Clean up biometric system server

1) BiometricService / AuthService always need to be started, since on Android 11 and later, the public credential auth API comes through this path. 2) Consolidate getAuthenticatorId() and expose via AuthService. This is used only by the platform during key generation. Instead of asking each individual service, AuthService will return a list of IDs for sensors which are enrolled and meet the required strength. Test: atest com.android.server.biometrics Test: fingerprint device, CtsVerifier biometric section Test: face unlock device, CtsVerifier biometric section Test: remove biometrics from device, CtsVerifier biometric section Bug: 148419762 Bug: 149795050 Change-Id: I2c5385b1cd4f343fabb0010e1fe6fb1ea8283391
author: Kevin Chyn <kchyn@google.com> 2020-02-18 18:18:17 -0800
committer: Kevin Chyn <kchyn@google.com> 2020-02-20 11:12:51 -0800
commit: 7d07c892356684682fd4ba4c1382415b777e44dc (patch)
tree: cefd24bf9526262b371e9892a1e39caa7931a348 /keystore/java/android/security/KeyStore.java
parent: e49a32946f8757692dc9e8d20bca3467d4f13d73 (diff)
1 files changed, 19 insertions, 44 deletions
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
index dc57f55bb4af..9d0fe11be46b 100644
--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
@@ -21,9 +21,7 @@ import android.app.Application;
 import android.app.KeyguardManager;
 import android.compat.annotation.UnsupportedAppUsage;
 import android.content.Context;
-import android.content.pm.PackageManager;
-import android.hardware.face.FaceManager;
-import android.hardware.fingerprint.FingerprintManager;
+import android.hardware.biometrics.BiometricManager;
 import android.os.Binder;
 import android.os.Build;
 import android.os.IBinder;
@@ -1348,19 +1346,26 @@ public class KeyStore {
                     return new UserNotAuthenticatedException();
                 }
 
-                final long fingerprintOnlySid = getFingerprintOnlySid();
-                if ((fingerprintOnlySid != 0)
-                        && (keySids.contains(KeymasterArguments.toUint64(fingerprintOnlySid)))) {
-                    // One of the key's SIDs is the current fingerprint SID -- user can be
-                    // authenticated against that SID.
-                    return new UserNotAuthenticatedException();
+                final BiometricManager bm = mContext.getSystemService(BiometricManager.class);
+                long[] biometricSids = bm.getAuthenticatorIds();
+
+                // The key must contain every biometric SID. This is because the current API surface
+                // treats all biometrics (capable of keystore integration) equally. e.g. if the
+                // device has multiple keystore-capable sensors, and one of the sensor's SIDs
+                // changed, 1) there is no way for a developer to specify authentication with a
+                // specific sensor (the one that hasn't changed), and 2) currently the only
+                // signal to developers is the UserNotAuthenticatedException, which doesn't
+                // indicate a specific sensor.
+                boolean canUnlockViaBiometrics = true;
+                for (long sid : biometricSids) {
+                    if (!keySids.contains(KeymasterArguments.toUint64(sid))) {
+                        canUnlockViaBiometrics = false;
+                        break;
+                    }
                 }
 
-                final long faceOnlySid = getFaceOnlySid();
-                if ((faceOnlySid != 0)
-                        && (keySids.contains(KeymasterArguments.toUint64(faceOnlySid)))) {
-                    // One of the key's SIDs is the current face SID -- user can be
-                    // authenticated against that SID.
+                if (canUnlockViaBiometrics) {
+                    // All of the biometric SIDs are contained in the key's SIDs.
                     return new UserNotAuthenticatedException();
                 }
 
@@ -1374,36 +1379,6 @@ public class KeyStore {
         }
     }
 
-    private long getFaceOnlySid() {
-        final PackageManager packageManager = mContext.getPackageManager();
-        if (!packageManager.hasSystemFeature(PackageManager.FEATURE_FACE)) {
-            return 0;
-        }
-        FaceManager faceManager = mContext.getSystemService(FaceManager.class);
-        if (faceManager == null) {
-            return 0;
-        }
-
-        // TODO: Restore USE_BIOMETRIC or USE_BIOMETRIC_INTERNAL permission check in
-        // FaceManager.getAuthenticatorId once the ID is no longer needed here.
-        return faceManager.getAuthenticatorId();
-    }
-
-    private long getFingerprintOnlySid() {
-        final PackageManager packageManager = mContext.getPackageManager();
-        if (!packageManager.hasSystemFeature(PackageManager.FEATURE_FINGERPRINT)) {
-            return 0;
-        }
-        FingerprintManager fingerprintManager = mContext.getSystemService(FingerprintManager.class);
-        if (fingerprintManager == null) {
-            return 0;
-        }
-
-        // TODO: Restore USE_FINGERPRINT permission check in
-        // FingerprintManager.getAuthenticatorId once the ID is no longer needed here.
-        return fingerprintManager.getAuthenticatorId();
-    }
-
     /**
      * Returns an {@link InvalidKeyException} corresponding to the provided keystore/keymaster error
      * code.
author	Kevin Chyn <kchyn@google.com>	2020-02-18 18:18:17 -0800
committer	Kevin Chyn <kchyn@google.com>	2020-02-20 11:12:51 -0800
commit	7d07c892356684682fd4ba4c1382415b777e44dc (patch)
tree	cefd24bf9526262b371e9892a1e39caa7931a348 /keystore/java/android/security/KeyStore.java
parent	e49a32946f8757692dc9e8d20bca3467d4f13d73 (diff)