-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathAttestationAsyncTask.java
189 lines (165 loc) · 8.06 KB
/
AttestationAsyncTask.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
package com.catherine.securitysample.safety_net;
import android.content.Context;
import android.os.AsyncTask;
import android.util.Log;
import android.view.View;
import android.widget.ProgressBar;
import com.catherine.securitysample.Algorithm;
import com.catherine.securitysample.BuildConfig;
import com.catherine.securitysample.Settings;
import com.catherine.securitysample.certificate.CertificatesManager;
import com.catherine.securitysample.certificate.KeySet;
import org.json.JSONArray;
import org.json.JSONObject;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
/**
* Created by Catherine on 2017/7/7.
*/
public class AttestationAsyncTask extends AsyncTask<String, Void, Boolean> {
public final static String TAG = "AttestationAsyncTask";
private ProgressBar progressBar;
private boolean runInBackground;
private Context ctx;
private String errorMessage;
private AttestationTaskCallback callback;
public AttestationAsyncTask(Context ctx, boolean runInBackground, AttestationTaskCallback callback) {
this.ctx = ctx;
this.callback = callback;
this.runInBackground = runInBackground;
}
protected void onPreExecute() {
if (runInBackground) {
progressBar = new ProgressBar(ctx);
progressBar.setVisibility(View.VISIBLE);
}
}
@Override
protected Boolean doInBackground(String... params) {
String jws = params[0];
// Log.d(TAG, "signatureToVerify:" + signatureToVerify);
try {
URL verifyApiUrl = new URL(Settings.GOOGLE_VERIFICATION_URL + BuildConfig.API_KEY);
HttpsURLConnection urlConnection = (HttpsURLConnection) verifyApiUrl.openConnection();
urlConnection.setRequestMethod("POST");
urlConnection.setRequestProperty("Content-Type", "application/json");
urlConnection.setConnectTimeout(10000);
urlConnection.setReadTimeout(5000);
urlConnection.setDoOutput(true);
//build post body { "signedAttestation": "<output of getJwsResult()>" }
String requestJsonBody = "{ \"signedAttestation\": \"" + jws + "\"}";
byte[] outputInBytes = requestJsonBody.getBytes("UTF-8");
OutputStream os = urlConnection.getOutputStream();
os.write(outputInBytes);
os.close();
urlConnection.connect();
//resp ={ “isValidSignature”: true }
int status = urlConnection.getResponseCode();
Log.d(TAG, "status: " + status);
if (status == 200) {
InputStream is = urlConnection.getInputStream();
StringBuilder sb = new StringBuilder();
BufferedReader rd = new BufferedReader(new InputStreamReader(is));
String line;
while ((line = rd.readLine()) != null) {
sb.append(line);
}
String response = sb.toString();
Log.d(TAG, "response: " + response);
JSONObject responseRoot = new JSONObject(response);
if (responseRoot.optBoolean("isValidSignature", false)) {
JwsHelper jwsHelper = new JwsHelper(jws);
AttestationResult result = new AttestationResult(jwsHelper.getDecodedPayload());
Log.d(TAG, result.toString());
List<X509Certificate> certs = jwsHelper.getX5CCertificates();
X509Certificate rootCert = CertificatesManager.downloadCaIssuersCert(KeySet.GIAG2_URL);
// Just verify one of the certificates which is belonged to "attest.android.com" in this case.
boolean isJwsHeaderLegal = false;
for (X509Certificate cert : certs) {
boolean isValid = CertificatesManager.validate(cert, rootCert);
CertificatesManager.printCertificatesInfo(cert);
if (isValid == true)
isJwsHeaderLegal = true;
}
// Verify the signature of JWS
boolean isJwsSignatureLegal = jwsHelper.verifySignature(Algorithm.ALG_SHA256_WITH_RSA);
Log.d(TAG, isJwsHeaderLegal + "," + isJwsSignatureLegal);
if (isJwsHeaderLegal && isJwsSignatureLegal) {
Log.d(TAG, "Android attestation JWS: verified!");
return true;
} else {
Log.d(TAG, "Android attestation JWS: failed to verify.");
return false;
}
} else {
errorMessage = "Error JSON response.";
return false;
}
} else if (status == 400) {
Log.e(TAG, "error status: 400");
errorMessage = "Check your API_KEY in gradle";
return false;
} else {
InputStream is = urlConnection.getErrorStream();
StringBuilder sb = new StringBuilder();
BufferedReader rd = new BufferedReader(new InputStreamReader(is));
String line;
while ((line = rd.readLine()) != null) {
sb.append(line);
}
String response = sb.toString();
Log.e(TAG, "error response: " + response);
JSONObject responseRoot = new JSONObject(response);
JSONObject responseBody = responseRoot.getJSONObject("error");
errorMessage = responseBody.optString("message", "error");
JSONArray errors = responseBody.getJSONArray("errors");
for (int i = 0; i < errors.length(); i++) {
JSONObject jo = errors.getJSONObject(i);
if ("usageLimits".equals(jo.optString("domain", ""))) {
// In this case, it means you've run out of the quota. You can verify the compatibility check response by yourself.
JwsHelper jwsHelper = new JwsHelper(jws);
AttestationResult result = new AttestationResult(jwsHelper.getDecodedPayload());
Log.d(TAG, result.toString());
List<X509Certificate> certs = jwsHelper.getX5CCertificates();
X509Certificate rootCert = CertificatesManager.downloadCaIssuersCert(KeySet.GIAG2_URL);
// Just verify one of the certificates which is belonged to "attest.android.com" in this case.
boolean isJwsHeaderLegal = false;
for (X509Certificate cert : certs) {
boolean isValid = CertificatesManager.validate(cert, rootCert);
CertificatesManager.printCertificatesInfo(cert);
if (isValid == true)
isJwsHeaderLegal = true;
}
// Verify the signature of JWS
boolean isJwsSignatureLegal = jwsHelper.verifySignature(Algorithm.ALG_SHA256_WITH_RSA);
if (isJwsHeaderLegal && isJwsSignatureLegal) {
Log.d(TAG, "Android attestation JWS: verified!");
return true;
} else {
Log.d(TAG, "Android attestation JWS: failed to verify.");
return false;
}
}
}
return false;
}
} catch (Exception e) {
errorMessage = "Exception: " + e.getMessage();
Log.e(TAG, errorMessage, e);
return false;
}
}
@Override
protected void onPostExecute(Boolean b) {
if (b)
callback.success(b);
else
callback.error(errorMessage);
}
}