From 195fedd03b0ece711c8a923a21ee67d72b2a5245 Mon Sep 17 00:00:00 2001
From: vvb2060
Date: Tue, 23 Jan 2024 05:32:03 +0800
Subject: [PATCH] add knox sakv2 root public key
Co-authored-by: BlackMesa123
---
 .../keyattestation/attestation/CertificateInfo.java | 12 +++++++++++-
 .../vvb2060/keyattestation/home/HomeAdapter.kt | 7 +++++++
 app/src/main/res/values-zh-rCN/strings.xml | 2 ++
 app/src/main/res/values/strings.xml | 2 ++
 4 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/app/src/main/java/io/github/vvb2060/keyattestation/attestation/CertificateInfo.java b/app/src/main/java/io/github/vvb2060/keyattestation/attestation/CertificateInfo.java
index 0b18006..b3e10d3 100644
--- a/app/src/main/java/io/github/vvb2060/keyattestation/attestation/CertificateInfo.java
+++ b/app/src/main/java/io/github/vvb2060/keyattestation/attestation/CertificateInfo.java
@@ -31,7 +31,8 @@ public class CertificateInfo {
 public static final int KEY_UNKNOWN = 0;
 public static final int KEY_AOSP = 1;
 public static final int KEY_GOOGLE = 2;
- public static final int KEY_OEM = 3;
+ public static final int KEY_KNOX = 3;
+ public static final int KEY_OEM = 4;
 public static final int CERT_UNKNOWN = 0;
 public static final int CERT_SIGN = 1;
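Review bot: `KEY_OEM` changes value from 3 to 4 so that `KEY_KNOX` can take 3, which silently changes the meaning of an existing public constant. Java inlines `static final int` values at compile time, so anything compiled against the old class, or any stored issuer value, would now read an OEM root as a Knox root, and the Knox entry is shown with the "trustworthy" icon and safe colour in HomeAdapter. No such consumer is visible in this hunk, so the risk may be theoretical. Appending the new value avoids the question: `public static final int KEY_KNOX = 4;` with `KEY_OEM` left at 3.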
@@ -63,9 +64,16 @@ public class CertificateInfo { "MdsGUmX4RFlXYfC78hdLt0GAZMAoDo9Sd47b0ke2RekZyOmLw9vCkT/X11DEHTVm" + "+Vfkl5YLCazOkjWFmwIDAQAB"; + private static final String KNOX_SAKV2_ROOT_PUBLIC_KEY = "" + + "MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBhbGuLrpql5I2WJmrE5kEVZOo+dgA" + + "46mKrVJf/sgzfzs2u7M9c1Y9ZkCEiiYkhTFE9vPbasmUfXybwgZ2EM30A1ABPd12" + + "4n3JbEDfsB/wnMH1AcgsJyJFPbETZiy42Fhwi+2BCA5bcHe7SrdkRIYSsdBRaKBo" + + "ZsapxB0gAOs0jSPRX5M="; + private static final byte[] googleKey = Base64.decode(GOOGLE_ROOT_PUBLIC_KEY, 0); private static final byte[] aospEcKey = Base64.decode(AOSP_ROOT_EC_PUBLIC_KEY, 0); private static final byte[] aospRsaKey = Base64.decode(AOSP_ROOT_RSA_PUBLIC_KEY, 0); + private static final byte[] knoxSakv2Key = Base64.decode(KNOX_SAKV2_ROOT_PUBLIC_KEY, 0); private static final Set oemKeys = getOemPublicKey(); private final X509Certificate cert; @@ -117,6 +125,8 @@ private void checkIssuer() { issuer = KEY_AOSP; } else if (Arrays.equals(publicKey, aospRsaKey)) { issuer = KEY_AOSP; + } else if (Arrays.equals(publicKey, knoxSakv2Key)) { + issuer = KEY_KNOX; } else if (oemKeys != null) { for (var key : oemKeys) { if (Arrays.equals(publicKey, key.getEncoded())) { diff --git a/app/src/main/java/io/github/vvb2060/keyattestation/home/HomeAdapter.kt b/app/src/main/java/io/github/vvb2060/keyattestation/home/HomeAdapter.kt index 4af1866..98c31df 100644 --- a/app/src/main/java/io/github/vvb2060/keyattestation/home/HomeAdapter.kt +++ b/app/src/main/java/io/github/vvb2060/keyattestation/home/HomeAdapter.kt 
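Review bot: `KNOX_SAKV2_ROOT_PUBLIC_KEY` becomes a pinned trust anchor but carries no record of where its bytes came from, so a later reviewer cannot check it against a root published by Samsung. The DER prefix appears to decode as an EC SubjectPublicKeyInfo on secp521r1, which is worth stating next to the constant together with its origin, for example `// Samsung Knox SAKv2 attestation root, EC P-521 SPKI; taken from <source certificate or URL>, SHA-256 <fingerprint placeholder>`. The same comment style would help the neighbouring Google and AOSP constants if they are undocumented outside this hunk.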
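Review bot: The new `knoxSakv2Key` branch in `checkIssuer()` assigns `KEY_KNOX` from a byte comparison of the public key alone, and a root public key is public information. The label only means something if the certificate's signature under that key was verified before this point. That check is not visible here, because `checkIssuer()` starts and ends outside the hunk. If the ordering holds, a comment would pin it down: `// publicKey comes from a root whose signature was already verified; a key match alone is not proof of origin`. If it does not hold, the comparison should be gated on the verification result so that an unverified chain stays `KEY_UNKNOWN`.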
@@ -63,6 +63,13 @@ class HomeAdapter(listener: Listener) : IdBasedRecyclerViewAdapter() { R.drawable.ic_trustworthy_24, rikka.material.R.attr.colorSafe), ID_CERT_STATUS) } + CertificateInfo.KEY_KNOX -> { + addItem(HeaderViewHolder.CREATOR, HeaderData( + R.string.knox_root_cert, + R.string.knox_root_cert_summary, + R.drawable.ic_trustworthy_24, + rikka.material.R.attr.colorSafe), ID_CERT_STATUS) + } CertificateInfo.KEY_OEM -> { addItem(HeaderViewHolder.CREATOR, HeaderData( R.string.oem_root_cert, diff --git a/app/src/main/res/values-zh-rCN/strings.xml b/app/src/main/res/values-zh-rCN/strings.xml index 539fd39..697b97f 100644 --- a/app/src/main/res/values-zh-rCN/strings.xml +++ b/app/src/main/res/values-zh-rCN/strings.xml @@ -23,6 +23,8 @@ 认证密钥的私钥众所周知,证书链可以被篡改。 由 Google 硬件认证根证书签名 兼容 GMS 的设备可以使用由 Google 签名的认证密钥。 + 由三星 Knox 认证根证书签名 + Knox 认证使用三星认证密钥(SAK)签名。 由设备制造商的根证书签名 此设备信任该根证书,但它可能不被其它人信任。 diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml index 55b8941..6ed1fc7 100644 --- a/app/src/main/res/values/strings.xml +++ b/app/src/main/res/values/strings.xml @@ -23,6 +23,8 @@ Private key of attest key is well known, the certificate chain can be tampered with. Google hardware attestation root certificate GMS compatible devices can use attest keys signed by Google. + Samsung Knox attestation root certificate + Knox attestation is signed using Samsung attestation key(SAK). OEM root certificate This device trusts this root certificate, but it may not be trusted by others.