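/*
 * Copyright (C) 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.security;

import android.annotation.NonNull;
import android.annotation.Nullable;
import android.hardware.security.keymint.HardwareAuthToken;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.ServiceSpecificException;
import android.security.authorization.IKeystoreAuthorization;
import android.security.authorization.LockScreenEvent;
import android.system.keystore2.ResponseCode;
import android.util.Log;

/**
 * @hide This is the client side for IKeystoreAuthorization AIDL.
 * It shall only be used by biometric authentication providers and Gatekeeper.
 *
 * <p>Every call maps a transport failure (binder error or an unregistered service) to
 * {@link #SYSTEM_ERROR} and a service-side failure to the {@code ResponseCode} carried in the
 * {@link ServiceSpecificException}; callers must check the returned code rather than expect
 * exceptions.
 */
public class Authorization {
    private static final String TAG = "KeystoreAuthorization";

    /** Returned when keystore2 cannot be reached (binder failure or service not registered). */
    public static final int SYSTEM_ERROR = ResponseCode.SYSTEM_ERROR;

    /**
     * Looks up the keystore2 authorization service.
     *
     * @return the service proxy, or {@code null} when the service is not registered. The
     *         public methods below deliberately let the resulting {@link NullPointerException}
     *         propagate into their catch block, where it is mapped to {@link #SYSTEM_ERROR}.
     */
    private static IKeystoreAuthorization getService() {
        return IKeystoreAuthorization.Stub.asInterface(
                ServiceManager.checkService("android.security.authorization"));
    }

    /**
     * Adds an auth token to keystore2.
     *
     * @param authToken created by Android authenticators.
     * @return 0 if successful or {@code ResponseCode.SYSTEM_ERROR}.
     */
    public static int addAuthToken(@NonNull HardwareAuthToken authToken) {
        try {
            getService().addAuthToken(authToken);
            return 0;
        } catch (RemoteException | NullPointerException e) {
            // NPE here means getService() returned null (service not registered); treat it
            // exactly like a binder failure. Only the exception is logged, never the token.
            Log.w(TAG, "Can not connect to keystore", e);
            return SYSTEM_ERROR;
        } catch (ServiceSpecificException e) {
            // keystore2 rejected the token; surface its ResponseCode unchanged.
            return e.errorCode;
        }
    }

    /**
     * Add an auth token to Keystore 2.0 in the legacy serialized auth token format.
     *
     * @param authToken the auth token in the legacy serialized byte format; it is converted via
     *                  {@code AuthTokenUtils.toHardwareAuthToken} before being forwarded.
     * @return 0 if successful or a {@code ResponseCode}.
     */
    public static int addAuthToken(@NonNull byte[] authToken) {
        return addAuthToken(AuthTokenUtils.toHardwareAuthToken(authToken));
    }

    /**
     * Informs keystore2 about lock screen event.
     *
     * @param locked - whether it is a lock (true) or unlock (false) event
     * @param userId - the user the lock screen event applies to
     * @param syntheticPassword - if it is an unlock event with the password, pass the synthetic
     *                          password provided by the LockSettingService. It is only forwarded
     *                          for unlock events; for a lock event {@code null} is sent instead.
     * @param unlockingSids - KeyMint secure user IDs that should be permitted to unlock
     *                        UNLOCKED_DEVICE_REQUIRED keys.
     *
     * @return 0 if successful or a {@code ResponseCode}.
     */
    public static int onLockScreenEvent(boolean locked, int userId,
            @Nullable byte[] syntheticPassword, @Nullable long[] unlockingSids) {
        // Never ship the synthetic password with a LOCK event; it is only meaningful on UNLOCK.
        final int event = locked ? LockScreenEvent.LOCK : LockScreenEvent.UNLOCK;
        final byte[] password = locked ? null : syntheticPassword;
        try {
            getService().onLockScreenEvent(event, userId, password, unlockingSids);
            return 0;
        } catch (RemoteException | NullPointerException e) {
            // NPE here means getService() returned null (service not registered); treat it
            // exactly like a binder failure. Only the exception is logged, never the password.
            Log.w(TAG, "Can not connect to keystore", e);
            return SYSTEM_ERROR;
        } catch (ServiceSpecificException e) {
            // keystore2 rejected the event; surface its ResponseCode unchanged.
            return e.errorCode;
        }
    }

}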