drop disabled attest key downgrade support
thestinger committed May 14, 2023
1 parent 228d629 commit bd657b1
Showing 1 changed file with 8 additions and 29 deletions.
37 changes: 8 additions & 29 deletions app/src/main/java/app/attestation/auditor/AttestationProtocol.java
@@ -122,7 +122,6 @@ class AttestationProtocol {

private static final boolean PREFER_STRONGBOX = true;
private static final boolean USE_ATTEST_KEY = true;
private static final boolean ALLOW_ATTEST_KEY_DOWNGRADE = false;

// Challenge message:
//
@@ -1054,27 +1053,20 @@ private static VerificationResult verify(final Context context, final byte[] fin
boolean attestKeyMigration = false;
if (hasPersistentKey) {
final int chainOffset;
final int pinOffset;
if (attestationCertificates.length != preferences.getInt(KEY_PINNED_CERTIFICATE_LENGTH, 0)) {
if (attestationCertificates.length == 5 && preferences.getInt(KEY_PINNED_CERTIFICATE_LENGTH, 0) == 4) {
// backwards compatible use of attest key without the security benefits for
// forward compatibility with remote provisioning
chainOffset = 1;
pinOffset = 0;
attestKeyMigration = true;
} else if (ALLOW_ATTEST_KEY_DOWNGRADE && attestationCertificates.length == 4 && preferences.getInt(KEY_PINNED_CERTIFICATE_LENGTH, 0) == 5) {
// temporarily work around attest key breakage by allowing not using it
chainOffset = 0;
pinOffset = 1;
} else {
throw new GeneralSecurityException("certificate chain length mismatch");
}
} else {
chainOffset = 0;
pinOffset = 0;
}
for (int i = 1 + chainOffset; i < attestationCertificates.length; i++) {
final byte[] b = BaseEncoding.base64().decode(preferences.getString(KEY_PINNED_CERTIFICATE + (i - chainOffset + pinOffset), ""));
final byte[] b = BaseEncoding.base64().decode(preferences.getString(KEY_PINNED_CERTIFICATE + (i - chainOffset), ""));
if (!Arrays.equals(attestationCertificates[i].getEncoded(), b)) {
throw new GeneralSecurityException("certificate chain mismatch");
}
@@ -1427,7 +1419,7 @@ static AttestationResult generateSerialized(final Context context, final byte[]
@SuppressLint("InlinedApi")
final boolean canUseAttestKey = (alwaysHasAttestKey || pm.hasSystemFeature(PackageManager.FEATURE_KEYSTORE_APP_ATTEST_KEY))
&& USE_ATTEST_KEY;
boolean useAttestKey;
final boolean useAttestKey;
if (hasPersistentKey) {
final String freshKeyStoreAlias = statePrefix + KEYSTORE_ALIAS_FRESH;
keyStore.deleteEntry(freshKeyStoreAlias);
@@ -1466,26 +1458,13 @@ static AttestationResult generateSerialized(final Context context, final byte[]
}
}

try {
final KeyGenParameterSpec.Builder builder = getKeyBuilder(attestationKeystoreAlias,
KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY, useStrongBox, challenge,
hasPersistentKey);
if (useAttestKey) {
setAttestKeyAlias(builder, attestKeystoreAlias);
}
generateKeyPair(builder.build());
} catch (final IOException e) {
// try without using attest key when already paired due to Pixel 6 / Pixel 6 Pro / Pixel 6a upgrade bug
if (hasPersistentKey) {
useAttestKey = false;
final KeyGenParameterSpec.Builder builder = getKeyBuilder(attestationKeystoreAlias,
KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY, useStrongBox, challenge,
hasPersistentKey);
generateKeyPair(builder.build());
} else {
throw e;
}
final KeyGenParameterSpec.Builder builder = getKeyBuilder(attestationKeystoreAlias,
KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY, useStrongBox, challenge,
hasPersistentKey);
if (useAttestKey) {
setAttestKeyAlias(builder, attestKeystoreAlias);
}
generateKeyPair(builder.build());

try {
final byte[] fingerprint =
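Review bot: In verify(), the `else` that throws "certificate chain length mismatch" has no comment saying that a pinned chain of 5 shrinking to 4 is rejected on purpose. Something like `// a pinned 5-certificate chain is never accepted at length 4: that would drop the pinned attest key certificate` would keep a later compatibility workaround from quietly reintroducing the downgrade. In the remaining 4-to-5 branch the comparison loop starts at `1 + chainOffset`, so the certificate at index 1 of the longer chain is not checked against any pinned value in the visible lines. `attestKeyMigration` presumably leads to it being pinned afterwards, but that code is outside the hunk and worth confirming. As a smaller style point, `preferences.getInt(KEY_PINNED_CERTIFICATE_LENGTH, 0)` is read twice in the length check and could be read once into a `final int pinnedLength`; verify() itself begins and ends outside this hunk.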
