On some ROMs (such as certain versions of Samsung One UI), there have been enough changes to the keystore service that the `attestKey` transaction is no longer assigned to the same ID as AOSP, so the shim solution doesn't work at all.
It is technically possible to obtain the transaction ID at install time by decompiling the framework, but this is very fragile and needs to be done on every update.
My proposal is to inspect the contents of the AIDL Parcel object to determine the call instead of relying on the transaction code. `attestKey` takes a unique set of arguments:

- `IKeystoreCertificateChainCallback callback` (AIDL service)
- `String alias`
- `KeymasterArguments params`

This allows the transaction to be identified by checking the data in the Parcel. For `IKeystoreCertificateChainCallback`, the client sends a Binder to its implementation of the callback as a value in the Parcel, so we can check whether the service is correct by doing the equivalent of Java's `Binder#queryLocalInterface("android.security.keystore.IKeystoreCertificateChainCallback")` in C++. The other arguments should be easy to inspect as they are either primitive Parcel data types or Parcelables composed of primitives.
It must be noted, however, that the raw Parcel data format is not necessarily stable across major Android versions to the best of my knowledge. Attempting to read the data blindly using the C++ Parcel API is also dangerous because it could cause an out-of-bounds read when attempting to read a string at the wrong position.
Implementations are free to be submitted to the `shim` branch for #13. This is currently blocking #32.
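A bounds-checked reader over a constructed Parcel-style `String16` field, added here as an example and not code from the issue or the project. It assumes a simplified layout (little-endian int32 length in UTF-16 code units, UTF-16LE code units, a NUL code unit, padding to 4 bytes) loosely modelled on libbinder's `writeString16` and not tied to any Android version; the point it shows is the caveat above: a string read attempted at the wrong offset fails closed instead of reading out of bounds.

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

// Simplified Parcel-like String16 layout used here (an assumption loosely
// modelled on libbinder's writeString16, NOT guaranteed to match any Android
// version): LE int32 length in UTF-16 code units, UTF-16LE units, NUL, 4-byte pad.
struct ParcelView {
    const std::vector<uint8_t>& data;
    size_t pos = 0;
    // Read a String16 field at pos, narrowing to ASCII. Every length is checked
    // against the bytes that remain before it is used, so a read attempted at
    // the wrong offset (e.g. on top of a binder object) returns nullopt instead
    // of reading out of bounds.
    std::optional<std::string> readString16() {
        if (data.size() - pos < 4) return std::nullopt;
        int32_t len;
        std::memcpy(&len, data.data() + pos, 4);
        if (len < 0) return std::nullopt;
        size_t padded = ((static_cast<size_t>(len) + 1) * 2 + 3) & ~size_t{3};
        if (data.size() - pos - 4 < padded) return std::nullopt;
        std::string out;
        for (int32_t i = 0; i < len; ++i) {
            size_t at = pos + 4 + 2 * static_cast<size_t>(i);
            uint16_t cu = data[at] | (data[at + 1] << 8);
            if (cu == 0 || cu > 0x7f) return std::nullopt;  // not a plain alias
            out.push_back(static_cast<char>(cu));
        }
        pos += 4 + padded;
        return out;
    }
};
// Constructed sample input: encode a string in the same simplified layout.
std::vector<uint8_t> encodeString16(const std::string& s) {
    std::vector<uint8_t> out(4);
    int32_t len = static_cast<int32_t>(s.size());
    std::memcpy(out.data(), &len, 4);
    for (char c : s) { out.push_back(static_cast<uint8_t>(c)); out.push_back(0); }
    out.push_back(0); out.push_back(0);        // NUL code unit
    while (out.size() % 4) out.push_back(0);   // pad to a 4-byte boundary
    return out;
}
// Try to read the alias argument; nullopt means "no valid string at this offset".
std::optional<std::string> readAlias(const std::vector<uint8_t>& buf) {
    ParcelView p{buf};
    return p.readString16();
}
```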