1. Bern University of Applied Sciences
  2. APC Project
  3. Android Protected Confirmation
  4. Trusted Root Certificates

Trusted Root Certificates

Key attestation allows to verify that the APC keys are generated and backed on hardware.

Verify Hardware-backed APC Keys

Security Key Attestation is a feature introduces in Android 7 (API level 24). Key attestation provides public key certificates that contain detailed descriptions of the keys and their access controls, to ensure that these were generated and are stored and protected in secure hardware.

The trustworthiness of the attestation depends on the root certificate of the chain. The device manufacturer injects the root certificate into the device's hardware-backed keystore at the factory.

In case of the Pixel devices the root certificate should be one of the following Google Hardware Attestation Root certificates:


    Subject: serialNumber=f92009e853b6b045
    • Fingerprint: 71E1696AC4A1470F565F1482255A4612
    • Not Before: May 26 16:28:52 2016 GMT
    • Not After: May 24 16:28:52 2026 GMT
    • Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e8:fa:19:63:14:d2:fa:18
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: serialNumber=f92009e853b6b045
        Validity
            Not Before: May 26 16:28:52 2016 GMT
            Not After : May 24 16:28:52 2026 GMT
        Subject: serialNumber=f92009e853b6b045
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:af:b6:c7:82:2b:b1:a7:01:ec:2b:b4:2e:8b:cc:
                    54:16:63:ab:ef:98:2f:32:c7:7f:75:31:03:0c:97:
                    52:4b:1b:5f:e8:09:fb:c7:2a:a9:45:1f:74:3c:bd:
                    9a:6f:13:35:74:4a:a5:5e:77:f6:b6:ac:35:35:ee:
                    17:c2:5e:63:95:17:dd:9c:92:e6:37:4a:53:cb:fe:
                    25:8f:8f:fb:b6:fd:12:93:78:a2:2a:4c:a9:9c:45:
                    2d:47:a5:9f:32:01:f4:41:97:ca:1c:cd:7e:76:2f:
                    b2:f5:31:51:b6:fe:b2:ff:fd:2b:6f:e4:fe:5b:c6:
                    bd:9e:c3:4b:fe:08:23:9d:aa:fc:eb:8e:b5:a8:ed:
                    2b:3a:cd:9c:5e:3a:77:90:e1:b5:14:42:79:31:59:
                    85:98:11:ad:9e:b2:a9:6b:bd:d7:a5:7c:93:a9:1c:
                    41:fc:cd:27:d6:7f:d6:f6:71:aa:0b:81:52:61:ad:
                    38:4f:a3:79:44:86:46:04:dd:b3:d8:c4:f9:20:a1:
                    9b:16:56:c2:f1:4a:d6:d0:3c:56:ec:06:08:99:04:
                    1c:1e:d1:a5:fe:6d:34:40:b5:56:ba:d1:d0:a1:52:
                    58:9c:53:e5:5d:37:07:62:f0:12:2e:ef:91:86:1b:
                    1b:0e:6c:4c:80:92:74:99:c0:e9:be:c0:b8:3e:3b:
                    c1:f9:3c:72:c0:49:60:4b:bd:2f:13:45:e6:2c:3f:
                    8e:26:db:ec:06:c9:47:66:f3:c1:28:23:9d:4f:43:
                    12:fa:d8:12:38:87:e0:6b:ec:f5:67:58:3b:f8:35:
                    5a:81:fe:ea:ba:f9:9a:83:c8:df:3e:2a:32:2a:fc:
                    67:2b:f1:20:b1:35:15:8b:68:21:ce:af:30:9b:6e:
                    ee:77:f9:88:33:b0:18:da:a1:0e:45:1f:06:a3:74:
                    d5:07:81:f3:59:08:29:66:bb:77:8b:93:08:94:26:
                    98:e7:4e:0b:cd:24:62:8a:01:c2:cc:03:e5:1f:0b:
                    3e:5b:4a:c1:e4:df:9e:af:9f:f6:a4:92:a7:7c:14:
                    83:88:28:85:01:5b:42:2c:e6:7b:80:b8:8c:9b:48:
                    e1:3b:60:7a:b5:45:c7:23:ff:8c:44:f8:f2:d3:68:
                    b9:f6:52:0d:31:14:5e:bf:9e:86:2a:d7:1d:f6:a3:
                    bf:d2:45:09:59:d6:53:74:0d:97:a1:2f:36:8b:13:
                    ef:66:d5:d0:a5:4a:6e:2f:5d:9a:6f:ef:44:68:32:
                    bc:67:84:47:25:86:1f:09:3d:d0:e6:f3:40:5d:a8:
                    96:43:ef:0f:4d:69:b6:42:00:51:fd:b9:30:49:67:
                    3e:36:95:05:80:d3:cd:f4:fb:d0:8b:c5:84:83:95:
                    26:00:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                36:61:E1:00:7C:88:05:09:51:8B:44:6C:47:FF:1A:4C:C9:EA:4F:12
            X509v3 Authority Key Identifier: 
                keyid:36:61:E1:00:7C:88:05:09:51:8B:44:6C:47:FF:1A:4C:C9:EA:4F:12

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:https://android.googleapis.com/attestation/crl/

    Signature Algorithm: sha256WithRSAEncryption
         20:c8:c3:8d:4b:dc:a9:57:1b:46:8c:89:2f:ff:72:aa:c6:f8:
         44:a1:1d:41:a8:f0:73:6c:c3:7d:16:d6:42:6d:8e:7e:94:07:
         04:4c:ea:39:e6:8b:07:c1:3d:bf:15:03:dd:5c:85:bd:af:b2:
         c0:2d:5f:6c:db:4e:fa:81:27:df:8b:04:f1:82:77:0f:c4:e7:
         74:5b:7f:ce:aa:87:12:9a:88:01:ce:8e:9b:c0:cb:96:37:9b:
         4d:26:a8:2d:30:fd:9c:2f:8e:ed:6d:c1:be:2f:84:b6:89:e4:
         d9:14:25:8b:14:4b:ba:e6:24:a1:c7:06:71:13:2e:2f:06:16:
         a8:84:b2:a4:d6:a4:6f:fa:89:b6:02:bf:ba:d8:0c:12:43:71:
         1f:56:eb:60:56:f6:37:c8:a0:14:1c:c5:40:94:26:8b:8c:3c:
         7d:b9:94:b3:5c:0d:cd:6c:b2:ab:c2:da:fe:e2:52:02:3d:2d:
         ea:0c:d6:c3:68:be:a3:e6:41:48:86:f6:b1:e5:8b:5b:d7:c7:
         30:b2:68:c4:e3:c1:fb:64:24:b9:1f:eb:bd:b8:0c:58:6e:2a:
         e8:36:8c:84:d5:d1:09:17:bd:a2:56:17:89:d4:68:73:93:34:
         0e:2e:25:4f:56:0e:f6:4b:23:58:fc:dc:0f:bf:c6:70:09:52:
         e7:08:bf:fc:c6:27:50:0c:1f:66:e8:1e:a1:7c:09:8d:7a:2e:
         9b:18:80:1b:7a:b4:ac:71:58:7d:34:5d:cc:83:09:d5:b6:2a:
         50:42:7a:a6:d0:3d:cb:05:99:6c:96:ba:0c:5d:71:e9:21:62:
         c0:16:ca:84:9f:f3:5f:0d:52:c6:5d:05:60:5a:47:f3:ae:91:
         7a:cd:2d:f9:10:ef:d2:32:66:88:59:6e:f6:9b:3b:f5:fe:31:
         54:f7:ae:b8:80:a0:a7:3c:a0:4d:94:c2:ce:83:17:ee:b4:3d:
         5e:ff:58:83:e3:36:f5:f2:49:da:ac:a4:89:92:37:bf:26:7e:
         5c:43:ab:02:ea:44:16:24:03:72:3b:e6:aa:69:2c:61:bd:ae:
         9e:d4:09:d4:63:c4:c9:7c:64:30:65:77:ee:f2:bc:75:60:b7:
         57:15:cc:9c:7d:c6:7c:86:08:2d:b7:51:a8:9c:30:34:97:62:
         b0:78:23:85:87:5c:f1:a3:c6:16:6e:0a:e3:c1:2d:37:4e:2d:
         4f:18:46:f3:18:74:4b:d8:79:b5:87:32:9b:f0:18:21:7a:6c:
         0c:77:24:1a:48:78:e4:35:c0:30:79:cb:45:12:89:c5:77:62:
         06:06:9a:2f:8d:65:f8:40:e1:44:52:87:be:d8:77:ab:ae:24:
         e2:44:35:16:8d:55:3c:e4
    Subject: serialNumber=f92009e853b6b045
    • Fingerprint: 7B3DED84D2B6216B88A3F422758A4895
    • Not Before: Nov 22 20:37:58 2019 GMT
    • Not After: Nov 18 20:37:58 2034 GMT
    • Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d5:0f:f2:5b:a3:f2:d6:b3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: serialNumber=f92009e853b6b045
        Validity
            Not Before: Nov 22 20:37:58 2019 GMT
            Not After : Nov 18 20:37:58 2034 GMT
        Subject: serialNumber=f92009e853b6b045
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:af:b6:c7:82:2b:b1:a7:01:ec:2b:b4:2e:8b:cc:
                    54:16:63:ab:ef:98:2f:32:c7:7f:75:31:03:0c:97:
                    52:4b:1b:5f:e8:09:fb:c7:2a:a9:45:1f:74:3c:bd:
                    9a:6f:13:35:74:4a:a5:5e:77:f6:b6:ac:35:35:ee:
                    17:c2:5e:63:95:17:dd:9c:92:e6:37:4a:53:cb:fe:
                    25:8f:8f:fb:b6:fd:12:93:78:a2:2a:4c:a9:9c:45:
                    2d:47:a5:9f:32:01:f4:41:97:ca:1c:cd:7e:76:2f:
                    b2:f5:31:51:b6:fe:b2:ff:fd:2b:6f:e4:fe:5b:c6:
                    bd:9e:c3:4b:fe:08:23:9d:aa:fc:eb:8e:b5:a8:ed:
                    2b:3a:cd:9c:5e:3a:77:90:e1:b5:14:42:79:31:59:
                    85:98:11:ad:9e:b2:a9:6b:bd:d7:a5:7c:93:a9:1c:
                    41:fc:cd:27:d6:7f:d6:f6:71:aa:0b:81:52:61:ad:
                    38:4f:a3:79:44:86:46:04:dd:b3:d8:c4:f9:20:a1:
                    9b:16:56:c2:f1:4a:d6:d0:3c:56:ec:06:08:99:04:
                    1c:1e:d1:a5:fe:6d:34:40:b5:56:ba:d1:d0:a1:52:
                    58:9c:53:e5:5d:37:07:62:f0:12:2e:ef:91:86:1b:
                    1b:0e:6c:4c:80:92:74:99:c0:e9:be:c0:b8:3e:3b:
                    c1:f9:3c:72:c0:49:60:4b:bd:2f:13:45:e6:2c:3f:
                    8e:26:db:ec:06:c9:47:66:f3:c1:28:23:9d:4f:43:
                    12:fa:d8:12:38:87:e0:6b:ec:f5:67:58:3b:f8:35:
                    5a:81:fe:ea:ba:f9:9a:83:c8:df:3e:2a:32:2a:fc:
                    67:2b:f1:20:b1:35:15:8b:68:21:ce:af:30:9b:6e:
                    ee:77:f9:88:33:b0:18:da:a1:0e:45:1f:06:a3:74:
                    d5:07:81:f3:59:08:29:66:bb:77:8b:93:08:94:26:
                    98:e7:4e:0b:cd:24:62:8a:01:c2:cc:03:e5:1f:0b:
                    3e:5b:4a:c1:e4:df:9e:af:9f:f6:a4:92:a7:7c:14:
                    83:88:28:85:01:5b:42:2c:e6:7b:80:b8:8c:9b:48:
                    e1:3b:60:7a:b5:45:c7:23:ff:8c:44:f8:f2:d3:68:
                    b9:f6:52:0d:31:14:5e:bf:9e:86:2a:d7:1d:f6:a3:
                    bf:d2:45:09:59:d6:53:74:0d:97:a1:2f:36:8b:13:
                    ef:66:d5:d0:a5:4a:6e:2f:5d:9a:6f:ef:44:68:32:
                    bc:67:84:47:25:86:1f:09:3d:d0:e6:f3:40:5d:a8:
                    96:43:ef:0f:4d:69:b6:42:00:51:fd:b9:30:49:67:
                    3e:36:95:05:80:d3:cd:f4:fb:d0:8b:c5:84:83:95:
                    26:00:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                36:61:E1:00:7C:88:05:09:51:8B:44:6C:47:FF:1A:4C:C9:EA:4F:12
            X509v3 Authority Key Identifier: 
                keyid:36:61:E1:00:7C:88:05:09:51:8B:44:6C:47:FF:1A:4C:C9:EA:4F:12

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign
    Signature Algorithm: sha256WithRSAEncryption
         4e:31:a0:5c:f2:8b:a6:5d:bd:af:a1:ce:d7:09:69:ee:5c:a8:
         41:04:ad:de:d8:a3:06:cf:7f:6d:ee:50:37:5d:74:5e:d9:92:
         cb:02:42:cc:e7:2d:c9:ee:d5:11:91:fe:5a:d5:2b:ad:7d:d3:
         b2:5c:09:9e:13:a4:91:a3:cd:d4:87:a5:ac:ce:87:66:32:4c:
         4a:e4:63:38:24:6a:e7:b7:8a:41:8a:cb:b9:8a:05:c4:c9:d6:
         96:ee:aa:b6:09:d0:ba:0c:e1:a3:1b:e9:84:90:df:3f:4c:0e:
         a9:dd:c9:e8:2f:fb:0f:cb:3e:9e:bd:d8:cb:95:27:89:f2:b1:
         41:1f:ac:56:c8:86:42:6e:b7:29:60:42:73:5d:a5:0e:11:ac:
         71:5f:18:18:cf:9f:dc:4e:25:4a:37:63:35:1b:6a:24:40:15:
         08:61:26:3a:6e:31:0b:e1:a5:0d:e5:c7:e8:ee:88:0f:dd:4b:
         e5:88:4a:37:12:8d:18:83:0b:b3:47:6b:f4:29:1e:82:d5:c6:
         6a:64:94:93:9e:08:48:0b:fb:c0:0f:7d:8a:74:d4:3e:73:73:
         7e:be:5d:8e:4e:c5:15:30:2d:46:89:69:27:80:dc:75:38:ed:
         7e:91:75:be:61:39:e7:4d:43:ad:38:8b:30:50:ff:d5:a9:de:
         52:62:00:08:98:c0:1f:63:c5:3d:fe:22:20:91:08:fa:4f:65:
         ba:16:c4:9c:cb:de:08:37:d7:c5:84:4d:54:b7:39:8b:a0:12:
         2e:50:5b:15:5c:93:13:cf:e2:6e:72:d8:7e:22:aa:16:16:e6:
         bd:bf:54:7d:df:f9:3d:f2:9e:35:a6:3b:45:5f:e1:fc:0e:c9:
         55:81:f3:f4:f7:bb:e3:bb:82:83:96:a3:7a:e3:15:75:82:bc:
         37:64:b9:78:0a:23:9e:fc:0f:75:a1:e2:e6:d9:41:ce:ab:ac:
         27:dd:eb:01:e2:bd:84:21:02:9b:ea:34:d5:1a:ee:6c:60:27:
         1d:5a:95:eb:d0:05:15:a9:c0:01:3d:d8:0b:f8:7e:ea:26:0b:
         81:c3:4f:68:8e:6e:b1:34:8a:f0:d8:ea:1c:ac:32:ac:b9:d9:
         3f:a2:4a:ff:03:0a:84:c8:f2:b0:f5:69:cc:95:08:0b:20:ac:
         35:ac:e0:c6:d8:db:d4:f6:84:77:19:51:9d:32:45:01:66:eb:
         4b:f1:5b:85:90:44:50:1a:de:af:43:63:82:c3:4b:15:e3:b5:
         4c:92:e6:1b:69:c2:bf:c7:26:45:89:17:2b:3c:93:db:e3:5c:
         e0:6d:08:fd:5c:01:32:2c:a0:87:7b:1d:12:74:3a:f1:fa:d5:
         94:0e:a1:bc:02:dd:89:1c
APC Links
Trusted Envrionments
Trusted Execution Environment (TEE)
Attestation
Project References
About BFH