diff options
2 files changed, 36 insertions, 3 deletions
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java index 2c8bc4e37c9a..607987312f4d 100644 --- a/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java +++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java @@ -28,6 +28,7 @@ import android.security.recoverablekeystore.KeyStoreRecoveryMetadata; import android.util.Log; import com.android.internal.annotations.VisibleForTesting; +import com.android.internal.util.ArrayUtils; import com.android.internal.widget.LockPatternUtils; import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb; import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage; @@ -304,6 +305,12 @@ public class KeySyncTask implements Runnable { * @param recoveryAgentUid uid of the recovery agent. */ private boolean shoudCreateSnapshot(int recoveryAgentUid) { + int[] types = mRecoverableKeyStoreDb.getRecoverySecretTypes(mUserId, recoveryAgentUid); + if (!ArrayUtils.contains(types, KeyStoreRecoveryMetadata.TYPE_LOCKSCREEN)) { + // Only lockscreen type is supported. + // We will need to pass extra argument to KeySyncTask to support custom pass phrase. + return false; + } if (mCredentialUpdated) { // Sync credential if at least one snapshot was created. if (mRecoverableKeyStoreDb.getSnapshotVersion(mUserId, recoveryAgentUid) != null) { diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java index 8eaf50a8abc9..f798e9cb1a9e 100644 --- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java +++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java @@ -16,6 +16,8 @@ package com.android.server.locksettings.recoverablekeystore; +import static android.security.recoverablekeystore.KeyStoreRecoveryMetadata.TYPE_LOCKSCREEN; + import static android.security.recoverablekeystore.KeyStoreRecoveryMetadata.TYPE_PASSWORD; import static android.security.recoverablekeystore.KeyStoreRecoveryMetadata.TYPE_PATTERN; import static android.security.recoverablekeystore.KeyStoreRecoveryMetadata.TYPE_PIN; @@ -104,6 +106,10 @@ public class KeySyncTaskTest { mRecoverableKeyStoreDb = RecoverableKeyStoreDb.newInstance(context); mKeyPair = SecureBox.genKeyPair(); + mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, + new int[] {TYPE_LOCKSCREEN}); + mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, + new int[] {TYPE_LOCKSCREEN}); mRecoverySnapshotStorage = new RecoverySnapshotStorage(); mKeySyncTask = new KeySyncTask( @@ -406,10 +412,8 @@ public class KeySyncTaskTest { isEqualTo(TYPE_PATTERN); } - @Test public void run_sendsEncryptedKeysWithTwoRegisteredAgents() throws Exception { - mRecoverableKeyStoreDb.setRecoveryServicePublicKey( TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); mRecoverableKeyStoreDb.setRecoveryServicePublicKey( @@ -425,13 +429,35 @@ public class KeySyncTaskTest { } @Test - public void run_doesNotSendKeyToNonregisteredAgent() throws Exception { + public void run_sendsEncryptedKeysOnlyForAgentWhichActiveUserSecretType() throws Exception { + mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, + new int[] {TYPE_LOCKSCREEN, 100}); + // Snapshot will not be created during unlock event. + mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, + new int[] {100}); mRecoverableKeyStoreDb.setRecoveryServicePublicKey( TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); mRecoverableKeyStoreDb.setRecoveryServicePublicKey( TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, mKeyPair.getPublic()); when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); + when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID2)).thenReturn(true); + addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); + addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_APP_KEY_ALIAS); + mKeySyncTask.run(); + + verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); + verify(mSnapshotListenersStorage, never()). + recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID2); + } + + @Test + public void run_doesNotSendKeyToNonregisteredAgent() throws Exception { + mRecoverableKeyStoreDb.setRecoveryServicePublicKey( + TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); + mRecoverableKeyStoreDb.setRecoveryServicePublicKey( + TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, mKeyPair.getPublic()); + when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID2)).thenReturn(false); addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_APP_KEY_ALIAS); |