Fix incorrect default constraint configuration for attestation verification

sethmoo · copybara-github · commit 5317d080fe00 · 2026-02-24T18:09:01.000-08:00
The config was set to "strict -- TEE only". This is incorrect, as we should also allow
StrongBox attestations by default.

Add StrongBox test data from a real phone to ensure no future regressions.

PiperOrigin-RevId: 874876371
diff --git a/src/main/kotlin/ExtensionConstraintConfig.kt b/src/main/kotlin/ExtensionConstraintConfig.kt
@@ -27,8 +27,7 @@ import com.google.errorprone.annotations.ThreadSafe
 @ThreadSafe
 data class ExtensionConstraintConfig(
   val keyOrigin: ValidationLevel<Origin> = ValidationLevel.STRICT(Origin.GENERATED),
-  val securityLevel: ValidationLevel<KeyDescription> =
-    SecurityLevelValidationLevel.STRICT(SecurityLevel.TRUSTED_ENVIRONMENT),
+  val securityLevel: ValidationLevel<KeyDescription> = SecurityLevelValidationLevel.NOT_SOFTWARE,
   val rootOfTrust: ValidationLevel<RootOfTrust> = ValidationLevel.NOT_NULL,
   val authorizationListTagOrder: ValidationLevel<KeyDescription> = ValidationLevel.IGNORE,
 )
diff --git a/src/test/kotlin/VerifierTest.kt b/src/test/kotlin/VerifierTest.kt
@@ -101,6 +101,10 @@ class VerifierTest {
       "tegu/sdk36/TEE_EC_2026_ROOT",
       LocalDate.of(2026, 2, 23).atStartOfDay(ZoneOffset.UTC).toInstant(),
     ),
+    PIXEL_9A_SDK36_STRONGBOX(
+      "tegu/sdk36/SB_EC_2026_ROOT",
+      LocalDate.of(2026, 2, 24).atStartOfDay(ZoneOffset.UTC).toInstant(),
+    ),
   }
 
   @Test
diff --git a/testdata/tegu/sdk36/SB_EC_2026_ROOT.json b/testdata/tegu/sdk36/SB_EC_2026_ROOT.json
@@ -0,0 +1,38 @@
+{
+  "attestationVersion": "300",
+  "attestationSecurityLevel": "STRONG_BOX",
+  "keyMintVersion": "300",
+  "keyMintSecurityLevel": "STRONG_BOX",
+  "attestationChallenge": "OTA1NzhlMWQtZjViZi00Y2NmLWEyN2YtYTRmNGQ4OWVlMjFm",
+  "uniqueId": "",
+  "softwareEnforced": {
+    "creationDateTime": "1771979841867",
+    "attestationApplicationId": {
+      "packages": [
+        { "name": "com.google.android.attestation", "version": "0" }
+      ],
+      "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
+    },
+    "areTagsOrdered": true
+  },
+  "hardwareEnforced": {
+    "purposes": ["2", "3"],
+    "algorithms": "3",
+    "keySize": "256",
+    "digests": ["4"],
+    "ecCurve": "1",
+    "noAuthRequired": true,
+    "origin": "GENERATED",
+    "rootOfTrust": {
+      "verifiedBootKey": "MyevYthKuJevJSOhbctYAeYMXVuX9ByhvQmcR4T3t0M=",
+      "deviceLocked": true,
+      "verifiedBootState": "VERIFIED",
+      "verifiedBootHash": "7Owyr9T0ZfyInz7SDm95qsof0as6351/GX7KuwyaOFY="
+    },
+    "osVersion": "160000",
+    "osPatchLevel": "202602",
+    "vendorPatchLevel": "20260205",
+    "bootPatchLevel": "20260205",
+    "areTagsOrdered": true
+  }
+}
diff --git a/testdata/tegu/sdk36/SB_EC_2026_ROOT.pem b/testdata/tegu/sdk36/SB_EC_2026_ROOT.pem
@@ -0,0 +1,77 @@
+-----BEGIN CERTIFICATE-----
+MIICuTCCAl+gAwIBAgIBATAKBggqhkjOPQQDAjA/MRIwEAYDVQQKEwlTdHJvbmdC
+b3gxKTAnBgNVBAMTIGFiNGQ1ODRkMzI4NWI2YzUxZDIzYzE5OTIwMTc0NGMwMB4X
+DTcwMDEwMTAwMDAwMFoXDTQ4MDEwMTAwMDAwMFowHzEdMBsGA1UEAxMUQW5kcm9p
+ZCBLZXlzdG9yZSBLZXkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ+vIZcheqw
+PXkwVjmqo91UsRbALOcse/zOBx49/Yv4mPkMd5Fz+vRWFiS/poXmvl4bO0ChWLdl
+hpUIOGgf0BTUo4IBajCCAWYwDgYDVR0PAQH/BAQDAgeAMIIBUgYKKwYBBAHWeQIB
+EQSCAUIwggE+AgIBLAoBAgICASwKAQIEJDkwNTc4ZTFkLWY1YmYtNGNjZi1hMjdm
+LWE0ZjRkODllZTIxZgQAMF+/hT0IAgYBnJI6oUu/hUVPBE0wSzElMCMEHmNvbS5n
+b29nbGUuYW5kcm9pZC5hdHRlc3RhdGlvbgIBADEiBCAQOTjuRTflno7nkvZUUE+4
+NG/Gs0bQu8RBX8M5/PyOwTCBpKEIMQYCAQICAQOiAwIBA6MEAgIBAKUFMQMCAQSq
+AwIBAb+DdwIFAL+FPgMCAQC/hUBMMEoEIDMnr2LYSriXryUjoW3LWAHmDF1bl/Qc
+ob0JnEeE97dDAQH/CgEABCDs7DKv1PRl/IifPtIOb3mqyh/RqzrfnX8Zfsq7DJo4
+Vr+FQQUCAwJxAL+FQgUCAwMXar+FTgYCBAE1JW2/hU8GAgQBNSVtMAoGCCqGSM49
+BAMCA0gAMEUCIQCL16yWJyYvWysuJJEt5+vFVk8IBryZxNCPQtM68TVN5AIgUn6B
+zffsayHDyyYWNQInIA/Atzi4btMMeU6eir/xIzs=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIB5jCCAYygAwIBAgIRAKtNWE0yhbbFHSPBmSAXRMAwCgYIKoZIzj0EAwIwKTET
+MBEGA1UEChMKR29vZ2xlIExMQzESMBAGA1UEAxMJRHJvaWQgQ0EzMB4XDTI2MDIy
+MjAwMDc1NloXDTI2MDMwNjAxMTg0N1owPzESMBAGA1UEChMJU3Ryb25nQm94MSkw
+JwYDVQQDEyBhYjRkNTg0ZDMyODViNmM1MWQyM2MxOTkyMDE3NDRjMDBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABM3hgoF7wGE1eaPEUMmwnxaL5f9u2Xu7mSovGj1+
+ak6ECs+Zl2DA9N8bglBp+6dF9NdNvfVJ1rM251hJcwopB2+jfzB9MB0GA1UdDgQW
+BBQayeOdpcYdVEHUFn51q6p1BdQ0uzAfBgNVHSMEGDAWgBSHdUpvQ8E+IyP2M1Ym
+I0AZY9jUxjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDAaBgorBgEE
+AdZ5AgEeBAyiARggA2ZHb29nbGUwCgYIKoZIzj0EAwIDSAAwRQIgIWrTtQIRZPn9
+MET+bETrS0YSYr2zgR8nd2saSQIMJn4CIQDs4DGBtQOVonT+a5Q6COlaReb4UGod
+U5Vi5699HBQVwQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAnWgAwIBAgITMDqNZ8RaDdp7Da+8CS9agkoC7DAKBggqhkjOPQQDAzAp
+MRMwEQYDVQQKEwpHb29nbGUgTExDMRIwEAYDVQQDEwlEcm9pZCBDQTIwHhcNMjYw
+MjE5MjMzODI3WhcNMjYwNDMwMjMzODI2WjApMRMwEQYDVQQKEwpHb29nbGUgTExD
+MRIwEAYDVQQDEwlEcm9pZCBDQTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR0
+mLbPl8AKkaG97eE8yKN9bkO3whZwBnSmgQwY7hndpWKobx8YwGY9r8dOZ9v3xELC
+epDPBwMHjJL0zOTA7CdRo4IBejCCAXYwDgYDVR0PAQH/BAQDAgIEMA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFId1Sm9DwT4jI/YzViYjQBlj2NTGMB8GA1UdIwQY
+MBaAFEUgMj4fpvmPHNXDRy7UelD+O6jgMIGNBggrBgEFBQcBAQSBgDB+MHwGCCsG
+AQUFBzAChnBodHRwOi8vcHJpdmF0ZWNhLWNvbnRlbnQtNjlhNDczNWItMDAwMC0y
+NWEyLWE3MWMtM2MyODZkMzhlYjlhLnN0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vN2My
+Y2U5ZTVlMGI4OTgxYTc2MWIvY2EuY3J0MIGCBgNVHR8EezB5MHegdaBzhnFodHRw
+Oi8vcHJpdmF0ZWNhLWNvbnRlbnQtNjlhNDczNWItMDAwMC0yNWEyLWE3MWMtM2My
+ODZkMzhlYjlhLnN0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vN2MyY2U5ZTVlMGI4OTgx
+YTc2MWIvY3JsLmNybDAKBggqhkjOPQQDAwNoADBlAjB1PdABk1m57OVPr3NwdddY
+Vq0xAaK/t93net8TYQyRAQNmOqJ9nTZcuffefw1Y6j0CMQDMZXUJA7/LYK0FGkez
+H9BDC8itvrLdHnT2o/3N5LwXIbUUpa+LODkWnaYIAk4IQWA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICZTCCAeugAwIBAgIRALGEywXsUP3JhfDsUyl8+CMwCgYIKoZIzj0EAwMwUjEc
+MBoGA1UEAwwTS2V5IEF0dGVzdGF0aW9uIENBMTEQMA4GA1UECwwHQW5kcm9pZDET
+MBEGA1UECgwKR29vZ2xlIExMQzELMAkGA1UEBhMCVVMwHhcNMjYwMjA5MTk1NzEw
+WhcNMjkwMjA4MTk1NzEwWjApMRMwEQYDVQQKEwpHb29nbGUgTExDMRIwEAYDVQQD
+EwlEcm9pZCBDQTIwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT19+tRAlmwuauVyRrg
+HqykkymaEkOS1IYSoXAQyBRvUNEnY5FGqmi44dOWcqMxu0uIbB3in5TD3GsR1NBm
+i3f//mI0aiARbBtdP3YaIff8yy076NY9dPMnBiCMIwjRR2Cjga0wgaowRwYDVR0f
+BEAwPjA8oDqgOIY2aHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVz
+dGF0aW9uL2tleV9jYTEuY3JsMB0GA1UdDgQWBBRFIDI+H6b5jxzVw0cu1HpQ/juo
+4DAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRS
+Mrss+0ZDm9zWgakOZWbgNEHqQDAKBggqhkjOPQQDAwNoADBlAjBfOXmY1+SCcT/o
+WL17AuVS7uoxMXssLksjChHT+VhTMpWu9J42x3G20hHVGTj+3ZICMQDBYZjd7+vf
+uyLVCZkTX7wlvjcRJjvrEWyxvkZE5vlq8c3lwH9JyNBP3OeTd3o8IJs=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICIjCCAaigAwIBAgIRAISp0Cl7DrWK5/8OgN52BgUwCgYIKoZIzj0EAwMwUjEc
+MBoGA1UEAwwTS2V5IEF0dGVzdGF0aW9uIENBMTEQMA4GA1UECwwHQW5kcm9pZDET
+MBEGA1UECgwKR29vZ2xlIExMQzELMAkGA1UEBhMCVVMwHhcNMjUwNzE3MjIzMjE4
+WhcNMzUwNzE1MjIzMjE4WjBSMRwwGgYDVQQDDBNLZXkgQXR0ZXN0YXRpb24gQ0Ex
+MRAwDgYDVQQLDAdBbmRyb2lkMRMwEQYDVQQKDApHb29nbGUgTExDMQswCQYDVQQG
+EwJVUzB2MBAGByqGSM49AgEGBSuBBAAiA2IABCPaI3FO3z5bBQo8cuiEas4HjqCt
+G/mLFfRT0MsIssPBEEU5Cfbt6sH5yOAxqEi5QagpU1yX4HwnGb7OtBYpDTB57uH5
+Eczm34A5FNijV3s0/f0UPl7zbJcTx6xwqMIRq6NCMEAwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFFIyuyz7RkOb3NaBqQ5lZuA0QepA
+MAoGCCqGSM49BAMDA2gAMGUCMETfjPO/HwqReR2CS7p0ZWoD/LHs6hDi422opifH
+EUaYLxwGlT9SLdjkVpz0UUOR5wIxAIoGyxGKRHVTpqpGRFiJtQEOOTp/+s1GcxeY
+uR2zh/80lQyu9vAFCj6E4AXc+osmRg==
+-----END CERTIFICATE-----
