From 35751351e64244e0908a8ebbd7a82843209a62de Mon Sep 17 00:00:00 2001
From: Bruno Michel
Date: Thu, 25 Jan 2024 16:46:21 +0100
Subject: [PATCH] Fix digest comparison for Play Integrity API

Google was using a standard base64 for the certificate digest in the Safety Net API, buit it's now the URL-safe variant for Play Integrity.
---
 model/oauth/android_play_integrity.go | 10 +++++++++-
 model/oauth/android_safety_net.go | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/model/oauth/android_play_integrity.go b/model/oauth/android_play_integrity.go
index 9cb3f0aa9bc..c152a165b8a 100644
--- a/model/oauth/android_play_integrity.go
+++ b/model/oauth/android_play_integrity.go
@@ -203,9 +203,17 @@ func checkPlayIntegrityCertificateDigest(claims jwt.MapClaims) error {
 if digest == certDigest[0] {
 return nil
 }
+ // XXX Google was using standard base64 for SafetyNet, but the safe-URL
+ // variant for Play Integrity...
+ urlSafeDigest := strings.TrimRight(digest, "=")
+ urlSafeDigest = strings.ReplaceAll(urlSafeDigest, "+", "-")
+ urlSafeDigest = strings.ReplaceAll(urlSafeDigest, "/", "_")
+ if urlSafeDigest == certDigest[0] {
+ return nil
+ }
 }
 logger.WithNamespace("oauth").
- Debugf("Invalid certificate digest, expected %s, got %s", digests[0], certDigest)
+ Debugf("Invalid certificate digest, expected %s, got %s", digests[0], certDigest[0])
 return errors.New("invalid certificate digest")
 }
diff --git a/model/oauth/android_safety_net.go b/model/oauth/android_safety_net.go
index 682084116c7..3c9ad38cfdb 100644
--- a/model/oauth/android_safety_net.go
+++ b/model/oauth/android_safety_net.go
@@ -74,7 +74,7 @@ func checkSafetyNetCertificateDigest(claims jwt.MapClaims) error {
 }
 }
 logger.WithNamespace("oauth").
- Debugf("Invalid certificate digest, expected %s, got %s", digests[0], certDigest)
+ Debugf("Invalid certificate digest, expected %s, got %s", digests[0], certDigest[0])
 return errors.New("invalid certificate digest")
 }
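Review bot: The new fallback in checkPlayIntegrityCertificateDigest rewrites only the configured `digest` into unpadded URL-safe form and then compares strings, so a genuine Play Integrity digest would be rejected if the claim ever arrives with `=` padding, and one hash now has two spellings to keep in step. Comparing decoded bytes is less brittle and still fails closed on malformed input: decode the configured value with `base64.StdEncoding.DecodeString(digest)`, decode the claim with `base64.RawURLEncoding.DecodeString` after trimming `=`, and accept only on `bytes.Equal`. The element type of `certDigest` and the file's imports are not visible in this hunk, so a string assertion on `certDigest[0]` and the `bytes` / `encoding/base64` imports may be needed. The enclosing loop and the function body start outside the hunk.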
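Review bot: `certDigest[0]` comes from the attestation claims and is written to the debug log with `%s`, so any newline or control character in it would reach the log unescaped; quoting it keeps each log entry on one line: `Debugf("Invalid certificate digest, expected %s, got %q", digests[0], certDigest[0])`. The changed Debugf line in android_play_integrity.go has the same form. Whether the token's signature has already been verified when this runs is not visible here, and checkSafetyNetCertificateDigest starts outside the hunk.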