Add onLockScreenEvent method to IKeystoreAuthorization AIDL.
This CL adds the onLockScreenEvent method and the LockScreenEvent enum AIDL it requires.
Bug: 159475191
Test: TBD
Change-Id: Iaf8a2f72ac0640ebf0e47fc1c2920e626d477ec9
diff --git a/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl b/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
index 48364f4..df64401 100644
--- a/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
+++ b/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
@@ -15,21 +15,45 @@
package android.security.authorization;
import android.hardware.security.keymint.HardwareAuthToken;
+import android.security.authorization.LockScreenEvent;
+
+// TODO: mark the interface with @SensitiveData when the annotation is ready (b/176110256).
/**
-* IKeystoreAuthorization interface exposes the methods for other system components to
-* provide keystore with the information required to enforce authorizations on key usage.
-*/
+ * IKeystoreAuthorization interface exposes the methods for other system components to
+ * provide keystore with the information required to enforce authorizations on key usage.
+ */
interface IKeystoreAuthorization {
/**
- * Allows the Android authenticators to hand over an auth token to Keystore.
- * Callers require 'AddAuth' permission.
- * ## Error conditions:
- * `ResponseCode::SYSTEM_ERROR` - if failed to store the auth token in the database or if failed
- * to add the auth token to the operation, if it is a per-op auth token.
- *
- * @param authToken The auth token created by an authenticator, upon user authentication.
- */
+ * Allows the Android authenticators to hand over an auth token to Keystore.
+ * Callers require 'AddAuth' permission.
+ * ## Error conditions:
+ * `ResponseCode::PERMISSION_DENIED` - if the callers do not have the 'AddAuth' permission.
+ * `ResponseCode::SYSTEM_ERROR` - if failed to store the auth token in the database or if failed
+ * to add the auth token to the operation, if it is a per-op auth token.
+ *
+ * @param authToken The auth token created by an authenticator, upon user authentication.
+ */
void addAuthToken(in HardwareAuthToken authToken);
+
+ /**
+ * Unlocks the keystore for the given user id.
+ * Callers require 'Unlock' permission.
+ * If a password was set, a password must be given on unlock or the operation fails.
+ *
+ * ## Error conditions:
+ * `ResponseCode::PERMISSION_DENIED` - if the callers do not have the 'Unlock' permission.
+ * `ResponseCode::SYSTEM_ERROR` - if failed to perform lock/unlock operations due to various
+ *
+ * @lockScreenEvent - Indicates what happened.
+ * * LockScreenEvent.UNLOCK if the screen was unlocked.
+ * * LockScreenEvent.LOCK if the screen was locked.
+ *
+ * @param userId - Android user id
+ *
+ * @param password - synthetic password derived by the user denoted by the user id
+ */
+ void onLockScreenEvent(in LockScreenEvent lockScreenEvent, in int userId,
+ in @nullable byte[] password);
}
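Review bot: The `ResponseCode::SYSTEM_ERROR` line in the onLockScreenEvent doc comment stops mid-sentence ("due to various"), so the documented error contract is incomplete; finish the sentence with the failure causes the implementation actually reports (not visible in this hunk). On the same comment, `@lockScreenEvent - Indicates what happened.` should be `@param lockScreenEvent - Indicates what happened.` so all three parameters use the same tag, matching addAuthToken above. The `password` description ("synthetic password derived by the user denoted by the user id") is also ambiguous about when the value is expected: the sentence "If a password was set, a password must be given on unlock" suggests it is only consulted for LockScreenEvent.UNLOCK and presumably may be null for LOCK, but that should be stated explicitly since this is key-derivation material crossing the Binder boundary and the @SensitiveData marking is still a TODO.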
diff --git a/keystore2/aidl/android/security/authorization/LockScreenEvent.aidl b/keystore2/aidl/android/security/authorization/LockScreenEvent.aidl
new file mode 100644
index 0000000..877a916
--- /dev/null
+++ b/keystore2/aidl/android/security/authorization/LockScreenEvent.aidl
@@ -0,0 +1,21 @@
+// Copyright 2020, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package android.security.authorization;
+
+@Backing(type="int")
+enum LockScreenEvent {
+ UNLOCK = 0,
+ LOCK = 1,
+}
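Review bot: The two LockScreenEvent values carry no doc comments, even though the onLockScreenEvent contract in IKeystoreAuthorization is explained in terms of them; add `/** The lock screen was unlocked. */` above UNLOCK and `/** The lock screen was locked. */` above LOCK so the enum is self-describing in generated code.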