Update LogHook for updated thread safety annotations.

PiperOrigin-RevId: 830853528

Author: carmenyh

src/main/kotlin/Verifier.kt

@@ -64,10 +64,17 @@ sealed interface VerificationResult {
     VerificationResult
 }
 
-/** Interface for logging info level key attestation events and information. */
+/**
+ * Interface for logging info level key attestation events and information.
+ *
+ * Uses of the log hook must be thread safe within a single verify call.
+ */
 @ThreadSafe
 interface LogHook {
+  fun createRequestLog(): VerifyRequestLog
+}
 
+interface VerifyRequestLog {
   /**
    * Logs the certificate chain which is being verified. Called for each call to [verify].
    *
@@ -114,6 +121,9 @@ interface LogHook {
    * @param infoMessage The info level message to log.
    */
   fun logInfoMessage(infoMessage: String)
+
+  /* Flushes any buffered logs. Called just before [verify] returns. */
+  fun flush()
 }
 
 /**
@@ -151,15 +161,17 @@ open class Verifier(
     challengeChecker: ChallengeChecker? = null,
     log: LogHook? = null,
   ): VerificationResult {
+    val requestLog = log?.createRequestLog()
     val result =
       try {
         val certPath = KeyAttestationCertPath(chain)
-        runBlocking { internalVerify(certPath, challengeChecker, log) }
+        runBlocking { internalVerify(certPath, challengeChecker, requestLog) }
       } catch (e: CertificateException) {
-        log?.logInputChain(chain.map { it.getEncoded().toByteString() })
+        requestLog?.logInputChain(chain.map { it.getEncoded().toByteString() })
         VerificationResult.ChainParsingFailure(e)
       }
-    log?.logResult(result)
+    requestLog?.logResult(result)
+    requestLog?.flush()
     return result
   }
 
@@ -182,15 +194,17 @@ open class Verifier(
   ): ListenableFuture<VerificationResult> {
     val immutableChain = ImmutableList.copyOf(chain)
     return coroutineScope.future {
+      val requestLog = log?.createRequestLog()
       val result =
         try {
           val certPath = KeyAttestationCertPath(immutableChain)
-          internalVerify(certPath, challengeChecker, log)
+          internalVerify(certPath, challengeChecker, requestLog)
         } catch (e: CertificateException) {
-          log?.logInputChain(immutableChain.map { it.getEncoded().toByteString() })
+          requestLog?.logInputChain(immutableChain.map { it.getEncoded().toByteString() })
           VerificationResult.ChainParsingFailure(e)
         }
-      log?.logResult(result)
+      requestLog?.logResult(result)
+      requestLog?.flush()
       result
     }
   }
@@ -199,7 +213,7 @@ open class Verifier(
   private suspend fun internalVerify(
     certPath: KeyAttestationCertPath,
     challengeChecker: ChallengeChecker? = null,
-    log: LogHook? = null,
+    log: VerifyRequestLog? = null,
   ): VerificationResult {
     log?.logInputChain(certPath.certificatesWithAnchor.map { it.getEncoded().toByteString() })
     log?.logCertSerialNumbers(

src/main/kotlin/testing/Certs.kt

@@ -20,6 +20,7 @@ import com.android.keyattestation.verifier.AuthorizationList
 import com.android.keyattestation.verifier.KeyDescription
 import com.android.keyattestation.verifier.KeyMintTag
 import com.android.keyattestation.verifier.Origin
+import com.android.keyattestation.verifier.ProvisioningInfoMap
 import com.android.keyattestation.verifier.RootOfTrust
 import com.android.keyattestation.verifier.SecurityLevel
 import com.android.keyattestation.verifier.VerifiedBootState
@@ -52,7 +53,6 @@ object Certs {
   val rootKey = certFactory.rootKey
   val factoryIntermediate = certFactory.factoryIntermediate
   val remoteIntermediate = certFactory.remoteIntermediate
-  val strongBoxIntermediate = certFactory.strongBoxIntermediate
   val factoryAttestation = certFactory.factoryAttestation
 }
 
@@ -100,8 +100,8 @@ object CertLists {
   val validStrongboxFactoryProvisioned by lazy {
     listOf(
       certFactory.generateLeafCert(extension = certFactory.STRONG_BOX_KEY_DESCRIPTION_EXT),
-      certFactory.generateAttestationCert(issuer = Certs.strongBoxIntermediate.subject),
-      Certs.strongBoxIntermediate,
+      certFactory.generateAttestationCert(issuer = certFactory.strongBoxIntermediate.subject),
+      certFactory.strongBoxIntermediate,
       Certs.root,
     )
   }
@@ -340,6 +340,43 @@ object CertLists {
     )
   }
 
+  val malformedProvisioningInfo by lazy {
+    listOf(
+      certFactory.generateLeafCert(),
+      certFactory.generateAttestationCert(
+        issuer = certFactory.rkpIntermediate.subject,
+        signingKey = certFactory.rkpKey.private,
+        extraExtension =
+          Extension(
+            ProvisioningInfoMap.OID,
+            /* critical= */ false,
+            ASN1Integer(BigInteger.valueOf(1234567)).encoded,
+          ),
+      ),
+      certFactory.rkpIntermediate,
+      Certs.remoteIntermediate,
+      certFactory.root,
+    )
+  }
+
+  /* Different revoked serial numbers for testing. */
+  @JvmField val REVOKED_SERIAL_NUMBER = 42.toBigInteger()
+  @JvmField val REVOKED_SERIAL_NUMBER_BIG = 8000000000000.toBigInteger()
+  @JvmField
+  val REVOKED_SERIAL_NUMBER_LONG_STRING = "c35747a084470c3135aeefe2b8d40cd6".toBigInteger(16)
+  @JvmField val REVOKED_SERIAL_NUMBER_ODD_LENGTH = 1228286566665971148.toBigInteger()
+
+  /* A chain where the attesstation certificate has {@link REVOKED_SERIAL_NUMBER}. */
+  @JvmStatic
+  val revoked by lazy {
+    listOf(
+      certFactory.generateLeafCert(),
+      certFactory.generateAttestationCert(serialNumber = REVOKED_SERIAL_NUMBER),
+      Certs.factoryIntermediate,
+      certFactory.root,
+    )
+  }
+
   private fun generateValidLeafCertWithAppendedTag(appendedTag: Int, appendedValue: ASN1Encodable) =
     certFactory.generateLeafCert(
       extension =
@@ -471,24 +508,6 @@ object Chains {
     )
   }
 
-  /* Different revoked serial numbers for testing. */
-  @JvmField val REVOKED_SERIAL_NUMBER = 42.toBigInteger()
-  @JvmField val REVOKED_SERIAL_NUMBER_BIG = 8000000000000.toBigInteger()
-  @JvmField
-  val REVOKED_SERIAL_NUMBER_LONG_STRING = "c35747a084470c3135aeefe2b8d40cd6".toBigInteger(16)
-  @JvmField val REVOKED_SERIAL_NUMBER_ODD_LENGTH = 1228286566665971148.toBigInteger()
-
-  /* A chain where the attesstation certificate has {@link REVOKED_SERIAL_NUMBER}. */
-  @JvmStatic
-  val revoked by lazy {
-    KeyAttestationCertPath(
-      certFactory.generateLeafCert(),
-      certFactory.generateAttestationCert(serialNumber = REVOKED_SERIAL_NUMBER),
-      Certs.factoryIntermediate,
-      certFactory.root,
-    )
-  }
-
   /* A factory chain with an additional intermediate certificate. */
   val forgedKeybox by lazy {
     val compromisedAttestationKey = certFactory.generateEcKeyPair()

src/main/kotlin/testing/FakeLogHook.kt

@@ -20,6 +20,7 @@ import com.android.keyattestation.verifier.KeyDescription
 import com.android.keyattestation.verifier.LogHook
 import com.android.keyattestation.verifier.ProvisioningInfoMap
 import com.android.keyattestation.verifier.VerificationResult
+import com.android.keyattestation.verifier.VerifyRequestLog
 import com.google.errorprone.annotations.ThreadSafe
 import com.google.protobuf.ByteString
 
@@ -30,6 +31,20 @@ import com.google.protobuf.ByteString
  * test.
  */
 class FakeLogHook : LogHook {
+  var fakeVerifyRequestLog = FakeVerifyRequestLog()
+
+  override fun createRequestLog(): VerifyRequestLog {
+    return fakeVerifyRequestLog
+  }
+}
+
+/**
+ * Fake implementation of [VerifyRequestLog] for testing.
+ *
+ * Stores the last values passed to each logging method. A new instance should be created for each
+ * test.
+ */
+class FakeVerifyRequestLog : VerifyRequestLog {
   var inputChain = mutableListOf<ByteString>()
   var result: VerificationResult? = null
   var keyDescription: KeyDescription? = null
@@ -60,4 +75,6 @@ class FakeLogHook : LogHook {
   override fun logInfoMessage(infoMessage: String) {
     this.infoMessages.add(infoMessage)
   }
+
+  override fun flush() {}
 }

src/test/kotlin/VerifierTest.kt

@@ -201,7 +201,7 @@ class VerifierTest {
         )
         .await()
     )
-    assertThat(logHook.inputChain)
+    assertThat(logHook.fakeVerifyRequestLog.inputChain)
       .isEqualTo(CertLists.wrongTrustAnchor.map { it.encoded.toByteString() })
   }
 
@@ -210,7 +210,8 @@ class VerifierTest {
     val logHook = FakeLogHook()
     val chain = readCertList("blueline/sdk28/TEE_EC_NONE.pem")
     assertIs<VerificationResult.Success>(verifier.verifyAsync(this, chain, log = logHook).await())
-    assertThat(logHook.keyDescription).isEqualTo(chain[0].keyDescription())
+    assertThat(logHook.fakeVerifyRequestLog.keyDescription)
+      .isEqualTo(chain.first().keyDescription())
   }
 
   @Test
@@ -225,7 +226,7 @@ class VerifierTest {
     assertIs<VerificationResult.Success>(
       verifierWithTestRoot.verifyAsync(this, CertLists.invalidBootPatchLevel, log = logHook).await()
     )
-    assertThat(logHook.infoMessages).isNotEmpty()
+    assertThat(logHook.fakeVerifyRequestLog.infoMessages).isNotEmpty()
   }
 
   @Test

src/test/kotlin/provider/RevocationCheckerTest.kt

@@ -16,8 +16,8 @@
 
 package com.android.keyattestation.verifier.provider
 
+import com.android.keyattestation.verifier.testing.CertLists
 import com.android.keyattestation.verifier.testing.Certs
-import com.android.keyattestation.verifier.testing.Chains
 import com.android.keyattestation.verifier.testing.FakeCalendar
 import java.security.Security
 import java.security.cert.CertPathValidator
@@ -39,28 +39,34 @@ class RevocationCheckerTest {
   private val revocationChecker =
     RevocationChecker(
       setOf(
-        Chains.REVOKED_SERIAL_NUMBER.toString(16),
-        Chains.REVOKED_SERIAL_NUMBER_BIG.toString(16),
-        Chains.REVOKED_SERIAL_NUMBER_LONG_STRING.toString(16),
-        Chains.REVOKED_SERIAL_NUMBER_ODD_LENGTH.toString(16),
+        CertLists.REVOKED_SERIAL_NUMBER.toString(16),
+        CertLists.REVOKED_SERIAL_NUMBER_BIG.toString(16),
+        CertLists.REVOKED_SERIAL_NUMBER_LONG_STRING.toString(16),
+        CertLists.REVOKED_SERIAL_NUMBER_ODD_LENGTH.toString(16),
       )
     )
   private val validator = CertPathValidator.getInstance("KeyAttestation")
   private val pkixValidator = CertPathValidator.getInstance("PKIX")
 
   @Test
   fun withoutRevocationChecker_validationSucceeds() {
-    validator.validate(Chains.revoked, params)
-    pkixValidator.validate(Chains.revoked, params)
+    validator.validate(KeyAttestationCertPath(CertLists.revoked), params)
+    pkixValidator.validate(KeyAttestationCertPath(CertLists.revoked), params)
   }
 
   @Test
   fun withRevocationChecker_throwsCertPathValidatorException() {
     assertFailsWith<CertPathValidatorException> {
-      validator.validate(Chains.revoked, params.apply { addCertPathChecker(revocationChecker) })
+      validator.validate(
+        KeyAttestationCertPath(CertLists.revoked),
+        params.apply { addCertPathChecker(revocationChecker) },
+      )
     }
     assertFailsWith<CertPathValidatorException> {
-      pkixValidator.validate(Chains.revoked, params.apply { addCertPathChecker(revocationChecker) })
+      pkixValidator.validate(
+        KeyAttestationCertPath(CertLists.revoked),
+        params.apply { addCertPathChecker(revocationChecker) },
+      )
     }
   }