This is a simple set of scripts to generate a keybox file for Android key attestation. Keyboxes generated using these scripts CANNOT PASS STRONG INTEGRITY (unless you have the correct private key to sign the root certificate or any certificate down the chain).
- Python 3
- OpenSSL
- Generate the certificate chains:
  `python generate_cert_chains.py`
- Generate the keybox:
  `python generate_keybox.py -a -t`
This will generate a keybox.xml file in the working directory.
For more options, run the scripts with the -h flag.
To verify the generated keybox, you can use this checker.
There is a wizard for a more user-friendly experience; run it with:
`python wizard.py`
The scripts folder contains scripts used to develop the keybox generator.
This is all experimental.
generate_cert_chains.py generates 2 certificate chains (one RSA and one ECDSA), each made of 4 certificates starting from an RSA root certificate (either generated or given).
The variable SUBJECTS contains a list of either generated or user-specified subjects for the certificates.
You can use this list with the option -s; if you leave the list empty, the script will generate random subjects that are coherent with the rest of the chain.
By default the script generates subjects using the default OpenSSL configuration, and uses the same subject for all certificates.
You can change this too, by editing the DETAILS variable.
The certs folder contains all generated certificates.
The certificate chains and the end-entity private keys are copied into the working directory for the next script.
Check this page for more information about certificate chains.
Root CA (self-signed) (by Google, hopefully) (RSA) (ECDSA optional)
  |_ OEM CA (RSA and ECDSA, signed by Root CA)
     |_ Model CA (RSA and ECDSA, signed by OEM CA)
        |_ End-entity (optional) (RSA and ECDSA, signed by Model CA) (the certificate subject here can literally be anything)
If you want to generate the root certificate using a specific private key, you can put it into the certs folder and name it rootCA.key.
You can also put a corresponding root certificate named rootCA.pem in the same folder.
The same goes for the other certificates down the chain:
- rootCA.key and rootCA.pem for the root certificate
- rootCA_ecdsa.key and rootCA_ecdsa.pem for the ECDSA root certificate (optional)
- [type]_oem_CA.key and [type]_oem_CA.pem for the OEM certificate
- [type]_model_CA.key and [type]_model_CA.pem for the model certificate
- [type]_end.key and [type]_end.pem for the end-entity certificate
Where [type] is either RSA or ECDSA.
generate_keybox.py generates a keybox file using the certificate chains generated by the previous script.
If no files are specified, the script generates an empty keybox.
There is an auto mode (-a) that automatically detects the necessary files in the working directory.
You can generate a pretty-printed keybox with the -t option.
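Before feeding a generated keybox.xml to anything, it is worth checking that the file is internally consistent: declared counts match the elements present, every PEM block decodes, and every payload is a complete DER SEQUENCE. The stdlib-only checker below is an added example, not part of these scripts or of the checker the page links to. It assumes the AOSP keybox element layout (AndroidAttestation / NumberOfKeyboxes / Keybox DeviceID / Key algorithm / PrivateKey / CertificateChain / NumberOfCertificates / Certificate), which this page does not show, and the sample documents it validates are constructed with a placeholder DER blob rather than real keys or certificates. It checks structure only; it does not verify signatures or the chain of trust.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Assumed element layout: AOSP keybox XML (AndroidAttestation > Keybox > Key > CertificateChain).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der(text):
    """Return (label, DER bytes) for the first PEM block in text; ValueError if malformed."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    body = "".join(m.group(2).split())
    return m.group(1), base64.b64decode(body, validate=True)  # binascii.Error is a ValueError


def der_sequence_ok(der):
    """True if der is exactly one DER SEQUENCE: tag 0x30 and a length matching the payload."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)


def _check_pem(text, expect_label, where, problems):
    try:
        label, der = pem_to_der(text or "")
    except ValueError as exc:
        problems.append(f"{where}: bad PEM ({exc})")
        return
    if not label.endswith(expect_label):  # accepts "EC PRIVATE KEY", "RSA PRIVATE KEY", ...
        problems.append(f"{where}: unexpected PEM label {label!r}")
    if not der_sequence_ok(der):
        problems.append(f"{where}: payload is not a well-formed DER SEQUENCE")


def validate_keybox(xml_text):
    """Return a list of consistency problems in a keybox document (empty list means consistent)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "AndroidAttestation":
        problems.append(f"root element is {root.tag!r}, expected 'AndroidAttestation'")
    keyboxes = root.findall("Keybox")
    declared = root.findtext("NumberOfKeyboxes", "").strip()
    if declared != str(len(keyboxes)):
        problems.append(f"NumberOfKeyboxes says {declared!r} but {len(keyboxes)} Keybox element(s) present")
    for kb in keyboxes:
        dev = kb.get("DeviceID") or "<no DeviceID>"
        seen = set()
        for key in kb.findall("Key"):
            alg = key.get("algorithm")
            where = f"keybox {dev} / key {alg}"
            if alg not in ("ecdsa", "rsa"):
                problems.append(f"{where}: unknown algorithm")
            seen.add(alg)
            pk = key.find("PrivateKey")
            if pk is None:
                problems.append(f"{where}: missing PrivateKey")
            else:
                _check_pem(pk.text, "PRIVATE KEY", f"{where} / PrivateKey", problems)
            chain = key.find("CertificateChain")
            if chain is None:
                problems.append(f"{where}: missing CertificateChain")
                continue
            certs = chain.findall("Certificate")
            n = chain.findtext("NumberOfCertificates", "").strip()
            if n != str(len(certs)):
                problems.append(f"{where}: NumberOfCertificates says {n!r} but {len(certs)} present")
            for i, cert in enumerate(certs):
                _check_pem(cert.text, "CERTIFICATE", f"{where} / Certificate[{i}]", problems)
        for alg in ("ecdsa", "rsa"):
            if alg not in seen:
                problems.append(f"keybox {dev}: no {alg} key")
    return problems


# Constructed sample data: the DER below is a placeholder SEQUENCE { INTEGER 1 }, not a real key or cert.
_PLACEHOLDER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()


def _pem(label):
    return f"-----BEGIN {label}-----\n{_PLACEHOLDER_B64}\n-----END {label}-----"


def _key_xml(alg, key_label, n_certs, declared):
    certs = "".join(f'<Certificate format="pem">{_pem("CERTIFICATE")}</Certificate>' for _ in range(n_certs))
    return (f'<Key algorithm="{alg}"><PrivateKey format="pem">{_pem(key_label)}</PrivateKey>'
            f'<CertificateChain><NumberOfCertificates>{declared}</NumberOfCertificates>{certs}'
            f'</CertificateChain></Key>')


SAMPLE_OK = ('<AndroidAttestation><NumberOfKeyboxes>1</NumberOfKeyboxes><Keybox DeviceID="constructed-sample">'
             + _key_xml("ecdsa", "EC PRIVATE KEY", 4, 4) + _key_xml("rsa", "RSA PRIVATE KEY", 4, 4)
             + '</Keybox></AndroidAttestation>')
# Same document, but the RSA chain declares 4 certificates and carries only 3.
SAMPLE_BAD = SAMPLE_OK.replace(_key_xml("rsa", "RSA PRIVATE KEY", 4, 4), _key_xml("rsa", "RSA PRIVATE KEY", 3, 4))

if __name__ == "__main__":
    for name, doc in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, validate_keybox(doc) or "consistent")
```

Run it against a real keybox.xml with `validate_keybox(open("keybox.xml").read())`; an empty list means the counts, PEM framing and DER envelopes are consistent, and anything else is a concrete, located problem. Proving that each certificate actually signs the next and that the root is a trusted one still needs a full X.509 verifier.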
Check TrickyStore for more information about keyboxes.
Check this page of the android documentation for more information about key attestation.