Merge "Update OWNERS file."
diff --git a/core/api/current.txt b/core/api/current.txt
index 2ba2f5b..b78e293 100644
--- a/core/api/current.txt
+++ b/core/api/current.txt
@@ -27285,6 +27285,7 @@
public final class VcnConfig implements android.os.Parcelable {
method public int describeContents();
method @NonNull public java.util.Set<android.net.vcn.VcnGatewayConnectionConfig> getGatewayConnectionConfigs();
+ method @NonNull public java.util.Set<java.lang.Integer> getRestrictedUnderlyingNetworkTransports();
method public void writeToParcel(@NonNull android.os.Parcel, int);
field @NonNull public static final android.os.Parcelable.Creator<android.net.vcn.VcnConfig> CREATOR;
}
@@ -27293,6 +27294,7 @@
ctor public VcnConfig.Builder(@NonNull android.content.Context);
method @NonNull public android.net.vcn.VcnConfig.Builder addGatewayConnectionConfig(@NonNull android.net.vcn.VcnGatewayConnectionConfig);
method @NonNull public android.net.vcn.VcnConfig build();
+ method @NonNull public android.net.vcn.VcnConfig.Builder setRestrictedUnderlyingNetworkTransports(@NonNull java.util.Set<java.lang.Integer>);
}
public final class VcnGatewayConnectionConfig {
@@ -37652,6 +37654,11 @@
ctor public AlreadyPersonalizedException(@NonNull String, @NonNull Throwable);
}
+ public class AuthenticationKeyMetadata {
+ method @NonNull public java.time.Instant getExpirationDate();
+ method @IntRange(from=0) public int getUsageCount();
+ }
+
public class CipherSuiteNotSupportedException extends android.security.identity.IdentityCredentialException {
ctor public CipherSuiteNotSupportedException(@NonNull String);
ctor public CipherSuiteNotSupportedException(@NonNull String, @NonNull Throwable);
@@ -37682,6 +37689,7 @@
public abstract class CredentialDataResult {
method @Nullable public abstract byte[] getDeviceMac();
method @NonNull public abstract byte[] getDeviceNameSpaces();
+ method @Nullable public byte[] getDeviceSignature();
method @NonNull public abstract android.security.identity.CredentialDataResult.Entries getDeviceSignedEntries();
method @NonNull public abstract android.security.identity.CredentialDataResult.Entries getIssuerSignedEntries();
method @NonNull public abstract byte[] getStaticAuthenticationData();
@@ -37718,13 +37726,15 @@
method @NonNull public byte[] delete(@NonNull byte[]);
method @Deprecated @NonNull public abstract byte[] encryptMessageToReader(@NonNull byte[]);
method @NonNull public abstract java.util.Collection<java.security.cert.X509Certificate> getAuthKeysNeedingCertification();
- method @NonNull public abstract int[] getAuthenticationDataUsageCount();
+ method @Deprecated @NonNull public abstract int[] getAuthenticationDataUsageCount();
+ method @NonNull public java.util.List<android.security.identity.AuthenticationKeyMetadata> getAuthenticationKeyMetadata();
method @NonNull public abstract java.util.Collection<java.security.cert.X509Certificate> getCredentialKeyCertificateChain();
method @Deprecated @NonNull public abstract android.security.identity.ResultData getEntries(@Nullable byte[], @NonNull java.util.Map<java.lang.String,java.util.Collection<java.lang.String>>, @Nullable byte[], @Nullable byte[]) throws android.security.identity.EphemeralPublicKeyNotFoundException, android.security.identity.InvalidReaderSignatureException, android.security.identity.InvalidRequestMessageException, android.security.identity.NoAuthenticationKeyAvailableException, android.security.identity.SessionTranscriptMismatchException;
method @NonNull public byte[] proveOwnership(@NonNull byte[]);
method @Deprecated public abstract void setAllowUsingExhaustedKeys(boolean);
method @Deprecated public void setAllowUsingExpiredKeys(boolean);
- method public abstract void setAvailableAuthenticationKeys(int, int);
+ method @Deprecated public abstract void setAvailableAuthenticationKeys(int, int);
+ method public void setAvailableAuthenticationKeys(@IntRange(from=0) int, @IntRange(from=1) int, @IntRange(from=0) long);
method @Deprecated public abstract void setReaderEphemeralPublicKey(@NonNull java.security.PublicKey) throws java.security.InvalidKeyException;
method @Deprecated public abstract void storeStaticAuthenticationData(@NonNull java.security.cert.X509Certificate, @NonNull byte[]) throws android.security.identity.UnknownAuthenticationKeyException;
method public void storeStaticAuthenticationData(@NonNull java.security.cert.X509Certificate, @NonNull java.time.Instant, @NonNull byte[]) throws android.security.identity.UnknownAuthenticationKeyException;
diff --git a/core/java/android/hardware/display/AmbientBrightnessDayStats.java b/core/java/android/hardware/display/AmbientBrightnessDayStats.java
index 8aff911..2816706 100644
--- a/core/java/android/hardware/display/AmbientBrightnessDayStats.java
+++ b/core/java/android/hardware/display/AmbientBrightnessDayStats.java
@@ -208,7 +208,7 @@
}
private int getBucketIndex(float ambientBrightness) {
- if (ambientBrightness < mBucketBoundaries[0]) {
+ if (ambientBrightness < mBucketBoundaries[0] || Float.isNaN(ambientBrightness)) {
return -1;
}
int low = 0;
diff --git a/core/java/android/net/vcn/VcnConfig.java b/core/java/android/net/vcn/VcnConfig.java
index fd3fe37..dcf0026 100644
--- a/core/java/android/net/vcn/VcnConfig.java
+++ b/core/java/android/net/vcn/VcnConfig.java
@@ -15,16 +15,23 @@
*/
package android.net.vcn;
+import static android.net.NetworkCapabilities.TRANSPORT_CELLULAR;
+import static android.net.NetworkCapabilities.TRANSPORT_WIFI;
+
import static com.android.internal.annotations.VisibleForTesting.Visibility;
+import static com.android.server.vcn.util.PersistableBundleUtils.INTEGER_DESERIALIZER;
+import static com.android.server.vcn.util.PersistableBundleUtils.INTEGER_SERIALIZER;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.content.Context;
+import android.net.NetworkCapabilities;
import android.net.NetworkRequest;
import android.os.Parcel;
import android.os.Parcelable;
import android.os.PersistableBundle;
import android.util.ArraySet;
+import android.util.Log;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.util.Preconditions;
@@ -32,6 +39,7 @@
import java.util.ArrayList;
import java.util.Collections;
+import java.util.Iterator;
import java.util.Objects;
import java.util.Set;
@@ -46,22 +54,36 @@
public final class VcnConfig implements Parcelable {
@NonNull private static final String TAG = VcnConfig.class.getSimpleName();
+ private static final Set<Integer> ALLOWED_TRANSPORTS = new ArraySet<>();
+
+ static {
+ ALLOWED_TRANSPORTS.add(TRANSPORT_WIFI);
+ ALLOWED_TRANSPORTS.add(TRANSPORT_CELLULAR);
+ }
+
private static final String PACKAGE_NAME_KEY = "mPackageName";
@NonNull private final String mPackageName;
private static final String GATEWAY_CONNECTION_CONFIGS_KEY = "mGatewayConnectionConfigs";
@NonNull private final Set<VcnGatewayConnectionConfig> mGatewayConnectionConfigs;
+ private static final Set<Integer> RESTRICTED_TRANSPORTS_DEFAULT =
+ Collections.singleton(TRANSPORT_WIFI);
+ private static final String RESTRICTED_TRANSPORTS_KEY = "mRestrictedTransports";
+ @NonNull private final Set<Integer> mRestrictedTransports;
+
private static final String IS_TEST_MODE_PROFILE_KEY = "mIsTestModeProfile";
private final boolean mIsTestModeProfile;
private VcnConfig(
@NonNull String packageName,
@NonNull Set<VcnGatewayConnectionConfig> gatewayConnectionConfigs,
+ @NonNull Set<Integer> restrictedTransports,
boolean isTestModeProfile) {
mPackageName = packageName;
mGatewayConnectionConfigs =
Collections.unmodifiableSet(new ArraySet<>(gatewayConnectionConfigs));
+ mRestrictedTransports = Collections.unmodifiableSet(new ArraySet<>(restrictedTransports));
mIsTestModeProfile = isTestModeProfile;
validate();
@@ -82,6 +104,20 @@
new ArraySet<>(
PersistableBundleUtils.toList(
gatewayConnectionConfigsBundle, VcnGatewayConnectionConfig::new));
+
+ final PersistableBundle restrictedTransportsBundle =
+ in.getPersistableBundle(RESTRICTED_TRANSPORTS_KEY);
+ if (restrictedTransportsBundle == null) {
+ // RESTRICTED_TRANSPORTS_KEY was added in U and does not exist in VcnConfigs created in
+ // older platforms
+ mRestrictedTransports = RESTRICTED_TRANSPORTS_DEFAULT;
+ } else {
+ mRestrictedTransports =
+ new ArraySet<Integer>(
+ PersistableBundleUtils.toList(
+ restrictedTransportsBundle, INTEGER_DESERIALIZER));
+ }
+
mIsTestModeProfile = in.getBoolean(IS_TEST_MODE_PROFILE_KEY);
validate();
@@ -91,6 +127,19 @@
Objects.requireNonNull(mPackageName, "packageName was null");
Preconditions.checkCollectionNotEmpty(
mGatewayConnectionConfigs, "gatewayConnectionConfigs was empty");
+
+ final Iterator<Integer> iterator = mRestrictedTransports.iterator();
+ while (iterator.hasNext()) {
+ final int transport = iterator.next();
+ if (!ALLOWED_TRANSPORTS.contains(transport)) {
+ iterator.remove();
+ Log.w(
+ TAG,
+ "Found invalid transport "
+ + transport
+ + " which might be from a new version of VcnConfig");
+ }
+ }
}
/**
@@ -110,6 +159,16 @@
}
/**
+ * Retrieve the transports that will be restricted by the VCN.
+ *
+ * @see Builder#setRestrictedUnderlyingNetworkTransports(Set)
+ */
+ @NonNull
+ public Set<Integer> getRestrictedUnderlyingNetworkTransports() {
+ return Collections.unmodifiableSet(mRestrictedTransports);
+ }
+
+ /**
* Returns whether or not this VcnConfig is restricted to test networks.
*
* @hide
@@ -134,6 +193,12 @@
new ArrayList<>(mGatewayConnectionConfigs),
VcnGatewayConnectionConfig::toPersistableBundle);
result.putPersistableBundle(GATEWAY_CONNECTION_CONFIGS_KEY, gatewayConnectionConfigsBundle);
+
+ final PersistableBundle restrictedTransportsBundle =
+ PersistableBundleUtils.fromList(
+ new ArrayList<>(mRestrictedTransports), INTEGER_SERIALIZER);
+ result.putPersistableBundle(RESTRICTED_TRANSPORTS_KEY, restrictedTransportsBundle);
+
result.putBoolean(IS_TEST_MODE_PROFILE_KEY, mIsTestModeProfile);
return result;
@@ -141,7 +206,8 @@
@Override
public int hashCode() {
- return Objects.hash(mPackageName, mGatewayConnectionConfigs, mIsTestModeProfile);
+ return Objects.hash(
+ mPackageName, mGatewayConnectionConfigs, mRestrictedTransports, mIsTestModeProfile);
}
@Override
@@ -153,6 +219,7 @@
final VcnConfig rhs = (VcnConfig) other;
return mPackageName.equals(rhs.mPackageName)
&& mGatewayConnectionConfigs.equals(rhs.mGatewayConnectionConfigs)
+ && mRestrictedTransports.equals(rhs.mRestrictedTransports)
&& mIsTestModeProfile == rhs.mIsTestModeProfile;
}
@@ -189,12 +256,15 @@
@NonNull
private final Set<VcnGatewayConnectionConfig> mGatewayConnectionConfigs = new ArraySet<>();
+ @NonNull private final Set<Integer> mRestrictedTransports = new ArraySet<>();
+
private boolean mIsTestModeProfile = false;
public Builder(@NonNull Context context) {
Objects.requireNonNull(context, "context was null");
mPackageName = context.getOpPackageName();
+ mRestrictedTransports.addAll(RESTRICTED_TRANSPORTS_DEFAULT);
}
/**
@@ -225,6 +295,36 @@
return this;
}
+ private void validateRestrictedTransportsOrThrow(Set<Integer> restrictedTransports) {
+ Objects.requireNonNull(restrictedTransports, "transports was null");
+
+ for (int transport : restrictedTransports) {
+ if (!ALLOWED_TRANSPORTS.contains(transport)) {
+ throw new IllegalArgumentException("Invalid transport " + transport);
+ }
+ }
+ }
+
+ /**
+ * Sets transports that will be restricted by the VCN.
+ *
+ * @param transports transports that will be restricted by VCN. Networks that include any
+ * of the transports will be marked as restricted. Only {@link
+ * NetworkCapabilities#TRANSPORT_WIFI} and {@link
+ * NetworkCapabilities#TRANSPORT_CELLULAR} are allowed. {@link
+ * NetworkCapabilities#TRANSPORT_WIFI} is marked restricted by default.
+ * @return this {@link Builder} instance, for chaining
+ * @throws IllegalArgumentException if the input contains unsupported transport types.
+ */
+ @NonNull
+ public Builder setRestrictedUnderlyingNetworkTransports(@NonNull Set<Integer> transports) {
+ validateRestrictedTransportsOrThrow(transports);
+
+ mRestrictedTransports.clear();
+ mRestrictedTransports.addAll(transports);
+ return this;
+ }
+
/**
* Restricts this VcnConfig to matching with test networks (only).
*
@@ -248,7 +348,11 @@
*/
@NonNull
public VcnConfig build() {
- return new VcnConfig(mPackageName, mGatewayConnectionConfigs, mIsTestModeProfile);
+ return new VcnConfig(
+ mPackageName,
+ mGatewayConnectionConfigs,
+ mRestrictedTransports,
+ mIsTestModeProfile);
}
}
}
diff --git a/core/java/android/nfc/NfcAdapter.java b/core/java/android/nfc/NfcAdapter.java
index f545c30..0c7f529 100644
--- a/core/java/android/nfc/NfcAdapter.java
+++ b/core/java/android/nfc/NfcAdapter.java
@@ -30,6 +30,7 @@
import android.compat.annotation.UnsupportedAppUsage;
import android.content.Context;
import android.content.IntentFilter;
+import android.content.pm.IPackageManager;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.nfc.tech.MifareClassic;
@@ -525,6 +526,66 @@
}
/**
+ * Helper to check if this device has FEATURE_NFC_BEAM, but without using
+ * a context.
+ * Equivalent to
+ * context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_NFC_BEAM)
+ */
+ private static boolean hasBeamFeature() {
+ IPackageManager pm = ActivityThread.getPackageManager();
+ if (pm == null) {
+ Log.e(TAG, "Cannot get package manager, assuming no Android Beam feature");
+ return false;
+ }
+ try {
+ return pm.hasSystemFeature(PackageManager.FEATURE_NFC_BEAM, 0);
+ } catch (RemoteException e) {
+ Log.e(TAG, "Package manager query failed, assuming no Android Beam feature", e);
+ return false;
+ }
+ }
+
+ /**
+ * Helper to check if this device has FEATURE_NFC, but without using
+ * a context.
+ * Equivalent to
+ * context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_NFC)
+ */
+ private static boolean hasNfcFeature() {
+ IPackageManager pm = ActivityThread.getPackageManager();
+ if (pm == null) {
+ Log.e(TAG, "Cannot get package manager, assuming no NFC feature");
+ return false;
+ }
+ try {
+ return pm.hasSystemFeature(PackageManager.FEATURE_NFC, 0);
+ } catch (RemoteException e) {
+ Log.e(TAG, "Package manager query failed, assuming no NFC feature", e);
+ return false;
+ }
+ }
+
+ /**
+ * Helper to check if this device is NFC HCE capable, by checking for
+ * FEATURE_NFC_HOST_CARD_EMULATION and/or FEATURE_NFC_HOST_CARD_EMULATION_NFCF,
+ * but without using a context.
+ */
+ private static boolean hasNfcHceFeature() {
+ IPackageManager pm = ActivityThread.getPackageManager();
+ if (pm == null) {
+ Log.e(TAG, "Cannot get package manager, assuming no NFC feature");
+ return false;
+ }
+ try {
+ return pm.hasSystemFeature(PackageManager.FEATURE_NFC_HOST_CARD_EMULATION, 0)
+ || pm.hasSystemFeature(PackageManager.FEATURE_NFC_HOST_CARD_EMULATION_NFCF, 0);
+ } catch (RemoteException e) {
+ Log.e(TAG, "Package manager query failed, assuming no NFC feature", e);
+ return false;
+ }
+ }
+
+ /**
* Return list of Secure Elements which support off host card emulation.
*
* @return List<String> containing secure elements on the device which supports
@@ -533,21 +594,23 @@
* @hide
*/
public @NonNull List<String> getSupportedOffHostSecureElements() {
- if (mContext == null) {
- throw new UnsupportedOperationException("You need a context on NfcAdapter to use the "
- + " getSupportedOffHostSecureElements APIs");
- }
List<String> offHostSE = new ArrayList<String>();
- PackageManager pm = mContext.getPackageManager();
+ IPackageManager pm = ActivityThread.getPackageManager();
if (pm == null) {
Log.e(TAG, "Cannot get package manager, assuming no off-host CE feature");
return offHostSE;
}
- if (pm.hasSystemFeature(PackageManager.FEATURE_NFC_OFF_HOST_CARD_EMULATION_UICC)) {
- offHostSE.add("SIM");
- }
- if (pm.hasSystemFeature(PackageManager.FEATURE_NFC_OFF_HOST_CARD_EMULATION_ESE)) {
- offHostSE.add("eSE");
+ try {
+ if (pm.hasSystemFeature(PackageManager.FEATURE_NFC_OFF_HOST_CARD_EMULATION_UICC, 0)) {
+ offHostSE.add("SIM");
+ }
+ if (pm.hasSystemFeature(PackageManager.FEATURE_NFC_OFF_HOST_CARD_EMULATION_ESE, 0)) {
+ offHostSE.add("eSE");
+ }
+ } catch (RemoteException e) {
+ Log.e(TAG, "Package manager query failed, assuming no off-host CE feature", e);
+ offHostSE.clear();
+ return offHostSE;
}
return offHostSE;
}
@@ -559,19 +622,10 @@
*/
@UnsupportedAppUsage
public static synchronized NfcAdapter getNfcAdapter(Context context) {
- if (context == null) {
- if (sNullContextNfcAdapter == null) {
- sNullContextNfcAdapter = new NfcAdapter(null);
- }
- return sNullContextNfcAdapter;
- }
if (!sIsInitialized) {
- PackageManager pm = context.getPackageManager();
- sHasNfcFeature = pm.hasSystemFeature(PackageManager.FEATURE_NFC);
- sHasBeamFeature = pm.hasSystemFeature(PackageManager.FEATURE_NFC_BEAM);
- boolean hasHceFeature =
- pm.hasSystemFeature(PackageManager.FEATURE_NFC_HOST_CARD_EMULATION)
- || pm.hasSystemFeature(PackageManager.FEATURE_NFC_HOST_CARD_EMULATION_NFCF);
+ sHasNfcFeature = hasNfcFeature();
+ sHasBeamFeature = hasBeamFeature();
+ boolean hasHceFeature = hasNfcHceFeature();
/* is this device meant to have NFC */
if (!sHasNfcFeature && !hasHceFeature) {
Log.v(TAG, "this device does not have NFC support");
@@ -607,6 +661,12 @@
sIsInitialized = true;
}
+ if (context == null) {
+ if (sNullContextNfcAdapter == null) {
+ sNullContextNfcAdapter = new NfcAdapter(null);
+ }
+ return sNullContextNfcAdapter;
+ }
NfcAdapter adapter = sNfcAdapters.get(context);
if (adapter == null) {
adapter = new NfcAdapter(context);
@@ -617,12 +677,8 @@
/** get handle to NFC service interface */
private static INfcAdapter getServiceInterface() {
- if (!sHasNfcFeature) {
- /* NFC is not supported */
- return null;
- }
/* get a handle to NFC service */
- IBinder b = ServiceManager.waitForService("nfc");
+ IBinder b = ServiceManager.getService("nfc");
if (b == null) {
return null;
}
@@ -652,15 +708,6 @@
"context not associated with any application (using a mock context?)");
}
- synchronized (NfcAdapter.class) {
- if (!sIsInitialized) {
- PackageManager pm = context.getPackageManager();
- sHasNfcFeature = pm.hasSystemFeature(PackageManager.FEATURE_NFC);
- }
- if (!sHasNfcFeature) {
- return null;
- }
- }
if (getServiceInterface() == null) {
// NFC is not available
return null;
diff --git a/core/java/android/nfc/cardemulation/CardEmulation.java b/core/java/android/nfc/cardemulation/CardEmulation.java
index 6a42091..0b56d19 100644
--- a/core/java/android/nfc/cardemulation/CardEmulation.java
+++ b/core/java/android/nfc/cardemulation/CardEmulation.java
@@ -22,9 +22,11 @@
import android.annotation.SdkConstant;
import android.annotation.SdkConstant.SdkConstantType;
import android.app.Activity;
+import android.app.ActivityThread;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
+import android.content.pm.IPackageManager;
import android.content.pm.PackageManager;
import android.nfc.INfcCardEmulation;
import android.nfc.NfcAdapter;
@@ -156,13 +158,18 @@
throw new UnsupportedOperationException();
}
if (!sIsInitialized) {
- PackageManager pm = context.getPackageManager();
+ IPackageManager pm = ActivityThread.getPackageManager();
if (pm == null) {
Log.e(TAG, "Cannot get PackageManager");
throw new UnsupportedOperationException();
}
- if (!pm.hasSystemFeature(PackageManager.FEATURE_NFC_HOST_CARD_EMULATION)) {
- Log.e(TAG, "This device does not support card emulation");
+ try {
+ if (!pm.hasSystemFeature(PackageManager.FEATURE_NFC_HOST_CARD_EMULATION, 0)) {
+ Log.e(TAG, "This device does not support card emulation");
+ throw new UnsupportedOperationException();
+ }
+ } catch (RemoteException e) {
+ Log.e(TAG, "PackageManager query failed.");
throw new UnsupportedOperationException();
}
sIsInitialized = true;
diff --git a/core/java/android/nfc/cardemulation/NfcFCardEmulation.java b/core/java/android/nfc/cardemulation/NfcFCardEmulation.java
index 48bbf5b6..3c92455 100644
--- a/core/java/android/nfc/cardemulation/NfcFCardEmulation.java
+++ b/core/java/android/nfc/cardemulation/NfcFCardEmulation.java
@@ -17,8 +17,10 @@
package android.nfc.cardemulation;
import android.app.Activity;
+import android.app.ActivityThread;
import android.content.ComponentName;
import android.content.Context;
+import android.content.pm.IPackageManager;
import android.content.pm.PackageManager;
import android.nfc.INfcFCardEmulation;
import android.nfc.NfcAdapter;
@@ -68,13 +70,18 @@
throw new UnsupportedOperationException();
}
if (!sIsInitialized) {
- PackageManager pm = context.getPackageManager();
+ IPackageManager pm = ActivityThread.getPackageManager();
if (pm == null) {
Log.e(TAG, "Cannot get PackageManager");
throw new UnsupportedOperationException();
}
- if (!pm.hasSystemFeature(PackageManager.FEATURE_NFC_HOST_CARD_EMULATION_NFCF)) {
- Log.e(TAG, "This device does not support NFC-F card emulation");
+ try {
+ if (!pm.hasSystemFeature(PackageManager.FEATURE_NFC_HOST_CARD_EMULATION_NFCF, 0)) {
+ Log.e(TAG, "This device does not support NFC-F card emulation");
+ throw new UnsupportedOperationException();
+ }
+ } catch (RemoteException e) {
+ Log.e(TAG, "PackageManager query failed.");
throw new UnsupportedOperationException();
}
sIsInitialized = true;
diff --git a/core/tests/coretests/src/android/companion/virtual/OWNERS b/core/tests/coretests/src/android/companion/virtual/OWNERS
new file mode 100644
index 0000000..1a3e927
--- /dev/null
+++ b/core/tests/coretests/src/android/companion/virtual/OWNERS
@@ -0,0 +1,3 @@
+set noparent
+
+include /services/companion/java/com/android/server/companion/virtual/OWNERS
\ No newline at end of file
diff --git a/identity/java/android/security/identity/AuthenticationKeyMetadata.java b/identity/java/android/security/identity/AuthenticationKeyMetadata.java
new file mode 100644
index 0000000..d4c28f8
--- /dev/null
+++ b/identity/java/android/security/identity/AuthenticationKeyMetadata.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.identity;
+
+import android.annotation.IntRange;
+import android.annotation.NonNull;
+
+import java.time.Instant;
+
+/**
+ * Data about authentication keys.
+ */
+public class AuthenticationKeyMetadata {
+ private int mUsageCount;
+ private Instant mExpirationDate;
+
+ AuthenticationKeyMetadata(int usageCount, Instant expirationDate) {
+ mUsageCount = usageCount;
+ mExpirationDate = expirationDate;
+ }
+
+ /**
+ * Gets usage count for the authentication key.
+ *
+ * @return the usage count
+ */
+ public @IntRange(from = 0) int getUsageCount() {
+ return mUsageCount;
+ }
+
+ /**
+ * Gets expiration date for the authentication key.
+ *
+ * @return the expiration date of the authentication key.
+ */
+ public @NonNull Instant getExpirationDate() {
+ return mExpirationDate;
+ }
+}
diff --git a/identity/java/android/security/identity/CredentialDataResult.java b/identity/java/android/security/identity/CredentialDataResult.java
index beb03af..dca039a 100644
--- a/identity/java/android/security/identity/CredentialDataResult.java
+++ b/identity/java/android/security/identity/CredentialDataResult.java
@@ -106,6 +106,30 @@
public abstract @Nullable byte[] getDeviceMac();
/**
+ * Returns a signature over the {@code DeviceAuthenticationBytes} CBOR
+ * specified in {@link #getDeviceNameSpaces()}, to prove to the reader that the data
+ * is from a trusted credential.
+ *
+ * <p>The signature is made using the authentication private key. See section 9.1.3.4 of
+ * ISO/IEC 18013-5:2021 for details of this operation.
+ *
+ * <p>If the session transcript or reader ephemeral key wasn't set on the {@link
+ * PresentationSession} used to obtain this data no signature will be produced and this method
+ * will return {@code null}.
+ *
+ * <p>This is only implemented in feature version 202301 or later. If not implemented, the call
+ * fails with {@link UnsupportedOperationException}. See
+ * {@link android.content.pm.PackageManager#FEATURE_IDENTITY_CREDENTIAL_HARDWARE} for known
+ * feature versions.
+ *
+ * @return A COSE_Sign1 structure as described above or {@code null} if the conditions
+ * specified above are not met.
+ */
+ public @Nullable byte[] getDeviceSignature() {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
* Returns the static authentication data associated with the dynamic authentication
* key used to MAC the data returned by {@link #getDeviceNameSpaces()}.
*
diff --git a/identity/java/android/security/identity/CredstoreCredentialDataResult.java b/identity/java/android/security/identity/CredstoreCredentialDataResult.java
index 7afe3d4..b4fd5d3 100644
--- a/identity/java/android/security/identity/CredstoreCredentialDataResult.java
+++ b/identity/java/android/security/identity/CredstoreCredentialDataResult.java
@@ -47,6 +47,11 @@
}
@Override
+ public @Nullable byte[] getDeviceSignature() {
+ return mDeviceSignedResult.getSignature();
+ }
+
+ @Override
public @NonNull byte[] getStaticAuthenticationData() {
return mDeviceSignedResult.getStaticAuthenticationData();
}
diff --git a/identity/java/android/security/identity/CredstoreIdentityCredential.java b/identity/java/android/security/identity/CredstoreIdentityCredential.java
index 8e01105..449c7a7 100644
--- a/identity/java/android/security/identity/CredstoreIdentityCredential.java
+++ b/identity/java/android/security/identity/CredstoreIdentityCredential.java
@@ -38,8 +38,9 @@
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
+import java.util.ArrayList;
import java.util.Collection;
-import java.util.LinkedList;
+import java.util.List;
import java.util.Map;
import javax.crypto.BadPaddingException;
@@ -59,16 +60,19 @@
private Context mContext;
private ICredential mBinder;
private CredstorePresentationSession mSession;
+ private int mFeatureVersion;
CredstoreIdentityCredential(Context context, String credentialName,
@IdentityCredentialStore.Ciphersuite int cipherSuite,
ICredential binder,
- @Nullable CredstorePresentationSession session) {
+ @Nullable CredstorePresentationSession session,
+ int featureVersion) {
mContext = context;
mCredentialName = credentialName;
mCipherSuite = cipherSuite;
mBinder = binder;
mSession = session;
+ mFeatureVersion = featureVersion;
}
private KeyPair mEphemeralKeyPair = null;
@@ -227,7 +231,7 @@
throw new RuntimeException("Error decoding certificates", e);
}
- LinkedList<X509Certificate> x509Certs = new LinkedList<>();
+ ArrayList<X509Certificate> x509Certs = new ArrayList<>();
for (Certificate cert : certs) {
x509Certs.add((X509Certificate) cert);
}
@@ -346,12 +350,18 @@
}
}
+ byte[] signature = resultParcel.signature;
+ if (signature != null && signature.length == 0) {
+ signature = null;
+ }
+
byte[] mac = resultParcel.mac;
if (mac != null && mac.length == 0) {
mac = null;
}
CredstoreResultData.Builder resultDataBuilder = new CredstoreResultData.Builder(
- resultParcel.staticAuthenticationData, resultParcel.deviceNameSpaces, mac);
+ mFeatureVersion, resultParcel.staticAuthenticationData,
+ resultParcel.deviceNameSpaces, mac, signature);
for (ResultNamespaceParcel resultNamespaceParcel : resultParcel.resultNamespaces) {
for (ResultEntryParcel resultEntryParcel : resultNamespaceParcel.entries) {
@@ -370,8 +380,14 @@
@Override
public void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey) {
+ setAvailableAuthenticationKeys(keyCount, maxUsesPerKey, 0);
+ }
+
+ @Override
+ public void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey,
+ long minValidTimeMillis) {
try {
- mBinder.setAvailableAuthenticationKeys(keyCount, maxUsesPerKey);
+ mBinder.setAvailableAuthenticationKeys(keyCount, maxUsesPerKey, minValidTimeMillis);
} catch (android.os.RemoteException e) {
throw new RuntimeException("Unexpected RemoteException ", e);
} catch (android.os.ServiceSpecificException e) {
@@ -384,7 +400,7 @@
public @NonNull Collection<X509Certificate> getAuthKeysNeedingCertification() {
try {
AuthKeyParcel[] authKeyParcels = mBinder.getAuthKeysNeedingCertification();
- LinkedList<X509Certificate> x509Certs = new LinkedList<>();
+ ArrayList<X509Certificate> x509Certs = new ArrayList<>();
CertificateFactory factory = CertificateFactory.getInstance("X.509");
for (AuthKeyParcel authKeyParcel : authKeyParcels) {
Collection<? extends Certificate> certs = null;
@@ -471,6 +487,34 @@
}
@Override
+ public @NonNull List<AuthenticationKeyMetadata> getAuthenticationKeyMetadata() {
+ try {
+ int[] usageCount = mBinder.getAuthenticationDataUsageCount();
+ long[] expirationsMillis = mBinder.getAuthenticationDataExpirations();
+ if (usageCount.length != expirationsMillis.length) {
+ throw new IllegalStateException("Size og usageCount and expirationMillis differ");
+ }
+ List<AuthenticationKeyMetadata> mds = new ArrayList<>();
+ for (int n = 0; n < expirationsMillis.length; n++) {
+ AuthenticationKeyMetadata md = null;
+ long expirationMillis = expirationsMillis[n];
+ if (expirationMillis != Long.MAX_VALUE) {
+ md = new AuthenticationKeyMetadata(
+ usageCount[n],
+ Instant.ofEpochMilli(expirationMillis));
+ }
+ mds.add(md);
+ }
+ return mds;
+ } catch (android.os.RemoteException e) {
+ throw new IllegalStateException("Unexpected RemoteException ", e);
+ } catch (android.os.ServiceSpecificException e) {
+ throw new IllegalStateException("Unexpected ServiceSpecificException with code "
+ + e.errorCode, e);
+ }
+ }
+
+ @Override
public @NonNull byte[] proveOwnership(@NonNull byte[] challenge) {
try {
byte[] proofOfOwnership = mBinder.proveOwnership(challenge);
diff --git a/identity/java/android/security/identity/CredstoreIdentityCredentialStore.java b/identity/java/android/security/identity/CredstoreIdentityCredentialStore.java
index bbaf086..d785c3c 100644
--- a/identity/java/android/security/identity/CredstoreIdentityCredentialStore.java
+++ b/identity/java/android/security/identity/CredstoreIdentityCredentialStore.java
@@ -19,6 +19,8 @@
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.content.Context;
+import android.content.pm.FeatureInfo;
+import android.content.pm.PackageManager;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.security.GenerateRkpKey;
@@ -30,10 +32,28 @@
private Context mContext = null;
private ICredentialStore mStore = null;
+ private int mFeatureVersion;
+
+ static int getFeatureVersion(@NonNull Context context) {
+ PackageManager pm = context.getPackageManager();
+ if (pm.hasSystemFeature(PackageManager.FEATURE_IDENTITY_CREDENTIAL_HARDWARE)) {
+ FeatureInfo[] infos = pm.getSystemAvailableFeatures();
+ for (int n = 0; n < infos.length; n++) {
+ FeatureInfo info = infos[n];
+ if (info.name.equals(PackageManager.FEATURE_IDENTITY_CREDENTIAL_HARDWARE)) {
+ return info.version;
+ }
+ }
+ }
+ // Use of the system feature is not required since Android 12. So for Android 11
+ // return 202009 which is the feature version shipped with Android 11.
+ return 202009;
+ }
private CredstoreIdentityCredentialStore(@NonNull Context context, ICredentialStore store) {
mContext = context;
mStore = store;
+ mFeatureVersion = getFeatureVersion(mContext);
}
static CredstoreIdentityCredentialStore getInstanceForType(@NonNull Context context,
@@ -139,8 +159,7 @@
ICredential credstoreCredential;
credstoreCredential = mStore.getCredentialByName(credentialName, cipherSuite);
return new CredstoreIdentityCredential(mContext, credentialName, cipherSuite,
- credstoreCredential,
- null);
+ credstoreCredential, null, mFeatureVersion);
} catch (android.os.RemoteException e) {
throw new RuntimeException("Unexpected RemoteException ", e);
} catch (android.os.ServiceSpecificException e) {
@@ -182,7 +201,8 @@
throws CipherSuiteNotSupportedException {
try {
ISession credstoreSession = mStore.createPresentationSession(cipherSuite);
- return new CredstorePresentationSession(mContext, cipherSuite, this, credstoreSession);
+ return new CredstorePresentationSession(mContext, cipherSuite, this, credstoreSession,
+ mFeatureVersion);
} catch (android.os.RemoteException e) {
throw new RuntimeException("Unexpected RemoteException ", e);
} catch (android.os.ServiceSpecificException e) {
diff --git a/identity/java/android/security/identity/CredstorePresentationSession.java b/identity/java/android/security/identity/CredstorePresentationSession.java
index e3c6689..96bda52 100644
--- a/identity/java/android/security/identity/CredstorePresentationSession.java
+++ b/identity/java/android/security/identity/CredstorePresentationSession.java
@@ -48,15 +48,18 @@
private byte[] mSessionTranscript = null;
private boolean mOperationHandleSet = false;
private long mOperationHandle = 0;
+ private int mFeatureVersion = 0;
CredstorePresentationSession(Context context,
@IdentityCredentialStore.Ciphersuite int cipherSuite,
CredstoreIdentityCredentialStore store,
- ISession binder) {
+ ISession binder,
+ int featureVersion) {
mContext = context;
mCipherSuite = cipherSuite;
mStore = store;
mBinder = binder;
+ mFeatureVersion = featureVersion;
}
private void ensureEphemeralKeyPair() {
@@ -147,7 +150,7 @@
mBinder.getCredentialForPresentation(credentialName);
credential = new CredstoreIdentityCredential(mContext, credentialName,
mCipherSuite, credstoreCredential,
- this);
+ this, mFeatureVersion);
mCredentialCache.put(credentialName, credential);
credential.setAllowUsingExhaustedKeys(request.isAllowUsingExhaustedKeys());
diff --git a/identity/java/android/security/identity/CredstoreResultData.java b/identity/java/android/security/identity/CredstoreResultData.java
index 2ef735e..57c0436 100644
--- a/identity/java/android/security/identity/CredstoreResultData.java
+++ b/identity/java/android/security/identity/CredstoreResultData.java
@@ -30,10 +30,11 @@
* data requested from a {@link IdentityCredential}.
*/
class CredstoreResultData extends ResultData {
-
+ int mFeatureVersion = 0;
byte[] mStaticAuthenticationData = null;
byte[] mAuthenticatedData = null;
byte[] mMessageAuthenticationCode = null;
+ byte[] mSignature = null;
private Map<String, Map<String, EntryData>> mData = new LinkedHashMap<>();
@@ -61,6 +62,14 @@
}
@Override
+ @Nullable byte[] getSignature() {
+ if (mFeatureVersion < 202301) {
+ throw new UnsupportedOperationException();
+ }
+ return mSignature;
+ }
+
+ @Override
public @NonNull byte[] getStaticAuthenticationData() {
return mStaticAuthenticationData;
}
@@ -124,13 +133,17 @@
static class Builder {
private CredstoreResultData mResultData;
- Builder(byte[] staticAuthenticationData,
+ Builder(int featureVersion,
+ byte[] staticAuthenticationData,
byte[] authenticatedData,
- byte[] messageAuthenticationCode) {
+ byte[] messageAuthenticationCode,
+ byte[] signature) {
this.mResultData = new CredstoreResultData();
+ this.mResultData.mFeatureVersion = featureVersion;
this.mResultData.mStaticAuthenticationData = staticAuthenticationData;
this.mResultData.mAuthenticatedData = authenticatedData;
this.mResultData.mMessageAuthenticationCode = messageAuthenticationCode;
+ this.mResultData.mSignature = signature;
}
private Map<String, EntryData> getOrCreateInnerMap(String namespaceName) {
diff --git a/identity/java/android/security/identity/CredstoreWritableIdentityCredential.java b/identity/java/android/security/identity/CredstoreWritableIdentityCredential.java
index d2e7984..1ad70ed 100644
--- a/identity/java/android/security/identity/CredstoreWritableIdentityCredential.java
+++ b/identity/java/android/security/identity/CredstoreWritableIdentityCredential.java
@@ -25,8 +25,9 @@
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.Collection;
-import java.util.LinkedList;
+import java.util.List;
class CredstoreWritableIdentityCredential extends WritableIdentityCredential {
@@ -61,7 +62,7 @@
throw new RuntimeException("Error decoding certificates", e);
}
- LinkedList<X509Certificate> x509Certs = new LinkedList<>();
+ ArrayList<X509Certificate> x509Certs = new ArrayList<>();
for (Certificate cert : certs) {
x509Certs.add((X509Certificate) cert);
}
diff --git a/identity/java/android/security/identity/IdentityCredential.java b/identity/java/android/security/identity/IdentityCredential.java
index f440b69..2dd9778 100644
--- a/identity/java/android/security/identity/IdentityCredential.java
+++ b/identity/java/android/security/identity/IdentityCredential.java
@@ -16,6 +16,7 @@
package android.security.identity;
+import android.annotation.IntRange;
import android.annotation.NonNull;
import android.annotation.Nullable;
@@ -25,6 +26,7 @@
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Collection;
+import java.util.List;
import java.util.Map;
/**
@@ -236,14 +238,15 @@
* IntentToRetain = bool
* </pre>
*
- * <p>If the {@code sessionTranscript} parameter is not {@code null}, the X and Y coordinates
- * of the public part of the key-pair previously generated by {@link #createEphemeralKeyPair()}
- * must appear somewhere in the bytes of the CBOR. Each of these coordinates must appear
- * encoded with the most significant bits first and use the exact amount of bits indicated by
- * the key size of the ephemeral keys. For example, if the ephemeral key is using the P-256
- * curve then the 32 bytes for the X coordinate encoded with the most significant bits first
- * must appear somewhere in {@code sessionTranscript} and ditto for the 32 bytes for the Y
- * coordinate.
+ * <p>If mdoc session encryption is used (e.g. if {@link #createEphemeralKeyPair()} has been
+ * called) and if the {@code sessionTranscript} parameter is not {@code null}, the X and Y
+ * coordinates of the public part of the key-pair previously generated by
+ * {@link #createEphemeralKeyPair()} must appear somewhere in the bytes of the CBOR. Each of
+ * these coordinates must appear encoded with the most significant bits first and use the
+ * exact amount of bits indicated by the key size of the ephemeral keys. For example, if the
+ * ephemeral key is using the P-256 curve then the 32 bytes for the X coordinate encoded with
+ * the most significant bits first must appear somewhere in {@code sessionTranscript} and
+ * ditto for the 32 bytes for the Y coordinate.
*
* <p>If {@code readerSignature} is not {@code null} it must be the bytes of a
* {@code COSE_Sign1} structure as defined in RFC 8152. For the payload nil shall be used and
@@ -296,7 +299,7 @@
* session transcripts.
* @throws NoAuthenticationKeyAvailableException if authentication keys were never
* provisioned, the method
- * {@link #setAvailableAuthenticationKeys(int, int)}
+ * {@link #setAvailableAuthenticationKeys(int, int, long)}
* was called with {@code keyCount} set to 0,
* the method
* {@link #setAllowUsingExhaustedKeys(boolean)}
@@ -330,19 +333,25 @@
* for which this method has not been called behave as though it had been called wit
* {@code keyCount} 0 and {@code maxUsesPerKey} 1.
*
+ * <p>The effect of this method is like calling
+ * {@link #setAvailableAuthenticationKeys(int, int, long)} with the last parameter is set to 0.
+ *
* @param keyCount The number of active, certified dynamic authentication keys the
* {@code IdentityCredential} will try to keep available. This value
* must be non-negative.
* @param maxUsesPerKey The maximum number of times each of the keys will be used before it's
* eligible for replacement. This value must be greater than zero.
+ * @deprecated Use {@link #setAvailableAuthenticationKeys(int, int, long)} instead.
*/
+ @Deprecated
public abstract void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey);
/**
* Gets a collection of dynamic authentication keys that need certification.
*
* <p>When there aren't enough certified dynamic authentication keys, either because the key
- * count has been increased or because one or more keys have reached their usage count, this
+ * count has been increased or because one or more keys have reached their usage count or
+ * it if a key is too close to its expiration date, this
* method will generate replacement keys and certificates and return them for issuer
* certification. The issuer certificates and associated static authentication data must then
* be provided back to the Identity Credential using
@@ -400,11 +409,6 @@
* This should only be called for an authenticated key returned by
* {@link #getAuthKeysNeedingCertification()}.
*
- * <p>This is only implemented in feature version 202101 or later. If not implemented, the call
- * fails with {@link UnsupportedOperationException}. See
- * {@link android.content.pm.PackageManager#FEATURE_IDENTITY_CREDENTIAL_HARDWARE} for known
- * feature versions.
- *
* @param authenticationKey The dynamic authentication key for which certification and
* associated static
* authentication data is being provided.
@@ -426,7 +430,9 @@
* Get the number of times the dynamic authentication keys have been used.
*
* @return int array of dynamic authentication key usage counts.
+ * @deprecated Use {@link #getAuthenticationKeyMetadata()} instead.
*/
+ @Deprecated
public @NonNull abstract int[] getAuthenticationDataUsageCount();
/**
@@ -519,4 +525,47 @@
public @NonNull byte[] update(@NonNull PersonalizationData personalizationData) {
throw new UnsupportedOperationException();
}
+
+ /**
+ * Sets the number of dynamic authentication keys the {@code IdentityCredential} will maintain,
+ * the number of times each should be used, and the minimum amount of time it's valid for.
+ *
+ * <p>The Identity Credential system will select the least-used dynamic authentication key each
+ * time {@link #getEntries(byte[], Map, byte[], byte[])} is called. Identity Credentials
+ * for which this method has not been called behave as though it had been called wit
+ * {@code keyCount} 0, {@code maxUsesPerKey} 1, and {@code minValidTimeMillis} 0.
+ *
+ * <p>Applications can use {@link #getAuthenticationKeyMetadata()} to get a picture of the
+ * usage andtime left of each configured authentication key. This can be used to determine
+ * how urgent it is recertify new authentication keys via the
+ * {@link #getAuthKeysNeedingCertification()} method.
+ *
+ * @param keyCount The number of active, certified dynamic authentication keys the
+ * {@code IdentityCredential} will try to keep available. This value
+ * must be non-negative.
+ * @param maxUsesPerKey The maximum number of times each of the keys will be used before it's
+ * eligible for replacement. This value must be greater than zero.
+ * @param minValidTimeMillis If a key has less time left than this value it will be eliglible
+ * for replacement. This value must be non-negative.
+ */
+ public void setAvailableAuthenticationKeys(
+ @IntRange(from = 0) int keyCount,
+ @IntRange(from = 1) int maxUsesPerKey,
+ @IntRange(from = 0) long minValidTimeMillis) {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
+ * Get information about dynamic authentication keys.
+ *
+ * <p>The returned list may have <code>null</code> values if certification for the dynamic
+ * authentication key is pending.
+ *
+ * <p>The list is always <code>keyCount</code> elements long.
+ *
+ * @return list of authentication key metadata objects.
+ */
+ public @NonNull List<AuthenticationKeyMetadata> getAuthenticationKeyMetadata() {
+ throw new UnsupportedOperationException();
+ }
}
diff --git a/identity/java/android/security/identity/PersonalizationData.java b/identity/java/android/security/identity/PersonalizationData.java
index b34f250..bdb00fdf 100644
--- a/identity/java/android/security/identity/PersonalizationData.java
+++ b/identity/java/android/security/identity/PersonalizationData.java
@@ -18,10 +18,11 @@
import android.annotation.NonNull;
+import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
-import java.util.LinkedList;
+import java.util.List;
/**
* An object that holds personalization data.
@@ -38,7 +39,7 @@
private PersonalizationData() {
}
- private LinkedList<AccessControlProfile> mProfiles = new LinkedList<>();
+ private ArrayList<AccessControlProfile> mProfiles = new ArrayList<>();
private LinkedHashMap<String, NamespaceData> mNamespaces = new LinkedHashMap<>();
diff --git a/identity/java/android/security/identity/PresentationSession.java b/identity/java/android/security/identity/PresentationSession.java
index 6cde611..f392e12 100644
--- a/identity/java/android/security/identity/PresentationSession.java
+++ b/identity/java/android/security/identity/PresentationSession.java
@@ -73,7 +73,8 @@
* <p>If called, this must be called before any calls to
* {@link #getCredentialData(String, CredentialDataRequest)}.
*
- * <p>The X and Y coordinates of the public part of the key-pair returned by {@link
+ * <p>If mdoc session encryption is used (e.g. if {@link #getEphemeralKeyPair()} has been
+ * called) then the X and Y coordinates of the public part of the key-pair returned by {@link
* #getEphemeralKeyPair()} must appear somewhere in the bytes of the passed in CBOR. Each of
* these coordinates must appear encoded with the most significant bits first and use the exact
* amount of bits indicated by the key size of the ephemeral keys. For example, if the
diff --git a/identity/java/android/security/identity/ResultData.java b/identity/java/android/security/identity/ResultData.java
index d46f985..8a0e56e 100644
--- a/identity/java/android/security/identity/ResultData.java
+++ b/identity/java/android/security/identity/ResultData.java
@@ -134,6 +134,10 @@
*/
public abstract @Nullable byte[] getMessageAuthenticationCode();
+ @Nullable byte[] getSignature() {
+ throw new UnsupportedOperationException();
+ }
+
/**
* Returns the static authentication data associated with the dynamic authentication
* key used to sign or MAC the data returned by {@link #getAuthenticatedData()}.
diff --git a/packages/SystemUI/src/com/android/systemui/volume/VolumeDialogControllerImpl.java b/packages/SystemUI/src/com/android/systemui/volume/VolumeDialogControllerImpl.java
index bf7c459..55fa4c0 100644
--- a/packages/SystemUI/src/com/android/systemui/volume/VolumeDialogControllerImpl.java
+++ b/packages/SystemUI/src/com/android/systemui/volume/VolumeDialogControllerImpl.java
@@ -429,6 +429,11 @@
AudioManager.DEVICE_OUT_BLUETOOTH_A2DP_SPEAKER |
AudioManager.DEVICE_OUT_BLE_HEADSET)) != 0;
changed |= updateStreamRoutedToBluetoothW(stream, routedToBluetooth);
+ } else if (stream == AudioManager.STREAM_VOICE_CALL) {
+ final boolean routedToBluetooth =
+ (mAudio.getDevicesForStream(AudioManager.STREAM_VOICE_CALL)
+ & AudioManager.DEVICE_OUT_BLE_HEADSET) != 0;
+ changed |= updateStreamRoutedToBluetoothW(stream, routedToBluetooth);
}
return changed;
}
diff --git a/packages/SystemUI/src/com/android/systemui/volume/VolumeDialogImpl.java b/packages/SystemUI/src/com/android/systemui/volume/VolumeDialogImpl.java
index 903aba1..198d022 100644
--- a/packages/SystemUI/src/com/android/systemui/volume/VolumeDialogImpl.java
+++ b/packages/SystemUI/src/com/android/systemui/volume/VolumeDialogImpl.java
@@ -1677,6 +1677,7 @@
if (ss.level == row.requestedLevel) {
row.requestedLevel = -1;
}
+ final boolean isVoiceCallStream = row.stream == AudioManager.STREAM_VOICE_CALL;
final boolean isA11yStream = row.stream == STREAM_ACCESSIBILITY;
final boolean isRingStream = row.stream == AudioManager.STREAM_RING;
final boolean isSystemStream = row.stream == AudioManager.STREAM_SYSTEM;
@@ -1721,8 +1722,12 @@
} else if (isRingSilent || zenMuted) {
iconRes = row.iconMuteRes;
} else if (ss.routedToBluetooth) {
- iconRes = isStreamMuted(ss) ? R.drawable.ic_volume_media_bt_mute
- : R.drawable.ic_volume_media_bt;
+ if (isVoiceCallStream) {
+ iconRes = R.drawable.ic_volume_bt_sco;
+ } else {
+ iconRes = isStreamMuted(ss) ? R.drawable.ic_volume_media_bt_mute
+ : R.drawable.ic_volume_media_bt;
+ }
} else if (isStreamMuted(ss)) {
iconRes = ss.muted ? R.drawable.ic_volume_media_off : row.iconMuteRes;
} else {
diff --git a/packages/SystemUI/tests/src/com/android/systemui/volume/VolumeDialogControllerImplTest.java b/packages/SystemUI/tests/src/com/android/systemui/volume/VolumeDialogControllerImplTest.java
index aaf2188..acf1088 100644
--- a/packages/SystemUI/tests/src/com/android/systemui/volume/VolumeDialogControllerImplTest.java
+++ b/packages/SystemUI/tests/src/com/android/systemui/volume/VolumeDialogControllerImplTest.java
@@ -167,6 +167,34 @@
}
@Test
+ public void testVolumeChangeW_deviceOutFromBLEHeadset_doStateChanged() {
+ mVolumeController.setDeviceInteractive(false);
+ when(mWakefullnessLifcycle.getWakefulness()).thenReturn(
+ WakefulnessLifecycle.WAKEFULNESS_AWAKE);
+ when(mAudioManager.getDevicesForStream(AudioManager.STREAM_VOICE_CALL)).thenReturn(
+ AudioManager.DEVICE_OUT_BLE_HEADSET);
+
+ mVolumeController.onVolumeChangedW(
+ AudioManager.STREAM_VOICE_CALL, AudioManager.FLAG_SHOW_UI);
+
+ verify(mCallback, times(1)).onStateChanged(any());
+ }
+
+ @Test
+ public void testVolumeChangeW_deviceOutFromA2DP_doStateChanged() {
+ mVolumeController.setDeviceInteractive(false);
+ when(mWakefullnessLifcycle.getWakefulness()).thenReturn(
+ WakefulnessLifecycle.WAKEFULNESS_AWAKE);
+ when(mAudioManager.getDevicesForStream(AudioManager.STREAM_VOICE_CALL)).thenReturn(
+ AudioManager.DEVICE_OUT_BLUETOOTH_A2DP);
+
+ mVolumeController.onVolumeChangedW(
+ AudioManager.STREAM_VOICE_CALL, AudioManager.FLAG_SHOW_UI);
+
+ verify(mCallback, never()).onStateChanged(any());
+ }
+
+ @Test
public void testOnRemoteVolumeChanged_newStream_noNullPointer() {
MediaSession.Token token = new MediaSession.Token(Process.myUid(), null);
mVolumeController.mMediaSessionsCallbacksW.onRemoteVolumeChanged(token, 0);
diff --git a/services/core/java/com/android/server/VcnManagementService.java b/services/core/java/com/android/server/VcnManagementService.java
index 61f7f30..f652cb0 100644
--- a/services/core/java/com/android/server/VcnManagementService.java
+++ b/services/core/java/com/android/server/VcnManagementService.java
@@ -371,8 +371,9 @@
return new LocationPermissionChecker(context);
}
- /** Gets the transports that need to be marked as restricted by the VCN */
- public Set<Integer> getRestrictedTransports(
+ /** Gets transports that need to be marked as restricted by the VCN from CarrierConfig */
+ @VisibleForTesting(visibility = Visibility.PRIVATE)
+ public Set<Integer> getRestrictedTransportsFromCarrierConfig(
ParcelUuid subGrp, TelephonySubscriptionSnapshot lastSnapshot) {
if (!Build.IS_ENG && !Build.IS_USERDEBUG) {
return RESTRICTED_TRANSPORTS_DEFAULT;
@@ -398,6 +399,22 @@
}
return restrictedTransports;
}
+
+ /** Gets the transports that need to be marked as restricted by the VCN */
+ public Set<Integer> getRestrictedTransports(
+ ParcelUuid subGrp,
+ TelephonySubscriptionSnapshot lastSnapshot,
+ VcnConfig vcnConfig) {
+ final Set<Integer> restrictedTransports = new ArraySet<>();
+ restrictedTransports.addAll(vcnConfig.getRestrictedUnderlyingNetworkTransports());
+
+ // TODO: b/262269892 Remove the ability to configure restricted transports
+ // via CarrierConfig
+ restrictedTransports.addAll(
+ getRestrictedTransportsFromCarrierConfig(subGrp, lastSnapshot));
+
+ return restrictedTransports;
+ }
}
/** Notifies the VcnManagementService that external dependencies can be set up. */
@@ -719,6 +736,7 @@
if (mVcns.containsKey(subscriptionGroup)) {
final Vcn vcn = mVcns.get(subscriptionGroup);
vcn.updateConfig(config);
+ notifyAllPolicyListenersLocked();
} else {
// TODO(b/193687515): Support multiple VCNs active at the same time
if (isActiveSubGroup(subscriptionGroup, mLastSnapshot)) {
@@ -936,7 +954,6 @@
}
/** Adds the provided listener for receiving VcnUnderlyingNetworkPolicy updates. */
- @GuardedBy("mLock")
@Override
public void addVcnUnderlyingNetworkPolicyListener(
@NonNull IVcnUnderlyingNetworkPolicyListener listener) {
@@ -963,16 +980,7 @@
});
}
- @VisibleForTesting(visibility = Visibility.PRIVATE)
- void addVcnUnderlyingNetworkPolicyListenerForTest(
- @NonNull IVcnUnderlyingNetworkPolicyListener listener) {
- synchronized (mLock) {
- addVcnUnderlyingNetworkPolicyListener(listener);
- }
- }
-
/** Removes the provided listener from receiving VcnUnderlyingNetworkPolicy updates. */
- @GuardedBy("mLock")
@Override
public void removeVcnUnderlyingNetworkPolicyListener(
@NonNull IVcnUnderlyingNetworkPolicyListener listener) {
@@ -1062,8 +1070,8 @@
isVcnManagedNetwork = true;
}
- final Set<Integer> restrictedTransports =
- mDeps.getRestrictedTransports(subGrp, mLastSnapshot);
+ final Set<Integer> restrictedTransports = mDeps.getRestrictedTransports(
+ subGrp, mLastSnapshot, mConfigs.get(subGrp));
for (int restrictedTransport : restrictedTransports) {
if (ncCopy.hasTransport(restrictedTransport)) {
if (restrictedTransport == TRANSPORT_CELLULAR) {
diff --git a/services/core/java/com/android/server/clipboard/EmulatorClipboardMonitor.java b/services/core/java/com/android/server/clipboard/EmulatorClipboardMonitor.java
index ab3b250..dce1c96 100644
--- a/services/core/java/com/android/server/clipboard/EmulatorClipboardMonitor.java
+++ b/services/core/java/com/android/server/clipboard/EmulatorClipboardMonitor.java
@@ -29,6 +29,7 @@
import java.io.EOFException;
import java.io.FileDescriptor;
import java.io.InterruptedIOException;
+import java.net.ProtocolException;
import java.net.SocketException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
@@ -39,12 +40,16 @@
// write contents of the host system's clipboard.
class EmulatorClipboardMonitor implements Consumer<ClipData> {
private static final String TAG = "EmulatorClipboardMonitor";
+
private static final String PIPE_NAME = "pipe:clipboard";
private static final int HOST_PORT = 5000;
- private final Thread mHostMonitorThread;
+
private static final boolean LOG_CLIBOARD_ACCESS =
SystemProperties.getBoolean("ro.boot.qemu.log_clipboard_access", false);
+ private static final int MAX_CLIPBOARD_BYTES = 128 << 20;
+
private FileDescriptor mPipe = null;
+ private final Thread mHostMonitorThread;
private static byte[] createOpenHandshake() {
// String.getBytes doesn't include the null terminator,
@@ -97,8 +102,8 @@
return fd;
}
- private static byte[] receiveMessage(final FileDescriptor fd) throws ErrnoException,
- InterruptedIOException, EOFException {
+ private byte[] receiveMessage(final FileDescriptor fd) throws ErrnoException,
+ InterruptedIOException, EOFException, ProtocolException {
final byte[] lengthBits = new byte[4];
readFully(fd, lengthBits, 0, lengthBits.length);
@@ -106,6 +111,10 @@
bb.order(ByteOrder.LITTLE_ENDIAN);
final int msgLen = bb.getInt();
+ if (msgLen <= 0 || msgLen > MAX_CLIPBOARD_BYTES) {
+ throw new ProtocolException("Clipboard message length: " + msgLen + " out of bounds.");
+ }
+
final byte[] msg = new byte[msgLen];
readFully(fd, msg, 0, msg.length);
@@ -150,7 +159,8 @@
}
setAndroidClipboard.accept(clip);
} catch (ErrnoException | EOFException | InterruptedIOException
- | InterruptedException e) {
+ | InterruptedException | ProtocolException | OutOfMemoryError e) {
+ Slog.w(TAG, "Failure to read from host clipboard", e);
setPipeFD(null);
try {
diff --git a/services/core/jni/Android.bp b/services/core/jni/Android.bp
index 8e0dc5d..075991e 100644
--- a/services/core/jni/Android.bp
+++ b/services/core/jni/Android.bp
@@ -183,7 +183,7 @@
"android.frameworks.sensorservice@1.0",
"android.frameworks.sensorservice-V1-ndk",
"android.frameworks.stats@1.0",
- "android.frameworks.stats-V1-ndk",
+ "android.frameworks.stats-V2-ndk",
"android.system.suspend.control-V1-cpp",
"android.system.suspend.control.internal-cpp",
"android.system.suspend-V1-ndk",
diff --git a/tests/vcn/java/android/net/vcn/VcnConfigTest.java b/tests/vcn/java/android/net/vcn/VcnConfigTest.java
index 7ac51b7..b313c9f 100644
--- a/tests/vcn/java/android/net/vcn/VcnConfigTest.java
+++ b/tests/vcn/java/android/net/vcn/VcnConfigTest.java
@@ -16,7 +16,12 @@
package android.net.vcn;
+import static android.net.NetworkCapabilities.TRANSPORT_CELLULAR;
+import static android.net.NetworkCapabilities.TRANSPORT_WIFI;
+
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
import static org.junit.Assert.fail;
import static org.mockito.Mockito.doReturn;
import static org.mockito.Mockito.mock;
@@ -24,6 +29,7 @@
import android.annotation.NonNull;
import android.content.Context;
import android.os.Parcel;
+import android.util.ArraySet;
import androidx.test.filters.SmallTest;
import androidx.test.runner.AndroidJUnit4;
@@ -42,19 +48,36 @@
private static final Set<VcnGatewayConnectionConfig> GATEWAY_CONNECTION_CONFIGS =
Collections.singleton(VcnGatewayConnectionConfigTest.buildTestConfig());
+ private static final Set<Integer> RESTRICTED_TRANSPORTS = new ArraySet<>();
+
+ static {
+ RESTRICTED_TRANSPORTS.add(TRANSPORT_WIFI);
+ RESTRICTED_TRANSPORTS.add(TRANSPORT_CELLULAR);
+ }
+
private final Context mContext = mock(Context.class);
// Public visibility for VcnManagementServiceTest
- public static VcnConfig buildTestConfig(@NonNull Context context) {
+ public static VcnConfig buildTestConfig(
+ @NonNull Context context, Set<Integer> restrictedTransports) {
VcnConfig.Builder builder = new VcnConfig.Builder(context);
for (VcnGatewayConnectionConfig gatewayConnectionConfig : GATEWAY_CONNECTION_CONFIGS) {
builder.addGatewayConnectionConfig(gatewayConnectionConfig);
}
+ if (restrictedTransports != null) {
+ builder.setRestrictedUnderlyingNetworkTransports(restrictedTransports);
+ }
+
return builder.build();
}
+ // Public visibility for VcnManagementServiceTest
+ public static VcnConfig buildTestConfig(@NonNull Context context) {
+ return buildTestConfig(context, null);
+ }
+
@Before
public void setUp() throws Exception {
doReturn(TEST_PACKAGE_NAME).when(mContext).getOpPackageName();
@@ -91,11 +114,25 @@
}
@Test
- public void testBuilderAndGetters() {
+ public void testBuilderAndGettersDefaultValues() {
final VcnConfig config = buildTestConfig(mContext);
assertEquals(TEST_PACKAGE_NAME, config.getProvisioningPackageName());
assertEquals(GATEWAY_CONNECTION_CONFIGS, config.getGatewayConnectionConfigs());
+ assertFalse(config.isTestModeProfile());
+ assertEquals(
+ Collections.singleton(TRANSPORT_WIFI),
+ config.getRestrictedUnderlyingNetworkTransports());
+ }
+
+ @Test
+ public void testBuilderAndGettersConfigRestrictedTransports() {
+ final VcnConfig config = buildTestConfig(mContext, RESTRICTED_TRANSPORTS);
+
+ assertEquals(TEST_PACKAGE_NAME, config.getProvisioningPackageName());
+ assertEquals(GATEWAY_CONNECTION_CONFIGS, config.getGatewayConnectionConfigs());
+ assertFalse(config.isTestModeProfile());
+ assertEquals(RESTRICTED_TRANSPORTS, config.getRestrictedUnderlyingNetworkTransports());
}
@Test
@@ -106,6 +143,24 @@
}
@Test
+ public void testPersistableBundleWithRestrictedTransports() {
+ final VcnConfig config = buildTestConfig(mContext, RESTRICTED_TRANSPORTS);
+
+ assertEquals(config, new VcnConfig(config.toPersistableBundle()));
+ }
+
+ @Test
+ public void testEqualityWithRestrictedTransports() {
+ final VcnConfig config = buildTestConfig(mContext, RESTRICTED_TRANSPORTS);
+ final VcnConfig configEqual = buildTestConfig(mContext, RESTRICTED_TRANSPORTS);
+ final VcnConfig configNotEqual =
+ buildTestConfig(mContext, Collections.singleton(TRANSPORT_WIFI));
+
+ assertEquals(config, configEqual);
+ assertNotEquals(config, configNotEqual);
+ }
+
+ @Test
public void testParceling() {
final VcnConfig config = buildTestConfig(mContext);
diff --git a/tests/vcn/java/com/android/server/VcnManagementServiceTest.java b/tests/vcn/java/com/android/server/VcnManagementServiceTest.java
index 258642ac..075bc5e 100644
--- a/tests/vcn/java/com/android/server/VcnManagementServiceTest.java
+++ b/tests/vcn/java/com/android/server/VcnManagementServiceTest.java
@@ -258,7 +258,7 @@
doReturn(Collections.singleton(TRANSPORT_WIFI))
.when(mMockDeps)
- .getRestrictedTransports(any(), any());
+ .getRestrictedTransports(any(), any(), any());
}
@@ -1038,18 +1038,18 @@
new LinkProperties());
}
- private void checkGetRestrictedTransports(
+ private void checkGetRestrictedTransportsFromCarrierConfig(
ParcelUuid subGrp,
TelephonySubscriptionSnapshot lastSnapshot,
Set<Integer> expectedTransports) {
Set<Integer> result =
new VcnManagementService.Dependencies()
- .getRestrictedTransports(subGrp, lastSnapshot);
+ .getRestrictedTransportsFromCarrierConfig(subGrp, lastSnapshot);
assertEquals(expectedTransports, result);
}
@Test
- public void testGetRestrictedTransports() {
+ public void testGetRestrictedTransportsFromCarrierConfig() {
final Set<Integer> restrictedTransports = new ArraySet<>();
restrictedTransports.add(TRANSPORT_CELLULAR);
restrictedTransports.add(TRANSPORT_WIFI);
@@ -1065,11 +1065,12 @@
mock(TelephonySubscriptionSnapshot.class);
doReturn(carrierConfig).when(lastSnapshot).getCarrierConfigForSubGrp(eq(TEST_UUID_2));
- checkGetRestrictedTransports(TEST_UUID_2, lastSnapshot, restrictedTransports);
+ checkGetRestrictedTransportsFromCarrierConfig(
+ TEST_UUID_2, lastSnapshot, restrictedTransports);
}
@Test
- public void testGetRestrictedTransports_noRestrictPolicyConfigured() {
+ public void testGetRestrictedTransportsFromCarrierConfig_noRestrictPolicyConfigured() {
final Set<Integer> restrictedTransports = Collections.singleton(TRANSPORT_WIFI);
final PersistableBundleWrapper carrierConfig =
@@ -1078,17 +1079,54 @@
mock(TelephonySubscriptionSnapshot.class);
doReturn(carrierConfig).when(lastSnapshot).getCarrierConfigForSubGrp(eq(TEST_UUID_2));
- checkGetRestrictedTransports(TEST_UUID_2, lastSnapshot, restrictedTransports);
+ checkGetRestrictedTransportsFromCarrierConfig(
+ TEST_UUID_2, lastSnapshot, restrictedTransports);
}
@Test
- public void testGetRestrictedTransports_noCarrierConfig() {
+ public void testGetRestrictedTransportsFromCarrierConfig_noCarrierConfig() {
final Set<Integer> restrictedTransports = Collections.singleton(TRANSPORT_WIFI);
final TelephonySubscriptionSnapshot lastSnapshot =
mock(TelephonySubscriptionSnapshot.class);
- checkGetRestrictedTransports(TEST_UUID_2, lastSnapshot, restrictedTransports);
+ checkGetRestrictedTransportsFromCarrierConfig(
+ TEST_UUID_2, lastSnapshot, restrictedTransports);
+ }
+
+ @Test
+ public void testGetRestrictedTransportsFromCarrierConfigAndVcnConfig() {
+ // Configure restricted transport in CarrierConfig
+ final Set<Integer> restrictedTransportInCarrierConfig =
+ Collections.singleton(TRANSPORT_WIFI);
+
+ PersistableBundle carrierConfigBundle = new PersistableBundle();
+ carrierConfigBundle.putIntArray(
+ VCN_RESTRICTED_TRANSPORTS_INT_ARRAY_KEY,
+ restrictedTransportInCarrierConfig.stream().mapToInt(i -> i).toArray());
+ final PersistableBundleWrapper carrierConfig =
+ new PersistableBundleWrapper(carrierConfigBundle);
+
+ final TelephonySubscriptionSnapshot lastSnapshot =
+ mock(TelephonySubscriptionSnapshot.class);
+ doReturn(carrierConfig).when(lastSnapshot).getCarrierConfigForSubGrp(eq(TEST_UUID_2));
+
+ // Configure restricted transport in VcnConfig
+ final Context mockContext = mock(Context.class);
+ doReturn(TEST_PACKAGE_NAME).when(mockContext).getOpPackageName();
+ final VcnConfig vcnConfig =
+ VcnConfigTest.buildTestConfig(
+ mockContext, Collections.singleton(TRANSPORT_CELLULAR));
+
+ // Verifications
+ final Set<Integer> expectedTransports = new ArraySet<>();
+ expectedTransports.add(TRANSPORT_CELLULAR);
+ expectedTransports.add(TRANSPORT_WIFI);
+
+ Set<Integer> result =
+ new VcnManagementService.Dependencies()
+ .getRestrictedTransports(TEST_UUID_2, lastSnapshot, vcnConfig);
+ assertEquals(expectedTransports, result);
}
private void checkGetUnderlyingNetworkPolicy(
@@ -1103,7 +1141,7 @@
if (isTransportRestricted) {
restrictedTransports.add(transportType);
}
- doReturn(restrictedTransports).when(mMockDeps).getRestrictedTransports(any(), any());
+ doReturn(restrictedTransports).when(mMockDeps).getRestrictedTransports(any(), any(), any());
final VcnUnderlyingNetworkPolicy policy =
startVcnAndGetPolicyForTransport(
@@ -1201,7 +1239,7 @@
public void testGetUnderlyingNetworkPolicyCell_restrictWifi() throws Exception {
doReturn(Collections.singleton(TRANSPORT_WIFI))
.when(mMockDeps)
- .getRestrictedTransports(any(), any());
+ .getRestrictedTransports(any(), any(), any());
setupSubscriptionAndStartVcn(TEST_SUBSCRIPTION_ID, TEST_UUID_2, true /* isVcnActive */);
@@ -1344,6 +1382,23 @@
}
@Test
+ public void testVcnConfigChangeUpdatesPolicyListener() throws Exception {
+ setupActiveSubscription(TEST_UUID_2);
+
+ mVcnMgmtSvc.setVcnConfig(TEST_UUID_2, TEST_VCN_CONFIG, TEST_PACKAGE_NAME);
+ mVcnMgmtSvc.addVcnUnderlyingNetworkPolicyListener(mMockPolicyListener);
+
+ final Context mockContext = mock(Context.class);
+ doReturn(TEST_PACKAGE_NAME).when(mockContext).getOpPackageName();
+ final VcnConfig vcnConfig =
+ VcnConfigTest.buildTestConfig(
+ mockContext, Collections.singleton(TRANSPORT_CELLULAR));
+ mVcnMgmtSvc.setVcnConfig(TEST_UUID_2, vcnConfig, TEST_PACKAGE_NAME);
+
+ verify(mMockPolicyListener).onPolicyChanged();
+ }
+
+ @Test
public void testRemoveVcnUpdatesPolicyListener() throws Exception {
setupActiveSubscription(TEST_UUID_2);
@@ -1375,7 +1430,7 @@
setupActiveSubscription(TEST_UUID_2);
mVcnMgmtSvc.setVcnConfig(TEST_UUID_2, TEST_VCN_CONFIG, TEST_PACKAGE_NAME);
- mVcnMgmtSvc.addVcnUnderlyingNetworkPolicyListenerForTest(mMockPolicyListener);
+ mVcnMgmtSvc.addVcnUnderlyingNetworkPolicyListener(mMockPolicyListener);
final TelephonySubscriptionSnapshot snapshot =
buildSubscriptionSnapshot(