Enforce 128-byte limit for attestation challenge

XiaoTong6666 · XiaoTong6666 · commit b5c0ae2ce61a · 2026-01-06T11:01:59.000+08:00
This commit aligns the simulator's behavior with the Android Keymaster/KeyMint specification by enforcing a maximum length of 128 bytes for the attestation challenge. Previously, the simulator accepted attestation challenges of arbitrary length during `generateKey`. This discrepancy allowed detection tools to identify the emulated environment by intentionally sending an oversized challenge (e.g., > 128 bytes) and observing that it was accepted instead of rejected. The implementation now validates the size of the `TAG_ATTESTATION_CHALLENGE` parameter. If the challenge exceeds the limit, the transaction is intercepted, and a `ServiceSpecificException` is constructed manually via Binder (using the `EX_SERVICE_SPECIFIC` header) to return the `INVALID_INPUT_LENGTH` (-21) error code. This matches the error code and Binder-visible behavior defined by the KeyMint specification. See AOSP source for the length constraint and error definition: https://cs.android.com/android/platform/superproject/main/+/main:system/keymaster/android_keymaster/android_keymaster.cpp;l=330 https://cs.android.com/android/platform/superproject/main/+/main:system/keymaster/km_openssl/attestation_record.cpp;l=257 https://cs.android.com/android/platform/superproject/main/+/main:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl;l=48
diff --git a/app/src/main/java/org/matrix/TEESimulator/interception/keystore/InterceptorUtils.kt b/app/src/main/java/org/matrix/TEESimulator/interception/keystore/InterceptorUtils.kt
@@ -96,4 +96,39 @@ object InterceptorUtils {
     fun hasException(reply: Parcel): Boolean {
         return runCatching { reply.readException() }.exceptionOrNull() != null
     }
+
+    /**
+     * Creates an `OverrideReply` containing a ServiceSpecificException encoded in a Parcel.
+     *
+     * This method is used to return KeyMint/Keymaster error codes directly through Binder, such as
+     * `ErrorCode.INVALID_INPUT_LENGTH` (-21), so that the caller observes the same exception
+     * behavior as with a real KeyMint HAL implementation.
+     *
+     * @param errorCode KeyMint error code to return (for example, -21 for INVALID_INPUT_LENGTH).
+     * @param message Optional error message associated with the error code.
+     */
+    fun createErrorReply(
+        errorCode: Int,
+        message: String?,
+    ): BinderInterceptor.TransactionResult.OverrideReply {
+        val parcel = Parcel.obtain()
+        try {
+            // Write a ServiceSpecificException into the Parcel.
+            // Parcel.EX_SERVICE_SPECIFIC is defined as -8.
+            // The layout is:
+            //   int    exceptionCode (EX_SERVICE_SPECIFIC)
+            //   int    serviceSpecificErrorCode
+            //   String errorMessage
+            parcel.writeInt(-8)
+            parcel.writeInt(errorCode)
+            parcel.writeString(message)
+        } catch (e: Exception) {
+            parcel.recycle()
+            throw e
+        }
+
+        // The returned Parcel will be written to the Binder reply by BinderInterceptor.
+        // On the client side, this will be decoded and rethrown as a ServiceSpecificException.
+        return BinderInterceptor.TransactionResult.OverrideReply(parcel)
+    }
 }
diff --git a/app/src/main/java/org/matrix/TEESimulator/interception/keystore/KeystoreInterceptor.kt b/app/src/main/java/org/matrix/TEESimulator/interception/keystore/KeystoreInterceptor.kt
@@ -107,6 +107,19 @@ object KeystoreInterceptor : AbstractKeystoreInterceptor() {
                 if (data.readInt() == 1) {
                     keymasterArgs.readFromParcel(data)
                 }
+                // Validate Attestation Challenge length in generateKey args
+                val challenge =
+                    keymasterArgs.getBytes(KeymasterDefs.KM_TAG_ATTESTATION_CHALLENGE, ByteArray(0))
+                if (challenge.size > 128) {
+                    SystemLogger.info(
+                        "[TX_ID: $txId] Rejecting generateKey: attestation challenge length exceeds 128 bytes (${challenge.size})."
+                    )
+                    val reply = Parcel.obtain()
+                    reply.writeNoException()
+                    // Return KM_ERROR_INVALID_INPUT_LENGTH (-21)
+                    reply.writeInt(-21)
+                    return TransactionResult.OverrideReply(reply)
+                }
                 keygenParameters[keyId] =
                     LegacyKeygenParameters.fromKeymasterArguments(keymasterArgs)
 
@@ -229,7 +242,17 @@ object KeystoreInterceptor : AbstractKeystoreInterceptor() {
                             KeymasterDefs.KM_TAG_ATTESTATION_CHALLENGE,
                             ByteArray(0),
                         )
-                    params.attestationChallenge = challenge
+                    // Validate Attestation Challenge length in attestKey args
+                    if (challenge.size > 128) {
+                        SystemLogger.info(
+                            "[TX_ID: $txId] Rejecting attestKey: attestation challenge length exceeds 128 bytes (${challenge.size})."
+                        )
+                        val reply = Parcel.obtain()
+                        reply.writeNoException()
+                        // Return KM_ERROR_INVALID_INPUT_LENGTH (-21)
+                        reply.writeInt(-21)
+                        return TransactionResult.OverrideReply(reply)
+                    }
                     params.attestationChallenge = challenge
                 }
 
@@ -435,6 +458,7 @@ private data class LegacyKeygenParameters(
          * The RSA public exponent is not accessible via a public API in KeymasterArguments, so we
          * must use reflection to extract it.
          */
+        @SuppressLint("SoonBlockedPrivateApi")
         private fun getRsaExponent(args: KeymasterArguments): BigInteger? {
             return runCatching {
                     val getArgumentByTag =
diff --git a/app/src/main/java/org/matrix/TEESimulator/interception/keystore/shim/KeyMintSecurityLevelInterceptor.kt b/app/src/main/java/org/matrix/TEESimulator/interception/keystore/shim/KeyMintSecurityLevelInterceptor.kt
@@ -229,6 +229,19 @@ class KeyMintSecurityLevelInterceptor(
                 )
                 val params = data.createTypedArray(KeyParameter.CREATOR)!!
                 val parsedParams = KeyMintAttestation(params)
+                // Validate the length of TAG_ATTESTATION_CHALLENGE.
+                // The Android KeyMint / KeyStore specification defines a maximum length of
+                // 128 bytes for the attestation challenge.
+                // If the provided challenge exceeds this limit, the operation must fail with
+                // ErrorCode.INVALID_INPUT_LENGTH (-21).
+                val challenge = parsedParams.attestationChallenge
+                if (challenge != null && challenge.size > 128) {
+                    SystemLogger.info(
+                        "Rejecting generateKey: attestation challenge length exceeds 128 bytes (${challenge.size})."
+                    )
+                    // Return INVALID_INPUT_LENGTH as defined by the KeyMint error codes.
+                    return InterceptorUtils.createErrorReply(-21, "Attestation challenge too large")
+                }
                 val keyId = KeyIdentifier(callingUid, keyDescriptor.alias)
                 val isAttestKeyRequest =
                     parsedParams.purpose.size == 1 &&
