From 8fa5665f0e757cec0063fb4cf1354f1596f93a91 Mon Sep 17 00:00:00 2001 From: Andres Morales Date: Tue, 31 Mar 2015 09:19:50 -0700 Subject: Wire up GateKeeper to LockSettingsService Adds: - Communication to GKService - password upgrade flow - enroll takes previous credential Change-Id: I0161b64642be3d0e34ff4a9e6e3ca8569f2d7c0a --- .../service/gatekeeper/IGateKeeperService.aidl | 51 ++++++++++++++++++++++ .../com/android/internal/widget/ILockSettings.aidl | 4 +- .../android/internal/widget/LockPatternUtils.java | 28 +++++++----- 3 files changed, 71 insertions(+), 12 deletions(-) create mode 100644 core/java/android/service/gatekeeper/IGateKeeperService.aidl (limited to 'core/java') diff --git a/core/java/android/service/gatekeeper/IGateKeeperService.aidl b/core/java/android/service/gatekeeper/IGateKeeperService.aidl new file mode 100644 index 000000000000..675374d3dd2f --- /dev/null +++ b/core/java/android/service/gatekeeper/IGateKeeperService.aidl @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2015 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.service.gatekeeper; + +/** + * Interface for communication with GateKeeper, the + * secure password storage daemon. + * + * This must be kept manually in sync with system/core/gatekeeperd + * until AIDL can generate both C++ and Java bindings. + * + * @hide + */ +interface IGateKeeperService { + /** + * Enrolls a password, returning the handle to the enrollment to be stored locally. + * @param uid The Android user ID associated to this enrollment + * @param currentPasswordHandle The previously enrolled handle, or null if none + * @param currentPassword The previously enrolled plaintext password, or null if none. + * If provided, must verify against the currentPasswordHandle. + * @param desiredPassword The new desired password, for which a handle will be returned + * upon success. + * @return the handle corresponding to desiredPassword, or null + */ + byte[] enroll(int uid, in byte[] currentPasswordHandle, in byte[] currentPassword, + in byte[] desiredPassword); + + /** + * Verifies an enrolled handle against a provided, plaintext blob. + * @param uid The Android user ID associated to this enrollment + * @param enrolledPasswordHandle The handle against which the provided password will be + * verified. + * @param The plaintext blob to verify against enrolledPassword. + * @return true if success, false if failure + */ + boolean verify(int uid, in byte[] enrolledPasswordHandle, in byte[] providedPassword); +} diff --git a/core/java/com/android/internal/widget/ILockSettings.aidl b/core/java/com/android/internal/widget/ILockSettings.aidl index 0cb1f38cf11f..53a860d71e6d 100644 --- a/core/java/com/android/internal/widget/ILockSettings.aidl +++ b/core/java/com/android/internal/widget/ILockSettings.aidl @@ -24,9 +24,9 @@ interface ILockSettings { boolean getBoolean(in String key, in boolean defaultValue, in int userId); long getLong(in String key, in long defaultValue, in int userId); String getString(in String key, in String defaultValue, in int userId); - void setLockPattern(in String pattern, int userId); + void setLockPattern(in String pattern, in String savedPattern, int userId); boolean checkPattern(in String pattern, int userId); - void setLockPassword(in String password, int userId); + void setLockPassword(in String password, in String savedPassword, int userId); boolean checkPassword(in String password, int userId); boolean checkVoldPassword(int userId); boolean havePattern(int userId); diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java index 2967876b0098..fce57bd81d9d 100644 --- a/core/java/com/android/internal/widget/LockPatternUtils.java +++ b/core/java/com/android/internal/widget/LockPatternUtils.java @@ -425,8 +425,8 @@ public class LockPatternUtils { setLong(PASSWORD_TYPE_KEY, DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED, userHandle); try { - getLockSettings().setLockPassword(null, userHandle); - getLockSettings().setLockPattern(null, userHandle); + getLockSettings().setLockPassword(null, null, userHandle); + getLockSettings().setLockPattern(null, null, userHandle); } catch (RemoteException e) { // well, we tried... } @@ -477,24 +477,30 @@ public class LockPatternUtils { /** * Save a lock pattern. * @param pattern The new pattern to save. + * @param savedPattern The previously saved pattern, or null if none */ - public void saveLockPattern(List pattern) { - this.saveLockPattern(pattern, getCurrentOrCallingUserId()); + public void saveLockPattern(List pattern, + String savedPattern) { + this.saveLockPattern(pattern, savedPattern, getCurrentOrCallingUserId()); } + public void saveLockPattern(List pattern, int userId) { + this.saveLockPattern(pattern, null, userId); + } /** * Save a lock pattern. * @param pattern The new pattern to save. + * @param savedPattern The previously saved pattern, converted to String format * @param userId the user whose pattern is to be saved. */ - public void saveLockPattern(List pattern, int userId) { + public void saveLockPattern(List pattern, String savedPattern, int userId) { try { if (pattern == null || pattern.size() < MIN_LOCK_PATTERN_SIZE) { throw new IllegalArgumentException("pattern must not be null and at least " + MIN_LOCK_PATTERN_SIZE + " dots long."); } - getLockSettings().setLockPattern(patternToString(pattern), userId); + getLockSettings().setLockPattern(patternToString(pattern), savedPattern, userId); DevicePolicyManager dpm = getDevicePolicyManager(); // Update the device encryption password. @@ -685,10 +691,11 @@ public class LockPatternUtils { * as the requested mode, but will adjust the mode to be as good as the * pattern. * @param password The password to save + * @param savedPassword The previously saved lock password, or null if none * @param quality {@see DevicePolicyManager#getPasswordQuality(android.content.ComponentName)} */ - public void saveLockPassword(String password, int quality) { - saveLockPassword(password, quality, getCurrentOrCallingUserId()); + public void saveLockPassword(String password, String savedPassword, int quality) { + saveLockPassword(password, savedPassword, quality, getCurrentOrCallingUserId()); } /** @@ -699,7 +706,8 @@ public class LockPatternUtils { * @param quality {@see DevicePolicyManager#getPasswordQuality(android.content.ComponentName)} * @param userHandle The userId of the user to change the password for */ - public void saveLockPassword(String password, int quality, int userHandle) { + public void saveLockPassword(String password, String savedPassword, int quality, + int userHandle) { try { DevicePolicyManager dpm = getDevicePolicyManager(); if (password == null || password.length() < MIN_LOCK_PASSWORD_SIZE) { @@ -707,7 +715,7 @@ public class LockPatternUtils { + "of length " + MIN_LOCK_PASSWORD_SIZE); } - getLockSettings().setLockPassword(password, userHandle); + getLockSettings().setLockPassword(password, savedPassword, userHandle); int computedQuality = computePasswordQuality(password); // Update the device encryption password. -- cgit v1.2.3 From d9fc85ac27742adbe89e54fd35f3cb2469e94b91 Mon Sep 17 00:00:00 2001 From: Andres Morales Date: Thu, 9 Apr 2015 19:14:42 -0700 Subject: Add challenge to IGateKeeperService required for enrolling secondary auth form-factors Change-Id: Id5a1eb1ed22f01fbaabe8e4ebddfc42d58322625 --- .../service/gatekeeper/IGateKeeperService.aidl | 18 +++++++++-- .../com/android/internal/widget/ILockSettings.aidl | 2 ++ .../android/internal/widget/LockPatternUtils.java | 36 ++++++++++++++++++++++ 3 files changed, 54 insertions(+), 2 deletions(-) (limited to 'core/java') diff --git a/core/java/android/service/gatekeeper/IGateKeeperService.aidl b/core/java/android/service/gatekeeper/IGateKeeperService.aidl index 675374d3dd2f..2f3e296f483f 100644 --- a/core/java/android/service/gatekeeper/IGateKeeperService.aidl +++ b/core/java/android/service/gatekeeper/IGateKeeperService.aidl @@ -45,7 +45,21 @@ interface IGateKeeperService { * @param enrolledPasswordHandle The handle against which the provided password will be * verified. * @param The plaintext blob to verify against enrolledPassword. - * @return true if success, false if failure + * @return True if the authentication was successful */ - boolean verify(int uid, in byte[] enrolledPasswordHandle, in byte[] providedPassword); + boolean verify(int uid, in byte[] enrolledPasswordHandle, + in byte[] providedPassword); + /** + * Verifies an enrolled handle against a provided, plaintext blob. + * @param uid The Android user ID associated to this enrollment + * @param challenge a challenge to authenticate agaisnt the device credential. If successful + * authentication occurs, this value will be written to the returned + * authentication attestation. + * @param enrolledPasswordHandle The handle against which the provided password will be + * verified. + * @param The plaintext blob to verify against enrolledPassword. + * @return an opaque attestation of authentication on success, or null. + */ + byte[] verifyChallenge(int uid, long challenge, in byte[] enrolledPasswordHandle, + in byte[] providedPassword); } diff --git a/core/java/com/android/internal/widget/ILockSettings.aidl b/core/java/com/android/internal/widget/ILockSettings.aidl index 53a860d71e6d..bfafff6ae903 100644 --- a/core/java/com/android/internal/widget/ILockSettings.aidl +++ b/core/java/com/android/internal/widget/ILockSettings.aidl @@ -26,8 +26,10 @@ interface ILockSettings { String getString(in String key, in String defaultValue, in int userId); void setLockPattern(in String pattern, in String savedPattern, int userId); boolean checkPattern(in String pattern, int userId); + byte[] verifyPattern(in String pattern, long challenge, int userId); void setLockPassword(in String password, in String savedPassword, int userId); boolean checkPassword(in String password, int userId); + byte[] verifyPassword(in String password, long challenge, int userId); boolean checkVoldPassword(int userId); boolean havePattern(int userId); boolean havePassword(int userId); diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java index fce57bd81d9d..123d1ac21b97 100644 --- a/core/java/com/android/internal/widget/LockPatternUtils.java +++ b/core/java/com/android/internal/widget/LockPatternUtils.java @@ -279,6 +279,24 @@ public class LockPatternUtils { } } + /** + * Check to see if a pattern matches the saved pattern. + * If pattern matches, return an opaque attestation that the challenge + * was verified. + * + * @param pattern The pattern to check. + * @param challenge The challenge to verify against the pattern + * @return the attestation that the challenge was verified, or null. + */ + public byte[] verifyPattern(List pattern, long challenge) { + final int userId = getCurrentOrCallingUserId(); + try { + return getLockSettings().verifyPattern(patternToString(pattern), challenge, userId); + } catch (RemoteException re) { + return null; + } + } + /** * Check to see if a pattern matches the saved pattern. If no pattern exists, * always returns true. @@ -294,6 +312,24 @@ public class LockPatternUtils { } } + /** + * Check to see if a password matches the saved password. + * If password matches, return an opaque attestation that the challenge + * was verified. + * + * @param password The password to check. + * @param challenge The challenge to verify against the password + * @return the attestation that the challenge was verified, or null. + */ + public byte[] verifyPassword(String password, long challenge) { + final int userId = getCurrentOrCallingUserId(); + try { + return getLockSettings().verifyPassword(password, challenge, userId); + } catch (RemoteException re) { + return null; + } + } + /** * Check to see if a password matches the saved password. If no password exists, * always returns true. -- cgit v1.2.3