Gamesmes90/Keybox-Generator

Keybox generator

This is a simple set of scripts to generate a keybox file for Android key attestation. Keyboxes generated with these scripts CANNOT PASS STRONG INTEGRITY (Play Integrity's highest device verdict): an attestation chain is only trusted if it ends in a root the verifier already trusts, and a root you generate yourself is not in that set. The only way around this is to hold the private key of the real root certificate, or of a genuine CA certificate further down the chain, and sign with it.

Requirements

  • Python 3
  • OpenSSL

Usage

  1. Generate the certificate chains:
python generate_cert_chains.py
  2. Generate the keybox:
python generate_keybox.py -a -t

This will generate a keybox.xml file in the working directory.

For more options, run the scripts with the -h flag.

To verify the generated keybox, you can use this checker.

Notes

There is a wizard for a more user-friendly experience, run it with:

python wizard.py

The scripts folder contains scripts used to develop the keybox generator.

This is all experimental.

Details

Certificate chains generation

generate_cert_chains.py generates two certificate chains (one RSA, one ECDSA), each made of four certificates and starting from an RSA root certificate (either generated by the script or supplied by you).

The variable SUBJECTS holds a list of subjects for the certificates, either generated or specified by you.

Pass this list with the -s option. If you leave the list empty, the script generates random subjects; these are kept consistent with the rest of the chain.

By default the script takes the subject fields from the default OpenSSL configuration and uses the same subject for every certificate.

You can change these fields too, by editing the DETAILS variable.

The certs folder contains all generated certificates.

The certificate chains and the end-entity private keys are copied into the working directory for the next script.

Check this page for more information about certificate chains.

Chain scheme
Root CA (self-signed) (ideally Google's) (RSA) (ECDSA optional)
|_ OEM CA (RSA and ECDSA, signed by Root CA)
   |_ Model CA (RSA and ECDSA, signed by OEM CA)
      |_ End-entity (optional) (RSA and ECDSA, signed by Model CA) (the certificate subject here can be anything)

If you want to generate the root certificate using a specific private key, you can put it into the certs folder and name it rootCA.key. You can also put a corresponding root certificate named rootCA.pem in the same folder.

The same goes for the other certificates down the chain.

The filenames are
  • rootCA.key and rootCA.pem for the root certificate
    • rootCA_ecdsa.key and rootCA_ecdsa.pem for the ECDSA root certificate (optional)
  • [type]_oem_CA.key and [type]_oem_CA.pem for the OEM certificate
  • [type]_model_CA.key and [type]_model_CA.pem for the model certificate
  • [type]_end.key and [type]_end.pem for the end-entity certificate

Where [type] is either RSA or ECDSA.
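The chain scheme above, built with the OpenSSL CLI from Python, as an added example that is not generate_cert_chains.py itself. The subject names, key sizes, validity periods and the function names (build_chain, verify_chain) are this example's own choices, not the project's. It also runs the check behind the "cannot pass strong integrity" caveat: the chain verifies against the root it was issued from and fails against any other root, which is what a verifier that only trusts Google's root does with a self-generated chain.

```python
import os
import subprocess
import tempfile

# Constructed subjects for this example; a real OEM chain carries the OEM's own names.
SUBJECTS = {
    "root":     "/O=Example Inc/CN=Example Attestation Root",
    "oem_CA":   "/O=Example OEM/CN=Example OEM CA",
    "model_CA": "/O=Example OEM/CN=Example Model CA",
    "end":      "/O=Example OEM/CN=Android Keystore Key",
}

# Extension files fed to `openssl x509 -req -extfile`. The root and the two
# intermediates must be CAs and the end-entity certificate must not be, or
# `openssl verify` (and any other X.509 path validator) rejects the chain.
CA_EXT = "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n"
END_EXT = "basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n"


def openssl(*args):
    """Run one openssl subcommand, raising on a non-zero exit; return its stdout."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def gen_key(path, kind):
    """Write an RSA-2048 or an ECDSA P-256 private key (PEM) to `path`."""
    if kind == "RSA":
        openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", path)
    elif kind == "ECDSA":
        openssl("genpkey", "-algorithm", "EC", "-pkeyopt", "ec_paramgen_curve:P-256", "-out", path)
    else:
        raise ValueError(f"unknown key type {kind!r}")


def build_chain(workdir, kind="RSA"):
    """Create rootCA -> [kind]_oem_CA -> [kind]_model_CA -> [kind]_end in `workdir`.

    File names follow the convention listed above. An existing rootCA.key/rootCA.pem
    pair in `workdir` is reused, like the script's drop-in root option.
    Returns {"root": root cert path, "chain": [end, model_CA, oem_CA] cert paths}.
    """
    os.makedirs(workdir, exist_ok=True)

    def path(name):
        return os.path.join(workdir, name)

    for name, body in (("ca.ext", CA_EXT), ("end.ext", END_EXT)):
        with open(path(name), "w") as f:
            f.write(body)

    root_key, root_cert = path("rootCA.key"), path("rootCA.pem")
    if not (os.path.exists(root_key) and os.path.exists(root_cert)):
        gen_key(root_key, "RSA")  # the root is RSA in both chains, as in the scheme above
        openssl("req", "-new", "-key", root_key, "-subj", SUBJECTS["root"], "-out", path("rootCA.csr"))
        openssl("x509", "-req", "-in", path("rootCA.csr"), "-signkey", root_key, "-days", "3650",
                "-sha256", "-extfile", path("ca.ext"), "-out", root_cert)

    issuer_key, issuer_cert = root_key, root_cert
    for name, ext in (("oem_CA", "ca.ext"), ("model_CA", "ca.ext"), ("end", "end.ext")):
        key, csr, cert = (path(f"{kind}_{name}.{suffix}") for suffix in ("key", "csr", "pem"))
        gen_key(key, kind)
        openssl("req", "-new", "-key", key, "-subj", SUBJECTS[name], "-out", csr)
        openssl("x509", "-req", "-in", csr, "-CA", issuer_cert, "-CAkey", issuer_key, "-CAcreateserial",
                "-days", "1825", "-sha256", "-extfile", path(ext), "-out", cert)
        issuer_key, issuer_cert = key, cert  # each certificate signs the next one down

    return {"root": root_cert,
            "chain": [path(f"{kind}_{n}.pem") for n in ("end", "model_CA", "oem_CA")]}


def verify_chain(root_cert, chain):
    """True iff the end-entity certificate chains up to `root_cert`.

    This is the check a relying party makes against *its* trust anchor: a chain
    built here passes only when the verifier trusts the root it was issued from.
    """
    leaf, *intermediates = chain
    args = ["openssl", "verify", "-CAfile", root_cert]
    for cert in intermediates:
        args += ["-untrusted", cert]
    result = subprocess.run([*args, leaf], capture_output=True, text=True)
    return result.returncode == 0


if __name__ == "__main__":
    chain_a = build_chain(tempfile.mkdtemp(), "RSA")
    chain_b = build_chain(tempfile.mkdtemp(), "ECDSA")
    print("chain A against its own root:", verify_chain(chain_a["root"], chain_a["chain"]))  # True
    print("chain A against another root:", verify_chain(chain_b["root"], chain_a["chain"]))  # False
```

Drop a real rootCA.key/rootCA.pem pair into workdir before calling build_chain to reproduce the script's supplied-root mode. The CLI flags used assume OpenSSL 1.1.1 or newer.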

Keybox.xml generation

generate_keybox.py generates a keybox file from the certificate chains and end-entity private keys produced by the previous script.

If no input files are specified, the script generates an empty keybox.

There is an auto mode (-a) that automatically detects the necessary files in the working directory.

You can generate a pretty-printed keybox with the -t option.

The resulting keybox.xml carries the end-entity private keys in clear text, so treat it as a secret.

Check TrickyStore for more information about keyboxes.

Check this page of the android documentation for more information about key attestation.
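As an added example (not the project's generate_keybox.py), the keybox.xml layout that generate_keybox.py has to produce, assembled with the Python standard library and then checked for internal consistency. The element names follow the layout of publicly circulated keybox files as I understand it and are an assumption, as are the DeviceID value, the placeholder PEM blocks (constructed, not real key material) and the function names.

```python
import xml.etree.ElementTree as ET


def placeholder_pem(label, note):
    """Constructed PEM-shaped stand-in; only the BEGIN/END framing is meaningful."""
    return f"-----BEGIN {label}-----\n({note}: constructed placeholder, not real key material)\n-----END {label}-----"


# Constructed input standing in for the files generate_cert_chains.py leaves in the
# working directory: one end-entity key and a leaf-to-root chain per algorithm.
SAMPLE_KEYS = {
    "ecdsa": {
        "private_key": placeholder_pem("EC PRIVATE KEY", "ECDSA_end.key"),
        "chain": [placeholder_pem("CERTIFICATE", n)
                  for n in ("ECDSA_end.pem", "ECDSA_model_CA.pem", "ECDSA_oem_CA.pem", "rootCA.pem")],
    },
    "rsa": {
        "private_key": placeholder_pem("RSA PRIVATE KEY", "RSA_end.key"),
        "chain": [placeholder_pem("CERTIFICATE", n)
                  for n in ("RSA_end.pem", "RSA_model_CA.pem", "RSA_oem_CA.pem", "rootCA.pem")],
    },
}

# PEM labels accepted in the PrivateKey element of each algorithm (PKCS#1/SEC1 or PKCS#8).
PRIVATE_KEY_LABELS = {
    "rsa": ("RSA PRIVATE KEY", "PRIVATE KEY"),
    "ecdsa": ("EC PRIVATE KEY", "PRIVATE KEY"),
}


def build_keybox(device_id, keys, pretty=False):
    """Serialize `keys` ({"rsa"|"ecdsa": {"private_key": pem, "chain": [leaf, ..., root]}})
    into the keybox.xml layout (assumed here from circulated keybox files). An empty
    `keys` dict yields an empty keybox, like generate_keybox.py without inputs."""
    root = ET.Element("AndroidAttestation")
    ET.SubElement(root, "NumberOfKeyboxes").text = "1"
    keybox = ET.SubElement(root, "Keybox", DeviceID=device_id)
    for algorithm, material in keys.items():
        key = ET.SubElement(keybox, "Key", algorithm=algorithm)
        ET.SubElement(key, "PrivateKey", format="pem").text = "\n" + material["private_key"] + "\n"
        chain = ET.SubElement(key, "CertificateChain")
        ET.SubElement(chain, "NumberOfCertificates").text = str(len(material["chain"]))
        for cert in material["chain"]:
            ET.SubElement(chain, "Certificate", format="pem").text = "\n" + cert + "\n"
    if pretty:
        ET.indent(root)  # Python 3.9+; the -t option of generate_keybox.py does the same job
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


def pem_framed(text, labels):
    """True if `text` is one PEM block whose BEGIN/END label is in `labels`."""
    text = (text or "").strip()
    return any(text.startswith(f"-----BEGIN {label}-----") and text.endswith(f"-----END {label}-----")
               for label in labels)


def check_keybox(xml_text):
    """Structural checks on a keybox.xml: returns a list of problems (empty means consistent).

    Catches the mismatches a hand-edited or truncated keybox typically has; it does not
    validate signatures or that the chain reaches a trusted root."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "AndroidAttestation":
        return [f"unexpected root element {root.tag!r}"]
    keyboxes = root.findall("Keybox")
    if root.findtext("NumberOfKeyboxes") != str(len(keyboxes)):
        problems.append(f"NumberOfKeyboxes={root.findtext('NumberOfKeyboxes')!r} but {len(keyboxes)} Keybox element(s)")
    for keybox in keyboxes:
        if not keybox.get("DeviceID"):
            problems.append("Keybox without a DeviceID attribute")
        for key in keybox.findall("Key"):
            algorithm = key.get("algorithm")
            if algorithm not in PRIVATE_KEY_LABELS:
                problems.append(f"unknown Key algorithm {algorithm!r}")
                continue
            if not pem_framed(key.findtext("PrivateKey"), PRIVATE_KEY_LABELS[algorithm]):
                problems.append(f"{algorithm}: PrivateKey is not a PEM private key")
            chain = key.find("CertificateChain")
            certs = chain.findall("Certificate") if chain is not None else []
            declared = chain.findtext("NumberOfCertificates") if chain is not None else None
            if declared != str(len(certs)):
                problems.append(f"{algorithm}: NumberOfCertificates={declared!r} but {len(certs)} Certificate element(s)")
            for index, cert in enumerate(certs):
                if not pem_framed(cert.text, ("CERTIFICATE",)):
                    problems.append(f"{algorithm}: certificate {index} is not a PEM certificate")
    return problems


if __name__ == "__main__":
    xml_text = build_keybox("0123456789abcdef", SAMPLE_KEYS, pretty=True)  # DeviceID is a constructed value
    print(xml_text)
    print("problems:", check_keybox(xml_text))  # []
    truncated = xml_text.replace("<NumberOfCertificates>4</NumberOfCertificates>",
                                 "<NumberOfCertificates>3</NumberOfCertificates>", 1)
    print("problems:", check_keybox(truncated))  # one NumberOfCertificates mismatch
```

The check is structural only: it says nothing about whether the chain verifies or which root it ends in, which is what decides the integrity verdict. A keybox.xml built from real files holds the private keys in clear text, so handle the output accordingly.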
