microg / GmsCore

Free implementation of Play Services
https://microg.org
Apache License 2.0
8.14k stars 1.69k forks

Use Google's "Softcert" for SafetyNet #1470

Open dylangerdaly opened 3 years ago

dylangerdaly commented 3 years ago

Wire Google's "Soft Cert" into microG's implementation of SafetyNet. I believe this cert is currently used for Android VM targets (Cuttlefish).

https://android.googlesource.com/platform/system/keymaster/+/refs/heads/master/contexts/soft_attestation_cert.cpp#28

Note: I have no idea if this cert/keypair is trusted

Diapolo commented 3 years ago

Would this allow passing SafetyNet?

ArchangeGabriel commented 3 years ago

Not sure, and not likely I would say. That being said, on the SafetyNet front there is recent evidence that @mar-v-in has SafetyNet working on his end (https://github.com/corona-warn-app/cwa-wishlist/issues/356#issuecomment-772662697 and his next message right after this one), but there is a gap between having it working in the dev environment of an expert and having it working on everyone's setup (though he is clearly working on it, e.g. https://github.com/microg/GmsCore/commit/3d2c7e95237ee6bc8308f57627fb3530f3dbaf85 and https://github.com/microg/GmsCore/commit/1a809e0e478718ef7422b231a9d6b35652b79824).

dylangerdaly commented 3 years ago

The above cert is specifically for attestation. This should allow for Android Key Attestation and, by extension, GooglePay for example. I haven't checked the status of the key, but I think it's trusted. I believe this key is being used for Android running on a VM for ChromeOS (crosvm).

The key itself was added to the repo like 5 months ago, so I think it would be valid. I don't think Google have figured out how to "pass down" keymaster to a host OS yet. Also, I think some Chromebooks don't have a valid Attestation Key provisioned onto their hosts, so the only way to get Android Key Attestation working within a VM would be to use a "soft key".

Pub RSA cert below

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, L = Mountain View, O = "Google, Inc.", OU = Android
        Validity
            Not Before: Jan  4 12:40:53 2016 GMT
            Not After : Dec 30 12:40:53 2035 GMT
        Subject: C = US, ST = California, O = "Google, Inc.", OU = Android, CN = Android Software Attestation Key
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D4:0C:10:1B:F8:CD:63:B9:F7:39:52:B5:0E:13:5C:A6:D7:99:93:86
            X509v3 Authority Key Identifier: 
                keyid:29:FA:F1:AC:CC:4D:D2:4C:96:40:27:75:B6:B0:E9:32:E5:07:FE:2E

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
    Signature Algorithm: sha256WithRSAEncryption
fembyfox commented 3 years ago

Not sure, and not likely I would say. That being said, on the SafetyNet front there is recent evidence that @mar-v-in has SafetyNet working on his end (corona-warn-app/cwa-wishlist#356 (comment) and his next message right after this one), but there is a gap between having it working in the dev environment of an expert and having it working on everyone's setup (though he is clearly working on it, e.g. 3d2c7e9 and 1a809e0).

The latest DroidGuard made attestation work (needed for TextNow sign-in) but no pass, but at least I can check now. Not sure how to add DroidGuard to system on a dynamic partition device :/

mar-v-in commented 2 years ago

I doubt that this key is of any use for passing SafetyNet. This is meant to have a software implementation of the normally hardware-backed keymaster attestation feature. While this is likely being used in SafetyNet, the attestation key is still required to match the CTS device profile. No CTS-supported device with hardware-backed attestation uses this key, so it won't be useful to match any device profile.

The keymaster attestation feature does not require Google services and also works on custom ROMs. However, the hardware might use a different key for unlocked bootloaders, which again would cause SafetyNet to fail as the key does not match the production device profile. As long as the bootloader is not unlocked, this part shouldn't be an issue for microG.
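
The point made in the last comment, seen from the side of a service that verifies key attestation, as an added example that is not part of the thread or of microG's code: it parses the fields of the `openssl x509 -text` dump posted above and lists why a chain containing that certificate would not be accepted as hardware-backed. The function names and the `MIN_RSA_BITS` policy value are assumptions; the sample text is constructed from the dump in the thread with the key and signature bytes left out.

```python
import re

# Constructed input: fields of the `openssl x509 -text` dump posted in the
# thread, with the modulus and signature bytes left out.
SOFT_CERT_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, L = Mountain View, O = "Google, Inc.", OU = Android
        Subject: C = US, ST = California, O = "Google, Inc.", OU = Android, CN = Android Software Attestation Key
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
"""

MIN_RSA_BITS = 2048  # assumed relying-party policy, not a value from the thread


def parse_openssl_text(text):
    """Extract the fields a relying party would inspect from openssl text output."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text, re.MULTILINE)
        return cast(m.group(1)) if m else None
    return {
        "issuer": grab(r"^\s*Issuer:\s*(.+)$"),
        "subject_cn": grab(r"^\s*Subject:.*\bCN\s*=\s*(.+?)\s*$"),
        "rsa_bits": grab(r"Public-Key:\s*\((\d+) bit\)", int),
        "is_ca": grab(r"^\s*CA:(TRUE|FALSE)", lambda v: v == "TRUE"),
    }


def assess_attestation_cert(cert):
    """Return reasons to treat a chain containing this cert as not hardware-backed."""
    reasons = []
    if cert["subject_cn"] and "software attestation" in cert["subject_cn"].lower():
        reasons.append("software attestation key: no hardware-backed keymaster behind it")
    if cert["rsa_bits"] is not None and cert["rsa_bits"] < MIN_RSA_BITS:
        reasons.append(f"RSA key is {cert['rsa_bits']} bits, below {MIN_RSA_BITS}")
    return reasons


if __name__ == "__main__":
    parsed = parse_openssl_text(SOFT_CERT_TEXT)
    for reason in assess_attestation_cert(parsed):
        print("reject:", reason)
```

Matching on the subject name is only a triage heuristic; a real verifier validates the full chain and compares the root public key against the pinned hardware attestation root.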