Merge "Integrate IKeystoreUserManager aidl with LockSettingsService." am: bfc1f6b3 am: 7fa15840

        "android.hardware.vibrator-V1.3-java",

        "android.security.apc-java",

        "android.security.authorization-java",

        "android.security.usermanager-java",

        "android.system.keystore2-V1-java",

        "android.system.suspend.control.internal-java",

        "devicepolicyprotosnano",

/*

 * Copyright (C) 2021 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package android.security;

import android.annotation.NonNull;

import android.annotation.Nullable;

import android.os.ServiceManager;

import android.os.ServiceSpecificException;

import android.security.usermanager.IKeystoreUserManager;

import android.system.keystore2.ResponseCode;

import android.util.Log;

/**

 * @hide This is the client side for IKeystoreUserManager AIDL.

 * It shall only be used by the LockSettingsService.

 */

public class AndroidKeyStoreMaintenance {

    private static final String TAG = "AndroidKeyStoreMaintenance";

    public static final int SYSTEM_ERROR = ResponseCode.SYSTEM_ERROR;

    private static IKeystoreUserManager getService() {

        return IKeystoreUserManager.Stub.asInterface(

                ServiceManager.checkService("android.security.usermanager"));

    }

    /**

     * Informs keystore2 about adding a user

     *

     * @param userId - Android user id of the user being added

     * @return 0 if successful or a {@code ResponseCode}

     * @hide

     */

    public static int onUserAdded(@NonNull int userId) {

        if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0;

        try {

            getService().onUserAdded(userId);

            return 0;

        } catch (ServiceSpecificException e) {

            Log.e(TAG, "onUserAdded failed", e);

            return e.errorCode;

        } catch (Exception e) {

            Log.e(TAG, "Can not connect to keystore", e);

            return SYSTEM_ERROR;

        }

    }

    /**

     * Informs keystore2 about removing a usergit mer

     *

     * @param userId - Android user id of the user being removed

     * @return 0 if successful or a {@code ResponseCode}

     * @hide

     */

    public static int onUserRemoved(int userId) {

        if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0;

        try {

            getService().onUserRemoved(userId);

            return 0;

        } catch (ServiceSpecificException e) {

            Log.e(TAG, "onUserRemoved failed", e);

            return e.errorCode;

        } catch (Exception e) {

            Log.e(TAG, "Can not connect to keystore", e);

            return SYSTEM_ERROR;

        }

    }

    /**

     * Informs keystore2 about changing user's password

     *

     * @param userId   - Android user id of the user

     * @param password - a secret derived from the synthetic password provided by the

     *                 LockSettingService

     * @return 0 if successful or a {@code ResponseCode}

     * @hide

     */

    public static int onUserPasswordChanged(int userId, @Nullable byte[] password) {

        if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0;

        try {

            getService().onUserPasswordChanged(userId, password);

            return 0;

        } catch (ServiceSpecificException e) {

            Log.e(TAG, "onUserPasswordChanged failed", e);

            return e.errorCode;

        } catch (Exception e) {

            Log.e(TAG, "Can not connect to keystore", e);

            return SYSTEM_ERROR;

        }

    }

}

import android.provider.Settings;

import android.provider.Settings.Secure;

import android.provider.Settings.SettingNotFoundException;

import android.security.AndroidKeyStoreMaintenance;

import android.security.Authorization;

import android.security.KeyStore;

import android.security.keystore.AndroidKeyStoreProvider;

    private final SyntheticPasswordManager mSpManager;

    private final KeyStore mKeyStore;

    private final RecoverableKeyStoreManager mRecoverableKeyStoreManager;

    private ManagedProfilePasswordCache mManagedProfilePasswordCache;

            if (Intent.ACTION_USER_ADDED.equals(intent.getAction())) {

                // Notify keystore that a new user was added.

                final int userHandle = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0);

                AndroidKeyStoreMaintenance.onUserAdded(userHandle);

                final KeyStore ks = KeyStore.getInstance();

                final UserInfo parentInfo = mUserManager.getProfileParent(userHandle);

                final int parentHandle = parentInfo != null ? parentInfo.id : -1;

    }

    private void setKeystorePassword(byte[] password, int userHandle) {

        AndroidKeyStoreMaintenance.onUserPasswordChanged(userHandle, password);

        final KeyStore ks = KeyStore.getInstance();

        // TODO(b/120484642): Update keystore to accept byte[] passwords

        String passwordString = password == null ? null : new String(password);

        mSpManager.removeUser(userId);

        mStrongAuth.removeUser(userId);

        AndroidKeyStoreMaintenance.onUserRemoved(userId);

        final KeyStore ks = KeyStore.getInstance();

        ks.onUserRemoved(userId);

        mManagedProfilePasswordCache.removePassword(userId);

import android.security.keystore.KeyProperties;

import android.security.keystore.KeyProtection;

import android.security.keystore2.AndroidKeyStoreProvider;

import android.util.Slog;

import java.io.ByteArrayOutputStream;

        }

    }

    /**

     * TODO This function redirects keystore access to the legacy keystore during a transitional

     *      phase during which not all calling code has been adjusted to use Keystore 2.0.

     *      This can be reverted to a constant of "AndroidKeyStore" when b/171305684 is complete.

     *      The specific bug for this component is b/171305115.

     */

    static String androidKeystoreProviderName() {

        if (AndroidKeyStoreProvider.isInstalled()) {

            return "AndroidKeyStoreLegacy";

        } else {

            return "AndroidKeystore";

        }

        return "AndroidKeyStore";

    }

    public static byte[] decryptBlob(String keyAlias, byte[] blob, byte[] applicationId) {