
Commit 7d07c892 authored by Kevin Chyn's avatar Kevin Chyn

Clean up biometric system server

1) BiometricService / AuthService always need to be started, since on
   Android 11 and later, the public credential auth API comes through this
   path.

2) Consolidate getAuthenticatorId() and expose via AuthService. This is
   used only by the platform during key generation. Instead of asking
   each individual service, AuthService will return a list of IDs for
   sensors which are enrolled and meet the required strength.

Test: atest com.android.server.biometrics
Test: fingerprint device, CtsVerifier biometric section
Test: face unlock device, CtsVerifier biometric section
Test: remove biometrics from device, CtsVerifier biometric section

Bug: 148419762
Bug: 149795050

Change-Id: I2c5385b1cd4f343fabb0010e1fe6fb1ea8283391
parent e49a3294
+5 −11
@@ -916,17 +916,11 @@ public final class SystemServiceRegistry {
                    @Override
                    public BiometricManager createService(ContextImpl ctx)
                            throws ServiceNotFoundException {
                        if (BiometricManager.hasBiometrics(ctx)) {
                        final IBinder binder =
                                ServiceManager.getServiceOrThrow(Context.AUTH_SERVICE);
                        final IAuthService service =
                                IAuthService.Stub.asInterface(binder);
                        return new BiometricManager(ctx.getOuterContext(), service);
                        } else {
                            // Allow access to the manager when service is null. This saves memory
                            // on devices without biometric hardware.
                            return new BiometricManager(ctx.getOuterContext(), null);
                        }
                    }
                });
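Review bot: The new `createService` body has no comment explaining why `ServiceManager.getServiceOrThrow(Context.AUTH_SERVICE)` is now unconditional, while the old comment about allowing a null service on devices without biometric hardware appears to be dropped along with the `else` branch. Per the commit message the service must exist on every device because the public credential auth API goes through it, so I would record that above the lookup: `// AuthService is always started (credential auth on Android 11+ goes through it); a missing binder is an error, not "no biometric hardware".` How a `ServiceNotFoundException` reaches callers is decided outside this section, so it is worth confirming that clients on devices without biometric hardware handle it.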

+22 −22
@@ -25,7 +25,6 @@ import android.annotation.RequiresPermission;
import android.annotation.SystemApi;
import android.annotation.SystemService;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.RemoteException;
import android.util.Slog;

@@ -160,19 +159,6 @@ public class BiometricManager {

    private final Context mContext;
    private final IAuthService mService;
    private final boolean mHasHardware;

    /**
     * @param context
     * @return
     * @hide
     */
    public static boolean hasBiometrics(Context context) {
        final PackageManager pm = context.getPackageManager();
        return pm.hasSystemFeature(PackageManager.FEATURE_FINGERPRINT)
                || pm.hasSystemFeature(PackageManager.FEATURE_IRIS)
                || pm.hasSystemFeature(PackageManager.FEATURE_FACE);
    }

    /**
     * @hide
@@ -182,8 +168,6 @@ public class BiometricManager {
    public BiometricManager(Context context, IAuthService service) {
        mContext = context;
        mService = service;

        mHasHardware = hasBiometrics(context);
    }

    /**
@@ -248,15 +232,11 @@ public class BiometricManager {
            } catch (RemoteException e) {
                throw e.rethrowFromSystemServer();
            }
        } else {
            if (!mHasHardware) {
                return BIOMETRIC_ERROR_NO_HARDWARE;
        } else {
            Slog.w(TAG, "hasEnrolledBiometrics(): Service not connected");
            return BIOMETRIC_ERROR_HW_UNAVAILABLE;
        }
    }
    }

    /**
     * @hide
@@ -331,5 +311,25 @@ public class BiometricManager {
        }
    }

    /**
     * Get a list of AuthenticatorIDs for biometric authenticators which have 1) enrolled templates,
     * and 2) meet the requirements for integrating with Keystore. The AuthenticatorIDs are known
     * in Keystore land as SIDs, and are used during key generation.
     * @hide
     */
    @RequiresPermission(USE_BIOMETRIC_INTERNAL)
    public long[] getAuthenticatorIds() {
        if (mService != null) {
            try {
                return mService.getAuthenticatorIds();
            } catch (RemoteException e) {
                throw e.rethrowFromSystemServer();
            }
        } else {
            Slog.w(TAG, "getAuthenticatorIds(): Service not connected");
            return new long[0];
        }
    }

}
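Review bot: `getAuthenticatorIds()` returns `new long[0]` when `mService` is null, which a caller cannot tell apart from "no enrolled sensor meets the required strength". The Javadoc says these IDs are used during key generation, so a caller that reads an empty array as "nothing to bind" could create a key with no biometric SID instead of failing. That caller is not on this page, so this is a contract to confirm rather than a demonstrated bug. I would state it in the Javadoc, e.g. `@return SIDs of enrolled authenticators that qualify for Keystore; empty if none qualify or the service is unavailable, in which case callers must not generate a biometric-bound key`.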
+15 −20
@@ -898,7 +898,7 @@ public class BiometricPrompt implements BiometricAuthenticator, BiometricConstan
            mExecutor = executor;
            mAuthenticationCallback = callback;
            final long sessionId = crypto != null ? crypto.getOpId() : 0;
            if (BiometricManager.hasBiometrics(mContext)) {

            final Bundle bundle;
            if (crypto != null) {
                // Allowed authenticators should default to BIOMETRIC_STRONG for crypto auth.
@@ -915,12 +915,7 @@ public class BiometricPrompt implements BiometricAuthenticator, BiometricConstan

            mService.authenticate(mToken, sessionId, userId, mBiometricServiceReceiver,
                    mContext.getOpPackageName(), bundle);
            } else {
                mExecutor.execute(() -> {
                    callback.onAuthenticationError(BiometricPrompt.BIOMETRIC_ERROR_HW_NOT_PRESENT,
                            mContext.getString(R.string.biometric_error_hw_unavailable));
                });
            }

        } catch (RemoteException e) {
            Log.e(TAG, "Remote exception while authenticating", e);
            mExecutor.execute(() -> {
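Review bot: With the `BiometricManager.hasBiometrics(mContext)` guard gone, `mService.authenticate(...)` runs unconditionally, and the only handler visible here is `catch (RemoteException e)`. If `mService` can be null (its assignment is outside this hunk), the failure is a `NullPointerException` in the calling thread rather than an error delivered through `callback`. A null check before the bundle is built keeps the failure on the callback path, for example `if (mService == null) { mExecutor.execute(() -> callback.onAuthenticationError(BIOMETRIC_ERROR_HW_UNAVAILABLE, mContext.getString(R.string.biometric_error_hw_unavailable))); return; }`. The enclosing method begins and ends outside the hunk.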
+5 −0
@@ -51,4 +51,9 @@ interface IAuthService {

    // Reset the lockout when user authenticates with strong auth (e.g. PIN, pattern or password)
    void resetLockout(in byte [] token);

    // Get a list of AuthenticatorIDs for authenticators which have enrolled templates and meet
    // the requirements for integrating with Keystore. The AuthenticatorID are known in Keystore
    // land as SIDs, and are used during key generation.
    long[] getAuthenticatorIds();
}
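Review bot: `getAuthenticatorIds()` takes no user argument, and its comment does not say whose enrolled templates it reports or which permission guards the call. The returned values are the SIDs used during key generation, so the contract belongs on the interface, e.g. `// Caller must hold USE_BIOMETRIC_INTERNAL. Returns IDs for the calling user only.` (adjust to what the implementation actually does; it is not shown on this page). The client wrapper's `@RequiresPermission(USE_BIOMETRIC_INTERNAL)` is only a lint annotation, so the service side needs its own enforcement. The same user-scope question applies to `getAuthenticatorId()` added to `IBiometricAuthenticator`, which sits next to `setActiveUser(int uid)` and presumably depends on it.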
+3 −0
@@ -55,4 +55,7 @@ interface IBiometricAuthenticator {

    // Explicitly set the active user (for enrolling work profile)
    void setActiveUser(int uid);

    // Gets the authenticator ID representing the current set of enrolled templates
    long getAuthenticatorId();
}