-rw-r--r-- | keystore/java/android/security/KeyStore.java | 14 | ||||
-rw-r--r-- | keystore/java/android/security/KeyStoreAuthorization.java (renamed from keystore/java/android/security/Authorization.java) | 29 | ||||
-rw-r--r-- | services/core/java/com/android/server/biometrics/AuthSession.java | 18 | ||||
-rw-r--r-- | services/core/java/com/android/server/biometrics/BiometricService.java | 37 | ||||
-rw-r--r-- | services/core/java/com/android/server/biometrics/sensors/AuthenticationClient.java | 4 | ||||
-rw-r--r-- | services/core/java/com/android/server/locksettings/LockSettingsService.java | 10 | ||||
-rw-r--r-- | services/core/java/com/android/server/trust/TrustManagerService.java | 28 | ||||
-rw-r--r-- | services/tests/mockingservicestests/src/com/android/server/trust/TrustManagerServiceTest.java | 50 | ||||
-rw-r--r-- | services/tests/servicestests/src/com/android/server/biometrics/AuthSessionTest.java | 11 | ||||
-rw-r--r-- | services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java | 26 |
10 files changed, 113 insertions, 114 deletions
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java index 2cac2e150919..2f2215fd51a2 100644 --- a/keystore/java/android/security/KeyStore.java +++ b/keystore/java/android/security/KeyStore.java @@ -17,7 +17,6 @@ package android.security; import android.compat.annotation.UnsupportedAppUsage; -import android.os.StrictMode; /** * This class provides some constants and helper methods related to Android's Keystore service. @@ -38,17 +37,4 @@ public class KeyStore { public static KeyStore getInstance() { return KEY_STORE; } - - /** - * Add an authentication record to the keystore authorization table. - * - * @param authToken The packed bytes of a hw_auth_token_t to be provided to keymaster. - * @return 0 on success, otherwise an error value corresponding to a - * {@code KeymasterDefs.KM_ERROR_} value or {@code KeyStore} ResponseCode. - */ - public int addAuthToken(byte[] authToken) { - StrictMode.noteDiskWrite(); - - return Authorization.addAuthToken(authToken); - } } diff --git a/keystore/java/android/security/Authorization.java b/keystore/java/android/security/KeyStoreAuthorization.java index 6404c4bc33d6..14d715f03ae1 100644 --- a/keystore/java/android/security/Authorization.java +++ b/keystore/java/android/security/KeyStoreAuthorization.java 
@@ -33,15 +33,21 @@ import android.util.Log; * @hide This is the client side for IKeystoreAuthorization AIDL. * It shall only be used by biometric authentication providers and Gatekeeper. */ -public class Authorization { - private static final String TAG = "KeystoreAuthorization"; +public class KeyStoreAuthorization { + private static final String TAG = "KeyStoreAuthorization"; public static final int SYSTEM_ERROR = ResponseCode.SYSTEM_ERROR; + private static final KeyStoreAuthorization sInstance = new KeyStoreAuthorization(); + + public static KeyStoreAuthorization getInstance() { + return sInstance; + } + /** * @return an instance of IKeystoreAuthorization */ - public static IKeystoreAuthorization getService() { + private IKeystoreAuthorization getService() { return IKeystoreAuthorization.Stub.asInterface( ServiceManager.checkService("android.security.authorization")); } @@ -52,7 +58,7 @@ public class Authorization { * @param authToken created by Android authenticators. * @return 0 if successful or {@code ResponseCode.SYSTEM_ERROR}. */ - public static int addAuthToken(@NonNull HardwareAuthToken authToken) { + public int addAuthToken(@NonNull HardwareAuthToken authToken) { StrictMode.noteSlowCall("addAuthToken"); try { getService().addAuthToken(authToken); @@ -70,7 +76,7 @@ public class Authorization { * @param authToken * @return 0 if successful or a {@code ResponseCode}. */ - public static int addAuthToken(@NonNull byte[] authToken) { + public int addAuthToken(@NonNull byte[] authToken) { return addAuthToken(AuthTokenUtils.toHardwareAuthToken(authToken)); } @@ -82,7 +88,7 @@ public class Authorization { * is LSKF (or equivalent) and thus has made the synthetic password available * @return 0 if successful or a {@code ResponseCode}. */ - public static int onDeviceUnlocked(int userId, @Nullable byte[] password) { + public int onDeviceUnlocked(int userId, @Nullable byte[] password) { StrictMode.noteDiskWrite(); try { getService().onDeviceUnlocked(userId, password); 
@@ -103,7 +109,7 @@ public class Authorization { * @param weakUnlockEnabled - true if non-strong biometric or trust agent unlock is enabled * @return 0 if successful or a {@code ResponseCode}. */ - public static int onDeviceLocked(int userId, @NonNull long[] unlockingSids, + public int onDeviceLocked(int userId, @NonNull long[] unlockingSids, boolean weakUnlockEnabled) { StrictMode.noteDiskWrite(); try { @@ -125,14 +131,17 @@ public class Authorization { * @return the last authentication time or * {@link BiometricConstants#BIOMETRIC_NO_AUTHENTICATION}. */ - public static long getLastAuthenticationTime( - long userId, @HardwareAuthenticatorType int[] authenticatorTypes) { + public long getLastAuthTime(long userId, @HardwareAuthenticatorType int[] authenticatorTypes) { try { return getService().getLastAuthTime(userId, authenticatorTypes); } catch (RemoteException | NullPointerException e) { - Log.w(TAG, "Can not connect to keystore", e); + Log.w(TAG, "Error getting last auth time: " + e); return BiometricConstants.BIOMETRIC_NO_AUTHENTICATION; } catch (ServiceSpecificException e) { + // This is returned when the feature flag test fails in keystore2 + if (e.errorCode == ResponseCode.PERMISSION_DENIED) { + throw new UnsupportedOperationException(); + } return BiometricConstants.BIOMETRIC_NO_AUTHENTICATION; } } diff --git a/services/core/java/com/android/server/biometrics/AuthSession.java b/services/core/java/com/android/server/biometrics/AuthSession.java index c5073001a672..69e87fca659a 100644 --- a/services/core/java/com/android/server/biometrics/AuthSession.java +++ b/services/core/java/com/android/server/biometrics/AuthSession.java 
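Review bot: The new `throw new UnsupportedOperationException()` in the `ServiceSpecificException` branch of `getLastAuthTime` is missing from the Javadoc, whose visible `@return` text describes only the two return values, and the exception carries no message. Now that this mapping lives in the shared client class rather than in BiometricService, I would add `@throws UnsupportedOperationException if keystore2 rejects the call with {@code ResponseCode.PERMISSION_DENIED}` and pass a message to the exception, because a real permission denial and a disabled feature flag are otherwise indistinguishable to callers and in logs. The first catch now logs `"Error getting last auth time: " + e`, which drops the stack trace that the previous three-argument form kept; `Log.w(TAG, "Error getting last auth time", e)` would preserve it. The Javadoc block opens above the hunk.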
@@ -56,7 +56,7 @@ import android.hardware.fingerprint.FingerprintManager; import android.hardware.fingerprint.FingerprintSensorPropertiesInternal; import android.os.IBinder; import android.os.RemoteException; -import android.security.KeyStore; +import android.security.KeyStoreAuthorization; import android.util.Slog; import com.android.internal.annotations.VisibleForTesting; @@ -111,7 +111,7 @@ public final class AuthSession implements IBinder.DeathRecipient { @NonNull private final BiometricContext mBiometricContext; private final IStatusBarService mStatusBarService; @VisibleForTesting final IBiometricSysuiReceiver mSysuiReceiver; - private final KeyStore mKeyStore; + private final KeyStoreAuthorization mKeyStoreAuthorization; private final Random mRandom; private final ClientDeathReceiver mClientDeathReceiver; final PreAuthInfo mPreAuthInfo; @@ -158,7 +158,7 @@ public final class AuthSession implements IBinder.DeathRecipient { @NonNull BiometricContext biometricContext, @NonNull IStatusBarService statusBarService, @NonNull IBiometricSysuiReceiver sysuiReceiver, - @NonNull KeyStore keystore, + @NonNull KeyStoreAuthorization keyStoreAuthorization, @NonNull Random random, @NonNull ClientDeathReceiver clientDeathReceiver, @NonNull PreAuthInfo preAuthInfo, @@ -172,8 +172,8 @@ public final class AuthSession implements IBinder.DeathRecipient { @NonNull PromptInfo promptInfo, boolean debugEnabled, @NonNull List<FingerprintSensorPropertiesInternal> fingerprintSensorProperties) { - this(context, biometricContext, statusBarService, sysuiReceiver, keystore, random, - clientDeathReceiver, preAuthInfo, token, requestId, operationId, userId, + this(context, biometricContext, statusBarService, sysuiReceiver, keyStoreAuthorization, + random, clientDeathReceiver, preAuthInfo, token, requestId, operationId, userId, sensorReceiver, clientReceiver, opPackageName, promptInfo, debugEnabled, fingerprintSensorProperties, BiometricFrameworkStatsLogger.getInstance()); } 
@@ -183,7 +183,7 @@ public final class AuthSession implements IBinder.DeathRecipient { @NonNull BiometricContext biometricContext, @NonNull IStatusBarService statusBarService, @NonNull IBiometricSysuiReceiver sysuiReceiver, - @NonNull KeyStore keystore, + @NonNull KeyStoreAuthorization keyStoreAuthorization, @NonNull Random random, @NonNull ClientDeathReceiver clientDeathReceiver, @NonNull PreAuthInfo preAuthInfo, @@ -203,7 +203,7 @@ public final class AuthSession implements IBinder.DeathRecipient { mBiometricContext = biometricContext; mStatusBarService = statusBarService; mSysuiReceiver = sysuiReceiver; - mKeyStore = keystore; + mKeyStoreAuthorization = keyStoreAuthorization; mRandom = random; mClientDeathReceiver = clientDeathReceiver; mPreAuthInfo = preAuthInfo; @@ -814,14 +814,14 @@ public final class AuthSession implements IBinder.DeathRecipient { switch (reason) { case BiometricPrompt.DISMISSED_REASON_CREDENTIAL_CONFIRMED: if (credentialAttestation != null) { - mKeyStore.addAuthToken(credentialAttestation); + mKeyStoreAuthorization.addAuthToken(credentialAttestation); } else { Slog.e(TAG, "credentialAttestation is null"); } case BiometricPrompt.DISMISSED_REASON_BIOMETRIC_CONFIRMED: case BiometricPrompt.DISMISSED_REASON_BIOMETRIC_CONFIRM_NOT_REQUIRED: if (mTokenEscrow != null) { - final int result = mKeyStore.addAuthToken(mTokenEscrow); + final int result = mKeyStoreAuthorization.addAuthToken(mTokenEscrow); Slog.d(TAG, "addAuthToken: " + result); } else { Slog.e(TAG, "mTokenEscrow is null"); diff --git a/services/core/java/com/android/server/biometrics/BiometricService.java b/services/core/java/com/android/server/biometrics/BiometricService.java index 91a68ea67b3b..bccbee90e234 100644 --- a/services/core/java/com/android/server/biometrics/BiometricService.java +++ b/services/core/java/com/android/server/biometrics/BiometricService.java 
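Review bot: On the `DISMISSED_REASON_CREDENTIAL_CONFIRMED` path the status returned by `mKeyStoreAuthorization.addAuthToken(credentialAttestation)` is discarded, while the biometric path below at least logs it, so a credential token that keystore did not accept leaves no trace here. I would capture it and log failures, e.g. `final int credResult = mKeyStoreAuthorization.addAuthToken(credentialAttestation);` followed by `if (credResult != 0) Slog.e(TAG, "addAuthToken (credential) failed: " + credResult);`. The case also runs on into `DISMISSED_REASON_BIOMETRIC_CONFIRMED` with no `break` visible in the hunk; if that is intended, a `// fall through` comment would say so. The same unchecked status appears in the `unlockKeystore` hunk of LockSettingsService and in the `onDeviceLocked`/`onDeviceUnlocked` calls in TrustManagerService, where a failed notification could leave keystore's view of the lock state out of step with the framework's. The switch starts and ends outside the hunk.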
@@ -65,15 +65,11 @@ import android.os.IBinder; import android.os.Looper; import android.os.RemoteException; import android.os.ServiceManager; -import android.os.ServiceSpecificException; import android.os.UserHandle; import android.os.UserManager; import android.provider.Settings; -import android.security.Authorization; import android.security.GateKeeper; -import android.security.KeyStore; -import android.security.authorization.IKeystoreAuthorization; -import android.security.authorization.ResponseCode; +import android.security.KeyStoreAuthorization; import android.service.gatekeeper.IGateKeeperService; import android.text.TextUtils; import android.util.ArraySet; @@ -123,11 +119,9 @@ public class BiometricService extends SystemService { @VisibleForTesting IStatusBarService mStatusBarService; @VisibleForTesting - KeyStore mKeyStore; - @VisibleForTesting ITrustManager mTrustManager; @VisibleForTesting - IKeystoreAuthorization mKeystoreAuthorization; + KeyStoreAuthorization mKeyStoreAuthorization; @VisibleForTesting IGateKeeperService mGateKeeper; @@ -672,19 +666,7 @@ public class BiometricService extends SystemService { int[] authTypesArray = hardwareAuthenticators.stream() .mapToInt(Integer::intValue) .toArray(); - try { - return mKeystoreAuthorization.getLastAuthTime(secureUserId, authTypesArray); - } catch (RemoteException e) { - Slog.w(TAG, "Error getting last auth time: " + e); - return BiometricConstants.BIOMETRIC_NO_AUTHENTICATION; - } catch (ServiceSpecificException e) { - // This is returned when the feature flag test fails in keystore2 - if (e.errorCode == ResponseCode.PERMISSION_DENIED) { - throw new UnsupportedOperationException(); - } - - return BiometricConstants.BIOMETRIC_NO_AUTHENTICATION; - } + return mKeyStoreAuthorization.getLastAuthTime(secureUserId, authTypesArray); } @android.annotation.EnforcePermission(android.Manifest.permission.USE_BIOMETRIC_INTERNAL) 
@@ -1009,8 +991,8 @@ public class BiometricService extends SystemService { return ActivityManager.getService(); } - public IKeystoreAuthorization getKeystoreAuthorizationService() { - return Authorization.getService(); + public KeyStoreAuthorization getKeyStoreAuthorization() { + return KeyStoreAuthorization.getInstance(); } public IGateKeeperService getGateKeeperService() { @@ -1034,10 +1016,6 @@ public class BiometricService extends SystemService { return new SettingObserver(context, handler, callbacks); } - public KeyStore getKeyStore() { - return KeyStore.getInstance(); - } - /** * Allows to enable/disable debug logs. */ @@ -1130,7 +1108,7 @@ public class BiometricService extends SystemService { mBiometricContext = injector.getBiometricContext(context); mUserManager = injector.getUserManager(context); mBiometricCameraManager = injector.getBiometricCameraManager(context); - mKeystoreAuthorization = injector.getKeystoreAuthorizationService(); + mKeyStoreAuthorization = injector.getKeyStoreAuthorization(); mGateKeeper = injector.getGateKeeperService(); try { @@ -1150,7 +1128,6 @@ public class BiometricService extends SystemService { @Override public void onStart() { - mKeyStore = mInjector.getKeyStore(); mStatusBarService = mInjector.getStatusBarService(); mTrustManager = mInjector.getTrustManager(); mInjector.publishBinderService(this, mImpl); @@ -1458,7 +1435,7 @@ public class BiometricService extends SystemService { final boolean debugEnabled = mInjector.isDebugEnabled(getContext(), userId); mAuthSession = new AuthSession(getContext(), mBiometricContext, mStatusBarService, - createSysuiReceiver(requestId), mKeyStore, mRandom, + createSysuiReceiver(requestId), mKeyStoreAuthorization, mRandom, createClientDeathReceiver(requestId), preAuthInfo, token, requestId, operationId, userId, createBiometricSensorReceiver(requestId), receiver, opPackageName, promptInfo, debugEnabled, 
diff --git a/services/core/java/com/android/server/biometrics/sensors/AuthenticationClient.java b/services/core/java/com/android/server/biometrics/sensors/AuthenticationClient.java index 6eba23f45fdf..749e12b4fe14 100644 --- a/services/core/java/com/android/server/biometrics/sensors/AuthenticationClient.java +++ b/services/core/java/com/android/server/biometrics/sensors/AuthenticationClient.java @@ -30,7 +30,7 @@ import android.hardware.biometrics.BiometricManager; import android.hardware.biometrics.BiometricRequestConstants; import android.os.IBinder; import android.os.RemoteException; -import android.security.KeyStore; +import android.security.KeyStoreAuthorization; import android.util.EventLog; import android.util.Slog; @@ -255,7 +255,7 @@ public abstract class AuthenticationClient<T, O extends AuthenticateOptions> // For BP, BiometricService will add the authToken to Keystore. if (!isBiometricPrompt() && mIsStrongBiometric) { - final int result = KeyStore.getInstance().addAuthToken(byteToken); + final int result = KeyStoreAuthorization.getInstance().addAuthToken(byteToken); if (result != 0) { Slog.d(TAG, "Error adding auth token : " + result); } else { diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java index a9a9d87bfaf7..ba99d2e4a950 100644 --- a/services/core/java/com/android/server/locksettings/LockSettingsService.java +++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java @@ -103,7 +103,7 @@ import android.os.storage.StorageManager; import android.provider.DeviceConfig; import android.provider.Settings; import android.security.AndroidKeyStoreMaintenance; -import android.security.Authorization; +import android.security.KeyStoreAuthorization; import android.security.keystore.KeyProperties; import android.security.keystore.KeyProtection; import android.security.keystore.recovery.KeyChainProtectionParams; 
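Review bot: `KeyStoreAuthorization.getInstance().addAuthToken(byteToken)` reaches for the singleton inline, whereas the other call sites touched by this commit receive the instance through a constructor argument or an Injector. That leaves this strong-biometric token path as the one place where a test cannot substitute a mock and verify that the token was, or was not, forwarded. Consider holding the instance in a field supplied at construction, or at minimum adding a comment such as `// TODO: inject KeyStoreAuthorization so the non-BiometricPrompt path is testable`. The enclosing method begins and ends outside the hunk.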
@@ -289,6 +289,7 @@ public class LockSettingsService extends ILockSettings.Stub { private final SyntheticPasswordManager mSpManager; private final KeyStore mKeyStore; + private final KeyStoreAuthorization mKeyStoreAuthorization; private final RecoverableKeyStoreManager mRecoverableKeyStoreManager; private final UnifiedProfilePasswordCache mUnifiedProfilePasswordCache; @@ -623,6 +624,10 @@ public class LockSettingsService extends ILockSettings.Stub { } } + public KeyStoreAuthorization getKeyStoreAuthorization() { + return KeyStoreAuthorization.getInstance(); + } + public @NonNull UnifiedProfilePasswordCache getUnifiedProfilePasswordCache(KeyStore ks) { return new UnifiedProfilePasswordCache(ks); } @@ -646,6 +651,7 @@ public class LockSettingsService extends ILockSettings.Stub { mInjector = injector; mContext = injector.getContext(); mKeyStore = injector.getKeyStore(); + mKeyStoreAuthorization = injector.getKeyStoreAuthorization(); mRecoverableKeyStoreManager = injector.getRecoverableKeyStoreManager(); mHandler = injector.getHandler(injector.getServiceThread()); mStrongAuth = injector.getStrongAuth(); @@ -1434,7 +1440,7 @@ public class LockSettingsService extends ILockSettings.Stub { } private void unlockKeystore(int userId, SyntheticPassword sp) { - Authorization.onDeviceUnlocked(userId, sp.deriveKeyStorePassword()); + mKeyStoreAuthorization.onDeviceUnlocked(userId, sp.deriveKeyStorePassword()); } @VisibleForTesting /** Note: this method is overridden in unit tests */ diff --git a/services/core/java/com/android/server/trust/TrustManagerService.java b/services/core/java/com/android/server/trust/TrustManagerService.java index e5a8a6dd2a3a..7794048e615c 100644 --- a/services/core/java/com/android/server/trust/TrustManagerService.java +++ b/services/core/java/com/android/server/trust/TrustManagerService.java 
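Review bot: In `unlockKeystore`, the array returned by `sp.deriveKeyStorePassword()` is passed straight into `onDeviceUnlocked` and never cleared, so the derived keystore password stays on the heap until it is garbage collected. Assuming the method returns a fresh array that nothing else retains, I would hold it in a local and wipe it afterwards: `final byte[] password = sp.deriveKeyStorePassword();` then `try { mKeyStoreAuthorization.onDeviceUnlocked(userId, password); } finally { Arrays.fill(password, (byte) 0); }`. This needs `java.util.Arrays` in scope; the visible import hunk does not show whether it already is.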
@@ -61,7 +61,7 @@ import android.os.SystemClock; import android.os.UserHandle; import android.os.UserManager; import android.provider.Settings; -import android.security.Authorization; +import android.security.KeyStoreAuthorization; import android.service.trust.GrantTrustResult; import android.service.trust.TrustAgentService; import android.text.TextUtils; @@ -156,6 +156,7 @@ public class TrustManagerService extends SystemService { /* package */ final TrustArchive mArchive = new TrustArchive(); private final Context mContext; private final LockPatternUtils mLockPatternUtils; + private final KeyStoreAuthorization mKeyStoreAuthorization; private final UserManager mUserManager; private final ActivityManager mActivityManager; private FingerprintManager mFingerprintManager; @@ -249,25 +250,27 @@ public class TrustManagerService extends SystemService { * cases. */ protected static class Injector { - private final LockPatternUtils mLockPatternUtils; - private final Looper mLooper; + private final Context mContext; - public Injector(LockPatternUtils lockPatternUtils, Looper looper) { - mLockPatternUtils = lockPatternUtils; - mLooper = looper; + public Injector(Context context) { + mContext = context; } LockPatternUtils getLockPatternUtils() { - return mLockPatternUtils; + return new LockPatternUtils(mContext); + } + + KeyStoreAuthorization getKeyStoreAuthorization() { + return KeyStoreAuthorization.getInstance(); } Looper getLooper() { - return mLooper; + return Looper.myLooper(); } } public TrustManagerService(Context context) { - this(context, new Injector(new LockPatternUtils(context), Looper.myLooper())); + this(context, new Injector(context)); } protected TrustManagerService(Context context, Injector injector) { 
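Review bot: `Injector.getLooper()` now evaluates `Looper.myLooper()` on each call instead of returning a looper captured when the Injector was built, so its result depends on the calling thread and is null on a thread without a looper. The constructor in the next hunk calls it once during construction, which keeps today's behaviour, but nothing documents that constraint; likewise `getLockPatternUtils()` now builds a new `LockPatternUtils` per call. I would add a comment on the getter, e.g. `/** Must be called on the thread that will run the service's handlers; returns that thread's looper. */`, and a one-line Javadoc on the new `getKeyStoreAuthorization()`.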
@@ -277,6 +280,7 @@ public class TrustManagerService extends SystemService { mUserManager = (UserManager) mContext.getSystemService(Context.USER_SERVICE); mActivityManager = (ActivityManager) mContext.getSystemService(Context.ACTIVITY_SERVICE); mLockPatternUtils = injector.getLockPatternUtils(); + mKeyStoreAuthorization = injector.getKeyStoreAuthorization(); mStrongAuthTracker = new StrongAuthTracker(context, injector.getLooper()); mAlarmManager = (AlarmManager) mContext.getSystemService(Context.ALARM_SERVICE); } @@ -908,16 +912,16 @@ public class TrustManagerService extends SystemService { int authUserId = mLockPatternUtils.isProfileWithUnifiedChallenge(userId) ? resolveProfileParent(userId) : userId; - Authorization.onDeviceLocked(userId, getBiometricSids(authUserId), + mKeyStoreAuthorization.onDeviceLocked(userId, getBiometricSids(authUserId), isWeakUnlockMethodEnabled(authUserId)); } else { - Authorization.onDeviceLocked(userId, getBiometricSids(userId), false); + mKeyStoreAuthorization.onDeviceLocked(userId, getBiometricSids(userId), false); } } else { // Notify Keystore that the device is now unlocked for the user. Note that for unlocks // with LSKF, this is redundant with the call from LockSettingsService which provides // the password. However, for unlocks with biometric or trust agent, this is required. - Authorization.onDeviceUnlocked(userId, /* password= */ null); + mKeyStoreAuthorization.onDeviceUnlocked(userId, /* password= */ null); } } diff --git a/services/tests/mockingservicestests/src/com/android/server/trust/TrustManagerServiceTest.java b/services/tests/mockingservicestests/src/com/android/server/trust/TrustManagerServiceTest.java index b41568298dbc..0532e04257d4 100644 --- a/services/tests/mockingservicestests/src/com/android/server/trust/TrustManagerServiceTest.java +++ b/services/tests/mockingservicestests/src/com/android/server/trust/TrustManagerServiceTest.java 
@@ -55,6 +55,7 @@ import android.os.Bundle; import android.os.Handler; import android.os.HandlerThread; import android.os.IBinder; +import android.os.Looper; import android.os.RemoteException; import android.os.ServiceManager; import android.os.UserHandle; @@ -63,8 +64,7 @@ import android.platform.test.annotations.RequiresFlagsEnabled; import android.platform.test.flag.junit.CheckFlagsRule; import android.platform.test.flag.junit.DeviceFlagsValueProvider; import android.provider.Settings; -import android.security.Authorization; -import android.security.authorization.IKeystoreAuthorization; +import android.security.KeyStoreAuthorization; import android.service.trust.TrustAgentService; import android.testing.TestableContext; import android.view.IWindowManager; @@ -96,7 +96,6 @@ public class TrustManagerServiceTest { @Rule public final ExtendedMockitoRule mExtendedMockitoRule = new ExtendedMockitoRule.Builder(this) .spyStatic(ActivityManager.class) - .spyStatic(Authorization.class) .mockStatic(ServiceManager.class) .mockStatic(WindowManagerGlobal.class) .build(); @@ -126,14 +125,13 @@ public class TrustManagerServiceTest { private @Mock DevicePolicyManager mDevicePolicyManager; private @Mock FaceManager mFaceManager; private @Mock FingerprintManager mFingerprintManager; - private @Mock IKeystoreAuthorization mKeystoreAuthorization; + private @Mock KeyStoreAuthorization mKeyStoreAuthorization; private @Mock LockPatternUtils mLockPatternUtils; private @Mock PackageManager mPackageManager; private @Mock UserManager mUserManager; private @Mock IWindowManager mWindowManager; private HandlerThread mHandlerThread; - private TrustManagerService.Injector mInjector; private TrustManagerService mService; private ITrustManager mTrustManager; 
@@ -145,8 +143,6 @@ public class TrustManagerServiceTest { when(mFaceManager.getSensorProperties()).thenReturn(List.of()); when(mFingerprintManager.getSensorProperties()).thenReturn(List.of()); - doReturn(mKeystoreAuthorization).when(() -> Authorization.getService()); - when(mLockPatternUtils.getDevicePolicyManager()).thenReturn(mDevicePolicyManager); when(mLockPatternUtils.isSecure(TEST_USER_ID)).thenReturn(true); when(mLockPatternUtils.getKnownTrustAgents(TEST_USER_ID)).thenReturn(mKnownTrustAgents); @@ -193,8 +189,7 @@ public class TrustManagerServiceTest { mHandlerThread = new HandlerThread("handler"); mHandlerThread.start(); - mInjector = new TrustManagerService.Injector(mLockPatternUtils, mHandlerThread.getLooper()); - mService = new TrustManagerService(mMockContext, mInjector); + mService = new TrustManagerService(mMockContext, new MockInjector(mMockContext)); // Get the ITrustManager from the new TrustManagerService. mService.onStart(); @@ -204,6 +199,27 @@ public class TrustManagerServiceTest { mTrustManager = ITrustManager.Stub.asInterface(binderArgumentCaptor.getValue()); } + private class MockInjector extends TrustManagerService.Injector { + MockInjector(Context context) { + super(context); + } + + @Override + LockPatternUtils getLockPatternUtils() { + return mLockPatternUtils; + } + + @Override + KeyStoreAuthorization getKeyStoreAuthorization() { + return mKeyStoreAuthorization; + } + + @Override + Looper getLooper() { + return mHandlerThread.getLooper(); + } + } + @After public void tearDown() { LocalServices.removeServiceForTest(SystemServiceManager.class); 
@@ -371,14 +387,14 @@ public class TrustManagerServiceTest { when(mWindowManager.isKeyguardLocked()).thenReturn(false); mTrustManager.reportKeyguardShowingChanged(); - verify(mKeystoreAuthorization).onDeviceUnlocked(PARENT_USER_ID, null); - verify(mKeystoreAuthorization).onDeviceUnlocked(PROFILE_USER_ID, null); + verify(mKeyStoreAuthorization).onDeviceUnlocked(PARENT_USER_ID, null); + verify(mKeyStoreAuthorization).onDeviceUnlocked(PROFILE_USER_ID, null); when(mWindowManager.isKeyguardLocked()).thenReturn(true); mTrustManager.reportKeyguardShowingChanged(); - verify(mKeystoreAuthorization) + verify(mKeyStoreAuthorization) .onDeviceLocked(eq(PARENT_USER_ID), eq(PARENT_BIOMETRIC_SIDS), eq(false)); - verify(mKeystoreAuthorization) + verify(mKeyStoreAuthorization) .onDeviceLocked(eq(PROFILE_USER_ID), eq(PARENT_BIOMETRIC_SIDS), eq(false)); } @@ -392,10 +408,10 @@ public class TrustManagerServiceTest { setupMocksForProfile(/* unifiedChallenge= */ false); mTrustManager.setDeviceLockedForUser(PROFILE_USER_ID, false); - verify(mKeystoreAuthorization).onDeviceUnlocked(PROFILE_USER_ID, null); + verify(mKeyStoreAuthorization).onDeviceUnlocked(PROFILE_USER_ID, null); mTrustManager.setDeviceLockedForUser(PROFILE_USER_ID, true); - verify(mKeystoreAuthorization) + verify(mKeyStoreAuthorization) .onDeviceLocked(eq(PROFILE_USER_ID), eq(PROFILE_BIOMETRIC_SIDS), eq(false)); } 
@@ -572,11 +588,11 @@ public class TrustManagerServiceTest { private void verifyWeakUnlockValue(boolean expectedWeakUnlockEnabled) throws Exception { when(mWindowManager.isKeyguardLocked()).thenReturn(false); mTrustManager.reportKeyguardShowingChanged(); - verify(mKeystoreAuthorization).onDeviceUnlocked(TEST_USER_ID, null); + verify(mKeyStoreAuthorization).onDeviceUnlocked(TEST_USER_ID, null); when(mWindowManager.isKeyguardLocked()).thenReturn(true); mTrustManager.reportKeyguardShowingChanged(); - verify(mKeystoreAuthorization).onDeviceLocked(eq(TEST_USER_ID), any(), + verify(mKeyStoreAuthorization).onDeviceLocked(eq(TEST_USER_ID), any(), eq(expectedWeakUnlockEnabled)); } diff --git a/services/tests/servicestests/src/com/android/server/biometrics/AuthSessionTest.java b/services/tests/servicestests/src/com/android/server/biometrics/AuthSessionTest.java index 74eb79d7554c..34092b6855b1 100644 --- a/services/tests/servicestests/src/com/android/server/biometrics/AuthSessionTest.java +++ b/services/tests/servicestests/src/com/android/server/biometrics/AuthSessionTest.java @@ -68,7 +68,7 @@ import android.os.Binder; import android.os.IBinder; import android.os.RemoteException; import android.platform.test.annotations.Presubmit; -import android.security.KeyStore; +import android.security.KeyStoreAuthorization; import androidx.test.filters.SmallTest; @@ -105,7 +105,7 @@ public class AuthSessionTest { @Mock private IBiometricServiceReceiver mClientReceiver; @Mock private IStatusBarService mStatusBarService; @Mock private IBiometricSysuiReceiver mSysuiReceiver; - @Mock private KeyStore mKeyStore; + @Mock private KeyStoreAuthorization mKeyStoreAuthorization; @Mock private AuthSession.ClientDeathReceiver mClientDeathReceiver; @Mock private BiometricFrameworkStatsLogger mBiometricFrameworkStatsLogger; @Mock private BiometricCameraManager mBiometricCameraManager; 
@@ -665,9 +665,10 @@ public class AuthSessionTest { final PreAuthInfo preAuthInfo = createPreAuthInfo(sensors, userId, promptInfo, checkDevicePolicyManager); return new AuthSession(mContext, mBiometricContext, mStatusBarService, mSysuiReceiver, - mKeyStore, mRandom, mClientDeathReceiver, preAuthInfo, mToken, requestId, - operationId, userId, mSensorReceiver, mClientReceiver, TEST_PACKAGE, promptInfo, - false /* debugEnabled */, mFingerprintSensorProps, mBiometricFrameworkStatsLogger); + mKeyStoreAuthorization, mRandom, mClientDeathReceiver, preAuthInfo, mToken, + requestId, operationId, userId, mSensorReceiver, mClientReceiver, TEST_PACKAGE, + promptInfo, false /* debugEnabled */, mFingerprintSensorProps, + mBiometricFrameworkStatsLogger); } private PromptInfo createPromptInfo(@Authenticators.Types int authenticators) { diff --git a/services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java b/services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java index 408442bcceed..3eaf9af65593 100644 --- a/services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java +++ b/services/tests/servicestests/src/com/android/server/biometrics/BiometricServiceTest.java @@ -80,8 +80,7 @@ import android.os.UserManager; import android.platform.test.annotations.Presubmit; import android.platform.test.flag.junit.SetFlagsRule; import android.security.GateKeeper; -import android.security.KeyStore; -import android.security.authorization.IKeystoreAuthorization; +import android.security.KeyStoreAuthorization; import android.service.gatekeeper.IGateKeeperService; import android.view.Display; import android.view.DisplayInfo; @@ -173,7 +172,7 @@ public class BiometricServiceTest { private BiometricCameraManager mBiometricCameraManager; @Mock - private IKeystoreAuthorization mKeystoreAuthService; + private KeyStoreAuthorization mKeyStoreAuthorization; @Mock private IGateKeeperService mGateKeeperService; 
@@ -195,7 +194,7 @@ public class BiometricServiceTest { when(mInjector.getStatusBarService()).thenReturn(mock(IStatusBarService.class)); when(mInjector.getSettingObserver(any(), any(), any())) .thenReturn(mock(BiometricService.SettingObserver.class)); - when(mInjector.getKeyStore()).thenReturn(mock(KeyStore.class)); + when(mInjector.getKeyStoreAuthorization()).thenReturn(mock(KeyStoreAuthorization.class)); when(mInjector.isDebugEnabled(any(), anyInt())).thenReturn(false); when(mInjector.getBiometricStrengthController(any())) .thenReturn(mock(BiometricStrengthController.class)); @@ -231,7 +230,7 @@ public class BiometricServiceTest { mStatusBarService, null /* handler */, mAuthSessionCoordinator); when(mInjector.getBiometricContext(any())).thenReturn(mBiometricContextProvider); - when(mInjector.getKeystoreAuthorizationService()).thenReturn(mKeystoreAuthService); + when(mInjector.getKeyStoreAuthorization()).thenReturn(mKeyStoreAuthorization); when(mInjector.getGateKeeperService()).thenReturn(mGateKeeperService); when(mGateKeeperService.getSecureUserId(anyInt())).thenReturn(42L); @@ -661,9 +660,9 @@ public class BiometricServiceTest { waitForIdle(); // HAT sent to keystore if (isStrongBiometric) { - verify(mBiometricService.mKeyStore).addAuthToken(AdditionalMatchers.aryEq(HAT)); + verify(mKeyStoreAuthorization).addAuthToken(AdditionalMatchers.aryEq(HAT)); } else { - verify(mBiometricService.mKeyStore, never()).addAuthToken(any(byte[].class)); + verify(mKeyStoreAuthorization, never()).addAuthToken(any(byte[].class)); } // Send onAuthenticated to client verify(mReceiver1).onAuthenticationSucceeded( 
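Review bot: `mInjector.getKeyStoreAuthorization()` is stubbed twice, first with an anonymous `mock(KeyStoreAuthorization.class)` and then in the next hunk with the `mKeyStoreAuthorization` field, so the `verify(mKeyStoreAuthorization)...addAuthToken` assertions hold only because the second stub wins. If both stubs sit in the same setup path (the enclosing methods are outside the hunks), the first is dead and can be removed. If a test ever constructs the service between them, the positive verifications would fail and the `never()` ones would pass vacuously against the wrong mock. Dropping the first line, or changing it to `when(mInjector.getKeyStoreAuthorization()).thenReturn(mKeyStoreAuthorization);`, removes the ordering dependency.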
@@ -726,7 +725,7 @@ public class BiometricServiceTest { waitForIdle(); // Waiting for SystemUI to send confirmation callback assertEquals(STATE_AUTH_PENDING_CONFIRM, mBiometricService.mAuthSession.getState()); - verify(mBiometricService.mKeyStore, never()).addAuthToken(any(byte[].class)); + verify(mKeyStoreAuthorization, never()).addAuthToken(any(byte[].class)); // SystemUI sends confirm, HAT is sent to keystore and client is notified. mBiometricService.mAuthSession.mSysuiReceiver.onDialogDismissed( @@ -734,9 +733,9 @@ public class BiometricServiceTest { null /* credentialAttestation */); waitForIdle(); if (isStrongBiometric) { - verify(mBiometricService.mKeyStore).addAuthToken(AdditionalMatchers.aryEq(HAT)); + verify(mKeyStoreAuthorization).addAuthToken(AdditionalMatchers.aryEq(HAT)); } else { - verify(mBiometricService.mKeyStore, never()).addAuthToken(any(byte[].class)); + verify(mKeyStoreAuthorization, never()).addAuthToken(any(byte[].class)); } verify(mReceiver1).onAuthenticationSucceeded( BiometricPrompt.AUTHENTICATION_RESULT_TYPE_BIOMETRIC); @@ -1292,7 +1291,7 @@ public class BiometricServiceTest { eq(TYPE_FACE), eq(BiometricConstants.BIOMETRIC_ERROR_USER_CANCELED), eq(0 /* vendorCode */)); - verify(mBiometricService.mKeyStore, never()).addAuthToken(any(byte[].class)); + verify(mKeyStoreAuthorization, never()).addAuthToken(any(byte[].class)); assertNull(mBiometricService.mAuthSession); } @@ -1796,7 +1795,7 @@ public class BiometricServiceTest { final long expectedResult = 31337L; - when(mKeystoreAuthService.getLastAuthTime(eq(secureUserId), eq(hardwareAuthenticators))) + when(mKeyStoreAuthorization.getLastAuthTime(eq(secureUserId), eq(hardwareAuthenticators))) .thenReturn(expectedResult); mBiometricService = new BiometricService(mContext, mInjector); 
@@ -1805,7 +1804,8 @@ public class BiometricServiceTest { Authenticators.BIOMETRIC_STRONG | Authenticators.DEVICE_CREDENTIAL); assertEquals(expectedResult, result); - verify(mKeystoreAuthService).getLastAuthTime(eq(secureUserId), eq(hardwareAuthenticators)); + verify(mKeyStoreAuthorization).getLastAuthTime(eq(secureUserId), + eq(hardwareAuthenticators)); } // Helper methods |