Integrate IKeystoreUserManager aidl with LockSettingsService.
This CL introduces the client side for IKeystoreUserManager aidl and
integrates it with the LockSettingsService.
Bug: 171305115
Test: TBD
Change-Id: I7560e98f95aaec6b85cdcfc01ba83aea0ccc52ae
diff --git a/Android.bp b/Android.bp
index 4f248d9..88ed676 100644
--- a/Android.bp
+++ b/Android.bp
@@ -525,6 +525,7 @@
"android.hardware.vibrator-V1.3-java",
"android.security.apc-java",
"android.security.authorization-java",
+ "android.security.usermanager-java",
"android.system.keystore2-V1-java",
"android.system.suspend.control.internal-java",
"devicepolicyprotosnano",
diff --git a/keystore/java/android/security/AndroidKeyStoreMaintenance.java b/keystore/java/android/security/AndroidKeyStoreMaintenance.java
new file mode 100644
index 0000000..c81c8c54
--- /dev/null
+++ b/keystore/java/android/security/AndroidKeyStoreMaintenance.java
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security;
+
+import android.annotation.NonNull;
+import android.annotation.Nullable;
+import android.os.ServiceManager;
+import android.os.ServiceSpecificException;
+import android.security.usermanager.IKeystoreUserManager;
+import android.system.keystore2.ResponseCode;
+import android.util.Log;
+
+/**
+ * @hide This is the client side for IKeystoreUserManager AIDL.
+ * It shall only be used by the LockSettingsService.
+ */
+public class AndroidKeyStoreMaintenance {
+ private static final String TAG = "AndroidKeyStoreMaintenance";
+
+ public static final int SYSTEM_ERROR = ResponseCode.SYSTEM_ERROR;
+
+ private static IKeystoreUserManager getService() {
+ return IKeystoreUserManager.Stub.asInterface(
+ ServiceManager.checkService("android.security.usermanager"));
+ }
+
+ /**
+ * Informs keystore2 about adding a user
+ *
+ * @param userId - Android user id of the user being added
+ * @return 0 if successful or a {@code ResponseCode}
+ * @hide
+ */
+ public static int onUserAdded(@NonNull int userId) {
+ if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0;
+ try {
+ getService().onUserAdded(userId);
+ return 0;
+ } catch (ServiceSpecificException e) {
+ Log.e(TAG, "onUserAdded failed", e);
+ return e.errorCode;
+ } catch (Exception e) {
+ Log.e(TAG, "Can not connect to keystore", e);
+ return SYSTEM_ERROR;
+ }
+ }
+
+ /**
+ * Informs keystore2 about removing a usergit mer
+ *
+ * @param userId - Android user id of the user being removed
+ * @return 0 if successful or a {@code ResponseCode}
+ * @hide
+ */
+ public static int onUserRemoved(int userId) {
+ if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0;
+ try {
+ getService().onUserRemoved(userId);
+ return 0;
+ } catch (ServiceSpecificException e) {
+ Log.e(TAG, "onUserRemoved failed", e);
+ return e.errorCode;
+ } catch (Exception e) {
+ Log.e(TAG, "Can not connect to keystore", e);
+ return SYSTEM_ERROR;
+ }
+ }
+
+ /**
+ * Informs keystore2 about changing user's password
+ *
+ * @param userId - Android user id of the user
+ * @param password - a secret derived from the synthetic password provided by the
+ * LockSettingService
+ * @return 0 if successful or a {@code ResponseCode}
+ * @hide
+ */
+ public static int onUserPasswordChanged(int userId, @Nullable byte[] password) {
+ if (!android.security.keystore2.AndroidKeyStoreProvider.isInstalled()) return 0;
+ try {
+ getService().onUserPasswordChanged(userId, password);
+ return 0;
+ } catch (ServiceSpecificException e) {
+ Log.e(TAG, "onUserPasswordChanged failed", e);
+ return e.errorCode;
+ } catch (Exception e) {
+ Log.e(TAG, "Can not connect to keystore", e);
+ return SYSTEM_ERROR;
+ }
+ }
+}
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java
index a589fed..86cf9b5 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -89,6 +89,7 @@
import android.provider.Settings;
import android.provider.Settings.Secure;
import android.provider.Settings.SettingNotFoundException;
+import android.security.AndroidKeyStoreMaintenance;
import android.security.Authorization;
import android.security.KeyStore;
import android.security.keystore.AndroidKeyStoreProvider;
@@ -225,7 +226,6 @@
private final SyntheticPasswordManager mSpManager;
private final KeyStore mKeyStore;
-
private final RecoverableKeyStoreManager mRecoverableKeyStoreManager;
private ManagedProfilePasswordCache mManagedProfilePasswordCache;
@@ -803,6 +803,7 @@
if (Intent.ACTION_USER_ADDED.equals(intent.getAction())) {
// Notify keystore that a new user was added.
final int userHandle = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0);
+ AndroidKeyStoreMaintenance.onUserAdded(userHandle);
final KeyStore ks = KeyStore.getInstance();
final UserInfo parentInfo = mUserManager.getProfileParent(userHandle);
final int parentHandle = parentInfo != null ? parentInfo.id : -1;
@@ -1270,6 +1271,7 @@
}
private void setKeystorePassword(byte[] password, int userHandle) {
+ AndroidKeyStoreMaintenance.onUserPasswordChanged(userHandle, password);
final KeyStore ks = KeyStore.getInstance();
// TODO(b/120484642): Update keystore to accept byte[] passwords
String passwordString = password == null ? null : new String(password);
@@ -2301,6 +2303,7 @@
mSpManager.removeUser(userId);
mStrongAuth.removeUser(userId);
+ AndroidKeyStoreMaintenance.onUserRemoved(userId);
final KeyStore ks = KeyStore.getInstance();
ks.onUserRemoved(userId);
mManagedProfilePasswordCache.removePassword(userId);
diff --git a/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java b/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java
index 6d420a9..35e6489 100644
--- a/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java
+++ b/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java
@@ -18,7 +18,6 @@
import android.security.keystore.KeyProperties;
import android.security.keystore.KeyProtection;
-import android.security.keystore2.AndroidKeyStoreProvider;
import android.util.Slog;
import java.io.ByteArrayOutputStream;
@@ -141,19 +140,8 @@
}
}
- /**
- * TODO This function redirects keystore access to the legacy keystore during a transitional
- * phase during which not all calling code has been adjusted to use Keystore 2.0.
- * This can be reverted to a constant of "AndroidKeyStore" when b/171305684 is complete.
- * The specific bug for this component is b/171305115.
- */
static String androidKeystoreProviderName() {
- if (AndroidKeyStoreProvider.isInstalled()) {
- return "AndroidKeyStoreLegacy";
- } else {
- return "AndroidKeystore";
- }
-
+ return "AndroidKeyStore";
}
public static byte[] decryptBlob(String keyAlias, byte[] blob, byte[] applicationId) {