feat: Add RSA KeyStore attestation support

[linuxct]

Currently, the application only allowed verifying ECDSA keys as it lacked support for attesting RSA keys within the Android KeyStore. This PR adds support to perform a complete validation of the two currently supported asymmetric key types in the Android KeyStore.

A new menu option "Attest RSA key" was added for this purpose. Additionally, when exporting the keychain in p7b format, the keystore's type will be included as part of the filename to differentiate between the ECDSA (current default) and RSA.

Prebuilt CI outputs:

• Build on macOS-latest (sha256:4afa6a44cd3380fc1c57e4b94d7e8eec3d56d41dc2b8363d087e39a28f907d99)
• Build on ubuntu-latest (sha256:de6c89b55a6390fba4ee40459e2492759cf5c4351640c52d3a16c26905a45af7)
• Build on windows-latest (sha256:4130e6646f1a9d38f9b12d196aaec81c645abb27aa0264f084aac49ff38c9bee)
• Link to the CI run (for artifact attestation purposes)

[VisionR1]

More features, even better.

If you want you can look there:
https://github.com/VisionR1/KeyAttestation

[Vagelis1608]

@VisionR1 seeing that it's a single commit, think you could cherrypick it and include it in your own fork?

[VisionR1]

@VisionR1 seeing that it's a single commit, think you could cherrypick it and include it in your own fork?

Yeah, i can take all the changes, and merged manually, like i did with other features from the fork of chiteroman.

For that i write my above comment to see @linuxct and if want send a PR to my fork, or if I have permission to merged manually.

[VisionR1]

@Vagelis1608

Done. 👍 VisionR1#4
Now only the translation remains.

Thanks @linuxct, for this useful feature.

[salvogiangri]

@linuxct make sure to disable RSA attestation when SAK is enabled, as SAK only supports EC attestation.

[VisionR1]

@linuxct make sure to disable RSA attestation when SAK is enabled, as SAK only supports EC attestation.

Thanks for info, didn't know that, and i have already merge this PR with my fork.

So, in the AndroidKeyStore.java, in the generateKeyPair part, after boolean useSak) {

Must add something like this ?

    if (useSak && keyStoreKeyType == KeyStoreKeyType.RSA.ordinal()) {
        Log.e(AppApplication.TAG, "RSA attestation is not supported with SAK enabled.");
        var exception = new IllegalArgumentException("RSA attestation is not supported when SAK is enabled.");
        var buf = new ByteArrayOutputStream(2048);
        try (var out = new ObjectOutputStream(buf)) {
            out.writeObject(exception);
        } catch (IOException e) {
            throw new IllegalStateException(e.getMessage());
        }
        return buf.toByteArray();
    } 

[salvogiangri]

It's better to disable the toggle/attestation in HomeFragment.kt & HomeViewModel.kt just like it's currently done with attest key/strongbox.

KeyAttestation/app/src/main/java/io/github/vvb2060/keyattestation/home/HomeFragment.kt

Lines 145 to 146 in e9454a2

	menu.findItem(R.id.menu_use_strongbox)?.isVisible = !viewModel.preferSak
	menu.findItem(R.id.menu_use_attest_key)?.isVisible = !viewModel.preferSak

KeyAttestation/app/src/main/java/io/github/vvb2060/keyattestation/home/HomeViewModel.kt

Lines 193 to 194 in e9454a2

	val useAttestKey = hasAttestKey && preferAttestKey && !useSak
	val useStrongBox = hasStrongBox && preferStrongBox && !useSak

[salvogiangri]

menu.findItem(R.id.menu_attest_rsa_key)?.isVisible = !viewModel.preferSak

val attestKeyStoreKeyType =
    if (preferAttestRsaKey && !useSak) { KeyStoreKeyType.RSA }
    else { KeyStoreKeyType.ECDSA }

[VisionR1]

Oh yeah, i forgot we can disable by default the toggle when use Sak, much more simple.

Thanks @salvogiangri for the idea.

EDIT: Added.