Add storage for snapshots in KeySyncTask

    public static final int NO_ERROR = KeyStore.NO_ERROR;

    public static final int SYSTEM_ERROR = KeyStore.SYSTEM_ERROR;

    public static final int UNINITIALIZED_RECOVERY_PUBLIC_KEY = 20;

    public static final int NO_SNAPSHOT_PENDING_ERROR = 21;

    /**

     * Rate limit is enforced to prevent using too many trusted remote devices, since each device

     * can have its own number of user secret guesses allowed.

package com.android.server.locksettings.recoverablekeystore;

import static android.security.recoverablekeystore.KeyStoreRecoveryMetadata.TYPE_LOCKSCREEN;

import android.annotation.NonNull;

import android.content.Context;

import android.security.recoverablekeystore.KeyDerivationParameters;

import android.security.recoverablekeystore.KeyEntryRecoveryData;

import android.security.recoverablekeystore.KeyStoreRecoveryData;

import android.security.recoverablekeystore.KeyStoreRecoveryMetadata;

import android.util.Log;

import com.android.internal.annotations.VisibleForTesting;

import com.android.internal.widget.LockPatternUtils;

import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb;

import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage;

import java.nio.ByteBuffer;

import java.nio.ByteOrder;

import java.security.PublicKey;

import java.security.SecureRandom;

import java.security.UnrecoverableKeyException;

import java.util.ArrayList;

import java.util.List;

import java.util.Map;

import javax.crypto.KeyGenerator;

    private final RecoverableKeyStoreDb mRecoverableKeyStoreDb;

    private final int mUserId;

    private final RecoverableSnapshotConsumer mSnapshotConsumer;

    private final int mCredentialType;

    private final String mCredential;

    private final PlatformKeyManager.Factory mPlatformKeyManagerFactory;

    private final VaultKeySupplier mVaultKeySupplier;

    private final RecoverySnapshotStorage mRecoverySnapshotStorage;

    public static KeySyncTask newInstance(

            Context context,

            RecoverableKeyStoreDb recoverableKeyStoreDb,

            RecoverySnapshotStorage snapshotStorage,

            int userId,

            int credentialType,

            String credential

    ) throws NoSuchAlgorithmException, KeyStoreException, InsecureUserException {

        return new KeySyncTask(

                recoverableKeyStoreDb,

                snapshotStorage,

                userId,

                credentialType,

                credential,

                () -> PlatformKeyManager.getInstance(context, recoverableKeyStoreDb, userId),

                (salt, recoveryKey, applicationKeys) -> {

                    // TODO: implement sending intent

                },

                () -> {

                    throw new UnsupportedOperationException("Not implemented vault key.");

                });

    @VisibleForTesting

    KeySyncTask(

            RecoverableKeyStoreDb recoverableKeyStoreDb,

            RecoverySnapshotStorage snapshotStorage,

            int userId,

            int credentialType,

            String credential,

            PlatformKeyManager.Factory platformKeyManagerFactory,

            RecoverableSnapshotConsumer snapshotConsumer,

            VaultKeySupplier vaultKeySupplier) {

        mRecoverableKeyStoreDb = recoverableKeyStoreDb;

        mUserId = userId;

        mCredentialType = credentialType;

        mCredential = credential;

        mPlatformKeyManagerFactory = platformKeyManagerFactory;

        mSnapshotConsumer = snapshotConsumer;

        mVaultKeySupplier = vaultKeySupplier;

        mRecoverySnapshotStorage = snapshotStorage;

    }

    @Override

            return;

        }

        mSnapshotConsumer.accept(salt, encryptedRecoveryKey, encryptedApplicationKeys);

        // TODO: why is the secret sent here? I thought it wasn't sent in the raw at all.

        KeyStoreRecoveryMetadata metadata = new KeyStoreRecoveryMetadata(

                /*userSecretType=*/ TYPE_LOCKSCREEN,

                /*lockScreenUiFormat=*/ mCredentialType,

                /*keyDerivationParameters=*/ KeyDerivationParameters.createSHA256Parameters(salt),

                /*secret=*/ new byte[0]);

        ArrayList<KeyStoreRecoveryMetadata> metadataList = new ArrayList<>();

        metadataList.add(metadata);

        // TODO: implement snapshot version

        mRecoverySnapshotStorage.put(mUserId, new KeyStoreRecoveryData(

                /*snapshotVersion=*/ 1,

                /*recoveryMetadata=*/ metadataList,

                /*applicationKeyBlobs=*/ createApplicationKeyEntries(encryptedApplicationKeys),

                /*encryptedRecoveryKeyblob=*/ encryptedRecoveryKey));

    }

    private PublicKey getVaultPublicKey() {

        return keyGenerator.generateKey();

    }

    /**

     * TODO: just replace with the Intent call. I'm not sure exactly what this looks like, hence

     * this interface, so I can test in the meantime.

     */

    public interface RecoverableSnapshotConsumer {

        void accept(

                byte[] salt,

                byte[] encryptedRecoveryKey,

                Map<String, byte[]> encryptedApplicationKeys);

    private static List<KeyEntryRecoveryData> createApplicationKeyEntries(

            Map<String, byte[]> encryptedApplicationKeys) {

        ArrayList<KeyEntryRecoveryData> keyEntries = new ArrayList<>();

        for (String alias : encryptedApplicationKeys.keySet()) {

            keyEntries.add(

                    new KeyEntryRecoveryData(

                            alias.getBytes(StandardCharsets.UTF_8),

                            encryptedApplicationKeys.get(alias)));

        }

        return keyEntries;

    }

    /**

import com.android.internal.annotations.VisibleForTesting;

import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb;

import com.android.server.locksettings.recoverablekeystore.storage.RecoverySessionStorage;

import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage;

import java.nio.charset.StandardCharsets;

import java.security.InvalidKeyException;

    private final ExecutorService mExecutorService;

    private final ListenersStorage mListenersStorage;

    private final RecoverableKeyGenerator mRecoverableKeyGenerator;

    private final RecoverySnapshotStorage mSnapshotStorage;

    /**

     * Returns a new or existing instance.

                    db,

                    new RecoverySessionStorage(),

                    Executors.newSingleThreadExecutor(),

                    ListenersStorage.getInstance());

                    ListenersStorage.getInstance(),

                    new RecoverySnapshotStorage());

        }

        return mInstance;

    }

            RecoverableKeyStoreDb recoverableKeyStoreDb,

            RecoverySessionStorage recoverySessionStorage,

            ExecutorService executorService,

            ListenersStorage listenersStorage) {

            ListenersStorage listenersStorage,

            RecoverySnapshotStorage snapshotStorage) {

        mContext = context;

        mDatabase = recoverableKeyStoreDb;

        mRecoverySessionStorage = recoverySessionStorage;

        mExecutorService = executorService;

        mListenersStorage = listenersStorage;

        mSnapshotStorage = snapshotStorage;

        try {

            mRecoverableKeyGenerator = RecoverableKeyGenerator.newInstance(mDatabase);

        } catch (NoSuchAlgorithmException e) {

    public @NonNull KeyStoreRecoveryData getRecoveryData(@NonNull byte[] account, int userId)

            throws RemoteException {

        checkRecoverKeyStorePermission();

        final int callingUid = Binder.getCallingUid(); // Recovery agent uid.

        final int callingUserId = UserHandle.getCallingUserId();

        final long callingIdentiy = Binder.clearCallingIdentity();

        try {

            // TODO: Return the latest snapshot for the calling recovery agent.

        } finally {

            Binder.restoreCallingIdentity(callingIdentiy);

        }

        // KeyStoreRecoveryData without application keys and empty recovery blob.

        KeyStoreRecoveryData recoveryData =

                new KeyStoreRecoveryData(

                        /*snapshotVersion=*/ 1,

                        new ArrayList<KeyStoreRecoveryMetadata>(),

                        new ArrayList<KeyEntryRecoveryData>(),

                        /*encryptedRecoveryKeyBlob=*/ new byte[] {});

        throw new ServiceSpecificException(

                RecoverableKeyStoreLoader.UNINITIALIZED_RECOVERY_PUBLIC_KEY);

        KeyStoreRecoveryData snapshot = mSnapshotStorage.get(UserHandle.getCallingUserId());

        if (snapshot == null) {

            throw new ServiceSpecificException(RecoverableKeyStoreLoader.NO_SNAPSHOT_PENDING_ERROR);

        }

        return snapshot;

    }

    public void setSnapshotCreatedPendingIntent(@Nullable PendingIntent intent, int userId)

        // So as not to block the critical path unlocking the phone, defer to another thread.

        try {

            mExecutorService.execute(KeySyncTask.newInstance(

                    mContext, mDatabase, userId, storedHashType, credential));

                    mContext, mDatabase, mSnapshotStorage, userId, storedHashType, credential));

        } catch (NoSuchAlgorithmException e) {

            Log.wtf(TAG, "Should never happen - algorithm unavailable for KeySync", e);

        } catch (KeyStoreException e) {

/*

 * Copyright (C) 2017 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package com.android.server.locksettings.recoverablekeystore.storage;

import android.content.Context;

/*

 * Copyright (C) 2017 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package com.android.server.locksettings.recoverablekeystore.storage;

import android.annotation.Nullable;

import android.security.recoverablekeystore.KeyStoreRecoveryData;

import android.util.SparseArray;

import com.android.internal.annotations.GuardedBy;

/**

 * In-memory storage for recovery snapshots.

 *

 * <p>Recovery snapshots are generated after a successful screen unlock. They are only generated if

 * the recoverable keystore has been mutated since the previous snapshot. This class stores only the

 * latest snapshot for each user.

 *

 * <p>This class is thread-safe. It is used both on the service thread and the

 * {@link com.android.server.locksettings.recoverablekeystore.KeySyncTask} thread.

 */

public class RecoverySnapshotStorage {

    @GuardedBy("this")

    private final SparseArray<KeyStoreRecoveryData> mSnapshotByUserId = new SparseArray<>();

    /**

     * Sets the latest {@code snapshot} for the user {@code userId}.

     */

    public synchronized void put(int userId, KeyStoreRecoveryData snapshot) {

        mSnapshotByUserId.put(userId, snapshot);

    }

    /**

     * Returns the latest snapshot for user {@code userId}, or null if none exists.

     */

    @Nullable

    public synchronized KeyStoreRecoveryData get(int userId) {

        return mSnapshotByUserId.get(userId);

    }

    /**

     * Removes any (if any) snapshot associated with user {@code userId}.

     */

    public synchronized void remove(int userId) {

        mSnapshotByUserId.remove(userId);

    }

}