From 4eb320eca953f14a266c2cd67e6175190a077353 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Our MIT / Apache 2 licensed Auditor - app can be used a reference implementation for verifying hardware-based - attestations. There are some subtleties in the verification process such as making - sure only the 2nd certificate in the chain (the one signing the certificate for the - key generated by your app) has an attestation extension to prevent making a fake - attestation by extending the chain. You can reuse our code and simply omit support for - an app generated attestation signing key (attest key) and the other pinning - support.
+Google provides a key + attestation library with examples. Our MIT + / Apache 2 licensed Auditor app can be used a reference implementation for + verifying hardware-based attestations. There are some subtleties in the verification + process such as making sure only the 2nd certificate in the chain (the one signing the + certificate for the key generated by your app) has an attestation extension to prevent + making a fake attestation by extending the chain. You can reuse our code and simply + omit support for an app generated attestation signing key (attest key) and the other + pinning support.
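Review bot: the added paragraph keeps two wording slips from the removed one: "can be used a reference implementation" should read "can be used as a reference implementation", and "an app generated attestation signing key" should be "an app-generated attestation signing key". The new opening sentence, "Google provides a key attestation library with examples", names neither the library nor where it lives; adding the library name or a link would let readers find the examples it refers to.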
After verifying the signature of the attestation certificate chain and extracting the attestation metadata, you can enforce that verifiedBootState is