From 6a0e6c220b9a53ce08644a7b325d2ed918d635e4 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 13 May 2023 23:42:12 -0400
Subject: [PATCH] enforce attest key for new pairings when supported

---
 .../java/app/attestation/auditor/AttestationProtocol.java    | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
index c5aa26c0..10056e72 100644
--- a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
+++ b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
@@ -876,6 +876,11 @@ private static Verified verifyStateless(final Certificate[] certificates,
             attestKey = true;
         } catch (final Attestation.KeyDescriptionMissingException e) {}
 
+        // enforce attest key for new pairings with devices supporting it
+        if (!hasPersistentKey && attestationVersion >= 100 && !attestKey) {
+            throw new GeneralSecurityException("missing per-pairing attest key for device supporting it");
+        }
+
         for (int i = 2; i < certificates.length; i++) {
             try {
                 new Attestation((X509Certificate) certificates[i]);