author | 2024-03-22 01:35:05 +0000 | |
---|---|---|
committer | 2024-04-01 17:38:12 +0000 | |
commit | a5d7857df0ecccb33ce74a52def4fa4c12e36e9b (patch) | |
tree | f0ddf8bf0fc544d2cb891719372b0145e86748a7 /keystore | |
parent | 4f490c581c5f46eef7e84062f19cfb37cafdce48 (diff) |
Use consistent helper class for keystore authorization
Currently the IKeystoreAuthorization service is intended to be accessed
through the helper class android.security.Authorization. However,
because Authorization provides only static methods, it can only be
unit-tested by static mocking, which is only available in
mockingservicestests. BiometricService works around this in two
different ways: (a) using IKeystoreAuthorization directly, and (b) using
android.security.KeyStore, which is an obsolete class which is now
almost empty and just contains a couple random helpers. I'd like to
remove it to avoid confusion with java.security.KeyStore.
This CL solves the testability problem in a consistent way by renaming
Authorization to KeyStoreAuthorization and changing all public static
methods to instance methods. It updates all callers of the keystore
authorization service to go through a KeyStoreAuthorization instance.
Finally, it updates the unit tests for TrustManagerService and
BiometricService to inject a mock KeyStoreAuthorization.
Bug: 326508120
Test: atest TrustManagerServiceTest
Test: atest FrameworksServicesTests:{BiometricServiceTest,AuthSessionTest}
Test: atest CtsBiometricsTestCases:BiometricSimpleTests
Flag: N/A. Refactoring with no behavior change intended.
Change-Id: I68504f447b1b880c08a60cf027b13f77a6567ec9
Diffstat (limited to 'keystore')
-rw-r--r-- | keystore/java/android/security/KeyStore.java | 14 | ||||
-rw-r--r-- | keystore/java/android/security/KeyStoreAuthorization.java (renamed from keystore/java/android/security/Authorization.java) | 29 |
2 files changed, 19 insertions, 24 deletions
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java index 2cac2e150919..2f2215fd51a2 100644 --- a/keystore/java/android/security/KeyStore.java +++ b/keystore/java/android/security/KeyStore.java @@ -17,7 +17,6 @@ package android.security; import android.compat.annotation.UnsupportedAppUsage; -import android.os.StrictMode; /** * This class provides some constants and helper methods related to Android's Keystore service. @@ -38,17 +37,4 @@ public class KeyStore { public static KeyStore getInstance() { return KEY_STORE; } - - /** - * Add an authentication record to the keystore authorization table. - * - * @param authToken The packed bytes of a hw_auth_token_t to be provided to keymaster. - * @return 0 on success, otherwise an error value corresponding to a - * {@code KeymasterDefs.KM_ERROR_} value or {@code KeyStore} ResponseCode. - */ - public int addAuthToken(byte[] authToken) { - StrictMode.noteDiskWrite(); - - return Authorization.addAuthToken(authToken); - } } diff --git a/keystore/java/android/security/Authorization.java b/keystore/java/android/security/KeyStoreAuthorization.java index 6404c4bc33d6..14d715f03ae1 100644 --- a/keystore/java/android/security/Authorization.java +++ b/keystore/java/android/security/KeyStoreAuthorization.java 
@@ -33,15 +33,21 @@ import android.util.Log; * @hide This is the client side for IKeystoreAuthorization AIDL. * It shall only be used by biometric authentication providers and Gatekeeper. */ -public class Authorization { - private static final String TAG = "KeystoreAuthorization"; +public class KeyStoreAuthorization { + private static final String TAG = "KeyStoreAuthorization"; public static final int SYSTEM_ERROR = ResponseCode.SYSTEM_ERROR; + private static final KeyStoreAuthorization sInstance = new KeyStoreAuthorization(); + + public static KeyStoreAuthorization getInstance() { + return sInstance; + } + /** * @return an instance of IKeystoreAuthorization */ - public static IKeystoreAuthorization getService() { + private IKeystoreAuthorization getService() { return IKeystoreAuthorization.Stub.asInterface( ServiceManager.checkService("android.security.authorization")); } @@ -52,7 +58,7 @@ public class Authorization { * @param authToken created by Android authenticators. * @return 0 if successful or {@code ResponseCode.SYSTEM_ERROR}. */ - public static int addAuthToken(@NonNull HardwareAuthToken authToken) { + public int addAuthToken(@NonNull HardwareAuthToken authToken) { StrictMode.noteSlowCall("addAuthToken"); try { getService().addAuthToken(authToken); @@ -70,7 +76,7 @@ public class Authorization { * @param authToken * @return 0 if successful or a {@code ResponseCode}. */ - public static int addAuthToken(@NonNull byte[] authToken) { + public int addAuthToken(@NonNull byte[] authToken) { return addAuthToken(AuthTokenUtils.toHardwareAuthToken(authToken)); } @@ -82,7 +88,7 @@ public class Authorization { * is LSKF (or equivalent) and thus has made the synthetic password available * @return 0 if successful or a {@code ResponseCode}. */ - public static int onDeviceUnlocked(int userId, @Nullable byte[] password) { + public int onDeviceUnlocked(int userId, @Nullable byte[] password) { StrictMode.noteDiskWrite(); try { getService().onDeviceUnlocked(userId, password); 
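Review bot: The new public `getInstance()` in the first KeyStoreAuthorization.java hunk has no Javadoc, and the comment kept on `getService()` still reads `@return an instance of IKeystoreAuthorization` even though the method is built on `ServiceManager.checkService`, which does not wait for the service and can yield null. I would document both: on `getInstance()`, `/** Returns the shared instance; callers should receive it through an injector so tests can substitute a mock. */`, and on `getService()`, `@return the IKeystoreAuthorization proxy, or null if the service is not registered`. The null case matters to callers because the `catch (RemoteException | NullPointerException e)` visible in `getLastAuthTime` appears to be what absorbs it, so an unavailable keystore surfaces as an ordinary error or "no authentication" value rather than an exception. The class body continues outside this hunk.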
@@ -103,7 +109,7 @@ public class Authorization { * @param weakUnlockEnabled - true if non-strong biometric or trust agent unlock is enabled * @return 0 if successful or a {@code ResponseCode}. */ - public static int onDeviceLocked(int userId, @NonNull long[] unlockingSids, + public int onDeviceLocked(int userId, @NonNull long[] unlockingSids, boolean weakUnlockEnabled) { StrictMode.noteDiskWrite(); try { @@ -125,14 +131,17 @@ public class Authorization { * @return the last authentication time or * {@link BiometricConstants#BIOMETRIC_NO_AUTHENTICATION}. */ - public static long getLastAuthenticationTime( - long userId, @HardwareAuthenticatorType int[] authenticatorTypes) { + public long getLastAuthTime(long userId, @HardwareAuthenticatorType int[] authenticatorTypes) { try { return getService().getLastAuthTime(userId, authenticatorTypes); } catch (RemoteException | NullPointerException e) { - Log.w(TAG, "Can not connect to keystore", e); + Log.w(TAG, "Error getting last auth time: " + e); return BiometricConstants.BIOMETRIC_NO_AUTHENTICATION; } catch (ServiceSpecificException e) { + // This is returned when the feature flag test fails in keystore2 + if (e.errorCode == ResponseCode.PERMISSION_DENIED) { + throw new UnsupportedOperationException(); + } return BiometricConstants.BIOMETRIC_NO_AUTHENTICATION; } } |
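Review bot: In the last hunk, `getLastAuthTime` now throws `UnsupportedOperationException` when keystore2 answers `ResponseCode.PERMISSION_DENIED`, but the Javadoc above it still documents only the two return values, and the commit is flagged as a refactoring with no behavior change intended. Add `@throws UnsupportedOperationException if keystore2 rejects the call with PERMISSION_DENIED` so callers know to handle it. Because the inline comment ties PERMISSION_DENIED to a feature-flag check, a genuine permission denial would presumably be reported as "unsupported" too; keeping the cause makes the two distinguishable in logs: `throw new UnsupportedOperationException("getLastAuthTime rejected by keystore2", e);`. Other `ServiceSpecificException` codes fall through to `BIOMETRIC_NO_AUTHENTICATION` without any log line, and the first catch now concatenates `+ e` instead of passing `e` to `Log.w`, which drops the stack trace; `Log.w(TAG, "Error getting last auth time", e);` keeps it. The Javadoc for this method starts outside the hunk.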