Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIDO2 screenlock authentication fixes #2199

Merged
merged 1 commit into from
Aug 16, 2024
Merged

FIDO2 screenlock authentication fixes #2199

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 41 additions & 2 deletions ...rc/main/kotlin/org/microg/gms/fido/core/transport/screenlock/ScreenLockCredentialStore.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,14 @@
package org.microg.gms.fido.core.transport.screenlock

import android.content.Context
import android.content.pm.PackageManager
import android.database.sqlite.SQLiteDatabase
import android.database.sqlite.SQLiteOpenHelper
import android.os.Build.VERSION.SDK_INT
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import android.util.Base64
import android.util.Log
import androidx.annotation.RequiresApi
Expand All @@ -32,6 +34,8 @@ class ScreenLockCredentialStore(val context: Context) {

@RequiresApi(23)
fun createKey(rpId: String, challenge: ByteArray): ByteArray {
var useStrongbox = false
if (SDK_INT >= 28) useStrongbox = context.packageManager.hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE)
val keyId = Random.nextBytes(32)
val identifier = getAlias(rpId, keyId)
Log.d(TAG, "Creating key for $identifier")
Expand All @@ -40,9 +44,44 @@ class ScreenLockCredentialStore(val context: Context) {
.setDigests(KeyProperties.DIGEST_SHA256)
.setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
.setUserAuthenticationRequired(true)
if (SDK_INT >= 28) builder.setIsStrongBoxBacked(useStrongbox)
if (SDK_INT >= 24) builder.setAttestationChallenge(challenge)
generator.initialize(builder.build())
generator.generateKeyPair()

var generatedKeypair = false
val exceptionClassesCaught = HashSet<Class<Exception>>()
while (!generatedKeypair) {
try {
generator.initialize(builder.build())
generator.generateKeyPair()
generatedKeypair = true
} catch (e: Exception) {
// Catch each exception class at most once.
// If we've caught the exception before, tried to correct it, and still catch the
// same exception, then we can't fix it and the exception should be thrown further
if (exceptionClassesCaught.contains(e.javaClass)) {
throw e
}
exceptionClassesCaught.add(e.javaClass)

if (SDK_INT >= 28 && e is StrongBoxUnavailableException) {
Log.w(TAG, "Failed with StrongBox, retrying without it...")
// Not all algorithms are backed by the Strongbox. If the Strongbox doesn't
// support this keypair, fall back to TEE
builder.setIsStrongBoxBacked(false)
} else if (SDK_INT >= 24 && e is ProviderException) {
Log.w(TAG, "Failed with attestation challenge, retrying without it...")
// This ProviderException is often thrown if the TEE or Strongbox doesn't have
// a built-in key to attest the new key pair with. If this happens, remove the
// attestation challenge and create an unattested key
builder.setAttestationChallenge(null)
} else {
// We don't know how to handle other errors, so they should be thrown up the
// system
throw e
}
}
}

return keyId
}

Expand Down