Integrate IKeystoreUserManager aidl with LockSettingsService. (13dd6133) · Commits · e / os / android_frameworks_base

Android.bp

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -525,6 +525,7 @@ java_library {
	"android.hardware.vibrator-V1.3-java",		"android.hardware.vibrator-V1.3-java",
	"android.security.apc-java",		"android.security.apc-java",
	"android.security.authorization-java",		"android.security.authorization-java",
			"android.security.usermanager-java",
	"android.system.keystore2-V1-java",		"android.system.keystore2-V1-java",
	"android.system.suspend.control.internal-java",		"android.system.suspend.control.internal-java",
	"devicepolicyprotosnano",		"devicepolicyprotosnano",

keystore/java/android/security/AndroidKeyStoreMaintenance.java

0 → 100644

+105 −0

Original line number	Original line	Diff line number	Diff line
			/*
			* Copyright (C) 2021 The Android Open Source Project
			*
			* Licensed under the Apache License, Version 2.0 (the "License");
			* you may not use this file except in compliance with the License.
			* You may obtain a copy of the License at
			*
			* http://www.apache.org/licenses/LICENSE-2.0
			*
			* Unless required by applicable law or agreed to in writing, software
			* distributed under the License is distributed on an "AS IS" BASIS,
			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			* See the License for the specific language governing permissions and
			* limitations under the License.
			*/

			package android.security;

			import android.annotation.NonNull;
			import android.annotation.Nullable;
			import android.os.ServiceManager;
			import android.os.ServiceSpecificException;
			import android.security.usermanager.IKeystoreUserManager;
			import android.system.keystore2.ResponseCode;
			import android.util.Log;

			/**
			* @hide This is the client side for IKeystoreUserManager AIDL.
			* It shall only be used by the LockSettingsService.
			*/
			public class AndroidKeyStoreMaintenance {
			private static final String TAG = "AndroidKeyStoreMaintenance";

			public static final int SYSTEM_ERROR = ResponseCode.SYSTEM_ERROR;

			private static IKeystoreUserManager getService() {
			return IKeystoreUserManager.Stub.asInterface(
			ServiceManager.checkService("android.security.usermanager"));
			}

			/**
			* Informs keystore2 about adding a user
			*
			* @param userId - Android user id of the user being added
			* @return 0 if successful or a {@code ResponseCode}
			* @hide
			*/
			public static int onUserAdded(@NonNull int userId) {
			if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0;
			try {
			getService().onUserAdded(userId);
			return 0;
			} catch (ServiceSpecificException e) {
			Log.e(TAG, "onUserAdded failed", e);
			return e.errorCode;
			} catch (Exception e) {
			Log.e(TAG, "Can not connect to keystore", e);
			return SYSTEM_ERROR;
			}
			}

			/**
			* Informs keystore2 about removing a usergit mer
			*
			* @param userId - Android user id of the user being removed
			* @return 0 if successful or a {@code ResponseCode}
			* @hide
			*/
			public static int onUserRemoved(int userId) {
			if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0;
			try {
			getService().onUserRemoved(userId);
			return 0;
			} catch (ServiceSpecificException e) {
			Log.e(TAG, "onUserRemoved failed", e);
			return e.errorCode;
			} catch (Exception e) {
			Log.e(TAG, "Can not connect to keystore", e);
			return SYSTEM_ERROR;
			}
			}

			/**
			* Informs keystore2 about changing user's password
			*
			* @param userId - Android user id of the user
			* @param password - a secret derived from the synthetic password provided by the
			* LockSettingService
			* @return 0 if successful or a {@code ResponseCode}
			* @hide
			*/
			public static int onUserPasswordChanged(int userId, @Nullable byte[] password) {
			if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0;
			try {
			getService().onUserPasswordChanged(userId, password);
			return 0;
			} catch (ServiceSpecificException e) {
			Log.e(TAG, "onUserPasswordChanged failed", e);
			return e.errorCode;
			} catch (Exception e) {
			Log.e(TAG, "Can not connect to keystore", e);
			return SYSTEM_ERROR;
			}
			}
			}

services/core/java/com/android/server/locksettings/LockSettingsService.java

+4 −1

services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java

+1 −13

Original line number	Original line	Diff line number	Diff line
	@@ -18,7 +18,6 @@ package com.android.server.locksettings;

	import android.security.keystore.KeyProperties;		import android.security.keystore.KeyProperties;
	import android.security.keystore.KeyProtection;		import android.security.keystore.KeyProtection;
	import android.security.keystore2.AndroidKeyStoreProvider;
	import android.util.Slog;		import android.util.Slog;

	import java.io.ByteArrayOutputStream;		import java.io.ByteArrayOutputStream;
	@@ -141,19 +140,8 @@ public class SyntheticPasswordCrypto {
	}		}
	}		}

	/**
	* TODO This function redirects keystore access to the legacy keystore during a transitional
	* phase during which not all calling code has been adjusted to use Keystore 2.0.
	* This can be reverted to a constant of "AndroidKeyStore" when b/171305684 is complete.
	* The specific bug for this component is b/171305115.
	*/
	static String androidKeystoreProviderName() {		static String androidKeystoreProviderName() {
	if (AndroidKeyStoreProvider.isInstalled()) {		return "AndroidKeyStore";
	return "AndroidKeyStoreLegacy";
	} else {
	return "AndroidKeystore";
	}

	}		}

	public static byte[] decryptBlob(String keyAlias, byte[] blob, byte[] applicationId) {		public static byte[] decryptBlob(String keyAlias, byte[] blob, byte[] applicationId) {

Original line number	Original line	Diff line number	Diff line
	@@ -89,6 +89,7 @@ import android.os.storage.StorageManager;
	import android.provider.Settings;		import android.provider.Settings;
	import android.provider.Settings.Secure;		import android.provider.Settings.Secure;
	import android.provider.Settings.SettingNotFoundException;		import android.provider.Settings.SettingNotFoundException;
			import android.security.AndroidKeyStoreMaintenance;
	import android.security.Authorization;		import android.security.Authorization;
	import android.security.KeyStore;		import android.security.KeyStore;
	import android.security.keystore.AndroidKeyStoreProvider;		import android.security.keystore.AndroidKeyStoreProvider;
	@@ -225,7 +226,6 @@ public class LockSettingsService extends ILockSettings.Stub {
	private final SyntheticPasswordManager mSpManager;		private final SyntheticPasswordManager mSpManager;

	private final KeyStore mKeyStore;		private final KeyStore mKeyStore;

	private final RecoverableKeyStoreManager mRecoverableKeyStoreManager;		private final RecoverableKeyStoreManager mRecoverableKeyStoreManager;
	private ManagedProfilePasswordCache mManagedProfilePasswordCache;		private ManagedProfilePasswordCache mManagedProfilePasswordCache;

	@@ -803,6 +803,7 @@ public class LockSettingsService extends ILockSettings.Stub {
	if (Intent.ACTION_USER_ADDED.equals(intent.getAction())) {		if (Intent.ACTION_USER_ADDED.equals(intent.getAction())) {
	// Notify keystore that a new user was added.		// Notify keystore that a new user was added.
	final int userHandle = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0);		final int userHandle = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0);
			AndroidKeyStoreMaintenance.onUserAdded(userHandle);
	final KeyStore ks = KeyStore.getInstance();		final KeyStore ks = KeyStore.getInstance();
	final UserInfo parentInfo = mUserManager.getProfileParent(userHandle);		final UserInfo parentInfo = mUserManager.getProfileParent(userHandle);
	final int parentHandle = parentInfo != null ? parentInfo.id : -1;		final int parentHandle = parentInfo != null ? parentInfo.id : -1;
	@@ -1270,6 +1271,7 @@ public class LockSettingsService extends ILockSettings.Stub {
	}		}

	private void setKeystorePassword(byte[] password, int userHandle) {		private void setKeystorePassword(byte[] password, int userHandle) {
			AndroidKeyStoreMaintenance.onUserPasswordChanged(userHandle, password);
	final KeyStore ks = KeyStore.getInstance();		final KeyStore ks = KeyStore.getInstance();
	// TODO(b/120484642): Update keystore to accept byte[] passwords		// TODO(b/120484642): Update keystore to accept byte[] passwords
	String passwordString = password == null ? null : new String(password);		String passwordString = password == null ? null : new String(password);
	@@ -2301,6 +2303,7 @@ public class LockSettingsService extends ILockSettings.Stub {
	mSpManager.removeUser(userId);		mSpManager.removeUser(userId);
	mStrongAuth.removeUser(userId);		mStrongAuth.removeUser(userId);

			AndroidKeyStoreMaintenance.onUserRemoved(userId);
	final KeyStore ks = KeyStore.getInstance();		final KeyStore ks = KeyStore.getInstance();
	ks.onUserRemoved(userId);		ks.onUserRemoved(userId);
	mManagedProfilePasswordCache.removePassword(userId);		mManagedProfilePasswordCache.removePassword(userId);