Rebrand to WARDEN-roboto and update dependencies (#11)

* Rebrand to WARDEN-roboto and update dependencies

.github/workflows/gradle-build.yml

@@ -19,11 +19,11 @@ jobs:
         if: success() || failure()
         with:
           name: All Tests
-          path: android-attestation/build/test-results/**/TEST*.xml
+          path: warden-roboto/build/test-results/**/TEST*.xml
           reporter: java-junit
       - name: Upload jar
         uses: actions/upload-artifact@v3
         with:
-          name: android-attestation
+          name: warden-roboto
           path: |
             build/libs/*jar

.github/workflows/publish.yml

@@ -17,7 +17,7 @@ jobs:
           distribution: 'temurin'
           java-version: '17'
       - name: Publish to Sonatype
-        run: ./gradlew clean android-attestation:publishToSonatype closeSonatypeStagingRepository
+        run: ./gradlew clean warden-roboto:publishToSonatype closeSonatypeStagingRepository
         env:
           ORG_GRADLE_PROJECT_signingKeyId: ${{ secrets.PUBLISH_SIGNING_KEYID }}
           ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PUBLISH_SIGNING_KEY }}
@@ -40,7 +40,7 @@ jobs:
           distribution: 'temurin'
           java-version: '17'
       - name: Build Dokka HTML
-        run: ./gradlew android-attestation:dokkaHtml
+        run: ./gradlew warden-roboto:dokkaHtml
       - name: Setup Pages
         uses: actions/configure-pages@v3
       - name: Upload artifact

CHANGELOG.md

@@ -135,4 +135,13 @@ out the attestation record.
   -  ktor:          2.3.11
   -  napier:        2.7.1
   -  nexus:         1.3.0
-  -  serialization: 1.7.1
+  -  serialization: 1.7.1
+
+### 1.6.0
+- Rebrand to _WARDEN-roboto_
+- Update to latest upstream attestation code
+  - `rollbackResistant` -> `rollbackResistance`
+  - Dependency Updates
+    - Guava: 33.2.1-jre
+    - autovalue: 1.11.0
+    - protobuf-javalite: 4.27.0

README.md

@@ -1,14 +1,22 @@
-# Android  Attestation Library
+<div align="center">
+
+![WARDEN-roboto](warden-roboto.png)
+
+# Server-Side Android Attestation Library
+
+[![A-SIT Plus Official](https://img.shields.io/badge/A--SIT_Plus-official-005b79?logo=data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCAxNDMuNzYyODYgMTg0LjgxOTk5Ij48ZGVmcz48Y2xpcFBhdGggaWQ9ImEiIGNsaXBQYXRoVW5pdHM9InVzZXJTcGFjZU9uVXNlIj48cGF0aCBkPSJNMCA1OTUuMjhoODQxLjg5VjBIMFoiLz48L2NsaXBQYXRoPjwvZGVmcz48ZyBjbGlwLXBhdGg9InVybCgjYSkiIHRyYW5zZm9ybT0ibWF0cml4KDEuMzMzMzMzMyAwIDAgLTEuMzMzMzMzMyAtNDgyLjI1IDUxNy41MykiPjxwYXRoIGZpbGw9IiMwMDViNzkiIGQ9Ik00MTUuNjcgMjQ5LjUzYy03LjE1LjA4LTEzLjk0IDEtMjAuMTcgMi43NWE1Mi4zMyA1Mi4zMyAwIDAgMC0xNy40OCA4LjQ2IDQwLjQzIDQwLjQzIDAgMCAwLTExLjk2IDE0LjU2Yy0yLjY4IDUuNDEtNC4xNCAxMS44NC00LjM1IDE5LjA5bC0uMDIgNi4xMnYyLjE3YS43MS43MSAwIDAgMCAuNy43M2gxNi41MmMuMzkgMCAuNy0uMzIuNzEtLjdsLjAxLTIuMmMwLTIuNi4wMi01LjgyLjAzLTYuMDcuMi00LjYgMS4yNC04LjY2IDMuMDgtMTIuMDZhMjguNTIgMjguNTIgMCAwIDEgOC4yMy05LjU4IDM1LjI1IDM1LjI1IDAgMCAxIDExLjk2LTUuNTggNTUuMzggNTUuMzggMCAwIDEgMTIuNTgtMS43NmM0LjMyLjEgOC42LjcgMTIuNzQgMS44YTM1LjA3IDM1LjA3IDAgMCAxIDExLjk2IDUuNTcgMjguNTQgMjguNTQgMCAwIDEgOC4yNCA5LjU3YzEuOTYgMy42NCAzIDguMDIgMy4xMiAxMy4wMnYyNC4wOUgzNjIuNGEuNy43IDAgMCAwLS43MS43VjMzNWMwIDguNDMuMDEgOC4wNS4wMSA4LjE0LjIgNy4zIDEuNjcgMTMuNzcgNC4zNiAxOS4yMmE0MC40MyA0MC40MyAwIDAgMCAxMS45NiAxNC41N2M1IDMuNzYgMTAuODcgNi42MSAxNy40OCA4LjQ2YTc3LjUgNzcuNSAwIDAgMCAyMC4wMiAyLjc3YzcuMTUtLjA3IDEzLjk0LTEgMjAuMTctMi43NGE1Mi4zIDUyLjMgMCAwIDAgMTcuNDgtOC40NiA0MC40IDQwLjQgMCAwIDAgMTEuOTUtMTQuNTdjMS42Mi0zLjI2IDMuNzctMTAuMDQgMy43Ny0xNC42OCAwLS4zOC0uMTctLjc0LS41NC0uODJsLTE2Ljg5LS40Yy0uMi0uMDQtLjM0LjM0LS4zNC41NCAwIC4yNy0uMDMuNC0uMDYuNi0uNSAyLjgyLTEuMzggNS40LTIuNjEgNy42OWEyOC41MyAyOC41MyAwIDAgMS04LjI0IDkuNTggMzUuMDEgMzUuMDEgMCAwIDEtMTEuOTYgNS41NyA1NS4yNSA1NS4yNSAwIDAgMS0xMi41NyAxLjc3Yy00LjMyLS4xLTguNjEtLjcxLTEyLjc1LTEuOGEzNS4wNSAzNS4wNSAwIDAgMS0xMS45Ni01LjU3IDI4LjUyIDI4LjUyIDAgMCAxLTguMjMtOS41OGMtMS44Ni0zLjQ0LTIuOS03LjU1LTMuMDktMTIuMmwtLjAxLTcuNDdoODkuMTZhLjcuNyAwIDAgMCAuNy0uNzJ2LTM5LjVjLS4xLTcuNjUtMS41OC0xNC40LTQuMzgtMjAuMDZhNDAuNCA0MC40IDAgMCAwLTExLjk1LTE0LjU2IDUyLjM3IDUyLjM3IDAgMCAwLTE3LjQ4LTguNDcgNzcuNTYgNzcuNTYgMCAwIDAtMjAuMDEtMi43N1oiLz48cGF0aCBmaWxsPSIjY2U0OTJlIiBkPSJNNDE5LjM4IDI4MC42M2gtNy41N2EuNy43IDAgMCAwLS43MS43MXYxNS40MmE4LjE3IDguMTcgMCAwIDAtMy43OCA2LjkgOC4yOCA4LjI4IDAgMCAwIDE2LjU0IDAgOC4yOSA4LjI5IDAgMCAwLTMuNzYtNi45di0xNS40MmEuNy43IDAgMCAwLS43Mi0uNzEiLz48L2c%2BPC9zdmc%2B&logoColor=white&labelColor=white)](https://a-sit-plus.github.io)
 [![GitHub license](https://img.shields.io/badge/license-Apache%20License%202.0-brightgreen.svg?style=flat)](http://www.apache.org/licenses/LICENSE-2.0) 
 [![Kotlin](https://img.shields.io/badge/kotlin-2.0.0-blue.svg?logo=kotlin)](http://kotlinlang.org)
 ![Java](https://img.shields.io/badge/java-17-blue.svg?logo=OPENJDK)
-![Build artifacts](https://github.com/a-sit-plus/android-attestation/actions/workflows/gradle-build.yml/badge.svg)
-[![Maven Central](https://img.shields.io/maven-central/v/at.asitplus/android-attestation)](https://mvnrepository.com/artifact/at.asitplus/android-attestation/)
+![Build artifacts](https://github.com/a-sit-plus/warden-roboto/actions/workflows/gradle-build.yml/badge.svg)
+[![Maven Central](https://img.shields.io/maven-central/v/at.asitplus/warden-roboto)](https://mvnrepository.com/artifact/at.asitplus/warden-roboto/)
+
+</div>
 
-This Kotlin library provides a convenient API (a single function, actually) to remotely attest the integrity of an Android device, its OS and a specific application.
+This Kotlin library provides a convenient API (a single function, actually) to remotely attest the integrity of an Android device, its OS, and a specific application.
 It is intended to be integrated into back-end services requiring authentic, unmodified mobile clients (but it also works in other settings, such as peer-to-peer-scenarios).
 
-Full API docs are available [here](https://a-sit-plus.github.io/android-attestation).
+Full API docs are available [here](https://a-sit-plus.github.io/warden-roboto).
 
 This library's core logic is based off [code from Google](https://github.com/google/android-key-attestation) (and actually directly integrates it), such that it can easily keep up with upstream for the lower-level functionality.
 Because of this, it only targets the JVM, although a KMP rewrite (also targeting JS/Node) is possible.
@@ -24,7 +32,7 @@ for end-to-end-tests, for example.
 
 ## Development
 
-See [DEVELOPMENT.md](https://github.com/a-sit-plus/android-attestation/blob/main/DEVELOPMENT.md)
+See [DEVELOPMENT.md](https://github.com/a-sit-plus/warden-roboto/blob/main/DEVELOPMENT.md)
 
 ## Background
 Android devices with a TEE allow for cryptographic keys to be generated in hardware. These keys can only be used, but not exported and are safe from extraction due protective hardware measures. The Android Keystore API expose this hardware-based management of cryptographic material and also allows for generating certficates for such keys, which contain custom Extension that indicate the location of a key (hardware or software).
@@ -40,19 +48,19 @@ Written in Kotlin, plays nicely with Java (cf. `@JvmOverloads`), published at ma
 
 ```kotlin
  dependencies {
-     implementation("at.asitplus:android-attestation:$version")
+     implementation("at.asitplus:warden-roboto:$version")
  }
 ```
 
 Three flavours of attestation are implemented:
-* Hardware attestation through [HardwareAttestationChecker](https://github.com/a-sit-plus/android-attestation/blob/main/android-attestation/src/main/kotlin/AndroidAttestationChecker.kt)
+* Hardware attestation through [HardwareAttestationChecker](https://github.com/a-sit-plus/warden-roboto/blob/main/warden-roboto/src/main/kotlin/AndroidAttestationChecker.kt)
   (this is what you typically want)
-* Software attestation through [SoftwareAttestationChecker](https://github.com/a-sit-plus/android-attestation/blob/main/android-attestation/src/main/kotlin/SoftwareAttestationChecker.kt)
+* Software attestation through [SoftwareAttestationChecker](https://github.com/a-sit-plus/warden-roboto/blob/main/warden-roboto/src/main/kotlin/SoftwareAttestationChecker.kt)
   (you typically don't want to use this)
-* Nougat hybrid attestation through [NougatHybridAttestationChecker](https://github.com/a-sit-plus/android-attestation/blob/main/android-attestation/src/main/kotlin/NougatHybridAttestationChecker.kt)
+* Nougat hybrid attestation through [NougatHybridAttestationChecker](https://github.com/a-sit-plus/warden-roboto/blob/main/warden-roboto/src/main/kotlin/NougatHybridAttestationChecker.kt)
   (you may require this to support legacy devices originally shipped with Android 7 (Nougat))
 
-All of these extend [AndroidAttestationChecker](https://github.com/a-sit-plus/android-attestation/blob/main/android-attestation/src/main/kotlin/AndroidAttestationChecker.kt)
+All of these extend [AndroidAttestationChecker](https://github.com/a-sit-plus/warden-roboto/blob/main/warden-roboto/src/main/kotlin/AndroidAttestationChecker.kt)
 
 
 ### Configuration
@@ -140,7 +148,7 @@ val attestationRecord =  checker.verifyAttestation(attestationCertChain, Date(),
 ```
 
 ## Debugging
-The module [attestation-diag](https://github.com/a-sit-plus/android-attestation/blob/main/attestation-diag) contains a
+The module [attestation-diag](https://github.com/a-sit-plus/warden-roboto/blob/main/attestation-diag) contains a
 (very) simple command-line utility. It can be built using the `shadowJar` gradle task and pretty-prints attestation
 information contained in attestation certificates:
 ```shell
@@ -355,3 +363,8 @@ programme under grant agreement No 959072.
 <p align="center">
 <img src="eu.svg" alt="EU flag">
 </p>
+
+<p align="center">
+The Apache License does not apply to the logos, (including the A-SIT logo) and the project/module name(s), as these are the sole property of
+A-SIT/A-SIT Plus GmbH and may not be used in derivative works without explicit permission!
+</p>

attestation-diag/build.gradle.kts

@@ -14,7 +14,7 @@ application {
 }
 
 dependencies {
-    implementation(project(":android-attestation"))
+    implementation(project(":warden-roboto"))
     implementation("com.google.guava:guava:33.0.0-jre")
     implementation("com.google.code.gson:gson:2.10.1")
 }

build.gradle.kts

@@ -1,3 +1,3 @@
-plugins {  id("at.asitplus.gradle.conventions") version "2.0.0+20240619" }
+plugins {  id("at.asitplus.gradle.conventions") version "2.0.0+20240725" }
 
 group = "at.asitplus"

settings.gradle.kts

@@ -1,4 +1,4 @@
-rootProject.name = "android-attestation-root"
+rootProject.name = "WARDEN-roboto-root"
 
 pluginManagement {
     repositories {
@@ -11,5 +11,5 @@ pluginManagement {
     }
 }
 
-include("android-attestation")
+include("warden-roboto")
 include("attestation-diag")

android-attestation/build.gradle.kts → warden-roboto/build.gradle.kts

@@ -1,9 +1,11 @@
 import at.asitplus.gradle.bouncycastle
 import at.asitplus.gradle.ktor
 import org.gradle.kotlin.dsl.support.listFilesOrdered
+import org.jetbrains.kotlin.gradle.targets.js.testing.karma.processKarmaStackTrace
 
 group = "at.asitplus"
-version = "1.5.2"
+val artifactVersion= "1.6.0"
+version = artifactVersion
 
 plugins {
     kotlin("jvm")
@@ -15,7 +17,7 @@ plugins {
 
 sourceSets.main {
     java {
-        srcDirs("${project.rootDir}/android-key-attestation/server/src/main/java")
+        srcDirs("${project.rootDir}/android-key-attestation/src/main/java")
         exclude("com/android/example/", "com/google/android/attestation/CertificateRevocationStatus.java")
     }
 }
@@ -31,7 +33,7 @@ sourceSets.test {
     }
     resources {
         srcDirs(
-            rootProject.layout.projectDirectory.dir("android-key-attestation").dir("server").dir("src").dir("test")
+            rootProject.layout.projectDirectory.dir("android-key-attestation").dir("src").dir("test")
                 .dir("resources"),
             "src/test/resources"
         )
@@ -46,10 +48,10 @@ dependencies {
     implementation(ktor("serialization-kotlinx-json"))
     implementation(ktor("client-cio"))
     implementation("com.google.errorprone:error_prone_annotations:2.24.1")
-    api("com.google.guava:guava:33.0.0-jre")
-    implementation("com.google.auto.value:auto-value-annotations:1.10.4")
-    annotationProcessor ("com.google.auto.value:auto-value:1.10.4")
-    api("com.google.protobuf:protobuf-javalite:3.25.1")
+    api("com.google.guava:guava:33.2.1-jre")
+    implementation("com.google.auto.value:auto-value-annotations:1.11.0")
+    annotationProcessor ("com.google.auto.value:auto-value:1.11.0")
+    api("com.google.protobuf:protobuf-javalite:4.27.0")
 
     testImplementation("org.slf4j:slf4j-reload4j:1.7.36")
     testImplementation("io.netty:netty-all:4.1.36.Final")
@@ -69,10 +71,9 @@ tasks.dokkaHtml {
 
     val moduleDesc = File("$rootDir/dokka-tmp.md").also { it.createNewFile() }
     val readme =
-        File("${rootDir}/README.md").readText().replaceFirst("# ", "")
-    val moduleTitle = readme.lines().first()
-    moduleDesc.writeText("# Module $readme")
-    moduleName.set(moduleTitle)
+        File("${rootDir}/README.md").readText()
+    moduleDesc.writeText("# Module ${project.name}\n\n$readme")
+    moduleName.set(project.name)
 
     dokkaSourceSets {
         named("main") {
@@ -108,12 +109,12 @@ publishing {
     publications {
         register("mavenJava", MavenPublication::class) {
             from(components["java"])
-            artifact(sourcesJar.get())
-            artifact(javadocJar.get())
+            if (this.name != "relocation") artifact(sourcesJar.get())
+            if (this.name != "relocation") artifact(javadocJar.get())
             pom {
-                name.set("Android Attestation")
-                description.set("Server-Side Android attestation library")
-                url.set("https://github.com/a-sit-plus/android-attestation")
+                name.set("WARDEN-roboto")
+                description.set("Server-Side Android Attestation Library")
+                url.set("https://github.com/a-sit-plus/warden-roboto")
                 licenses {
                     license {
                         name.set("The Apache License, Version 2.0")
@@ -133,9 +134,26 @@ publishing {
                     }
                 }
                 scm {
-                    connection.set("scm:git:[email protected]:a-sit-plus/android-attestation.git")
-                    developerConnection.set("scm:git:[email protected]:a-sit-plus/android-attestation.git")
-                    url.set("https://github.com/a-sit-plus/android-attestation")
+                    connection.set("scm:git:[email protected]:a-sit-plus/warden-roboto.git")
+                    developerConnection.set("scm:git:[email protected]:a-sit-plus/warden-roboto.git")
+                    url.set("https://github.com/a-sit-plus/warden-roboto")
+                }
+            }
+        }
+        //REMOVE ME AFTER REBRANDED ARTIFACT HAS BEEN PUBLISHED
+        create<MavenPublication>("relocation") {
+            pom {
+                // Old artifact coordinates
+                artifactId = "android-attestation"
+                version = artifactVersion
+
+                distributionManagement {
+                    relocation {
+                        // New artifact coordinates
+                        artifactId = "warden-roboto"
+                        version = artifactVersion
+                        message = "artifactId has been changed"
+                    }
                 }
             }
         }

android-attestation/src/main/kotlin/AndroidAttestationChecker.kt → warden-roboto/src/main/kotlin/AndroidAttestationChecker.kt

@@ -29,6 +29,7 @@ import java.security.PublicKey
 import java.security.cert.CertificateExpiredException
 import java.security.cert.CertificateNotYetValidException
 import java.security.cert.X509Certificate
+import java.time.YearMonth
 import java.util.*
 
 abstract class AndroidAttestationChecker(
@@ -157,10 +158,10 @@ abstract class AndroidAttestationChecker(
     @Throws(AttestationValueException::class)
     protected abstract fun ParsedAttestationRecord.verifyAndroidVersion(
         versionOverride: Int? = null,
-        osPatchLevel: Int?
+        osPatchLevel: PatchLevel?
     )
 
-    protected fun AuthorizationList.verifyAndroidVersion(versionOverride: Int?, patchLevel: Int?) {
+    protected fun AuthorizationList.verifyAndroidVersion(versionOverride: Int?, patchLevel: PatchLevel?) {
         runCatching {
 
             (versionOverride ?: attestationConfiguration.androidVersion)?.let {
@@ -170,8 +171,8 @@ abstract class AndroidAttestationChecker(
                 )
             }
 
-            (patchLevel ?: attestationConfiguration.osPatchLevel)?.let {
-                if ((osPatchLevel().get()) < it) throw AttestationValueException(
+            (patchLevel ?: attestationConfiguration.patchLevel)?.let {
+                if ((osPatchLevel().get()).isBefore(YearMonth.of(it.year, it.month))) throw AttestationValueException(
                     "Patch level not supported",
                     reason = AttestationValueException.Reason.OS_VERSION
                 )
@@ -220,7 +221,7 @@ abstract class AndroidAttestationChecker(
     @Throws(AttestationValueException::class)
     protected fun AuthorizationList.verifyRollbackResistance() {
         if (attestationConfiguration.requireRollbackResistance)
-            if (!rollbackResistant()) throw AttestationValueException(
+            if (!rollbackResistance()) throw AttestationValueException(
                 "No rollback resistance",
                 reason = AttestationValueException.Reason.ROLLBACK_RESISTANCE
             )
@@ -269,7 +270,7 @@ abstract class AndroidAttestationChecker(
             it.entries.firstOrNull { (_, result) -> result.isSuccess } ?: it.values.first().exceptionOrNull()!!
                 .let { throw it }
         }.key
-        parsedAttestationRecord.verifyAndroidVersion(attestedApp.androidVersionOverride, attestedApp.osPatchLevel)
+        parsedAttestationRecord.verifyAndroidVersion(attestedApp.androidVersionOverride, attestedApp.patchLevelOverride)
         return parsedAttestationRecord
     }
 

android-attestation/src/main/kotlin/AndroidAttestationConfiguration.kt → warden-roboto/src/main/kotlin/AndroidAttestationConfiguration.kt

@@ -95,7 +95,7 @@ data class AndroidAttestationConfiguration @JvmOverloads constructor(
      * optional parameter. If set, attestation enforces Security patch level to be greater or equal to this parameter.
      * Can be overridden for individual apps.
      */
-    private val patchLevel: PatchLevel? = null,
+    internal val patchLevel: PatchLevel? = null,
 
     /**
      * Set to `true` if *StrongBox* security level should be required.
@@ -432,7 +432,7 @@ data class AndroidAttestationConfiguration @JvmOverloads constructor(
         /**
          * optional parameter. If set, attestation enforces Security patch level to be greater or equal to this parameter.
          */
-        private val patchLevelOverride: PatchLevel? = null,
+        internal val patchLevelOverride: PatchLevel? = null,
 
         ) {
         init {
@@ -441,7 +441,7 @@ data class AndroidAttestationConfiguration @JvmOverloads constructor(
         }
 
         /**
-         * Internal representation of the patch level as contained in the [com.google.android.attestation.ParsedAttestationRecord]
+         * Internal representation of the patch level as previously contained in the [com.google.android.attestation.ParsedAttestationRecord]
          */
         val osPatchLevel: Int? = patchLevelOverride?.asSingleInt
 

android-attestation/src/main/kotlin/HardwareAttestationChecker.kt → warden-roboto/src/main/kotlin/HardwareAttestationChecker.kt

@@ -55,7 +55,7 @@ class HardwareAttestationChecker @JvmOverloads constructor(
     override val trustAnchors = attestationConfiguration.hardwareAttestationTrustAnchors
 
     @Throws(AttestationValueException::class)
-    override fun ParsedAttestationRecord.verifyAndroidVersion(versionOverride: Int?, osPatchLevel: Int?) =
+    override fun ParsedAttestationRecord.verifyAndroidVersion(versionOverride: Int?, osPatchLevel: PatchLevel?) =
         teeEnforced().verifyAndroidVersion(versionOverride, osPatchLevel)
 
     @Throws(AttestationValueException::class)

android-attestation/src/main/kotlin/NougatHybridAttestationChecker.kt → warden-roboto/src/main/kotlin/NougatHybridAttestationChecker.kt

@@ -46,7 +46,7 @@ class NougatHybridAttestationChecker @JvmOverloads constructor(
     override val trustAnchors = attestationConfiguration.softwareAttestationTrustAnchors
 
     @Throws(AttestationValueException::class)
-    override fun ParsedAttestationRecord.verifyAndroidVersion(versionOverride: Int?, osPatchLevel: Int?) {
+    override fun ParsedAttestationRecord.verifyAndroidVersion(versionOverride: Int?, osPatchLevel: PatchLevel?) {
         //impossible
     }