
Commit 0f598aa9 authored by Kevin Chyn's avatar Kevin Chyn

Only BIOMETRIC_STRONG HATs should be sent to KeyStore

Bug: 150014844
Bug: 141025588
Bug: 151967372

Test: Configure a device to have weak biometrics only, then
      run CtsVerifier Weak Biometrics section
Test: com.android.server.biometrics

Change-Id: I866e84b2f88c24faeaf42452d44f651ec220858a
parent d200e5de
+3 −1
@@ -26,7 +26,9 @@ package android.hardware.biometrics;
oneway interface IBiometricServiceReceiverInternal {
    // Notify BiometricService that authentication was successful. If user confirmation is required,
    // the auth token must be submitted into KeyStore.
    void onAuthenticationSucceeded(boolean requireConfirmation, in byte[] token);
    // TODO(b/151967372): Strength should be changed to authenticatorId
    void onAuthenticationSucceeded(boolean requireConfirmation, in byte[] token,
            boolean isStrongBiometric);
    // Notify BiometricService authentication was rejected.
    void onAuthenticationFailed();
    // Notify BiometricService than an error has occured. Forward to the correct receiver depending
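Review bot: The comment above `onAuthenticationSucceeded` still says the auth token must be submitted into KeyStore, which no longer holds for every call now that `isStrongBiometric` decides it. I would reword it along the lines of `// The auth token is submitted to KeyStore only when isStrongBiometric is true.` and note that a token passed with a false flag is dropped by the receiver. The TODO marks the boolean as a stopgap for authenticatorId; because this is a `oneway` interface whose signature changes in place, every implementer and caller has to move in the same change, which appears to be the case for the sections shown here.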
+10 −2
@@ -70,6 +70,8 @@ public abstract class AuthenticationClient extends ClientMonitor {

    public abstract boolean wasUserDetected();

    public abstract boolean isStrongBiometric();

    public AuthenticationClient(Context context, Constants constants,
            BiometricServiceBase.DaemonWrapper daemon, long halDeviceId, IBinder token,
            BiometricServiceBase.ServiceListener listener, int targetUserId, int groupId, long opId,
@@ -185,9 +187,15 @@ public abstract class AuthenticationClient extends ClientMonitor {
                }
                if (isBiometricPrompt() && listener != null) {
                    // BiometricService will add the token to keystore
                    listener.onAuthenticationSucceededInternal(mRequireConfirmation, byteToken);
                    listener.onAuthenticationSucceededInternal(mRequireConfirmation, byteToken,
                            isStrongBiometric());
                } else if (!isBiometricPrompt() && listener != null) {
                    if (isStrongBiometric()) {
                        KeyStore.getInstance().addAuthToken(byteToken);
                    } else {
                        Slog.d(getLogTag(), "Skipping addAuthToken");
                    }

                    try {
                        // Explicitly have if/else here to make it super obvious in case the code is
                        // touched in the future.
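Review bot: In the BiometricPrompt branch the raw `byteToken` is still handed to `listener.onAuthenticationSucceededInternal(...)` when `isStrongBiometric()` is false, so keeping a weak-biometric HAT out of KeyStore depends on every receiver honouring the flag. Passing `isStrongBiometric() ? byteToken : null` would drop the token at the source; whether all receivers tolerate a null token is not visible here and should be confirmed. Separately, the non-prompt branch logs the skip at debug level as `"Skipping addAuthToken"` while BiometricService warns, and a message that names the reason, e.g. `"Skipping addAuthToken for non-strong biometric"`, would make the two paths easier to correlate in logs. The enclosing method starts and ends outside the hunk.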
+17 −6
@@ -266,7 +266,8 @@ public class BiometricService extends SystemService {
                    SomeArgs args = (SomeArgs) msg.obj;
                    handleAuthenticationSucceeded(
                            (boolean) args.arg1 /* requireConfirmation */,
                            (byte[]) args.arg2 /* token */);
                            (byte[]) args.arg2 /* token */,
                            (boolean) args.arg3 /* isStrongBiometric */);
                    args.recycle();
                    break;
                }
@@ -568,10 +569,12 @@ public class BiometricService extends SystemService {
    final IBiometricServiceReceiverInternal mInternalReceiver =
            new IBiometricServiceReceiverInternal.Stub() {
        @Override
        public void onAuthenticationSucceeded(boolean requireConfirmation, byte[] token) {
        public void onAuthenticationSucceeded(boolean requireConfirmation, byte[] token,
                boolean isStrongBiometric) {
            SomeArgs args = SomeArgs.obtain();
            args.arg1 = requireConfirmation;
            args.arg2 = token;
            args.arg3 = isStrongBiometric;
            mHandler.obtainMessage(MSG_ON_AUTHENTICATION_SUCCEEDED, args).sendToTarget();
        }

@@ -1286,7 +1289,8 @@ public class BiometricService extends SystemService {
        return modality;
    }

    private void handleAuthenticationSucceeded(boolean requireConfirmation, byte[] token) {
    private void handleAuthenticationSucceeded(boolean requireConfirmation, byte[] token,
            boolean isStrongBiometric) {
        try {
            // Should never happen, log this to catch bad HAL behavior (e.g. auth succeeded
            // after user dismissed/canceled dialog).
@@ -1295,9 +1299,16 @@ public class BiometricService extends SystemService {
                return;
            }

            if (isStrongBiometric) {
                // Store the auth token and submit it to keystore after the dialog is confirmed /
                // animating away.
                mCurrentAuthSession.mTokenEscrow = token;
            } else {
                if (token != null) {
                    Slog.w(TAG, "Dropping authToken for non-strong biometric");
                }
            }

            if (!requireConfirmation) {
                mCurrentAuthSession.mState = STATE_AUTHENTICATED_PENDING_SYSUI;
            } else {
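Review bot: The new `else` branch in `handleAuthenticationSucceeded` only logs and leaves `mCurrentAuthSession.mTokenEscrow` as it was, so the guarantee that no token reaches KeyStore for a non-strong result rests on the field already being empty. If a session can receive more than one success callback, or the field is set elsewhere (neither is visible in this hunk), an earlier token would still be submitted later; adding `mCurrentAuthSession.mTokenEscrow = null;` in the `else` makes the drop explicit. The `(boolean) args.arg3` cast in the handler also unboxes without a null check, which is safe only because `mInternalReceiver` always assigns `arg3`; a short comment saying so would help the next editor. The method body continues outside the hunk.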
+6 −5
@@ -416,8 +416,8 @@ public abstract class BiometricServiceBase extends SystemService
            throw new UnsupportedOperationException("Stub!");
        }

        default void onAuthenticationSucceededInternal(boolean requireConfirmation, byte[] token)
                throws RemoteException {
        default void onAuthenticationSucceededInternal(boolean requireConfirmation, byte[] token,
                boolean isStrongBiometric) throws RemoteException {
            throw new UnsupportedOperationException("Stub!");
        }

@@ -454,10 +454,11 @@ public abstract class BiometricServiceBase extends SystemService
        }

        @Override
        public void onAuthenticationSucceededInternal(boolean requireConfirmation, byte[] token)
                throws RemoteException {
        public void onAuthenticationSucceededInternal(boolean requireConfirmation, byte[] token,
                boolean isStrongBiometric) throws RemoteException {
            if (getWrapperReceiver() != null) {
                getWrapperReceiver().onAuthenticationSucceeded(requireConfirmation, token);
                getWrapperReceiver().onAuthenticationSucceeded(requireConfirmation, token,
                        isStrongBiometric);
            }
        }

+5 −0
@@ -237,6 +237,11 @@ public class FaceService extends BiometricServiceBase {
                    && mLastAcquire != FaceManager.FACE_ACQUIRED_SENSOR_DIRTY;
        }

        @Override
        public boolean isStrongBiometric() {
            return FaceService.this.isStrongBiometric();
        }

        @Override
        public boolean onAuthenticated(BiometricAuthenticator.Identifier identifier,
                boolean authenticated, ArrayList<Byte> token) {