Android Key Attestation Sample App

Introduction to Key Attestation

Key attestation was added in Android 7 (API level 24). It lets the device's secure hardware vouch for a key it generated: the attestation is delivered as an X.509 certificate chain whose leaf certificate describes the key and the device it was created on.

When generating a key, the developer can ask the system to attest it, then retrieve the key's certificate chain and send the whole chain to the server for checking. Normally Google vets the vendor's secure environment and issues it an intermediate certificate under Google's root; the secure environment's intermediate in turn issues the certificate the developer requested, which carries the attestation information.

On the developer's server, first check that every certificate in the chain is valid (each one correctly signed by the next) and that none has been revoked. Then look at the root certificate: if it is the root Google has published, the key was generated in a secure environment and can be trusted. Otherwise it was generated in software or in a fake secure environment. The attestation challenge in the leaf certificate must also equal the nonce the server issued for this request; without that check an old or foreign attestation could be replayed.

Once the key is confirmed to come from a secure environment, parse the attestation information attached to the certificate. It contains: attestation version, security level, the package name and signing-certificate digest of the requesting app, basic key properties, OS version, patch levels, rollback resistance, bootloader state, and so on. At the time this README was written the newest attestation version was v3; older versions lack some of these fields.

When the certificates are valid and unrevoked, the chain's root is Google's, and the security level is TrustedEnvironment or StrongBox (not Software), check the bootloader state. deviceLocked is a boolean: true means the bootloader is locked, false means it is unlocked. verifiedBootState has three values you will see in practice: Verified, bootloader locked and a factory-signed boot image; SelfSigned, mostly on devices such as Pixel that let the user install their own signing key, bootloader locked with a user-signed boot image; Unverified, no verification, which means the bootloader is unlocked. (There is actually a fourth value, Failed, meaning verification failed and the device cannot boot.)

As long as the TEE or secure hardware cannot be tampered with and the certificate hierarchy behind it is intact, an attacker on the device cannot forge an attestation, and the server-side check logic is entirely out of their reach. Key attestation can only be defeated by a vulnerability in the secure hardware or by a leaked attestation key, which is why the revocation check above matters.
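The server-side part of the procedure above, written out as an added example (this is not the sample app's own code). It decodes the KeyDescription structure that the leaf certificate carries in its attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) and then applies the policy from the text: the challenge must match, the security level must not be Software, the bootloader must be locked and the verified boot state must be Verified. Chain validation against Google's published root and the revocation check are assumed to have already been done with the server's X.509 library; the tag numbers (704 rootOfTrust, 705 osVersion, 706 osPatchLevel, 709 attestationApplicationId) are those of the AuthorizationList schema, and the tiny DER encoder at the end exists only to construct sample input so the script runs offline.

```python
# Added example, not the sample app's own code. Decodes the KeyDescription carried in the
# leaf certificate's attestation extension and applies the checks described in the text.
TAG_ROOT_OF_TRUST, TAG_OS_VERSION, TAG_OS_PATCH_LEVEL, TAG_APP_ID = 704, 705, 706, 709
SECURITY_LEVEL = {0: "SOFTWARE", 1: "TRUSTED_ENVIRONMENT", 2: "STRONG_BOX"}
BOOT_STATE = {0: "VERIFIED", 1: "SELF_SIGNED", 2: "UNVERIFIED", 3: "FAILED"}
CONTEXT_SPECIFIC, CONSTRUCTED = 0x80, 0x20
_int = lambda value: int.from_bytes(value, "big", signed=True)  # DER INTEGER / ENUMERATED

def _read_tlv(buf, pos):
    """Read one DER TLV at pos: (class bits, tag number, value, position after it)."""
    first, tag, pos = buf[pos], buf[pos] & 0x1F, pos + 1
    if tag == 0x1F:  # high-tag-number form, needed for [704] and the other large tags
        tag, b = 0, 0x80
        while b & 0x80:
            b, pos = buf[pos], pos + 1
            tag = (tag << 7) | (b & 0x7F)
    length, pos = buf[pos], pos + 1
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return first & 0xC0, tag, buf[pos:pos + length], pos + length

def _children(value):  # iterate the TLVs nested inside a constructed value
    pos = 0
    while pos < len(value):
        cls, tag, inner, pos = _read_tlv(value, pos)
        yield cls, tag, inner

def _parse_authorization_list(value):
    """Map each [n] EXPLICIT entry of an AuthorizationList to its value, keyed by tag."""
    out = {}
    for cls, tag, inner in _children(value):
        if cls != CONTEXT_SPECIFIC:
            continue
        _, _, element, _ = _read_tlv(inner, 0)  # unwrap the EXPLICIT tag
        if tag == TAG_ROOT_OF_TRUST:
            parts = [v for _, _, v in _children(element)]
            out[tag] = {"verified_boot_key": parts[0],
                        "device_locked": parts[1] != b"\x00",
                        "verified_boot_state": BOOT_STATE[_int(parts[2])],
                        # verifiedBootHash only exists from attestation version 3 on
                        "verified_boot_hash": parts[3] if len(parts) > 3 else b""}
        else:  # decode the integers the policy needs; keep raw bytes for the rest
            out[tag] = _int(element) if tag in (TAG_OS_VERSION, TAG_OS_PATCH_LEVEL) else element
    return out

def parse_key_description(der):
    """Decode the KeyDescription SEQUENCE that is the attestation extension's value."""
    _, _, seq, _ = _read_tlv(der, 0)
    f = [v for _, _, v in _children(seq)]
    return {"attestation_version": _int(f[0]),
            "attestation_security_level": SECURITY_LEVEL[_int(f[1])],
            "keymaster_security_level": SECURITY_LEVEL[_int(f[3])],
            "attestation_challenge": f[4], "unique_id": f[5],
            "software_enforced": _parse_authorization_list(f[6]),
            "tee_enforced": _parse_authorization_list(f[7])}

def evaluate(desc, expected_challenge):
    """Policy from the text plus the challenge check; returns (accepted, reasons)."""
    reasons = []
    if desc["attestation_challenge"] != expected_challenge:
        reasons.append("challenge mismatch")  # replayed or foreign attestation
    if "SOFTWARE" in (desc["attestation_security_level"], desc["keymaster_security_level"]):
        reasons.append("software security level")
    rot = desc["tee_enforced"].get(TAG_ROOT_OF_TRUST, {})  # absent: no hardware root of trust
    if not rot.get("device_locked"):
        reasons.append("bootloader unlocked")
    if rot.get("verified_boot_state") != "VERIFIED":
        reasons.append("verified boot state %s" % rot.get("verified_boot_state"))
    return not reasons, reasons

def _tlv(tag, value, cls=0):
    """Minimal DER encoder, used only to build the constructed sample below."""
    if tag < 0x1F:
        head = bytes([cls | tag])
    else:  # high-tag-number form: base-128 digits, all but the last with bit 7 set
        digits, t = [], tag
        while t:
            digits.insert(0, t & 0x7F)
            t >>= 7
        head = bytes([cls | 0x1F] + [d | 0x80 for d in digits[:-1]] + digits[-1:])
    n, nb = len(value), (len(value).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return head + length + value

_integer = lambda v: _tlv(2, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
_seq = lambda *parts: _tlv(16, b"".join(parts), CONSTRUCTED)
_explicit = lambda tag, inner: _tlv(tag, inner, CONTEXT_SPECIFIC | CONSTRUCTED)

def build_sample(challenge, device_locked=True, boot_state=0, level=1):
    """Constructed attestation-v3-shaped KeyDescription; not captured from a real device."""
    root_of_trust = _seq(_tlv(4, bytes(32)),                              # verifiedBootKey
                         _tlv(1, b"\xff" if device_locked else b"\x00"),  # deviceLocked
                         _tlv(10, bytes([boot_state])),                   # verifiedBootState
                         _tlv(4, bytes(32)))                              # verifiedBootHash
    tee = _seq(_explicit(TAG_ROOT_OF_TRUST, root_of_trust),
               _explicit(TAG_OS_VERSION, _integer(0)),
               _explicit(TAG_OS_PATCH_LEVEL, _integer(201907)))
    sw = _seq(_explicit(TAG_APP_ID, _tlv(4, b"<application id>")))
    return _seq(_integer(3), _tlv(10, bytes([level])), _integer(4), _tlv(10, bytes([level])),
                _tlv(4, challenge), _tlv(4, b""), sw, tee)
```

In a real deployment the bytes handed to `parse_key_description` come from the leaf certificate's extension with the OID above, and only after the chain has been verified up to Google's root and checked against the revocation list. `evaluate(parse_key_description(build_sample(b"abc")), b"abc")` accepts the constructed sample; rebuilding it with `device_locked=False, boot_state=2` reproduces the unlocked, Unverified case shown in the sample output below and is rejected with both reasons listed. The `verified_boot_key` that the parser returns is what you would pin to the OEM's key if you also want to reject user-signed (SelfSigned) images on devices that allow them.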

Sample output

The root certificate is NOT correct. The attestation was probably generated by software, not in secure hardware. This means that, although the attestation contents are probably valid and correct, there is no proof that they are in fact correct. If you're using a production-level system, you should now treat the properties of this attestation certificate as advisory only, and you shouldn't rely on this attestation certificate to provide security guarantees.
Attestation version: 3
Attestation Security Level: STRONG_BOX
Keymaster Version: 4
Keymaster Security Level: STRONG_BOX
Attestation Challenge: abc
Unique ID: []
Software Enforced Authorization List:
        Rollback Resistance: false
        No Auth Required: false
        Allow While On Body: false
        Trusted User Presence Required: false
        Trusted Confirmation Required: false
        Unlocked Device Required: false
        All Applications: false
        Creation DateTime: 2019-06-21T11:11:28.586Z
        Rollback Resistant: false
        Attestation Application ID:
                Package Infos (<package name>, <version>):
                        android, 29
                        com.android.keychain, 29
                        com.android.settings, 29
                        com.qti.diagservices, 29
                        com.android.dynsystem, 29
                        com.android.inputdevices, 29
                        com.android.localtransport, 29
                        com.android.location.fused, 29
                        com.android.server.telecom, 29
                        com.android.wallpaperbackup, 29
                        com.google.SSRestartDetector, 29
                        com.google.android.hiddenmenu, 1
                        com.android.providers.settings, 29
                Signature Digests:
                        MBqjywgRNFAcRfFCKrxmwkIk/V3tX9yPF+aXF2/YZqo=
        Attestation Application ID Bytes: (base64 value omitted)
TEE Enforced Authorization List:
        Purpose(s): [2, 3]
        Algorithm: 3
        Key Size: 256
        Digest: [4]
        Rollback Resistance: false
        No Auth Required: true
        Allow While On Body: false
        Trusted User Presence Required: false
        Trusted Confirmation Required: false
        Unlocked Device Required: false
        All Applications: false
        Origin: 0
        Rollback Resistant: false
        Root Of Trust:
                Verified Boot Key: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
                Device Locked: false
                Verified Boot State: UNVERIFIED
                Verified Boot Hash: co2xJ08fHPFXHeQ4CwSKVUrEo4Dnb1NVCDUpCEqTeAE=
        OS Version: 0
        OS Patch Level: 201907
        Vendor Patch Level: 20190705
        Boot Patch Level: 20190700

The root certificate is correct, so this attestation is trustworthy, as long as none of the certificates in the chain have been revoked. A production-level system should check the certificate revocation lists using the distribution points that are listed in the intermediate and root certificates.
Attestation version: 3
Attestation Security Level: TRUSTED_ENVIRONMENT
Keymaster Version: 4
Keymaster Security Level: TRUSTED_ENVIRONMENT
Attestation Challenge: abc
Unique ID: []
Software Enforced Authorization List:
        Rollback Resistance: false
        No Auth Required: false
        Allow While On Body: false
        Trusted User Presence Required: false
        Trusted Confirmation Required: false
        Unlocked Device Required: false
        All Applications: false
        Creation DateTime: 2018-07-12T07:43:45.477Z
        Rollback Resistant: false
        Attestation Application ID:
                Package Infos (<package name>, <version>):
                        android, 29
                        com.android.keychain, 29
                        com.android.settings, 29
                        com.qti.diagservices, 29
                        com.android.dynsystem, 29
                        com.android.inputdevices, 29
                        com.android.localtransport, 29
                        com.android.location.fused, 29
                        com.android.server.telecom, 29
                        com.android.wallpaperbackup, 29
                        com.google.SSRestartDetector, 29
                        com.google.android.hiddenmenu, 1
                        com.android.providers.settings, 29
                Signature Digests:
                        MBqjywgRNFAcRfFCKrxmwkIk/V3tX9yPF+aXF2/YZqo=
        Attestation Application ID Bytes: (base64 value omitted)
TEE Enforced Authorization List:
        Purpose(s): [2, 3]
        Algorithm: 3
        Key Size: 256
        Digest: [4]
        EC Curve: 1
        Rollback Resistance: false
        No Auth Required: true
        Allow While On Body: false
        Trusted User Presence Required: false
        Trusted Confirmation Required: false
        Unlocked Device Required: false
        All Applications: false
        Origin: 0
        Rollback Resistant: false
        Root Of Trust:
                Verified Boot Key: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
                Device Locked: false
                Verified Boot State: UNVERIFIED
                Verified Boot Hash: co2xJ08fHPFXHeQ4CwSKVUrEo4Dnb1NVCDUpCEqTeAE=
        OS Version: 0
        OS Patch Level: 201907
        Vendor Patch Level: 201907
        Boot Patch Level: 201907

The root certificate is correct, so this attestation is trustworthy, as long as none of the certificates in the chain have been revoked. A production-level system should check the certificate revocation lists using the distribution points that are listed in the intermediate and root certificates.
Attestation version: 2
Attestation Security Level: TRUSTED_ENVIRONMENT
Keymaster Version: 3
Keymaster Security Level: TRUSTED_ENVIRONMENT
Attestation Challenge: hello world
Unique ID: []
Software Enforced Authorization List:
        No Auth Required: false
        Allow While On Body: false
        All Applications: false
        Creation DateTime: 2020-03-01T15:23:22.292Z
        Rollback Resistant: false
        Attestation Application ID:
                Package Infos (<package name>, <version>):
                        io.github.vvb2060.keyattestation, 1
                Signature Digests:
                        qfecNjEge6Ry3nP6bh1LZt9mLnwQ0w1sLjU6Q6DyTXo=
        Attestation Application ID Bytes: MEMxHTAbBBZpby5naXRodWIudnZiMjA2MC50ZXN0AgEBMSIEIKn3nDYxIHukct5z+m4dS2bfZi58ENMNbC41OkOg8k16
TEE Enforced Authorization List:
        Purpose(s): [2]
        Algorithm: 3
        Key Size: 256
        Digest: [4, 5, 6]
        EC Curve: 1
        Rollback Resistance: false
        No Auth Required: true
        Allow While On Body: false
        Trusted User Presence Required: false
        Trusted Confirmation Required: false
        Unlocked Device Required: false
        All Applications: false
        Origin: 0
        Rollback Resistant: true
        Root Of Trust:
                Verified Boot Key: nBLP3ATHRYTXh6w9I3chMsGFJLx6so3sQhm4/FtCX3A=
                Device Locked: false
                Verified Boot State: UNVERIFIED