Keystore 2.0: Integrate onLockScreenEvent.

This patch updates LockSettingService and TrustManagerService to use the new Keystore 2.0 authorization api. Bug: 166672367 Test: VTS test Change-Id: I5494d7b923d33d447488a0c67ada43d1f9593861
2021-01-07 15:45:30 +00:00
parent f9c123d7da
commit 49e239ec96
3 changed files with 38 additions and 0 deletions
--- a/keystore/java/android/security/Authorization.java
+++ b/keystore/java/android/security/Authorization.java
@@ -17,11 +17,13 @@
 package android.security;

 import android.annotation.NonNull;
+import android.annotation.Nullable;
 import android.hardware.security.keymint.HardwareAuthToken;
 import android.os.RemoteException;
 import android.os.ServiceManager;
 import android.os.ServiceSpecificException;
 import android.security.authorization.IKeystoreAuthorization;
+import android.security.authorization.LockScreenEvent;
 import android.system.keystore2.ResponseCode;
 import android.util.Log;

@@ -75,4 +77,31 @@ public class Authorization {
        return addAuthToken(AuthTokenUtils.toHardwareAuthToken(authToken));
    }

+    /**
+     * Informs keystore2 about lock screen event.
+     *
+     * @param locked            - whether it is a lock (true) or unlock (false) event
+     * @param syntheticPassword - if it is an unlock event with the password, pass the synthetic
+     *                          password provided by the LockSettingService
+     *
+     * @return 0 if successful or a {@code ResponseCode}.
+     */
+    public int onLockScreenEvent(@NonNull boolean locked, @NonNull int userId,
+            @Nullable byte[] syntheticPassword) {
+        if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0;
+        try {
+            if (locked) {
+                getService().onLockScreenEvent(LockScreenEvent.LOCK, userId, null);
+            } else {
+                getService().onLockScreenEvent(LockScreenEvent.UNLOCK, userId, syntheticPassword);
+            }
+            return 0;
+        } catch (RemoteException e) {
+            Log.w(TAG, "Can not connect to keystore", e);
+            return SYSTEM_ERROR;
+        } catch (ServiceSpecificException e) {
+            return e.errorCode;
+        }
+    }
+
 }
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -89,6 +89,7 @@ import android.os.storage.StorageManager;
 import android.provider.Settings;
 import android.provider.Settings.Secure;
 import android.provider.Settings.SettingNotFoundException;
+import android.security.Authorization;
 import android.security.KeyStore;
 import android.security.keystore.AndroidKeyStoreProvider;
 import android.security.keystore.KeyProperties;
@@ -1272,6 +1273,7 @@ public class LockSettingsService extends ILockSettings.Stub {

    private void unlockKeystore(byte[] password, int userHandle) {
        if (DEBUG) Slog.v(TAG, "Unlock keystore for user: " + userHandle);
+        new Authorization().onLockScreenEvent(false, userHandle, password);
        // TODO(b/120484642): Update keystore to accept byte[] passwords
        String passwordString = password == null ? null : new String(password);
        final KeyStore ks = KeyStore.getInstance();
--- a/services/core/java/com/android/server/trust/TrustManagerService.java
+++ b/services/core/java/com/android/server/trust/TrustManagerService.java
@@ -53,6 +53,7 @@ import android.os.SystemClock;
 import android.os.UserHandle;
 import android.os.UserManager;
 import android.provider.Settings;
+import android.security.Authorization;
 import android.security.KeyStore;
 import android.service.trust.TrustAgentService;
 import android.text.TextUtils;
@@ -185,6 +186,8 @@ public class TrustManagerService extends SystemService {
    private boolean mTrustAgentsCanRun = false;
    private int mCurrentUser = UserHandle.USER_SYSTEM;

+    private Authorization mAuthorizationService;
+
    public TrustManagerService(Context context) {
        super(context);
        mContext = context;
@@ -194,6 +197,7 @@ public class TrustManagerService extends SystemService {
        mStrongAuthTracker = new StrongAuthTracker(context);
        mAlarmManager = (AlarmManager) mContext.getSystemService(Context.ALARM_SERVICE);
        mSettingsObserver = new SettingsObserver(mHandler);
+        mAuthorizationService = new Authorization();
    }

    @Override
@@ -696,11 +700,13 @@ public class TrustManagerService extends SystemService {
        if (changed) {
            dispatchDeviceLocked(userId, locked);

+            mAuthorizationService.onLockScreenEvent(locked, userId, null);
            KeyStore.getInstance().onUserLockedStateChanged(userId, locked);
            // Also update the user's profiles who have unified challenge, since they
            // share the same unlocked state (see {@link #isDeviceLocked(int)})
            for (int profileHandle : mUserManager.getEnabledProfileIds(userId)) {
                if (mLockPatternUtils.isManagedProfileWithUnifiedChallenge(profileHandle)) {
+                    mAuthorizationService.onLockScreenEvent(locked, profileHandle, null);
                    KeyStore.getInstance().onUserLockedStateChanged(profileHandle, locked);
                }
            }
@@ -1252,6 +1258,7 @@ public class TrustManagerService extends SystemService {
                        mDeviceLockedForUser.put(userId, locked);
                    }

+                    mAuthorizationService.onLockScreenEvent(locked, userId, null);
                    KeyStore.getInstance().onUserLockedStateChanged(userId, locked);

                    if (locked) {