Add cause to VerificationResult.PathValidationFailure

PiperOrigin-RevId: 780683473

Author: Android HW Trust Team

src/main/kotlin/ChallengeChecker.kt

@@ -0,0 +1,14 @@
+package com.android.keyattestation.verifier
+
+import com.google.protobuf.ByteString
+
+/** An interface to handle checking validity of challenges. */
+interface ChallengeChecker {
+  /**
+   * Checks the given challenge for validity.
+   *
+   * @param challenge The challenge being check.
+   * @return True if the challenge is valid, else false.
+   */
+  fun checkChallenge(challenge: ByteString): Boolean
+}

src/main/kotlin/Verifier.kt

@@ -22,7 +22,6 @@ import com.android.keyattestation.verifier.provider.ProvisioningMethod
 import com.android.keyattestation.verifier.provider.RevocationChecker
 import com.google.errorprone.annotations.ThreadSafe
 import com.google.protobuf.ByteString
-import java.nio.ByteBuffer
 import java.security.PublicKey
 import java.security.Security
 import java.security.cert.CertPathValidator
@@ -46,7 +45,7 @@ sealed interface VerificationResult {
 
   data object ChallengeMismatch : VerificationResult
 
-  data object PathValidationFailure : VerificationResult
+  data class PathValidationFailure(val cause: CertPathValidatorException) : VerificationResult
 
   data object ChainParsingFailure : VerificationResult
 
@@ -73,26 +72,42 @@ open class Verifier(
     Security.addProvider(KeyAttestationProvider())
   }
 
-  fun verify(chain: List<X509Certificate>, challenge: ByteArray? = null): VerificationResult {
+  /**
+   * Verifies an Android Key Attestation certificate chain.
+   *
+   * @param chain The attestation certificate chain to verify.
+   * @param challengeChecker The challenge checker to use for additional challenge validation.
+   * @return [VerificationResult]
+   */
+  @JvmOverloads
+  fun verify(
+    chain: List<X509Certificate>,
+    challengeChecker: ChallengeChecker? = null,
+  ): VerificationResult {
     val certPath =
       try {
         KeyAttestationCertPath(chain)
       } catch (e: Exception) {
         return VerificationResult.ChainParsingFailure
       }
-    return verify(certPath, challenge)
+    return verify(certPath, challengeChecker)
   }
 
   /**
    * Verifies an Android Key Attestation certificate chain.
    *
    * @param chain The attestation certificate chain to verify.
+   * @param challengeChecker The challenge checker to use for additional validation of the challenge
+   *   in the attestation chain.
    * @return [VerificationResult]
    *
    * TODO: b/366058500 - Make the challenge required after Apparat's changes are rollback safe.
    */
   @JvmOverloads
-  fun verify(certPath: KeyAttestationCertPath, challenge: ByteArray? = null): VerificationResult {
+  fun verify(
+    certPath: KeyAttestationCertPath,
+    challengeChecker: ChallengeChecker? = null,
+  ): VerificationResult {
     val certPathValidator = CertPathValidator.getInstance("KeyAttestation")
     val certPathParameters =
       PKIXParameters(trustAnchorsSource()).apply {
@@ -103,7 +118,7 @@ open class Verifier(
       try {
         certPathValidator.validate(certPath, certPathParameters) as PKIXCertPathValidatorResult
       } catch (e: CertPathValidatorException) {
-        return VerificationResult.PathValidationFailure
+        return VerificationResult.PathValidationFailure(e)
       }
 
     val keyDescription =
@@ -114,8 +129,8 @@ open class Verifier(
       }
 
     if (
-      challenge != null &&
-        keyDescription.attestationChallenge.asReadOnlyByteBuffer() != ByteBuffer.wrap(challenge)
+      challengeChecker != null &&
+        !challengeChecker.checkChallenge(keyDescription.attestationChallenge)
     ) {
       return VerificationResult.ChallengeMismatch
     }

src/main/kotlin/challengecheckers/ChallengeMatcher.kt

@@ -0,0 +1,13 @@
+package com.android.keyattestation.verifier.challengecheckers
+
+import com.android.keyattestation.verifier.ChallengeChecker
+import com.google.protobuf.ByteString
+
+/**
+ * A basic implementation of [ChallengeChecker] that checks if the challenge in the attestation
+ * certificate matches the expected challenge.
+ */
+class ChallengeMatcher(private val expectedChallenge: ByteString) : ChallengeChecker {
+
+  override fun checkChallenge(challenge: ByteString): Boolean = challenge.equals(expectedChallenge)
+}

src/main/kotlin/testing/Certs.kt

@@ -16,6 +16,7 @@
 
 package com.android.keyattestation.verifier.testing
 
+import com.android.keyattestation.verifier.ProvisioningInfoMap
 import com.android.keyattestation.verifier.provider.KeyAttestationCertPath
 import java.security.cert.TrustAnchor
 import org.bouncycastle.asn1.ASN1ObjectIdentifier
@@ -86,7 +87,15 @@ object CertLists {
         signingKey = rkpKey.private,
         issuer = rkpIntermediate.subject,
         extraExtension =
-          Extension(ObjectIds.PROVISIONING_INFO, /* critical= */ false, byteArrayOf()),
+          Extension(
+            ObjectIds.PROVISIONING_INFO,
+            /* critical= */ false,
+            ProvisioningInfoMap(
+                certificatesIssued = 1,
+                manufacturer = "manufacturer",
+              )
+              .encodeToAsn1(),
+          ),
       )
     listOf(
       certFactory.generateLeafCert(),

src/test/kotlin/VerifierTest.kt

@@ -16,6 +16,7 @@
 
 package com.android.keyattestation.verifier
 
+import com.android.keyattestation.verifier.challengecheckers.ChallengeMatcher
 import com.android.keyattestation.verifier.testing.CertLists
 import com.android.keyattestation.verifier.testing.TestUtils.prodRoot
 import com.android.keyattestation.verifier.testing.TestUtils.readCertPath
@@ -41,8 +42,7 @@ class VerifierTest {
   @Test
   fun verify_validChain_returnsSuccess() {
     val chain = readCertPath("blueline/sdk28/TEE_EC_NONE.pem")
-    val result =
-      assertIs<VerificationResult.Success>(verifier.verify(chain, "challenge".toByteArray()))
+    val result = assertIs<VerificationResult.Success>(verifier.verify(chain))
     assertThat(result.publicKey).isEqualTo(chain.leafCert().publicKey)
     assertThat(result.challenge).isEqualTo(ByteString.copyFromUtf8("challenge"))
     assertThat(result.securityLevel).isEqualTo(SecurityLevel.TRUSTED_ENVIRONMENT)
@@ -52,8 +52,7 @@ class VerifierTest {
   @Test
   fun verify_validChain_returnsDeviceIdentity() {
     val chain = readCertPath("blueline/sdk28/TEE_RSA_BASE+IMEI.pem")
-    val result =
-      assertIs<VerificationResult.Success>(verifier.verify(chain, "challenge".toByteArray()))
+    val result = assertIs<VerificationResult.Success>(verifier.verify(chain))
     assertThat(result.attestedDeviceIds)
       .isEqualTo(
         DeviceIdentity(
@@ -70,15 +69,34 @@ class VerifierTest {
   }
 
   @Test
-  fun verify_unexpectedChallenge_returnsChallengeMismatch() {
+  fun verify_challengeCheckerReturnsTrue_returnsSuccess() {
+    val challengeChecker: ChallengeChecker =
+      object : ChallengeChecker {
+        override fun checkChallenge(challenge: ByteString): Boolean = true
+      }
+
     val chain = readCertPath("blueline/sdk28/TEE_EC_NONE.pem")
-    assertIs<VerificationResult.ChallengeMismatch>(verifier.verify(chain, "foo".toByteArray()))
+    assertIs<VerificationResult.Success>(verifier.verify(chain, challengeChecker))
+  }
+
+  @Test
+  fun verify_challengeCheckerReturnsFalse_returnsChallengeMismatch() {
+    val challengeChecker: ChallengeChecker =
+      object : ChallengeChecker {
+        override fun checkChallenge(challenge: ByteString): Boolean = false
+      }
+
+    val chain = readCertPath("blueline/sdk28/TEE_EC_NONE.pem")
+    assertIs<VerificationResult.ChallengeMismatch>(verifier.verify(chain, challengeChecker))
   }
 
   @Test
   fun verify_unexpectedRootKey_returnsPathValidationFailure() {
     assertIs<VerificationResult.PathValidationFailure>(
-      verifier.verify(CertLists.wrongTrustAnchor, "challenge".toByteArray())
+      verifier.verify(
+        CertLists.wrongTrustAnchor,
+        ChallengeMatcher(ByteString.copyFromUtf8("challenge")),
+      )
     )
   }
 }

src/test/kotlin/challengecheckers/ChallengeMatcherTest.kt

@@ -0,0 +1,58 @@
+package com.android.keyattestation.verifier.challengecheckers
+
+import com.android.keyattestation.verifier.VerificationResult
+import com.android.keyattestation.verifier.Verifier
+import com.android.keyattestation.verifier.testing.TestUtils.prodRoot
+import com.android.keyattestation.verifier.testing.TestUtils.readCertPath
+import com.google.common.truth.Truth.assertThat
+import com.google.protobuf.ByteString
+import java.security.cert.TrustAnchor
+import java.time.Instant
+import kotlin.test.assertIs
+import org.junit.Test
+import org.junit.runner.RunWith
+import org.junit.runners.JUnit4
+
+@RunWith(JUnit4::class)
+class ChallengeMatcherTest {
+
+  @Test
+  fun checkChallenge_matchingChallenge_returnsTrue() {
+    val challengeChecker = ChallengeMatcher(ByteString.copyFromUtf8("challenge"))
+    assertThat(challengeChecker.checkChallenge(ByteString.copyFromUtf8("challenge"))).isTrue()
+  }
+
+  @Test
+  fun checkChallenge_mismatchedChallenge_returnsFalse() {
+    val challengeChecker = ChallengeMatcher(ByteString.copyFromUtf8("challenge"))
+    assertThat(challengeChecker.checkChallenge(ByteString.copyFromUtf8("foo"))).isFalse()
+  }
+
+  @Test
+  fun verify_expectedChallenge_returnsSuccess() {
+    val verifier =
+      Verifier(
+        { setOf(TrustAnchor(prodRoot, /* nameConstraints= */ null)) },
+        { setOf<String>() },
+        { Instant.now() },
+      )
+    val chain = readCertPath("blueline/sdk28/TEE_EC_NONE.pem")
+    assertIs<VerificationResult.Success>(
+      verifier.verify(chain, ChallengeMatcher(ByteString.copyFromUtf8("challenge")))
+    )
+  }
+
+  @Test
+  fun verify_unexpectedChallenge_returnsChallengeMismatch() {
+    val verifier =
+      Verifier(
+        { setOf(TrustAnchor(prodRoot, /* nameConstraints= */ null)) },
+        { setOf<String>() },
+        { Instant.now() },
+      )
+    val chain = readCertPath("blueline/sdk28/TEE_EC_NONE.pem")
+    assertIs<VerificationResult.ChallengeMismatch>(
+      verifier.verify(chain, ChallengeMatcher(ByteString.copyFromUtf8("foo")))
+    )
+  }
+}