googlesamples / android-play-safetynet

Samples for the Google SafetyNet Attestation API
Apache License 2.0
287 stars 133 forks

getRequestNonce() discards 'data' #32

Open pprindeville opened 3 years ago

pprindeville commented 3 years ago

Rewriting the description, the first line of the header block states:

Generates a 16-byte nonce with additional data.

but close to the top of the function, we see:

        byte[] bytes = new byte[24];
        mRandom.nextBytes(bytes);
        try {
            byteStream.write(bytes);

so that the nonce is always at least 24 bytes, plus whatever additional data comes in as a parameter. Is the return value meant to be the SHA256 of byteStream? Where is the number "16-byte" coming from?
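As an added example (not the sample project's own code), here is the nonce pattern the snippet above follows, with the matching server-side check a verifier would run on the nonce echoed back in the attestation JWS. The class and method names are assumed; the 24-byte random prefix is taken from the snippet, and the 16-byte figure is the minimum nonce length the SafetyNet Attestation API documentation requires.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public final class AttestationNonce {
    /** Random prefix length: the snippet uses 24 bytes, above the API's 16-byte minimum. */
    static final int RANDOM_LEN = 24;
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Client side: random prefix followed by the data to bind (user id, request id, ...). */
    static byte[] getRequestNonce(String data) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] random = new byte[RANDOM_LEN];
        RANDOM.nextBytes(random);
        try {
            out.write(random);
            out.write(data.getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            throw new IllegalStateException(e); // cannot happen for an in-memory stream
        }
        // Raw concatenation, not a hash: length is RANDOM_LEN + data length.
        return out.toByteArray();
    }

    /** Server side: strip the random prefix to recover the bound data for cross-checking. */
    static String boundData(byte[] nonce) {
        if (nonce.length < RANDOM_LEN) throw new IllegalArgumentException("nonce too short");
        return new String(Arrays.copyOfRange(nonce, RANDOM_LEN, nonce.length), StandardCharsets.UTF_8);
    }

    /** Constant-time comparison of the nonce echoed in the JWS (assumed standard Base64) against the one issued. */
    static boolean matchesIssued(String nonceFromJws, byte[] issued) {
        byte[] echoed = Base64.getDecoder().decode(nonceFromJws);
        return MessageDigest.isEqual(echoed, issued);
    }

    public static void main(String[] args) {
        byte[] nonce = getRequestNonce("user:42|req:7"); // constructed sample data
        String encoded = Base64.getEncoder().encodeToString(nonce);
        System.out.println("nonce bytes: " + nonce.length);
        System.out.println("bound data:  " + boundData(nonce));
        System.out.println("matches:     " + matchesIssued(encoded, nonce));
    }
}
```

The server must store the issued nonce (or enough to recompute it) per request so that a replayed attestation with an old nonce fails `matchesIssued`.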
