Add mechanism for adding debug logging.

PiperOrigin-RevId: 769130000

Author: carmenyh

build.gradle.kts

@@ -27,6 +27,7 @@ dependencies {
   implementation("com.google.code.gson:gson:2.11.0")
   implementation("com.google.guava:guava:33.3.1-android")
   implementation("com.google.protobuf:protobuf-javalite:4.28.3")
+  implementation("com.google.protobuf:protobuf-kotlin-lite:4.28.3")
   implementation("org.bouncycastle:bcpkix-jdk18on:1.78.1")
   implementation("org.jetbrains.kotlin:kotlin-stdlib:2.2.0")
 
@@ -49,17 +50,20 @@ tasks {
 
 val generatedSourcesDir = layout.buildDirectory.dir("generated")
 
-val googleTrustAnchors by tasks.registering {
-  val jsonFile = file("roots.json")
-  val json = jsonFile.readText()
-  val generatedFile = generatedSourcesDir.get().file("main/kotlin/GoogleTrustAnchors.kt")
+val googleTrustAnchors by
+  tasks.registering {
+    val jsonFile = file("roots.json")
+    val json = jsonFile.readText()
+    val generatedFile = generatedSourcesDir.get().file("main/kotlin/GoogleTrustAnchors.kt")
 
-  inputs.files(jsonFile)
-  outputs.file(generatedFile)
+    inputs.files(jsonFile)
+    outputs.file(generatedFile)
 
-  doLast {
-    generatedFile.getAsFile().writeText(
-        """
+    doLast {
+      generatedFile
+        .getAsFile()
+        .writeText(
+          """
         package com.android.keyattestation.verifier
 
         import com.android.keyattestation.verifier.asX509Certificate
@@ -81,22 +85,18 @@ val googleTrustAnchors by tasks.registering {
           }
         }
         """
-      )
+        )
+    }
   }
-}
-
-val generateSources by tasks.registering {
-  outputs.dir(generatedSourcesDir)
-  dependsOn(tasks.named("googleTrustAnchors"))
-}
 
-sourceSets {
-  main {
-    kotlin.srcDir(generateSources)
+val generateSources by
+  tasks.registering {
+    outputs.dir(generatedSourcesDir)
+    dependsOn(tasks.named("googleTrustAnchors"))
   }
-}
+
+sourceSets { main { kotlin.srcDir(generateSources) } }
 
 tasks.named("compileKotlin").configure {
-    dependsOn("generateSources")
+  dependsOn("generateSources")
 }
-

src/main/kotlin/Extension.kt

@@ -97,14 +97,14 @@ data class ProvisioningInfoMap(
 }
 
 data class DeviceIdentity(
-  val brand: String?,
-  val device: String?,
-  val product: String?,
-  val serialNumber: String?,
-  val imeis: Set<String>,
-  val meid: String?,
-  val manufacturer: String?,
-  val model: String?,
+  val brand: String? = null,
+  val device: String? = null,
+  val product: String? = null,
+  val serialNumber: String? = null,
+  val imeis: Set<String> = emptySet(),
+  val meid: String? = null,
+  val manufacturer: String? = null,
+  val model: String? = null,
 ) {
   companion object {
     @JvmStatic
@@ -160,23 +160,25 @@ data class KeyDescription(
     @JvmField val OID = ASN1ObjectIdentifier("1.3.6.1.4.1.11129.2.1.17")
 
     @JvmStatic
-    fun parseFrom(cert: X509Certificate) =
+    @JvmOverloads
+    fun parseFrom(cert: X509Certificate, logFn: (String) -> Unit = {}) =
       cert
         .getExtensionValue(OID.id)
         .let { ASN1OctetString.getInstance(it).octets }
-        .let { parseFrom(it) }
+        .let { parseFrom(it, logFn) }
 
     @JvmStatic
-    fun parseFrom(bytes: ByteArray) =
+    @JvmOverloads
+    fun parseFrom(bytes: ByteArray, logFn: (String) -> Unit = {}) =
       try {
-        from(ASN1Sequence.getInstance(bytes))
+        from(ASN1Sequence.getInstance(bytes), logFn)
       } catch (e: NullPointerException) {
         // Workaround for a NPE in BouncyCastle.
         // https://github.com/bcgit/bc-java/blob/228211ecb973fe87fdd0fc4ab16ba0446ec1a29c/core/src/main/java/org/bouncycastle/asn1/ASN1UniversalType.java#L24
         throw IllegalArgumentException(e)
       }
 
-    private fun from(seq: ASN1Sequence): KeyDescription {
+    private fun from(seq: ASN1Sequence, logFn: (String) -> Unit = {}): KeyDescription {
       require(seq.size() == 8)
       return KeyDescription(
         attestationVersion = seq.getObjectAt(0).toInt(),
@@ -185,8 +187,8 @@ data class KeyDescription(
         keyMintSecurityLevel = seq.getObjectAt(3).toSecurityLevel(),
         attestationChallenge = seq.getObjectAt(4).toByteString(),
         uniqueId = seq.getObjectAt(5).toByteString(),
-        softwareEnforced = seq.getObjectAt(6).toAuthorizationList(),
-        hardwareEnforced = seq.getObjectAt(7).toAuthorizationList(),
+        softwareEnforced = seq.getObjectAt(6).toAuthorizationList(logFn),
+        hardwareEnforced = seq.getObjectAt(7).toAuthorizationList(logFn),
       )
     }
   }
@@ -218,7 +220,7 @@ enum class Origin(val value: Long) {
   RESERVED(3),
   SECURELY_IMPORTED(4);
 
-  internal fun toAsn1() = ASN1Integer(value)
+  fun toAsn1() = ASN1Integer(value)
 }
 
 /**
@@ -391,7 +393,7 @@ data class AuthorizationList(
       .let { DERSequence(it.toTypedArray()) }
 
   internal companion object {
-    fun from(seq: ASN1Sequence, validateTagOrder: Boolean = false): AuthorizationList {
+    fun from(seq: ASN1Sequence, logFn: (String) -> Unit = { _ -> }): AuthorizationList {
       val objects =
         seq.associate {
           require(it is ASN1TaggedObject) {
@@ -411,9 +413,8 @@ data class AuthorizationList(
        * 2. within each class of tags, the elements or alternatives shall appear in ascending order
        *    of their tag numbers.
        */
-      // TODO: b/356172932 - Add test data once an example certificate is found in the wild.
-      if (validateTagOrder && !objects.keys.zipWithNext().all { (lhs, rhs) -> rhs > lhs }) {
-        throw IllegalArgumentException("AuthorizationList tags must appear in ascending order")
+      if (!objects.keys.zipWithNext().all { (lhs, rhs) -> rhs > lhs }) {
+        logFn("AuthorizationList tags should appear in ascending order")
       }
 
       return AuthorizationList(
@@ -439,7 +440,7 @@ data class AuthorizationList(
         rollbackResistant = if (objects.containsKey(KeyMintTag.ROLLBACK_RESISTANT)) true else null,
         rootOfTrust = objects[KeyMintTag.ROOT_OF_TRUST]?.toRootOfTrust(),
         osVersion = objects[KeyMintTag.OS_VERSION]?.toInt(),
-        osPatchLevel = objects[KeyMintTag.OS_PATCH_LEVEL]?.toPatchLevel(),
+        osPatchLevel = objects[KeyMintTag.OS_PATCH_LEVEL]?.toPatchLevel("OS", logFn),
         attestationApplicationId =
           objects[KeyMintTag.ATTESTATION_APPLICATION_ID]?.toAttestationApplicationId(),
         attestationIdBrand = objects[KeyMintTag.ATTESTATION_ID_BRAND]?.toStr(),
@@ -450,8 +451,8 @@ data class AuthorizationList(
         attestationIdMeid = objects[KeyMintTag.ATTESTATION_ID_MEID]?.toStr(),
         attestationIdManufacturer = objects[KeyMintTag.ATTESTATION_ID_MANUFACTURER]?.toStr(),
         attestationIdModel = objects[KeyMintTag.ATTESTATION_ID_MODEL]?.toStr(),
-        vendorPatchLevel = objects[KeyMintTag.VENDOR_PATCH_LEVEL]?.toPatchLevel(),
-        bootPatchLevel = objects[KeyMintTag.BOOT_PATCH_LEVEL]?.toPatchLevel(),
+        vendorPatchLevel = objects[KeyMintTag.VENDOR_PATCH_LEVEL]?.toPatchLevel("vendor", logFn),
+        bootPatchLevel = objects[KeyMintTag.BOOT_PATCH_LEVEL]?.toPatchLevel("boot", logFn),
         attestationIdSecondImei = objects[KeyMintTag.ATTESTATION_ID_SECOND_IMEI]?.toStr(),
         moduleHash = objects[KeyMintTag.MODULE_HASH]?.toByteString(),
       )
@@ -470,14 +471,24 @@ data class PatchLevel(val yearMonth: YearMonth, val version: Int? = null) {
   }
 
   companion object {
-    fun from(patchLevel: ASN1Encodable): PatchLevel? {
+    fun from(
+      patchLevel: ASN1Encodable,
+      partitionName: String = "",
+      logFn: (String) -> Unit = { _ -> },
+    ): PatchLevel? {
       check(patchLevel is ASN1Integer) { "Must be an ASN1Integer, was ${this::class.simpleName}" }
-      return from(patchLevel.value.toString())
+      return from(patchLevel.value.toString(), partitionName, logFn)
     }
 
     @JvmStatic
-    fun from(patchLevel: String): PatchLevel? {
+    @JvmOverloads
+    fun from(
+      patchLevel: String,
+      partitionName: String = "",
+      logFn: (String) -> Unit = { _ -> },
+    ): PatchLevel? {
       if (patchLevel.length != 6 && patchLevel.length != 8) {
+        logFn("Invalid $partitionName patch level: $patchLevel")
         return null
       }
       try {
@@ -486,6 +497,7 @@ data class PatchLevel(val yearMonth: YearMonth, val version: Int? = null) {
         val version = if (patchLevel.length == 8) patchLevel.substring(6).toInt() else null
         return PatchLevel(yearMonth, version)
       } catch (e: DateTimeParseException) {
+        logFn("Invalid $partitionName patch level: $patchLevel")
         return null
       }
     }
@@ -615,12 +627,9 @@ private fun ASN1Encodable.toAttestationApplicationId(): AttestationApplicationId
   return AttestationApplicationId.from(ASN1Sequence.getInstance(this.octets))
 }
 
-// TODO: b/356172932 - `validateTagOrder` should default to true after making it user configurable.
-private fun ASN1Encodable.toAuthorizationList(
-  validateTagOrder: Boolean = false
-): AuthorizationList {
+private fun ASN1Encodable.toAuthorizationList(logFn: (String) -> Unit): AuthorizationList {
   check(this is ASN1Sequence) { "Object must be an ASN1Sequence, was ${this::class.simpleName}" }
-  return AuthorizationList.from(this, validateTagOrder)
+  return AuthorizationList.from(this, logFn)
 }
 
 private fun ASN1Encodable.toBoolean(): Boolean {
@@ -647,7 +656,10 @@ private fun ASN1Encodable.toInt(): BigInteger {
   return this.value
 }
 
-private fun ASN1Encodable.toPatchLevel(): PatchLevel? = PatchLevel.from(this)
+private fun ASN1Encodable.toPatchLevel(
+  partitionName: String = "",
+  logFn: (String) -> Unit = { _ -> },
+): PatchLevel? = PatchLevel.from(this, partitionName, logFn)
 
 private fun ASN1Encodable.toRootOfTrust(): RootOfTrust {
   check(this is ASN1Sequence) { "Object must be an ASN1Sequence, was ${this::class.simpleName}" }