diff options
Diffstat (limited to 'keystore/java/android/security/KeyStore.java')
| -rw-r--r-- | keystore/java/android/security/KeyStore.java | 63 |
1 files changed, 19 insertions, 44 deletions
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java index dc57f55bb4af..9d0fe11be46b 100644 --- a/keystore/java/android/security/KeyStore.java +++ b/keystore/java/android/security/KeyStore.java @@ -21,9 +21,7 @@ import android.app.Application; import android.app.KeyguardManager; import android.compat.annotation.UnsupportedAppUsage; import android.content.Context; -import android.content.pm.PackageManager; -import android.hardware.face.FaceManager; -import android.hardware.fingerprint.FingerprintManager; +import android.hardware.biometrics.BiometricManager; import android.os.Binder; import android.os.Build; import android.os.IBinder; @@ -1348,19 +1346,26 @@ public class KeyStore { return new UserNotAuthenticatedException(); } - final long fingerprintOnlySid = getFingerprintOnlySid(); - if ((fingerprintOnlySid != 0) - && (keySids.contains(KeymasterArguments.toUint64(fingerprintOnlySid)))) { - // One of the key's SIDs is the current fingerprint SID -- user can be - // authenticated against that SID. - return new UserNotAuthenticatedException(); + final BiometricManager bm = mContext.getSystemService(BiometricManager.class); + long[] biometricSids = bm.getAuthenticatorIds(); + + // The key must contain every biometric SID. This is because the current API surface + // treats all biometrics (capable of keystore integration) equally. e.g. if the + // device has multiple keystore-capable sensors, and one of the sensor's SIDs + // changed, 1) there is no way for a developer to specify authentication with a + // specific sensor (the one that hasn't changed), and 2) currently the only + // signal to developers is the UserNotAuthenticatedException, which doesn't + // indicate a specific sensor. + boolean canUnlockViaBiometrics = true; + for (long sid : biometricSids) { + if (!keySids.contains(KeymasterArguments.toUint64(sid))) { + canUnlockViaBiometrics = false; + break; + } } - final long faceOnlySid = getFaceOnlySid(); - if ((faceOnlySid != 0) - && (keySids.contains(KeymasterArguments.toUint64(faceOnlySid)))) { - // One of the key's SIDs is the current face SID -- user can be - // authenticated against that SID. + if (canUnlockViaBiometrics) { + // All of the biometric SIDs are contained in the key's SIDs. return new UserNotAuthenticatedException(); } @@ -1374,36 +1379,6 @@ public class KeyStore { } } - private long getFaceOnlySid() { - final PackageManager packageManager = mContext.getPackageManager(); - if (!packageManager.hasSystemFeature(PackageManager.FEATURE_FACE)) { - return 0; - } - FaceManager faceManager = mContext.getSystemService(FaceManager.class); - if (faceManager == null) { - return 0; - } - - // TODO: Restore USE_BIOMETRIC or USE_BIOMETRIC_INTERNAL permission check in - // FaceManager.getAuthenticatorId once the ID is no longer needed here. - return faceManager.getAuthenticatorId(); - } - - private long getFingerprintOnlySid() { - final PackageManager packageManager = mContext.getPackageManager(); - if (!packageManager.hasSystemFeature(PackageManager.FEATURE_FINGERPRINT)) { - return 0; - } - FingerprintManager fingerprintManager = mContext.getSystemService(FingerprintManager.class); - if (fingerprintManager == null) { - return 0; - } - - // TODO: Restore USE_FINGERPRINT permission check in - // FingerprintManager.getAuthenticatorId once the ID is no longer needed here. - return fingerprintManager.getAuthenticatorId(); - } - /** * Returns an {@link InvalidKeyException} corresponding to the provided keystore/keymaster error * code. |