What's the relation between keybox and attestation_cert_chain. Is keybox the private key and the end-node "ATTESTATION_CERTIFICATE" of the cert-chain is the certificate of that keybox? Should the keybox key pair be generated inside TEE or generated from external?
Here is sample keybox: <Keybox DeviceID="XXXX"><Key algorithm="ecdsa"><PrivateKey format="pem"> -----BEGIN EC PRIVATE KEY----- MHcCAQEEIPkqUSMK5bPQntppGeSsFcbXRcMWC2bx1lRpGaZEIrq/oAoGCCqGSM49 AwEHoUQDQgAEalaoKb/I5S9bpfDVzAYymLaJJowm59uojupRL/CY87KcCjeULbcB QirzI2TcpH5ATmUc+qGtnyYwBaWSy0h7nQ== -----END EC PRIVATE KEY----- Here is sample cert-chain from "googlesamples <https://github.com/googlesamples>/android-key-attestation <https://github.com/googlesamples/android-key-attestation>" https://github.com/googlesamples/android-key-attestation/blob/master/server/src/main/java/com/android/example/KeyAttestationExample.java public static final String[] SAMPLE_ATTESTATION_CERT_CHAIN = new String[]{ ATTESTATION_CERTIFICATE, INTERMEDIATE_CERTIFICATE, ROOT_CERTIFICATE }; -----BEGIN CERTIFICATE----- MIICizCCAjKgAwIBAgIJAKIFntEOQ1tXMAoGCCqGSM49BAMCMIGYMQswCQYDVQQGEw JVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzE VMBMGA1UECgwMR29vZ2xl LCBJbmMuMRAwDgYDVQQLDAdBbmRyb2lkMTMwMQYDVQQD DCpBbmRyb2lkIEtleXN0b3JlIFNvZnR3 YXJlIEF0dGVzdGF0aW9uIFJvb3QwHhcNM TYwMTExMDA0MzUwWhcNMzYwMTA2MDA0MzUwWjCBmDEL MAkGA1UEBhMCVVMxEzARBg NVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx FTATBgNVBAo MDEdvb2dsZSwgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEzMDEGA1UEAwwqQW5kcm9p ZCBLZXlzdG9yZSBTb2Z0d2FyZSBBdHRlc3RhdGlvbiBSb290MFkwEwYHKoZIzj0CAQ YIKoZIzj0D AQcDQgAE7l1ex+HA220Dpn7mthvsTWpdamguD/9/SQ59dx9EIm29sa/ 6FsvHrcV30lacqrewLVQB XT5DKyqO107sSHVBpKNjMGEwHQYDVR0OBBYEFMit6XdM RcOjzw0WEOR5QzohWjDPMB8GA1UdIwQY MBaAFMit6XdMRcOjzw0WEOR5QzohWjDPM A8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgKE MAoGCCqGSM49BAMCA0cAME QCIDUho++LNEYenNVg8x1YiSBq3KNlQfYNns6KGYxmSGB7AiBNC/NR 2TB8fVvaNTQ dqEcbY6WFZTytTySn502vQX3xvw== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICeDCCAh6gAwIBAgICEAEwCgYIKoZIzj0EAwIwgZgxCzAJBgNVBAYTAlVTMRMwEQ YDVQQIDApD YWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRUwEwYDVQQ KDAxHb29nbGUsIEluYy4x EDAOBgNVBAsMB0FuZHJvaWQxMzAxBgNVBAMMKkFuZHJv aWQgS2V5c3RvcmUgU29mdHdhcmUgQXR0 ZXN0YXRpb24gUm9vdDAeFw0xNjAxMTEwM DQ2MDlaFw0yNjAxMDgwMDQ2MDlaMIGIMQswCQYDVQQG EwJVUzETMBEGA1UECAwKQ2 FsaWZvcm5pYTEVMBMGA1UECgwMR29vZ2xlLCBJbmMuMRAwDgYDVQQL DAdBbmRyb2l kMTswOQYDVQQDDDJBbmRyb2lkIEtleXN0b3JlIFNvZnR3YXJlIEF0dGVzdGF0aW9u IEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOueefhCY1msyy qRTImGzHCt kGaTgqlzJhP+rMv4ISdMIXSXSir+pblNf2bU4GUQZjW8U7ego6ZxWD7 bPhGuEBSjZjBkMB0GA1Ud DgQWBBQ//KzWGrE6noEguNUlHMVlux6RqTAfBgNVHSME GDAWgBTIrel3TEXDo88NFhDkeUM6IVow zzASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA 1UdDwEB/wQEAwIChDAKBggqhkjOPQQDAgNIADBFAiBL ipt77oK8wDOHri/AiZi03c ONqycqRZ9pDMfDktQPjgIhAO7aAV229DLp1IQ7YkyUBO86fMy9Xvsi u+f+uXc/WT/ 7 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIByTCCAXCgAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDDBFBbmRyb2lkIE tleW1hc3Rl cjAgFw03MDAxMDEwMDAwMDBaGA8yMTA2MDIwNzA2MjgxNVowGjEYMBY GA1UEAwwPQSBLZXltYXN0 ZXIgS2V5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE FpsFUWID9p2QPAvtfal4MRf9vJg0tNc3 vKJwoDhhSCMm7If0FljgvmroBYQyCIbnn Bxh2OU9SKxI/manPwIIUqOBojCBnzALBgNVHQ8EBAMC B4AwbwYKKwYBBAHWeQIBEQ RhMF8CAQEKAQACAQEKAQEEBWhlbGxvBAAwDL+FPQgCBgFWDy29GDA6 oQUxAwIBAqI DAgEDowQCAgEApQUxAwIBBKoDAgEBv4N4AwIBA7+DeQQCAgEsv4U+AwIBAL+FPwIF ADAfBgNVHSMEGDAWgBQ//KzWGrE6noEguNUlHMVlux6RqTAKBggqhkjOPQQDAgNHAD BEAiBKzJSk 9VNauKu4dr+ZJ5jMTNlAxSI99XkKEkXSolsGSAIgCnd5T99gv3B/IqM CHn0yZ7Wuu/jisU0epRRo xh8otA8= -----END CERTIFICATE----- On Wednesday, October 24, 2018 at 7:14:57 AM UTC-7, Janis wrote: > > Yes that is a perfectly viable. If you do not intend to use the Google > PlayStore you don't need a Google signed attestation key. Note, however, > that the attestation certificates issued by keymaster are checked by the > applications' service back ends. So if you allow apps from third parties > which use key attestation, their back ends may not trust your certificates > and reject the attestation certificates issued by your keymaster > implementation. You may need to negotiate with these vendors to white list > your CA. But if you control all of the apps it is up to you which CAs to > trust. > > On Tuesday, October 23, 2018 at 1:09:37 PM UTC-7, davi...@ff.com wrote: >> >> Janis, thank you for the reply. Good to know that we don't have to use >> Google root CA for CTS test. >> Our platform doesn't allow application installation from Google >> Playstore, which means all the Apps are controlled and signed by ourselves. >> Can I assume that in this case these Apps can also use our own cert-chain >> for Keymaster authority check? >> >> >> On Tuesday, October 23, 2018 at 11:18:26 AM UTC-7, Janis wrote: >>> >>> Hi, >>> >>> CTS and VTS test do not check the origin of the root CA. So you can pass >>> these tests with a certificate chain rooted in a self signed CA. Once you >>> passed CTS and VTS you can get the Google signed keys. Please reach out to >>> your technical account manager at Google for the right process. >>> >>> With kind regards, >>> Janis >>> >>> On Wednesday, October 17, 2018 at 5:51:53 PM UTC-7, davi...@ff.com >>> wrote: >>>> >>>> Get information from QCOM datasheet "Attestation key provision is >>>> mandatory on new android O release, customer need do key attestation >>>> before the CTS/VTS test. ", however, the information from Google is we >>>> have to pass CTS before applying key attestation. >>>> Which one is correct? Which department should we reach to to apply the >>>> attestation key? >>>> >>> -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. Visit this group at https://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
