Loading services/core/java/com/android/server/locksettings/LockSettingsService.java +6 −21 Original line number Diff line number Diff line Loading @@ -1587,7 +1587,7 @@ public class LockSettingsService extends ILockSettings.Stub { if (!savedCredential.isNone()) { throw new IllegalStateException("Saved credential given, but user has no SP"); } initializeSyntheticPasswordLocked(savedCredential, userId); initializeSyntheticPasswordLocked(userId); } else if (savedCredential.isNone() && isProfileWithUnifiedLock(userId)) { // get credential from keystore when profile has unified lock try { Loading Loading 
@@ -2513,35 +2513,21 @@ public class LockSettingsService extends ILockSettings.Stub { } /** * Creates the synthetic password (SP) for the given user and protects it with the user's LSKF. * Creates the synthetic password (SP) for the given user and protects it with an empty LSKF. * This is called just once in the lifetime of the user: the first time a nonempty LSKF is set, * or when an escrow token is activated on a device with an empty LSKF. * * Maintains the SP invariants described in {@link SyntheticPasswordManager}. */ @GuardedBy("mSpManager") @VisibleForTesting SyntheticPassword initializeSyntheticPasswordLocked(LockscreenCredential credential, int userId) { SyntheticPassword initializeSyntheticPasswordLocked(int userId) { Slog.i(TAG, "Initialize SyntheticPassword for user: " + userId); Preconditions.checkState(getCurrentLskfBasedProtectorId(userId) == SyntheticPasswordManager.NULL_PROTECTOR_ID, "Cannot reinitialize SP"); final SyntheticPassword sp = mSpManager.newSyntheticPassword(userId); long protectorId = mSpManager.createLskfBasedProtector(getGateKeeperService(), credential, sp, userId); if (!credential.isNone()) { mSpManager.newSidForUser(getGateKeeperService(), sp, userId); mSpManager.verifyChallenge(getGateKeeperService(), sp, 0L, userId); setUserKeyProtection(userId, sp.deriveFileBasedEncryptionKey()); setKeystorePassword(sp.deriveKeyStorePassword(), userId); } else { clearUserKeyProtection(userId, null); setKeystorePassword(null, userId); gateKeeperClearSecureUserId(userId); } fixateNewestUserKeyAuth(userId); final long protectorId = mSpManager.createLskfBasedProtector(getGateKeeperService(), LockscreenCredential.createNone(), sp, userId); setCurrentLskfBasedProtectorId(protectorId, userId); onSyntheticPasswordKnown(userId, sp); return sp; Loading Loading 
@@ -2818,8 +2804,7 @@ public class LockSettingsService extends ILockSettings.Stub { if (!isUserSecure(userId)) { long protectorId = getCurrentLskfBasedProtectorId(userId); if (protectorId == SyntheticPasswordManager.NULL_PROTECTOR_ID) { sp = initializeSyntheticPasswordLocked(LockscreenCredential.createNone(), userId); sp = initializeSyntheticPasswordLocked(userId); } else { sp = mSpManager.unlockLskfBasedProtector(getGateKeeperService(), protectorId, LockscreenCredential.createNone(), userId, null).syntheticPassword; Loading services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java +4 −1 Original line number Diff line number Diff line Loading @@ -369,6 +369,8 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests { throws Exception { final LockscreenCredential parentPassword = newPassword("parentPassword"); final LockscreenCredential profilePassword = newPattern("12345"); mService.setSeparateProfileChallengeEnabled( MANAGED_PROFILE_USER_ID, true, profilePassword); initializeStorageWithCredential(PRIMARY_USER_ID, parentPassword); // Create and verify separate profile credentials. testCreateCredential(MANAGED_PROFILE_USER_ID, profilePassword); Loading Loading @@ -550,11 +552,12 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests { throws RemoteException { assertEquals(0, mGateKeeperService.getSecureUserId(userId)); synchronized (mService.mSpManager) { mService.initializeSyntheticPasswordLocked(credential, userId); mService.initializeSyntheticPasswordLocked(userId); } if (credential.isNone()) { assertEquals(0, mGateKeeperService.getSecureUserId(userId)); } else { assertTrue(mService.setLockCredential(credential, nonePassword(), userId)); assertNotEquals(0, mGateKeeperService.getSecureUserId(userId)); } } Loading Loading
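Review bot: The rewritten `initializeSyntheticPasswordLocked(int userId)` (second hunk of LockSettingsService.java) drops every state-reset call the old empty-credential branch made, namely `clearUserKeyProtection(userId, null)`, `setKeystorePassword(null, userId)` and `gateKeeperClearSecureUserId(userId)`, as well as the `fixateNewestUserKeyAuth(userId)` that followed both branches. That looks safe only if a user reaching this method can never already hold a GateKeeper SID, a Keystore password or user key protection, and the only guard visible in the hunk is the `checkState` on the LSKF-based protector ID. I would record that assumption next to the `createLskfBasedProtector` call, for example `// No LSKF-based protector exists yet, so there is no SID, Keystore password or user key protection to clear here.`. The Javadoc now says the SP is protected with an empty LSKF while still saying the method runs "the first time a nonempty LSKF is set". It needs one more sentence saying that the caller re-protects the SP with the real credential afterwards; that caller code is outside the hunks shown, so this is inferred.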
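Review bot: In the test helper changed by the hunk at -550 (presumably `initializeStorageWithCredential`; its signature is outside the hunk), the nonempty-credential branch reads the GateKeeper SID only after `setLockCredential(...)`. Nothing asserts that `initializeSyntheticPasswordLocked(userId)` on its own leaves the user without a SID. The service-side change is precisely that SP creation no longer enrolls anything, so the zero check should run unconditionally right after the `synchronized` block: `assertEquals(0, mGateKeeperService.getSecureUserId(userId));`. The `if (!credential.isNone())` branch then keeps only the `setLockCredential` / `assertNotEquals` pair. That way a regression that reintroduces SID enrollment during initialization fails the test for both credential types.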
services/core/java/com/android/server/locksettings/LockSettingsService.java +6 −21 Original line number Diff line number Diff line Loading @@ -1587,7 +1587,7 @@ public class LockSettingsService extends ILockSettings.Stub { if (!savedCredential.isNone()) { throw new IllegalStateException("Saved credential given, but user has no SP"); } initializeSyntheticPasswordLocked(savedCredential, userId); initializeSyntheticPasswordLocked(userId); } else if (savedCredential.isNone() && isProfileWithUnifiedLock(userId)) { // get credential from keystore when profile has unified lock try { Loading Loading 
@@ -2513,35 +2513,21 @@ public class LockSettingsService extends ILockSettings.Stub { } /** * Creates the synthetic password (SP) for the given user and protects it with the user's LSKF. * Creates the synthetic password (SP) for the given user and protects it with an empty LSKF. * This is called just once in the lifetime of the user: the first time a nonempty LSKF is set, * or when an escrow token is activated on a device with an empty LSKF. * * Maintains the SP invariants described in {@link SyntheticPasswordManager}. */ @GuardedBy("mSpManager") @VisibleForTesting SyntheticPassword initializeSyntheticPasswordLocked(LockscreenCredential credential, int userId) { SyntheticPassword initializeSyntheticPasswordLocked(int userId) { Slog.i(TAG, "Initialize SyntheticPassword for user: " + userId); Preconditions.checkState(getCurrentLskfBasedProtectorId(userId) == SyntheticPasswordManager.NULL_PROTECTOR_ID, "Cannot reinitialize SP"); final SyntheticPassword sp = mSpManager.newSyntheticPassword(userId); long protectorId = mSpManager.createLskfBasedProtector(getGateKeeperService(), credential, sp, userId); if (!credential.isNone()) { mSpManager.newSidForUser(getGateKeeperService(), sp, userId); mSpManager.verifyChallenge(getGateKeeperService(), sp, 0L, userId); setUserKeyProtection(userId, sp.deriveFileBasedEncryptionKey()); setKeystorePassword(sp.deriveKeyStorePassword(), userId); } else { clearUserKeyProtection(userId, null); setKeystorePassword(null, userId); gateKeeperClearSecureUserId(userId); } fixateNewestUserKeyAuth(userId); final long protectorId = mSpManager.createLskfBasedProtector(getGateKeeperService(), LockscreenCredential.createNone(), sp, userId); setCurrentLskfBasedProtectorId(protectorId, userId); onSyntheticPasswordKnown(userId, sp); return sp; Loading Loading 
@@ -2818,8 +2804,7 @@ public class LockSettingsService extends ILockSettings.Stub { if (!isUserSecure(userId)) { long protectorId = getCurrentLskfBasedProtectorId(userId); if (protectorId == SyntheticPasswordManager.NULL_PROTECTOR_ID) { sp = initializeSyntheticPasswordLocked(LockscreenCredential.createNone(), userId); sp = initializeSyntheticPasswordLocked(userId); } else { sp = mSpManager.unlockLskfBasedProtector(getGateKeeperService(), protectorId, LockscreenCredential.createNone(), userId, null).syntheticPassword; Loading
services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java +4 −1 Original line number Diff line number Diff line Loading @@ -369,6 +369,8 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests { throws Exception { final LockscreenCredential parentPassword = newPassword("parentPassword"); final LockscreenCredential profilePassword = newPattern("12345"); mService.setSeparateProfileChallengeEnabled( MANAGED_PROFILE_USER_ID, true, profilePassword); initializeStorageWithCredential(PRIMARY_USER_ID, parentPassword); // Create and verify separate profile credentials. testCreateCredential(MANAGED_PROFILE_USER_ID, profilePassword); Loading Loading @@ -550,11 +552,12 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests { throws RemoteException { assertEquals(0, mGateKeeperService.getSecureUserId(userId)); synchronized (mService.mSpManager) { mService.initializeSyntheticPasswordLocked(credential, userId); mService.initializeSyntheticPasswordLocked(userId); } if (credential.isNone()) { assertEquals(0, mGateKeeperService.getSecureUserId(userId)); } else { assertTrue(mService.setLockCredential(credential, nonePassword(), userId)); assertNotEquals(0, mGateKeeperService.getSecureUserId(userId)); } } Loading