Add Flogger logging and ThreadSafe annotations to Verifier.

PiperOrigin-RevId: 850090876

Author: agxp

src/main/kotlin/GoogleLoggerLogHook.kt

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.keyattestation.verifier
+
+import com.google.common.flogger.GoogleLogger
+import com.google.errorprone.annotations.ThreadSafe
+import com.google.protobuf.ByteString
+
+/** A [LogHook] that logs to GoogleLogger. */
+@ThreadSafe
+class GoogleLoggerLogHook : LogHook {
+  override fun createRequestLog(): VerifyRequestLog = GoogleLoggerRequestLog(logger)
+
+  internal companion object {
+    val logger = GoogleLogger.forEnclosingClass()
+  }
+}
+
+@ThreadSafe
+private class GoogleLoggerRequestLog(private val logger: GoogleLogger) : VerifyRequestLog {
+  override fun logInputChain(inputChain: List<ByteString>) {}
+
+  override fun logResult(result: VerificationResult) {
+    when (result) {
+      is VerificationResult.Success -> logger.atInfo().log("Attestation verification succeeded.")
+      is VerificationResult.ChallengeMismatch ->
+        logger.atWarning().log("Attestation challenge mismatch.")
+      is VerificationResult.PathValidationFailure ->
+        logger.atWarning().withCause(result.cause).log("Certificate path validation failed.")
+      is VerificationResult.ChainParsingFailure ->
+        logger.atWarning().withCause(result.cause).log("Failed to parse certificate chain.")
+      is VerificationResult.ExtensionParsingFailure ->
+        logger.atWarning().withCause(result.cause).log("Failed to parse key description extension.")
+      is VerificationResult.ExtensionConstraintViolation ->
+        logger.atWarning().log("Constraint violation: %s", result.cause)
+      is VerificationResult.SoftwareAttestationUnsupported -> {}
+    }
+  }
+
+  override fun logKeyDescription(keyDescription: KeyDescription) {}
+
+  override fun logProvisioningInfoMap(provisioningInfoMap: ProvisioningInfoMap) {}
+
+  override fun logCertSerialNumbers(certSerialNumbers: List<String>) {}
+
+  override fun logInfoMessage(infoMessage: String) {}
+
+  override fun flush() {}
+}

src/main/kotlin/Verifier.kt

@@ -42,28 +42,44 @@ import kotlinx.coroutines.guava.future
 import kotlinx.coroutines.runBlocking
 
 /** The result of verifying an Android Key Attestation certificate chain. */
+@ThreadSafe
 sealed interface VerificationResult {
+  @ThreadSafe
   data class Success(
-    val publicKey: PublicKey,
+    @field:ThreadSafe.Suppress(reason = "PublicKey is immutable") val publicKey: PublicKey,
     val challenge: ByteString,
     val securityLevel: SecurityLevel,
     val verifiedBootState: VerifiedBootState,
     val deviceInformation: ProvisioningInfoMap?,
+    @field:ThreadSafe.Suppress(reason = "DeviceIdentity is deeply immutable")
     val attestedDeviceIds: DeviceIdentity,
   ) : VerificationResult
 
-  data object ChallengeMismatch : VerificationResult
+  @ThreadSafe data object ChallengeMismatch : VerificationResult
 
-  data class PathValidationFailure(val cause: CertPathValidatorException) : VerificationResult
+  @ThreadSafe
+  data class PathValidationFailure(
+    @field:ThreadSafe.Suppress(reason = "Exceptions are generally immutable after creation")
+    val cause: CertPathValidatorException
+  ) : VerificationResult
 
-  data class ChainParsingFailure(val cause: Exception) : VerificationResult
+  @ThreadSafe
+  data class ChainParsingFailure(
+    @field:ThreadSafe.Suppress(reason = "Exceptions are generally immutable after creation")
+    val cause: Exception
+  ) : VerificationResult
 
-  data class ExtensionParsingFailure(val cause: ExtensionParsingException) : VerificationResult
+  @ThreadSafe
+  data class ExtensionParsingFailure(
+    @field:ThreadSafe.Suppress(reason = "Exceptions are generally immutable after creation")
+    val cause: ExtensionParsingException
+  ) : VerificationResult
 
+  @ThreadSafe
   data class ExtensionConstraintViolation(val cause: String, val reason: KeyAttestationReason) :
     VerificationResult
 
-  data object SoftwareAttestationUnsupported : VerificationResult
+  @ThreadSafe data object SoftwareAttestationUnsupported : VerificationResult
 }
 
 /**

src/main/kotlin/provider/RevocationChecker.kt

@@ -43,7 +43,7 @@ class RevocationChecker(private val revokedSerials: Set<String>) : PKIXRevocatio
     require(cert is X509Certificate)
 
     if (revokedSerials.contains(cert.serialNumber.toString(16))) {
-      // TODO: b/356234568 - Surface the revocation reason.
+      // TODO: google-internal bug - Surface the revocation reason.
       throw CertPathValidatorException(
         "Certificate has been revoked: ${cert.serialNumber}",
         null,