import csv from datetime import UTC, datetime from pathlib import Path import requests from cryptography import x509 from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec, padding from defusedxml.ElementTree import parse def load_public_key_from_file(file_path): with open(file_path, "rb") as key_file: public_key = serialization.load_pem_public_key( key_file.read(), backend=default_backend() ) return public_key def compare_keys(public_key1, public_key2): return public_key1.public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo, ) == public_key2.public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo, ) revoked_keybox_list = requests.get( "https://android.googleapis.com/attestation/status", headers={ "Cache-Control": "max-age=0, no-cache, no-store, must-revalidate", "Pragma": "no-cache", "Expires": "0", }, ).json()["entries"] google_public_key = load_public_key_from_file(".github/google.pem") aosp_ec_public_key = load_public_key_from_file(".github/aosp_ec.pem") aosp_rsa_public_key = load_public_key_from_file(".github/aosp_rsa.pem") knox_public_key = load_public_key_from_file(".github/knox.pem") with open("status.csv", "w") as csvfile: fieldnames = [ "File", "Serial number", "Subject", "Certificate within validity period", "Valid keychain", "Note", "Not found in Google's revoked keybox list", ] writer = csv.DictWriter(csvfile, fieldnames=fieldnames) writer.writeheader() output = [] for kb in Path(".").glob("*.xml"): values = [kb.name] root = parse(kb).getroot() pem_number = int(root.find(".//NumberOfCertificates").text.strip()) pem_certificates = [ cert.text.strip() for cert in root.findall('.//Certificate[@format="pem"]')[:pem_number] ] certificate = x509.load_pem_x509_certificate( pem_certificates[0].encode(), default_backend() ) serial_number = hex(certificate.serial_number)[2:] values.append(serial_number) subject = "" for rdn in certificate.subject: subject += f"{rdn.oid._name}={rdn.value} | " subject = subject[:-3] values.append(subject) not_valid_before = certificate.not_valid_before_utc not_valid_after = certificate.not_valid_after_utc current_time = datetime.now(UTC) is_valid = not_valid_before <= current_time <= not_valid_after values.append("✅" if is_valid else "❌") flag = True for i in range(pem_number - 1): son_certificate = x509.load_pem_x509_certificate( pem_certificates[i].encode(), default_backend() ) father_certificate = x509.load_pem_x509_certificate( pem_certificates[i + 1].encode(), default_backend() ) if son_certificate.issuer != father_certificate.subject: flag = False break signature = son_certificate.signature signature_algorithm = son_certificate.signature_algorithm_oid._name tbs_certificate = son_certificate.tbs_certificate_bytes public_key = father_certificate.public_key() try: match signature_algorithm: case "sha256WithRSAEncryption" | "ecdsa-with-SHA256": hash_algorithm = hashes.SHA256() case "sha1WithRSAEncryption" | "ecdsa-with-SHA1": hash_algorithm = hashes.SHA1() case "sha384WithRSAEncryption" | "ecdsa-with-SHA384": hash_algorithm = hashes.SHA384() case "sha512WithRSAEncryption" | "ecdsa-with-SHA512": hash_algorithm = hashes.SHA512() if signature_algorithm.endswith("WithRSAEncryption"): padding_algorithm = padding.PKCS1v15() public_key.verify( signature, tbs_certificate, padding_algorithm, hash_algorithm ) else: padding_algorithm = ec.ECDSA(hash_algorithm) public_key.verify(signature, tbs_certificate, padding_algorithm) except Exception as e: flag = False break values.append("✅" if flag else "❌") root_certificate = x509.load_pem_x509_certificate( pem_certificates[-1].encode(), default_backend() ) root_public_key = root_certificate.public_key() if compare_keys(root_public_key, google_public_key): values.append("✅ Google hardware attestation root certificate") elif compare_keys(root_public_key, aosp_ec_public_key): values.append("🟡 AOSP software attestation root certificate (EC)") elif compare_keys(root_public_key, aosp_rsa_public_key): values.append("🟡 AOSP software attestation root certificate (RSA)") elif compare_keys(root_public_key, knox_public_key): values.append("✅ Samsung Knox attestation root certificate") else: values.append("❌ Unknown root certificate") status = revoked_keybox_list.get(serial_number) values.append("✅" if not status else f"❌ {status['reason']}") output.append(dict(zip(fieldnames, values))) writer.writerows(sorted(output, key=lambda x: x[fieldnames[0]]))