
Commit 0a587d28 authored by Clara Bayarri's avatar Clara Bayarri

Unlock Keystore/Keymaster separately for Work Challenge

The Keystore should be unlocked by the work challenge when
the work profile has its own lock, and should not be unlocked
by the device lock in this case.

Tested use cases:

When unified, both users have the password key set to the parent's
Setting a work challenge changes the work profile's password key to its
own
Unifying causes the work challenge key to be set to null first and then
when the device password is reset right after that it is reset to the
same as the parent
Unlocking when locks are unified unlocks both using the same password
key
Unlocking the device when not unified only unlocks the parent
Unlocking the work challenge only unlocks the work profile

Bug:26817206
Change-Id: I99dca279687f4f77636992e355dbdb607bbf7b6d
parent 342006e9
+34 −6
@@ -545,21 +545,49 @@ public class LockSettingsService extends ILockSettings.Stub {
        final UserManager um = (UserManager) mContext.getSystemService(USER_SERVICE);
        final KeyStore ks = KeyStore.getInstance();

        if (um.getUserInfo(userHandle).isManagedProfile()) {
            if (mLockPatternUtils.isSeparateProfileChallengeEnabled(userHandle)) {
                ks.onUserPasswordChanged(userHandle, password);
            } else {
                throw new RuntimeException("Can't set keystore password on a profile that "
                        + "doesn't have a profile challenge.");
            }
        } else {
            final List<UserInfo> profiles = um.getProfiles(userHandle);
            for (UserInfo pi : profiles) {
                // Change password on the given user and all its profiles that don't have
                // their own profile challenge enabled.
                if (pi.id == userHandle || (pi.isManagedProfile()
                        && !mLockPatternUtils.isSeparateProfileChallengeEnabled(pi.id))) {
                    ks.onUserPasswordChanged(pi.id, password);
                }
            }
        }
    }

    private void unlockKeystore(String password, int userHandle) {
        final UserManager um = (UserManager) mContext.getSystemService(USER_SERVICE);
        final KeyStore ks = KeyStore.getInstance();

        if (um.getUserInfo(userHandle).isManagedProfile()) {
            if (mLockPatternUtils.isSeparateProfileChallengeEnabled(userHandle)) {
                ks.unlock(userHandle, password);
            } else {
                throw new RuntimeException("Can't unlock a profile explicitly if it "
                        + "doesn't have a profile challenge.");
            }
        } else {
            final List<UserInfo> profiles = um.getProfiles(userHandle);
            for (UserInfo pi : profiles) {
                // Unlock the given user and all its profiles that don't have
                // their own profile challenge enabled.
                if (pi.id == userHandle || (pi.isManagedProfile()
                        && !mLockPatternUtils.isSeparateProfileChallengeEnabled(pi.id))) {
                    ks.unlock(pi.id, password);
                }
            }
        }
    }

    private void unlockUser(int userId, byte[] token, byte[] secret) {
        try {
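Review bot: The "which users does this credential cover" decision is now written twice, once in the password-change method at the top of the hunk (its signature is outside the hunk) and once in `unlockKeystore` at L62–L79, with the same `isManagedProfile` / `isSeparateProfileChallengeEnabled` branches; if one copy is later changed and the other is not, the keystore secret set for a profile and the secret used to unlock it can diverge, which is exactly the state this commit is trying to avoid. I would extract the profile-selection loop into one private helper and have both methods iterate its result, so the two paths cannot disagree. Neither method guards `um.getUserInfo(userHandle)` returning null before calling `isManagedProfile()` on it; a removed or unknown user would surface as a NullPointerException rather than a clear error, so a `if (info == null) throw new IllegalArgumentException("Unknown user " + userHandle);` check after the lookup would be worth adding. The two `throw new RuntimeException(...)` sites would also read better as `IllegalStateException`, since they describe a caller precondition violation.

```java
    // Users whose keystore is driven by userHandle's credential: the user itself plus any
    // managed profile of it that has not enabled its own profile challenge.
    private List<Integer> getUsersCoveredByCredential(UserManager um, int userHandle) {
        final List<Integer> covered = new ArrayList<>();
        for (UserInfo pi : um.getProfiles(userHandle)) {
            if (pi.id == userHandle || (pi.isManagedProfile()
                    && !mLockPatternUtils.isSeparateProfileChallengeEnabled(pi.id))) {
                covered.add(pi.id);
            }
        }
        return covered;
    }

    private void unlockKeystore(String password, int userHandle) {
        final UserManager um = (UserManager) mContext.getSystemService(USER_SERVICE);
        final KeyStore ks = KeyStore.getInstance();
        final UserInfo info = um.getUserInfo(userHandle);
        if (info == null) {
            throw new IllegalArgumentException("Unknown user " + userHandle);
        }
        if (info.isManagedProfile()) {
            // … unchanged: separate-challenge check, ks.unlock(userHandle, password) or throw …
        } else {
            for (int id : getUsersCoveredByCredential(um, userHandle)) {
                ks.unlock(id, password);
            }
        }
    }
    // … unchanged: the password-change method uses the same helper with ks.onUserPasswordChanged …
```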