Merge "Small fix to addconfig in statsd."
diff --git a/core/java/android/os/Binder.java b/core/java/android/os/Binder.java
index b7a4645..33470f3 100644
--- a/core/java/android/os/Binder.java
+++ b/core/java/android/os/Binder.java
@@ -35,6 +35,9 @@
import java.lang.ref.WeakReference;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
/**
* Base class for a remotable object, the core part of a lightweight
@@ -901,17 +904,62 @@
keyArray[size] = key;
}
if (size >= mWarnBucketSize) {
- final int total_size = size();
+ final int totalSize = size();
Log.v(Binder.TAG, "BinderProxy map growth! bucket size = " + size
- + " total = " + total_size);
+ + " total = " + totalSize);
mWarnBucketSize += WARN_INCREMENT;
- if (Build.IS_DEBUGGABLE && total_size > CRASH_AT_SIZE) {
- throw new AssertionError("Binder ProxyMap has too many entries. "
- + "BinderProxy leak?");
+ if (Build.IS_DEBUGGABLE && totalSize > CRASH_AT_SIZE) {
+ diagnosticCrash();
}
}
}
+ /**
+ * Dump a histogram to the logcat, then throw an assertion error. Used to diagnose
+ * abnormally large proxy maps.
+ */
+ private void diagnosticCrash() {
+ Map<String, Integer> counts = new HashMap<>();
+ for (ArrayList<WeakReference<BinderProxy>> a : mMainIndexValues) {
+ if (a != null) {
+ for (WeakReference<BinderProxy> weakRef : a) {
+ BinderProxy bp = weakRef.get();
+ String key;
+ if (bp == null) {
+ key = "<cleared weak-ref>";
+ } else {
+ try {
+ key = bp.getInterfaceDescriptor();
+ } catch (Throwable t) {
+ key = "<exception during getDescriptor>";
+ }
+ }
+ Integer i = counts.get(key);
+ if (i == null) {
+ counts.put(key, 1);
+ } else {
+ counts.put(key, i + 1);
+ }
+ }
+ }
+ }
+ Map.Entry<String, Integer>[] sorted = counts.entrySet().toArray(
+ new Map.Entry[counts.size()]);
+ Arrays.sort(sorted, (Map.Entry<String, Integer> a, Map.Entry<String, Integer> b)
+ -> b.getValue().compareTo(a.getValue()));
+ Log.v(Binder.TAG, "BinderProxy descriptor histogram (top ten):");
+ int printLength = Math.min(10, sorted.length);
+ for (int i = 0; i < printLength; i++) {
+ Log.v(Binder.TAG, " #" + (i + 1) + ": " + sorted[i].getKey() + " x"
+ + sorted[i].getValue());
+ }
+
+ // Now throw an assertion.
+ final int totalSize = size();
+ throw new AssertionError("Binder ProxyMap has too many entries: " + totalSize
+ + ". BinderProxy leak?");
+ }
+
// Corresponding ArrayLists in the following two arrays always have the same size.
// They contain no empty entries. However WeakReferences in the values ArrayLists
// may have been cleared.
diff --git a/core/java/android/security/recoverablekeystore/RecoverableKeyStoreLoader.java b/core/java/android/security/recoverablekeystore/RecoverableKeyStoreLoader.java
index d8fb03f..72a138a 100644
--- a/core/java/android/security/recoverablekeystore/RecoverableKeyStoreLoader.java
+++ b/core/java/android/security/recoverablekeystore/RecoverableKeyStoreLoader.java
@@ -45,6 +45,8 @@
public static final int NO_ERROR = KeyStore.NO_ERROR;
public static final int SYSTEM_ERROR = KeyStore.SYSTEM_ERROR;
public static final int UNINITIALIZED_RECOVERY_PUBLIC_KEY = 20;
+ public static final int NO_SNAPSHOT_PENDING_ERROR = 21;
+
/**
* Rate limit is enforced to prevent using too many trusted remote devices, since each device
* can have its own number of user secret guesses allowed.
diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/NotificationLockscreenUserManager.java b/packages/SystemUI/src/com/android/systemui/statusbar/NotificationLockscreenUserManager.java
index 06e7f0a..bcdc269 100644
--- a/packages/SystemUI/src/com/android/systemui/statusbar/NotificationLockscreenUserManager.java
+++ b/packages/SystemUI/src/com/android/systemui/statusbar/NotificationLockscreenUserManager.java
@@ -108,29 +108,15 @@
// Start the overview connection to the launcher service
Dependency.get(OverviewProxyService.class).startConnectionToCurrentUser();
} else if (Intent.ACTION_USER_PRESENT.equals(action)) {
- List<ActivityManager.RecentTaskInfo> recentTask = null;
try {
- recentTask = ActivityManager.getService().getRecentTasks(1,
- ActivityManager.RECENT_WITH_EXCLUDED,
- mCurrentUserId).getList();
+ final int lastResumedActivityUserId =
+ ActivityManager.getService().getLastResumedActivityUserId();
+ if (mUserManager.isManagedProfile(lastResumedActivityUserId)) {
+ showForegroundManagedProfileActivityToast();
+ }
} catch (RemoteException e) {
// Abandon hope activity manager not running.
}
- if (recentTask != null && recentTask.size() > 0) {
- UserInfo user = mUserManager.getUserInfo(recentTask.get(0).userId);
- if (user != null && user.isManagedProfile()) {
- Toast toast = Toast.makeText(mContext,
- R.string.managed_profile_foreground_toast,
- Toast.LENGTH_SHORT);
- TextView text = toast.getView().findViewById(android.R.id.message);
- text.setCompoundDrawablesRelativeWithIntrinsicBounds(
- R.drawable.stat_sys_managed_profile_status, 0, 0, 0);
- int paddingPx = mContext.getResources().getDimensionPixelSize(
- R.dimen.managed_profile_toast_padding);
- text.setCompoundDrawablePadding(paddingPx);
- toast.show();
- }
- }
} else if (NOTIFICATION_UNLOCKED_BY_WORK_CHALLENGE_ACTION.equals(action)) {
final IntentSender intentSender = intent.getParcelableExtra(Intent.EXTRA_INTENT);
final String notificationKey = intent.getStringExtra(Intent.EXTRA_INDEX);
@@ -245,6 +231,19 @@
mSettingsObserver.onChange(false); // set up
}
+ private void showForegroundManagedProfileActivityToast() {
+ Toast toast = Toast.makeText(mContext,
+ R.string.managed_profile_foreground_toast,
+ Toast.LENGTH_SHORT);
+ TextView text = toast.getView().findViewById(android.R.id.message);
+ text.setCompoundDrawablesRelativeWithIntrinsicBounds(
+ R.drawable.stat_sys_managed_profile_status, 0, 0, 0);
+ int paddingPx = mContext.getResources().getDimensionPixelSize(
+ R.dimen.managed_profile_toast_padding);
+ text.setCompoundDrawablePadding(paddingPx);
+ toast.show();
+ }
+
public boolean shouldShowLockscreenNotifications() {
return mShowLockscreenNotifications;
}
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java
index 3434eee..f6f5e59 100644
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/KeySyncTask.java
@@ -16,14 +16,20 @@
package com.android.server.locksettings.recoverablekeystore;
+import static android.security.recoverablekeystore.KeyStoreRecoveryMetadata.TYPE_LOCKSCREEN;
+
import android.annotation.NonNull;
import android.content.Context;
+import android.security.recoverablekeystore.KeyDerivationParameters;
+import android.security.recoverablekeystore.KeyEntryRecoveryData;
+import android.security.recoverablekeystore.KeyStoreRecoveryData;
import android.security.recoverablekeystore.KeyStoreRecoveryMetadata;
import android.util.Log;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.widget.LockPatternUtils;
import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb;
+import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
@@ -36,6 +42,8 @@
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
+import java.util.ArrayList;
+import java.util.List;
import java.util.Map;
import javax.crypto.KeyGenerator;
@@ -58,28 +66,30 @@
private final RecoverableKeyStoreDb mRecoverableKeyStoreDb;
private final int mUserId;
- private final RecoverableSnapshotConsumer mSnapshotConsumer;
private final int mCredentialType;
private final String mCredential;
private final PlatformKeyManager.Factory mPlatformKeyManagerFactory;
private final VaultKeySupplier mVaultKeySupplier;
+ private final RecoverySnapshotStorage mRecoverySnapshotStorage;
+ private final RecoverySnapshotListenersStorage mSnapshotListenersStorage;
public static KeySyncTask newInstance(
Context context,
RecoverableKeyStoreDb recoverableKeyStoreDb,
+ RecoverySnapshotStorage snapshotStorage,
+ RecoverySnapshotListenersStorage recoverySnapshotListenersStorage,
int userId,
int credentialType,
String credential
) throws NoSuchAlgorithmException, KeyStoreException, InsecureUserException {
return new KeySyncTask(
recoverableKeyStoreDb,
+ snapshotStorage,
+ recoverySnapshotListenersStorage,
userId,
credentialType,
credential,
() -> PlatformKeyManager.getInstance(context, recoverableKeyStoreDb, userId),
- (salt, recoveryKey, applicationKeys) -> {
- // TODO: implement sending intent
- },
() -> {
throw new UnsupportedOperationException("Not implemented vault key.");
});
@@ -99,19 +109,21 @@
@VisibleForTesting
KeySyncTask(
RecoverableKeyStoreDb recoverableKeyStoreDb,
+ RecoverySnapshotStorage snapshotStorage,
+ RecoverySnapshotListenersStorage recoverySnapshotListenersStorage,
int userId,
int credentialType,
String credential,
PlatformKeyManager.Factory platformKeyManagerFactory,
- RecoverableSnapshotConsumer snapshotConsumer,
VaultKeySupplier vaultKeySupplier) {
+ mSnapshotListenersStorage = recoverySnapshotListenersStorage;
mRecoverableKeyStoreDb = recoverableKeyStoreDb;
mUserId = userId;
mCredentialType = credentialType;
mCredential = credential;
mPlatformKeyManagerFactory = platformKeyManagerFactory;
- mSnapshotConsumer = snapshotConsumer;
mVaultKeySupplier = vaultKeySupplier;
+ mRecoverySnapshotStorage = snapshotStorage;
}
@Override
@@ -129,6 +141,18 @@
return;
}
+ int recoveryAgentUid = mRecoverableKeyStoreDb.getRecoveryAgentUid(mUserId);
+
+ if (recoveryAgentUid == -1) {
+ Log.w(TAG, "No recovery agent initialized for user " + mUserId);
+ return;
+ }
+
+ if (!mSnapshotListenersStorage.hasListener(recoveryAgentUid)) {
+ Log.w(TAG, "No pending intent registered for recovery agent " + recoveryAgentUid);
+ return;
+ }
+
byte[] salt = generateSalt();
byte[] localLskfHash = hashCredentials(salt, mCredential);
@@ -185,7 +209,21 @@
return;
}
- mSnapshotConsumer.accept(salt, encryptedRecoveryKey, encryptedApplicationKeys);
+ KeyStoreRecoveryMetadata metadata = new KeyStoreRecoveryMetadata(
+ /*userSecretType=*/ TYPE_LOCKSCREEN,
+ /*lockScreenUiFormat=*/ mCredentialType,
+ /*keyDerivationParameters=*/ KeyDerivationParameters.createSHA256Parameters(salt),
+ /*secret=*/ new byte[0]);
+ ArrayList<KeyStoreRecoveryMetadata> metadataList = new ArrayList<>();
+ metadataList.add(metadata);
+
+ // TODO: implement snapshot version
+ mRecoverySnapshotStorage.put(mUserId, new KeyStoreRecoveryData(
+ /*snapshotVersion=*/ 1,
+ /*recoveryMetadata=*/ metadataList,
+ /*applicationKeyBlobs=*/ createApplicationKeyEntries(encryptedApplicationKeys),
+ /*encryptedRecoveryKeyblob=*/ encryptedRecoveryKey));
+ mSnapshotListenersStorage.recoverySnapshotAvailable(recoveryAgentUid);
}
private PublicKey getVaultPublicKey() {
@@ -290,15 +328,16 @@
return keyGenerator.generateKey();
}
- /**
- * TODO: just replace with the Intent call. I'm not sure exactly what this looks like, hence
- * this interface, so I can test in the meantime.
- */
- public interface RecoverableSnapshotConsumer {
- void accept(
- byte[] salt,
- byte[] encryptedRecoveryKey,
- Map<String, byte[]> encryptedApplicationKeys);
+ private static List<KeyEntryRecoveryData> createApplicationKeyEntries(
+ Map<String, byte[]> encryptedApplicationKeys) {
+ ArrayList<KeyEntryRecoveryData> keyEntries = new ArrayList<>();
+ for (String alias : encryptedApplicationKeys.keySet()) {
+ keyEntries.add(
+ new KeyEntryRecoveryData(
+ alias.getBytes(StandardCharsets.UTF_8),
+ encryptedApplicationKeys.get(alias)));
+ }
+ return keyEntries;
}
/**
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/ListenersStorage.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/ListenersStorage.java
deleted file mode 100644
index 0f17294..0000000
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/ListenersStorage.java
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (C) 2017 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.android.server.locksettings.recoverablekeystore;
-
-import android.annotation.Nullable;
-import android.app.PendingIntent;
-
-import com.android.internal.annotations.VisibleForTesting;
-
-import java.util.Map;
-import java.util.HashMap;
-
-/**
- * In memory storage for listeners to be notified when new recovery snapshot is available.
- * Note: implementation is not thread safe and it is used to mock final {@link PendingIntent}
- * class.
- *
- * @hide
- */
-public class ListenersStorage {
- private Map<Integer, PendingIntent> mAgentIntents = new HashMap<>();
-
- private static final ListenersStorage mInstance = new ListenersStorage();
- public static ListenersStorage getInstance() {
- return mInstance;
- }
-
- /**
- * Sets new listener for the recovery agent, identified by {@code uid}
- *
- * @param recoveryAgentUid uid
- * @param intent PendingIntent which will be triggered than new snapshot is available.
- */
- public void setSnapshotListener(int recoveryAgentUid, @Nullable PendingIntent intent) {
- mAgentIntents.put(recoveryAgentUid, intent);
- }
-
- /**
- * Notifies recovery agent, that new snapshot is available.
- * Does nothing if a listener was not registered.
- *
- * @param recoveryAgentUid uid.
- */
- public void recoverySnapshotAvailable(int recoveryAgentUid) {
- PendingIntent intent = mAgentIntents.get(recoveryAgentUid);
- if (intent != null) {
- try {
- intent.send();
- } catch (PendingIntent.CanceledException e) {
- // Ignore - sending intent is not allowed.
- }
- }
- }
-}
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
index 426dc8a..11f4e9c 100644
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
@@ -34,6 +34,7 @@
import com.android.internal.annotations.VisibleForTesting;
import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb;
import com.android.server.locksettings.recoverablekeystore.storage.RecoverySessionStorage;
+import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
@@ -44,7 +45,6 @@
import java.security.UnrecoverableKeyException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
-import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
@@ -73,8 +73,9 @@
private final RecoverableKeyStoreDb mDatabase;
private final RecoverySessionStorage mRecoverySessionStorage;
private final ExecutorService mExecutorService;
- private final ListenersStorage mListenersStorage;
+ private final RecoverySnapshotListenersStorage mListenersStorage;
private final RecoverableKeyGenerator mRecoverableKeyGenerator;
+ private final RecoverySnapshotStorage mSnapshotStorage;
/**
* Returns a new or existing instance.
@@ -89,7 +90,8 @@
db,
new RecoverySessionStorage(),
Executors.newSingleThreadExecutor(),
- ListenersStorage.getInstance());
+ new RecoverySnapshotStorage(),
+ new RecoverySnapshotListenersStorage());
}
return mInstance;
}
@@ -100,12 +102,14 @@
RecoverableKeyStoreDb recoverableKeyStoreDb,
RecoverySessionStorage recoverySessionStorage,
ExecutorService executorService,
- ListenersStorage listenersStorage) {
+ RecoverySnapshotStorage snapshotStorage,
+ RecoverySnapshotListenersStorage listenersStorage) {
mContext = context;
mDatabase = recoverableKeyStoreDb;
mRecoverySessionStorage = recoverySessionStorage;
mExecutorService = executorService;
mListenersStorage = listenersStorage;
+ mSnapshotStorage = snapshotStorage;
try {
mRecoverableKeyGenerator = RecoverableKeyGenerator.newInstance(mDatabase);
} catch (NoSuchAlgorithmException e) {
@@ -143,24 +147,12 @@
public @NonNull KeyStoreRecoveryData getRecoveryData(@NonNull byte[] account, int userId)
throws RemoteException {
checkRecoverKeyStorePermission();
- final int callingUid = Binder.getCallingUid(); // Recovery agent uid.
- final int callingUserId = UserHandle.getCallingUserId();
- final long callingIdentiy = Binder.clearCallingIdentity();
- try {
- // TODO: Return the latest snapshot for the calling recovery agent.
- } finally {
- Binder.restoreCallingIdentity(callingIdentiy);
- }
- // KeyStoreRecoveryData without application keys and empty recovery blob.
- KeyStoreRecoveryData recoveryData =
- new KeyStoreRecoveryData(
- /*snapshotVersion=*/ 1,
- new ArrayList<KeyStoreRecoveryMetadata>(),
- new ArrayList<KeyEntryRecoveryData>(),
- /*encryptedRecoveryKeyBlob=*/ new byte[] {});
- throw new ServiceSpecificException(
- RecoverableKeyStoreLoader.UNINITIALIZED_RECOVERY_PUBLIC_KEY);
+ KeyStoreRecoveryData snapshot = mSnapshotStorage.get(UserHandle.getCallingUserId());
+ if (snapshot == null) {
+ throw new ServiceSpecificException(RecoverableKeyStoreLoader.NO_SNAPSHOT_PENDING_ERROR);
+ }
+ return snapshot;
}
public void setSnapshotCreatedPendingIntent(@Nullable PendingIntent intent, int userId)
@@ -469,7 +461,7 @@
/**
* This function can only be used inside LockSettingsService.
*
- * @param storedHashType from {@Code CredentialHash}
+ * @param storedHashType from {@code CredentialHash}
* @param credential - unencrypted String. Password length should be at most 16 symbols {@code
* mPasswordMaxLength}
* @param userId for user who just unlocked the device.
@@ -480,7 +472,13 @@
// So as not to block the critical path unlocking the phone, defer to another thread.
try {
mExecutorService.execute(KeySyncTask.newInstance(
- mContext, mDatabase, userId, storedHashType, credential));
+ mContext,
+ mDatabase,
+ mSnapshotStorage,
+ mListenersStorage,
+ userId,
+ storedHashType,
+ credential));
} catch (NoSuchAlgorithmException e) {
Log.wtf(TAG, "Should never happen - algorithm unavailable for KeySync", e);
} catch (KeyStoreException e) {
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverySnapshotListenersStorage.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverySnapshotListenersStorage.java
new file mode 100644
index 0000000..c925329
--- /dev/null
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverySnapshotListenersStorage.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.locksettings.recoverablekeystore;
+
+import android.annotation.Nullable;
+import android.app.PendingIntent;
+import android.util.Log;
+import android.util.SparseArray;
+
+import com.android.internal.annotations.GuardedBy;
+
+/**
+ * In memory storage for listeners to be notified when new recovery snapshot is available. This
+ * class is thread-safe. It is used on two threads - the service thread and the thread that runs the
+ * {@link KeySyncTask}.
+ *
+ * @hide
+ */
+public class RecoverySnapshotListenersStorage {
+ private static final String TAG = "RecoverySnapshotLstnrs";
+
+ @GuardedBy("this")
+ private SparseArray<PendingIntent> mAgentIntents = new SparseArray<>();
+
+ /**
+ * Sets new listener for the recovery agent, identified by {@code uid}.
+ *
+ * @param recoveryAgentUid uid of the recovery agent.
+ * @param intent PendingIntent which will be triggered when new snapshot is available.
+ */
+ public synchronized void setSnapshotListener(
+ int recoveryAgentUid, @Nullable PendingIntent intent) {
+ Log.i(TAG, "Registered listener for agent with uid " + recoveryAgentUid);
+ mAgentIntents.put(recoveryAgentUid, intent);
+ }
+
+ /**
+ * Returns {@code true} if a listener has been set for the recovery agent.
+ */
+ public synchronized boolean hasListener(int recoveryAgentUid) {
+ return mAgentIntents.get(recoveryAgentUid) != null;
+ }
+
+ /**
+ * Notifies recovery agent that new snapshot is available. Does nothing if a listener was not
+ * registered.
+ *
+ * @param recoveryAgentUid uid of recovery agent.
+ */
+ public synchronized void recoverySnapshotAvailable(int recoveryAgentUid) {
+ PendingIntent intent = mAgentIntents.get(recoveryAgentUid);
+ if (intent != null) {
+ try {
+ intent.send();
+ } catch (PendingIntent.CanceledException e) {
+ Log.e(TAG,
+ "Failed to trigger PendingIntent for " + recoveryAgentUid,
+ e);
+ }
+ }
+ }
+}
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java
index d213115..156d5ba 100644
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDb.java
@@ -330,6 +330,36 @@
}
/**
+ * Returns the uid of the recovery agent for the given user, or -1 if none is set.
+ */
+ public int getRecoveryAgentUid(int userId) {
+ SQLiteDatabase db = mKeyStoreDbHelper.getReadableDatabase();
+
+ String[] projection = { RecoveryServiceMetadataEntry.COLUMN_NAME_UID };
+ String selection = RecoveryServiceMetadataEntry.COLUMN_NAME_USER_ID + " = ?";
+ String[] selectionArguments = { Integer.toString(userId) };
+
+ try (
+ Cursor cursor = db.query(
+ RecoveryServiceMetadataEntry.TABLE_NAME,
+ projection,
+ selection,
+ selectionArguments,
+ /*groupBy=*/ null,
+ /*having=*/ null,
+ /*orderBy=*/ null)
+ ) {
+ int count = cursor.getCount();
+ if (count == 0) {
+ return -1;
+ }
+ cursor.moveToFirst();
+ return cursor.getInt(
+ cursor.getColumnIndexOrThrow(RecoveryServiceMetadataEntry.COLUMN_NAME_UID));
+ }
+ }
+
+ /**
* Returns the public key of the recovery service.
*
* @param userId The uid of the profile the application is running under.
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbHelper.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbHelper.java
index 80fa20a..c87812d 100644
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbHelper.java
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbHelper.java
@@ -1,3 +1,19 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
package com.android.server.locksettings.recoverablekeystore.storage;
import android.content.Context;
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorage.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorage.java
new file mode 100644
index 0000000..d1a1629
--- /dev/null
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorage.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.locksettings.recoverablekeystore.storage;
+
+import android.annotation.Nullable;
+import android.security.recoverablekeystore.KeyStoreRecoveryData;
+import android.util.SparseArray;
+
+import com.android.internal.annotations.GuardedBy;
+
+/**
+ * In-memory storage for recovery snapshots.
+ *
+ * <p>Recovery snapshots are generated after a successful screen unlock. They are only generated if
+ * the recoverable keystore has been mutated since the previous snapshot. This class stores only the
+ * latest snapshot for each user.
+ *
+ * <p>This class is thread-safe. It is used both on the service thread and the
+ * {@link com.android.server.locksettings.recoverablekeystore.KeySyncTask} thread.
+ */
+public class RecoverySnapshotStorage {
+ @GuardedBy("this")
+ private final SparseArray<KeyStoreRecoveryData> mSnapshotByUserId = new SparseArray<>();
+
+ /**
+ * Sets the latest {@code snapshot} for the user {@code userId}.
+ */
+ public synchronized void put(int userId, KeyStoreRecoveryData snapshot) {
+ mSnapshotByUserId.put(userId, snapshot);
+ }
+
+ /**
+ * Returns the latest snapshot for user {@code userId}, or null if none exists.
+ */
+ @Nullable
+ public synchronized KeyStoreRecoveryData get(int userId) {
+ return mSnapshotByUserId.get(userId);
+ }
+
+ /**
+ * Removes any (if any) snapshot associated with user {@code userId}.
+ */
+ public synchronized void remove(int userId) {
+ mSnapshotByUserId.remove(userId);
+ }
+}
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java
index b8000c4..8c3bf5d 100644
--- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/KeySyncTaskTest.java
@@ -26,27 +26,29 @@
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;
import android.content.Context;
import android.security.keystore.AndroidKeyStoreSecretKey;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
+import android.security.recoverablekeystore.KeyDerivationParameters;
+import android.security.recoverablekeystore.KeyEntryRecoveryData;
+import android.security.recoverablekeystore.KeyStoreRecoveryData;
import android.support.test.InstrumentationRegistry;
import android.support.test.filters.SmallTest;
import android.support.test.runner.AndroidJUnit4;
import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb;
+import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
-import org.mockito.ArgumentCaptor;
-import org.mockito.Captor;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
@@ -54,7 +56,7 @@
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.util.Arrays;
-import java.util.Map;
+import java.util.List;
import java.util.Random;
import javax.crypto.KeyGenerator;
@@ -69,6 +71,7 @@
private static final String DATABASE_FILE_NAME = "recoverablekeystore.db";
private static final int TEST_USER_ID = 1000;
private static final int TEST_APP_UID = 10009;
+ private static final int TEST_RECOVERY_AGENT_UID = 90873;
private static final String TEST_APP_KEY_ALIAS = "rcleaver";
private static final int TEST_GENERATION_ID = 2;
private static final int TEST_CREDENTIAL_TYPE = CREDENTIAL_TYPE_PASSWORD;
@@ -76,13 +79,10 @@
private static final byte[] THM_ENCRYPTED_RECOVERY_KEY_HEADER =
"V1 THM_encrypted_recovery_key".getBytes(StandardCharsets.UTF_8);
- @Mock private KeySyncTask.RecoverableSnapshotConsumer mRecoverableSnapshotConsumer;
@Mock private PlatformKeyManager mPlatformKeyManager;
+ @Mock private RecoverySnapshotListenersStorage mSnapshotListenersStorage;
- @Captor private ArgumentCaptor<byte[]> mSaltCaptor;
- @Captor private ArgumentCaptor<byte[]> mEncryptedRecoveryKeyCaptor;
- @Captor private ArgumentCaptor<Map<String, byte[]>> mEncryptedApplicationKeysCaptor;
-
+ private RecoverySnapshotStorage mRecoverySnapshotStorage;
private RecoverableKeyStoreDb mRecoverableKeyStoreDb;
private File mDatabaseFile;
private KeyPair mKeyPair;
@@ -100,13 +100,16 @@
mRecoverableKeyStoreDb = RecoverableKeyStoreDb.newInstance(context);
mKeyPair = SecureBox.genKeyPair();
+ mRecoverySnapshotStorage = new RecoverySnapshotStorage();
+
mKeySyncTask = new KeySyncTask(
mRecoverableKeyStoreDb,
+ mRecoverySnapshotStorage,
+ mSnapshotListenersStorage,
TEST_USER_ID,
TEST_CREDENTIAL_TYPE,
TEST_CREDENTIAL,
() -> mPlatformKeyManager,
- mRecoverableSnapshotConsumer,
() -> mKeyPair.getPublic());
mWrappingKey = generateAndroidKeyStoreKey();
@@ -199,7 +202,40 @@
// to be synced.
mKeySyncTask.run();
- verifyZeroInteractions(mRecoverableSnapshotConsumer);
+ assertNull(mRecoverySnapshotStorage.get(TEST_USER_ID));
+ }
+
+ @Test
+ public void run_doesNotSendAnythingIfNoRecoveryAgentSet() throws Exception {
+ SecretKey applicationKey = generateKey();
+ mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID);
+ mRecoverableKeyStoreDb.insertKey(
+ TEST_USER_ID,
+ TEST_APP_UID,
+ TEST_APP_KEY_ALIAS,
+ WrappedKey.fromSecretKey(mEncryptKey, applicationKey));
+ when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true);
+
+ mKeySyncTask.run();
+
+ assertNull(mRecoverySnapshotStorage.get(TEST_USER_ID));
+ }
+
+ @Test
+ public void run_doesNotSendAnythingIfNoRecoveryAgentPendingIntentRegistered() throws Exception {
+ SecretKey applicationKey = generateKey();
+ mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID);
+ mRecoverableKeyStoreDb.insertKey(
+ TEST_USER_ID,
+ TEST_APP_UID,
+ TEST_APP_KEY_ALIAS,
+ WrappedKey.fromSecretKey(mEncryptKey, applicationKey));
+ mRecoverableKeyStoreDb.setRecoveryServicePublicKey(
+ TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic());
+
+ mKeySyncTask.run();
+
+ assertNull(mRecoverySnapshotStorage.get(TEST_USER_ID));
}
@Test
@@ -211,24 +247,32 @@
TEST_APP_UID,
TEST_APP_KEY_ALIAS,
WrappedKey.fromSecretKey(mEncryptKey, applicationKey));
+ mRecoverableKeyStoreDb.setRecoveryServicePublicKey(
+ TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic());
+ when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true);
mKeySyncTask.run();
- verify(mRecoverableSnapshotConsumer).accept(
- mSaltCaptor.capture(),
- mEncryptedRecoveryKeyCaptor.capture(),
- mEncryptedApplicationKeysCaptor.capture());
+ KeyStoreRecoveryData recoveryData = mRecoverySnapshotStorage.get(TEST_USER_ID);
+ KeyDerivationParameters keyDerivationParameters =
+ recoveryData.getRecoveryMetadata().get(0).getKeyDerivationParameters();
+ assertEquals(KeyDerivationParameters.ALGORITHM_SHA256,
+ keyDerivationParameters.getAlgorithm());
+ verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID);
byte[] lockScreenHash = KeySyncTask.hashCredentials(
- mSaltCaptor.getValue(), TEST_CREDENTIAL);
+ keyDerivationParameters.getSalt(),
+ TEST_CREDENTIAL);
// TODO: what should vault params be here?
byte[] recoveryKey = decryptThmEncryptedKey(
lockScreenHash,
- mEncryptedRecoveryKeyCaptor.getValue(),
+ recoveryData.getEncryptedRecoveryKeyBlob(),
/*vaultParams=*/ new byte[0]);
- Map<String, byte[]> applicationKeys = mEncryptedApplicationKeysCaptor.getValue();
+ List<KeyEntryRecoveryData> applicationKeys = recoveryData.getApplicationKeyBlobs();
assertEquals(1, applicationKeys.size());
+ KeyEntryRecoveryData keyData = applicationKeys.get(0);
+ assertArrayEquals(TEST_APP_KEY_ALIAS.getBytes(StandardCharsets.UTF_8), keyData.getAlias());
byte[] appKey = KeySyncUtils.decryptApplicationKey(
- recoveryKey, applicationKeys.get(TEST_APP_KEY_ALIAS));
+ recoveryKey, keyData.getEncryptedKeyMaterial());
assertArrayEquals(applicationKey.getEncoded(), appKey);
}
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
index c2166e5..2c9b356 100644
--- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManagerTest.java
@@ -48,6 +48,7 @@
import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb;
import com.android.server.locksettings.recoverablekeystore.storage.RecoverySessionStorage;
+import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
@@ -107,13 +108,14 @@
private static final int GCM_TAG_SIZE_BITS = 128;
@Mock private Context mMockContext;
- @Mock private ListenersStorage mMockListenersStorage;
+ @Mock private RecoverySnapshotListenersStorage mMockListenersStorage;
@Mock private KeyguardManager mKeyguardManager;
private RecoverableKeyStoreDb mRecoverableKeyStoreDb;
private File mDatabaseFile;
private RecoverableKeyStoreManager mRecoverableKeyStoreManager;
private RecoverySessionStorage mRecoverySessionStorage;
+ private RecoverySnapshotStorage mRecoverySnapshotStorage;
@Before
public void setUp() {
@@ -135,6 +137,7 @@
mRecoverableKeyStoreDb,
mRecoverySessionStorage,
Executors.newSingleThreadExecutor(),
+ mRecoverySnapshotStorage,
mMockListenersStorage);
}
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverySnapshotListenersStorageTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverySnapshotListenersStorageTest.java
new file mode 100644
index 0000000..b9c1764
--- /dev/null
+++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/RecoverySnapshotListenersStorageTest.java
@@ -0,0 +1,37 @@
+package com.android.server.locksettings.recoverablekeystore;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import android.app.PendingIntent;
+import android.content.Intent;
+import android.support.test.InstrumentationRegistry;
+import android.support.test.filters.SmallTest;
+import android.support.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@SmallTest
+@RunWith(AndroidJUnit4.class)
+public class RecoverySnapshotListenersStorageTest {
+
+ private final RecoverySnapshotListenersStorage mStorage =
+ new RecoverySnapshotListenersStorage();
+
+ @Test
+ public void hasListener_isFalseForUnregisteredUid() {
+ assertFalse(mStorage.hasListener(1000));
+ }
+
+ @Test
+ public void hasListener_isTrueForRegisteredUid() {
+ int recoveryAgentUid = 1000;
+ PendingIntent intent = PendingIntent.getBroadcast(
+ InstrumentationRegistry.getTargetContext(), /*requestCode=*/1,
+ new Intent(), /*flags=*/ 0);
+ mStorage.setSnapshotListener(recoveryAgentUid, intent);
+
+ assertTrue(mStorage.hasListener(recoveryAgentUid));
+ }
+}
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbTest.java
index 9cde074..373a7bc 100644
--- a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbTest.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverableKeyStoreDbTest.java
@@ -328,6 +328,20 @@
}
@Test
+ public void getRecoveryAgentUid_returnsUidIfSet() throws Exception {
+ int userId = 12;
+ int uid = 190992;
+ mRecoverableKeyStoreDb.setRecoveryServicePublicKey(userId, uid, genRandomPublicKey());
+
+ assertThat(mRecoverableKeyStoreDb.getRecoveryAgentUid(userId)).isEqualTo(uid);
+ }
+
+ @Test
+ public void getRecoveryAgentUid_returnsMinusOneForNonexistentAgent() throws Exception {
+ assertThat(mRecoverableKeyStoreDb.getRecoveryAgentUid(12)).isEqualTo(-1);
+ }
+
+ @Test
public void setServerParameters_replaceOldValue() throws Exception {
int userId = 12;
int uid = 10009;
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorageTest.java b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorageTest.java
new file mode 100644
index 0000000..2759e39
--- /dev/null
+++ b/services/tests/servicestests/src/com/android/server/locksettings/recoverablekeystore/storage/RecoverySnapshotStorageTest.java
@@ -0,0 +1,53 @@
+package com.android.server.locksettings.recoverablekeystore.storage;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+
+import android.security.recoverablekeystore.KeyStoreRecoveryData;
+import android.support.test.filters.SmallTest;
+import android.support.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.ArrayList;
+
+@SmallTest
+@RunWith(AndroidJUnit4.class)
+public class RecoverySnapshotStorageTest {
+
+ private final RecoverySnapshotStorage mRecoverySnapshotStorage = new RecoverySnapshotStorage();
+
+ @Test
+ public void get_isNullForNonExistentSnapshot() {
+ assertNull(mRecoverySnapshotStorage.get(1000));
+ }
+
+ @Test
+ public void get_returnsSetSnapshot() {
+ int userId = 1000;
+ KeyStoreRecoveryData recoveryData = new KeyStoreRecoveryData(
+ /*snapshotVersion=*/ 1,
+ new ArrayList<>(),
+ new ArrayList<>(),
+ new byte[0]);
+ mRecoverySnapshotStorage.put(userId, recoveryData);
+
+ assertEquals(recoveryData, mRecoverySnapshotStorage.get(userId));
+ }
+
+ @Test
+ public void remove_removesSnapshots() {
+ int userId = 1000;
+ KeyStoreRecoveryData recoveryData = new KeyStoreRecoveryData(
+ /*snapshotVersion=*/ 1,
+ new ArrayList<>(),
+ new ArrayList<>(),
+ new byte[0]);
+ mRecoverySnapshotStorage.put(userId, recoveryData);
+
+ mRecoverySnapshotStorage.remove(userId);
+
+ assertNull(mRecoverySnapshotStorage.get(1000));
+ }
+}
diff --git a/services/tests/servicestests/src/com/android/server/net/ConnOnActivityStartTest.java b/services/tests/servicestests/src/com/android/server/net/ConnOnActivityStartTest.java
index 8581079..c7fa62e 100644
--- a/services/tests/servicestests/src/com/android/server/net/ConnOnActivityStartTest.java
+++ b/services/tests/servicestests/src/com/android/server/net/ConnOnActivityStartTest.java
@@ -38,6 +38,7 @@
import android.support.test.filters.LargeTest;
import android.support.test.runner.AndroidJUnit4;
import android.support.test.uiautomator.UiDevice;
+import android.text.TextUtils;
import android.util.Log;
import org.junit.AfterClass;
@@ -214,7 +215,6 @@
try{
turnBatteryOff();
setAppIdle(true);
- SystemClock.sleep(30000);
turnScreenOn();
startActivityAndCheckNetworkAccess();
} finally {
@@ -286,7 +286,7 @@
private void setAppIdle(boolean enabled) throws Exception {
executeCommand("am set-inactive " + TEST_PKG + " " + enabled);
assertDelayedCommandResult("am get-inactive " + TEST_PKG, "Idle=" + enabled,
- 10 /* maxTries */, 2000 /* napTimeMs */);
+ 15 /* maxTries */, 2000 /* napTimeMs */);
}
private void updateRestrictBackgroundBlacklist(boolean add) throws Exception {
@@ -407,13 +407,35 @@
private static void dumpOnFailure() throws Exception {
dump("network_management");
dump("netpolicy");
- dump("usagestats");
+ dumpUsageStats();
+ }
+
+ private static void dumpUsageStats() throws Exception {
+ final String output = executeSilentCommand("dumpsys usagestats");
+ final StringBuilder sb = new StringBuilder();
+ final TextUtils.SimpleStringSplitter splitter = new TextUtils.SimpleStringSplitter('\n');
+ splitter.setString(output);
+ String str;
+ while (splitter.hasNext()) {
+ str = splitter.next();
+ if (str.contains("package=") && !str.contains(TEST_PKG)) {
+ continue;
+ }
+ if (str.trim().startsWith("config=") || str.trim().startsWith("time=")) {
+ continue;
+ }
+ sb.append(str).append('\n');
+ }
+ dump("usagestats", sb.toString());
}
private static void dump(String service) throws Exception {
+ dump(service, executeSilentCommand("dumpsys " + service));
+ }
+
+ private static void dump(String service, String dump) throws Exception {
Log.d(TAG, ">>> Begin dump " + service);
- Log.printlns(Log.LOG_ID_MAIN, Log.DEBUG,
- TAG, executeSilentCommand("dumpsys " + service), null);
+ Log.printlns(Log.LOG_ID_MAIN, Log.DEBUG, TAG, dump, null);
Log.d(TAG, "<<< End dump " + service);
}