Skip to content

Commit 18abe6c

Browse files
carmenyhcopybara-github
authored andcommitted
Log the signing algorithms of the certificate chain.
This change also gives the LogHook methods. Supporting what can be logged should not be a requirement. PiperOrigin-RevId: 946969655
1 parent dac71f9 commit 18abe6c

4 files changed

Lines changed: 58 additions & 7 deletions

File tree

src/main/kotlin/Verifier.kt

Lines changed: 17 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -83,22 +83,22 @@ interface VerifyRequestLog {
8383
*
8484
* @param inputChain The certificate chain which is being verified.
8585
*/
86-
fun logInputChain(inputChain: List<ByteString>)
86+
fun logInputChain(inputChain: List<ByteString>) {}
8787

8888
/**
8989
* Logs the result of the verification. Called for each call to [verify].
9090
*
9191
* @param result The result of the verification.
9292
*/
93-
fun logResult(result: VerificationResult)
93+
fun logResult(result: VerificationResult) {}
9494

9595
/**
9696
* Logs the key description of the leaf certificate. Called if [verify] reaches the point where
9797
* the key description is parsed.
9898
*
9999
* @param keyDescription The key description of the leaf certificate.
100100
*/
101-
fun logKeyDescription(keyDescription: KeyDescription)
101+
fun logKeyDescription(keyDescription: KeyDescription) {}
102102

103103
/**
104104
* Logs the provisioning info map extension of the attestation certificate. Called if [verify]
@@ -107,7 +107,7 @@ interface VerifyRequestLog {
107107
*
108108
* @param provisioningInfoMap The provisioning info map extension of the leaf certificate.
109109
*/
110-
fun logProvisioningInfoMap(provisioningInfoMap: ProvisioningInfoMap)
110+
fun logProvisioningInfoMap(provisioningInfoMap: ProvisioningInfoMap) {}
111111

112112
/**
113113
* Logs the serial numbers of the intermediate certificates in the certificate chain. Called if
@@ -116,17 +116,25 @@ interface VerifyRequestLog {
116116
* @param certSerialNumbers The serial numbers of the intermediate certificates in the certificate
117117
* chain.
118118
*/
119-
fun logCertSerialNumbers(certSerialNumbers: List<String>)
119+
fun logCertSerialNumbers(certSerialNumbers: List<String>) {}
120+
121+
/**
122+
* Logs the certificate signing algorithms of the intermediate certificates in the certificate
123+
* chain. Called if [verify] reaches the point where the certificate chain is validated.
124+
*
125+
* @param certSigningAlgorithms The certificate signing algorithms in the chain.
126+
*/
127+
fun logCertSigningAlgorithms(certSigningAlgorithms: Set<String>) {}
120128

121129
/**
122130
* Logs an info level message. May be called throughout the verification process.
123131
*
124132
* @param infoMessage The info level message to log.
125133
*/
126-
fun logInfoMessage(infoMessage: String)
134+
fun logInfoMessage(infoMessage: String) {}
127135

128136
/* Flushes any buffered logs. Called just before [verify] returns. */
129-
fun flush()
137+
fun flush() {}
130138
}
131139

132140
/**
@@ -267,6 +275,8 @@ constructor(
267275
return VerificationResult.PathValidationFailure(e)
268276
}
269277

278+
log?.logCertSigningAlgorithms(certPath.signingAlgorithms())
279+
270280
val keyDescription =
271281
try {
272282
checkNotNull(

src/main/kotlin/provider/KeyAttestationCertPath.kt

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,9 +19,14 @@ package com.android.keyattestation.verifier.provider
1919
import com.android.keyattestation.verifier.SecurityLevel
2020
import com.android.keyattestation.verifier.asX509Certificate
2121
import com.google.protobuf.ByteString
22+
import java.security.PublicKey
2223
import java.security.cert.CertPath
2324
import java.security.cert.CertificateException
2425
import java.security.cert.X509Certificate
26+
import java.security.interfaces.DSAPublicKey
27+
import java.security.interfaces.ECPublicKey
28+
import java.security.interfaces.RSAPublicKey
29+
import javax.crypto.interfaces.DHPublicKey
2530
import javax.security.auth.x500.X500Principal
2631

2732
/**
@@ -72,6 +77,18 @@ class KeyAttestationCertPath(certs: List<X509Certificate>) : CertPath("X.509") {
7277
*/
7378
fun serialNumbers() = certificatesWithAnchor.map { it.serialNumber.toString(16) }
7479

80+
/**
81+
* Returns the signing algorithms of the certificates in the certificate chain.
82+
*
83+
* The format is "algNameKeySizeN".
84+
*
85+
* @return the signing algorithms of the certificates in the certificate chain.
86+
*/
87+
fun signingAlgorithms() =
88+
certificatesWithAnchor
89+
.zipWithNext { cert, issuer -> "${cert.sigAlgName}KeySize${issuer.publicKey.keySize()}" }
90+
.toSet()
91+
7592
fun provisioningMethod() =
7693
when {
7794
isFactoryProvisioned() -> ProvisioningMethod.FACTORY_PROVISIONED
@@ -152,6 +169,15 @@ private fun parseDN(dn: String): Map<String, String> {
152169
return attributes
153170
}
154171

172+
private fun PublicKey.keySize() =
173+
when (this) {
174+
is RSAPublicKey -> this.modulus.bitLength().toString()
175+
is ECPublicKey -> this.params.curve.field.fieldSize.toString()
176+
is DSAPublicKey -> this.y.bitLength().toString()
177+
is DHPublicKey -> this.y.bitLength().toString()
178+
else -> "unknown"
179+
}
180+
155181
private fun String?.toSecurityLevel() =
156182
when (this) {
157183
"TEE" -> SecurityLevel.TRUSTED_ENVIRONMENT

src/main/kotlin/testing/FakeLogHook.kt

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,7 @@ class FakeVerifyRequestLog : VerifyRequestLog {
5151
var provisioningInfoMap: ProvisioningInfoMap? = null
5252
var certSerialNumbers = mutableListOf<String>()
5353
var infoMessages = mutableListOf<String>()
54+
var certSigningAlgorithms = mutableSetOf<String>()
5455

5556
override fun logInputChain(inputChain: List<ByteString>) {
5657
this.inputChain.addAll(inputChain)
@@ -72,6 +73,10 @@ class FakeVerifyRequestLog : VerifyRequestLog {
7273
this.certSerialNumbers.addAll(certSerialNumbers)
7374
}
7475

76+
override fun logCertSigningAlgorithms(certSigningAlgorithms: Set<String>) {
77+
this.certSigningAlgorithms.addAll(certSigningAlgorithms)
78+
}
79+
7580
override fun logInfoMessage(infoMessage: String) {
7681
this.infoMessages.add(infoMessage)
7782
}

src/test/kotlin/provider/KeyAttestationCertPathTest.kt

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -101,6 +101,16 @@ class KeyAttestationCertPathTest {
101101
.inOrder()
102102
}
103103

104+
@Test
105+
fun signingAlgorithms_returnsExpectedSigningAlgorithms() {
106+
assertThat(readCertPath("blueline/sdk28/TEE_EC_NONE.pem").signingAlgorithms())
107+
.containsExactly(
108+
"SHA256withECDSAKeySize256",
109+
"SHA256withECDSAKeySize384",
110+
"SHA256withRSAKeySize4096",
111+
)
112+
}
113+
104114
@Test
105115
fun provisioningMethod_returnsExpectedType(@TestParameter testCase: ProvisioningMethodTestCase) {
106116
val certPath = readCertPath("${testCase.path}.pem")

0 commit comments

Comments
 (0)