【Question title】: Sample code showing how to use Android ID Attestation
【Posted】: 2018-03-08 23:42:34
【Question】:

Android 8 added "ID attestation" (per https://source.android.com/security/keystore/attestation#id-attestation).

Does anyone know how to use this feature? The closest thing I found is AttestationUtils.java (https://android.googlesource.com/platform/frameworks/base/+/master/keystore/java/android/security/keystore/AttestationUtils.java), but I don't get these APIs with the Android SDK. When using the P developer preview (compileSdkVersion 'android-P', targetSdkVersion 'P'), they don't show up in my IDE.

【Question discussion】:

    Tags: android security android-keystore


    【Answer 1】:

    I managed to hack something together and came up with a demo that performs key/ID attestation. See https://github.com/monkey-jsun/android-id-attestation/tree/master

    When the program runs, I currently have two questions:

    • All hardware IDs show up as "NOT PRESENT". See below. Obviously they are there. How do I make them appear?
    • Currently we generate a key and its attestation in a single step (keyPairGenerator.generateKeyPair()), because we have to request the attestation when initializing the keyPairGenerator. This is very unnatural. Is there a way to request key/ID attestation after the key has been created?

    Here is a brief recap of my demo code, for quick reference:

    • Generate a key pair in the keystore with a challenge phrase
    • Retrieve the key pair and its certificate chain
    • Display the cert[0] extension data using the Bouncy Castle library

    I have also attached the program's output for easy reference.

     Getting key 'key1' ...
     found the key with alias 'key1' ...
     private key : android.security.keystore.AndroidKeyStoreECPrivateKey@3467522e
     public key : MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOfYzvOETzK0NGmlkk3vnuDb9FilG7iiRYGJX2pQy
        Syuyt2XZow5M3aseZEfD64iasieuumWx3Tn6/aiopre0cw==
     what is happening ...
     number certificates in the chain is 4
     Attestation version: 3
     Attestation Security Level: TRUSTED_ENVIRONMENT
     Keymaster Version: 4
     Keymaster Security Level: TRUSTED_ENVIRONMENT
     Attestation Challenge: hello, this is challenge phrase [jsun]
     Unique ID: []
     =========
        Software Enforced Authorization List:
        Purpose(s): NOT PRESENT
        Algorithm: NOT PRESENT
        Key Size: NOT PRESENT
        Digest: NOT PRESENT
        Padding: NOT PRESENT
        EC Curve: NOT PRESENT
        RSA Public Exponent: NOT PRESENT
        Rollback Resistance: false
        Active DateTime: NOT PRESENT
        Origination Expire DateTime: NOT PRESENT
        Usage Expire DateTime: NOT PRESENT
        No Auth Required: false
        User Auth Type: NOT PRESENT
        Auth Timeout: NOT PRESENT
        Allow While On Body: false
        Trusted User Presence Required: false
        Trusted Confirmation Required: false
        Unlocked Device Required: false
        All Applications: false
        Application ID: NOT PRESENT
        Creation DateTime: 2020-03-07T17:58:57.143Z
        Origin: NOT PRESENT
        Rollback Resistant: false
        OS Version: NOT PRESENT
        OS Patch Level: NOT PRESENT
        Attestation Application ID:
            Package Infos (<package name>, <version>): 
                net.junsun.idattestation, 1
            Signature Digests:
                GGv7HVeENa6GZO4irSicN64Wz38NJ7QHsmC0Z2G7s4g=
        Attestation Application ID Bytes: MEUxHzAdBBhuZXQuanVuc3VuLmlkYXR0ZXN0YXRpb24CAQExIgQgGGv7HVeENa6GZO4irSicN64Wz38NJ7QHsmC0Z2G7s4g=
        Attestation ID Brand: NOT PRESENT
        Attestation ID Device: NOT PRESENT
        Attestation ID Product: NOT PRESENT
        Attestation ID Serial: NOT PRESENT
        Attestation ID IMEI: NOT PRESENT
        Attestation ID MEID: NOT PRESENT
        Attestation ID Manufacturer: NOT PRESENT
        Attestation ID Model: NOT PRESENT
        Vendor Patch Level: NOT PRESENT
        Boot Patch Level: NOT PRESENT
     =========
        TEE Enforced Authorization List:
        Purpose(s): [2, 3]
        Algorithm: 3
        Key Size: 256
        Digest: NOT PRESENT
        Padding: NOT PRESENT
        EC Curve: 1
        RSA Public Exponent: NOT PRESENT
        Rollback Resistance: false
        Active DateTime: NOT PRESENT
        Origination Expire DateTime: NOT PRESENT
        Usage Expire DateTime: NOT PRESENT
        No Auth Required: true
        User Auth Type: NOT PRESENT
        Auth Timeout: NOT PRESENT
        Allow While On Body: false
        Trusted User Presence Required: false
        Trusted Confirmation Required: false
        Unlocked Device Required: false
        All Applications: false
        Application ID: NOT PRESENT
        Creation DateTime: NOT PRESENT
        Origin: 0
        Rollback Resistant: false
        OS Version: 100000
        OS Patch Level: 202002
        Attestation Application ID Bytes: NOT PRESENT
        Attestation ID Brand: NOT PRESENT
        Attestation ID Device: NOT PRESENT
        Attestation ID Product: NOT PRESENT
        Attestation ID Serial: NOT PRESENT
        Attestation ID IMEI: NOT PRESENT
        Attestation ID MEID: NOT PRESENT
        Attestation ID Manufacturer: NOT PRESENT
        Attestation ID Model: NOT PRESENT
        Vendor Patch Level: 20200205
        Boot Patch Level: 20200205
    

    【Discussion】:

      【Answer 2】:

      As for your first point, the device IDs are certainly stored in your device's system partition, but in order to be attested, those IDs must be copied into the device's TEE before the device leaves the factory. Since ID attestation is not a mandatory requirement for Android compatibility, it is not a given that the vendor decided to provision the IDs into the TEE. In fact, it may also be that the platform does not provide a BSP API to do so. So if that is the case, you will not be able to make them appear in the attestation certificate. You can check android.software.device_id_attestation.xml under /etc/permissions/ to see whether your device supports ID attestation.

      【Discussion】:
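      The three recap steps from Answer 1 plus the support check from Answer 2, as an added example (my own code, not the linked repository's); the class name, method names and the alias parameter are assumptions, and it assumes Bouncy Castle's bcprov on the app's classpath and a device on Android 8 or later.

```java
import android.content.pm.PackageManager;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import org.bouncycastle.asn1.*;

public final class IdAttestationDemo {
    // OID of the Android key attestation extension (see the AOSP attestation page linked in the question)
    static final String KEY_ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.17";
    // AuthorizationList context tags 710..717 carry the hardware IDs, in this order
    static final String[] ID_TAG_NAMES = {"brand", "device", "product", "serial", "imei", "meid", "manufacturer", "model"};
    // Answer 2's check, via PackageManager instead of reading /etc/permissions directly
    static boolean deviceSupportsIdAttestation(PackageManager pm) {
        return pm.hasSystemFeature("android.software.device_id_attestation");
    }
    // Recap steps 1 and 2: the challenge must be supplied when the generator is initialised (Answer 1's second point)
    static Certificate[] generateAttestedKey(String alias, byte[] challenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(challenge)
                .build());
        kpg.generateKeyPair();
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        return ks.getCertificateChain(alias); // cert[0] is the leaf carrying the attestation extension
    }
    // Recap step 3: decode cert[0]'s KeyDescription and report which hardware IDs the TEE attested. A verifier
    // should trust this only after validating the chain to a trusted root and comparing element 4 (the challenge).
    static Map<String, String> teeEnforcedIds(X509Certificate leaf) throws Exception {
        byte[] ext = leaf.getExtensionValue(KEY_ATTESTATION_OID);
        if (ext == null) throw new IllegalStateException("certificate has no attestation extension");
        ASN1OctetString wrapper = (ASN1OctetString) new ASN1InputStream(ext).readObject();
        ASN1Sequence keyDescription = (ASN1Sequence) new ASN1InputStream(wrapper.getOctets()).readObject();
        ASN1Sequence teeEnforced = (ASN1Sequence) keyDescription.getObjectAt(7); // element 7 = teeEnforced list
        Map<String, String> ids = new TreeMap<>();
        for (String name : ID_TAG_NAMES) ids.put(name, "NOT PRESENT");
        for (int i = 0; i < teeEnforced.size(); i++) {
            ASN1TaggedObject t = (ASN1TaggedObject) teeEnforced.getObjectAt(i);
            int idx = t.getTagNo() - 710;
            if (idx >= 0 && idx < ID_TAG_NAMES.length)
                ids.put(ID_TAG_NAMES[idx], new String(ASN1OctetString.getInstance(t, true).getOctets(), "UTF-8"));
        }
        return ids;
    }
}
```

      From an ordinary app on a device without provisioned IDs, all eight entries come back NOT PRESENT, matching the output above and the explanations in Answers 2 and 3.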

        【Answer 3】:

        Part of the problem may also be that ID attestation through AttestationUtils is a system API, and your app must be a system app to use those APIs. In other words, you cannot do this from an ordinary app.

        【Discussion】:
