Use consistent helper class for keystore authorization
Currently the IKeystoreAuthorization service is intended to be accessed
through the helper class android.security.Authorization. However,
because Authorization provides only static methods, it can only be
unit-tested by static mocking, which is only available in
mockingservicestests. BiometricService works around this in two
different ways: (a) using IKeystoreAuthorization directly, and (b) using
android.security.KeyStore, an obsolete class that is now
almost empty and just contains a couple of random helpers. I'd like to
remove it to avoid confusion with java.security.KeyStore.
This CL solves the testability problem in a consistent way by renaming
Authorization to KeyStoreAuthorization and changing all public static
methods to instance methods. It updates all callers of the keystore
authorization service to go through a KeyStoreAuthorization instance.
Finally, it updates the unit tests for TrustManagerService and
BiometricService to inject a mock KeyStoreAuthorization.
Bug: 326508120
Test: atest TrustManagerServiceTest
Test: atest FrameworksServicesTests:{BiometricServiceTest,AuthSessionTest}
Test: atest CtsBiometricsTestCases:BiometricSimpleTests
Flag: N/A. Refactoring with no behavior change intended.
Change-Id: I68504f447b1b880c08a60cf027b13f77a6567ec9
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
index 2cac2e1..2f2215f 100644
--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
@@ -17,7 +17,6 @@
package android.security;
import android.compat.annotation.UnsupportedAppUsage;
-import android.os.StrictMode;
/**
* This class provides some constants and helper methods related to Android's Keystore service.
@@ -38,17 +37,4 @@
public static KeyStore getInstance() {
return KEY_STORE;
}
-
- /**
- * Add an authentication record to the keystore authorization table.
- *
- * @param authToken The packed bytes of a hw_auth_token_t to be provided to keymaster.
- * @return 0 on success, otherwise an error value corresponding to a
- * {@code KeymasterDefs.KM_ERROR_} value or {@code KeyStore} ResponseCode.
- */
- public int addAuthToken(byte[] authToken) {
- StrictMode.noteDiskWrite();
-
- return Authorization.addAuthToken(authToken);
- }
}
diff --git a/keystore/java/android/security/Authorization.java b/keystore/java/android/security/KeyStoreAuthorization.java
similarity index 82%
rename from keystore/java/android/security/Authorization.java
rename to keystore/java/android/security/KeyStoreAuthorization.java
index 6404c4b..14d715f 100644
--- a/keystore/java/android/security/Authorization.java
+++ b/keystore/java/android/security/KeyStoreAuthorization.java
@@ -33,15 +33,21 @@
* @hide This is the client side for IKeystoreAuthorization AIDL.
* It shall only be used by biometric authentication providers and Gatekeeper.
*/
-public class Authorization {
- private static final String TAG = "KeystoreAuthorization";
+public class KeyStoreAuthorization {
+ private static final String TAG = "KeyStoreAuthorization";
public static final int SYSTEM_ERROR = ResponseCode.SYSTEM_ERROR;
+ private static final KeyStoreAuthorization sInstance = new KeyStoreAuthorization();
+
+ public static KeyStoreAuthorization getInstance() {
+ return sInstance;
+ }
+
/**
* @return an instance of IKeystoreAuthorization
*/
- public static IKeystoreAuthorization getService() {
+ private IKeystoreAuthorization getService() {
return IKeystoreAuthorization.Stub.asInterface(
ServiceManager.checkService("android.security.authorization"));
}
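Review bot: `getInstance()` is added without Javadoc, and the class comment kept above it still says the client "shall only be used by biometric authentication providers and Gatekeeper", although this commit also routes LockSettingsService and TrustManagerService through it. I would add `/** Returns the process-wide instance; services should obtain it through their Injector so tests can substitute a mock. */` and update the class comment to name the actual callers. `getService()` goes through `ServiceManager.checkService(...)`, which returns null when the service is not registered, so its `@return` line should say the result may be null; the visible `getLastAuthTime` body handles that case only by catching `NullPointerException`.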
@@ -52,7 +58,7 @@
* @param authToken created by Android authenticators.
* @return 0 if successful or {@code ResponseCode.SYSTEM_ERROR}.
*/
- public static int addAuthToken(@NonNull HardwareAuthToken authToken) {
+ public int addAuthToken(@NonNull HardwareAuthToken authToken) {
StrictMode.noteSlowCall("addAuthToken");
try {
getService().addAuthToken(authToken);
@@ -70,7 +76,7 @@
* @param authToken
* @return 0 if successful or a {@code ResponseCode}.
*/
- public static int addAuthToken(@NonNull byte[] authToken) {
+ public int addAuthToken(@NonNull byte[] authToken) {
return addAuthToken(AuthTokenUtils.toHardwareAuthToken(authToken));
}
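Review bot: Byte-array callers that used to go through the removed `android.security.KeyStore.addAuthToken(byte[])` no longer hit `StrictMode.noteDiskWrite()`; this overload only reaches `StrictMode.noteSlowCall("addAuthToken")` in the `HardwareAuthToken` variant, which is a small behavior change in a commit described as having none. If the change is intended, say so in the commit message; otherwise keep the disk-write note in this overload. The `@param authToken` tag above is empty; `@param authToken packed bytes of a hw_auth_token_t, converted via AuthTokenUtils.toHardwareAuthToken` would carry over the description from the deleted method. The Javadoc block starts outside the hunk.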
@@ -82,7 +88,7 @@
* is LSKF (or equivalent) and thus has made the synthetic password available
* @return 0 if successful or a {@code ResponseCode}.
*/
- public static int onDeviceUnlocked(int userId, @Nullable byte[] password) {
+ public int onDeviceUnlocked(int userId, @Nullable byte[] password) {
StrictMode.noteDiskWrite();
try {
getService().onDeviceUnlocked(userId, password);
@@ -103,7 +109,7 @@
* @param weakUnlockEnabled - true if non-strong biometric or trust agent unlock is enabled
* @return 0 if successful or a {@code ResponseCode}.
*/
- public static int onDeviceLocked(int userId, @NonNull long[] unlockingSids,
+ public int onDeviceLocked(int userId, @NonNull long[] unlockingSids,
boolean weakUnlockEnabled) {
StrictMode.noteDiskWrite();
try {
@@ -125,14 +131,17 @@
* @return the last authentication time or
* {@link BiometricConstants#BIOMETRIC_NO_AUTHENTICATION}.
*/
- public static long getLastAuthenticationTime(
- long userId, @HardwareAuthenticatorType int[] authenticatorTypes) {
+ public long getLastAuthTime(long userId, @HardwareAuthenticatorType int[] authenticatorTypes) {
try {
return getService().getLastAuthTime(userId, authenticatorTypes);
} catch (RemoteException | NullPointerException e) {
- Log.w(TAG, "Can not connect to keystore", e);
+ Log.w(TAG, "Error getting last auth time: " + e);
return BiometricConstants.BIOMETRIC_NO_AUTHENTICATION;
} catch (ServiceSpecificException e) {
+ // This is returned when the feature flag test fails in keystore2
+ if (e.errorCode == ResponseCode.PERMISSION_DENIED) {
+ throw new UnsupportedOperationException();
+ }
return BiometricConstants.BIOMETRIC_NO_AUTHENTICATION;
}
}
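Review bot: `getLastAuthTime` now throws `UnsupportedOperationException` when keystore2 answers `ResponseCode.PERMISSION_DENIED`, but the Javadoc above documents only the two return values; add `@throws UnsupportedOperationException if keystore2 rejects the call with PERMISSION_DENIED`. The rewritten `Log.w(TAG, "Error getting last auth time: " + e)` drops the stack trace that the old call passed as the throwable argument, and any other `ServiceSpecificException` code returns `BIOMETRIC_NO_AUTHENTICATION` with no log line at all; `Log.w(TAG, "Error getting last auth time", e)` in both branches would keep authorization failures diagnosable. The BiometricService call site in this commit now relies on the throw with no try/catch of its own, so a one-line comment there would help readers. The Javadoc for this method starts outside the hunk.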
diff --git a/services/core/java/com/android/server/biometrics/AuthSession.java b/services/core/java/com/android/server/biometrics/AuthSession.java
index c507300..69e87fc 100644
--- a/services/core/java/com/android/server/biometrics/AuthSession.java
+++ b/services/core/java/com/android/server/biometrics/AuthSession.java
@@ -56,7 +56,7 @@
import android.hardware.fingerprint.FingerprintSensorPropertiesInternal;
import android.os.IBinder;
import android.os.RemoteException;
-import android.security.KeyStore;
+import android.security.KeyStoreAuthorization;
import android.util.Slog;
import com.android.internal.annotations.VisibleForTesting;
@@ -111,7 +111,7 @@
@NonNull private final BiometricContext mBiometricContext;
private final IStatusBarService mStatusBarService;
@VisibleForTesting final IBiometricSysuiReceiver mSysuiReceiver;
- private final KeyStore mKeyStore;
+ private final KeyStoreAuthorization mKeyStoreAuthorization;
private final Random mRandom;
private final ClientDeathReceiver mClientDeathReceiver;
final PreAuthInfo mPreAuthInfo;
@@ -158,7 +158,7 @@
@NonNull BiometricContext biometricContext,
@NonNull IStatusBarService statusBarService,
@NonNull IBiometricSysuiReceiver sysuiReceiver,
- @NonNull KeyStore keystore,
+ @NonNull KeyStoreAuthorization keyStoreAuthorization,
@NonNull Random random,
@NonNull ClientDeathReceiver clientDeathReceiver,
@NonNull PreAuthInfo preAuthInfo,
@@ -172,8 +172,8 @@
@NonNull PromptInfo promptInfo,
boolean debugEnabled,
@NonNull List<FingerprintSensorPropertiesInternal> fingerprintSensorProperties) {
- this(context, biometricContext, statusBarService, sysuiReceiver, keystore, random,
- clientDeathReceiver, preAuthInfo, token, requestId, operationId, userId,
+ this(context, biometricContext, statusBarService, sysuiReceiver, keyStoreAuthorization,
+ random, clientDeathReceiver, preAuthInfo, token, requestId, operationId, userId,
sensorReceiver, clientReceiver, opPackageName, promptInfo, debugEnabled,
fingerprintSensorProperties, BiometricFrameworkStatsLogger.getInstance());
}
@@ -183,7 +183,7 @@
@NonNull BiometricContext biometricContext,
@NonNull IStatusBarService statusBarService,
@NonNull IBiometricSysuiReceiver sysuiReceiver,
- @NonNull KeyStore keystore,
+ @NonNull KeyStoreAuthorization keyStoreAuthorization,
@NonNull Random random,
@NonNull ClientDeathReceiver clientDeathReceiver,
@NonNull PreAuthInfo preAuthInfo,
@@ -203,7 +203,7 @@
mBiometricContext = biometricContext;
mStatusBarService = statusBarService;
mSysuiReceiver = sysuiReceiver;
- mKeyStore = keystore;
+ mKeyStoreAuthorization = keyStoreAuthorization;
mRandom = random;
mClientDeathReceiver = clientDeathReceiver;
mPreAuthInfo = preAuthInfo;
@@ -814,14 +814,14 @@
switch (reason) {
case BiometricPrompt.DISMISSED_REASON_CREDENTIAL_CONFIRMED:
if (credentialAttestation != null) {
- mKeyStore.addAuthToken(credentialAttestation);
+ mKeyStoreAuthorization.addAuthToken(credentialAttestation);
} else {
Slog.e(TAG, "credentialAttestation is null");
}
case BiometricPrompt.DISMISSED_REASON_BIOMETRIC_CONFIRMED:
case BiometricPrompt.DISMISSED_REASON_BIOMETRIC_CONFIRM_NOT_REQUIRED:
if (mTokenEscrow != null) {
- final int result = mKeyStore.addAuthToken(mTokenEscrow);
+ final int result = mKeyStoreAuthorization.addAuthToken(mTokenEscrow);
Slog.d(TAG, "addAuthToken: " + result);
} else {
Slog.e(TAG, "mTokenEscrow is null");
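Review bot: The result of `mKeyStoreAuthorization.addAuthToken(credentialAttestation)` is discarded, so a failure to register the credential auth token is silent even though the wrapper returns a `ResponseCode`; the biometric branch just below at least logs its result. I would capture it and report non-zero values: `final int result = mKeyStoreAuthorization.addAuthToken(credentialAttestation);` then `if (result != 0) Slog.w(TAG, "addAuthToken (credential) failed: " + result);`. The same pattern appears on the changed lines in LockSettingsService.unlockKeystore (`onDeviceUnlocked`) and in TrustManagerService (`onDeviceLocked` / `onDeviceUnlocked`), where an unreported `onDeviceLocked` failure could leave keystore's lock state out of step with the device. The CREDENTIAL_CONFIRMED case also runs on into the biometric cases with no marker; if that is intended, a `// fall through` comment would make it explicit. The switch starts and ends outside the hunk.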
diff --git a/services/core/java/com/android/server/biometrics/BiometricService.java b/services/core/java/com/android/server/biometrics/BiometricService.java
index 91a68ea..bccbee9 100644
--- a/services/core/java/com/android/server/biometrics/BiometricService.java
+++ b/services/core/java/com/android/server/biometrics/BiometricService.java
@@ -65,15 +65,11 @@
import android.os.Looper;
import android.os.RemoteException;
import android.os.ServiceManager;
-import android.os.ServiceSpecificException;
import android.os.UserHandle;
import android.os.UserManager;
import android.provider.Settings;
-import android.security.Authorization;
import android.security.GateKeeper;
-import android.security.KeyStore;
-import android.security.authorization.IKeystoreAuthorization;
-import android.security.authorization.ResponseCode;
+import android.security.KeyStoreAuthorization;
import android.service.gatekeeper.IGateKeeperService;
import android.text.TextUtils;
import android.util.ArraySet;
@@ -123,11 +119,9 @@
@VisibleForTesting
IStatusBarService mStatusBarService;
@VisibleForTesting
- KeyStore mKeyStore;
- @VisibleForTesting
ITrustManager mTrustManager;
@VisibleForTesting
- IKeystoreAuthorization mKeystoreAuthorization;
+ KeyStoreAuthorization mKeyStoreAuthorization;
@VisibleForTesting
IGateKeeperService mGateKeeper;
@@ -672,19 +666,7 @@
int[] authTypesArray = hardwareAuthenticators.stream()
.mapToInt(Integer::intValue)
.toArray();
- try {
- return mKeystoreAuthorization.getLastAuthTime(secureUserId, authTypesArray);
- } catch (RemoteException e) {
- Slog.w(TAG, "Error getting last auth time: " + e);
- return BiometricConstants.BIOMETRIC_NO_AUTHENTICATION;
- } catch (ServiceSpecificException e) {
- // This is returned when the feature flag test fails in keystore2
- if (e.errorCode == ResponseCode.PERMISSION_DENIED) {
- throw new UnsupportedOperationException();
- }
-
- return BiometricConstants.BIOMETRIC_NO_AUTHENTICATION;
- }
+ return mKeyStoreAuthorization.getLastAuthTime(secureUserId, authTypesArray);
}
@android.annotation.EnforcePermission(android.Manifest.permission.USE_BIOMETRIC_INTERNAL)
@@ -1009,8 +991,8 @@
return ActivityManager.getService();
}
- public IKeystoreAuthorization getKeystoreAuthorizationService() {
- return Authorization.getService();
+ public KeyStoreAuthorization getKeyStoreAuthorization() {
+ return KeyStoreAuthorization.getInstance();
}
public IGateKeeperService getGateKeeperService() {
@@ -1034,10 +1016,6 @@
return new SettingObserver(context, handler, callbacks);
}
- public KeyStore getKeyStore() {
- return KeyStore.getInstance();
- }
-
/**
* Allows to enable/disable debug logs.
*/
@@ -1130,7 +1108,7 @@
mBiometricContext = injector.getBiometricContext(context);
mUserManager = injector.getUserManager(context);
mBiometricCameraManager = injector.getBiometricCameraManager(context);
- mKeystoreAuthorization = injector.getKeystoreAuthorizationService();
+ mKeyStoreAuthorization = injector.getKeyStoreAuthorization();
mGateKeeper = injector.getGateKeeperService();
try {
@@ -1150,7 +1128,6 @@
@Override
public void onStart() {
- mKeyStore = mInjector.getKeyStore();
mStatusBarService = mInjector.getStatusBarService();
mTrustManager = mInjector.getTrustManager();
mInjector.publishBinderService(this, mImpl);
@@ -1458,7 +1435,7 @@
final boolean debugEnabled = mInjector.isDebugEnabled(getContext(), userId);
mAuthSession = new AuthSession(getContext(), mBiometricContext, mStatusBarService,
- createSysuiReceiver(requestId), mKeyStore, mRandom,
+ createSysuiReceiver(requestId), mKeyStoreAuthorization, mRandom,
createClientDeathReceiver(requestId), preAuthInfo, token, requestId,
operationId, userId, createBiometricSensorReceiver(requestId), receiver,
opPackageName, promptInfo, debugEnabled,
diff --git a/services/core/java/com/android/server/biometrics/sensors/AuthenticationClient.java b/services/core/java/com/android/server/biometrics/sensors/AuthenticationClient.java
index 6eba23f..749e12b 100644
--- a/services/core/java/com/android/server/biometrics/sensors/AuthenticationClient.java
+++ b/services/core/java/com/android/server/biometrics/sensors/AuthenticationClient.java
@@ -30,7 +30,7 @@
import android.hardware.biometrics.BiometricRequestConstants;
import android.os.IBinder;
import android.os.RemoteException;
-import android.security.KeyStore;
+import android.security.KeyStoreAuthorization;
import android.util.EventLog;
import android.util.Slog;
@@ -255,7 +255,7 @@
// For BP, BiometricService will add the authToken to Keystore.
if (!isBiometricPrompt() && mIsStrongBiometric) {
- final int result = KeyStore.getInstance().addAuthToken(byteToken);
+ final int result = KeyStoreAuthorization.getInstance().addAuthToken(byteToken);
if (result != 0) {
Slog.d(TAG, "Error adding auth token : " + result);
} else {
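Review bot: `KeyStoreAuthorization.getInstance().addAuthToken(byteToken)` reaches the singleton through a static call, so this path still cannot be unit-tested without static mocking, which is the problem the commit sets out to remove. Passing a `KeyStoreAuthorization` in through the constructor, as AuthSession does, would make it consistent with the other callers. The failure branch logs at debug level (`Slog.d(TAG, "Error adding auth token : " + result)`); a strong-biometric token that keystore did not accept seems worth `Slog.w`. The enclosing method starts and ends outside the hunk.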
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java
index a9a9d87b..ba99d2e 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -103,7 +103,7 @@
import android.provider.DeviceConfig;
import android.provider.Settings;
import android.security.AndroidKeyStoreMaintenance;
-import android.security.Authorization;
+import android.security.KeyStoreAuthorization;
import android.security.keystore.KeyProperties;
import android.security.keystore.KeyProtection;
import android.security.keystore.recovery.KeyChainProtectionParams;
@@ -289,6 +289,7 @@
private final SyntheticPasswordManager mSpManager;
private final KeyStore mKeyStore;
+ private final KeyStoreAuthorization mKeyStoreAuthorization;
private final RecoverableKeyStoreManager mRecoverableKeyStoreManager;
private final UnifiedProfilePasswordCache mUnifiedProfilePasswordCache;
@@ -623,6 +624,10 @@
}
}
+ public KeyStoreAuthorization getKeyStoreAuthorization() {
+ return KeyStoreAuthorization.getInstance();
+ }
+
public @NonNull UnifiedProfilePasswordCache getUnifiedProfilePasswordCache(KeyStore ks) {
return new UnifiedProfilePasswordCache(ks);
}
@@ -646,6 +651,7 @@
mInjector = injector;
mContext = injector.getContext();
mKeyStore = injector.getKeyStore();
+ mKeyStoreAuthorization = injector.getKeyStoreAuthorization();
mRecoverableKeyStoreManager = injector.getRecoverableKeyStoreManager();
mHandler = injector.getHandler(injector.getServiceThread());
mStrongAuth = injector.getStrongAuth();
@@ -1434,7 +1440,7 @@
}
private void unlockKeystore(int userId, SyntheticPassword sp) {
- Authorization.onDeviceUnlocked(userId, sp.deriveKeyStorePassword());
+ mKeyStoreAuthorization.onDeviceUnlocked(userId, sp.deriveKeyStorePassword());
}
@VisibleForTesting /** Note: this method is overridden in unit tests */
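Review bot: The array returned by `sp.deriveKeyStorePassword()` is passed to `onDeviceUnlocked` as a temporary and never cleared, so the derived keystore password stays on the heap until it is garbage-collected. Assuming the method returns a fresh array on each call (not visible in this diff), hold it in a local and zero it in a `finally` block once the call has returned. `Arrays.fill` needs `java.util.Arrays`; whether the file already imports it is not visible here.

```java
private void unlockKeystore(int userId, SyntheticPassword sp) {
    final byte[] keystorePassword = sp.deriveKeyStorePassword();
    try {
        mKeyStoreAuthorization.onDeviceUnlocked(userId, keystorePassword);
    } finally {
        // Do not leave the derived secret lying around after keystore has consumed it.
        if (keystorePassword != null) {
            Arrays.fill(keystorePassword, (byte) 0);
        }
    }
}
```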
diff --git a/services/core/java/com/android/server/trust/TrustManagerService.java b/services/core/java/com/android/server/trust/TrustManagerService.java
index e5a8a6d..7794048 100644
--- a/services/core/java/com/android/server/trust/TrustManagerService.java
+++ b/services/core/java/com/android/server/trust/TrustManagerService.java
@@ -61,7 +61,7 @@
import android.os.UserHandle;
import android.os.UserManager;
import android.provider.Settings;
-import android.security.Authorization;
+import android.security.KeyStoreAuthorization;
import android.service.trust.GrantTrustResult;
import android.service.trust.TrustAgentService;
import android.text.TextUtils;
@@ -156,6 +156,7 @@
/* package */ final TrustArchive mArchive = new TrustArchive();
private final Context mContext;
private final LockPatternUtils mLockPatternUtils;
+ private final KeyStoreAuthorization mKeyStoreAuthorization;
private final UserManager mUserManager;
private final ActivityManager mActivityManager;
private FingerprintManager mFingerprintManager;
@@ -249,25 +250,27 @@
* cases.
*/
protected static class Injector {
- private final LockPatternUtils mLockPatternUtils;
- private final Looper mLooper;
+ private final Context mContext;
- public Injector(LockPatternUtils lockPatternUtils, Looper looper) {
- mLockPatternUtils = lockPatternUtils;
- mLooper = looper;
+ public Injector(Context context) {
+ mContext = context;
}
LockPatternUtils getLockPatternUtils() {
- return mLockPatternUtils;
+ return new LockPatternUtils(mContext);
+ }
+
+ KeyStoreAuthorization getKeyStoreAuthorization() {
+ return KeyStoreAuthorization.getInstance();
}
Looper getLooper() {
- return mLooper;
+ return Looper.myLooper();
}
}
public TrustManagerService(Context context) {
- this(context, new Injector(new LockPatternUtils(context), Looper.myLooper()));
+ this(context, new Injector(context));
}
protected TrustManagerService(Context context, Injector injector) {
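Review bot: `Injector.getLockPatternUtils()` now builds a new `LockPatternUtils` and `getLooper()` calls `Looper.myLooper()` on every invocation, where the old Injector returned values captured once at construction. That is equivalent only while each getter is called exactly once, from the TrustManagerService constructor, on the thread that creates the service; a later call from another thread would get a different Looper, or null if that thread has none. Either cache the values in fields or state the contract on the class, e.g. `// Getters are called once, from the TrustManagerService constructor, on the constructing thread.`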
@@ -277,6 +280,7 @@
mUserManager = (UserManager) mContext.getSystemService(Context.USER_SERVICE);
mActivityManager = (ActivityManager) mContext.getSystemService(Context.ACTIVITY_SERVICE);
mLockPatternUtils = injector.getLockPatternUtils();
+ mKeyStoreAuthorization = injector.getKeyStoreAuthorization();
mStrongAuthTracker = new StrongAuthTracker(context, injector.getLooper());
mAlarmManager = (AlarmManager) mContext.getSystemService(Context.ALARM_SERVICE);
}
@@ -908,16 +912,16 @@
int authUserId = mLockPatternUtils.isProfileWithUnifiedChallenge(userId)
? resolveProfileParent(userId) : userId;
- Authorization.onDeviceLocked(userId, getBiometricSids(authUserId),
+ mKeyStoreAuthorization.onDeviceLocked(userId, getBiometricSids(authUserId),
isWeakUnlockMethodEnabled(authUserId));
} else {
- Authorization.onDeviceLocked(userId, getBiometricSids(userId), false);
+ mKeyStoreAuthorization.onDeviceLocked(userId, getBiometricSids(userId), false);
}
} else {
// Notify Keystore that the device is now unlocked for the user. Note that for unlocks
// with LSKF, this is redundant with the call from LockSettingsService which provides
// the password. However, for unlocks with biometric or trust agent, this is required.
- Authorization.onDeviceUnlocked(userId, /* password= */ null);
+ mKeyStoreAuthorization.onDeviceUnlocked(userId, /* password= */ null);
}
}
diff --git a/services/tests/mockingservicestests/src/com/android/server/trust/TrustManagerServiceTest.java b/services/tests/mockingservicestests/src/com/android/server/trust/TrustManagerServiceTest.java
index b415682..0532e04 100644
--- a/services/tests/mockingservicestests/src/com/android/server/trust/TrustManagerServiceTest.java
+++ b/services/tests/mockingservicestests/src/com/android/server/trust/TrustManagerServiceTest.java
@@ -55,6 +55,7 @@
import android.os.Handler;
import android.os.HandlerThread;
import android.os.IBinder;
+import android.os.Looper;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.UserHandle;
@@ -63,8 +64,7 @@
import android.platform.test.flag.junit.CheckFlagsRule;
import android.platform.test.flag.junit.DeviceFlagsValueProvider;
import android.provider.Settings;
-import android.security.Authorization;
-import android.security.authorization.IKeystoreAuthorization;
+import android.security.KeyStoreAuthorization;
import android.service.trust.TrustAgentService;
import android.testing.TestableContext;
import android.view.IWindowManager;
@@ -96,7 +96,6 @@
@Rule
public final ExtendedMockitoRule mExtendedMockitoRule = new ExtendedMockitoRule.Builder(this)
.spyStatic(ActivityManager.class)
- .spyStatic(Authorization.class)
.mockStatic(ServiceManager.class)
.mockStatic(WindowManagerGlobal.class)
.build();
@@ -126,14 +125,13 @@
private @Mock DevicePolicyManager mDevicePolicyManager;
private @Mock FaceManager mFaceManager;
private @Mock FingerprintManager mFingerprintManager;
- private @Mock IKeystoreAuthorization mKeystoreAuthorization;
+ private @Mock KeyStoreAuthorization mKeyStoreAuthorization;
private @Mock LockPatternUtils mLockPatternUtils;
private @Mock PackageManager mPackageManager;
private @Mock UserManager mUserManager;
private @Mock IWindowManager mWindowManager;
private HandlerThread mHandlerThread;
- private TrustManagerService.Injector mInjector;
private TrustManagerService mService;
private ITrustManager mTrustManager;
@@ -145,8 +143,6 @@
when(mFaceManager.getSensorProperties()).thenReturn(List.of());
when(mFingerprintManager.getSensorProperties()).thenReturn(List.of());
- doReturn(mKeystoreAuthorization).when(() -> Authorization.getService());
-
when(mLockPatternUtils.getDevicePolicyManager()).thenReturn(mDevicePolicyManager);
when(mLockPatternUtils.isSecure(TEST_USER_ID)).thenReturn(true);
when(mLockPatternUtils.getKnownTrustAgents(TEST_USER_ID)).thenReturn(mKnownTrustAgents);
@@ -193,8 +189,7 @@
mHandlerThread = new HandlerThread("handler");
mHandlerThread.start();
- mInjector = new TrustManagerService.Injector(mLockPatternUtils, mHandlerThread.getLooper());
- mService = new TrustManagerService(mMockContext, mInjector);
+ mService = new TrustManagerService(mMockContext, new MockInjector(mMockContext));
// Get the ITrustManager from the new TrustManagerService.
mService.onStart();
@@ -204,6 +199,27 @@
mTrustManager = ITrustManager.Stub.asInterface(binderArgumentCaptor.getValue());
}
+ private class MockInjector extends TrustManagerService.Injector {
+ MockInjector(Context context) {
+ super(context);
+ }
+
+ @Override
+ LockPatternUtils getLockPatternUtils() {
+ return mLockPatternUtils;
+ }
+
+ @Override
+ KeyStoreAuthorization getKeyStoreAuthorization() {
+ return mKeyStoreAuthorization;
+ }
+
+ @Override
+ Looper getLooper() {
+ return mHandlerThread.getLooper();
+ }
+ }
+
@After
public void tearDown() {
LocalServices.removeServiceForTest(SystemServiceManager.class);
@@ -371,14 +387,14 @@
when(mWindowManager.isKeyguardLocked()).thenReturn(false);
mTrustManager.reportKeyguardShowingChanged();
- verify(mKeystoreAuthorization).onDeviceUnlocked(PARENT_USER_ID, null);
- verify(mKeystoreAuthorization).onDeviceUnlocked(PROFILE_USER_ID, null);
+ verify(mKeyStoreAuthorization).onDeviceUnlocked(PARENT_USER_ID, null);
+ verify(mKeyStoreAuthorization).onDeviceUnlocked(PROFILE_USER_ID, null);
when(mWindowManager.isKeyguardLocked()).thenReturn(true);
mTrustManager.reportKeyguardShowingChanged();
- verify(mKeystoreAuthorization)
+ verify(mKeyStoreAuthorization)
.onDeviceLocked(eq(PARENT_USER_ID), eq(PARENT_BIOMETRIC_SIDS), eq(false));
- verify(mKeystoreAuthorization)
+ verify(mKeyStoreAuthorization)
.onDeviceLocked(eq(PROFILE_USER_ID), eq(PARENT_BIOMETRIC_SIDS), eq(false));
}
@@ -392,10 +408,10 @@
setupMocksForProfile(/* unifiedChallenge= */ false);
mTrustManager.setDeviceLockedForUser(PROFILE_USER_ID, false);
- verify(mKeystoreAuthorization).onDeviceUnlocked(PROFILE_USER_ID, null);
+ verify(mKeyStoreAuthorization).onDeviceUnlocked(PROFILE_USER_ID, null);
mTrustManager.setDeviceLockedForUser(PROFILE_USER_ID, true);
- verify(mKeystoreAuthorization)
+ verify(mKeyStoreAuthorization)
.onDeviceLocked(eq(PROFILE_USER_ID), eq(PROFILE_BIOMETRIC_SIDS), eq(false));
}
@@ -572,11 +588,11 @@
private void verifyWeakUnlockValue(boolean expectedWeakUnlockEnabled) throws Exception {
when(mWindowManager.isKeyguardLocked()).thenReturn(false);
mTrustManager.reportKeyguardShowingChanged();
- verify(mKeystoreAuthorization).onDeviceUnlocked(TEST_USER_ID, null);
+ verify(mKeyStoreAuthorization).onDeviceUnlocked(TEST_USER_ID, null);
when(mWindowManager.isKeyguardLocked()).thenReturn(true);
mTrustManager.reportKeyguardShowingChanged();
- verify(mKeystoreAuthorization).onDeviceLocked(eq(TEST_USER_ID), any(),
+ verify(mKeyStoreAuthorization).onDeviceLocked(eq(TEST_USER_ID), any(),
eq(expectedWeakUnlockEnabled));
}
diff --git a/services/tests/servicestests/src/com/android/server/biometrics/AuthSessionTest.java b/services/tests/servicestests/src/com/android/server/biometrics/AuthSessionTest.java
index 74eb79d..34092b6 100644
--- a/services/tests/servicestests/src/com/android/server/biometrics/AuthSessionTest.java
+++ b/services/tests/servicestests/src/com/android/server/biometrics/AuthSessionTest.java
@@ -68,7 +68,7 @@
import android.os.IBinder;
import android.os.RemoteException;
import android.platform.test.annotations.Presubmit;
-import android.security.KeyStore;
+import android.security.KeyStoreAuthorization;
import androidx.test.filters.SmallTest;
@@ -105,7 +105,7 @@
@Mock private IBiometricServiceReceiver mClientReceiver;
@Mock private IStatusBarService mStatusBarService;
@Mock private IBiometricSysuiReceiver mSysuiReceiver;
- @Mock private KeyStore mKeyStore;
+ @Mock private KeyStoreAuthorization mKeyStoreAuthorization;
@Mock private AuthSession.ClientDeathReceiver mClientDeathReceiver;
@Mock private BiometricFrameworkStatsLogger mBiometricFrameworkStatsLogger;
@Mock private BiometricCameraManager mBiometricCameraManager;
@@ -665,9 +665,10 @@
final PreAuthInfo preAuthInfo = createPreAuthInfo(sensors, userId, promptInfo,
checkDevicePolicyManager);
return new AuthSession(mContext, mBiometricContext, mStatusBarService, mSysuiReceiver,
- mKeyStore, mRandom, mClientDeathReceiver, preAuthInfo, mToken, requestId,
- operationId, userId, mSensorReceiver, mClientReceiver, TEST_PACKAGE, promptInfo,
- false /* debugEnabled */, mFingerprintSensorProps, mBiometricFrameworkStatsLogger);
+ mKeyStoreAuthorization, mRandom, mClientDeathReceiver, preAuthInfo, mToken,
+ requestId, operationId, userId, mSensorReceiver, mClientReceiver, TEST_PACKAGE,
+ promptInfo, false /* debugEnabled */, mFingerprintSensorProps,
+ mBiometricFrameworkStatsLogger);
}
private PromptInfo createPromptInfo(@Authenticators.Types int authenticators) {
diff --git a/services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java b/services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java
index 408442b..3eaf9af 100644
--- a/services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java
+++ b/services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java
@@ -80,8 +80,7 @@
import android.platform.test.annotations.Presubmit;
import android.platform.test.flag.junit.SetFlagsRule;
import android.security.GateKeeper;
-import android.security.KeyStore;
-import android.security.authorization.IKeystoreAuthorization;
+import android.security.KeyStoreAuthorization;
import android.service.gatekeeper.IGateKeeperService;
import android.view.Display;
import android.view.DisplayInfo;
@@ -173,7 +172,7 @@
private BiometricCameraManager mBiometricCameraManager;
@Mock
- private IKeystoreAuthorization mKeystoreAuthService;
+ private KeyStoreAuthorization mKeyStoreAuthorization;
@Mock
private IGateKeeperService mGateKeeperService;
@@ -195,7 +194,7 @@
when(mInjector.getStatusBarService()).thenReturn(mock(IStatusBarService.class));
when(mInjector.getSettingObserver(any(), any(), any()))
.thenReturn(mock(BiometricService.SettingObserver.class));
- when(mInjector.getKeyStore()).thenReturn(mock(KeyStore.class));
+ when(mInjector.getKeyStoreAuthorization()).thenReturn(mock(KeyStoreAuthorization.class));
when(mInjector.isDebugEnabled(any(), anyInt())).thenReturn(false);
when(mInjector.getBiometricStrengthController(any()))
.thenReturn(mock(BiometricStrengthController.class));
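Review bot: `getKeyStoreAuthorization()` is stubbed here with an anonymous `mock(KeyStoreAuthorization.class)` and again further down with the `mKeyStoreAuthorization` field, and the `verify(mKeyStoreAuthorization)` assertions later in the file only hold if the second stub is the one in force when the service is constructed. If both stubs sit in the same setup method (not certain from these hunks), drop this one or return the field here too, so the test has a single mock: `when(mInjector.getKeyStoreAuthorization()).thenReturn(mKeyStoreAuthorization);`.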
@@ -231,7 +230,7 @@
mStatusBarService, null /* handler */,
mAuthSessionCoordinator);
when(mInjector.getBiometricContext(any())).thenReturn(mBiometricContextProvider);
- when(mInjector.getKeystoreAuthorizationService()).thenReturn(mKeystoreAuthService);
+ when(mInjector.getKeyStoreAuthorization()).thenReturn(mKeyStoreAuthorization);
when(mInjector.getGateKeeperService()).thenReturn(mGateKeeperService);
when(mGateKeeperService.getSecureUserId(anyInt())).thenReturn(42L);
@@ -661,9 +660,9 @@
waitForIdle();
// HAT sent to keystore
if (isStrongBiometric) {
- verify(mBiometricService.mKeyStore).addAuthToken(AdditionalMatchers.aryEq(HAT));
+ verify(mKeyStoreAuthorization).addAuthToken(AdditionalMatchers.aryEq(HAT));
} else {
- verify(mBiometricService.mKeyStore, never()).addAuthToken(any(byte[].class));
+ verify(mKeyStoreAuthorization, never()).addAuthToken(any(byte[].class));
}
// Send onAuthenticated to client
verify(mReceiver1).onAuthenticationSucceeded(
@@ -726,7 +725,7 @@
waitForIdle();
// Waiting for SystemUI to send confirmation callback
assertEquals(STATE_AUTH_PENDING_CONFIRM, mBiometricService.mAuthSession.getState());
- verify(mBiometricService.mKeyStore, never()).addAuthToken(any(byte[].class));
+ verify(mKeyStoreAuthorization, never()).addAuthToken(any(byte[].class));
// SystemUI sends confirm, HAT is sent to keystore and client is notified.
mBiometricService.mAuthSession.mSysuiReceiver.onDialogDismissed(
@@ -734,9 +733,9 @@
null /* credentialAttestation */);
waitForIdle();
if (isStrongBiometric) {
- verify(mBiometricService.mKeyStore).addAuthToken(AdditionalMatchers.aryEq(HAT));
+ verify(mKeyStoreAuthorization).addAuthToken(AdditionalMatchers.aryEq(HAT));
} else {
- verify(mBiometricService.mKeyStore, never()).addAuthToken(any(byte[].class));
+ verify(mKeyStoreAuthorization, never()).addAuthToken(any(byte[].class));
}
verify(mReceiver1).onAuthenticationSucceeded(
BiometricPrompt.AUTHENTICATION_RESULT_TYPE_BIOMETRIC);
@@ -1292,7 +1291,7 @@
eq(TYPE_FACE),
eq(BiometricConstants.BIOMETRIC_ERROR_USER_CANCELED),
eq(0 /* vendorCode */));
- verify(mBiometricService.mKeyStore, never()).addAuthToken(any(byte[].class));
+ verify(mKeyStoreAuthorization, never()).addAuthToken(any(byte[].class));
assertNull(mBiometricService.mAuthSession);
}
@@ -1796,7 +1795,7 @@
final long expectedResult = 31337L;
- when(mKeystoreAuthService.getLastAuthTime(eq(secureUserId), eq(hardwareAuthenticators)))
+ when(mKeyStoreAuthorization.getLastAuthTime(eq(secureUserId), eq(hardwareAuthenticators)))
.thenReturn(expectedResult);
mBiometricService = new BiometricService(mContext, mInjector);
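Review bot: With `mKeyStoreAuthorization` mocked at the wrapper level, this test no longer exercises the error mapping that moved into `KeyStoreAuthorization.getLastAuthTime` (remote and service errors to `BIOMETRIC_NO_AUTHENTICATION`, `PERMISSION_DENIED` to `UnsupportedOperationException`). No test in this diff covers that mapping. A companion case that stubs `getLastAuthTime` with `thenThrow(new UnsupportedOperationException())` would at least pin how BiometricService propagates it to its caller. The test method starts outside the hunk.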
@@ -1805,7 +1804,8 @@
Authenticators.BIOMETRIC_STRONG | Authenticators.DEVICE_CREDENTIAL);
assertEquals(expectedResult, result);
- verify(mKeystoreAuthService).getLastAuthTime(eq(secureUserId), eq(hardwareAuthenticators));
+ verify(mKeyStoreAuthorization).getLastAuthTime(eq(secureUserId),
+ eq(hardwareAuthenticators));
}
// Helper methods