Fix hardware key attestation support (#715)

awly · web-flow · commit 6f3d1881a8d7 · 2025-11-12T14:43:50.000-08:00
Enable attestation key by default, any enforcement happens in control. Also, make the HashMap for tracking loaded keys in HardwareKeyStore a singleton, so that multiple instances of HardwareKeyStore created in App.kt don't lose the state of the loaded keys. Updates tailscale/tailscale#15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
diff --git a/android/src/main/java/com/tailscale/ipn/App.kt b/android/src/main/java/com/tailscale/ipn/App.kt
@@ -151,7 +151,7 @@ class App : UninitializedApp(), libtailscale.AppContext, ViewModelStoreOwner {
     // Check if a directory URI has already been stored.
     val storedUri = getStoredDirectoryUri()
     val rm = getSystemService(Context.RESTRICTIONS_SERVICE) as RestrictionsManager
-    val hardwareAttestation = rm.applicationRestrictions.getBoolean(MDMSettings.KEY_HARDWARE_ATTESTATION, false)
+    val hardwareAttestation = rm.applicationRestrictions.getBoolean(MDMSettings.KEY_HARDWARE_ATTESTATION, true)
     if (storedUri != null && storedUri.toString().startsWith("content://")) {
       startLibtailscale(storedUri.toString(), hardwareAttestation)
     } else {
diff --git a/android/src/main/java/com/tailscale/ipn/util/HardwareKeyStore.kt b/android/src/main/java/com/tailscale/ipn/util/HardwareKeyStore.kt
@@ -2,7 +2,6 @@
 // SPDX-License-Identifier: BSD-3-Clause
 package com.tailscale.ipn.util
 
-import android.content.pm.PackageManager
 import android.os.Build
 import android.security.keystore.KeyGenParameterSpec
 import android.security.keystore.KeyProperties
@@ -18,7 +17,13 @@ class HardwareKeysNotSupported : Exception("hardware-backed keys are not support
 // HardwareKeyStore implements the callbacks necessary to implement key.HardwareAttestationKey on
 // the Go side. It uses KeyStore with a StrongBox processor.
 class HardwareKeyStore() {
-    var keyStoreKeys = HashMap<String, KeyPair>();
+    // keyStoreKeys should be a singleton. Even if multiple HardwareKeyStores are created, we should
+    // not create distinct underlying key maps.
+    companion object {
+        val keyStoreKeys: HashMap<String, KeyPair> by lazy {
+            HashMap<String, KeyPair>()
+        }
+    }
     val keyStore: KeyStore = KeyStore.getInstance("AndroidKeyStore").apply {
         load(null)
     }
diff --git a/libtailscale/keystore.go b/libtailscale/keystore.go
@@ -48,7 +48,7 @@ func (k *hardwareAttestationKey) fetchPublic() error {
 
 	pubRaw, err := k.appCtx.HardwareAttestationKeyPublic(k.id)
 	if err != nil {
-		return fmt.Errorf("loading public key from KeyStore: %w", err)
+		return fmt.Errorf("loading public key for id %q from KeyStore: %w", k.id, err)
 	}
 	pubAny, err := x509.ParsePKIXPublicKey(pubRaw)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ func (k *hardwareAttestationKey) fetchPublic() error {`
`48`	`48`
`49`	`49`	`pubRaw, err := k.appCtx.HardwareAttestationKeyPublic(k.id)`
`50`	`50`	`if err != nil {`
`51`		`- return fmt.Errorf("loading public key from KeyStore: %w", err)`
	`51`	`+ return fmt.Errorf("loading public key for id %q from KeyStore: %w", k.id, err)`
`52`	`52`	`}`
`53`	`53`	`pubAny, err := x509.ParsePKIXPublicKey(pubRaw)`
`54`	`54`	`if err != nil {`