Credential FRP: remove GateKeeper
From O-DR, all new credentials will be synthetic password based. A
GateKeeper credential could be enrolled but that would require
`adb shell cmd lock_settings sp 0`.
Credential FRP won't be released before O-DR so there is no need to
handle GateKeeper credentials. The protocol constants have been updated
because they are not yet in use.
Bug: 36814845
Test: runtest frameworks-services -p com.android.server.locksettings
Change-Id: Id0def06bb56fef47f3151f4f5cd0db738b35979f
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java
index 8d53447..a105c84 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -1132,12 +1132,6 @@
fixateNewestUserKeyAuth(userId);
synchronizeUnifiedWorkChallengeForProfiles(userId, null);
notifyActivePasswordMetricsAvailable(null, userId);
-
- if (mStorage.getPersistentDataBlock() != null
- && LockPatternUtils.userOwnsFrpCredential(mUserManager.getUserInfo(userId))) {
- // If owner, write to persistent storage for FRP
- mStorage.writePersistentDataBlock(PersistentData.TYPE_NONE, userId, 0, null);
- }
return;
}
if (credential == null) {
@@ -1190,12 +1184,6 @@
// Refresh the auth token
doVerifyCredential(credential, credentialType, true, 0, userId, null /* progressCallback */);
synchronizeUnifiedWorkChallengeForProfiles(userId, null);
- if (mStorage.getPersistentDataBlock() != null
- && LockPatternUtils.userOwnsFrpCredential(mUserManager.getUserInfo(userId))) {
- // If owner, write to persistent storage for FRP
- mStorage.writePersistentDataBlock(PersistentData.TYPE_GATEKEEPER, userId,
- requestedQuality, willStore.toBytes());
- }
} else {
throw new RemoteException("Failed to enroll " +
(credentialType == LockPatternUtils.CREDENTIAL_TYPE_PASSWORD ? "password"
@@ -1443,18 +1431,12 @@
return response;
}
- final CredentialHash storedHash;
if (userId == USER_FRP) {
- PersistentData data = mStorage.readPersistentDataBlock();
- if (data.type != PersistentData.TYPE_GATEKEEPER) {
- Slog.wtf(TAG, "Expected PersistentData.TYPE_GATEKEEPER, but was: " + data.type);
- return VerifyCredentialResponse.ERROR;
- }
- return verifyFrpCredential(credential, credentialType, data, progressCallback);
- } else {
- storedHash = mStorage.readCredentialHash(userId);
+ Slog.wtf(TAG, "Unexpected FRP credential type, should be SP based.");
+ return VerifyCredentialResponse.ERROR;
}
+ final CredentialHash storedHash = mStorage.readCredentialHash(userId);
if (storedHash.type != credentialType) {
Slog.wtf(TAG, "doVerifyCredential type mismatch with stored credential??"
+ " stored: " + storedHash.type + " passed in: " + credentialType);
@@ -1485,29 +1467,6 @@
return response;
}
- private VerifyCredentialResponse verifyFrpCredential(String credential, int credentialType,
- PersistentData data, ICheckCredentialProgressCallback progressCallback)
- throws RemoteException {
- CredentialHash storedHash = CredentialHash.fromBytes(data.payload);
- if (storedHash.type != credentialType) {
- Slog.wtf(TAG, "doVerifyCredential type mismatch with stored credential??"
- + " stored: " + storedHash.type + " passed in: " + credentialType);
- return VerifyCredentialResponse.ERROR;
- }
- if (ArrayUtils.isEmpty(storedHash.hash) || TextUtils.isEmpty(credential)) {
- Slog.e(TAG, "Stored hash or credential is empty");
- return VerifyCredentialResponse.ERROR;
- }
- VerifyCredentialResponse response = VerifyCredentialResponse.fromGateKeeperResponse(
- getGateKeeperService().verifyChallenge(data.userId, 0 /* challenge */,
- storedHash.hash, credential.getBytes()));
- if (progressCallback != null
- && response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {
- progressCallback.onCredentialVerified();
- }
- return response;
- }
-
@Override
public VerifyCredentialResponse verifyTiedProfileChallenge(String credential, int type,
long challenge, int userId) throws RemoteException {
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsStorage.java b/services/core/java/com/android/server/locksettings/LockSettingsStorage.java
index 79372e48..b4c10ec 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsStorage.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsStorage.java
@@ -635,9 +635,8 @@
static final int VERSION_1_HEADER_SIZE = 1 + 1 + 4 + 4;
public static final int TYPE_NONE = 0;
- public static final int TYPE_GATEKEEPER = 1;
- public static final int TYPE_SP = 2;
- public static final int TYPE_SP_WEAVER = 3;
+ public static final int TYPE_SP = 1;
+ public static final int TYPE_SP_WEAVER = 2;
public static final PersistentData NONE = new PersistentData(TYPE_NONE,
UserHandle.USER_NULL, DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED, null);
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsStorageTests.java b/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsStorageTests.java
index 4c77f62..b0325cb 100644
--- a/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsStorageTests.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/LockSettingsStorageTests.java
@@ -347,11 +347,11 @@
}
public void testPersistentData_serializeUnserialize() {
- byte[] serialized = PersistentData.toBytes(PersistentData.TYPE_GATEKEEPER, SOME_USER_ID,
+ byte[] serialized = PersistentData.toBytes(PersistentData.TYPE_SP, SOME_USER_ID,
DevicePolicyManager.PASSWORD_QUALITY_COMPLEX, PAYLOAD);
PersistentData deserialized = PersistentData.fromBytes(serialized);
- assertEquals(PersistentData.TYPE_GATEKEEPER, deserialized.type);
+ assertEquals(PersistentData.TYPE_SP, deserialized.type);
assertEquals(DevicePolicyManager.PASSWORD_QUALITY_COMPLEX, deserialized.qualityForUi);
assertArrayEquals(PAYLOAD, deserialized.payload);
}
@@ -371,7 +371,7 @@
// the wire format in the future.
byte[] serializedVersion1 = new byte[] {
1, /* PersistentData.VERSION_1 */
- 2, /* PersistentData.TYPE_SP */
+ 1, /* PersistentData.TYPE_SP */
0x00, 0x00, 0x04, 0x0A, /* SOME_USER_ID */
0x00, 0x03, 0x00, 0x00, /* PASSWORD_NUMERIC_COMPLEX */
1, 2, -1, -2, 33, /* PAYLOAD */
@@ -385,9 +385,8 @@
// Make sure the constants we use on the wire do not change.
assertEquals(0, PersistentData.TYPE_NONE);
- assertEquals(1, PersistentData.TYPE_GATEKEEPER);
- assertEquals(2, PersistentData.TYPE_SP);
- assertEquals(3, PersistentData.TYPE_SP_WEAVER);
+ assertEquals(1, PersistentData.TYPE_SP);
+ assertEquals(2, PersistentData.TYPE_SP_WEAVER);
}
public void testCredentialHash_serializeUnserialize() {