Tags: java, android, google-api, android-keystore, certificate-revocation

How to check the Certificate Revocation Lists (CRL) of Android's KeyStore?


I want to use Android's hardware KeyStore feature, so I used a Pixel3 phone to get the certificate chain of the KeyStore object, as seen in this article.

Looking at one specific .cer file for example, the CRL Distribution Point is https://android.googleapis.com/attestation/crl/8F6734C9FA504789.

Opening this link in the browser gives a 404 error. Even calling just https://android.googleapis.com produces the same 404 error.

I tried using the Google's OAuth2 Playground to properly authenticate, but even the request from there returns a 404 error.

In addition, when verifying the certificate chain in Java with the PKIXParameters class, it throws a CertPathValidationException saying "Could not determine revocation status". But when disabling the revocation check with pkix_parameters.setRevocationEnabled(false), the validation of the chain is successful.

I also wouldn't expect it to be an API authentication problem, as the page returns 404, not "Invalid Project ID" as it does on other endpoints.

My question is mostly what am I missing, and why am I only getting 404s when trying to get the CRL distribution point?


Solution

  • Apparently some devices' attestation certificates just don't have valid CRL distribution points. I have tested this with the attestation certificates of different Pixel 3 devices, and also tested some of the devices from GrapheneOS/AttestationSamples.

    Here is a list of devices whose intermediate attestation certificates don't have valid CRL Distribution Points.

    +-----------+----------------+
    |   Vendor  |   Model        |
    +-----------+----------------+
    |   samsung |   SM-M205F     |
    |   Xiaomi  |   MI 9         |
    |   Xiaomi  |   POCOPHONE F1 |
    |   OnePlus |   GM1913       |
    |   Google  |   Pixel 3a XL  |
    |   Google  |   Pixel 3a     |
    |   Google  |   Pixel 3      |
    |   Google  |   Pixel 3 XL   |
    |   HUAWEI  |   AUM-L29      |
    +-----------+----------------+
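Practical consequence of the above, as an added worked example that is not part of the question or the answer: since the CRL Distribution Point URLs in these chains cannot be fetched, the revocation check has to be done out of band. Google publishes the revocation status of attestation certificates as a JSON document at https://android.googleapis.com/attestation/status (keyed by certificate serial number as lowercase hex, with a "status" such as REVOKED or SUSPENDED), not as an X.509 CRL. The program below prints the CRL DP URIs found in each certificate (so you can see what the validator would have tried to fetch), validates the chain against a pinned root with PKIX revocation disabled, and then looks each serial up in a status list. Assumptions: the chain and the trusted root are given as PEM/DER file paths on the command line; the status JSON may be supplied as an optional third file (downloaded separately from the URL above), otherwise a constructed sample in the documented format is used; the DER walker handles only single-byte tags, which is all the CRL DP extension uses.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AttestationChainCheck {

    // Google publishes revocation status as JSON here, not at the CRL DP URL inside the certificates.
    static final String STATUS_URL = "https://android.googleapis.com/attestation/status";

    // Constructed sample in the documented format (serial hex -> status); not real data.
    static final String SAMPLE_STATUS_JSON =
        "{\"entries\":{\"2c8cdddfdfe5c9ab\":{\"status\":\"REVOKED\",\"reason\":\"KEY_COMPROMISE\"},"
      + "\"c8966fcb2fbb0d7a\":{\"status\":\"SUSPENDED\",\"reason\":\"SOFTWARE_FLAW\"}}}";

    /** Loads a PEM or DER file holding the chain (leaf first; root last or omitted). */
    static List<X509Certificate> loadChain(Path file) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        return chain;
    }

    /** Walks DER and collects every GeneralName of type uniformResourceIdentifier ([6], tag 0x86).
     *  Handles short- and long-form lengths and single-byte tags (assumption: enough for this extension). */
    static void collectUris(byte[] buf, int start, int end, List<String> uris) {
        int i = start;
        while (i < end) {
            int tag = buf[i++] & 0xFF;
            int len = buf[i++] & 0xFF;
            if (len >= 0x80) {                       // long-form length: next (len & 0x7F) bytes hold it
                int n = len & 0x7F;
                len = 0;
                for (int k = 0; k < n; k++) len = (len << 8) | (buf[i++] & 0xFF);
            }
            if (tag == 0x86) {
                uris.add(new String(buf, i, len, StandardCharsets.US_ASCII));
            } else if ((tag & 0x20) != 0 || tag == 0x04) {
                // constructed node (SEQUENCE, [0] distributionPoint, [0] fullName) or the OCTET STRING wrapper
                collectUris(buf, i, i + len, uris);
            }
            i += len;
        }
    }

    /** URIs from the CRL Distribution Points extension (OID 2.5.29.31); empty if the extension is absent. */
    static List<String> crlDistributionPoints(X509Certificate cert) {
        List<String> uris = new ArrayList<>();
        byte[] ext = cert.getExtensionValue("2.5.29.31");
        if (ext != null) collectUris(ext, 0, ext.length, uris);
        return uris;
    }

    /** PKIX path validation anchored at a pinned root, with CRL/OCSP fetching disabled. */
    static PKIXCertPathValidatorResult validateChain(List<X509Certificate> chain, X509Certificate root)
            throws GeneralSecurityException {
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) if (!c.equals(root)) path.add(c); // the anchor is not a path element
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(Set.of(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false);          // the embedded CRL DP URLs are not fetchable
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }

    /** Serials (lowercase hex, as the status list keys them) that appear in the status JSON, with their status.
     *  A regex is enough for this flat format; use a real JSON parser in production code. */
    static Map<String, String> listedSerials(List<X509Certificate> chain, String statusJson) {
        Map<String, String> hits = new LinkedHashMap<>();
        for (X509Certificate c : chain) {
            String serial = c.getSerialNumber().toString(16);
            Matcher m = Pattern.compile("\"" + serial + "\"\\s*:\\s*\\{[^}]*\"status\"\\s*:\\s*\"([A-Z_]+)\"")
                               .matcher(statusJson);
            if (m.find()) hits.put(serial, m.group(1));
        }
        return hits;
    }

    // Usage: java AttestationChainCheck chain.pem root.pem [status.json]
    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = loadChain(Path.of(args[0]));
        X509Certificate root = loadChain(Path.of(args[1])).get(0);
        for (X509Certificate c : chain)
            System.out.println(c.getSubjectX500Principal() + " CRL DPs: " + crlDistributionPoints(c));
        validateChain(chain, root);                  // throws CertPathValidatorException on failure
        String status = args.length > 2 ? Files.readString(Path.of(args[2])) : SAMPLE_STATUS_JSON;
        Map<String, String> listed = listedSerials(chain, status);
        if (!listed.isEmpty()) throw new CertificateException("certificate(s) on status list: " + listed);
        System.out.println("chain valid and no serial is on the attestation status list (" + STATUS_URL + ")");
    }
}
```

Two things this deliberately does not do: it does not trust the chain just because it validates (pin the root's public key to the Google attestation root you obtained out of band, rather than whatever root ships in the chain file), and it treats any entry in the status list, REVOKED or SUSPENDED, as a reason to reject, since a suspended key is not attestable until Google clears it.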