enforce attest key for new pairings when supported

GrapheneOS · May 14, 2023 · 6a0e6c2 · 6a0e6c2
1 parent 5f0f27b
commit 6a0e6c2
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
@@ -876,6 +876,11 @@ private static Verified verifyStateless(final Certificate[] certificates,
             attestKey = true;
         } catch (final Attestation.KeyDescriptionMissingException e) {}
 
+        // enforce attest key for new pairings with devices supporting it
+        if (!hasPersistentKey && attestationVersion >= 100 && !attestKey) {
+            throw new GeneralSecurityException("missing per-pairing attest key for device supporting it");
+        }
+
         for (int i = 2; i < certificates.length; i++) {
             try {
                 new Attestation((X509Certificate) certificates[i]);