
Shim breaks on ROMs with different transaction IDs #33

Closed
kdrag0n opened this issue Mar 23, 2021 · 2 comments
Labels
good first issue Good for newcomers help wanted Extra attention is needed

Comments

kdrag0n (Owner) commented Mar 23, 2021

On some ROMs (such as certain versions of Samsung One UI), there have been enough changes to the keystore service that the attestKey transaction is no longer assigned to the same ID as AOSP, so the shim solution doesn't work at all.

It is technically possible to obtain the transaction ID at install time by decompiling the framework, but this is very fragile and needs to be done on every update.

My proposal is to inspect the contents of the AIDL Parcel object to determine the call instead of relying on the transaction code. attestKey takes a unique set of arguments:

  • IKeystoreCertificateChain callback (AIDL service)
  • String alias
  • KeymasterArguments params

This allows us to identify the transaction by checking the data in the Parcel. For IKeystoreCertificateChainCallback, the client sends a Binder to its implementation of the callback as a value in the Parcel, so we can check whether the service is correct by doing the equivalent of Java's Binder#queryLocalInterface("android.security.keystore.IKeystoreCertificateChainCallback") in C++. The other arguments should be easy to inspect as they are either primitive Parcel data types or Parcelables composed of primitives.

It must be noted, however, that the raw Parcel data format is not necessarily stable across major Android versions to the best of my knowledge. Attempting to read the data blindly using the C++ Parcel API is also dangerous because it could cause an out-of-bounds read when attempting to read a string at the wrong position.

Implementations are free to be submitted to the shim branch for #13. This is currently blocking #32.
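A bounds-checked reader for the argument shape described in this issue, added here as an example; it is not code from the shim or from the issue's author. It assumes a simplified Parcel-like layout (little-endian int32 fields, a String16 as a count plus padded UTF-16LE units) and models the callback by its descriptor string rather than the Binder object; SafeReader, buildParcel and looksLikeAttestKey are names chosen for this example, and the sample parcels it builds are constructed.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
// Assumed Parcel-like layout: little-endian int32 fields; a String16 is an
// int32 code-unit count, count+1 UTF-16LE units (last one NUL), padded to 4
// bytes. The callback is modelled by its descriptor string. Every read is
// bounds-checked against the buffer, so a wrong position fails cleanly.
struct SafeReader {
    const std::vector<uint8_t>& buf; size_t pos = 0;
    bool readInt32(int32_t& out) {
        if (buf.size() - pos < 4) return false;            // refuse to over-read
        std::memcpy(&out, buf.data() + pos, 4);
        pos += 4;
        return true;
    }
    bool readString16(std::string& out) {
        int32_t count;
        if (!readInt32(count) || count < 0) return false;
        size_t remaining = buf.size() - pos;
        if (static_cast<size_t>(count) + 1 > remaining / 2) return false; // check before multiplying: no wrap
        size_t padded = ((static_cast<size_t>(count) + 1) * 2 + 3) & ~static_cast<size_t>(3);
        if (padded > remaining) return false;              // length field lies about payload
        out.clear();
        for (int32_t i = 0; i < count; ++i)
            out.push_back(static_cast<char>(buf[pos + 2 * i])); // ASCII names: low byte only
        pos += padded;
        return true;
    }
};

// Encodes String16 fields with the same assumed layout (for constructed samples).
std::vector<uint8_t> buildParcel(const std::vector<std::string>& fields) {
    std::vector<uint8_t> buf;
    for (const std::string& s : fields) {
        for (int i = 0; i < 4; ++i) buf.push_back(static_cast<uint8_t>(s.size() >> (8 * i)));
        for (char c : s) { buf.push_back(static_cast<uint8_t>(c)); buf.push_back(0); }
        buf.push_back(0); buf.push_back(0);                // UTF-16 NUL terminator
        while (buf.size() % 4) buf.push_back(0);           // pad to 4 bytes
    }
    return buf;
}

// True only for the argument shape the issue describes: the callback's
// descriptor, then the alias. Malformed input yields false, never an OOB read.
bool looksLikeAttestKey(const std::vector<uint8_t>& data, std::string& alias) {
    SafeReader r{data};
    std::string descriptor;
    if (!r.readString16(descriptor) || descriptor != "android.security.keystore.IKeystoreCertificateChainCallback") return false;
    return r.readString16(alias);
}
```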


kdrag0n (Owner, Author) commented Aug 23, 2021

Superseded by the new solution in v2.0.0.

@kdrag0n kdrag0n closed this as completed Aug 23, 2021