convert attestation parsing error to GeneralSecurityException

GrapheneOS · Oct 1, 2024 · 9d565b0 · 9d565b0
1 parent 1376ac2
commit 9d565b0
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/src/main/java/app/attestation/server/AttestationProtocol.java b/src/main/java/app/attestation/server/AttestationProtocol.java
@@ -482,7 +482,7 @@ private static X509Certificate generateCertificate(final InputStream in)
 
     private static Verified verifyStateless(final Certificate[] certificates,
             final Cache<ByteBuffer, Boolean> pendingChallenges, final boolean hasPersistentKey,
-            final byte[][] validRoots) throws GeneralSecurityException, IOException {
+            final byte[][] validRoots) throws GeneralSecurityException {
 
         verifyCertificateSignatures(certificates, hasPersistentKey);
 
@@ -496,7 +496,7 @@ private static Verified verifyStateless(final Certificate[] certificates,
         try {
             attestation = ParsedAttestationRecord.createParsedAttestationRecord(
                     List.of((X509Certificate) certificates[0]));
-        } catch (final ParsedAttestationRecord.KeyDescriptionMissingException e) {
+        } catch (final IOException | ParsedAttestationRecord.KeyDescriptionMissingException e) {
             throw new GeneralSecurityException(e);
         }
 
@@ -730,6 +730,8 @@ private static Verified verifyStateless(final Certificate[] certificates,
             }
 
             attestKey = true;
+        } catch (final IOException e) {
+            throw new GeneralSecurityException(e);
         } catch (final ParsedAttestationRecord.KeyDescriptionMissingException ignored) {}
 
         // enforce attest key for new pairings with devices supporting it
@@ -740,7 +742,9 @@ private static Verified verifyStateless(final Certificate[] certificates,
         for (int i = 2; i < certificates.length; i++) {
             try {
                 ParsedAttestationRecord.createParsedAttestationRecord(List.of((X509Certificate) certificates[i]));
-            } catch (final  ParsedAttestationRecord.KeyDescriptionMissingException e) {
+            } catch (final IOException e) {
+                throw new GeneralSecurityException(e);
+            } catch (final ParsedAttestationRecord.KeyDescriptionMissingException e) {
                 continue;
             }
             throw new GeneralSecurityException("only initial key and attest key should have attestation extension");

diff --git a/src/main/java/app/attestation/server/AttestationServer.java b/src/main/java/app/attestation/server/AttestationServer.java
@@ -1536,7 +1536,8 @@ public void handlePost(final HttpExchange exchange) throws IOException, SQLiteEx
 
             try {
                 AttestationProtocol.verifySerialized(attestationResult, pendingChallenges, userId, subscribeKey == null);
-            } catch (final BufferUnderflowException | NegativeArraySizeException | DataFormatException | GeneralSecurityException | IOException e) {
+            } catch (final BufferUnderflowException | NegativeArraySizeException |
+                    DataFormatException | GeneralSecurityException e) {
                 logger.log(Level.WARNING, "invalid request", e);
                 final byte[] response = "Error\n".getBytes();
                 exchange.sendResponseHeaders(400, response.length);