Fix hardware key attestation support

Enable attestation key by default; any enforcement happens in control.
Also, make the HashMap for tracking loaded keys in HardwareKeyStore a
singleton, so that multiple instances of HardwareKeyStore created in
App.kt don't lose the state of the loaded keys.

Updates https://github.com/tailscale/tailscale/issues/15830

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
pull/715/head
Andrew Lytvynov 3 weeks ago
parent d62efaa365
commit 2f8cc27f0b
No known key found for this signature in database

@ -151,7 +151,7 @@ class App : UninitializedApp(), libtailscale.AppContext, ViewModelStoreOwner {
// Check if a directory URI has already been stored.
val storedUri = getStoredDirectoryUri()
val rm = getSystemService(Context.RESTRICTIONS_SERVICE) as RestrictionsManager
val hardwareAttestation = rm.applicationRestrictions.getBoolean(MDMSettings.KEY_HARDWARE_ATTESTATION, false)
val hardwareAttestation = rm.applicationRestrictions.getBoolean(MDMSettings.KEY_HARDWARE_ATTESTATION, true)
if (storedUri != null && storedUri.toString().startsWith("content://")) {
startLibtailscale(storedUri.toString(), hardwareAttestation)
} else {
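Review bot: The new default on the `getBoolean(MDMSettings.KEY_HARDWARE_ATTESTATION, true)` line means every install without an MDM-provided value now passes `hardwareAttestation = true` to `startLibtailscale`, and nothing at the call site explains that choice. The HardwareKeyStore file declares `HardwareKeysNotSupported` and relies on a StrongBox processor, but how a device without hardware-backed keys behaves on this default-on path is not visible in the hunk and should be confirmed. I would add a comment above the line such as `// Default on: MDM can only opt out. Control decides enforcement; devices without hardware-backed keys must fall back cleanly.` The enclosing function starts and ends outside the hunk.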

@ -2,7 +2,6 @@
// SPDX-License-Identifier: BSD-3-Clause
package com.tailscale.ipn.util
import android.content.pm.PackageManager
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
@ -18,7 +17,13 @@ class HardwareKeysNotSupported : Exception("hardware-backed keys are not support
// HardwareKeyStore implements the callbacks necessary to implement key.HardwareAttestationKey on
// the Go side. It uses KeyStore with a StrongBox processor.
class HardwareKeyStore() {
var keyStoreKeys = HashMap<String, KeyPair>();
// keyStoreKeys should be a singleton. Even if multiple HardwareKeyStores are created, we should
// not create distinct underlying key maps.
companion object {
val keyStoreKeys: HashMap<String, KeyPair> by lazy {
HashMap<String, KeyPair>()
}
}
val keyStore: KeyStore = KeyStore.getInstance("AndroidKeyStore").apply {
load(null)
}
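Review bot: The shared `keyStoreKeys` in the companion object is a plain `HashMap`, so now that it is process-wide, any two `HardwareKeyStore` instances used from different threads would mutate it without synchronization. Whether the Go-side callbacks can arrive on more than one thread is not visible here; if they can, I would declare it as `val keyStoreKeys: MutableMap<String, KeyPair> = ConcurrentHashMap()` and import `java.util.concurrent.ConcurrentHashMap`. The `by lazy` wrapper only guards creation of the empty map, not later reads and writes, and companion initialisation is already deferred until the class is first used. The member is also public and mutable, so any caller can remove or replace a loaded key pair; `private` would be the safer default if nothing outside the class reads it. The class body continues outside the hunk.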

@ -48,7 +48,7 @@ func (k *hardwareAttestationKey) fetchPublic() error {
pubRaw, err := k.appCtx.HardwareAttestationKeyPublic(k.id)
if err != nil {
return fmt.Errorf("loading public key from KeyStore: %w", err)
return fmt.Errorf("loading public key for id %q from KeyStore: %w", k.id, err)
}
pubAny, err := x509.ParsePKIXPublicKey(pubRaw)
if err != nil {
