keystore: Block key attestation for SafetyNet (c2a9c80b) · Commits · e / os / android_frameworks_base

core/java/com/android/internal/safetynet/SafetyNetHooks.java

+15 −0

Original line number	Original line	Diff line number	Diff line
	@@ -28,6 +28,8 @@ public final class SafetyNetHooks {
	private static final String TAG = "SafetyNetHooks";		private static final String TAG = "SafetyNetHooks";
	private static final String GMS_PACKAGE_NAME = "com.google.android.gms";		private static final String GMS_PACKAGE_NAME = "com.google.android.gms";

			private static volatile boolean sIsGms = false;

	private static void setBuildField(String key, String value) {		private static void setBuildField(String key, String value) {
	try {		try {
	Field field = Build.class.getDeclaredField(key);		Field field = Build.class.getDeclaredField(key);
	@@ -41,7 +43,20 @@ public final class SafetyNetHooks {

	public static void init(Application app) {		public static void init(Application app) {
	if (GMS_PACKAGE_NAME.equals(app.getPackageName())) {		if (GMS_PACKAGE_NAME.equals(app.getPackageName())) {
			sIsGms = true;
	setBuildField("MODEL", Build.MODEL + " ");		setBuildField("MODEL", Build.MODEL + " ");
	}		}
	}		}

			private static boolean isCallerSafetyNet() {
			return Arrays.stream(Thread.currentThread().getStackTrace())
			.anyMatch(elem -> elem.getClassName().contains("DroidGuard"));
			}

			public static void onEngineGetCertificateChain() {
			// Check stack for SafetyNet
			if (sIsGms && isCallerSafetyNet()) {
			throw new UnsupportedOperationException();
			}
			}
	}		}

+2 −0

Original line number	Original line	Diff line number	Diff line
	@@ -48,6 +48,7 @@ import android.system.keystore2.ResponseCode;
	import android.util.Log;		import android.util.Log;

	import com.android.internal.annotations.VisibleForTesting;		import com.android.internal.annotations.VisibleForTesting;
			import com.android.internal.safetynet.SafetyNetHooks;

	import java.io.ByteArrayInputStream;		import java.io.ByteArrayInputStream;
	import java.io.IOException;		import java.io.IOException;
	@@ -178,6 +179,7 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {

	@Override		@Override
	public Certificate[] engineGetCertificateChain(String alias) {		public Certificate[] engineGetCertificateChain(String alias) {
			SafetyNetHooks.onEngineGetCertificateChain();
	KeyEntryResponse response = getKeyMetadata(alias);		KeyEntryResponse response = getKeyMetadata(alias);

	if (response == null \|\| response.metadata.certificate == null) {		if (response == null \|\| response.metadata.certificate == null) {