Reset BadRemoteGuess counter after LSKF change.
Bug: 319923018
Test: atest com.android.server.locksettings.recoverablekeystore
Change-Id: I53222aa7b6e0a7ce3b13611e9766ffa61f89983f
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java
index 77a60289..bf1b3c3 100644
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java
@@ -168,6 +168,9 @@
}
private void syncKeys() throws RemoteException {
+ if (mCredentialUpdated && mRecoverableKeyStoreDb.getBadRemoteGuessCounter(mUserId) != 0) {
+ mRecoverableKeyStoreDb.setBadRemoteGuessCounter(mUserId, 0);
+ }
int generation = mPlatformKeyManager.getGenerationId(mUserId);
if (mCredentialType == LockPatternUtils.CREDENTIAL_TYPE_NONE) {
// Application keys for the user will not be available for sync.
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java
index 80fb5e3..1514de0 100644
--- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java
@@ -89,6 +89,7 @@
private static final String WRAPPING_KEY_ALIAS = "KeySyncTaskTest/WrappingKey";
private static final String DATABASE_FILE_NAME = "recoverablekeystore.db";
private static final int TEST_USER_ID = 1000;
+ private static final int TEST_USER_ID_2 = 1002;
private static final int TEST_RECOVERY_AGENT_UID = 10009;
private static final int TEST_RECOVERY_AGENT_UID2 = 10010;
private static final byte[] TEST_VAULT_HANDLE =
@@ -824,6 +825,48 @@
}
@Test
+ public void run_unlock_keepsRemoteLskfVerificationCounter() throws Exception {
+ mRecoverableKeyStoreDb.setBadRemoteGuessCounter(TEST_USER_ID, 5);
+ mRecoverableKeyStoreDb.setBadRemoteGuessCounter(TEST_USER_ID_2, 4);
+ mKeySyncTask = new KeySyncTask(
+ mRecoverableKeyStoreDb,
+ mRecoverySnapshotStorage,
+ mSnapshotListenersStorage,
+ TEST_USER_ID,
+ CREDENTIAL_TYPE_PIN,
+ "12345".getBytes(),
+ /*credentialUpdated=*/ false,
+ mPlatformKeyManager,
+ mTestOnlyInsecureCertificateHelper,
+ mMockScrypt);
+ mKeySyncTask.run();
+
+ assertThat(mRecoverableKeyStoreDb.getBadRemoteGuessCounter(TEST_USER_ID)).isEqualTo(5);
+ assertThat(mRecoverableKeyStoreDb.getBadRemoteGuessCounter(TEST_USER_ID_2)).isEqualTo(4);
+ }
+
+ @Test
+ public void run_secretChange_resetsRemoteLskfVerificationCounter() throws Exception {
+ mRecoverableKeyStoreDb.setBadRemoteGuessCounter(TEST_USER_ID, 5);
+ mRecoverableKeyStoreDb.setBadRemoteGuessCounter(TEST_USER_ID_2, 4);
+ mKeySyncTask = new KeySyncTask(
+ mRecoverableKeyStoreDb,
+ mRecoverySnapshotStorage,
+ mSnapshotListenersStorage,
+ TEST_USER_ID,
+ CREDENTIAL_TYPE_PIN,
+ "12345".getBytes(),
+ /*credentialUpdated=*/ true,
+ mPlatformKeyManager,
+ mTestOnlyInsecureCertificateHelper,
+ mMockScrypt);
+ mKeySyncTask.run();
+
+ assertThat(mRecoverableKeyStoreDb.getBadRemoteGuessCounter(TEST_USER_ID)).isEqualTo(0);
+ assertThat(mRecoverableKeyStoreDb.getBadRemoteGuessCounter(TEST_USER_ID_2)).isEqualTo(4);
+ }
+
+ @Test
public void run_customLockScreen_RecoveryStatusFailure() throws Exception {
mKeySyncTask = new KeySyncTask(
mRecoverableKeyStoreDb,