authorHasini Gunasinghe <hasinitg@google.com>2021-01-07 15:45:30 +0000
committerJanis Danisevskis <jdanis@google.com>2021-01-19 10:10:20 -0800
commit49e239ec9657d1f60b7654149577141cf86c5738 (patch)
tree65394fff46463df9bbe4ee52401485096d076655
parentf9c123d7da52467a18626a6f2871e5fd06349222 (diff)
Keystore 2.0: Integrate onLockScreenEvent.
This patch updates LockSettingsService and TrustManagerService to use the new Keystore 2.0 authorization api. Bug: 166672367 Test: VTS test Change-Id: I5494d7b923d33d447488a0c67ada43d1f9593861
-rw-r--r--keystore/java/android/security/Authorization.java29
-rw-r--r--services/core/java/com/android/server/locksettings/LockSettingsService.java2
-rw-r--r--services/core/java/com/android/server/trust/TrustManagerService.java7
3 files changed, 38 insertions, 0 deletions
diff --git a/keystore/java/android/security/Authorization.java b/keystore/java/android/security/Authorization.java
index 1fde2b5412ed..fcc518c374e3 100644
--- a/keystore/java/android/security/Authorization.java
+++ b/keystore/java/android/security/Authorization.java
@@ -17,11 +17,13 @@
package android.security;
import android.annotation.NonNull;
+import android.annotation.Nullable;
import android.hardware.security.keymint.HardwareAuthToken;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.ServiceSpecificException;
import android.security.authorization.IKeystoreAuthorization;
+import android.security.authorization.LockScreenEvent;
import android.system.keystore2.ResponseCode;
import android.util.Log;
@@ -75,4 +77,31 @@ public class Authorization {
return addAuthToken(AuthTokenUtils.toHardwareAuthToken(authToken));
}
+ /**
+ * Informs keystore2 about lock screen event.
+ *
+ * @param locked - whether it is a lock (true) or unlock (false) event
+ * @param syntheticPassword - if it is an unlock event with the password, pass the synthetic
+ * password provided by the LockSettingService
+ *
+ * @return 0 if successful or a {@code ResponseCode}.
+ */
+ public int onLockScreenEvent(@NonNull boolean locked, @NonNull int userId,
+ @Nullable byte[] syntheticPassword) {
+ if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0;
+ try {
+ if (locked) {
+ getService().onLockScreenEvent(LockScreenEvent.LOCK, userId, null);
+ } else {
+ getService().onLockScreenEvent(LockScreenEvent.UNLOCK, userId, syntheticPassword);
+ }
+ return 0;
+ } catch (RemoteException e) {
+ Log.w(TAG, "Can not connect to keystore", e);
+ return SYSTEM_ERROR;
+ } catch (ServiceSpecificException e) {
+ return e.errorCode;
+ }
+ }
+
}
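Review bot: `@NonNull` is applied to two primitives in the new `onLockScreenEvent` signature, `boolean locked` and `int userId`; a primitive can never be null, so the annotations carry no meaning and should be dropped: `public int onLockScreenEvent(boolean locked, int userId, @Nullable byte[] syntheticPassword)`. The Javadoc also omits the second parameter; add `@param userId - the Android user the lock screen event applies to`. It is worth stating in the `@return` text that the method reports 0 without contacting keystore2 at all when `AndroidKeyStoreProvider.isInstalled()` is false, since callers cannot otherwise tell a delivered event from a skipped one.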
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java
index d003b89e8877..c005af4e9696 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -89,6 +89,7 @@ import android.os.storage.StorageManager;
import android.provider.Settings;
import android.provider.Settings.Secure;
import android.provider.Settings.SettingNotFoundException;
+import android.security.Authorization;
import android.security.KeyStore;
import android.security.keystore.AndroidKeyStoreProvider;
import android.security.keystore.KeyProperties;
@@ -1272,6 +1273,7 @@ public class LockSettingsService extends ILockSettings.Stub {
private void unlockKeystore(byte[] password, int userHandle) {
if (DEBUG) Slog.v(TAG, "Unlock keystore for user: " + userHandle);
+ new Authorization().onLockScreenEvent(false, userHandle, password);
// TODO(b/120484642): Update keystore to accept byte[] passwords
String passwordString = password == null ? null : new String(password);
final KeyStore ks = KeyStore.getInstance();
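Review bot: The int returned by `new Authorization().onLockScreenEvent(false, userHandle, password)` is discarded, so a failed delivery of the unlock (SYSTEM_ERROR on a binder failure, or a ResponseCode from keystore2) leaves no trace and the user's keystore2 keys may stay locked with nothing in the log to diagnose it. Capture and report it, taking care never to include the password itself: `int rc = new Authorization().onLockScreenEvent(false, userHandle, password);` followed by `if (rc != 0) Slog.w(TAG, "keystore2 unlock failed for user " + userHandle + ", code " + rc);`. TrustManagerService keeps a single `Authorization` instance in a field; doing the same here rather than constructing one per call would keep the two callers consistent. `unlockKeystore` continues past the end of this hunk.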
diff --git a/services/core/java/com/android/server/trust/TrustManagerService.java b/services/core/java/com/android/server/trust/TrustManagerService.java
index 25cd6416d9c8..75277d1c338d 100644
--- a/services/core/java/com/android/server/trust/TrustManagerService.java
+++ b/services/core/java/com/android/server/trust/TrustManagerService.java
@@ -53,6 +53,7 @@ import android.os.SystemClock;
import android.os.UserHandle;
import android.os.UserManager;
import android.provider.Settings;
+import android.security.Authorization;
import android.security.KeyStore;
import android.service.trust.TrustAgentService;
import android.text.TextUtils;
@@ -185,6 +186,8 @@ public class TrustManagerService extends SystemService {
private boolean mTrustAgentsCanRun = false;
private int mCurrentUser = UserHandle.USER_SYSTEM;
+ private Authorization mAuthorizationService;
+
public TrustManagerService(Context context) {
super(context);
mContext = context;
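Review bot: `mAuthorizationService` is assigned exactly once, in the constructor, and nothing in the visible hunks reassigns it, so declare it `private final Authorization mAuthorizationService;` and let the compiler enforce that. The `TrustManagerService` constructor that begins on this hunk's last line continues outside the hunk.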
@@ -194,6 +197,7 @@ public class TrustManagerService extends SystemService {
mStrongAuthTracker = new StrongAuthTracker(context);
mAlarmManager = (AlarmManager) mContext.getSystemService(Context.ALARM_SERVICE);
mSettingsObserver = new SettingsObserver(mHandler);
+ mAuthorizationService = new Authorization();
}
@Override
@@ -696,11 +700,13 @@ public class TrustManagerService extends SystemService {
if (changed) {
dispatchDeviceLocked(userId, locked);
+ mAuthorizationService.onLockScreenEvent(locked, userId, null);
KeyStore.getInstance().onUserLockedStateChanged(userId, locked);
// Also update the user's profiles who have unified challenge, since they
// share the same unlocked state (see {@link #isDeviceLocked(int)})
for (int profileHandle : mUserManager.getEnabledProfileIds(userId)) {
if (mLockPatternUtils.isManagedProfileWithUnifiedChallenge(profileHandle)) {
+ mAuthorizationService.onLockScreenEvent(locked, profileHandle, null);
KeyStore.getInstance().onUserLockedStateChanged(profileHandle, locked);
}
}
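Review bot: Both new `mAuthorizationService.onLockScreenEvent(locked, ..., null)` calls ignore the int the method returns, and for the `locked == true` direction that is the security-relevant case: if keystore2 never learns that the device locked, keys whose authorization presumably depends on the unlocked state stay usable until the next successful event, and nothing records that the notification was lost. Check the result of each call and warn on a non-zero code through the class's existing logger, e.g. `int rc = mAuthorizationService.onLockScreenEvent(locked, userId, null);` then `if (rc != 0) Log.w(TAG, "keystore2 lock event failed for user " + userId + ", code " + rc);`, and the same for `profileHandle`. The enclosing method starts and ends outside this hunk.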
@@ -1252,6 +1258,7 @@ public class TrustManagerService extends SystemService {
mDeviceLockedForUser.put(userId, locked);
}
+ mAuthorizationService.onLockScreenEvent(locked, userId, null);
KeyStore.getInstance().onUserLockedStateChanged(userId, locked);
if (locked) {