Loading core/java/com/android/internal/widget/ILockSettings.aidl +2 −1 Original line number Original line Diff line number Diff line Loading @@ -49,7 +49,8 @@ interface ILockSettings { in ICheckCredentialProgressCallback progressCallback); in ICheckCredentialProgressCallback progressCallback); VerifyCredentialResponse verifyCredential(in LockscreenCredential credential, int userId, int flags); VerifyCredentialResponse verifyCredential(in LockscreenCredential credential, int userId, int flags); VerifyCredentialResponse verifyTiedProfileChallenge(in LockscreenCredential credential, int userId, int flags); VerifyCredentialResponse verifyTiedProfileChallenge(in LockscreenCredential credential, int userId, int flags); VerifyCredentialResponse verifyGatekeeperPassword(in byte[] gatekeeperPassword, long challenge, int userId); VerifyCredentialResponse verifyGatekeeperPasswordHandle(long gatekeeperPasswordHandle, long challenge, int userId); void removeGatekeeperPasswordHandle(long gatekeeperPasswordHandle); boolean checkVoldPassword(int userId); boolean checkVoldPassword(int userId); int getCredentialType(int userId); int getCredentialType(int userId); byte[] getHashFactor(in LockscreenCredential currentCredential, int userId); byte[] getHashFactor(in LockscreenCredential currentCredential, int userId); Loading core/java/com/android/internal/widget/LockPatternUtils.java +19 −10 Original line number Original line Diff line number Diff line Loading 
@@ -130,14 +130,15 @@ public class LockPatternUtils { public @interface CredentialType {} public @interface CredentialType {} /** /** * Flag provided to {@link #verifyCredential(LockscreenCredential, long, int, int)} . If set, * Flag provided to {@link #verifyCredential(LockscreenCredential, int, int)} . If set, the * the method will return the Gatekeeper Password in the {@link VerifyCredentialResponse}. * method will return a handle to the Gatekeeper Password in the * {@link VerifyCredentialResponse}. */ */ public static final int VERIFY_FLAG_RETURN_GK_PW = 1 << 0; public static final int VERIFY_FLAG_REQUEST_GK_PW_HANDLE = 1 << 0; @Retention(RetentionPolicy.SOURCE) @Retention(RetentionPolicy.SOURCE) @IntDef(flag = true, value = { @IntDef(flag = true, value = { VERIFY_FLAG_RETURN_GK_PW VERIFY_FLAG_REQUEST_GK_PW_HANDLE }) }) public @interface VerifyFlag {} public @interface VerifyFlag {} Loading Loading 
@@ -409,16 +410,16 @@ public class LockPatternUtils { } } /** /** * With the Gatekeeper Password returned via {@link #verifyCredential(LockscreenCredential, * With the Gatekeeper Password Handle returned via {@link #verifyCredential( * int, int)}, request Gatekeeper to create a HardwareAuthToken wrapping the given * LockscreenCredential, int, int)}, request Gatekeeper to create a HardwareAuthToken wrapping * challenge. * the given challenge. */ */ @NonNull @NonNull public VerifyCredentialResponse verifyGatekeeperPassword(@NonNull byte[] gatekeeperPassword, public VerifyCredentialResponse verifyGatekeeperPasswordHandle(long gatekeeperPasswordHandle, long challenge, int userId) { long challenge, int userId) { try { try { final VerifyCredentialResponse response = getLockSettings().verifyGatekeeperPassword( final VerifyCredentialResponse response = getLockSettings() gatekeeperPassword, challenge, userId); .verifyGatekeeperPasswordHandle(gatekeeperPasswordHandle, challenge, userId); if (response == null) { if (response == null) { return VerifyCredentialResponse.ERROR; return VerifyCredentialResponse.ERROR; } } Loading @@ -429,6 +430,14 @@ public class LockPatternUtils { } } } } public void removeGatekeeperPasswordHandle(long gatekeeperPasswordHandle) { try { getLockSettings().removeGatekeeperPasswordHandle(gatekeeperPasswordHandle); } catch (RemoteException e) { Log.e(TAG, "failed to remove gatekeeper password handle", e); } } /** /** * Check to see if a credential matches the saved one. * Check to see if a credential matches the saved one. * * Loading core/java/com/android/internal/widget/VerifyCredentialResponse.java +20 −17 Original line number Original line Diff line number Diff line Loading 
@@ -49,7 +49,7 @@ public final class VerifyCredentialResponse implements Parcelable { private final @ResponseCode int mResponseCode; private final @ResponseCode int mResponseCode; private final int mTimeout; private final int mTimeout; @Nullable private final byte[] mGatekeeperHAT; @Nullable private final byte[] mGatekeeperHAT; @Nullable private final byte[] mGatekeeperPw; private final long mGatekeeperPasswordHandle; public static final Parcelable.Creator<VerifyCredentialResponse> CREATOR public static final Parcelable.Creator<VerifyCredentialResponse> CREATOR = new Parcelable.Creator<VerifyCredentialResponse>() { = new Parcelable.Creator<VerifyCredentialResponse>() { Loading @@ -58,10 +58,10 @@ public final class VerifyCredentialResponse implements Parcelable { final @ResponseCode int responseCode = source.readInt(); final @ResponseCode int responseCode = source.readInt(); final int timeout = source.readInt(); final int timeout = source.readInt(); final byte[] gatekeeperHAT = source.createByteArray(); final byte[] gatekeeperHAT = source.createByteArray(); final byte[] gatekeeperPassword = source.createByteArray(); long gatekeeperPasswordHandle = source.readLong(); return new VerifyCredentialResponse(responseCode, timeout, gatekeeperHAT, return new VerifyCredentialResponse(responseCode, timeout, gatekeeperHAT, gatekeeperPassword); gatekeeperPasswordHandle); } } @Override @Override Loading @@ -72,7 +72,7 @@ public final class VerifyCredentialResponse implements Parcelable { public static class Builder { public static class Builder { @Nullable private byte[] mGatekeeperHAT; @Nullable private byte[] mGatekeeperHAT; @Nullable private byte[] mGatekeeperPassword; private long mGatekeeperPasswordHandle; /** /** * @param gatekeeperHAT Gatekeeper HardwareAuthToken, minted upon successful authentication. * @param gatekeeperHAT Gatekeeper HardwareAuthToken, minted upon successful authentication. Loading 
@@ -82,8 +82,8 @@ public final class VerifyCredentialResponse implements Parcelable { return this; return this; } } public Builder setGatekeeperPassword(byte[] gatekeeperPassword) { public Builder setGatekeeperPasswordHandle(long gatekeeperPasswordHandle) { mGatekeeperPassword = gatekeeperPassword; mGatekeeperPasswordHandle = gatekeeperPasswordHandle; return this; return this; } } Loading @@ -96,7 +96,7 @@ public final class VerifyCredentialResponse implements Parcelable { return new VerifyCredentialResponse(RESPONSE_OK, return new VerifyCredentialResponse(RESPONSE_OK, 0 /* timeout */, 0 /* timeout */, mGatekeeperHAT, mGatekeeperHAT, mGatekeeperPassword); mGatekeeperPasswordHandle); } } } } Loading @@ -110,7 +110,7 @@ public final class VerifyCredentialResponse implements Parcelable { return new VerifyCredentialResponse(RESPONSE_RETRY, return new VerifyCredentialResponse(RESPONSE_RETRY, timeout, timeout, null /* gatekeeperHAT */, null /* gatekeeperHAT */, null /* gatekeeperPassword */); 0L /* gatekeeperPasswordHandle */); } } /** /** Loading 
@@ -121,20 +121,20 @@ public final class VerifyCredentialResponse implements Parcelable { return new VerifyCredentialResponse(RESPONSE_ERROR, return new VerifyCredentialResponse(RESPONSE_ERROR, 0 /* timeout */, 0 /* timeout */, null /* gatekeeperHAT */, null /* gatekeeperHAT */, null /* gatekeeperPassword */); 0L /* gatekeeperPasswordHandle */); } } private VerifyCredentialResponse(@ResponseCode int responseCode, int timeout, private VerifyCredentialResponse(@ResponseCode int responseCode, int timeout, @Nullable byte[] gatekeeperHAT, @Nullable byte[] gatekeeperPassword) { @Nullable byte[] gatekeeperHAT, long gatekeeperPasswordHandle) { mResponseCode = responseCode; mResponseCode = responseCode; mTimeout = timeout; mTimeout = timeout; mGatekeeperHAT = gatekeeperHAT; mGatekeeperHAT = gatekeeperHAT; mGatekeeperPw = gatekeeperPassword; mGatekeeperPasswordHandle = gatekeeperPasswordHandle; } } public VerifyCredentialResponse stripPayload() { public VerifyCredentialResponse stripPayload() { return new VerifyCredentialResponse(mResponseCode, mTimeout, return new VerifyCredentialResponse(mResponseCode, mTimeout, null /* gatekeeperHAT */, null /* gatekeeperPassword */); null /* gatekeeperHAT */, 0L /* gatekeeperPasswordHandle */); } } @Override @Override Loading @@ -142,7 +142,7 @@ public final class VerifyCredentialResponse implements Parcelable { dest.writeInt(mResponseCode); dest.writeInt(mResponseCode); dest.writeInt(mTimeout); dest.writeInt(mTimeout); dest.writeByteArray(mGatekeeperHAT); dest.writeByteArray(mGatekeeperHAT); dest.writeByteArray(mGatekeeperPw); dest.writeLong(mGatekeeperPasswordHandle); } } @Override @Override Loading 
@@ -155,9 +155,12 @@ public final class VerifyCredentialResponse implements Parcelable { return mGatekeeperHAT; return mGatekeeperHAT; } } @Nullable public long getGatekeeperPasswordHandle() { public byte[] getGatekeeperPw() { return mGatekeeperPasswordHandle; return mGatekeeperPw; } public boolean containsGatekeeperPasswordHandle() { return mGatekeeperPasswordHandle != 0L; } } public int getTimeout() { public int getTimeout() { Loading @@ -176,7 +179,7 @@ public final class VerifyCredentialResponse implements Parcelable { public String toString() { public String toString() { return "Response: " + mResponseCode return "Response: " + mResponseCode + ", GK HAT: " + (mGatekeeperHAT != null) + ", GK HAT: " + (mGatekeeperHAT != null) + ", GK PW: " + (mGatekeeperPw != null); + ", GK PW: " + (mGatekeeperPasswordHandle != 0L); } } public static VerifyCredentialResponse fromGateKeeperResponse( public static VerifyCredentialResponse fromGateKeeperResponse( Loading packages/SystemUI/src/com/android/systemui/biometrics/AuthCredentialPasswordView.java +1 −1 Original line number Original line Diff line number Diff line Loading @@ -111,7 +111,7 @@ public class AuthCredentialPasswordView extends AuthCredentialView // VerifyCredentialResponse so that we can request a Gatekeeper HAT with the // VerifyCredentialResponse so that we can request a Gatekeeper HAT with the // Gatekeeper Password and operationId. // Gatekeeper Password and operationId. mPendingLockCheck = LockPatternChecker.verifyCredential(mLockPatternUtils, mPendingLockCheck = LockPatternChecker.verifyCredential(mLockPatternUtils, password, mEffectiveUserId, LockPatternUtils.VERIFY_FLAG_RETURN_GK_PW, password, mEffectiveUserId, LockPatternUtils.VERIFY_FLAG_REQUEST_GK_PW_HANDLE, this::onCredentialVerified); this::onCredentialVerified); } } } } Loading packages/SystemUI/src/com/android/systemui/biometrics/AuthCredentialPatternView.java +1 −1 Original line number Original line Diff line number Diff line Loading 
@@ -75,7 +75,7 @@ public class AuthCredentialPatternView extends AuthCredentialView { mLockPatternUtils, mLockPatternUtils, credential, credential, mEffectiveUserId, mEffectiveUserId, LockPatternUtils.VERIFY_FLAG_RETURN_GK_PW, LockPatternUtils.VERIFY_FLAG_REQUEST_GK_PW_HANDLE, this::onPatternVerified); this::onPatternVerified); } } } } Loading Loading
core/java/com/android/internal/widget/ILockSettings.aidl +2 −1 Original line number Original line Diff line number Diff line Loading @@ -49,7 +49,8 @@ interface ILockSettings { in ICheckCredentialProgressCallback progressCallback); in ICheckCredentialProgressCallback progressCallback); VerifyCredentialResponse verifyCredential(in LockscreenCredential credential, int userId, int flags); VerifyCredentialResponse verifyCredential(in LockscreenCredential credential, int userId, int flags); VerifyCredentialResponse verifyTiedProfileChallenge(in LockscreenCredential credential, int userId, int flags); VerifyCredentialResponse verifyTiedProfileChallenge(in LockscreenCredential credential, int userId, int flags); VerifyCredentialResponse verifyGatekeeperPassword(in byte[] gatekeeperPassword, long challenge, int userId); VerifyCredentialResponse verifyGatekeeperPasswordHandle(long gatekeeperPasswordHandle, long challenge, int userId); void removeGatekeeperPasswordHandle(long gatekeeperPasswordHandle); boolean checkVoldPassword(int userId); boolean checkVoldPassword(int userId); int getCredentialType(int userId); int getCredentialType(int userId); byte[] getHashFactor(in LockscreenCredential currentCredential, int userId); byte[] getHashFactor(in LockscreenCredential currentCredential, int userId); Loading
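Review bot: `removeGatekeeperPasswordHandle(long gatekeeperPasswordHandle)` takes no `userId`, unlike `verifyGatekeeperPasswordHandle` declared just before it, so the service has only the handle value to decide whether a caller may drop the cached entry. The service implementation is not on this page; since the handle now stands in for the Gatekeeper password across Binder, it presumably needs a permission check on both new calls and handle values that cannot be predicted. The interface gives no hint of that contract, so a comment on the two declarations would help, e.g. `// Handle refers to a Gatekeeper password cached by the service; callers must hold <REQUIRED_PERMISSION placeholder> and remove the handle after use.`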
core/java/com/android/internal/widget/LockPatternUtils.java +19 −10 Original line number Original line Diff line number Diff line Loading @@ -130,14 +130,15 @@ public class LockPatternUtils { public @interface CredentialType {} public @interface CredentialType {} /** /** * Flag provided to {@link #verifyCredential(LockscreenCredential, long, int, int)} . If set, * Flag provided to {@link #verifyCredential(LockscreenCredential, int, int)} . If set, the * the method will return the Gatekeeper Password in the {@link VerifyCredentialResponse}. * method will return a handle to the Gatekeeper Password in the * {@link VerifyCredentialResponse}. */ */ public static final int VERIFY_FLAG_RETURN_GK_PW = 1 << 0; public static final int VERIFY_FLAG_REQUEST_GK_PW_HANDLE = 1 << 0; @Retention(RetentionPolicy.SOURCE) @Retention(RetentionPolicy.SOURCE) @IntDef(flag = true, value = { @IntDef(flag = true, value = { VERIFY_FLAG_RETURN_GK_PW VERIFY_FLAG_REQUEST_GK_PW_HANDLE }) }) public @interface VerifyFlag {} public @interface VerifyFlag {} Loading Loading 
@@ -409,16 +410,16 @@ public class LockPatternUtils { } } /** /** * With the Gatekeeper Password returned via {@link #verifyCredential(LockscreenCredential, * With the Gatekeeper Password Handle returned via {@link #verifyCredential( * int, int)}, request Gatekeeper to create a HardwareAuthToken wrapping the given * LockscreenCredential, int, int)}, request Gatekeeper to create a HardwareAuthToken wrapping * challenge. * the given challenge. */ */ @NonNull @NonNull public VerifyCredentialResponse verifyGatekeeperPassword(@NonNull byte[] gatekeeperPassword, public VerifyCredentialResponse verifyGatekeeperPasswordHandle(long gatekeeperPasswordHandle, long challenge, int userId) { long challenge, int userId) { try { try { final VerifyCredentialResponse response = getLockSettings().verifyGatekeeperPassword( final VerifyCredentialResponse response = getLockSettings() gatekeeperPassword, challenge, userId); .verifyGatekeeperPasswordHandle(gatekeeperPasswordHandle, challenge, userId); if (response == null) { if (response == null) { return VerifyCredentialResponse.ERROR; return VerifyCredentialResponse.ERROR; } } Loading @@ -429,6 +430,14 @@ public class LockPatternUtils { } } } } public void removeGatekeeperPasswordHandle(long gatekeeperPasswordHandle) { try { getLockSettings().removeGatekeeperPasswordHandle(gatekeeperPasswordHandle); } catch (RemoteException e) { Log.e(TAG, "failed to remove gatekeeper password handle", e); } } /** /** * Check to see if a credential matches the saved one. * Check to see if a credential matches the saved one. * * Loading
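Review bot: The new `removeGatekeeperPasswordHandle` added in the `@@ -429,6 +430,14 @@` hunk has no Javadoc and only logs a `RemoteException`, so a caller cannot tell that the handle was left in place. The handle refers to a Gatekeeper password that the service presumably keeps until it is removed, so the method should state that callers must invoke it once the HardwareAuthToken has been obtained, and the Javadoc of `verifyGatekeeperPasswordHandle` should say whether verification consumes the handle. Proposed doc: `/** Removes the cached Gatekeeper password for this handle; call as soon as the handle is no longer needed. */`. The rewritten flag Javadoc in the first hunk also keeps the stray space before the period in `int, int)} .`.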
core/java/com/android/internal/widget/VerifyCredentialResponse.java +20 −17 Original line number Original line Diff line number Diff line Loading @@ -49,7 +49,7 @@ public final class VerifyCredentialResponse implements Parcelable { private final @ResponseCode int mResponseCode; private final @ResponseCode int mResponseCode; private final int mTimeout; private final int mTimeout; @Nullable private final byte[] mGatekeeperHAT; @Nullable private final byte[] mGatekeeperHAT; @Nullable private final byte[] mGatekeeperPw; private final long mGatekeeperPasswordHandle; public static final Parcelable.Creator<VerifyCredentialResponse> CREATOR public static final Parcelable.Creator<VerifyCredentialResponse> CREATOR = new Parcelable.Creator<VerifyCredentialResponse>() { = new Parcelable.Creator<VerifyCredentialResponse>() { Loading @@ -58,10 +58,10 @@ public final class VerifyCredentialResponse implements Parcelable { final @ResponseCode int responseCode = source.readInt(); final @ResponseCode int responseCode = source.readInt(); final int timeout = source.readInt(); final int timeout = source.readInt(); final byte[] gatekeeperHAT = source.createByteArray(); final byte[] gatekeeperHAT = source.createByteArray(); final byte[] gatekeeperPassword = source.createByteArray(); long gatekeeperPasswordHandle = source.readLong(); return new VerifyCredentialResponse(responseCode, timeout, gatekeeperHAT, return new VerifyCredentialResponse(responseCode, timeout, gatekeeperHAT, gatekeeperPassword); gatekeeperPasswordHandle); } } @Override @Override Loading 
@@ -72,7 +72,7 @@ public final class VerifyCredentialResponse implements Parcelable { public static class Builder { public static class Builder { @Nullable private byte[] mGatekeeperHAT; @Nullable private byte[] mGatekeeperHAT; @Nullable private byte[] mGatekeeperPassword; private long mGatekeeperPasswordHandle; /** /** * @param gatekeeperHAT Gatekeeper HardwareAuthToken, minted upon successful authentication. * @param gatekeeperHAT Gatekeeper HardwareAuthToken, minted upon successful authentication. Loading @@ -82,8 +82,8 @@ public final class VerifyCredentialResponse implements Parcelable { return this; return this; } } public Builder setGatekeeperPassword(byte[] gatekeeperPassword) { public Builder setGatekeeperPasswordHandle(long gatekeeperPasswordHandle) { mGatekeeperPassword = gatekeeperPassword; mGatekeeperPasswordHandle = gatekeeperPasswordHandle; return this; return this; } } Loading @@ -96,7 +96,7 @@ public final class VerifyCredentialResponse implements Parcelable { return new VerifyCredentialResponse(RESPONSE_OK, return new VerifyCredentialResponse(RESPONSE_OK, 0 /* timeout */, 0 /* timeout */, mGatekeeperHAT, mGatekeeperHAT, mGatekeeperPassword); mGatekeeperPasswordHandle); } } } } Loading @@ -110,7 +110,7 @@ public final class VerifyCredentialResponse implements Parcelable { return new VerifyCredentialResponse(RESPONSE_RETRY, return new VerifyCredentialResponse(RESPONSE_RETRY, timeout, timeout, null /* gatekeeperHAT */, null /* gatekeeperHAT */, null /* gatekeeperPassword */); 0L /* gatekeeperPasswordHandle */); } } /** /** Loading 
@@ -121,20 +121,20 @@ public final class VerifyCredentialResponse implements Parcelable { return new VerifyCredentialResponse(RESPONSE_ERROR, return new VerifyCredentialResponse(RESPONSE_ERROR, 0 /* timeout */, 0 /* timeout */, null /* gatekeeperHAT */, null /* gatekeeperHAT */, null /* gatekeeperPassword */); 0L /* gatekeeperPasswordHandle */); } } private VerifyCredentialResponse(@ResponseCode int responseCode, int timeout, private VerifyCredentialResponse(@ResponseCode int responseCode, int timeout, @Nullable byte[] gatekeeperHAT, @Nullable byte[] gatekeeperPassword) { @Nullable byte[] gatekeeperHAT, long gatekeeperPasswordHandle) { mResponseCode = responseCode; mResponseCode = responseCode; mTimeout = timeout; mTimeout = timeout; mGatekeeperHAT = gatekeeperHAT; mGatekeeperHAT = gatekeeperHAT; mGatekeeperPw = gatekeeperPassword; mGatekeeperPasswordHandle = gatekeeperPasswordHandle; } } public VerifyCredentialResponse stripPayload() { public VerifyCredentialResponse stripPayload() { return new VerifyCredentialResponse(mResponseCode, mTimeout, return new VerifyCredentialResponse(mResponseCode, mTimeout, null /* gatekeeperHAT */, null /* gatekeeperPassword */); null /* gatekeeperHAT */, 0L /* gatekeeperPasswordHandle */); } } @Override @Override Loading @@ -142,7 +142,7 @@ public final class VerifyCredentialResponse implements Parcelable { dest.writeInt(mResponseCode); dest.writeInt(mResponseCode); dest.writeInt(mTimeout); dest.writeInt(mTimeout); dest.writeByteArray(mGatekeeperHAT); dest.writeByteArray(mGatekeeperHAT); dest.writeByteArray(mGatekeeperPw); dest.writeLong(mGatekeeperPasswordHandle); } } @Override @Override Loading 
@@ -155,9 +155,12 @@ public final class VerifyCredentialResponse implements Parcelable { return mGatekeeperHAT; return mGatekeeperHAT; } } @Nullable public long getGatekeeperPasswordHandle() { public byte[] getGatekeeperPw() { return mGatekeeperPasswordHandle; return mGatekeeperPw; } public boolean containsGatekeeperPasswordHandle() { return mGatekeeperPasswordHandle != 0L; } } public int getTimeout() { public int getTimeout() { Loading @@ -176,7 +179,7 @@ public final class VerifyCredentialResponse implements Parcelable { public String toString() { public String toString() { return "Response: " + mResponseCode return "Response: " + mResponseCode + ", GK HAT: " + (mGatekeeperHAT != null) + ", GK HAT: " + (mGatekeeperHAT != null) + ", GK PW: " + (mGatekeeperPw != null); + ", GK PW: " + (mGatekeeperPasswordHandle != 0L); } } public static VerifyCredentialResponse fromGateKeeperResponse( public static VerifyCredentialResponse fromGateKeeperResponse( Loading
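Review bot: `0L` serves as the "no handle" sentinel in five places (the RETRY and ERROR responses, `stripPayload()`, `containsGatekeeperPasswordHandle()` and `toString()`) without a named constant or any documentation, and the `Builder` field relies on it implicitly as its default. If the service can ever issue a handle equal to 0 (its generator is not on this page), `containsGatekeeperPasswordHandle()` would report a valid handle as absent and the caller would have no reason to remove it. Suggest `private static final long NO_GATEKEEPER_PASSWORD_HANDLE = 0L;` plus Javadoc on `getGatekeeperPasswordHandle()` stating that 0 means none. `toString()` still prints the label `GK PW:`; `", GK PW handle: " + containsGatekeeperPasswordHandle()` would match the new field.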
packages/SystemUI/src/com/android/systemui/biometrics/AuthCredentialPasswordView.java +1 −1 Original line number Original line Diff line number Diff line Loading @@ -111,7 +111,7 @@ public class AuthCredentialPasswordView extends AuthCredentialView // VerifyCredentialResponse so that we can request a Gatekeeper HAT with the // VerifyCredentialResponse so that we can request a Gatekeeper HAT with the // Gatekeeper Password and operationId. // Gatekeeper Password and operationId. mPendingLockCheck = LockPatternChecker.verifyCredential(mLockPatternUtils, mPendingLockCheck = LockPatternChecker.verifyCredential(mLockPatternUtils, password, mEffectiveUserId, LockPatternUtils.VERIFY_FLAG_RETURN_GK_PW, password, mEffectiveUserId, LockPatternUtils.VERIFY_FLAG_REQUEST_GK_PW_HANDLE, this::onCredentialVerified); this::onCredentialVerified); } } } } Loading
packages/SystemUI/src/com/android/systemui/biometrics/AuthCredentialPatternView.java +1 −1 Original line number Original line Diff line number Diff line Loading @@ -75,7 +75,7 @@ public class AuthCredentialPatternView extends AuthCredentialView { mLockPatternUtils, mLockPatternUtils, credential, credential, mEffectiveUserId, mEffectiveUserId, LockPatternUtils.VERIFY_FLAG_RETURN_GK_PW, LockPatternUtils.VERIFY_FLAG_REQUEST_GK_PW_HANDLE, this::onPatternVerified); this::onPatternVerified); } } } } Loading