Add mechanism for adding debug logging.

PiperOrigin-RevId: 769130000

Author: carmenyh

src/main/kotlin/Extension.kt

@@ -100,14 +100,14 @@ data class ProvisioningInfoMap(
 
 @JsonClass(generateAdapter = true)
 data class DeviceIdentity(
-  val brand: String?,
-  val device: String?,
-  val product: String?,
-  val serialNumber: String?,
-  val imeis: Set<String>,
-  val meid: String?,
-  val manufacturer: String?,
-  val model: String?,
+  val brand: String? = null,
+  val device: String? = null,
+  val product: String? = null,
+  val serialNumber: String? = null,
+  val imeis: Set<String> = emptySet(),
+  val meid: String? = null,
+  val manufacturer: String? = null,
+  val model: String? = null,
 ) {
   companion object {
     @JvmStatic
@@ -133,12 +133,13 @@ data class DeviceIdentity(
 data class KeyDescription(
   val attestationVersion: BigInteger,
   val attestationSecurityLevel: SecurityLevel,
-  val keymasterVersion: BigInteger,
-  val keymasterSecurityLevel: SecurityLevel,
+  val keyMintVersion: BigInteger,
+  val keyMintSecurityLevel: SecurityLevel,
   val attestationChallenge: ByteString,
   val uniqueId: ByteString,
   val softwareEnforced: AuthorizationList,
   val hardwareEnforced: AuthorizationList,
+  @SuppressWarnings("Immutable") @Transient val infoMessages: List<String>? = listOf(),
 ) {
   fun asExtension(): Extension {
     return Extension(OID, /* critical= */ false, encodeToAsn1())
@@ -148,8 +149,8 @@ data class KeyDescription(
     buildList {
         add(attestationVersion.toAsn1())
         add(attestationSecurityLevel.toAsn1())
-        add(keymasterVersion.toAsn1())
-        add(keymasterSecurityLevel.toAsn1())
+        add(keyMintVersion.toAsn1())
+        add(keyMintSecurityLevel.toAsn1())
         add(attestationChallenge.toAsn1())
         add(uniqueId.toAsn1())
         add(softwareEnforced.toAsn1())
@@ -182,15 +183,17 @@ data class KeyDescription(
 
     private fun from(seq: ASN1Sequence): KeyDescription {
       require(seq.size() == 8)
+      val infoMessages = mutableListOf<String>()
       return KeyDescription(
         attestationVersion = seq.getObjectAt(0).toInt(),
         attestationSecurityLevel = seq.getObjectAt(1).toSecurityLevel(),
-        keymasterVersion = seq.getObjectAt(2).toInt(),
-        keymasterSecurityLevel = seq.getObjectAt(3).toSecurityLevel(),
+        keyMintVersion = seq.getObjectAt(2).toInt(),
+        keyMintSecurityLevel = seq.getObjectAt(3).toSecurityLevel(),
         attestationChallenge = seq.getObjectAt(4).toByteString(),
         uniqueId = seq.getObjectAt(5).toByteString(),
-        softwareEnforced = seq.getObjectAt(6).toAuthorizationList(),
-        hardwareEnforced = seq.getObjectAt(7).toAuthorizationList(),
+        softwareEnforced = seq.getObjectAt(6).toAuthorizationList(infoMessages = infoMessages),
+        hardwareEnforced = seq.getObjectAt(7).toAuthorizationList(infoMessages = infoMessages),
+        infoMessages = infoMessages.toList(),
       )
     }
   }
@@ -396,7 +399,11 @@ data class AuthorizationList(
       .let { DERSequence(it.toTypedArray()) }
 
   internal companion object {
-    fun from(seq: ASN1Sequence, validateTagOrder: Boolean = false): AuthorizationList {
+    fun from(
+      seq: ASN1Sequence,
+      validateTagOrder: Boolean = false,
+      infoMessages: MutableList<String>? = null,
+    ): AuthorizationList {
       val objects =
         seq.associate {
           require(it is ASN1TaggedObject) {
@@ -417,8 +424,12 @@ data class AuthorizationList(
        *    of their tag numbers.
        */
       // TODO: b/356172932 - Add test data once an example certificate is found in the wild.
-      if (validateTagOrder && !objects.keys.zipWithNext().all { (lhs, rhs) -> rhs > lhs }) {
-        throw IllegalArgumentException("AuthorizationList tags must appear in ascending order")
+      if (!objects.keys.zipWithNext().all { (lhs, rhs) -> rhs > lhs }) {
+        if (validateTagOrder) {
+          throw IllegalArgumentException("AuthorizationList tags must appear in ascending order")
+        } else {
+          infoMessages?.add("AuthorizationList tags must appear in ascending order")
+        }
       }
 
       return AuthorizationList(
@@ -625,10 +636,11 @@ private fun ASN1Encodable.toAttestationApplicationId(): AttestationApplicationId
 
 // TODO: b/356172932 - `validateTagOrder` should default to true after making it user configurable.
 private fun ASN1Encodable.toAuthorizationList(
-  validateTagOrder: Boolean = false
+  validateTagOrder: Boolean = false,
+  infoMessages: MutableList<String>? = null,
 ): AuthorizationList {
   check(this is ASN1Sequence) { "Object must be an ASN1Sequence, was ${this::class.simpleName}" }
-  return AuthorizationList.from(this, validateTagOrder)
+  return AuthorizationList.from(this, validateTagOrder, infoMessages)
 }
 
 private fun ASN1Encodable.toBoolean(): Boolean {

src/main/kotlin/Verifier.kt

@@ -46,15 +46,29 @@ sealed interface VerificationResult {
 
   data object ChallengeMismatch : VerificationResult
 
-  data object PathValidationFailure : VerificationResult
+  data class PathValidationFailure(val cause: Exception) : VerificationResult
 
-  data object ChainParsingFailure : VerificationResult
+  data class ChainParsingFailure(val cause: Exception) : VerificationResult
 
   data class ExtensionParsingFailure(val cause: Exception) : VerificationResult
 
   data class ExtensionConstraintViolation(val cause: String) : VerificationResult
 }
 
+/** Interface for logging info level key attestation events and information. */
+interface LogHook {
+  fun logVerificationEvent(verificationEvent: VerificationEvent)
+}
+
+data class VerificationEvent(
+  val inputChain: List<X509Certificate>,
+  val result: VerificationResult,
+  val keyDescription: KeyDescription? = null,
+  val provisioningInfoMap: ProvisioningInfoMap? = null,
+  val certSerialNumbers: List<String>? = null,
+  val infoMessages: List<String>? = null,
+)
+
 /**
  * Verifier for Android Key Attestation certificate chain.
  *
@@ -73,88 +87,163 @@ open class Verifier(
     Security.addProvider(KeyAttestationProvider())
   }
 
-  fun verify(chain: List<X509Certificate>, challenge: ByteArray? = null): VerificationResult {
+  @JvmOverloads
+  fun verify(
+    chain: List<X509Certificate>,
+    challenge: ByteArray? = null,
+    log: LogHook? = null,
+  ): VerificationResult {
     val certPath =
       try {
         KeyAttestationCertPath(chain)
       } catch (e: Exception) {
-        return VerificationResult.ChainParsingFailure
+        val result = VerificationResult.ChainParsingFailure(e)
+        log?.logVerificationEvent(VerificationEvent(inputChain = chain, result = result))
+        return result
       }
-    return verify(certPath, challenge)
+    val verificationEvent = internalVerify(certPath, challenge)
+    log?.logVerificationEvent(verificationEvent)
+    return verificationEvent.result
   }
 
   /**
    * Verifies an Android Key Attestation certificate chain.
    *
    * @param chain The attestation certificate chain to verify.
-   * @return [VerificationResult]
+   * @return [VerificationEvent]
    *
    * TODO: b/366058500 - Make the challenge required after Apparat's changes are rollback safe.
    */
-  @JvmOverloads
-  fun verify(certPath: KeyAttestationCertPath, challenge: ByteArray? = null): VerificationResult {
+  fun verify(
+    certPath: KeyAttestationCertPath,
+    challenge: ByteArray? = null,
+    log: LogHook? = null,
+  ): VerificationResult {
+    val verificationEvent = internalVerify(certPath, challenge)
+    log?.logVerificationEvent(verificationEvent)
+    return verificationEvent.result
+  }
+
+  internal fun internalVerify(
+    certPath: KeyAttestationCertPath,
+    challenge: ByteArray?,
+  ): VerificationEvent {
+    val serialNumbers =
+      certPath.certificatesWithAnchor.subList(1, certPath.certificatesWithAnchor.size).map {
+        it.serialNumber.toString(16)
+      }
     val certPathValidator = CertPathValidator.getInstance("KeyAttestation")
     val certPathParameters =
       PKIXParameters(trustAnchorsSource()).apply {
         date = Date.from(instantSource.instant())
         addCertPathChecker(RevocationChecker(revokedSerialsSource()))
       }
+
+    val deviceInformation =
+      if (certPath.provisioningMethod() == ProvisioningMethod.REMOTELY_PROVISIONED) {
+        certPath.attestationCert().provisioningInfo()
+      } else {
+        null
+      }
     val pathValidationResult =
       try {
         certPathValidator.validate(certPath, certPathParameters) as PKIXCertPathValidatorResult
       } catch (e: CertPathValidatorException) {
-        return VerificationResult.PathValidationFailure
+        return VerificationEvent(
+          inputChain = certPath.getCertificates(),
+          result = VerificationResult.PathValidationFailure(e),
+          certSerialNumbers = serialNumbers,
+          provisioningInfoMap = deviceInformation,
+        )
       }
 
     val keyDescription =
       try {
         checkNotNull(certPath.leafCert().keyDescription()) { "Key attestation extension not found" }
       } catch (e: Exception) {
-        return VerificationResult.ExtensionParsingFailure(e)
+        return VerificationEvent(
+          inputChain = certPath.getCertificates(),
+          result = VerificationResult.ExtensionParsingFailure(e),
+          certSerialNumbers = serialNumbers,
+          provisioningInfoMap = deviceInformation,
+        )
       }
 
+    val infoMessages = keyDescription.infoMessages
+
     if (
       challenge != null &&
         keyDescription.attestationChallenge.asReadOnlyByteBuffer() != ByteBuffer.wrap(challenge)
     ) {
-      return VerificationResult.ChallengeMismatch
+      return VerificationEvent(
+        inputChain = certPath.getCertificates(),
+        result = VerificationResult.ChallengeMismatch,
+        certSerialNumbers = serialNumbers,
+        keyDescription = keyDescription,
+        infoMessages = infoMessages,
+        provisioningInfoMap = deviceInformation,
+      )
     }
 
     if (
       keyDescription.hardwareEnforced.origin == null ||
         keyDescription.hardwareEnforced.origin != Origin.GENERATED
     ) {
-      return VerificationResult.ExtensionConstraintViolation(
-        "origin != GENERATED: ${keyDescription.hardwareEnforced.origin}"
+      return VerificationEvent(
+        result =
+          VerificationResult.ExtensionConstraintViolation(
+            "hardwareEnforced.origin is not GENERATED: ${keyDescription.hardwareEnforced.origin}"
+          ),
+        inputChain = certPath.getCertificates(),
+        certSerialNumbers = serialNumbers,
+        keyDescription = keyDescription,
+        infoMessages = infoMessages,
+        provisioningInfoMap = deviceInformation,
       )
     }
 
     val securityLevel =
-      if (keyDescription.attestationSecurityLevel == keyDescription.keymasterSecurityLevel) {
+      if (keyDescription.attestationSecurityLevel == keyDescription.keyMintSecurityLevel) {
         keyDescription.attestationSecurityLevel
       } else {
-        return VerificationResult.ExtensionConstraintViolation(
-          "attestationSecurityLevel != keymasterSecurityLevel: ${keyDescription.attestationSecurityLevel} != ${keyDescription.keymasterSecurityLevel}"
+        return VerificationEvent(
+          result =
+            VerificationResult.ExtensionConstraintViolation(
+              "attestationSecurityLevel != keymintSecurityLevel: ${keyDescription.attestationSecurityLevel} != ${keyDescription.keyMintSecurityLevel}"
+            ),
+          inputChain = certPath.getCertificates(),
+          certSerialNumbers = serialNumbers,
+          keyDescription = keyDescription,
+          infoMessages = infoMessages,
+          provisioningInfoMap = deviceInformation,
         )
       }
     val rootOfTrust =
       keyDescription.hardwareEnforced.rootOfTrust
-        ?: return VerificationResult.ExtensionConstraintViolation(
-          "hardwareEnforced.rootOfTrust is null"
+        ?: return VerificationEvent(
+          result =
+            VerificationResult.ExtensionConstraintViolation("hardwareEnforced.rootOfTrust is null"),
+          keyDescription = keyDescription,
+          inputChain = certPath.getCertificates(),
+          certSerialNumbers = serialNumbers,
+          infoMessages = infoMessages,
+          provisioningInfoMap = deviceInformation,
         )
-    val deviceInformation =
-      if (certPath.provisioningMethod() == ProvisioningMethod.REMOTELY_PROVISIONED) {
-        certPath.attestationCert().provisioningInfo()
-      } else {
-        null
-      }
-    return VerificationResult.Success(
-      pathValidationResult.publicKey,
-      keyDescription.attestationChallenge,
-      securityLevel,
-      rootOfTrust.verifiedBootState,
-      deviceInformation,
-      DeviceIdentity.parseFrom(keyDescription),
+    return VerificationEvent(
+      result =
+        VerificationResult.Success(
+          pathValidationResult.publicKey,
+          keyDescription.attestationChallenge,
+          securityLevel,
+          rootOfTrust.verifiedBootState,
+          deviceInformation,
+          DeviceIdentity.parseFrom(keyDescription),
+        ),
+      inputChain = certPath.getCertificates(),
+      certSerialNumbers = serialNumbers,
+      keyDescription = keyDescription,
+      infoMessages = infoMessages,
+      provisioningInfoMap = deviceInformation,
     )
   }
 }

src/main/kotlin/testing/KeyAttestationCertFactory.kt

@@ -125,8 +125,8 @@ internal class KeyAttestationCertFactory(val fakeCalendar: FakeCalendar = FakeCa
     KeyDescription(
         attestationVersion = 1.toBigInteger(),
         attestationSecurityLevel = SecurityLevel.TRUSTED_ENVIRONMENT,
-        keymasterVersion = 1.toBigInteger(),
-        keymasterSecurityLevel = SecurityLevel.TRUSTED_ENVIRONMENT,
+        keyMintVersion = 1.toBigInteger(),
+        keyMintSecurityLevel = SecurityLevel.TRUSTED_ENVIRONMENT,
         attestationChallenge = ByteString.copyFromUtf8("A random 40-byte challenge for no reason"),
         uniqueId = ByteString.empty(),
         softwareEnforced = AuthorizationList(),

src/test/kotlin/ExtensionTest.kt

@@ -85,7 +85,7 @@ class ExtensionTest {
   @Ignore("TODO: b/356172932 - Reenable test once enabling tag order validator is configurable.")
   fun parseFrom_tagsNotInAscendingOrder_Throws() {
     assertFailsWith<IllegalArgumentException> {
-      readCertPath("invalid/tags_not_in_accending_order.pem").leafCert().keyDescription()
+      readCertPath("invalid/tags_not_in_ascending_order.pem").leafCert().keyDescription()
     }
   }
 
@@ -147,8 +147,8 @@ class ExtensionTest {
       KeyDescription(
         attestationVersion = 1.toBigInteger(),
         attestationSecurityLevel = SecurityLevel.SOFTWARE,
-        keymasterVersion = 1.toBigInteger(),
-        keymasterSecurityLevel = SecurityLevel.SOFTWARE,
+        keyMintVersion = 1.toBigInteger(),
+        keyMintSecurityLevel = SecurityLevel.SOFTWARE,
         attestationChallenge = ByteString.empty(),
         uniqueId = ByteString.empty(),
         softwareEnforced = authorizationList,

testdata/akita/sdk34/SB_RSA_NONE.json

@@ -1,8 +1,8 @@
 {
   "attestationVersion": "300",
   "attestationSecurityLevel": "STRONG_BOX",
-  "keymasterVersion": "300",
-  "keymasterSecurityLevel": "STRONG_BOX",
+  "keyMintVersion": "300",
+  "keyMintSecurityLevel": "STRONG_BOX",
   "attestationChallenge": "Y2hhbGxlbmdl",
   "uniqueId": "",
   "softwareEnforced": {

testdata/akita/sdk34/TEE_EC_NONE.json

@@ -1,8 +1,8 @@
 {
   "attestationVersion": "300",
   "attestationSecurityLevel": "TRUSTED_ENVIRONMENT",
-  "keymasterVersion": "300",
-  "keymasterSecurityLevel": "TRUSTED_ENVIRONMENT",
+  "keyMintVersion": "300",
+  "keyMintSecurityLevel": "TRUSTED_ENVIRONMENT",
   "attestationChallenge": "Y2hhbGxlbmdl",
   "uniqueId": "",
   "softwareEnforced": {