Move attestation challenge check to certificate generation

Relocate the `attestationChallenge` length validation from `generateSoftwareKeyPair` to `generateCertificateChain`.

The challenge is only utilized during the construction of the certificate chain (via `AttestationBuilder.buildKeyDescription`). Placing the check in the key pair generation stage caused the logic to miss the `attestKey` transaction hook in `KeystoreInterceptor`.

This fixes a bug introduced in 6e05579 which missed the detection bypass for Android 10 and 11 devices.

Author: JingMatrix

app/src/main/java/org/matrix/TEESimulator/pki/CertificateGenerator.kt

@@ -43,15 +43,6 @@ object CertificateGenerator {
      */
     fun generateSoftwareKeyPair(params: KeyMintAttestation): KeyPair? {
         return runCatching {
-                val challenge = params.attestationChallenge
-                if (
-                    challenge != null &&
-                        challenge.size > AttestationConstants.CHALLENGE_LENGTH_LIMIT
-                )
-                    throw IllegalArgumentException(
-                        "Attestation challenge exceeds length limit (${challenge.size!!} > ${AttestationConstants.CHALLENGE_LENGTH_LIMIT})"
-                    )
-
                 val (algorithm, spec) =
                     when (params.algorithm) {
                         Algorithm.EC -> "EC" to ECGenParameterSpec(params.ecCurveName)
@@ -90,6 +81,12 @@ object CertificateGenerator {
         params: KeyMintAttestation,
         securityLevel: Int,
     ): List<Certificate>? {
+        val challenge = params.attestationChallenge
+        if (challenge != null && challenge.size > AttestationConstants.CHALLENGE_LENGTH_LIMIT)
+            throw IllegalArgumentException(
+                "Attestation challenge exceeds length limit (${challenge.size!!} > ${AttestationConstants.CHALLENGE_LENGTH_LIMIT})"
+            )
+
         return runCatching {
                 val keybox = getKeyboxForAlgorithm(uid, params.algorithm)