Reputation: 11
I'm trying to verify a hardware-backed key using guidelines from https://developer.android.com/training/articles/security-key-attestation.html.
The key (ECDSA) is generated in the AndroidKeystore correctly, and KeyInfo provides the correct information for emulators:
Starting check for secure element
Generated an ECDSA key with 256 bits
Keyname: d512e563-92ea-4bfa-9e35-3043e5c55ae0
Key Imported?: Generated
Keysize: 256
UserAuth Required?: true
**In Secure HW?: false**
Finished check for secure element
and when I attempt to get the certificate chain, I get this:
Found required key: d512e563-92ea-4bfa-9e35-3043e5c55ae0
Number of certificates in chain: 1
SubjectDN: CN=fake
Serial Number: 1
Issuer: CN=fake
Valid from: Wed Dec 31 16:00:00 PST 1969
Valid Until: Tue Dec 31 16:00:00 PST 2047
-----BEGIN CERTIFICATE-----
MIHFMIGxoAMCAQICAQEwCgYIKoZIzj0EAwIwDzENMAsGA1UEAxMEZmFrZTAeFw03
MDAxMDEwMDAwMDBaFw00ODAxMDEwMDAwMDBaMA8xDTALBgNVBAMTBGZha2UwWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAATZ/2iTrpOa35IAnhCiNU+UTfPukTMgvvdO
gJyjQyDcu4+KjuJdesiqnw8bT1kmh4KO085Ri3ZFYKSloSU6GT1oMAoGCCqGSM49
BAMCAwMAMAA=
-----END CERTIFICATE-----
However, for real phones with a secure element, I get this:
Starting check for secure element
Generated an ECDSA key with 256 bits
Keyname: f416a3b1-a8a7-4aeb-b1d4-14a5cf459506
Key Imported?: Generated
Keysize: 256
UserAuth Required?: true
**In Secure HW?: true**
Finished check for secure element
and when I attempt to get the certificate chain, I get this:
Found required key: f416a3b1-a8a7-4aeb-b1d4-14a5cf459506
Number of certificates in chain: 1
SubjectDN: CN=fake
Serial Number: 1
Issuer: CN=fake
Valid from: Wed Dec 31 16:00:00 PST 1969
Valid Until: Tue Dec 31 16:00:00 PST 2047
-----BEGIN CERTIFICATE-----
MIHFMIGxoAMCAQICAQEwCgYIKoZIzj0EAwIwDzENMAsGA1UEAxMEZmFrZTAeFw03
MDAxMDEwMDAwMDBaFw00ODAxMDEwMDAwMDBaMA8xDTALBgNVBAMTBGZha2UwWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAAQAwtqkhgodfwFGEOyEKEJSP2u+hdpLlZ1B
OIGFUeiZ0dZOHLvg6D4ivJ/j7xe0AvNp+TdnOdTtx7zKSAnfxD6bMAoGCCqGSM49
BAMCAwMAMAA=
-----END CERTIFICATE-----
I cannot seem to get the actual certificate chain no matter what emulator or real phone device I use.
The example on GitHub for certificate chain verification assumes you already acquired the chain correctly and are using those certificates for validation; but I don't see any example of what code one must have to get the chain correctly. Here is what I have in my code:
```java
// Needs: java.security.KeyStore, java.security.KeyStoreException, java.security.NoSuchAlgorithmException,
// java.security.UnrecoverableEntryException, java.security.cert.Certificate,
// java.security.cert.CertificateException, java.io.IOException, java.util.Enumeration, android.util.Log.
// KEYSTORE_PROVIDER ("AndroidKeyStore"), keyalias and getCertChain(Certificate[]) are defined elsewhere in the class.
StringBuilder sb = new StringBuilder("Certificate chain of key in AndroidKeystore:\n\n");
try {
    KeyStore keystore = KeyStore.getInstance(KEYSTORE_PROVIDER);
    keystore.load(null);
    Enumeration<String> keys = keystore.aliases();
    while (keys.hasMoreElements()) {
        String s = keys.nextElement();
        Log.i("info", "KeyAlias: " + s);
        // Only look up the alias we are actually interested in.
        if (!s.equals(keyalias)) {
            continue;
        }
        KeyStore.Entry entry = keystore.getEntry(keyalias, null);
        if (entry instanceof KeyStore.PrivateKeyEntry) {
            Log.i("info", "Found required key: " + keyalias);
            Certificate[] certchain = ((KeyStore.PrivateKeyEntry) entry).getCertificateChain();
            Log.i("info", "Number of certificates in chain: " + certchain.length);
            return sb.append(getCertChain(certchain)).toString();
        }
    }
    Log.w("error", "Key not found: " + keyalias);
    sb.append(getResources().getString(R.string.key_not_found));
} catch (KeyStoreException | NoSuchAlgorithmException | IOException
        | UnrecoverableEntryException | CertificateException e) {
    Log.e("error", "Unable to read certificate chain", e);
}
return sb.toString();
```
(Please excuse formatting errors).
All devices are running API 24 or greater. What am I missing in trying to get the actual certificate chain for attestation? TIA.
Upvotes: 1
Views: 1368
Reputation: 1203
When you created your keypair, did you call setAttestationChallenge()? If not, it will just generate your self-signed certificate.
Upvotes: 2
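The point of the answer, shown as an added Java example (not code from the question, the answer, or the linked Android guide): the chain returned by `getCertificateChain()` is only an attestation chain when the key was generated with `setAttestationChallenge()`; otherwise the Keystore hands back the single self-signed `CN=fake` certificate seen in the question. The class name, the `alias` and `challenge` parameters, and the `looksLikeAttestationChain` helper are assumptions made for this example. The challenge is meant to be a nonce issued by the server that will later verify the chain; the `SecureRandom` value in `main`-style usage below stands in for it only to keep the example self-contained.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;

public final class AttestedKeyExample {
    private static final String KEYSTORE_PROVIDER = "AndroidKeyStore";
    // OID of the Android key attestation extension carried in the leaf certificate.
    private static final String KEY_ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.17";

    /**
     * Generates an EC P-256 signing key in the AndroidKeyStore and returns its certificate chain.
     * Because the builder sets an attestation challenge, the chain is the device's attestation
     * chain (leaf with the attestation extension, intermediates, and a root) rather than a lone
     * self-signed certificate.
     */
    public static Certificate[] generateAttestedKey(String alias, byte[] challenge) throws Exception {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                // Matches the question's key; requires a secure lock screen to be configured.
                .setUserAuthenticationRequired(true)
                // This is the call the answer refers to. Without it the Keystore emits only the
                // self-signed "CN=fake" certificate and no attestation record.
                .setAttestationChallenge(challenge)
                .build();

        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, KEYSTORE_PROVIDER);
        kpg.initialize(spec);
        kpg.generateKeyPair();

        KeyStore keystore = KeyStore.getInstance(KEYSTORE_PROVIDER);
        keystore.load(null);
        return keystore.getCertificateChain(alias);
    }

    /**
     * Client-side sanity check before shipping the chain to the server: an attestation chain
     * has more than one certificate and its leaf carries the attestation extension.
     * Actual trust decisions (root pinning, challenge match, security level) belong on the server,
     * as described in the guide linked in the question.
     */
    public static boolean looksLikeAttestationChain(Certificate[] chain) {
        if (chain == null || chain.length < 2) {
            return false; // a single self-signed certificate is what you get without a challenge
        }
        if (!(chain[0] instanceof X509Certificate)) {
            return false;
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        return leaf.getExtensionValue(KEY_ATTESTATION_OID) != null;
    }

    /** Example usage; a real app would obtain the challenge from its server. */
    public static boolean demo(String alias) throws Exception {
        byte[] challenge = new byte[32]; // placeholder nonce for this example only
        new SecureRandom().nextBytes(challenge);
        Certificate[] chain = generateAttestedKey(alias, challenge);
        return looksLikeAttestationChain(chain);
    }
}
```

On an emulator without a hardware Keystore the chain may still be a software attestation or absent entirely, so `looksLikeAttestationChain` returning false there is expected; on a device with a secure element it should return true once the challenge is set.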