Sample code showing how to use Android ID attestation

Time: 2018-03-08 23:42:34

Tags: android security android-keystore

Android 8 added "ID attestation" (per https://source.android.com/security/keystore/attestation#id-attestation).

Has anyone figured out how to use this feature? The closest thing I found is AttestationUtils.java (https://android.googlesource.com/platform/frameworks/base/+/master/keystore/java/android/security/keystore/AttestationUtils.java), but I don't have that API in the Android SDK. When using the P developer preview (compileSdkVersion 'android-P', targetSdkVersion 'P'), they do not show up in my IDE.

3 answers:

Answer 0 (score: 2)

I was able to hack around and came up with a demo program that does key/ID attestation. See https://github.com/monkey-jsun/android-id-attestation/tree/master

When the program runs, I have two questions at the moment:

  • All hardware IDs show up as "NOT PRESENT". See below. Obviously they are there. How do I make them appear?
  • Currently we generate the key and its attestation in a single step (keyPairGenerator.generateKeyPair()), because the attestation must be requested when initializing keyPairGenerator. This is very unnatural. Is there a way to request key/ID attestation after the key has been created?

Here is a quick recap of my demo code, for quick reference:

  • Generate a key pair in the keystore with a challenge phrase
  • Get the key pair and its certificate chain
  • Use the Bouncy Castle library to display the extension data of cert[0]

I also attach the program's output for easy reference.

 Getting key 'key1' ...
 found the key with alias 'key1' ...
 private key : android.security.keystore.AndroidKeyStoreECPrivateKey@3467522e
 public key : MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOfYzvOETzK0NGmlkk3vnuDb9FilG7iiRYGJX2pQy
    Syuyt2XZow5M3aseZEfD64iasieuumWx3Tn6/aiopre0cw==
 what is happening ...
 number certificates in the chain is 4
 Attestation version: 3
 Attestation Security Level: TRUSTED_ENVIRONMENT
 Keymaster Version: 4
 Keymaster Security Level: TRUSTED_ENVIRONMENT
 Attestation Challenge: hello, this is challenge phrase [jsun]
 Unique ID: []
 =========
    Software Enforced Authorization List:
    Purpose(s): NOT PRESENT
    Algorithm: NOT PRESENT
    Key Size: NOT PRESENT
    Digest: NOT PRESENT
    Padding: NOT PRESENT
    EC Curve: NOT PRESENT
    RSA Public Exponent: NOT PRESENT
    Rollback Resistance: false
    Active DateTime: NOT PRESENT
    Origination Expire DateTime: NOT PRESENT
    Usage Expire DateTime: NOT PRESENT
    No Auth Required: false
    User Auth Type: NOT PRESENT
    Auth Timeout: NOT PRESENT
    Allow While On Body: false
    Trusted User Presence Required: false
    Trusted Confirmation Required: false
    Unlocked Device Required: false
    All Applications: false
    Application ID: NOT PRESENT
    Creation DateTime: 2020-03-07T17:58:57.143Z
    Origin: NOT PRESENT
    Rollback Resistant: false
    OS Version: NOT PRESENT
    OS Patch Level: NOT PRESENT
    Attestation Application ID:
        Package Infos (<package name>, <version>): 
            net.junsun.idattestation, 1
        Signature Digests:
            GGv7HVeENa6GZO4irSicN64Wz38NJ7QHsmC0Z2G7s4g=
    Attestation Application ID Bytes: MEUxHzAdBBhuZXQuanVuc3VuLmlkYXR0ZXN0YXRpb24CAQExIgQgGGv7HVeENa6GZO4irSicN64Wz38NJ7QHsmC0Z2G7s4g=
    Attestation ID Brand: NOT PRESENT
    Attestation ID Device: NOT PRESENT
    Attestation ID Product: NOT PRESENT
    Attestation ID Serial: NOT PRESENT
    Attestation ID IMEI: NOT PRESENT
    Attestation ID MEID: NOT PRESENT
    Attestation ID Manufacturer: NOT PRESENT
    Attestation ID Model: NOT PRESENT
    Vendor Patch Level: NOT PRESENT
    Boot Patch Level: NOT PRESENT
 =========
    TEE Enforced Authorization List:
    Purpose(s): [2, 3]
    Algorithm: 3
    Key Size: 256
    Digest: NOT PRESENT
    Padding: NOT PRESENT
    EC Curve: 1
    RSA Public Exponent: NOT PRESENT
    Rollback Resistance: false
    Active DateTime: NOT PRESENT
    Origination Expire DateTime: NOT PRESENT
    Usage Expire DateTime: NOT PRESENT
    No Auth Required: true
    User Auth Type: NOT PRESENT
    Auth Timeout: NOT PRESENT
    Allow While On Body: false
    Trusted User Presence Required: false
    Trusted Confirmation Required: false
    Unlocked Device Required: false
    All Applications: false
    Application ID: NOT PRESENT
    Creation DateTime: NOT PRESENT
    Origin: 0
    Rollback Resistant: false
    OS Version: 100000
    OS Patch Level: 202002
    Attestation Application ID Bytes: NOT PRESENT
    Attestation ID Brand: NOT PRESENT
    Attestation ID Device: NOT PRESENT
    Attestation ID Product: NOT PRESENT
    Attestation ID Serial: NOT PRESENT
    Attestation ID IMEI: NOT PRESENT
    Attestation ID MEID: NOT PRESENT
    Attestation ID Manufacturer: NOT PRESENT
    Attestation ID Model: NOT PRESENT
    Vendor Patch Level: 20200205
    Boot Patch Level: 20200205
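
The three steps of the recap above, written as an added example in Java against the public SDK (this is not code from the linked repo), plus the check a relying party wants: that cert[0] echoes the challenge it asked for and that the attestation was produced by a TEE rather than software. Bouncy Castle's org.bouncycastle.asn1 package on the classpath and the alias/challenge arguments are assumptions; the Android 12+ device-properties call is the public-SDK route to the brand/device/model fields shown as NOT PRESENT in the dump.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;

public final class AttestationCheck {
    // OID of the Android key attestation extension carried by the leaf certificate (cert[0]).
    private static final String KEY_ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.17";

    /** Generates an attested P-256 key; the challenge must be supplied before generation. */
    public static Certificate[] generateAttestedKey(String alias, byte[] challenge) throws Exception {
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(challenge);
        if (Build.VERSION.SDK_INT >= 31) {
            b.setDevicePropertiesAttestationIncluded(true); // Android 12+: ask for brand/device/product/model
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(b.build());
        kpg.generateKeyPair();
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        return ks.getCertificateChain(alias); // leaf first, then intermediates and the attestation root
    }

    /** True if cert[0] carries a hardware-backed attestation whose challenge equals the one we sent. */
    public static boolean hardwareAttestationMatches(X509Certificate leaf, byte[] expected) throws Exception {
        byte[] ext = leaf.getExtensionValue(KEY_ATTESTATION_OID);
        if (ext == null) return false; // no attestation extension at all: treat as unverified
        // getExtensionValue() returns the DER OCTET STRING that wraps the extension body.
        byte[] body = ASN1OctetString.getInstance(ASN1Primitive.fromByteArray(ext)).getOctets();
        ASN1Sequence kd = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(body));
        // KeyDescription: [0] attestationVersion, [1] attestationSecurityLevel, [2] keymasterVersion,
        // [3] keymasterSecurityLevel, [4] attestationChallenge, [5] uniqueId, [6] softwareEnforced, [7] teeEnforced
        int level = ASN1Enumerated.getInstance(kd.getObjectAt(1)).getValue().intValue(); // 0 Software, 1 TEE, 2 StrongBox
        byte[] challenge = ASN1OctetString.getInstance(kd.getObjectAt(4)).getOctets();
        return level != 0 && Arrays.equals(challenge, expected);
    }
}
```

The challenge should come from the party that will verify the certificate, and that party should also validate the chain up to the attestation root before trusting any field parsed here.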

Answer 1 (score: 1)

Regarding your first point, the device IDs are indeed stored in the device's system partition, but for them to be attested they must be copied into the device's TEE before the device leaves the factory. Since ID attestation is not a mandatory requirement for Android compatibility, it goes without saying that it is the vendor's decision whether to provision the IDs into the TEE. In fact, the platform may not even provide a BSP API to do so. So if that is the case, you will not be able to make them appear in the attestation certificate. You can check for android.software.device_id_attestation.xml under /etc/permissions/ to see whether your device supports ID attestation.

Answer 2 (score: 1)

Part of the problem may also be that ID attestation via AttestationUtils is a system API, and your app must be a system app to use those APIs. In other words, you cannot do this from a normal app.