diff options
4 files changed, 111 insertions, 14 deletions
diff --git a/Android.bp b/Android.bp index 4f248d9d5c96..88ed676aae69 100644 --- a/Android.bp +++ b/Android.bp @@ -525,6 +525,7 @@ java_library { "android.hardware.vibrator-V1.3-java", "android.security.apc-java", "android.security.authorization-java", + "android.security.usermanager-java", "android.system.keystore2-V1-java", "android.system.suspend.control.internal-java", "devicepolicyprotosnano", diff --git a/keystore/java/android/security/AndroidKeyStoreMaintenance.java b/keystore/java/android/security/AndroidKeyStoreMaintenance.java new file mode 100644 index 000000000000..c81c8c54d88a --- /dev/null +++ b/keystore/java/android/security/AndroidKeyStoreMaintenance.java @@ -0,0 +1,105 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.security; + +import android.annotation.NonNull; +import android.annotation.Nullable; +import android.os.ServiceManager; +import android.os.ServiceSpecificException; +import android.security.usermanager.IKeystoreUserManager; +import android.system.keystore2.ResponseCode; +import android.util.Log; + +/** + * @hide This is the client side for IKeystoreUserManager AIDL. + * It shall only be used by the LockSettingsService. + */ +public class AndroidKeyStoreMaintenance { + private static final String TAG = "AndroidKeyStoreMaintenance"; + + public static final int SYSTEM_ERROR = ResponseCode.SYSTEM_ERROR; + + private static IKeystoreUserManager getService() { + return IKeystoreUserManager.Stub.asInterface( + ServiceManager.checkService("android.security.usermanager")); + } + + /** + * Informs keystore2 about adding a user + * + * @param userId - Android user id of the user being added + * @return 0 if successful or a {@code ResponseCode} + * @hide + */ + public static int onUserAdded(@NonNull int userId) { + if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0; + try { + getService().onUserAdded(userId); + return 0; + } catch (ServiceSpecificException e) { + Log.e(TAG, "onUserAdded failed", e); + return e.errorCode; + } catch (Exception e) { + Log.e(TAG, "Can not connect to keystore", e); + return SYSTEM_ERROR; + } + } + + /** + * Informs keystore2 about removing a usergit mer + * + * @param userId - Android user id of the user being removed + * @return 0 if successful or a {@code ResponseCode} + * @hide + */ + public static int onUserRemoved(int userId) { + if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0; + try { + getService().onUserRemoved(userId); + return 0; + } catch (ServiceSpecificException e) { + Log.e(TAG, "onUserRemoved failed", e); + return e.errorCode; + } catch (Exception e) { + Log.e(TAG, "Can not connect to keystore", e); + return SYSTEM_ERROR; + } + } + + /** + * Informs keystore2 about changing user's password + * + * @param userId - Android user id of the user + * @param password - a secret derived from the synthetic password provided by the + * LockSettingService + * @return 0 if successful or a {@code ResponseCode} + * @hide + */ + public static int onUserPasswordChanged(int userId, @Nullable byte[] password) { + if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0; + try { + getService().onUserPasswordChanged(userId, password); + return 0; + } catch (ServiceSpecificException e) { + Log.e(TAG, "onUserPasswordChanged failed", e); + return e.errorCode; + } catch (Exception e) { + Log.e(TAG, "Can not connect to keystore", e); + return SYSTEM_ERROR; + } + } +} diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java index a589fedaec72..86cf9b5ae874 100644 --- a/services/core/java/com/android/server/locksettings/LockSettingsService.java +++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java @@ -89,6 +89,7 @@ import android.os.storage.StorageManager; import android.provider.Settings; import android.provider.Settings.Secure; import android.provider.Settings.SettingNotFoundException; +import android.security.AndroidKeyStoreMaintenance; import android.security.Authorization; import android.security.KeyStore; import android.security.keystore.AndroidKeyStoreProvider; @@ -225,7 +226,6 @@ public class LockSettingsService extends ILockSettings.Stub { private final SyntheticPasswordManager mSpManager; private final KeyStore mKeyStore; - private final RecoverableKeyStoreManager mRecoverableKeyStoreManager; private ManagedProfilePasswordCache mManagedProfilePasswordCache; @@ -803,6 +803,7 @@ public class LockSettingsService extends ILockSettings.Stub { if (Intent.ACTION_USER_ADDED.equals(intent.getAction())) { // Notify keystore that a new user was added. final int userHandle = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0); + AndroidKeyStoreMaintenance.onUserAdded(userHandle); final KeyStore ks = KeyStore.getInstance(); final UserInfo parentInfo = mUserManager.getProfileParent(userHandle); final int parentHandle = parentInfo != null ? parentInfo.id : -1; @@ -1270,6 +1271,7 @@ public class LockSettingsService extends ILockSettings.Stub { } private void setKeystorePassword(byte[] password, int userHandle) { + AndroidKeyStoreMaintenance.onUserPasswordChanged(userHandle, password); final KeyStore ks = KeyStore.getInstance(); // TODO(b/120484642): Update keystore to accept byte[] passwords String passwordString = password == null ? null : new String(password); @@ -2301,6 +2303,7 @@ public class LockSettingsService extends ILockSettings.Stub { mSpManager.removeUser(userId); mStrongAuth.removeUser(userId); + AndroidKeyStoreMaintenance.onUserRemoved(userId); final KeyStore ks = KeyStore.getInstance(); ks.onUserRemoved(userId); mManagedProfilePasswordCache.removePassword(userId); diff --git a/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java b/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java index 6d420a95e26c..35e6489debcf 100644 --- a/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java +++ b/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java @@ -18,7 +18,6 @@ package com.android.server.locksettings; import android.security.keystore.KeyProperties; import android.security.keystore.KeyProtection; -import android.security.keystore2.AndroidKeyStoreProvider; import android.util.Slog; import java.io.ByteArrayOutputStream; @@ -141,19 +140,8 @@ public class SyntheticPasswordCrypto { } } - /** - * TODO This function redirects keystore access to the legacy keystore during a transitional - * phase during which not all calling code has been adjusted to use Keystore 2.0. - * This can be reverted to a constant of "AndroidKeyStore" when b/171305684 is complete. - * The specific bug for this component is b/171305115. - */ static String androidKeystoreProviderName() { - if (AndroidKeyStoreProvider.isInstalled()) { - return "AndroidKeyStoreLegacy"; - } else { - return "AndroidKeystore"; - } - + return "AndroidKeyStore"; } public static byte[] decryptBlob(String keyAlias, byte[] blob, byte[] applicationId) { |