Skip to content

Fix factory provisioned cert detection to catch "really old" certs #85

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
copybara-service merged 1 commit into from
Jun 11, 2026
Merged

Fix factory provisioned cert detection to catch "really old" certs #85

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/main/kotlin/provider/KeyAttestationCertPath.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ class KeyAttestationCertPath(certs: List<X509Certificate>) : CertPath("X.509") {

private fun isFactoryProvisioned(): Boolean {
val rdn = parseDN(this.intermediateCert().subjectX500Principal.getName(X500Principal.RFC1779))
return rdn.containsKey(SERIAL_NUMBER_OID) && rdn[TITLE_OID] in setOf("TEE", "StrongBox")
return rdn.containsKey(SERIAL_NUMBER_OID)
}

// TODO(google-internal bug): Update this to use fields in the RKP root.
Expand Down
4 changes: 4 additions & 0 deletions src/test/kotlin/provider/KeyAttestationCertPathTest.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,10 @@ class KeyAttestationCertPathTest {
}

enum class ProvisioningMethodTestCase(val path: String, val expected: ProvisioningMethod) {
FACTORY_PROVISIONED_OLD_STYLE(
"sony-xperia10-iii/sdk33/TEE_EC",
ProvisioningMethod.FACTORY_PROVISIONED,
),
FACTORY_PROVISIONED("blueline/sdk28/TEE_EC_NONE", ProvisioningMethod.FACTORY_PROVISIONED),
REMOTELY_PROVISIONED("caiman/sdk36/TEE_EC_RKP", ProvisioningMethod.REMOTELY_PROVISIONED),
UNKNOWN("marlin/sdk29/TEE_EC_NONE", ProvisioningMethod.UNKNOWN),
Expand Down
41 changes: 41 additions & 0 deletions testdata/sony-xperia10-iii/sdk33/TEE_EC.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
{
"attestationVersion": "3",
"attestationSecurityLevel": "TRUSTED_ENVIRONMENT",
"keyMintVersion": "41",
"keyMintSecurityLevel": "TRUSTED_ENVIRONMENT",
"attestationChallenge": "Pq/k1d0AkN5aQrQytCSBr1zimWNlayWExZpJLeFtAMk=",
"uniqueId": "",
"softwareEnforced": {
"creationDateTime": "1780585145000",
"attestationApplicationId": {
"packages": [{ "name": "com.android.vending", "version": "85162330" }],
"signatures": ["8P1sW0EPJcslw7UzRsiXL64w+O50Ed+RBICtay1g24M="]
},
"areTagsOrdered": true
},
"hardwareEnforced": {
"purposes": ["2"],
"algorithms": "3",
"keySize": "256",
"digests": ["6"],
"ecCurve": "1",
"noAuthRequired": true,
"origin": "GENERATED",
"rootOfTrust": {
"verifiedBootKey": "gdG7IUVTlNoNf2DCV7dUWYDtUt/XyKiBbM88pwdDb54=",
"deviceLocked": true,
"verifiedBootState": "VERIFIED",
"verifiedBootHash": "UNZsaZbE8OV1KFQV9dBC0iDGeN7N1Bc79PHTAhz55KE="
},
"osVersion": "130000",
"osPatchLevel": "202307",
"attestationIdBrand": "docomo",
"attestationIdDevice": "SO-52B",
"attestationIdProduct": "SO-52B",
"attestationIdManufacturer": "Sony",
"attestationIdModel": "SO-52B",
"vendorPatchLevel": "20230701",
"bootPatchLevel": "20230701",
"areTagsOrdered": true
}
}
85 changes: 85 additions & 0 deletions testdata/sony-xperia10-iii/sdk33/TEE_EC.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
-----BEGIN CERTIFICATE-----
MIICvzCCAmagAwIBAgIBATAKBggqhkjOPQQDAjAbMRkwFwYDVQQFExAzZTdmYjZh
MWVlNGJkNTY4MCAXDTcwMDEwMTAwMDAwMFoYDzIxMDYwMjA3MDYyODE1WjAfMR0w
GwYDVQQDDBRBbmRyb2lkIEtleXN0b3JlIEtleTBZMBMGByqGSM49AgEGCCqGSM49
AwEHA0IABLrQPJVjzcg/dVotjVbI3VkDyJj/HomhIkxDWA8rS9LM+ZOVEkk/9Pls
nybD1ZsWN9kyvQaK2oKLYAW7Cq53iY2jggGTMIIBjzAOBgNVHQ8BAf8EBAMCB4Aw
ggF7BgorBgEEAdZ5AgERBIIBazCCAWcCAQMKAQECASkKAQEEID6v5NXdAJDeWkK0
MrQkga9c4pljZWslhMWaSS3hbQDJBAAwV7+FPQgCBgGekyUiqL+FRUcERTBDMR0w
GwQTY29tLmFuZHJvaWQudmVuZGluZwIEBRN5WjEiBCDw/WxbQQ8lyyXDtTNGyJcv
rjD47nQR35EEgK1rLWDbgzCB26EFMQMCAQKiAwIBA6MEAgIBAKUFMQMCAQaqAwIB
Ab+DdwIFAL+FPgMCAQC/hUBMMEoEIIHRuyFFU5TaDX9gwle3VFmA7VLf18iogWzP
PKcHQ2+eAQH/CgEABCBQ1mxplsTw5XUoVBX10ELSIMZ43s3UFzv08dMCHPnkob+F
QQUCAwH70L+FQgUCAwMWQ7+FRggEBmRvY29tb7+FRwgEBlNPLTUyQr+FSAgEBlNP
LTUyQr+FTAYEBFNvbnm/hU0IBAZTTy01MkK/hU4GAgQBNLItv4VPBgIEATSyLTAK
BggqhkjOPQQDAgNHADBEAiAc30NT6OoIUR00Vm6x3BKWPa5BNfSdZ29uFI5suUsg
NQIgdYS61mQHaR2IgajOFO+nxMLhzj3/P4D0NZSnn7CgC14=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICKzCCAbKgAwIBAgIKFlgHaDNVWQMWBTAKBggqhkjOPQQDAjAbMRkwFwYDVQQF
ExA4N2Y0NTE0NDc1YmEwYTJiMB4XDTE2MDUyNjE3MTkwMFoXDTI2MDUyNDE3MTkw
MFowGzEZMBcGA1UEBRMQM2U3ZmI2YTFlZTRiZDU2ODBZMBMGByqGSM49AgEGCCqG
SM49AwEHA0IABAb+gStr8TAHqc4ueIBBQwkvDzcbYkIRf0qhu7hev7G9XPtRL8+D
MXUMy/JzFnpiiSt1QdcwrS2jK3lpS7DoA9Ojgd0wgdowHQYDVR0OBBYEFMqTzYTD
BCXs2/vajnn3MZXDBn5YMB8GA1UdIwQYMBaAFDBEI+Wi9gbhUKt3XxYWu5HMY8ZZ
MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMCQGA1UdHgQdMBugGTAXghVp
bnZhbGlkO2VtYWlsOmludmFsaWQwVAYDVR0fBE0wSzBJoEegRYZDaHR0cHM6Ly9h
bmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8xNjU4MDc2ODMz
NTU1OTAzMTYwNTAKBggqhkjOPQQDAgNnADBkAjAMv+GZm51nvmPVl/AWjFqFsriO
oEeQQAzessWJ/cHWmZTr4VfoVkTTf8mqi/X1ytoCMGrosF800OaNbU8gFoP7R6fM
mnnwl2/5WLV3uhP5Yz6AQUWWTYLuF2EbxY3dNNaGGg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDwzCCAaugAwIBAgIKA4gmZ2BliZaFdTANBgkqhkiG9w0BAQsFADAbMRkwFwYD
VQQFExBmOTIwMDllODUzYjZiMDQ1MB4XDTE2MDUyNjE3MDE1MVoXDTI2MDUyNDE3
MDE1MVowGzEZMBcGA1UEBRMQODdmNDUxNDQ3NWJhMGEyYjB2MBAGByqGSM49AgEG
BSuBBAAiA2IABGQ7VmgdJ/rEgs9sIE3rzvApXDUMAaqMMn8+1fRJrvQpZkJfOT2E
djtdrVaxDQRZxixqT5MlVqiSk8PRTqLx3+8OPLoicqMiOeGytH2sVQurvFynVeKq
SGKK1jx2/2fccqOBtjCBszAdBgNVHQ4EFgQUMEQj5aL2BuFQq3dfFha7kcxjxlkw
HwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB
/zAOBgNVHQ8BAf8EBAMCAYYwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cHM6Ly9hbmRy
b2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC9FOEZBMTk2MzE0RDJG
QTE4MA0GCSqGSIb3DQEBCwUAA4ICAQBAOYqLNryTmbOlnrjnIvDoXxzaLOgCXu29
l7KpbFHacVLxgYuGRiIEQqzZBqUYSt9Pgx+P2KvoHtz99sEZr2xTe0Dw6CTHTAmx
WXUFdrlvEMm2GySfvJRfMNCuX1oIS/M5PfREY2YZHyLq/sn1sJr3FjbKMdUMBo5A
camcD3H8wl9O/6qfhX+57iXzoK6yMzJRG/Mlkm58/sFk0pjayUBchmUJL0FQ6IhK
Ygy8RKE2UDyXKOE7+ZMSMUUkAdzyn2PFv7TvQtDk0ge2mkVrNrfPSglMzBNvrSDH
PBmTktXzwseVagIRT5WI91OrUOYPFgostsfH42hs5wJtAFGPwDg/1mNa8UyH9k1b
MrRq3Srez1XG0Ju7SGN/uNX5dkcwvfAmadtmM7Pp+l2VHRYRR600jAcM2+7bl8eg
qfM/A7vyDLZqPIxDwkLXj2eN99nJZJVaGfB9dHyFOqBqBM6SdyV6MSIr3AHoo6u+
BWIX9+q8n1qg5I6JWeEe+K58SbRDVoNQgsKP9/iPruXMU5rm2ywPxICVGysl1GgA
P+FJ3X6oP0tXFWQlYoWdSloSVHNZQqj2ev/69sMnGsTeJw1V7I0gR+eZNEfxe+vZ
D4KP88KxuiPCe94rp+Aqs5/YwuCo6rQ+HGi5OZNBsQXYIufClSBje+OpjQb7HJgi
hJdzo2/IBw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
BAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYy
ODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdS
Sxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7
tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggj
nar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGq
C4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQ
oVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+O
JtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/Eg
sTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRi
igHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+M
RPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9E
aDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5Um
AGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYD
VR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAO
BgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lk
Lmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQAD
ggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfB
Pb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00m
qC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rY
DBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPm
QUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4u
JU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyD
CdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79Iy
ZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxD
qwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23Uaic
MDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1
wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk
-----END CERTIFICATE-----
Loading