
Commit cdf4b286 authored by Kevin Chyn's avatar Kevin Chyn

3/n: Remove challenge from verifyCredential

Decouples the remainder of challenges from LockSettingsService.
Clients that require Gatekeeper HATs that wrap challenges should
request the Gatekeeper Password, then request LockSettingsService
to verify(GatekeeperPassword, Challenge). If the challenge is
biometric-related, it must be generated after LockSettingsService
completes verifyCredential, since LockSettingsService internally
does generateChallenge/resetLockout/revokeChallenge.

Bug: 161765592
Test: CtsVerifier biometric portion
Test: Reset fingerprint/face lockout
Test: atest com.android.server.locksettings

Change-Id: Icb384194ce5007b264068e697113d55cbf94945b
parent 6e6a735e
+3 −3
@@ -1073,12 +1073,12 @@ public class FaceManager implements BiometricAuthenticator, BiometricFaceConstan
    /**
    /**
     * @hide
     * @hide
     */
     */
    public abstract static class GenerateChallengeCallback {
    public interface GenerateChallengeCallback {
        public abstract void onGenerateChallengeResult(long challenge);
        void onGenerateChallengeResult(long challenge);
    }
    }


    private abstract static class InternalGenerateChallengeCallback
    private abstract static class InternalGenerateChallengeCallback
            extends GenerateChallengeCallback {}
            implements GenerateChallengeCallback {}


    private class OnEnrollCancelListener implements OnCancelListener {
    private class OnEnrollCancelListener implements OnCancelListener {
        @Override
        @Override
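Review bot: `InternalGenerateChallengeCallback` is left as an empty `private abstract static class` that only implements the new interface, so it adds nothing over a direct implementation of `GenerateChallengeCallback`. If it is kept as a marker for callbacks created inside FaceManager, a one-line comment saying so would help, e.g. `// Marker base for callbacks created internally by FaceManager.`; otherwise it could be dropped. Its uses are outside this hunk, so whether removal is safe cannot be confirmed from here.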
+2 −2
@@ -47,8 +47,8 @@ interface ILockSettings {
    void resetKeyStore(int userId);
    void resetKeyStore(int userId);
    VerifyCredentialResponse checkCredential(in LockscreenCredential credential, int userId,
    VerifyCredentialResponse checkCredential(in LockscreenCredential credential, int userId,
            in ICheckCredentialProgressCallback progressCallback);
            in ICheckCredentialProgressCallback progressCallback);
    VerifyCredentialResponse verifyCredential(in LockscreenCredential credential, long challenge, int userId, int flags);
    VerifyCredentialResponse verifyCredential(in LockscreenCredential credential, int userId, int flags);
    VerifyCredentialResponse verifyTiedProfileChallenge(in LockscreenCredential credential, long challenge, int userId, int flags);
    VerifyCredentialResponse verifyTiedProfileChallenge(in LockscreenCredential credential, int userId, int flags);
    VerifyCredentialResponse verifyGatekeeperPassword(in byte[] gatekeeperPassword, long challenge, int userId);
    VerifyCredentialResponse verifyGatekeeperPassword(in byte[] gatekeeperPassword, long challenge, int userId);
    boolean checkVoldPassword(int userId);
    boolean checkVoldPassword(int userId);
    int getCredentialType(int userId);
    int getCredentialType(int userId);
+2 −6
@@ -54,14 +54,12 @@ public final class LockPatternChecker {
     *
     *
     * @param utils The LockPatternUtils instance to use.
     * @param utils The LockPatternUtils instance to use.
     * @param credential The credential to check.
     * @param credential The credential to check.
     * @param challenge The challenge to verify against the credential.
     * @param userId The user to check against the credential.
     * @param userId The user to check against the credential.
     * @param flags See {@link LockPatternUtils.VerifyFlag}
     * @param flags See {@link LockPatternUtils.VerifyFlag}
     * @param callback The callback to be invoked with the verification result.
     * @param callback The callback to be invoked with the verification result.
     */
     */
    public static AsyncTask<?, ?, ?> verifyCredential(final LockPatternUtils utils,
    public static AsyncTask<?, ?, ?> verifyCredential(final LockPatternUtils utils,
            final LockscreenCredential credential,
            final LockscreenCredential credential,
            final long challenge,
            final int userId,
            final int userId,
            final @LockPatternUtils.VerifyFlag int flags,
            final @LockPatternUtils.VerifyFlag int flags,
            final OnVerifyCallback callback) {
            final OnVerifyCallback callback) {
@@ -71,7 +69,7 @@ public final class LockPatternChecker {
                new AsyncTask<Void, Void, VerifyCredentialResponse>() {
                new AsyncTask<Void, Void, VerifyCredentialResponse>() {
            @Override
            @Override
            protected VerifyCredentialResponse doInBackground(Void... args) {
            protected VerifyCredentialResponse doInBackground(Void... args) {
                return utils.verifyCredential(credentialCopy, challenge, userId, flags);
                return utils.verifyCredential(credentialCopy, userId, flags);
            }
            }


            @Override
            @Override
@@ -138,14 +136,12 @@ public final class LockPatternChecker {
     *
     *
     * @param utils The LockPatternUtils instance to use.
     * @param utils The LockPatternUtils instance to use.
     * @param credential The credential to check.
     * @param credential The credential to check.
     * @param challenge The challenge to verify against the credential.
     * @param userId The user to check against the credential.
     * @param userId The user to check against the credential.
     * @param flags See {@link LockPatternUtils.VerifyFlag}
     * @param flags See {@link LockPatternUtils.VerifyFlag}
     * @param callback The callback to be invoked with the verification result.
     * @param callback The callback to be invoked with the verification result.
     */
     */
    public static AsyncTask<?, ?, ?> verifyTiedProfileChallenge(final LockPatternUtils utils,
    public static AsyncTask<?, ?, ?> verifyTiedProfileChallenge(final LockPatternUtils utils,
            final LockscreenCredential credential,
            final LockscreenCredential credential,
            final long challenge,
            final int userId,
            final int userId,
            final @LockPatternUtils.VerifyFlag int flags,
            final @LockPatternUtils.VerifyFlag int flags,
            final OnVerifyCallback callback) {
            final OnVerifyCallback callback) {
@@ -155,7 +151,7 @@ public final class LockPatternChecker {
                new AsyncTask<Void, Void, VerifyCredentialResponse>() {
                new AsyncTask<Void, Void, VerifyCredentialResponse>() {
            @Override
            @Override
            protected VerifyCredentialResponse doInBackground(Void... args) {
            protected VerifyCredentialResponse doInBackground(Void... args) {
                return utils.verifyTiedProfileChallenge(credentialCopy, challenge, userId, flags);
                return utils.verifyTiedProfileChallenge(credentialCopy, userId, flags);
            }
            }


            @Override
            @Override
+6 −9
@@ -386,18 +386,17 @@ public class LockPatternUtils {
     * If credential matches, return an opaque attestation that the challenge was verified.
     * If credential matches, return an opaque attestation that the challenge was verified.
     *
     *
     * @param credential The credential to check.
     * @param credential The credential to check.
     * @param challenge The challenge to verify against the credential
     * @param userId The user whose credential is being verified
     * @param userId The user whose credential is being verified
     * @param flags See {@link VerifyFlag}
     * @param flags See {@link VerifyFlag}
     * @throws IllegalStateException if called on the main thread.
     * @throws IllegalStateException if called on the main thread.
     */
     */
    @NonNull
    @NonNull
    public VerifyCredentialResponse verifyCredential(@NonNull LockscreenCredential credential,
    public VerifyCredentialResponse verifyCredential(@NonNull LockscreenCredential credential,
            long challenge, int userId, @VerifyFlag int flags) {
            int userId, @VerifyFlag int flags) {
        throwIfCalledOnMainThread();
        throwIfCalledOnMainThread();
        try {
        try {
            final VerifyCredentialResponse response = getLockSettings().verifyCredential(
            final VerifyCredentialResponse response = getLockSettings().verifyCredential(
                    credential, challenge, userId, flags);
                    credential, userId, flags);
            if (response == null) {
            if (response == null) {
                return VerifyCredentialResponse.ERROR;
                return VerifyCredentialResponse.ERROR;
            } else {
            } else {
@@ -411,8 +410,8 @@ public class LockPatternUtils {


    /**
    /**
     * With the Gatekeeper Password returned via {@link #verifyCredential(LockscreenCredential,
     * With the Gatekeeper Password returned via {@link #verifyCredential(LockscreenCredential,
     * long, int, boolean)}, request Gatekeeper to create a HardwareAuthToken wrapping the
     * int, int)}, request Gatekeeper to create a HardwareAuthToken wrapping the given
     * given challenge.
     * challenge.
     */
     */
    @NonNull
    @NonNull
    public VerifyCredentialResponse verifyGatekeeperPassword(@NonNull byte[] gatekeeperPassword,
    public VerifyCredentialResponse verifyGatekeeperPassword(@NonNull byte[] gatekeeperPassword,
@@ -470,7 +469,6 @@ public class LockPatternUtils {
     * verified.
     * verified.
     *
     *
     * @param credential The parent user's credential to check.
     * @param credential The parent user's credential to check.
     * @param challenge The challenge to verify against the credential
     * @return the attestation that the challenge was verified, or null
     * @return the attestation that the challenge was verified, or null
     * @param userId The managed profile user id
     * @param userId The managed profile user id
     * @param flags See {@link VerifyFlag}
     * @param flags See {@link VerifyFlag}
@@ -478,12 +476,11 @@ public class LockPatternUtils {
     */
     */
    @NonNull
    @NonNull
    public VerifyCredentialResponse verifyTiedProfileChallenge(
    public VerifyCredentialResponse verifyTiedProfileChallenge(
            @NonNull LockscreenCredential credential,
            @NonNull LockscreenCredential credential, int userId, @VerifyFlag int flags) {
            long challenge, int userId, @VerifyFlag int flags) {
        throwIfCalledOnMainThread();
        throwIfCalledOnMainThread();
        try {
        try {
            final VerifyCredentialResponse response = getLockSettings()
            final VerifyCredentialResponse response = getLockSettings()
                    .verifyTiedProfileChallenge(credential, challenge, userId, flags);
                    .verifyTiedProfileChallenge(credential, userId, flags);
            if (response == null) {
            if (response == null) {
                return VerifyCredentialResponse.ERROR;
                return VerifyCredentialResponse.ERROR;
            } else {
            } else {
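Review bot: The Javadoc summary on `verifyCredential` still says it returns "an opaque attestation that the challenge was verified" although the method no longer takes a challenge, and the `@return` on `verifyTiedProfileChallenge` still promises "or null" on a `@NonNull` method whose visible body returns `VerifyCredentialResponse.ERROR` instead. Suggest rewording the summary along the lines of `If the credential matches, return the verification response; a HardwareAuthToken wrapping a challenge must be requested separately via verifyGatekeeperPassword.` and correcting the `@return`. The ordering rule from the commit message also belongs in this Javadoc: a biometric challenge must be generated only after `verifyCredential` completes, because LockSettingsService internally generates and revokes a challenge. It is currently stated only in the commit description, and a caller that gets the order wrong would presumably request a token over a challenge that has already been revoked. Both method bodies continue past the hunks.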
+5 −1
@@ -28,6 +28,7 @@ import android.widget.ImeAwareEditText;
import android.widget.TextView;
import android.widget.TextView;


import com.android.internal.widget.LockPatternChecker;
import com.android.internal.widget.LockPatternChecker;
import com.android.internal.widget.LockPatternUtils;
import com.android.internal.widget.LockscreenCredential;
import com.android.internal.widget.LockscreenCredential;
import com.android.internal.widget.VerifyCredentialResponse;
import com.android.internal.widget.VerifyCredentialResponse;
import com.android.systemui.R;
import com.android.systemui.R;
@@ -106,8 +107,11 @@ public class AuthCredentialPasswordView extends AuthCredentialView
                return;
                return;
            }
            }


            // Request LockSettingsService to return the Gatekeeper Password in the
            // VerifyCredentialResponse so that we can request a Gatekeeper HAT with the
            // Gatekeeper Password and operationId.
            mPendingLockCheck = LockPatternChecker.verifyCredential(mLockPatternUtils,
            mPendingLockCheck = LockPatternChecker.verifyCredential(mLockPatternUtils,
                    password, mOperationId, mEffectiveUserId, 0 /* flags */,
                    password, mEffectiveUserId, LockPatternUtils.VERIFY_FLAG_RETURN_GK_PW,
                    this::onCredentialVerified);
                    this::onCredentialVerified);
        }
        }
    }
    }
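Review bot: Passing `LockPatternUtils.VERIFY_FLAG_RETURN_GK_PW` means the Gatekeeper Password now comes back into this process inside the `VerifyCredentialResponse`, and nothing in this hunk shows it being cleared after use. `onCredentialVerified` is outside the hunk, so confirm that it exchanges the password for a HAT over `mOperationId` via `verifyGatekeeperPassword` and then zeroes the array, e.g. `Arrays.fill(gatekeeperPassword, (byte) 0);`, rather than leaving it reachable until garbage collection. The added comment could also state that the token is not bound to `mOperationId` until that second call, since `mOperationId` is no longer passed here. The enclosing method begins before the hunk.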