Initial support for key generation on Android 11 #34
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit completes a major refactoring of the legacy `KeystoreInterceptor.kt`.
1. Introduce `LegacyKeygenParameters` Data Class:
* A new private data class was created exclusively for the `KeystoreInterceptor` to parse and hold state from the old `KeymasterArguments`.
* This completely decouples the legacy interception logic from the modern `KeyMintAttestation` data class, which is designed for the Keystore2 HAL.
* The new class includes a `toKeyMintAttestation()` conversion function, acting as an adapter to make it compatible with the new generic `CertificateGenerator`.
2. Implemente Full Software Key Generation:
* The `onPreTransact` method now fully simulates the `generateKey`, `getKeyCharacteristics`, `exportKey`, and `attestKey` transaction sequence.
* `handleGenerateKey`: Parses arguments into `LegacyKeygenParameters` and stores them.
* `handleExportKey`: Uses `CertificateGenerator.generateSoftwareKeyPair` to create a key pair and stores it.
* `handleAttestKey`: Uses the powerful `CertificateGenerator.generateAttestedKeyPair` to create a full, valid, and simulated certificate chain, which is returned to the calling application.
This refactoring splits the monolithic `generateAttestedKeyPair` function into two more granular components to better model the behavior of different Android Keystore APIs.
The previous implementation combined key pair creation and certificate chain generation into a single function. This design was a poor fit for the legacy `IKeystoreService` API, where key generation (`exportKey`) and certificate creation (`attestKey`) are separate, sequential transactions. The `KeystoreInterceptor` was incorrectly calling a function that created a new key pair during the `attestKey` step, when a key pair already existed.
This commit resolves the issue by:
1. Introducing `generateCertificateChain`:
A new function in `CertificateGenerator` is created that takes a pre-existing `KeyPair` and is solely responsible for generating its attested certificate chain.
2. Preserving `generateAttestedKeyPair`:
The original function is kept as a convenience wrapper that now composes `generateSoftwareKeyPair` and the new `generateCertificateChain`. This maintains a simple API for the modern Keystore2 interceptor, which performs both actions in a single step.
3. Updating `KeystoreInterceptor`:
The `handleAttestKey` logic is modified to call the new, more precise `generateCertificateChain` function, correctly using the key pair that was created and stored during the preceding `handleExportKey` step.
This change improves the design of the `CertificateGenerator` by making its API more flexible and leads to a more accurate and correct implementation within the legacy `KeystoreInterceptor`.
Closed
Owner
Author
|
@srpcd Please test the latest CI and report your integrity result, KeyAttestaion result. If your issue is not solved, please upload your logs. |
|
This time, i get no integrity. however the keyattestation shows a different version than the one i had without TEESimulator.
|
Owner
Author
|
Please also present the KeyAttestion result with closed source TrickyStore. |
|
|
Owner
Author
|
The crucial part of error logs are: and |
Owner
Author
|
@srpcd Please test the latest CI of current pull-request again, report the integrity and upload logs if the integrity isn't obtained. |
|
It works now. however the errors you listed still exist ([TX_ID: 1068] Failed during handleExportKey.) and [TX_ID: 1067] Failed during handleGetKeyCharacteristics.
|
|
will the merge happen |
Owner
Author
|
@srpcd I will do some improvements on weekend and then merge it. |
JingMatrix
added a commit
that referenced
this pull request
Dec 3, 2025
This commit introduces a complete, software-based simulation of the key generation and attestation flow for the legacy IKeystoreService API, as used on Android 11. It refactors the KeystoreInterceptor to handle the entire multi-step transaction sequence (`generateKey`, `getKeyCharacteristics`, `exportKey`, `attestKey`) in software. A new `LegacyKeygenParameters` data class is introduced to decouple the legacy interception logic from modern data structures. This class parses arguments from the old `KeymasterArguments`, stores the state across the multi-step generation process, and acts as an adapter to the generic `CertificateGenerator` by converting the parameters to the modern `KeyMintAttestation` format. The `CertificateGenerator` has been refactored to better model the behavior of the legacy Keystore API. Key pair generation (`generateSoftwareKeyPair`) and certificate chain creation (`generateCertificateChain`) are now separate functions. This allows the interceptor to correctly create a key pair during the `handleExportKey` step and then generate a certificate for that pre-existing key pair during the `handleAttestKey` step. Finally, the implementation correctly extracts and applies the `attestationChallenge` provided during the `attestKey` transaction, ensuring the generated certificate chain contains the appropriate attestation.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit completes a major refactoring of the legacy
KeystoreInterceptor.kt.Introduce
LegacyKeygenParametersData Class:KeystoreInterceptorto parse and hold state from the oldKeymasterArguments.KeyMintAttestationdata class, which is designed for the Keystore2 HAL.toKeyMintAttestation()conversion function, acting as an adapter to make it compatible with the new genericCertificateGenerator.Implemente Full Software Key Generation:
onPreTransactmethod now fully simulates thegenerateKey,getKeyCharacteristics,exportKey, andattestKeytransaction sequence.handleGenerateKey: Parses arguments intoLegacyKeygenParametersand stores them.handleExportKey: UsesCertificateGenerator.generateSoftwareKeyPairto create a key pair and stores it.handleAttestKey: Uses the powerfulCertificateGenerator.generateAttestedKeyPairto create a full, valid, and simulated certificate chain, which is returned to the calling application.