Support for including device info in attestation

GrapheneOS · Oct 23, 2023 · 09c2f10 · 09c2f10
1 parent 346ee96
commit 09c2f10
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
@@ -1658,6 +1658,30 @@ static AttestationResult generateSerialized(final Context context, final byte[]
         }
     }
 
+    private static void maybeGenerateKeyPairWithDeviceProperties(
+            final KeyGenParameterSpec.Builder builder) throws IOException,
+            InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException {
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
+            builder.setDevicePropertiesAttestationIncluded(true);
+            try {
+                generateKeyPair(builder.build());
+            } catch (IOException e) {
+                if (e.getCause() instanceof ProviderException pe) {
+                    if (pe.getCause() instanceof android.security.KeyStoreException ke) {
+                        if (KeyStoreExceptionUtils.isUnableToAttestDeviceInfoError(ke)) {
+                            builder.setDevicePropertiesAttestationIncluded(false);
+                            generateKeyPair(builder.build());
+                            return;
+                        }
+                    }
+                }
+                throw e;
+            }
+        } else {
+            generateKeyPair(builder.build());
+        }
+    }
+
     static void generateKeyPair(final KeyGenParameterSpec spec)
             throws NoSuchAlgorithmException, NoSuchProviderException,
             InvalidAlgorithmParameterException, IOException {

diff --git a/app/src/main/java/app/attestation/auditor/KeyStoreExceptionUtils.java b/app/src/main/java/app/attestation/auditor/KeyStoreExceptionUtils.java
@@ -0,0 +1,26 @@
+package app.attestation.auditor;
+
+import android.os.Build;
+import android.security.KeyStoreException;
+
+class KeyStoreExceptionUtils {
+
+    // See KeymasterDefs#KM_ERROR_CANNOT_ATTEST_IDS
+    private static final int PRIVATE_CANNOT_ATTEST_ID_ERROR_CODE = -66;
+    // See KeymaserDefs#sErrorCodeToString
+    private static final String CANNOT_ATTEST_ID_MESSAGE = "Unable to attest device ids";
+
+    static boolean isUnableToAttestDeviceInfoError(KeyStoreException exception) {
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
+            return exception.getNumericErrorCode() == KeyStoreException.ERROR_ID_ATTESTATION_FAILURE;
+        }
+
+        String localizedMessage = exception.getLocalizedMessage();
+        if (localizedMessage == null) {
+            return false;
+        }
+
+        return localizedMessage.contains(CANNOT_ATTEST_ID_MESSAGE)
+                || localizedMessage.contains(Integer.toString(PRIVATE_CANNOT_ATTEST_ID_ERROR_CODE));
+    }
+}