
Commit 49e239ec authored by Hasini Gunasinghe's avatar Hasini Gunasinghe Committed by Janis Danisevskis

Keystore 2.0: Integrate onLockScreenEvent.

This patch updates LockSettingsService and TrustManagerService to use the
new Keystore 2.0 authorization API.

Bug: 166672367
Test: VTS test
Change-Id: I5494d7b923d33d447488a0c67ada43d1f9593861
parent f9c123d7
+29 −0
@@ -17,11 +17,13 @@
package android.security;

import android.annotation.NonNull;
import android.annotation.Nullable;
import android.hardware.security.keymint.HardwareAuthToken;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.ServiceSpecificException;
import android.security.authorization.IKeystoreAuthorization;
import android.security.authorization.LockScreenEvent;
import android.system.keystore2.ResponseCode;
import android.util.Log;

@@ -75,4 +77,31 @@ public class Authorization {
        return addAuthToken(AuthTokenUtils.toHardwareAuthToken(authToken));
    }

    /**
     * Informs keystore2 about lock screen event.
     *
     * @param locked            - whether it is a lock (true) or unlock (false) event
     * @param syntheticPassword - if it is an unlock event with the password, pass the synthetic
     *                          password provided by the LockSettingService
     *
     * @return 0 if successful or a {@code ResponseCode}.
     */
    public int onLockScreenEvent(@NonNull boolean locked, @NonNull int userId,
            @Nullable byte[] syntheticPassword) {
        if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0;
        try {
            if (locked) {
                getService().onLockScreenEvent(LockScreenEvent.LOCK, userId, null);
            } else {
                getService().onLockScreenEvent(LockScreenEvent.UNLOCK, userId, syntheticPassword);
            }
            return 0;
        } catch (RemoteException e) {
            Log.w(TAG, "Can not connect to keystore", e);
            return SYSTEM_ERROR;
        } catch (ServiceSpecificException e) {
            return e.errorCode;
        }
    }

}
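Review bot: The `ServiceSpecificException` branch of `onLockScreenEvent` returns `e.errorCode` without logging, while the `RemoteException` branch logs. A rejected event presumably leaves keystore2 with a stale lock state, so a matching `Log.w(TAG, "onLockScreenEvent failed: " + e.errorCode);` would make that failure visible; the message must never include `syntheticPassword`. Separately, `@NonNull` on the primitive `boolean locked` and `int userId` has no effect and can be dropped, and the Javadoc is missing an `@param userId` line. The early `return 0` when the keystore2 provider is not installed looks the same as success to callers, so a one-line comment stating that this is intentional would help.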
+2 −0
@@ -89,6 +89,7 @@ import android.os.storage.StorageManager;
import android.provider.Settings;
import android.provider.Settings.Secure;
import android.provider.Settings.SettingNotFoundException;
import android.security.Authorization;
import android.security.KeyStore;
import android.security.keystore.AndroidKeyStoreProvider;
import android.security.keystore.KeyProperties;
@@ -1272,6 +1273,7 @@ public class LockSettingsService extends ILockSettings.Stub {

    private void unlockKeystore(byte[] password, int userHandle) {
        if (DEBUG) Slog.v(TAG, "Unlock keystore for user: " + userHandle);
        new Authorization().onLockScreenEvent(false, userHandle, password);
        // TODO(b/120484642): Update keystore to accept byte[] passwords
        String passwordString = password == null ? null : new String(password);
        final KeyStore ks = KeyStore.getInstance();
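Review bot: The result of `new Authorization().onLockScreenEvent(false, userHandle, password)` in `unlockKeystore` is discarded, so a `SYSTEM_ERROR` or keystore2 response code from the unlock is neither logged nor acted on. The same holds for the three `mAuthorizationService.onLockScreenEvent(...)` calls in TrustManagerService, where a dropped LOCK event would presumably leave keystore2 treating the user as unlocked. At minimum capture and log the code, e.g. `int rc = new Authorization().onLockScreenEvent(false, userHandle, password);` followed by `if (rc != 0) Slog.w(TAG, "keystore2 unlock event failed for user " + userHandle + ": " + rc);`. `unlockKeystore` continues past the end of the hunk, so whether a failure should also abort the legacy unlock path cannot be judged from here.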
+7 −0
@@ -53,6 +53,7 @@ import android.os.SystemClock;
import android.os.UserHandle;
import android.os.UserManager;
import android.provider.Settings;
import android.security.Authorization;
import android.security.KeyStore;
import android.service.trust.TrustAgentService;
import android.text.TextUtils;
@@ -185,6 +186,8 @@ public class TrustManagerService extends SystemService {
    private boolean mTrustAgentsCanRun = false;
    private int mCurrentUser = UserHandle.USER_SYSTEM;

    private Authorization mAuthorizationService;

    public TrustManagerService(Context context) {
        super(context);
        mContext = context;
@@ -194,6 +197,7 @@ public class TrustManagerService extends SystemService {
        mStrongAuthTracker = new StrongAuthTracker(context);
        mAlarmManager = (AlarmManager) mContext.getSystemService(Context.ALARM_SERVICE);
        mSettingsObserver = new SettingsObserver(mHandler);
        mAuthorizationService = new Authorization();
    }

    @Override
@@ -696,11 +700,13 @@ public class TrustManagerService extends SystemService {
        if (changed) {
            dispatchDeviceLocked(userId, locked);

            mAuthorizationService.onLockScreenEvent(locked, userId, null);
            KeyStore.getInstance().onUserLockedStateChanged(userId, locked);
            // Also update the user's profiles who have unified challenge, since they
            // share the same unlocked state (see {@link #isDeviceLocked(int)})
            for (int profileHandle : mUserManager.getEnabledProfileIds(userId)) {
                if (mLockPatternUtils.isManagedProfileWithUnifiedChallenge(profileHandle)) {
                    mAuthorizationService.onLockScreenEvent(locked, profileHandle, null);
                    KeyStore.getInstance().onUserLockedStateChanged(profileHandle, locked);
                }
            }
@@ -1252,6 +1258,7 @@ public class TrustManagerService extends SystemService {
                        mDeviceLockedForUser.put(userId, locked);
                    }

                    mAuthorizationService.onLockScreenEvent(locked, userId, null);
                    KeyStore.getInstance().onUserLockedStateChanged(userId, locked);

                    if (locked) {
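Review bot: `mAuthorizationService` is assigned once in the constructor and is not reassigned in any visible hunk, so the field can be declared `private final Authorization mAuthorizationService;`. The name also suggests a system service, whereas `Authorization` as used here is a client wrapper that forwards to keystore2; `mAuthorization` would read more accurately. A short field comment such as `// Client for keystore2's authorization interface; mirrors lock-state changes alongside the legacy KeyStore calls.` would explain why every `KeyStore.getInstance().onUserLockedStateChanged(...)` call is now paired with it. The blocks around the last two call sites begin and end outside their hunks.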