Merge "Support non-user-0 profile in ManagedProfilePasswordCache" into udc-dev

    private final boolean mCriticalToDeviceEncryption;

    private final int mMaxUsageCount;

    private final String mAttestKeyAlias;

    private final long mBoundToSecureUserId;

    /*

     * ***NOTE***: All new fields MUST also be added to the following:

     * ParcelableKeyGenParameterSpec class.

            boolean unlockedDeviceRequired,

            boolean criticalToDeviceEncryption,

            int maxUsageCount,

            String attestKeyAlias) {

            String attestKeyAlias,

            long boundToSecureUserId) {

        if (TextUtils.isEmpty(keyStoreAlias)) {

            throw new IllegalArgumentException("keyStoreAlias must not be empty");

        }

        mCriticalToDeviceEncryption = criticalToDeviceEncryption;

        mMaxUsageCount = maxUsageCount;

        mAttestKeyAlias = attestKeyAlias;

        mBoundToSecureUserId = boundToSecureUserId;

    }

    /**

    }

    /**

     * Return the secure user id that this key should be bound to.

     *

     * Normally an authentication-bound key is tied to the secure user id of the current user

     * (either the root SID from GateKeeper for auth-bound keys with a timeout, or the authenticator

     * id of the current biometric set for keys requiring explicit biometric authorization).

     * If this parameter is set (this method returning non-zero value), the key should be tied to

     * the specified secure user id, overriding the logic above.

     *

     * This is only applicable when {@link #isUserAuthenticationRequired} is {@code true}

     *

     * @hide

     */

    public long getBoundToSpecificSecureUserId() {

        return GateKeeper.INVALID_SECURE_USER_ID;

        return mBoundToSecureUserId;

    }

    /**

        private boolean mCriticalToDeviceEncryption = false;

        private int mMaxUsageCount = KeyProperties.UNRESTRICTED_USAGE_COUNT;

        private String mAttestKeyAlias = null;

        private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID;

        /**

         * Creates a new instance of the {@code Builder}.

            mCriticalToDeviceEncryption = sourceSpec.isCriticalToDeviceEncryption();

            mMaxUsageCount = sourceSpec.getMaxUsageCount();

            mAttestKeyAlias = sourceSpec.getAttestKeyAlias();

            mBoundToSecureUserId = sourceSpec.getBoundToSpecificSecureUserId();

        }

        /**

            return this;

        }

        /**

         * Set the secure user id that this key should be bound to.

         *

         * Normally an authentication-bound key is tied to the secure user id of the current user

         * (either the root SID from GateKeeper for auth-bound keys with a timeout, or the

         * authenticator id of the current biometric set for keys requiring explicit biometric

         * authorization). If this parameter is set (this method returning non-zero value), the key

         * should be tied to the specified secure user id, overriding the logic above.

         *

         * This is only applicable when {@link #setUserAuthenticationRequired} is set to

         * {@code true}

         *

         * @see KeyGenParameterSpec#getBoundToSpecificSecureUserId()

         * @hide

         */

        @NonNull

        public Builder setBoundToSpecificSecureUserId(long secureUserId) {

            mBoundToSecureUserId = secureUserId;

            return this;

        }

        /**

         * Builds an instance of {@code KeyGenParameterSpec}.

         */

                    mUnlockedDeviceRequired,

                    mCriticalToDeviceEncryption,

                    mMaxUsageCount,

                    mAttestKeyAlias);

                    mAttestKeyAlias,

                    mBoundToSecureUserId);

        }

    }

}

        out.writeBoolean(mSpec.isCriticalToDeviceEncryption());

        out.writeInt(mSpec.getMaxUsageCount());

        out.writeString(mSpec.getAttestKeyAlias());

        out.writeLong(mSpec.getBoundToSpecificSecureUserId());

    }

    private static Date readDateOrNull(Parcel in) {

        final boolean criticalToDeviceEncryption = in.readBoolean();

        final int maxUsageCount = in.readInt();

        final String attestKeyAlias = in.readString();

        final long boundToSecureUserId = in.readLong();

        // The KeyGenParameterSpec is intentionally not constructed using a Builder here:

        // The intention is for this class to break if new parameters are added to the

        // KeyGenParameterSpec constructor (whereas using a builder would silently drop them).

                unlockedDeviceRequired,

                criticalToDeviceEncryption,

                maxUsageCount,

                attestKeyAlias);

                attestKeyAlias,

                boundToSecureUserId);

    }

    public static final @android.annotation.NonNull Creator<ParcelableKeyGenParameterSpec> CREATOR = new Creator<ParcelableKeyGenParameterSpec>() {

                    profileUserId, /* isLockTiedToParent= */ true);

            return;

        }

        final long parentSid;

        // Do not tie when the parent has no SID (but does have a screen lock).

        // This can only happen during an upgrade path where SID is yet to be

        // generated when the user unlocks for the first time.

        try {

            if (getGateKeeperService().getSecureUserId(parentId) == 0) {

            parentSid = getGateKeeperService().getSecureUserId(parentId);

            if (parentSid == 0) {

                return;

            }

        } catch (RemoteException e) {

            setLockCredentialInternal(unifiedProfilePassword, profileUserPassword, profileUserId,

                    /* isLockTiedToParent= */ true);

            tieProfileLockToParent(profileUserId, parentId, unifiedProfilePassword);

            mManagedProfilePasswordCache.storePassword(profileUserId, unifiedProfilePassword);

            mManagedProfilePasswordCache.storePassword(profileUserId, unifiedProfilePassword,

                    parentSid);

        }

    }

        public @NonNull ManagedProfilePasswordCache getManagedProfilePasswordCache(

                java.security.KeyStore ks) {

            return new ManagedProfilePasswordCache(ks, getUserManager());

            return new ManagedProfilePasswordCache(ks);

        }

        public boolean isHeadlessSystemUserMode() {

        LockscreenCredential credential = LockscreenCredential.createManagedPassword(

                decryptionResult);

        Arrays.fill(decryptionResult, (byte) 0);

        mManagedProfilePasswordCache.storePassword(userId, credential);

        try {

            long parentSid = getGateKeeperService().getSecureUserId(

                    mUserManager.getProfileParent(userId).id);

            mManagedProfilePasswordCache.storePassword(userId, credential, parentSid);

        } catch (RemoteException e) {

            Slogf.w(TAG, "Failed to talk to GateKeeper service", e);

        }

        return credential;

    }

    public VerifyCredentialResponse verifyTiedProfileChallenge(LockscreenCredential credential,

            int userId, @LockPatternUtils.VerifyFlag int flags) {

        checkPasswordReadPermission();

        Slogf.i(TAG, "Verifying tied profile challenge for user %d", userId);

        if (!isProfileWithUnifiedLock(userId)) {

            throw new IllegalArgumentException(

                    "User id must be managed/clone profile with unified lock");

package com.android.server.locksettings;

import android.annotation.Nullable;

import android.content.pm.UserInfo;

import android.os.UserHandle;

import android.os.UserManager;

import android.security.GateKeeper;

import android.security.keystore.KeyGenParameterSpec;

import android.security.keystore.KeyProperties;

import android.security.keystore.UserNotAuthenticatedException;

import javax.crypto.spec.GCMParameterSpec;

/**

 * Caches *unified* work challenge for user 0's managed profiles. Only user 0's profile is supported

 * at the moment because the cached credential is encrypted using a keystore key auth-bound to

 * user 0: this is to match how unified work challenge is similarly auth-bound to its parent user's

 * lockscreen credential normally. It's possible to extend this class to support managed profiles

 * for secondary users, that will require generating auth-bound keys to their corresponding parent

 * user though (which {@link KeyGenParameterSpec} does not support right now).

 * Caches *unified* work challenge for managed profiles. The cached credential is encrypted using

 * a keystore key auth-bound to the parent user's lockscreen credential, similar to how unified

 * work challenge is normally secured.

 *

 * <p> The cache is filled whenever the managed profile's unified challenge is created or derived

 * (as part of the parent user's credential verification flow). It's removed when the profile is

    private final SparseArray<byte[]> mEncryptedPasswords = new SparseArray<>();

    private final KeyStore mKeyStore;

    private final UserManager mUserManager;

    public ManagedProfilePasswordCache(KeyStore keyStore, UserManager userManager) {

    public ManagedProfilePasswordCache(KeyStore keyStore) {

        mKeyStore = keyStore;

        mUserManager = userManager;

    }

    /**

     * Encrypt and store the password in the cache. Does NOT overwrite existing password cache

     * if one for the given user already exists.

     *

     * Should only be called on a profile userId.

     */

    public void storePassword(int userId, LockscreenCredential password) {

    public void storePassword(int userId, LockscreenCredential password, long parentSid) {

        if (parentSid == GateKeeper.INVALID_SECURE_USER_ID) return;

        synchronized (mEncryptedPasswords) {

            if (mEncryptedPasswords.contains(userId)) {

                return;

            }

            UserInfo parent = mUserManager.getProfileParent(userId);

            if (parent == null || parent.id != UserHandle.USER_SYSTEM) {

                // Since the cached password is encrypted using a keystore key auth-bound to user 0,

                // only support caching password for user 0's profile.

                return;

            }

            String keyName = getEncryptionKeyName(userId);

            KeyGenerator generator;

            SecretKey key;

                        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)

                        .setNamespace(SyntheticPasswordCrypto.keyNamespace())

                        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)

                        // Generate auth-bound key to user 0 (since we the caller is user 0)

                        .setUserAuthenticationRequired(true)

                        .setBoundToSpecificSecureUserId(parentSid)

                        .setUserAuthenticationValidityDurationSeconds(CACHE_TIMEOUT_SECONDS)

                        .build());

                key = generator.generateKey();