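--- a/services/core/java/com/android/server/LockSettingsService.java
+++ b/services/core/java/com/android/server/LockSettingsService.java
@@ -245,13 +245,16 @@ public class LockSettingsService extends ILockSettings.Stub {
 try {
 randomLockSeed = SecureRandom.getInstance("SHA1PRNG").generateSeed(40);
 String newPassword = String.valueOf(HexEncoding.encode(randomLockSeed));
-tieProfileLockToParent(managedUserId, newPassword);
 setLockPasswordInternal(newPassword, managedUserPassword, managedUserId);
 // We store a private credential for the managed user that's unlocked by the primary
 // account holder's credential. As such, the user will never be prompted to enter this
 // password directly, so we always store a password.
 setLong(LockPatternUtils.PASSWORD_TYPE_KEY,
 DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC, managedUserId);
+tieProfileLockToParent(managedUserId, newPassword);
+} catch (KeyStoreException e) {
+// Bug: 32490092
+Slog.e(TAG, "Not able to set keys to keystore", e);
 } catch (NoSuchAlgorithmException | RemoteException e) {
 Slog.e(TAG, "Fail to tie managed profile", e);
 // Nothing client can do to fix this issue, so we do not throw exception out
@@ -772,6 +775,7 @@ public class LockSettingsService extends ILockSettings.Stub {
 }
 
 private void unlockChildProfile(int profileHandle) throws RemoteException {
+if (DEBUG) Slog.v(TAG, "Unlock child profile");
 try {
 doVerifyPassword(getDecryptedPasswordForTiedProfile(profileHandle), false,
 0 /* no challenge */, profileHandle, null /* progressCallback */);
@@ -1031,7 +1035,7 @@ public class LockSettingsService extends ILockSettings.Stub {
 }
 }
 
-private void tieProfileLockToParent(int userId, String password) {
+private void tieProfileLockToParent(int userId, String password) throws KeyStoreException {
 if (DEBUG) Slog.v(TAG, "tieProfileLockToParent for user: " + userId);
 byte[] randomLockSeed = password.getBytes(StandardCharsets.UTF_8);
 byte[] encryptionResult;
@@ -1073,7 +1077,7 @@ public class LockSettingsService extends ILockSettings.Stub {
 keyStore.deleteEntry(LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + userId);
 }
 } catch (CertificateException | UnrecoverableKeyException
-| IOException | BadPaddingException | IllegalBlockSizeException | KeyStoreException
+| IOException | BadPaddingException | IllegalBlockSizeException
 | NoSuchPaddingException | NoSuchAlgorithmException | InvalidKeyException e) {
 throw new RuntimeException("Failed to encrypt key", e);
 }
@@ -1215,7 +1219,11 @@ public class LockSettingsService extends ILockSettings.Stub {
 } finally {
 if (managedUserId != -1 && managedUserDecryptedPassword != null) {
 if (DEBUG) Slog.v(TAG, "Restore tied profile lock");
-tieProfileLockToParent(managedUserId, managedUserDecryptedPassword);
+try {
+tieProfileLockToParent(managedUserId, managedUserDecryptedPassword);
+} catch (KeyStoreException e) {
+throw new RuntimeException("Failed to tie profile lock", e);
+}
 }
 }
 }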
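Review bot: The new `catch (KeyStoreException e)` in the first hunk only logs, yet by that point `setLockPasswordInternal(newPassword, ...)` has already run, so a keystore failure appears to leave the managed profile locked with a random credential whose encrypted copy was never stored. The bodies of `setLockPasswordInternal` and `tieProfileLockToParent` are mostly outside the visible hunks, so this should be confirmed, but either the profile credential should be rolled back in that catch or a comment should state the consequence, e.g. `// Profile credential is already set here; without the keystore entry it cannot be decrypted later`. The last hunk has the opposite problem: `throw new RuntimeException("Failed to tie profile lock", e);` inside `finally` replaces any exception already propagating from the `try` body, which is not visible here. The two call sites now handle the same failure differently (log and continue versus crash), and neither choice is explained beyond the bare `// Bug: 32490092`.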