add UserManager.getUserCount for versions with signature permissions

app/src/main/AndroidManifest.xml

@@ -6,6 +6,7 @@
     <uses-permission android:name="android.permission.INTERNET" />
     <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
     <uses-permission android:name="android.permission.USE_FINGERPRINT" />
+    <uses-permission android:name="android.permission.MANAGE_USERS"/>
 
     <application android:label="@string/app_name"
             android:useEmbeddedDex="true"

app/src/main/java/app/attestation/auditor/AttestationProtocol.java

@@ -17,6 +17,7 @@
 import android.util.Log;
 import android.view.accessibility.AccessibilityManager;
 
+import androidx.core.content.ContextCompat;
 import androidx.preference.PreferenceManager;
 
 import com.google.common.collect.ImmutableMap;
@@ -790,7 +791,7 @@ private static VerificationResult verify(final Context context, final byte[] fin
             final boolean accessibility, final boolean deviceAdmin,
             final boolean deviceAdminNonSystem, final boolean adbEnabled,
             final boolean addUsersWhenLocked, final boolean enrolledFingerprints,
-            final boolean denyNewUsb, final boolean oemUnlockAllowed, final boolean systemUser)
+            final boolean denyNewUsb, final boolean oemUnlockAllowed, final boolean systemUser, final byte userCount)
             throws GeneralSecurityException, IOException {
         final String fingerprintHex = BaseEncoding.base16().encode(fingerprint);
         final byte[] currentFingerprint = getFingerprint(attestationCertificates[0]);
@@ -945,6 +946,9 @@ private static VerificationResult verify(final Context context, final byte[] fin
             osEnforced.append(context.getString(R.string.system_user,
                     toYesNoString(context, systemUser)));
         }
+        if (userCount != 0) {
+            osEnforced.append(context.getString(R.string.user_count) +userCount);
+        }
 
         return new VerificationResult(hasPersistentKey, teeEnforced.toString(), osEnforced.toString());
     }
@@ -1006,6 +1010,8 @@ static VerificationResult verifySerialized(final Context context, final byte[] a
         final boolean oemUnlockAllowed = (osEnforcedFlags & OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED) != 0;
         final boolean systemUser = (osEnforcedFlags & OS_ENFORCED_FLAGS_SYSTEM_USER) != 0;
 
+        final byte userCount = deserializer.get();
+
         if (deviceAdminNonSystem && !deviceAdmin) {
             throw new GeneralSecurityException("invalid device administrator state");
         }
@@ -1023,7 +1029,7 @@ static VerificationResult verifySerialized(final Context context, final byte[] a
         return verify(context, fingerprint, challenge, deserializer.asReadOnlyBuffer(), signature,
                 certificates, userProfileSecure, accessibility, deviceAdmin, deviceAdminNonSystem,
                 adbEnabled, addUsersWhenLocked, enrolledFingerprints, denyNewUsb, oemUnlockAllowed,
-                systemUser);
+                systemUser, userCount);
     }
 
     static class AttestationResult {
@@ -1261,6 +1267,13 @@ static AttestationResult generateSerialized(final Context context, final byte[]
             }
             serializer.putInt(osEnforcedFlags);
 
+            byte userCount = 0;
+            if (ContextCompat.checkSelfPermission(context, "android.permission.MANAGE_USERS")
+                    == PackageManager.PERMISSION_GRANTED){
+                userCount = (byte) userManager.getUserCount();
+            }
+            serializer.put(userCount);
+
             final ByteBuffer message = serializer.duplicate();
             message.flip();
 

app/src/main/res/values/strings.xml

@@ -68,6 +68,7 @@
     <string name="deny_new_usb">Disallow new USB peripherals when locked: %s\n</string>
     <string name="oem_unlock_allowed">OEM unlocking allowed: %s\n</string>
     <string name="system_user">Main user account: %s\n</string>
+    <string name="user_count">User count:&#160;</string>
 
     <string name="no">no</string>
     <string name="yes">yes</string>