Rename teeEnforced to hardwareEnforced.

carmenyh · copybara-github · commit 1d0e1f123dd5 · 2025-06-26T09:09:38.000-07:00
PiperOrigin-RevId: 776162949
diff --git a/src/main/kotlin/Extension.kt b/src/main/kotlin/Extension.kt
@@ -114,17 +114,17 @@ data class DeviceIdentity(
     @JvmStatic
     fun parseFrom(description: KeyDescription) =
       DeviceIdentity(
-        description.teeEnforced.attestationIdBrand,
-        description.teeEnforced.attestationIdDevice,
-        description.teeEnforced.attestationIdProduct,
-        description.teeEnforced.attestationIdSerial,
+        description.hardwareEnforced.attestationIdBrand,
+        description.hardwareEnforced.attestationIdDevice,
+        description.hardwareEnforced.attestationIdProduct,
+        description.hardwareEnforced.attestationIdSerial,
         setOfNotNull(
-          description.teeEnforced.attestationIdImei,
-          description.teeEnforced.attestationIdSecondImei,
+          description.hardwareEnforced.attestationIdImei,
+          description.hardwareEnforced.attestationIdSecondImei,
         ),
-        description.teeEnforced.attestationIdMeid,
-        description.teeEnforced.attestationIdManufacturer,
-        description.teeEnforced.attestationIdModel,
+        description.hardwareEnforced.attestationIdMeid,
+        description.hardwareEnforced.attestationIdManufacturer,
+        description.hardwareEnforced.attestationIdModel,
       )
   }
 }
@@ -139,8 +139,7 @@ data class KeyDescription(
   val attestationChallenge: ByteString,
   val uniqueId: ByteString,
   val softwareEnforced: AuthorizationList,
-  // TODO: Rename to hardwareEnforced b/c could be TEE or StrongBox.
-  val teeEnforced: AuthorizationList,
+  val hardwareEnforced: AuthorizationList,
 ) {
   fun asExtension(): Extension {
     return Extension(OID, /* critical= */ false, encodeToAsn1())
@@ -155,7 +154,7 @@ data class KeyDescription(
         add(attestationChallenge.toAsn1())
         add(uniqueId.toAsn1())
         add(softwareEnforced.toAsn1())
-        add(teeEnforced.toAsn1())
+        add(hardwareEnforced.toAsn1())
       }
       .let { DERSequence(it.toTypedArray()).encoded }
 
@@ -178,7 +177,7 @@ data class KeyDescription(
         from(ASN1Sequence.getInstance(bytes))
       } catch (e: NullPointerException) {
         // Workaround for a NPE in BouncyCastle.
-        // http://google3/third_party/java_src/bouncycastle/core/src/main/java/org/bouncycastle/asn1/ASN1UniversalType.java;l=24;rcl=484684674
+        // https://github.com/bcgit/bc-java/blob/228211ecb973fe87fdd0fc4ab16ba0446ec1a29c/core/src/main/java/org/bouncycastle/asn1/ASN1UniversalType.java#L24
         throw IllegalArgumentException(e)
       }
 
@@ -192,7 +191,7 @@ data class KeyDescription(
         attestationChallenge = seq.getObjectAt(4).toByteString(),
         uniqueId = seq.getObjectAt(5).toByteString(),
         softwareEnforced = seq.getObjectAt(6).toAuthorizationList(),
-        teeEnforced = seq.getObjectAt(7).toAuthorizationList(),
+        hardwareEnforced = seq.getObjectAt(7).toAuthorizationList(),
       )
     }
   }
@@ -204,14 +203,10 @@ data class KeyDescription(
  * @see https://source.android.com/docs/security/features/keystore/attestation#securitylevel-values
  */
 enum class SecurityLevel(val value: Int) {
-  // LINT.IfChange(security_level)
   SOFTWARE(0),
   TRUSTED_ENVIRONMENT(1),
   STRONG_BOX(2);
 
-  // LINT.ThenChange(//depot/google3/identity/cryptauth/apparat/apparat.proto:key_type,
-  // //depot/google3/identity/cryptauth/apparat/storage/apparat_storage_api.proto:keymaster_security_level)
-
   internal fun toAsn1() = ASN1Enumerated(value)
 }
 
diff --git a/src/main/kotlin/Verifier.kt b/src/main/kotlin/Verifier.kt
@@ -121,11 +121,11 @@ open class Verifier(
     }
 
     if (
-      keyDescription.teeEnforced.origin == null ||
-        keyDescription.teeEnforced.origin != Origin.GENERATED
+      keyDescription.hardwareEnforced.origin == null ||
+        keyDescription.hardwareEnforced.origin != Origin.GENERATED
     ) {
       return VerificationResult.ExtensionConstraintViolation(
-        "origin != GENERATED: ${keyDescription.teeEnforced.origin}"
+        "origin != GENERATED: ${keyDescription.hardwareEnforced.origin}"
       )
     }
 
@@ -138,8 +138,10 @@ open class Verifier(
         )
       }
     val rootOfTrust =
-      keyDescription.teeEnforced.rootOfTrust
-        ?: return VerificationResult.ExtensionConstraintViolation("teeEnforced.rootOfTrust is null")
+      keyDescription.hardwareEnforced.rootOfTrust
+        ?: return VerificationResult.ExtensionConstraintViolation(
+          "hardwareEnforced.rootOfTrust is null"
+        )
     val deviceInformation =
       if (certPath.provisioningMethod() == ProvisioningMethod.REMOTELY_PROVISIONED) {
         certPath.attestationCert().provisioningInfo()
diff --git a/src/main/kotlin/provider/KeyAttestationCertPathValidator.kt b/src/main/kotlin/provider/KeyAttestationCertPathValidator.kt
@@ -256,7 +256,6 @@ private class BasicChecker(
      * KAVS does not check the validity of the final certificate in the path. For the purposes of
      * migration this path validator is intended to be bug compatible with KAVS, so we do not check
      * the validity of the final certificate either.
-     * http://google3/java/com/google/wireless/android/work/boq/unspoofableid/common/VerifyCertificateChain.java;l=173;rcl=679670181
      *
      * TODO: b/355190989 - explore if is viable to check the validity of the final certificate.
      */
diff --git a/src/main/kotlin/provider/RevocationChecker.kt b/src/main/kotlin/provider/RevocationChecker.kt
@@ -27,8 +27,6 @@ import java.security.cert.X509Certificate
  *
  * Currently, this class is a clone of the as-built revocation checker from KAVS. It is only
  * intended to be for migrating the bespoke KAVS path validation logic to this provider.
- *
- * http://google3/java/com/google/wireless/android/work/boq/unspoofableid/common/VerifyCertificateChain.java;l=107;rcl=677835266
  */
 class RevocationChecker(private val revokedSerials: Set<String>) : PKIXRevocationChecker() {
   override fun init(forward: Boolean) {
diff --git a/src/main/kotlin/testing/KeyAttestationCertFactory.kt b/src/main/kotlin/testing/KeyAttestationCertFactory.kt
@@ -130,7 +130,7 @@ internal class KeyAttestationCertFactory(val fakeCalendar: FakeCalendar = FakeCa
         attestationChallenge = ByteString.copyFromUtf8("A random 40-byte challenge for no reason"),
         uniqueId = ByteString.empty(),
         softwareEnforced = AuthorizationList(),
-        teeEnforced =
+        hardwareEnforced =
           AuthorizationList(
             rootOfTrust =
               RootOfTrust(
diff --git a/src/main/kotlin/testing/KeyAttestationCertPathFactory.kt b/src/main/kotlin/testing/KeyAttestationCertPathFactory.kt
@@ -50,7 +50,7 @@ class KeyAttestationCertPathFactory(val fakeCalendar: FakeCalendar = FakeCalenda
               /* critical= */ false,
               ProvisioningInfoMap(
                   certificatesIssued = 1,
-                  manufacturer = keyDescription.teeEnforced.attestationIdManufacturer,
+                  manufacturer = keyDescription.hardwareEnforced.attestationIdManufacturer,
                 )
                 .encodeToAsn1(),
             ),
diff --git a/src/test/kotlin/ExtensionTest.kt b/src/test/kotlin/ExtensionTest.kt
@@ -67,7 +67,7 @@ class ExtensionTest {
   fun parseFrom_containsAllowWhileOnBody_success() {
     val unused =
       testData.resolve("allow_while_on_body.pem").inputStream().asX509Certificate().keyDescription()
-    // assertThat(keyDescription.teeEnforced.allowWhileOnBody).isTrue()
+    // assertThat(keyDescription.hardwareEnforced.allowWhileOnBody).isTrue()
   }
 
   @Test
@@ -142,7 +142,7 @@ class ExtensionTest {
         attestationChallenge = ByteString.empty(),
         uniqueId = ByteString.empty(),
         softwareEnforced = authorizationList,
-        teeEnforced = authorizationList,
+        hardwareEnforced = authorizationList,
       )
     assertThat(KeyDescription.parseFrom(keyDescription.encodeToAsn1())).isEqualTo(keyDescription)
   }
diff --git a/testdata/akita/sdk34/SB_RSA_NONE.json b/testdata/akita/sdk34/SB_RSA_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",
diff --git a/testdata/akita/sdk34/TEE_EC_NONE.json b/testdata/akita/sdk34/TEE_EC_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "256",
     "algorithms": "3",
diff --git a/testdata/akita/sdk34/TEE_RSA_BASE+IMEI.json b/testdata/akita/sdk34/TEE_RSA_BASE+IMEI.json
@@ -12,7 +12,7 @@
       "signatures": []
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",
diff --git a/testdata/akita/sdk34/TEE_RSA_NONE.json b/testdata/akita/sdk34/TEE_RSA_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",
diff --git a/testdata/akita/sdk34/TEE_RSA_NONE_USERAUTH.json b/testdata/akita/sdk34/TEE_RSA_NONE_USERAUTH.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",
diff --git a/testdata/blueline/sdk28/SB_RSA_NONE.json b/testdata/blueline/sdk28/SB_RSA_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",
diff --git a/testdata/blueline/sdk28/SB_RSA_NONE_USERAUTH.json b/testdata/blueline/sdk28/SB_RSA_NONE_USERAUTH.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",
diff --git a/testdata/blueline/sdk28/TEE_EC_NONE.json b/testdata/blueline/sdk28/TEE_EC_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "256",
     "algorithms": "3",
diff --git a/testdata/blueline/sdk28/TEE_RSA_BASE+IMEI.json b/testdata/blueline/sdk28/TEE_RSA_BASE+IMEI.json
@@ -12,7 +12,7 @@
       "signatures": []
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",
diff --git a/testdata/blueline/sdk28/TEE_RSA_NONE.json b/testdata/blueline/sdk28/TEE_RSA_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",
diff --git a/testdata/marlin/sdk29/TEE_EC_NONE.json b/testdata/marlin/sdk29/TEE_EC_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "256",
     "algorithms": "3",
diff --git a/testdata/marlin/sdk29/TEE_RSA_NONE.json b/testdata/marlin/sdk29/TEE_RSA_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",

Original file line number	Diff line number	Diff line change
`@@ -121,11 +121,11 @@ open class Verifier(`
`121`	`121`	`}`
`122`	`122`
`123`	`123`	`if (`
`124`		`- keyDescription.teeEnforced.origin == null \|\|`
`125`		`- keyDescription.teeEnforced.origin != Origin.GENERATED`
	`124`	`+ keyDescription.hardwareEnforced.origin == null \|\|`
	`125`	`+ keyDescription.hardwareEnforced.origin != Origin.GENERATED`
`126`	`126`	`) {`
`127`	`127`	`return VerificationResult.ExtensionConstraintViolation(`
`128`		`- "origin != GENERATED: ${keyDescription.teeEnforced.origin}"`
	`128`	`+ "origin != GENERATED: ${keyDescription.hardwareEnforced.origin}"`
`129`	`129`	`)`
`130`	`130`	`}`
`131`	`131`
`@@ -138,8 +138,10 @@ open class Verifier(`
`138`	`138`	`)`
`139`	`139`	`}`
`140`	`140`	`val rootOfTrust =`
`141`		`- keyDescription.teeEnforced.rootOfTrust`
`142`		`- ?: return VerificationResult.ExtensionConstraintViolation("teeEnforced.rootOfTrust is null")`
	`141`	`+ keyDescription.hardwareEnforced.rootOfTrust`
	`142`	`+ ?: return VerificationResult.ExtensionConstraintViolation(`
	`143`	`+ "hardwareEnforced.rootOfTrust is null"`
	`144`	`+ )`
`143`	`145`	`val deviceInformation =`
`144`	`146`	`if (certPath.provisioningMethod() == ProvisioningMethod.REMOTELY_PROVISIONED) {`
`145`	`147`	`certPath.attestationCert().provisioningInfo()`
Original file line number	Diff line number	Diff line change
`@@ -256,7 +256,6 @@ private class BasicChecker(`
`256`	`256`	`* KAVS does not check the validity of the final certificate in the path. For the purposes of`
`257`	`257`	`* migration this path validator is intended to be bug compatible with KAVS, so we do not check`
`258`	`258`	`* the validity of the final certificate either.`
`259`		`- * http://google3/java/com/google/wireless/android/work/boq/unspoofableid/common/VerifyCertificateChain.java;l=173;rcl=679670181`
`260`	`259`	`*`
`261`	`260`	`* TODO: b/355190989 - explore if is viable to check the validity of the final certificate.`
`262`	`261`	`*/`
Original file line number	Diff line number	Diff line change
`@@ -27,8 +27,6 @@ import java.security.cert.X509Certificate`
`27`	`27`	`*`
`28`	`28`	`* Currently, this class is a clone of the as-built revocation checker from KAVS. It is only`
`29`	`29`	`* intended to be for migrating the bespoke KAVS path validation logic to this provider.`
`30`		`- *`
`31`		`- * http://google3/java/com/google/wireless/android/work/boq/unspoofableid/common/VerifyCertificateChain.java;l=107;rcl=677835266`
`32`	`30`	`*/`
`33`	`31`	`class RevocationChecker(private val revokedSerials: Set<String>) : PKIXRevocationChecker() {`
`34`	`32`	`override fun init(forward: Boolean) {`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ class KeyAttestationCertPathFactory(val fakeCalendar: FakeCalendar = FakeCalenda`
`50`	`50`	`/* critical= */ false,`
`51`	`51`	`ProvisioningInfoMap(`
`52`	`52`	`certificatesIssued = 1,`
`53`		`- manufacturer = keyDescription.teeEnforced.attestationIdManufacturer,`
	`53`	`+ manufacturer = keyDescription.hardwareEnforced.attestationIdManufacturer,`
`54`	`54`	`)`
`55`	`55`	`.encodeToAsn1(),`
`56`	`56`	`),`
Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ class ExtensionTest {`
`67`	`67`	`fun parseFrom_containsAllowWhileOnBody_success() {`
`68`	`68`	`val unused =`
`69`	`69`	`testData.resolve("allow_while_on_body.pem").inputStream().asX509Certificate().keyDescription()`
`70`		`- // assertThat(keyDescription.teeEnforced.allowWhileOnBody).isTrue()`
	`70`	`+ // assertThat(keyDescription.hardwareEnforced.allowWhileOnBody).isTrue()`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`@Test`
`@@ -142,7 +142,7 @@ class ExtensionTest {`
`142`	`142`	`attestationChallenge = ByteString.empty(),`
`143`	`143`	`uniqueId = ByteString.empty(),`
`144`	`144`	`softwareEnforced = authorizationList,`
`145`		`- teeEnforced = authorizationList,`
	`145`	`+ hardwareEnforced = authorizationList,`
`146`	`146`	`)`
`147`	`147`	`assertThat(KeyDescription.parseFrom(keyDescription.encodeToAsn1())).isEqualTo(keyDescription)`
`148`	`148`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@`
`17`	`17`	`"signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]`
`18`	`18`	`}`
`19`	`19`	`},`
`20`		`- "teeEnforced": {`
	`20`	`+ "hardwareEnforced": {`
`21`	`21`	`"purposes": ["2"],`
`22`	`22`	`"keySize": "2048",`
`23`	`23`	`"algorithms": "1",`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@`
`12`	`12`	`"signatures": []`
`13`	`13`	`}`
`14`	`14`	`},`
`15`		`- "teeEnforced": {`
	`15`	`+ "hardwareEnforced": {`
`16`	`16`	`"purposes": ["2"],`
`17`	`17`	`"keySize": "2048",`
`18`	`18`	`"algorithms": "1",`