTJiMB4XDTE2MDUyNjE3MTkwMFoXDTI2MDUyNDE3MTkw +MFowGzEZMBcGA1UEBRMQM2U3ZmI2YTFlZTRiZDU2ODBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABAb+gStr8TAHqc4ueIBBQwkvDzcbYkIRf0qhu7hev7G9XPtRL8+D +MXUMy/JzFnpiiSt1QdcwrS2jK3lpS7DoA9Ojgd0wgdowHQYDVR0OBBYEFMqTzYTD +BCXs2/vajnn3MZXDBn5YMB8GA1UdIwQYMBaAFDBEI+Wi9gbhUKt3XxYWu5HMY8ZZ +MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMCQGA1UdHgQdMBugGTAXghVp +bnZhbGlkO2VtYWlsOmludmFsaWQwVAYDVR0fBE0wSzBJoEegRYZDaHR0cHM6Ly9h +bmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8xNjU4MDc2ODMz +NTU1OTAzMTYwNTAKBggqhkjOPQQDAgNnADBkAjAMv+GZm51nvmPVl/AWjFqFsriO +oEeQQAzessWJ/cHWmZTr4VfoVkTTf8mqi/X1ytoCMGrosF800OaNbU8gFoP7R6fM +mnnwl2/5WLV3uhP5Yz6AQUWWTYLuF2EbxY3dNNaGGg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDwzCCAaugAwIBAgIKA4gmZ2BliZaFdTANBgkqhkiG9w0BAQsFADAbMRkwFwYD 
+VQQFExBmOTIwMDllODUzYjZiMDQ1MB4XDTE2MDUyNjE3MDE1MVoXDTI2MDUyNDE3 +MDE1MVowGzEZMBcGA1UEBRMQODdmNDUxNDQ3NWJhMGEyYjB2MBAGByqGSM49AgEG +BSuBBAAiA2IABGQ7VmgdJ/rEgs9sIE3rzvApXDUMAaqMMn8+1fRJrvQpZkJfOT2E +djtdrVaxDQRZxixqT5MlVqiSk8PRTqLx3+8OPLoicqMiOeGytH2sVQurvFynVeKq +SGKK1jx2/2fccqOBtjCBszAdBgNVHQ4EFgQUMEQj5aL2BuFQq3dfFha7kcxjxlkw +HwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAYYwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cHM6Ly9hbmRy +b2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC9FOEZBMTk2MzE0RDJG +QTE4MA0GCSqGSIb3DQEBCwUAA4ICAQBAOYqLNryTmbOlnrjnIvDoXxzaLOgCXu29 +l7KpbFHacVLxgYuGRiIEQqzZBqUYSt9Pgx+P2KvoHtz99sEZr2xTe0Dw6CTHTAmx +WXUFdrlvEMm2GySfvJRfMNCuX1oIS/M5PfREY2YZHyLq/sn1sJr3FjbKMdUMBo5A +camcD3H8wl9O/6qfhX+57iXzoK6yMzJRG/Mlkm58/sFk0pjayUBchmUJL0FQ6IhK +Ygy8RKE2UDyXKOE7+ZMSMUUkAdzyn2PFv7TvQtDk0ge2mkVrNrfPSglMzBNvrSDH +PBmTktXzwseVagIRT5WI91OrUOYPFgostsfH42hs5wJtAFGPwDg/1mNa8UyH9k1b +MrRq3Srez1XG0Ju7SGN/uNX5dkcwvfAmadtmM7Pp+l2VHRYRR600jAcM2+7bl8eg +qfM/A7vyDLZqPIxDwkLXj2eN99nJZJVaGfB9dHyFOqBqBM6SdyV6MSIr3AHoo6u+ +BWIX9+q8n1qg5I6JWeEe+K58SbRDVoNQgsKP9/iPruXMU5rm2ywPxICVGysl1GgA +P+FJ3X6oP0tXFWQlYoWdSloSVHNZQqj2ev/69sMnGsTeJw1V7I0gR+eZNEfxe+vZ +D4KP88KxuiPCe94rp+Aqs5/YwuCo6rQ+HGi5OZNBsQXYIufClSBje+OpjQb7HJgi +hJdzo2/IBw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV +BAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYy +ODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS +Sxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7 +tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj +nar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq +C4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ +oVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O +JtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg 
+sTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi +igHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M +RPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E +aDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um +AGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYD +VR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lk +Lmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQAD +ggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfB +Pb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00m +qC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rY +DBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPm +QUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4u +JU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyD +CdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79Iy +ZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxD +qwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23Uaic +MDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1 +wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk +-----END CERTIFICATE-----