diff --git a/src/main/java/app/attestation/server/AttestationProtocol.java b/src/main/java/app/attestation/server/AttestationProtocol.java index 12b209cb..245b0c70 100644 --- a/src/main/java/app/attestation/server/AttestationProtocol.java +++ b/src/main/java/app/attestation/server/AttestationProtocol.java @@ -1285,9 +1285,17 @@ private static void verify(final byte[] fingerprint, int pinnedSecurityLevel = 1; if (hasPersistentKey) { final SQLiteStatement st = conn.prepare(""" - SELECT pinnedCertificates, pinnedVerifiedBootKey, pinnedOsVersion, - pinnedOsPatchLevel, pinnedVendorPatchLevel, pinnedBootPatchLevel, - pinnedAppVersion, pinnedAppVariant, pinnedSecurityLevel, userId + SELECT + pinnedCertificates, + pinnedVerifiedBootKey, + pinnedOsVersion, + pinnedOsPatchLevel, + pinnedVendorPatchLevel, + pinnedBootPatchLevel, + pinnedAppVersion, + pinnedAppVariant, + pinnedSecurityLevel, + userId FROM Devices WHERE fingerprint = ?"""); try { st.bind(1, fingerprint); @@ -1375,12 +1383,23 @@ private static void verify(final byte[] fingerprint, } final SQLiteStatement update = conn.prepare(""" - UPDATE Devices SET verifiedBootHash = ?, pinnedOsVersion = ?, - pinnedOsPatchLevel = ?, pinnedVendorPatchLevel = ?, - pinnedBootPatchLevel = ?, pinnedAppVersion = ?, pinnedSecurityLevel = ?, - userProfileSecure = ?, enrolledBiometrics = ?, accessibility = ?, - deviceAdmin = ?, adbEnabled = ?, addUsersWhenLocked = ?, - oemUnlockAllowed = ?, systemUser = ?, verifiedTimeLast = ? + UPDATE Devices SET + verifiedBootHash = ?, + pinnedOsVersion = ?, + pinnedOsPatchLevel = ?, + pinnedVendorPatchLevel = ?, + pinnedBootPatchLevel = ?, + pinnedAppVersion = ?, + pinnedSecurityLevel = ?, + userProfileSecure = ?, + enrolledBiometrics = ?, + accessibility = ?, + deviceAdmin = ?, + adbEnabled = ?, + addUsersWhenLocked = ?, + oemUnlockAllowed = ?, + systemUser = ?, + verifiedTimeLast = ? WHERE fingerprint = ?"""); try { update.bind(1, verified.verifiedBootHash); @@ -1412,14 +1431,31 @@ private static void verify(final byte[] fingerprint, verifySignature(attestationCertificates[0].getPublicKey(), signedMessage, signature); final SQLiteStatement insert = conn.prepare(""" - INSERT INTO Devices (fingerprint, pinnedCertificates, attestKey, - pinnedVerifiedBootKey, verifiedBootHash, pinnedOsVersion, - pinnedOsPatchLevel, pinnedVendorPatchLevel, pinnedBootPatchLevel, - pinnedAppVersion, pinnedAppVariant, pinnedSecurityLevel, userProfileSecure, - enrolledBiometrics, accessibility, deviceAdmin, adbEnabled, - addUsersWhenLocked, oemUnlockAllowed, systemUser, - verifiedTimeFirst, verifiedTimeLast, userId) - VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"""); + INSERT INTO Devices ( + fingerprint, + pinnedCertificates, + attestKey, + pinnedVerifiedBootKey, + verifiedBootHash, + pinnedOsVersion, + pinnedOsPatchLevel, + pinnedVendorPatchLevel, + pinnedBootPatchLevel, + pinnedAppVersion, + pinnedAppVariant, + pinnedSecurityLevel, + userProfileSecure, + enrolledBiometrics, + accessibility, + deviceAdmin, + adbEnabled, + addUsersWhenLocked, + oemUnlockAllowed, + systemUser, + verifiedTimeFirst, + verifiedTimeLast, + userId + ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"""); try { insert.bind(1, fingerprint); insert.bind(2, encodeChain(DEFLATE_DICTIONARY_2, attestationCertificates)); @@ -1455,11 +1491,25 @@ INSERT INTO Devices (fingerprint, pinnedCertificates, attestKey, } final SQLiteStatement insert = conn.prepare(""" - INSERT INTO Attestations (fingerprint, time, strong, osVersion, osPatchLevel, - vendorPatchLevel, bootPatchLevel, verifiedBootHash, appVersion, - userProfileSecure, enrolledBiometrics, accessibility, deviceAdmin, adbEnabled, - addUsersWhenLocked, oemUnlockAllowed, systemUser) - VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"""); + INSERT INTO Attestations ( + fingerprint, + time, + strong, + osVersion, + osPatchLevel, + vendorPatchLevel, + bootPatchLevel, + verifiedBootHash, + appVersion, + userProfileSecure, + enrolledBiometrics, + accessibility, + deviceAdmin, + adbEnabled, + addUsersWhenLocked, + oemUnlockAllowed, + systemUser + ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"""); try { insert.bind(1, fingerprint); insert.bind(2, now); diff --git a/src/main/java/app/attestation/server/AttestationServer.java b/src/main/java/app/attestation/server/AttestationServer.java index b7586925..59d908a4 100644 --- a/src/main/java/app/attestation/server/AttestationServer.java +++ b/src/main/java/app/attestation/server/AttestationServer.java @@ -608,9 +608,16 @@ private static void createAccount(final String username, final String password) final SQLiteConnection conn = getLocalAttestationConn(); try { final SQLiteStatement insert = conn.prepare(""" - INSERT INTO Accounts - (username, passwordHash, passwordSalt, subscribeKey, creationTime, loginTime, verifyInterval, alertDelay) - VALUES (?, ?, ?, ?, ?, ?, ?, ?)"""); + INSERT INTO Accounts ( + username, + passwordHash, + passwordSalt, + subscribeKey, + creationTime, + loginTime, + verifyInterval, + alertDelay + ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)"""); try { insert.bind(1, username); insert.bind(2, passwordHash); @@ -949,7 +956,14 @@ private static Account verifySession(final HttpExchange exchange, final boolean final SQLiteConnection conn = getLocalAttestationConn(); final SQLiteStatement select = conn.prepare(""" - SELECT token, expiryTime, username, subscribeKey, Accounts.userId, verifyInterval, alertDelay + SELECT + token, + expiryTime, + username, + subscribeKey, + Accounts.userId, + verifyInterval, + alertDelay FROM Sessions INNER JOIN Accounts on Accounts.userId = Sessions.userId WHERE sessionId = ?"""); @@ -1191,14 +1205,31 @@ private static void writeDevicesJson(final HttpExchange exchange, final long use final JsonArrayBuilder devices = Json.createArrayBuilder(); final SQLiteConnection conn = getLocalAttestationConn(); final SQLiteStatement select = conn.prepare(""" - SELECT fingerprint, pinnedCertificates, attestKey, hex(pinnedVerifiedBootKey), - (SELECT hex(verifiedBootHash) WHERE verifiedBootHash IS NOT NULL), - pinnedOsVersion, pinnedOsPatchLevel, pinnedVendorPatchLevel, pinnedBootPatchLevel, - pinnedAppVersion, pinnedAppVariant, pinnedSecurityLevel, userProfileSecure, - enrolledBiometrics, accessibility, deviceAdmin, adbEnabled, addUsersWhenLocked, - oemUnlockAllowed, systemUser, verifiedTimeFirst, verifiedTimeLast, - (SELECT min(id) FROM Attestations WHERE Attestations.fingerprint = Devices.fingerprint), - (SELECT max(id) FROM Attestations WHERE Attestations.fingerprint = Devices.fingerprint) + SELECT + fingerprint, + pinnedCertificates, + attestKey, + hex(pinnedVerifiedBootKey), + (SELECT hex(verifiedBootHash) WHERE verifiedBootHash IS NOT NULL), + pinnedOsVersion, + pinnedOsPatchLevel, + pinnedVendorPatchLevel, + pinnedBootPatchLevel, + pinnedAppVersion, + pinnedAppVariant, + pinnedSecurityLevel, + userProfileSecure, + enrolledBiometrics, + accessibility, + deviceAdmin, + adbEnabled, + addUsersWhenLocked, + oemUnlockAllowed, + systemUser, + verifiedTimeFirst, + verifiedTimeLast, + (SELECT min(id) FROM Attestations WHERE Attestations.fingerprint = Devices.fingerprint), + (SELECT max(id) FROM Attestations WHERE Attestations.fingerprint = Devices.fingerprint) FROM Devices WHERE userId is ? AND deletionTime IS NULL ORDER BY verifiedTimeFirst"""); try { @@ -1319,12 +1350,24 @@ private static void writeAttestationHistoryJson(final HttpExchange exchange, fin final byte[] fingerprint = BaseEncoding.base16().decode(deviceFingerprint); final SQLiteConnection conn = getLocalAttestationConn(); final SQLiteStatement history = conn.prepare(""" - SELECT id, time, strong, osVersion, osPatchLevel, - vendorPatchLevel, bootPatchLevel, Attestations.verifiedBootHash, appVersion, - Attestations.userProfileSecure, Attestations.enrolledBiometrics, - Attestations.accessibility, Attestations.deviceAdmin, Attestations.adbEnabled, - Attestations.addUsersWhenLocked, Attestations.oemUnlockAllowed, - Attestations.systemUser + SELECT + id, + time, + strong, + osVersion, + osPatchLevel, + vendorPatchLevel, + bootPatchLevel, + Attestations.verifiedBootHash, + appVersion, + Attestations.userProfileSecure, + Attestations.enrolledBiometrics, + Attestations.accessibility, + Attestations.deviceAdmin, + Attestations.adbEnabled, + Attestations.addUsersWhenLocked, + Attestations.oemUnlockAllowed, + Attestations.systemUser FROM Attestations INNER JOIN Devices ON Attestations.fingerprint = Devices.fingerprint WHERE Devices.fingerprint = ? AND userid = ?