Keystore: Spoof locked bootloader on local attestations

based from: https://github.com/chiteroman/BootloaderSpoofer

Squashed:

    From: minaripenguin <minaripenguin@users.noreply.github.com>
    Date: Tue, 5 Dec 2023 19:56:07 +0800
    Subject: fixup! Keystore: Spoof locked bootloader on local attestations

    * as reported by sir shamik without this fixup, bootloader is detected as unlocked on keystore attestation app.
    * thanks to ghostrider-reborn for the references and clarification about the injection

    reference: RisingTechOSS/android_frameworks_base@d57f22f#r134217184

    test: m confirmed that key attestation 1.5.0 detects device bootloader state as locked

    Signed-off-by: minaripenguin <minaripenguin@users.noreply.github.com>

Co-authored-by: chiteroman <98092901+chiteroman@users.noreply.github.com>
Signed-off-by: minaripenguin <minaripenguin@users.noreply.github.com>
Signed-off-by: Pranav Vashi <neobuddy89@gmail.com>
Change-Id: I5e26589555d903d626bbc2fa60daec405ad09f6b
Signed-off-by: clarencelol <clarencekuiek@proton.me>
Signed-off-by: NRanjan-17 <nalinishranjan05@gmail.com>

Author: 2 people

keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java

@@ -87,6 +87,7 @@
 import java.util.Enumeration;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Locale;
 import java.util.NoSuchElementException;
 
 import javax.crypto.SecretKey;
@@ -177,6 +178,20 @@ private KeyEntryResponse getKeyMetadata(String alias) {
         }
     }
 
+    private static int indexOf(byte[] array) {
+        final byte[] PATTERN = {48, 74, 4, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 10, 1, 2};
+        outer:
+        for (int i = 0; i < array.length - PATTERN.length + 1; i++) {
+            for (int j = 0; j < PATTERN.length; j++) {
+                if (array[i + j] != PATTERN[j]) {
+                    continue outer;
+                }
+            }
+            return i;
+        }
+        return -1;
+    }
+
     @Override
     public Certificate[] engineGetCertificateChain(String alias) {
         PropImitationHooks.onEngineGetCertificateChain();
@@ -192,15 +207,28 @@ public Certificate[] engineGetCertificateChain(String alias) {
             return null;
         }
 
-        final Certificate[] caList;
+        X509Certificate modLeaf = leaf;
+        try {
+            byte[] bytes = leaf.getEncoded();
+            if (bytes != null && bytes.length > 0) {
+                int index = indexOf(bytes);
+                if (index != -1) {
+                    bytes[index + 38] = 1;
+                    bytes[index + 41] = 0;
+                    CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+                    X509Certificate modCert = (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(bytes));
+                    modLeaf = modCert;
+                }
+            }
+        } catch (CertificateException e) {
+            return null;
+        }
 
         final byte[] caBytes = response.metadata.certificateChain;
-
+        final Certificate[] caList;
         if (caBytes != null) {
             final Collection<X509Certificate> caChain = toCertificates(caBytes);
-
             caList = new Certificate[caChain.size() + 1];
-
             final Iterator<X509Certificate> it = caChain.iterator();
             int i = 1;
             while (it.hasNext()) {
@@ -209,9 +237,7 @@ public Certificate[] engineGetCertificateChain(String alias) {
         } else {
             caList = new Certificate[1];
         }
-
-        caList[0] = leaf;
-
+        caList[0] = modLeaf;
         return caList;
     }