android · copybara-service · Jul 7, 2025 · Jul 7, 2025
diff --git a/src/main/kotlin/Extension.kt b/src/main/kotlin/Extension.kt
@@ -114,17 +114,17 @@ data class DeviceIdentity(
     @JvmStatic
     fun parseFrom(description: KeyDescription) =
       DeviceIdentity(
-        description.teeEnforced.attestationIdBrand,
-        description.teeEnforced.attestationIdDevice,
-        description.teeEnforced.attestationIdProduct,
-        description.teeEnforced.attestationIdSerial,
+        description.hardwareEnforced.attestationIdBrand,
+        description.hardwareEnforced.attestationIdDevice,
+        description.hardwareEnforced.attestationIdProduct,
+        description.hardwareEnforced.attestationIdSerial,
         setOfNotNull(
-          description.teeEnforced.attestationIdImei,
-          description.teeEnforced.attestationIdSecondImei,
+          description.hardwareEnforced.attestationIdImei,
+          description.hardwareEnforced.attestationIdSecondImei,
         ),
-        description.teeEnforced.attestationIdMeid,
-        description.teeEnforced.attestationIdManufacturer,
-        description.teeEnforced.attestationIdModel,
+        description.hardwareEnforced.attestationIdMeid,
+        description.hardwareEnforced.attestationIdManufacturer,
+        description.hardwareEnforced.attestationIdModel,
       )
   }
 }
@@ -139,8 +139,7 @@ data class KeyDescription(
   val attestationChallenge: ByteString,
   val uniqueId: ByteString,
   val softwareEnforced: AuthorizationList,
-  // TODO: Rename to hardwareEnforced b/c could be TEE or StrongBox.
-  val teeEnforced: AuthorizationList,
+  val hardwareEnforced: AuthorizationList,
 ) {
   fun asExtension(): Extension {
     return Extension(OID, /* critical= */ false, encodeToAsn1())
@@ -155,7 +154,7 @@ data class KeyDescription(
         add(attestationChallenge.toAsn1())
         add(uniqueId.toAsn1())
         add(softwareEnforced.toAsn1())
-        add(teeEnforced.toAsn1())
+        add(hardwareEnforced.toAsn1())
       }
       .let { DERSequence(it.toTypedArray()).encoded }
 
@@ -178,7 +177,7 @@ data class KeyDescription(
         from(ASN1Sequence.getInstance(bytes))
       } catch (e: NullPointerException) {
         // Workaround for a NPE in BouncyCastle.
-        // http://google3/third_party/java_src/bouncycastle/core/src/main/java/org/bouncycastle/asn1/ASN1UniversalType.java;l=24;rcl=484684674
+        // https://github.com/bcgit/bc-java/blob/228211ecb973fe87fdd0fc4ab16ba0446ec1a29c/core/src/main/java/org/bouncycastle/asn1/ASN1UniversalType.java#L24
         throw IllegalArgumentException(e)
       }
 
@@ -192,7 +191,7 @@ data class KeyDescription(
         attestationChallenge = seq.getObjectAt(4).toByteString(),
         uniqueId = seq.getObjectAt(5).toByteString(),
         softwareEnforced = seq.getObjectAt(6).toAuthorizationList(),
-        teeEnforced = seq.getObjectAt(7).toAuthorizationList(),
+        hardwareEnforced = seq.getObjectAt(7).toAuthorizationList(),
       )
     }
   }
@@ -204,14 +203,10 @@ data class KeyDescription(
  * @see https://source.android.com/docs/security/features/keystore/attestation#securitylevel-values
  */
 enum class SecurityLevel(val value: Int) {
-  // LINT.IfChange(security_level)
   SOFTWARE(0),
   TRUSTED_ENVIRONMENT(1),
   STRONG_BOX(2);
 
-  // LINT.ThenChange(//depot/google3/identity/cryptauth/apparat/apparat.proto:key_type,
-  // //depot/google3/identity/cryptauth/apparat/storage/apparat_storage_api.proto:keymaster_security_level)
-
   internal fun toAsn1() = ASN1Enumerated(value)
 }
 

diff --git a/src/main/kotlin/Verifier.kt b/src/main/kotlin/Verifier.kt
@@ -121,11 +121,11 @@ open class Verifier(
     }
 
     if (
-      keyDescription.teeEnforced.origin == null ||
-        keyDescription.teeEnforced.origin != Origin.GENERATED
+      keyDescription.hardwareEnforced.origin == null ||
+        keyDescription.hardwareEnforced.origin != Origin.GENERATED
     ) {
       return VerificationResult.ExtensionConstraintViolation(
-        "origin != GENERATED: ${keyDescription.teeEnforced.origin}"
+        "origin != GENERATED: ${keyDescription.hardwareEnforced.origin}"
       )
     }
 
@@ -138,8 +138,10 @@ open class Verifier(
         )
       }
     val rootOfTrust =
-      keyDescription.teeEnforced.rootOfTrust
-        ?: return VerificationResult.ExtensionConstraintViolation("teeEnforced.rootOfTrust is null")
+      keyDescription.hardwareEnforced.rootOfTrust
+        ?: return VerificationResult.ExtensionConstraintViolation(
+          "hardwareEnforced.rootOfTrust is null"
+        )
     val deviceInformation =
       if (certPath.provisioningMethod() == ProvisioningMethod.REMOTELY_PROVISIONED) {
         certPath.attestationCert().provisioningInfo()

diff --git a/src/main/kotlin/provider/KeyAttestationCertPathValidator.kt b/src/main/kotlin/provider/KeyAttestationCertPathValidator.kt
@@ -256,7 +256,6 @@ private class BasicChecker(
      * KAVS does not check the validity of the final certificate in the path. For the purposes of
      * migration this path validator is intended to be bug compatible with KAVS, so we do not check
      * the validity of the final certificate either.
-     * http://google3/java/com/google/wireless/android/work/boq/unspoofableid/common/VerifyCertificateChain.java;l=173;rcl=679670181
      *
      * TODO: b/355190989 - explore if is viable to check the validity of the final certificate.
      */

diff --git a/src/main/kotlin/provider/RevocationChecker.kt b/src/main/kotlin/provider/RevocationChecker.kt
@@ -27,8 +27,6 @@ import java.security.cert.X509Certificate
  *
  * Currently, this class is a clone of the as-built revocation checker from KAVS. It is only
  * intended to be for migrating the bespoke KAVS path validation logic to this provider.
- *
- * http://google3/java/com/google/wireless/android/work/boq/unspoofableid/common/VerifyCertificateChain.java;l=107;rcl=677835266
  */
 class RevocationChecker(private val revokedSerials: Set<String>) : PKIXRevocationChecker() {
   override fun init(forward: Boolean) {

diff --git a/src/main/kotlin/testing/KeyAttestationCertFactory.kt b/src/main/kotlin/testing/KeyAttestationCertFactory.kt
@@ -130,7 +130,7 @@ internal class KeyAttestationCertFactory(val fakeCalendar: FakeCalendar = FakeCa
         attestationChallenge = ByteString.copyFromUtf8("A random 40-byte challenge for no reason"),
         uniqueId = ByteString.empty(),
         softwareEnforced = AuthorizationList(),
-        teeEnforced =
+        hardwareEnforced =
           AuthorizationList(
             rootOfTrust =
               RootOfTrust(

diff --git a/src/main/kotlin/testing/KeyAttestationCertPathFactory.kt b/src/main/kotlin/testing/KeyAttestationCertPathFactory.kt
@@ -50,7 +50,7 @@ class KeyAttestationCertPathFactory(val fakeCalendar: FakeCalendar = FakeCalenda
               /* critical= */ false,
               ProvisioningInfoMap(
                   certificatesIssued = 1,
-                  manufacturer = keyDescription.teeEnforced.attestationIdManufacturer,
+                  manufacturer = keyDescription.hardwareEnforced.attestationIdManufacturer,
                 )
                 .encodeToAsn1(),
             ),

diff --git a/src/test/kotlin/ExtensionTest.kt b/src/test/kotlin/ExtensionTest.kt
@@ -67,7 +67,7 @@ class ExtensionTest {
   fun parseFrom_containsAllowWhileOnBody_success() {
     val unused =
       testData.resolve("allow_while_on_body.pem").inputStream().asX509Certificate().keyDescription()
-    // assertThat(keyDescription.teeEnforced.allowWhileOnBody).isTrue()
+    // assertThat(keyDescription.hardwareEnforced.allowWhileOnBody).isTrue()
   }
 
   @Test
@@ -142,7 +142,7 @@ class ExtensionTest {
         attestationChallenge = ByteString.empty(),
         uniqueId = ByteString.empty(),
         softwareEnforced = authorizationList,
-        teeEnforced = authorizationList,
+        hardwareEnforced = authorizationList,
       )
     assertThat(KeyDescription.parseFrom(keyDescription.encodeToAsn1())).isEqualTo(keyDescription)
   }

diff --git a/testdata/akita/sdk34/SB_RSA_NONE.json b/testdata/akita/sdk34/SB_RSA_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",

diff --git a/testdata/akita/sdk34/TEE_EC_NONE.json b/testdata/akita/sdk34/TEE_EC_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "256",
     "algorithms": "3",

diff --git a/testdata/akita/sdk34/TEE_RSA_BASE+IMEI.json b/testdata/akita/sdk34/TEE_RSA_BASE+IMEI.json
@@ -12,7 +12,7 @@
       "signatures": []
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",

diff --git a/testdata/akita/sdk34/TEE_RSA_NONE.json b/testdata/akita/sdk34/TEE_RSA_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",

diff --git a/testdata/akita/sdk34/TEE_RSA_NONE_USERAUTH.json b/testdata/akita/sdk34/TEE_RSA_NONE_USERAUTH.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",

diff --git a/testdata/blueline/sdk28/SB_RSA_NONE.json b/testdata/blueline/sdk28/SB_RSA_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",

diff --git a/testdata/blueline/sdk28/SB_RSA_NONE_USERAUTH.json b/testdata/blueline/sdk28/SB_RSA_NONE_USERAUTH.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",

diff --git a/testdata/blueline/sdk28/TEE_EC_NONE.json b/testdata/blueline/sdk28/TEE_EC_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "256",
     "algorithms": "3",

diff --git a/testdata/blueline/sdk28/TEE_RSA_BASE+IMEI.json b/testdata/blueline/sdk28/TEE_RSA_BASE+IMEI.json
@@ -12,7 +12,7 @@
       "signatures": []
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",

diff --git a/testdata/blueline/sdk28/TEE_RSA_NONE.json b/testdata/blueline/sdk28/TEE_RSA_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",

diff --git a/testdata/marlin/sdk29/TEE_EC_NONE.json b/testdata/marlin/sdk29/TEE_EC_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "256",
     "algorithms": "3",

diff --git a/testdata/marlin/sdk29/TEE_RSA_NONE.json b/testdata/marlin/sdk29/TEE_RSA_NONE.json
@@ -17,7 +17,7 @@
       "signatures": ["EDk47kU35Z6O55L2VFBPuDRvxrNG0LvEQV/DOfz8jsE="]
     }
   },
-  "teeEnforced": {
+  "hardwareEnforced": {
     "purposes": ["2"],
     "keySize": "2048",
     "algorithms": "1",