Loading keystore/java/android/security/KeyStore.java +5 −13 Original line number Diff line number Diff line Loading @@ -108,15 +108,10 @@ public class KeyStore { } public static Context getApplicationContext() { ActivityThread activityThread = ActivityThread.currentActivityThread(); if (activityThread == null) { throw new IllegalStateException( "Failed to obtain application Context: no ActivityThread"); } Application application = activityThread.getApplication(); Application application = ActivityThread.currentApplication(); if (application == null) { throw new IllegalStateException( "Failed to obtain application Context: no Application"); "Failed to obtain application Context from ActivityThread"); } return application; } Loading Loading @@ -698,16 +693,13 @@ public class KeyStore { } private long getFingerprintOnlySid() { FingerprintManager fingerprintManager = mContext.getSystemService(FingerprintManager.class); FingerprintManager fingerprintManager = mContext.getSystemService(FingerprintManager.class); if (fingerprintManager == null) { return 0; } if (!fingerprintManager.isHardwareDetected()) { return 0; } // TODO: Restore USE_FINGERPRINT permission check in // FingerprintManager.getAuthenticatorId once the ID is no longer needed here. return fingerprintManager.getAuthenticatorId(); } Loading keystore/java/android/security/keystore/KeymasterUtils.java +4 −7 Original line number Diff line number Diff line Loading @@ -101,13 +101,10 @@ public abstract class KeymasterUtils { // fingerprint-only auth. FingerprintManager fingerprintManager = KeyStore.getApplicationContext().getSystemService(FingerprintManager.class); if ((fingerprintManager == null) || (!fingerprintManager.isHardwareDetected())) { throw new IllegalStateException( "This device does not support keys which require authentication for every" + " use -- this requires fingerprint authentication which is not" + " available on this device"); } long fingerprintOnlySid = fingerprintManager.getAuthenticatorId(); // TODO: Restore USE_FINGERPRINT permission check in // FingerprintManager.getAuthenticatorId once the ID is no longer needed here. long fingerprintOnlySid = (fingerprintManager != null) ? fingerprintManager.getAuthenticatorId() : 0; if (fingerprintOnlySid == 0) { throw new IllegalStateException( "At least one fingerprint must be enrolled to create keys requiring user" Loading services/core/java/com/android/server/fingerprint/FingerprintService.java +16 −3 Original line number Diff line number Diff line Loading @@ -706,9 +706,22 @@ public class FingerprintService extends SystemService implements IBinder.DeathRe @Override // Binder call public long getAuthenticatorId(String opPackageName) { if (!canUseFingerprint(opPackageName)) { return 0; } // In this method, we're not checking whether the caller is permitted to use fingerprint // API because current authenticator ID is leaked (in a more contrived way) via Android // Keystore (android.security.keystore package): the user of that API can create a key // which requires fingerprint authentication for its use, and then query the key's // characteristics (hidden API) which returns, among other things, fingerprint // authenticator ID which was active at key creation time. // // Reason: The part of Android Keystore which runs inside an app's process invokes this // method in certain cases. Those cases are not always where the developer demonstrates // explicit intent to use fingerprint functionality. Thus, to avoiding throwing an // unexpected SecurityException this method does not check whether its caller is // permitted to use fingerprint API. // // The permission check should be restored once Android Keystore no longer invokes this // method from inside app processes. return FingerprintService.this.getAuthenticatorId(); } } Loading Loading
keystore/java/android/security/KeyStore.java +5 −13 Original line number Diff line number Diff line Loading @@ -108,15 +108,10 @@ public class KeyStore { } public static Context getApplicationContext() { ActivityThread activityThread = ActivityThread.currentActivityThread(); if (activityThread == null) { throw new IllegalStateException( "Failed to obtain application Context: no ActivityThread"); } Application application = activityThread.getApplication(); Application application = ActivityThread.currentApplication(); if (application == null) { throw new IllegalStateException( "Failed to obtain application Context: no Application"); "Failed to obtain application Context from ActivityThread"); } return application; } Loading Loading @@ -698,16 +693,13 @@ public class KeyStore { } private long getFingerprintOnlySid() { FingerprintManager fingerprintManager = mContext.getSystemService(FingerprintManager.class); FingerprintManager fingerprintManager = mContext.getSystemService(FingerprintManager.class); if (fingerprintManager == null) { return 0; } if (!fingerprintManager.isHardwareDetected()) { return 0; } // TODO: Restore USE_FINGERPRINT permission check in // FingerprintManager.getAuthenticatorId once the ID is no longer needed here. return fingerprintManager.getAuthenticatorId(); } Loading
keystore/java/android/security/keystore/KeymasterUtils.java +4 −7 Original line number Diff line number Diff line Loading @@ -101,13 +101,10 @@ public abstract class KeymasterUtils { // fingerprint-only auth. FingerprintManager fingerprintManager = KeyStore.getApplicationContext().getSystemService(FingerprintManager.class); if ((fingerprintManager == null) || (!fingerprintManager.isHardwareDetected())) { throw new IllegalStateException( "This device does not support keys which require authentication for every" + " use -- this requires fingerprint authentication which is not" + " available on this device"); } long fingerprintOnlySid = fingerprintManager.getAuthenticatorId(); // TODO: Restore USE_FINGERPRINT permission check in // FingerprintManager.getAuthenticatorId once the ID is no longer needed here. long fingerprintOnlySid = (fingerprintManager != null) ? fingerprintManager.getAuthenticatorId() : 0; if (fingerprintOnlySid == 0) { throw new IllegalStateException( "At least one fingerprint must be enrolled to create keys requiring user" Loading
services/core/java/com/android/server/fingerprint/FingerprintService.java +16 −3 Original line number Diff line number Diff line Loading @@ -706,9 +706,22 @@ public class FingerprintService extends SystemService implements IBinder.DeathRe @Override // Binder call public long getAuthenticatorId(String opPackageName) { if (!canUseFingerprint(opPackageName)) { return 0; } // In this method, we're not checking whether the caller is permitted to use fingerprint // API because current authenticator ID is leaked (in a more contrived way) via Android // Keystore (android.security.keystore package): the user of that API can create a key // which requires fingerprint authentication for its use, and then query the key's // characteristics (hidden API) which returns, among other things, fingerprint // authenticator ID which was active at key creation time. // // Reason: The part of Android Keystore which runs inside an app's process invokes this // method in certain cases. Those cases are not always where the developer demonstrates // explicit intent to use fingerprint functionality. Thus, to avoiding throwing an // unexpected SecurityException this method does not check whether its caller is // permitted to use fingerprint API. // // The permission check should be restored once Android Keystore no longer invokes this // method from inside app processes. return FingerprintService.this.getAuthenticatorId(); } } Loading
