Loading Android.bp +1 −0 Original line number Diff line number Diff line Loading @@ -525,6 +525,7 @@ java_library { "android.hardware.vibrator-V1.3-java", "android.security.apc-java", "android.security.authorization-java", "android.security.usermanager-java", "android.system.keystore2-V1-java", "android.system.suspend.control.internal-java", "devicepolicyprotosnano", Loading keystore/java/android/security/AndroidKeyStoreMaintenance.java 0 → 100644 +105 −0 Original line number Diff line number Diff line /* * Copyright (C) 2021 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package android.security; import android.annotation.NonNull; import android.annotation.Nullable; import android.os.ServiceManager; import android.os.ServiceSpecificException; import android.security.usermanager.IKeystoreUserManager; import android.system.keystore2.ResponseCode; import android.util.Log; /** * @hide This is the client side for IKeystoreUserManager AIDL. * It shall only be used by the LockSettingsService. */ public class AndroidKeyStoreMaintenance { private static final String TAG = "AndroidKeyStoreMaintenance"; public static final int SYSTEM_ERROR = ResponseCode.SYSTEM_ERROR; private static IKeystoreUserManager getService() { return IKeystoreUserManager.Stub.asInterface( ServiceManager.checkService("android.security.usermanager")); } /** * Informs keystore2 about adding a user * * @param userId - Android user id of the user being added * @return 0 if successful or a {@code ResponseCode} * @hide */ public static int onUserAdded(@NonNull int userId) { if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0; try { getService().onUserAdded(userId); return 0; } catch (ServiceSpecificException e) { Log.e(TAG, "onUserAdded failed", e); return e.errorCode; } catch (Exception e) { Log.e(TAG, "Can not connect to keystore", e); return SYSTEM_ERROR; } } /** * Informs keystore2 about removing a usergit mer * * @param userId - Android user id of the user being removed * @return 0 if successful or a {@code ResponseCode} * @hide */ public static int onUserRemoved(int userId) { if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0; try { getService().onUserRemoved(userId); return 0; } catch (ServiceSpecificException e) { Log.e(TAG, "onUserRemoved failed", e); return e.errorCode; } catch (Exception e) { Log.e(TAG, "Can not connect to keystore", e); return SYSTEM_ERROR; } } /** * Informs keystore2 about changing user's password * * @param userId - Android user id of the user * @param password - a secret derived from the synthetic password provided by the * LockSettingService * @return 0 if successful or a {@code ResponseCode} * @hide */ public static int onUserPasswordChanged(int userId, @Nullable byte[] password) { if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0; try { getService().onUserPasswordChanged(userId, password); return 0; } catch (ServiceSpecificException e) { Log.e(TAG, "onUserPasswordChanged failed", e); return e.errorCode; } catch (Exception e) { Log.e(TAG, "Can not connect to keystore", e); return SYSTEM_ERROR; } } } services/core/java/com/android/server/locksettings/LockSettingsService.java +4 −1 Original line number Diff line number Diff line Loading @@ -89,6 +89,7 @@ import android.os.storage.StorageManager; import android.provider.Settings; import android.provider.Settings.Secure; import android.provider.Settings.SettingNotFoundException; import android.security.AndroidKeyStoreMaintenance; import android.security.Authorization; import android.security.KeyStore; import android.security.keystore.AndroidKeyStoreProvider; Loading Loading @@ -225,7 +226,6 @@ public class LockSettingsService extends ILockSettings.Stub { private final SyntheticPasswordManager mSpManager; private final KeyStore mKeyStore; private final RecoverableKeyStoreManager mRecoverableKeyStoreManager; private ManagedProfilePasswordCache mManagedProfilePasswordCache; Loading Loading @@ -803,6 +803,7 @@ public class LockSettingsService extends ILockSettings.Stub { if (Intent.ACTION_USER_ADDED.equals(intent.getAction())) { // Notify keystore that a new user was added. final int userHandle = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0); AndroidKeyStoreMaintenance.onUserAdded(userHandle); final KeyStore ks = KeyStore.getInstance(); final UserInfo parentInfo = mUserManager.getProfileParent(userHandle); final int parentHandle = parentInfo != null ? parentInfo.id : -1; Loading Loading @@ -1270,6 +1271,7 @@ public class LockSettingsService extends ILockSettings.Stub { } private void setKeystorePassword(byte[] password, int userHandle) { AndroidKeyStoreMaintenance.onUserPasswordChanged(userHandle, password); final KeyStore ks = KeyStore.getInstance(); // TODO(b/120484642): Update keystore to accept byte[] passwords String passwordString = password == null ? null : new String(password); Loading Loading @@ -2301,6 +2303,7 @@ public class LockSettingsService extends ILockSettings.Stub { mSpManager.removeUser(userId); mStrongAuth.removeUser(userId); AndroidKeyStoreMaintenance.onUserRemoved(userId); final KeyStore ks = KeyStore.getInstance(); ks.onUserRemoved(userId); mManagedProfilePasswordCache.removePassword(userId); Loading services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java +1 −13 Original line number Diff line number Diff line Loading @@ -18,7 +18,6 @@ package com.android.server.locksettings; import android.security.keystore.KeyProperties; import android.security.keystore.KeyProtection; import android.security.keystore2.AndroidKeyStoreProvider; import android.util.Slog; import java.io.ByteArrayOutputStream; Loading Loading @@ -141,19 +140,8 @@ public class SyntheticPasswordCrypto { } } /** * TODO This function redirects keystore access to the legacy keystore during a transitional * phase during which not all calling code has been adjusted to use Keystore 2.0. * This can be reverted to a constant of "AndroidKeyStore" when b/171305684 is complete. * The specific bug for this component is b/171305115. */ static String androidKeystoreProviderName() { if (AndroidKeyStoreProvider.isInstalled()) { return "AndroidKeyStoreLegacy"; } else { return "AndroidKeystore"; } return "AndroidKeyStore"; } public static byte[] decryptBlob(String keyAlias, byte[] blob, byte[] applicationId) { Loading Loading
Android.bp +1 −0 Original line number Diff line number Diff line Loading @@ -525,6 +525,7 @@ java_library { "android.hardware.vibrator-V1.3-java", "android.security.apc-java", "android.security.authorization-java", "android.security.usermanager-java", "android.system.keystore2-V1-java", "android.system.suspend.control.internal-java", "devicepolicyprotosnano", Loading
keystore/java/android/security/AndroidKeyStoreMaintenance.java 0 → 100644 +105 −0 Original line number Diff line number Diff line /* * Copyright (C) 2021 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package android.security; import android.annotation.NonNull; import android.annotation.Nullable; import android.os.ServiceManager; import android.os.ServiceSpecificException; import android.security.usermanager.IKeystoreUserManager; import android.system.keystore2.ResponseCode; import android.util.Log; /** * @hide This is the client side for IKeystoreUserManager AIDL. * It shall only be used by the LockSettingsService. */ public class AndroidKeyStoreMaintenance { private static final String TAG = "AndroidKeyStoreMaintenance"; public static final int SYSTEM_ERROR = ResponseCode.SYSTEM_ERROR; private static IKeystoreUserManager getService() { return IKeystoreUserManager.Stub.asInterface( ServiceManager.checkService("android.security.usermanager")); } /** * Informs keystore2 about adding a user * * @param userId - Android user id of the user being added * @return 0 if successful or a {@code ResponseCode} * @hide */ public static int onUserAdded(@NonNull int userId) { if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0; try { getService().onUserAdded(userId); return 0; } catch (ServiceSpecificException e) { Log.e(TAG, "onUserAdded failed", e); return e.errorCode; } catch (Exception e) { Log.e(TAG, "Can not connect to keystore", e); return SYSTEM_ERROR; } } /** * Informs keystore2 about removing a usergit mer * * @param userId - Android user id of the user being removed * @return 0 if successful or a {@code ResponseCode} * @hide */ public static int onUserRemoved(int userId) { if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0; try { getService().onUserRemoved(userId); return 0; } catch (ServiceSpecificException e) { Log.e(TAG, "onUserRemoved failed", e); return e.errorCode; } catch (Exception e) { Log.e(TAG, "Can not connect to keystore", e); return SYSTEM_ERROR; } } /** * Informs keystore2 about changing user's password * * @param userId - Android user id of the user * @param password - a secret derived from the synthetic password provided by the * LockSettingService * @return 0 if successful or a {@code ResponseCode} * @hide */ public static int onUserPasswordChanged(int userId, @Nullable byte[] password) { if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0; try { getService().onUserPasswordChanged(userId, password); return 0; } catch (ServiceSpecificException e) { Log.e(TAG, "onUserPasswordChanged failed", e); return e.errorCode; } catch (Exception e) { Log.e(TAG, "Can not connect to keystore", e); return SYSTEM_ERROR; } } }
services/core/java/com/android/server/locksettings/LockSettingsService.java +4 −1 Original line number Diff line number Diff line Loading @@ -89,6 +89,7 @@ import android.os.storage.StorageManager; import android.provider.Settings; import android.provider.Settings.Secure; import android.provider.Settings.SettingNotFoundException; import android.security.AndroidKeyStoreMaintenance; import android.security.Authorization; import android.security.KeyStore; import android.security.keystore.AndroidKeyStoreProvider; Loading Loading @@ -225,7 +226,6 @@ public class LockSettingsService extends ILockSettings.Stub { private final SyntheticPasswordManager mSpManager; private final KeyStore mKeyStore; private final RecoverableKeyStoreManager mRecoverableKeyStoreManager; private ManagedProfilePasswordCache mManagedProfilePasswordCache; Loading Loading @@ -803,6 +803,7 @@ public class LockSettingsService extends ILockSettings.Stub { if (Intent.ACTION_USER_ADDED.equals(intent.getAction())) { // Notify keystore that a new user was added. final int userHandle = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0); AndroidKeyStoreMaintenance.onUserAdded(userHandle); final KeyStore ks = KeyStore.getInstance(); final UserInfo parentInfo = mUserManager.getProfileParent(userHandle); final int parentHandle = parentInfo != null ? parentInfo.id : -1; Loading Loading @@ -1270,6 +1271,7 @@ public class LockSettingsService extends ILockSettings.Stub { } private void setKeystorePassword(byte[] password, int userHandle) { AndroidKeyStoreMaintenance.onUserPasswordChanged(userHandle, password); final KeyStore ks = KeyStore.getInstance(); // TODO(b/120484642): Update keystore to accept byte[] passwords String passwordString = password == null ? null : new String(password); Loading Loading @@ -2301,6 +2303,7 @@ public class LockSettingsService extends ILockSettings.Stub { mSpManager.removeUser(userId); mStrongAuth.removeUser(userId); AndroidKeyStoreMaintenance.onUserRemoved(userId); final KeyStore ks = KeyStore.getInstance(); ks.onUserRemoved(userId); mManagedProfilePasswordCache.removePassword(userId); Loading
services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java +1 −13 Original line number Diff line number Diff line Loading @@ -18,7 +18,6 @@ package com.android.server.locksettings; import android.security.keystore.KeyProperties; import android.security.keystore.KeyProtection; import android.security.keystore2.AndroidKeyStoreProvider; import android.util.Slog; import java.io.ByteArrayOutputStream; Loading Loading @@ -141,19 +140,8 @@ public class SyntheticPasswordCrypto { } } /** * TODO This function redirects keystore access to the legacy keystore during a transitional * phase during which not all calling code has been adjusted to use Keystore 2.0. * This can be reverted to a constant of "AndroidKeyStore" when b/171305684 is complete. * The specific bug for this component is b/171305115. */ static String androidKeystoreProviderName() { if (AndroidKeyStoreProvider.isInstalled()) { return "AndroidKeyStoreLegacy"; } else { return "AndroidKeystore"; } return "AndroidKeyStore"; } public static byte[] decryptBlob(String keyAlias, byte[] blob, byte[] applicationId) { Loading
