Update LogHook for updated thread safety annotations.

PiperOrigin-RevId: 830895939

Author: Android HW Trust Team

src/main/kotlin/Verifier.kt

@@ -64,17 +64,10 @@ sealed interface VerificationResult {
     VerificationResult
 }
 
-/**
- * Interface for logging info level key attestation events and information.
- *
- * Uses of the log hook must be thread safe within a single verify call.
- */
+/** Interface for logging info level key attestation events and information. */
 @ThreadSafe
 interface LogHook {
-  fun createRequestLog(): VerifyRequestLog
-}
 
-interface VerifyRequestLog {
   /**
    * Logs the certificate chain which is being verified. Called for each call to [verify].
    *
@@ -121,9 +114,6 @@ interface VerifyRequestLog {
    * @param infoMessage The info level message to log.
    */
   fun logInfoMessage(infoMessage: String)
-
-  /* Flushes any buffered logs. Called just before [verify] returns. */
-  fun flush()
 }
 
 /**
@@ -161,17 +151,15 @@ open class Verifier(
     challengeChecker: ChallengeChecker? = null,
     log: LogHook? = null,
   ): VerificationResult {
-    val requestLog = log?.createRequestLog()
     val result =
       try {
         val certPath = KeyAttestationCertPath(chain)
-        runBlocking { internalVerify(certPath, challengeChecker, requestLog) }
+        runBlocking { internalVerify(certPath, challengeChecker, log) }
       } catch (e: CertificateException) {
-        requestLog?.logInputChain(chain.map { it.getEncoded().toByteString() })
+        log?.logInputChain(chain.map { it.getEncoded().toByteString() })
         VerificationResult.ChainParsingFailure(e)
       }
-    requestLog?.logResult(result)
-    requestLog?.flush()
+    log?.logResult(result)
     return result
   }
 
@@ -194,17 +182,15 @@ open class Verifier(
   ): ListenableFuture<VerificationResult> {
     val immutableChain = ImmutableList.copyOf(chain)
     return coroutineScope.future {
-      val requestLog = log?.createRequestLog()
       val result =
         try {
           val certPath = KeyAttestationCertPath(immutableChain)
-          internalVerify(certPath, challengeChecker, requestLog)
+          internalVerify(certPath, challengeChecker, log)
         } catch (e: CertificateException) {
-          requestLog?.logInputChain(immutableChain.map { it.getEncoded().toByteString() })
+          log?.logInputChain(immutableChain.map { it.getEncoded().toByteString() })
           VerificationResult.ChainParsingFailure(e)
         }
-      requestLog?.logResult(result)
-      requestLog?.flush()
+      log?.logResult(result)
       result
     }
   }
@@ -213,7 +199,7 @@ open class Verifier(
   private suspend fun internalVerify(
     certPath: KeyAttestationCertPath,
     challengeChecker: ChallengeChecker? = null,
-    log: VerifyRequestLog? = null,
+    log: LogHook? = null,
   ): VerificationResult {
     log?.logInputChain(certPath.certificatesWithAnchor.map { it.getEncoded().toByteString() })
     log?.logCertSerialNumbers(

src/main/kotlin/testing/Certs.kt

@@ -20,7 +20,6 @@ import com.android.keyattestation.verifier.AuthorizationList
 import com.android.keyattestation.verifier.KeyDescription
 import com.android.keyattestation.verifier.KeyMintTag
 import com.android.keyattestation.verifier.Origin
-import com.android.keyattestation.verifier.ProvisioningInfoMap
 import com.android.keyattestation.verifier.RootOfTrust
 import com.android.keyattestation.verifier.SecurityLevel
 import com.android.keyattestation.verifier.VerifiedBootState
@@ -53,6 +52,7 @@ object Certs {
   val rootKey = certFactory.rootKey
   val factoryIntermediate = certFactory.factoryIntermediate
   val remoteIntermediate = certFactory.remoteIntermediate
+  val strongBoxIntermediate = certFactory.strongBoxIntermediate
   val factoryAttestation = certFactory.factoryAttestation
 }
 
@@ -100,8 +100,8 @@ object CertLists {
   val validStrongboxFactoryProvisioned by lazy {
     listOf(
       certFactory.generateLeafCert(extension = certFactory.STRONG_BOX_KEY_DESCRIPTION_EXT),
-      certFactory.generateAttestationCert(issuer = certFactory.strongBoxIntermediate.subject),
-      certFactory.strongBoxIntermediate,
+      certFactory.generateAttestationCert(issuer = Certs.strongBoxIntermediate.subject),
+      Certs.strongBoxIntermediate,
       Certs.root,
     )
   }
@@ -340,43 +340,6 @@ object CertLists {
     )
   }
 
-  val malformedProvisioningInfo by lazy {
-    listOf(
-      certFactory.generateLeafCert(),
-      certFactory.generateAttestationCert(
-        issuer = certFactory.rkpIntermediate.subject,
-        signingKey = certFactory.rkpKey.private,
-        extraExtension =
-          Extension(
-            ProvisioningInfoMap.OID,
-            /* critical= */ false,
-            ASN1Integer(BigInteger.valueOf(1234567)).encoded,
-          ),
-      ),
-      certFactory.rkpIntermediate,
-      Certs.remoteIntermediate,
-      certFactory.root,
-    )
-  }
-
-  /* Different revoked serial numbers for testing. */
-  @JvmField val REVOKED_SERIAL_NUMBER = 42.toBigInteger()
-  @JvmField val REVOKED_SERIAL_NUMBER_BIG = 8000000000000.toBigInteger()
-  @JvmField
-  val REVOKED_SERIAL_NUMBER_LONG_STRING = "c35747a084470c3135aeefe2b8d40cd6".toBigInteger(16)
-  @JvmField val REVOKED_SERIAL_NUMBER_ODD_LENGTH = 1228286566665971148.toBigInteger()
-
-  /* A chain where the attesstation certificate has {@link REVOKED_SERIAL_NUMBER}. */
-  @JvmStatic
-  val revoked by lazy {
-    listOf(
-      certFactory.generateLeafCert(),
-      certFactory.generateAttestationCert(serialNumber = REVOKED_SERIAL_NUMBER),
-      Certs.factoryIntermediate,
-      certFactory.root,
-    )
-  }
-
   private fun generateValidLeafCertWithAppendedTag(appendedTag: Int, appendedValue: ASN1Encodable) =
     certFactory.generateLeafCert(
       extension =
@@ -508,6 +471,24 @@ object Chains {
     )
   }
 
+  /* Different revoked serial numbers for testing. */
+  @JvmField val REVOKED_SERIAL_NUMBER = 42.toBigInteger()
+  @JvmField val REVOKED_SERIAL_NUMBER_BIG = 8000000000000.toBigInteger()
+  @JvmField
+  val REVOKED_SERIAL_NUMBER_LONG_STRING = "c35747a084470c3135aeefe2b8d40cd6".toBigInteger(16)
+  @JvmField val REVOKED_SERIAL_NUMBER_ODD_LENGTH = 1228286566665971148.toBigInteger()
+
+  /* A chain where the attesstation certificate has {@link REVOKED_SERIAL_NUMBER}. */
+  @JvmStatic
+  val revoked by lazy {
+    KeyAttestationCertPath(
+      certFactory.generateLeafCert(),
+      certFactory.generateAttestationCert(serialNumber = REVOKED_SERIAL_NUMBER),
+      Certs.factoryIntermediate,
+      certFactory.root,
+    )
+  }
+
   /* A factory chain with an additional intermediate certificate. */
   val forgedKeybox by lazy {
     val compromisedAttestationKey = certFactory.generateEcKeyPair()

src/main/kotlin/testing/FakeLogHook.kt

@@ -20,7 +20,6 @@ import com.android.keyattestation.verifier.KeyDescription
 import com.android.keyattestation.verifier.LogHook
 import com.android.keyattestation.verifier.ProvisioningInfoMap
 import com.android.keyattestation.verifier.VerificationResult
-import com.android.keyattestation.verifier.VerifyRequestLog
 import com.google.errorprone.annotations.ThreadSafe
 import com.google.protobuf.ByteString
 
@@ -31,20 +30,6 @@ import com.google.protobuf.ByteString
  * test.
  */
 class FakeLogHook : LogHook {
-  var fakeVerifyRequestLog = FakeVerifyRequestLog()
-
-  override fun createRequestLog(): VerifyRequestLog {
-    return fakeVerifyRequestLog
-  }
-}
-
-/**
- * Fake implementation of [VerifyRequestLog] for testing.
- *
- * Stores the last values passed to each logging method. A new instance should be created for each
- * test.
- */
-class FakeVerifyRequestLog : VerifyRequestLog {
   var inputChain = mutableListOf<ByteString>()
   var result: VerificationResult? = null
   var keyDescription: KeyDescription? = null
@@ -75,6 +60,4 @@ class FakeVerifyRequestLog : VerifyRequestLog {
   override fun logInfoMessage(infoMessage: String) {
     this.infoMessages.add(infoMessage)
   }
-
-  override fun flush() {}
 }

src/test/kotlin/VerifierTest.kt

@@ -201,7 +201,7 @@ class VerifierTest {
         )
         .await()
     )
-    assertThat(logHook.fakeVerifyRequestLog.inputChain)
+    assertThat(logHook.inputChain)
       .isEqualTo(CertLists.wrongTrustAnchor.map { it.encoded.toByteString() })
   }
 
@@ -210,8 +210,7 @@ class VerifierTest {
     val logHook = FakeLogHook()
     val chain = readCertList("blueline/sdk28/TEE_EC_NONE.pem")
     assertIs<VerificationResult.Success>(verifier.verifyAsync(this, chain, log = logHook).await())
-    assertThat(logHook.fakeVerifyRequestLog.keyDescription)
-      .isEqualTo(chain.first().keyDescription())
+    assertThat(logHook.keyDescription).isEqualTo(chain[0].keyDescription())
   }
 
   @Test
@@ -226,7 +225,7 @@ class VerifierTest {
     assertIs<VerificationResult.Success>(
       verifierWithTestRoot.verifyAsync(this, CertLists.invalidBootPatchLevel, log = logHook).await()
     )
-    assertThat(logHook.fakeVerifyRequestLog.infoMessages).isNotEmpty()
+    assertThat(logHook.infoMessages).isNotEmpty()
   }
 
   @Test

src/test/kotlin/provider/RevocationCheckerTest.kt

@@ -16,8 +16,8 @@
 
 package com.android.keyattestation.verifier.provider
 
-import com.android.keyattestation.verifier.testing.CertLists
 import com.android.keyattestation.verifier.testing.Certs
+import com.android.keyattestation.verifier.testing.Chains
 import com.android.keyattestation.verifier.testing.FakeCalendar
 import java.security.Security
 import java.security.cert.CertPathValidator
@@ -39,34 +39,28 @@ class RevocationCheckerTest {
   private val revocationChecker =
     RevocationChecker(
       setOf(
-        CertLists.REVOKED_SERIAL_NUMBER.toString(16),
-        CertLists.REVOKED_SERIAL_NUMBER_BIG.toString(16),
-        CertLists.REVOKED_SERIAL_NUMBER_LONG_STRING.toString(16),
-        CertLists.REVOKED_SERIAL_NUMBER_ODD_LENGTH.toString(16),
+        Chains.REVOKED_SERIAL_NUMBER.toString(16),
+        Chains.REVOKED_SERIAL_NUMBER_BIG.toString(16),
+        Chains.REVOKED_SERIAL_NUMBER_LONG_STRING.toString(16),
+        Chains.REVOKED_SERIAL_NUMBER_ODD_LENGTH.toString(16),
       )
     )
   private val validator = CertPathValidator.getInstance("KeyAttestation")
   private val pkixValidator = CertPathValidator.getInstance("PKIX")
 
   @Test
   fun withoutRevocationChecker_validationSucceeds() {
-    validator.validate(KeyAttestationCertPath(CertLists.revoked), params)
-    pkixValidator.validate(KeyAttestationCertPath(CertLists.revoked), params)
+    validator.validate(Chains.revoked, params)
+    pkixValidator.validate(Chains.revoked, params)
   }
 
   @Test
   fun withRevocationChecker_throwsCertPathValidatorException() {
     assertFailsWith<CertPathValidatorException> {
-      validator.validate(
-        KeyAttestationCertPath(CertLists.revoked),
-        params.apply { addCertPathChecker(revocationChecker) },
-      )
+      validator.validate(Chains.revoked, params.apply { addCertPathChecker(revocationChecker) })
     }
     assertFailsWith<CertPathValidatorException> {
-      pkixValidator.validate(
-        KeyAttestationCertPath(CertLists.revoked),
-        params.apply { addCertPathChecker(revocationChecker) },
-      )
+      pkixValidator.validate(Chains.revoked, params.apply { addCertPathChecker(revocationChecker) })
     }
   }