PI: Fix Failed to generate key pair and related crashes

Author: DaVinci9196

vending-app/src/main/kotlin/com/google/android/finsky/IntegrityExtensions.kt

@@ -182,11 +182,16 @@ fun fetchCertificateChain(context: Context, attestationChallenge: ByteArray?): L
     if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.N) {
         val devicePropertiesAttestationIncluded = context.packageManager.hasSystemFeature("android.software.device_id_attestation")
         val keyGenParameterSpecBuilder =
-            KeyGenParameterSpec.Builder("integrity.api.key.alias", KeyProperties.PURPOSE_SIGN).setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1")).setDigests(KeyProperties.DIGEST_SHA512)
-                .setAttestationChallenge(attestationChallenge)
-        if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.S) {
-            keyGenParameterSpecBuilder.setDevicePropertiesAttestationIncluded(devicePropertiesAttestationIncluded)
-        }
+            KeyGenParameterSpec.Builder("integrity.api.key.alias", KeyProperties.PURPOSE_SIGN).apply {
+                this.setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
+                this.setDigests(KeyProperties.DIGEST_SHA512)
+                if (devicePropertiesAttestationIncluded){
+                    this.setAttestationChallenge(attestationChallenge)
+                }
+                if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.S) {
+                    this.setDevicePropertiesAttestationIncluded(devicePropertiesAttestationIncluded)
+                }
+            }
         val keyGenParameterSpec = keyGenParameterSpecBuilder.build()
         val keyPairGenerator = KeyPairGenerator.getInstance("EC", "AndroidKeyStore").apply {
             initialize(keyGenParameterSpec)

vending-app/src/main/kotlin/com/google/android/finsky/expressintegrityservice/ExpressIntegrityService.kt

@@ -229,52 +229,52 @@ private class ExpressIntegrityServiceImpl(private val context: Context, override
     override fun requestExpressIntegrityToken(bundle: Bundle, callback: IExpressIntegrityServiceCallback?) {
         Log.d(TAG, "requestExpressIntegrityToken bundle:$bundle")
         lifecycleScope.launchWhenCreated {
-            val expressIntegritySession = ExpressIntegritySession(
-                packageName = bundle.getString(KEY_PACKAGE_NAME) ?: "",
-                cloudProjectVersion = bundle.getLong(KEY_CLOUD_PROJECT, 0L),
-                sessionId = Random.nextLong(),
-                requestHash = bundle.getString(KEY_NONCE),
-                originatingWarmUpSessionId = bundle.getLong(KEY_WARM_UP_SID, 0),
-                verdictOptOut = bundle.getIntegerArrayList(KEY_REQUEST_VERDICT_OPT_OUT),
-                webViewRequestMode = bundle.getInt(KEY_REQUEST_MODE, 0)
-            )
-
-            if (TextUtils.isEmpty(expressIntegritySession.packageName)) {
-                Log.w(TAG, "packageName is empty.")
-                callback?.onRequestResult(bundleOf(KEY_ERROR to IntegrityErrorCode.INTERNAL_ERROR))
-                return@launchWhenCreated
-            }
-
-            if (expressIntegritySession.cloudProjectVersion <= 0L) {
-                Log.w(TAG, "cloudProjectVersion error")
-                callback?.onRequestResult(bundleOf(KEY_ERROR to IntegrityErrorCode.CLOUD_PROJECT_NUMBER_IS_INVALID))
-                return@launchWhenCreated
-            }
+            runCatching {
+                val expressIntegritySession = ExpressIntegritySession(
+                    packageName = bundle.getString(KEY_PACKAGE_NAME) ?: "",
+                    cloudProjectVersion = bundle.getLong(KEY_CLOUD_PROJECT, 0L),
+                    sessionId = Random.nextLong(),
+                    requestHash = bundle.getString(KEY_NONCE),
+                    originatingWarmUpSessionId = bundle.getLong(KEY_WARM_UP_SID, 0),
+                    verdictOptOut = bundle.getIntegerArrayList(KEY_REQUEST_VERDICT_OPT_OUT),
+                    webViewRequestMode = bundle.getInt(KEY_REQUEST_MODE, 0)
+                )
 
-            if (expressIntegritySession.requestHash?.length!! > 500) {
-                Log.w(TAG, "requestHash error")
-                callback?.onRequestResult(bundleOf(KEY_ERROR to IntegrityErrorCode.REQUEST_HASH_TOO_LONG))
-                return@launchWhenCreated
-            }
+                if (TextUtils.isEmpty(expressIntegritySession.packageName)) {
+                    Log.w(TAG, "packageName is empty.")
+                    callback?.onRequestResult(bundleOf(KEY_ERROR to IntegrityErrorCode.INTERNAL_ERROR))
+                    return@launchWhenCreated
+                }
 
-            updateExpressSessionTime(context, expressIntegritySession, refreshWarmUpMethodTime = false, refreshRequestMethodTime = true)
+                if (expressIntegritySession.cloudProjectVersion <= 0L) {
+                    Log.w(TAG, "cloudProjectVersion error")
+                    callback?.onRequestResult(bundleOf(KEY_ERROR to IntegrityErrorCode.CLOUD_PROJECT_NUMBER_IS_INVALID))
+                    return@launchWhenCreated
+                }
 
-            val defaultAccountName: String = runCatching {
-                if (expressIntegritySession.webViewRequestMode != 0) {
-                    RESULT_UN_AUTH
-                } else {
-                    AccountManager.get(context).getAccountsByType(DEFAULT_ACCOUNT_TYPE).firstOrNull()?.name ?: RESULT_UN_AUTH
+                if (expressIntegritySession.requestHash?.length!! > 500) {
+                    Log.w(TAG, "requestHash error")
+                    callback?.onRequestResult(bundleOf(KEY_ERROR to IntegrityErrorCode.REQUEST_HASH_TOO_LONG))
+                    return@launchWhenCreated
                 }
-            }.getOrDefault(RESULT_UN_AUTH)
 
-            val integrityRequestWrapper = getIntegrityRequestWrapper(context, expressIntegritySession, defaultAccountName)
-            if (integrityRequestWrapper == null) {
-                Log.w(TAG, "integrityRequestWrapper is null")
-                callback?.onRequestResult(bundleOf(KEY_ERROR to IntegrityErrorCode.INTEGRITY_TOKEN_PROVIDER_INVALID))
-                return@launchWhenCreated
-            }
+                updateExpressSessionTime(context, expressIntegritySession, refreshWarmUpMethodTime = false, refreshRequestMethodTime = true)
+
+                val defaultAccountName: String = runCatching {
+                    if (expressIntegritySession.webViewRequestMode != 0) {
+                        RESULT_UN_AUTH
+                    } else {
+                        AccountManager.get(context).getAccountsByType(DEFAULT_ACCOUNT_TYPE).firstOrNull()?.name ?: RESULT_UN_AUTH
+                    }
+                }.getOrDefault(RESULT_UN_AUTH)
+
+                val integrityRequestWrapper = getIntegrityRequestWrapper(context, expressIntegritySession, defaultAccountName)
+                if (integrityRequestWrapper == null) {
+                    Log.w(TAG, "integrityRequestWrapper is null")
+                    callback?.onRequestResult(bundleOf(KEY_ERROR to IntegrityErrorCode.INTEGRITY_TOKEN_PROVIDER_INVALID))
+                    return@launchWhenCreated
+                }
 
-            try {
                 val integritySession = IntermediateIntegritySession.Builder().creationTime(makeTimestamp(System.currentTimeMillis())).requestHash(expressIntegritySession.requestHash)
                     .sessionId(Random.nextBytes(8).toByteString()).timestampMillis(0).build()
 
@@ -297,8 +297,8 @@ private class ExpressIntegrityServiceImpl(private val context: Context, override
                     )
                 )
                 Log.d(TAG, "requestExpressIntegrityToken token: $token, sid: ${expressIntegritySession.sessionId}, mode: ${expressIntegritySession.webViewRequestMode}")
-            } catch (exception: RemoteException) {
-                Log.e(TAG, "requesting token has failed for ${expressIntegritySession.packageName}.")
+            }.onFailure {
+                Log.e(TAG, "requesting token has failed for ${bundle.getString(KEY_PACKAGE_NAME)}.")
                 callback?.onRequestResult(bundleOf(KEY_ERROR to IntegrityErrorCode.INTEGRITY_TOKEN_PROVIDER_INVALID))
             }
         }