authorandroid-build-team Robot <android-build-team-robot@google.com>2017-12-14 21:22:17 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2017-12-14 21:22:17 +0000
commit23fbf77b8d604a062abbfc53841935e3437876b7 (patch)
treeba7443f16c7e06d24325d1b556662a788c14e3cc
parentdf0b5eed48a59c6f4f86b082352a957e0e6610ba (diff)
parent926c1445fd8a79abe5ed497d8a705e84653bbc9f (diff)
downloadbase-23fbf77b8d604a062abbfc53841935e3437876b7.tar.gz
Merge cherrypicks of [3365569, 3365570, 3366860, 3366878, 3365571, 3365572, 3366918, 3365573, 3365589, 3365590, 3366938, 3366902, 3365574, 3365575, 3365576, 3365577, 3366958, 3365824, 3365591, 3366959, 3366960, 3366961, 3366962, 3366963, 3366964, 3366965, 3366919, 3366966, 3366967, 3366968, 3366969, 3366970, 3367018, 3367019, 3365592, 3365593, 3366985, 3365825, 3366988, 3366989, 3366990, 3366991, 3366992, 3366993, 3366994, 3367004, 3367005, 3367006, 3367007, 3367008, 3367009, 3367010, 3367011, 3367012, 3367013, 3367014, 3367015, 3367016, 3367017, 3367038, 3367039, 3367040, 3367041, 3367042, 3367044, 3367045, 3367046, 3367049, 3367050, 3367052, 3367053, 3367054, 3367055, 3367056, 3366920, 3366921, 3366922, 3367079] into oc-mr1-releaseandroid-vts-8.1_r3android-8.1.0_r12android-8.1.0_r11android-8.1.0_r10
Change-Id: Iae843903b50e7df11a333cabfff45861e4a17355
-rw-r--r--services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java21
-rw-r--r--services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java27
2 files changed, 38 insertions, 10 deletions
diff --git a/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java b/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java
index b7bca1fb1c4a..ef94000d3a6b 100644
--- a/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java
+++ b/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java
@@ -112,7 +112,7 @@ public class SyntheticPasswordCrypto {
}
}
- public static byte[] decryptBlob(String keyAlias, byte[] blob, byte[] applicationId) {
+ public static byte[] decryptBlobV1(String keyAlias, byte[] blob, byte[] applicationId) {
try {
KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);
@@ -120,6 +120,20 @@ public class SyntheticPasswordCrypto {
SecretKey decryptionKey = (SecretKey) keyStore.getKey(keyAlias, null);
byte[] intermediate = decrypt(applicationId, APPLICATION_ID_PERSONALIZATION, blob);
return decrypt(decryptionKey, intermediate);
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new RuntimeException("Failed to decrypt blob", e);
+ }
+ }
+
+ public static byte[] decryptBlob(String keyAlias, byte[] blob, byte[] applicationId) {
+ try {
+ KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
+ keyStore.load(null);
+
+ SecretKey decryptionKey = (SecretKey) keyStore.getKey(keyAlias, null);
+ byte[] intermediate = decrypt(decryptionKey, blob);
+ return decrypt(applicationId, APPLICATION_ID_PERSONALIZATION, intermediate);
} catch (CertificateException | IOException | BadPaddingException
| IllegalBlockSizeException
| KeyStoreException | NoSuchPaddingException | NoSuchAlgorithmException
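Review bot: The catch block added to `decryptBlobV1` catches bare `Exception` and calls `e.printStackTrace()` before rethrowing, while the new `decryptBlob` directly below keeps the narrow multi-catch. The `RuntimeException` already carries `e` as its cause, so the trace is reported twice and the first copy bypasses the platform logger; I would drop the `e.printStackTrace();` line and reuse the exception list that `decryptBlob` catches. A short comment on each method stating the layer order (V1 strips the applicationId layer first, the current format strips the keystore-key layer first) would also help, because the two bodies differ only in the order of the two `decrypt` calls. The catch body of `decryptBlob` continues outside the hunk.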
@@ -150,9 +164,8 @@ public class SyntheticPasswordCrypto {
keyStore.setEntry(keyAlias,
new KeyStore.SecretKeyEntry(secretKey),
builder.build());
- byte[] intermediate = encrypt(secretKey, data);
- return encrypt(applicationId, APPLICATION_ID_PERSONALIZATION, intermediate);
-
+ byte[] intermediate = encrypt(applicationId, APPLICATION_ID_PERSONALIZATION, data);
+ return encrypt(secretKey, intermediate);
} catch (CertificateException | IOException | BadPaddingException
| IllegalBlockSizeException
| KeyStoreException | NoSuchPaddingException | NoSuchAlgorithmException
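Review bot: The swapped `encrypt` calls carry no comment saying why the order matters or that it defines the on-disk blob format. The data is now wrapped with the applicationId-derived key first and the keystore key last, and that has to remain the exact mirror of `decryptBlob`; a one-line comment above the two lines, such as `// Inner layer: applicationId; outer layer: keystore key. Keep in sync with decryptBlob().`, would record it. The enclosing method starts and ends outside the hunk.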
diff --git a/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java b/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java
index 9440f17164aa..ca6c9e78d0a2 100644
--- a/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java
+++ b/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java
@@ -101,7 +101,8 @@ public class SyntheticPasswordManager {
private static final byte WEAVER_VERSION = 1;
private static final int INVALID_WEAVER_SLOT = -1;
- private static final byte SYNTHETIC_PASSWORD_VERSION = 1;
+ private static final byte SYNTHETIC_PASSWORD_VERSION_V1 = 1;
+ private static final byte SYNTHETIC_PASSWORD_VERSION = 2;
private static final byte SYNTHETIC_PASSWORD_PASSWORD_BASED = 0;
private static final byte SYNTHETIC_PASSWORD_TOKEN_BASED = 1;
@@ -792,6 +793,7 @@ public class SyntheticPasswordManager {
byte[] pwdToken = computePasswordToken(credential, pwd);
final byte[] applicationId;
+ final long sid;
int weaverSlot = loadWeaverSlot(handle, userId);
if (weaverSlot != INVALID_WEAVER_SLOT) {
// Weaver based user password
@@ -804,6 +806,7 @@ public class SyntheticPasswordManager {
if (result.gkResponse.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {
return result;
}
+ sid = GateKeeper.INVALID_SECURE_USER_ID;
applicationId = transformUnderWeaverSecret(pwdToken, result.gkResponse.getPayload());
} else {
byte[] gkPwdToken = passwordTokenToGkInput(pwdToken);
@@ -836,12 +839,13 @@ public class SyntheticPasswordManager {
result.gkResponse = VerifyCredentialResponse.ERROR;
return result;
}
+ sid = sidFromPasswordHandle(pwd.passwordHandle);
applicationId = transformUnderSecdiscardable(pwdToken,
loadSecdiscardable(handle, userId));
}
result.authToken = unwrapSyntheticPasswordBlob(handle, SYNTHETIC_PASSWORD_PASSWORD_BASED,
- applicationId, userId);
+ applicationId, sid, userId);
// Perform verifyChallenge to refresh auth tokens for GK if user password exists.
result.gkResponse = verifyChallenge(gatekeeper, result.authToken, 0L, userId);
@@ -877,7 +881,7 @@ public class SyntheticPasswordManager {
}
byte[] applicationId = transformUnderSecdiscardable(token, secdiscardable);
result.authToken = unwrapSyntheticPasswordBlob(handle, SYNTHETIC_PASSWORD_TOKEN_BASED,
- applicationId, userId);
+ applicationId, 0L, userId);
if (result.authToken != null) {
result.gkResponse = verifyChallenge(gatekeeper, result.authToken, 0L, userId);
if (result.gkResponse == null) {
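Review bot: The token-based path passes a bare `0L` as the new `sid` argument, whereas the Weaver branch of the password path uses `GateKeeper.INVALID_SECURE_USER_ID` for the no-SID case. If the constant expresses the same thing here, `applicationId, GateKeeper.INVALID_SECURE_USER_ID, userId);` would make the intent readable and keep the call sites consistent; if `0L` means something else, a comment should say so. The value is not cosmetic, since it is forwarded to `createSyntheticPasswordBlob` when a v1 token blob is upgraded. The enclosing method starts and ends outside the hunk.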
@@ -892,19 +896,26 @@ public class SyntheticPasswordManager {
}
private AuthenticationToken unwrapSyntheticPasswordBlob(long handle, byte type,
- byte[] applicationId, int userId) {
+ byte[] applicationId, long sid, int userId) {
byte[] blob = loadState(SP_BLOB_NAME, handle, userId);
if (blob == null) {
return null;
}
- if (blob[0] != SYNTHETIC_PASSWORD_VERSION) {
+ final byte version = blob[0];
+ if (version != SYNTHETIC_PASSWORD_VERSION && version != SYNTHETIC_PASSWORD_VERSION_V1) {
throw new RuntimeException("Unknown blob version");
}
if (blob[1] != type) {
throw new RuntimeException("Invalid blob type");
}
- byte[] secret = decryptSPBlob(getHandleName(handle),
+ final byte[] secret;
+ if (version == SYNTHETIC_PASSWORD_VERSION_V1) {
+ secret = SyntheticPasswordCrypto.decryptBlobV1(getHandleName(handle),
+ Arrays.copyOfRange(blob, 2, blob.length), applicationId);
+ } else {
+ secret = decryptSPBlob(getHandleName(handle),
Arrays.copyOfRange(blob, 2, blob.length), applicationId);
+ }
if (secret == null) {
Log.e(TAG, "Fail to decrypt SP for user " + userId);
return null;
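Review bot: The v1 branch calls `SyntheticPasswordCrypto.decryptBlobV1` directly, and that method (see its hunk in SyntheticPasswordCrypto.java) rethrows every failure as a `RuntimeException`, so the `secret == null` check and its `Log.e` are never reached when a v1 blob fails to decrypt. Whether `decryptSPBlob` returns null or throws is not visible here, so the two versions may now fail differently for callers of `unwrapSyntheticPasswordBlob`. I would either give both versions the same failure behaviour or state the difference in place, e.g. `// decryptBlobV1 throws on failure; the null check below only covers decryptSPBlob`. The method body continues past the end of this hunk.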
@@ -919,6 +930,10 @@ public class SyntheticPasswordManager {
} else {
result.syntheticPassword = new String(secret);
}
+ if (version == SYNTHETIC_PASSWORD_VERSION_V1) {
+ Log.i(TAG, "Upgrade v1 SP blob for user " + userId + ", type = " + type);
+ createSyntheticPasswordBlob(handle, type, result, applicationId, sid, userId);
+ }
return result;
}
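Review bot: The upgrade rewrites the stored blob in the middle of a credential check, and nothing in this hunk handles `createSyntheticPasswordBlob` failing after the v1 blob has already been decrypted successfully. An exception there would propagate out of `unwrapSyntheticPasswordBlob` and turn a correct credential into a failed unlock. If the create path replaces the keystore key under the same alias before the new blob is persisted (the `keyStore.setEntry(keyAlias, ...)` context in SyntheticPasswordCrypto.java suggests it may), an interruption between the two steps could leave a v1 blob on disk that no longer decrypts. I would add a comment stating the ordering the write relies on, and confirm that a failed upgrade leaves the v1 blob and its key usable for the next attempt. Part of the method body lies between this hunk and the previous one and is not visible.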