Thanks. The existing CA chain into which I am going to integrate this leaf attestation cert is a mix of RSA CA and ECC CA. Does Android O allow this? Otherwise I will have to create a new chain which is ECC only. Does Android O allow different key strengths in the chain, for example ECC-521 for the root, 384 for the intermediate and then 256 for the leaf?

Is there any sample config file I can refer to, to generate the batch key certificate?

On Wednesday, October 24, 2018 at 11:23:18 AM UTC-7, Janis wrote:
>
> The keybox holds the private batch key. Batch keys are called "batch" keys
> because they are used across a batch of at least 100K Android devices.
> This is a privacy requirement.
>
> Because of the batch nature of the attestation key it cannot be generated
> in the TEE.
>
> The keybox is very sensitive and you should only allow specially trained
> personnel to handle these and keep them tightly controlled, e.g., you don't
> want to use the keybox posted above for anything but testing (I hope this
> is obvious - just making sure). Also, if you manage your own CA, you need to
> manage your own revocation lists and revoke batch keys if you think they
> have been compromised.
>
> The chain consists of a root CA cert, one or more intermediate
> certificates and a batch key certificate (I guess the example chain has 0
> intermediates). The attestation certificate is at the end of this chain and
> attests to a key generated in or imported into AndroidKeystore. It includes
> the public key of the latter and a bunch of usage requirements, such as
> purpose (SIGN, DECRYPT, ...), allowed digest and padding modes, whether
> keys are authentication bound, or information about the root of trust (is
> the bootloader locked ...). Check out
> https://source.android.com/security/keystore/attestation for a full list
> of items that get attested to.
>
> On Wednesday, October 24, 2018 at 10:19:52 AM UTC-7, davi...@ff.com wrote:
>>
>> What's the relation between keybox and attestation_cert_chain? Is keybox
>> the private key and the end-node "ATTESTATION_CERTIFICATE" of the
>> cert-chain is the certificate of that keybox?
>> Should the keybox key pair be generated inside TEE or generated from
>> external?
>>
>> Here is sample keybox:
>>
>> <Keybox DeviceID="XXXX"><Key algorithm="ecdsa"><PrivateKey format="pem">
>>
>> Here is sample cert-chain from "googlesamples/android-key-attestation"
>> <https://github.com/googlesamples/android-key-attestation>:
>>
>> https://github.com/googlesamples/android-key-attestation/blob/master/server/src/main/java/com/android/example/KeyAttestationExample.java
>>
>> public static final String[] SAMPLE_ATTESTATION_CERT_CHAIN = new String[]{
>> ATTESTATION_CERTIFICATE, INTERMEDIATE_CERTIFICATE,
>> ROOT_CERTIFICATE};
>>
>> On Wednesday, October 24, 2018 at 7:14:57 AM UTC-7, Janis wrote:
>>>
>>> Yes, that is perfectly viable. If you do not intend to use the Google
>>> PlayStore you don't need a Google signed attestation key. Note, however,
>>> that the attestation certificates issued by keymaster are checked by the
>>> applications' service back ends. So if you allow apps from third parties
>>> which use key attestation, their back ends may not trust your certificates
>>> and reject the attestation certificates issued by your keymaster
>>> implementation. You may need to negotiate with these vendors to whitelist
>>> your CA. But if you control all of the apps it is up to you which CAs to
>>> trust.
>>>
>>> On Tuesday, October 23, 2018 at 1:09:37 PM UTC-7, davi...@ff.com wrote:
>>>>
>>>> Janis, thank you for the reply. Good to know that we don't have to use
>>>> the Google root CA for the CTS test.
>>>> Our platform doesn't allow application installation from Google
>>>> Playstore, which means all the Apps are controlled and signed by
>>>> ourselves.
>>>> Can I assume that in this case these Apps can also use our own cert-chain
>>>> for the Keymaster authority check?
>>>>
>>>> On Tuesday, October 23, 2018 at 11:18:26 AM UTC-7, Janis wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> CTS and VTS tests do not check the origin of the root CA. So you can
>>>>> pass these tests with a certificate chain rooted in a self-signed CA. Once
>>>>> you have passed CTS and VTS you can get the Google signed keys. Please reach
>>>>> out to your technical account manager at Google for the right process.
>>>>>
>>>>> With kind regards,
>>>>> Janis
>>>>>
>>>>> On Wednesday, October 17, 2018 at 5:51:53 PM UTC-7, davi...@ff.com wrote:
>>>>>>
>>>>>> We got information from the QCOM datasheet: "Attestation key provision is
>>>>>> mandatory on new android O release, customer need do key attestation
>>>>>> before the CTS/VTS test." However, the information from Google is that
>>>>>> we have to pass CTS before applying for key attestation.
>>>>>> Which one is correct? Which department should we reach out to to apply
>>>>>> for the attestation key?
>>>>>>
>>>>>
-- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
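Janis describes the attestation certificate as carrying the key's purpose, digest and padding modes and root-of-trust data, which the app back ends then check. The following is an added example, not code from this thread or from the googlesamples project: a dependency-free Python walker for the KeyDescription extension, using the field order from the source.android.com attestation schema and run over a sample extension value constructed by hand for this example (not bytes taken from a real device); the `acceptable` policy at the end is one assumed back-end check, not a Google-specified one.

```python
# Added example (not code from this thread): dependency-free DER walker for the Android KeyDescription.
SAMPLE = bytes.fromhex(  # constructed sample extension value (OID 1.3.6.1.4.1.11129.2.1.17), not from a device
    "304E 020103 0A0101 020103 0A0101 040568656C6C6F 0400 3000 3035 A1053103020102 A203020103"
    "A30402020100 A5053103020104 AA03020101 BF853E03020100 BF85400C300A0402AABB0101FF0A0100")
TAGS = {1: "purpose", 2: "algorithm", 3: "keySize", 5: "digest", 10: "ecCurve", 702: "origin", 704: "rootOfTrust"}
FIELDS = ("attestationVersion", "attestationSecurityLevel", "keymasterVersion", "keymasterSecurityLevel",
          "attestationChallenge", "uniqueId", "softwareEnforced", "teeEnforced")

def read_tlv(buf, pos=0):
    """Decode one DER element at pos: (tag number, constructed?, value bytes, next position)."""
    tag, constructed, pos = buf[pos] & 0x1F, bool(buf[pos] & 0x20), pos + 1
    if tag == 0x1F:                          # high tag number form: base-128 digits, MSB set = more follow
        tag, b = 0, 0x80
        while b & 0x80:
            b, pos = buf[pos], pos + 1
            tag = (tag << 7) | (b & 0x7F)
    length, pos = buf[pos], pos + 1
    if length & 0x80:                        # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, constructed, buf[pos:pos + length], pos + length

def der_int(v): return int.from_bytes(v, "big", signed=True)

def parse_auth_list(buf):
    """AuthorizationList: [tag] EXPLICIT entries such as purpose, digest, origin and rootOfTrust."""
    out, pos = {}, 0
    while pos < len(buf):
        tag, _, wrapped, pos = read_tlv(buf, pos)
        kind, constructed, v, _ = read_tlv(wrapped)    # strip the explicit context-specific tag
        if constructed:                                # SET OF INTEGER, or the RootOfTrust SEQUENCE
            vals, p = [], 0
            while p < len(v):                          # INTEGER/ENUMERATED -> int, BOOLEAN -> bool, else hex
                t, _, iv, p = read_tlv(v, p)
                vals.append(der_int(iv) if t in (2, 10) else iv == b"\xff" if t == 1 else iv.hex())
            out[TAGS.get(tag, tag)] = vals
        else:                                          # scalar value, or NULL for flags such as noAuthRequired
            out[TAGS.get(tag, tag)] = der_int(v) if kind in (2, 10) else True
    return out

def parse_key_description(ext_value):  # KeyDescription SEQUENCE: eight fields in schema order
    body, desc, pos = read_tlv(ext_value)[2], {}, 0
    for name in FIELDS:
        t, _, v, pos = read_tlv(body, pos)
        desc[name] = parse_auth_list(v) if t == 16 else v if t == 4 else der_int(v)
    return desc

def acceptable(desc, challenge):  # assumed back-end policy: our challenge, TEE level, generated on device, locked
    return (desc["attestationChallenge"] == challenge and desc["attestationSecurityLevel"] == 1 and
            desc["teeEnforced"].get("origin") == 0 and desc["teeEnforced"].get("rootOfTrust", [0, False])[1] is True)
```

In a real deployment the extension value comes from the leaf certificate of a chain that has already been verified up to the CA you trust; this parser only covers what happens after that.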