services/core/java/com/android/server/biometrics/AuthenticationClient.java - platform/frameworks/base - Gitiles

 /*
  * Copyright (C) 2018 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License
  */

 package com.android.server.biometrics;

 import android.content.Context;
 import android.hardware.biometrics.BiometricAuthenticator;
 import android.hardware.biometrics.BiometricConstants;
 import android.hardware.biometrics.BiometricPrompt;
 import android.hardware.biometrics.IBiometricPromptReceiver;
 import android.os.Bundle;
 import android.os.Handler;
 import android.os.IBinder;
 import android.os.Looper;
 import android.os.RemoteException;
 import android.security.KeyStore;
 import android.util.Slog;

 import com.android.internal.statusbar.IStatusBarService;

 import java.util.ArrayList;

 /**
  * A class to keep track of the authentication state for a given client.
  */
 public abstract class AuthenticationClient extends ClientMonitor {
     private long mOpId;
     private Handler mHandler;

     public abstract int handleFailedAttempt();
     public abstract void resetFailedAttempts();
     public abstract String getErrorString(int error, int vendorCode);
     public abstract String getAcquiredString(int acquireInfo, int vendorCode);
     /**
       * @return one of {@link #TYPE_FINGERPRINT} {@link #TYPE_IRIS} or {@link #TYPE_FACE}
       */
     public abstract int getBiometricType();

     public static final int LOCKOUT_NONE = 0;
     public static final int LOCKOUT_TIMED = 1;
     public static final int LOCKOUT_PERMANENT = 2;

     private final boolean mRequireConfirmation;
     // Callback mechanism received from the client
     // (BiometricPrompt -> BiometricPromptService -> <Biometric>Service -> AuthenticationClient)
     private IBiometricPromptReceiver mDialogReceiverFromClient;
     private Bundle mBundle;
     private IStatusBarService mStatusBarService;
     private boolean mInLockout;
     private TokenEscrow mEscrow;
     protected boolean mDialogDismissed;

     /**
      * Container that holds the identifier and authToken. For biometrics that require user
      * confirmation, these should not be sent to their final destinations until the user confirms.
      */
     class TokenEscrow {
         final BiometricAuthenticator.Identifier mIdentifier;
         final ArrayList<Byte> mToken;

         TokenEscrow(BiometricAuthenticator.Identifier identifier, ArrayList<Byte> token) {
             mIdentifier = identifier;
             mToken = token;
         }

         BiometricAuthenticator.Identifier getIdentifier() {
             return mIdentifier;
         }

         ArrayList<Byte> getToken() {
             return mToken;
         }
     }

     // Receives events from SystemUI and handles them before forwarding them to BiometricDialog
     protected IBiometricPromptReceiver mDialogReceiver = new IBiometricPromptReceiver.Stub() {
         @Override // binder call
         public void onDialogDismissed(int reason) {
             if (mBundle != null && mDialogReceiverFromClient != null) {
                 try {
                     if (reason != BiometricPrompt.DISMISSED_REASON_POSITIVE) {
                         // Positive button is used by passive modalities as a "confirm" button,
                         // do not send to client
                         mDialogReceiverFromClient.onDialogDismissed(reason);
                     }
                     if (reason == BiometricPrompt.DISMISSED_REASON_USER_CANCEL) {
                         onError(getHalDeviceId(), BiometricConstants.BIOMETRIC_ERROR_USER_CANCELED,
                                 0 /* vendorCode */);
                     } else if (reason == BiometricPrompt.DISMISSED_REASON_POSITIVE) {
                         // Have the service send the token to KeyStore, and send onAuthenticated
                         // to the application.
                         if (mEscrow != null) {
                             if (DEBUG) Slog.d(getLogTag(), "Confirmed");
                             addTokenToKeyStore(mEscrow.getToken());
                             notifyClientAuthenticationSucceeded(mEscrow.getIdentifier());
                             mEscrow = null;
                             onAuthenticationConfirmed();
                         } else {
                             Slog.e(getLogTag(), "Escrow is null!!!");
                         }
                     }
                     mDialogDismissed = true;
                 } catch (RemoteException e) {
                     Slog.e(getLogTag(), "Remote exception", e);
                 }
                 stop(true /* initiatedByClient */);
             }
         }
     };

     /**
      * This method is called when authentication starts.
      */
     public abstract void onStart();

     /**
      * This method is called when a biometric is authenticated or authentication is stopped
      * (cancelled by the user, or an error such as lockout has occurred).
      */
     public abstract void onStop();

     /**
      * This method is called when biometric authentication was confirmed by the user. The client
      * should be removed.
      */
     public abstract void onAuthenticationConfirmed();

     public AuthenticationClient(Context context, Metrics metrics,
             BiometricServiceBase.DaemonWrapper daemon, long halDeviceId, IBinder token,
             BiometricServiceBase.ServiceListener listener, int targetUserId, int groupId, long opId,
             boolean restricted, String owner, Bundle bundle,
             IBiometricPromptReceiver dialogReceiver, IStatusBarService statusBarService,
             boolean requireConfirmation) {
         super(context, metrics, daemon, halDeviceId, token, listener, targetUserId, groupId,
                 restricted, owner);
         mOpId = opId;
         mBundle = bundle;
         mDialogReceiverFromClient = dialogReceiver;
         mStatusBarService = statusBarService;
         mHandler = new Handler(Looper.getMainLooper());
         mRequireConfirmation = requireConfirmation;
     }

     @Override
     public void binderDied() {
         super.binderDied();
         // When the binder dies, we should stop the client. This probably belongs in
         // ClientMonitor's binderDied(), but testing all the cases would be tricky.
         // AuthenticationClient is the most user-visible case.
         stop(false /* initiatedByClient */);
     }

     @Override
     public boolean onAcquired(int acquiredInfo, int vendorCode) {
         // If the dialog is showing, the client doesn't need to receive onAcquired messages.
         if (mBundle != null) {
             try {
                 if (acquiredInfo != BiometricConstants.BIOMETRIC_ACQUIRED_GOOD) {
                     mStatusBarService.onBiometricHelp(getAcquiredString(acquiredInfo, vendorCode));
                 }
                 return false; // acquisition continues
             } catch (RemoteException e) {
                 Slog.e(getLogTag(), "Remote exception when sending acquired message", e);
                 return true; // client failed
             } finally {
                 // Good scans will keep the device awake
                 if (acquiredInfo == BiometricConstants.BIOMETRIC_ACQUIRED_GOOD) {
                     notifyUserActivity();
                 }
             }
         } else {
             return super.onAcquired(acquiredInfo, vendorCode);
         }
     }

     @Override
     public boolean onError(long deviceId, int error, int vendorCode) {
         if (mDialogDismissed) {
             // If user cancels authentication, the application has already received the
             // ERROR_USER_CANCELED message from onDialogDismissed()
             // and stopped the biometric hardware, so there is no need to send a
             // ERROR_CANCELED message.
             return true;
         }
         if (mBundle != null) {
             try {
                 mStatusBarService.onBiometricError(getErrorString(error, vendorCode));
             } catch (RemoteException e) {
                 Slog.e(getLogTag(), "Remote exception when sending error", e);
             }
         }
         return super.onError(deviceId, error, vendorCode);
     }

     private void notifyClientAuthenticationSucceeded(BiometricAuthenticator.Identifier identifier)
             throws RemoteException {
         final BiometricServiceBase.ServiceListener listener = getListener();
         // Explicitly have if/else here to make it super obvious in case the code is
         // touched in the future.
         if (!getIsRestricted()) {
             listener.onAuthenticationSucceeded(
                     getHalDeviceId(), identifier, getTargetUserId());
         } else {
             listener.onAuthenticationSucceeded(
                     getHalDeviceId(), null, getTargetUserId());
         }
     }

     private void addTokenToKeyStore(ArrayList<Byte> token) {
         // Send the token to KeyStore
         final byte[] byteToken = new byte[token.size()];
         for (int i = 0; i < token.size(); i++) {
             byteToken[i] = token.get(i);
         }
         KeyStore.getInstance().addAuthToken(byteToken);
     }

     @Override
     public boolean onAuthenticated(BiometricAuthenticator.Identifier identifier,
             boolean authenticated, ArrayList<Byte> token) {
         if (authenticated) {
             if (mRequireConfirmation) {
                 // Store the token so it can be sent to keystore after the user presses confirm
                 mEscrow = new TokenEscrow(identifier, token);
             } else {
                 addTokenToKeyStore(token);
             }
         }

         boolean result = false;

         // If the biometric dialog is showing, notify authentication succeeded
         if (mBundle != null) {
             try {
                 if (authenticated) {
                     mStatusBarService.onBiometricAuthenticated();
                 } else {
                     mStatusBarService.onBiometricHelp(getContext().getResources().getString(
                             com.android.internal.R.string.biometric_not_recognized));
                 }
             } catch (RemoteException e) {
                 Slog.e(getLogTag(), "Failed to notify Authenticated:", e);
             }
         }

         final BiometricServiceBase.ServiceListener listener = getListener();
         if (listener != null) {
             try {
                 mMetricsLogger.action(mMetrics.actionBiometricAuth(), authenticated);
                 if (!authenticated) {
                     listener.onAuthenticationFailed(getHalDeviceId());
                 } else {
                     if (DEBUG) {
                         Slog.v(getLogTag(), "onAuthenticated(owner=" + getOwnerString()
                                 + ", id=" + identifier.getBiometricId());
                     }
                     if (!mRequireConfirmation) {
                         notifyClientAuthenticationSucceeded(identifier);
                     }
                 }
             } catch (RemoteException e) {
                 Slog.w(getLogTag(), "Failed to notify Authenticated:", e);
                 result = true; // client failed
             }
         } else {
             result = true; // client not listening
         }
         if (!authenticated) {
             if (listener != null) {
                 vibrateError();
             }
             // allow system-defined limit of number of attempts before giving up
             int lockoutMode =  handleFailedAttempt();
             if (lockoutMode != LOCKOUT_NONE) {
                 try {
                     mInLockout = true;
                     Slog.w(getLogTag(), "Forcing lockout (fp driver code should do this!), mode(" +
                             lockoutMode + ")");
                     stop(false);
                     int errorCode = lockoutMode == LOCKOUT_TIMED ?
                             BiometricConstants.BIOMETRIC_ERROR_LOCKOUT :
                             BiometricConstants.BIOMETRIC_ERROR_LOCKOUT_PERMANENT;

                     // Send the lockout message to the system dialog
                     if (mBundle != null) {
                         mStatusBarService.onBiometricError(
                                 getErrorString(errorCode, 0 /* vendorCode */));
                         mHandler.postDelayed(() -> {
                             try {
                                 listener.onError(getHalDeviceId(), errorCode, 0 /* vendorCode */);
                             } catch (RemoteException e) {
                                 Slog.w(getLogTag(), "RemoteException while sending error");
                             }
                         }, BiometricPrompt.HIDE_DIALOG_DELAY);
                     } else {
                         listener.onError(getHalDeviceId(), errorCode, 0 /* vendorCode */);
                     }
                 } catch (RemoteException e) {
                     Slog.w(getLogTag(), "Failed to notify lockout:", e);
                 }
             }
             result |= lockoutMode != LOCKOUT_NONE; // in a lockout mode
         } else {
             if (listener != null) {
                 vibrateSuccess();
             }
             // we have a valid biometric that doesn't require confirmation, done
             result |= !mRequireConfirmation;
             resetFailedAttempts();
             onStop();
         }
         return result;
     }

     /**
      * Start authentication
      */
     @Override
     public int start() {
         onStart();
         try {
             final int result = getDaemonWrapper().authenticate(mOpId, getGroupId());
             if (result != 0) {
                 Slog.w(getLogTag(), "startAuthentication failed, result=" + result);
                 mMetricsLogger.histogram(mMetrics.tagAuthStartError(), result);
                 onError(getHalDeviceId(), BiometricConstants.BIOMETRIC_ERROR_HW_UNAVAILABLE,
                         0 /* vendorCode */);
                 return result;
             }
             if (DEBUG) Slog.w(getLogTag(), "client " + getOwnerString() + " is authenticating...");

             // If authenticating with system dialog, show the dialog
             if (mBundle != null) {
                 try {
                     mStatusBarService.showBiometricDialog(mBundle, mDialogReceiver,
                             getBiometricType(), mRequireConfirmation);
                 } catch (RemoteException e) {
                     Slog.e(getLogTag(), "Unable to show biometric dialog", e);
                 }
             }
         } catch (RemoteException e) {
             Slog.e(getLogTag(), "startAuthentication failed", e);
             return ERROR_ESRCH;
         }
         return 0; // success
     }

     @Override
     public int stop(boolean initiatedByClient) {
         if (mAlreadyCancelled) {
             Slog.w(getLogTag(), "stopAuthentication: already cancelled!");
             return 0;
         }

         onStop();

         try {
             final int result = getDaemonWrapper().cancel();
             if (result != 0) {
                 Slog.w(getLogTag(), "stopAuthentication failed, result=" + result);
                 return result;
             }
             if (DEBUG) Slog.w(getLogTag(), "client " + getOwnerString() +
                     " is no longer authenticating");
         } catch (RemoteException e) {
             Slog.e(getLogTag(), "stopAuthentication failed", e);
             return ERROR_ESRCH;
         } finally {
             // If the user already cancelled authentication (via some interaction with the
             // dialog, we do not need to hide it since it's already hidden.
             // If the device is in lockout, don't hide the dialog - it will automatically hide
             // after BiometricPrompt.HIDE_DIALOG_DELAY
             if (mBundle != null && !mDialogDismissed && !mInLockout) {
                 try {
                     mStatusBarService.hideBiometricDialog();
                 } catch (RemoteException e) {
                     Slog.e(getLogTag(), "Unable to hide biometric dialog", e);
                 }
             }
         }

         mAlreadyCancelled = true;
         return 0; // success
     }

     @Override
     public boolean onEnrollResult(BiometricAuthenticator.Identifier identifier,
             int remaining) {
         if (DEBUG) Slog.w(getLogTag(), "onEnrollResult() called for authenticate!");
         return true; // Invalid for Authenticate
     }

     @Override
     public boolean onRemoved(BiometricAuthenticator.Identifier identifier, int remaining) {
         if (DEBUG) Slog.w(getLogTag(), "onRemoved() called for authenticate!");
         return true; // Invalid for Authenticate
     }

     @Override
     public boolean onEnumerationResult(BiometricAuthenticator.Identifier identifier,
             int remaining) {
         if (DEBUG) Slog.w(getLogTag(), "onEnumerationResult() called for authenticate!");
         return true; // Invalid for Authenticate
     }
 }
	/*
	* Copyright (C) 2018 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License
	*/

	package com.android.server.biometrics;

	import android.content.Context;
	import android.hardware.biometrics.BiometricAuthenticator;
	import android.hardware.biometrics.BiometricConstants;
	import android.hardware.biometrics.BiometricPrompt;
	import android.hardware.biometrics.IBiometricPromptReceiver;
	import android.os.Bundle;
	import android.os.Handler;
	import android.os.IBinder;
	import android.os.Looper;
	import android.os.RemoteException;
	import android.security.KeyStore;
	import android.util.Slog;

	import com.android.internal.statusbar.IStatusBarService;

	import java.util.ArrayList;

	/**
	* A class to keep track of the authentication state for a given client.
	*/
	public abstract class AuthenticationClient extends ClientMonitor {
	private long mOpId;
	private Handler mHandler;

	public abstract int handleFailedAttempt();
	public abstract void resetFailedAttempts();
	public abstract String getErrorString(int error, int vendorCode);
	public abstract String getAcquiredString(int acquireInfo, int vendorCode);
	/**
	* @return one of {@link #TYPE_FINGERPRINT} {@link #TYPE_IRIS} or {@link #TYPE_FACE}
	*/
	public abstract int getBiometricType();

	public static final int LOCKOUT_NONE = 0;
	public static final int LOCKOUT_TIMED = 1;
	public static final int LOCKOUT_PERMANENT = 2;

	private final boolean mRequireConfirmation;
	// Callback mechanism received from the client
	// (BiometricPrompt -> BiometricPromptService -> <Biometric>Service -> AuthenticationClient)
	private IBiometricPromptReceiver mDialogReceiverFromClient;
	private Bundle mBundle;
	private IStatusBarService mStatusBarService;
	private boolean mInLockout;
	private TokenEscrow mEscrow;
	protected boolean mDialogDismissed;

	/**
	* Container that holds the identifier and authToken. For biometrics that require user
	* confirmation, these should not be sent to their final destinations until the user confirms.
	*/
	class TokenEscrow {
	final BiometricAuthenticator.Identifier mIdentifier;
	final ArrayList<Byte> mToken;

	TokenEscrow(BiometricAuthenticator.Identifier identifier, ArrayList<Byte> token) {
	mIdentifier = identifier;
	mToken = token;
	}

	BiometricAuthenticator.Identifier getIdentifier() {
	return mIdentifier;
	}

	ArrayList<Byte> getToken() {
	return mToken;
	}
	}

	// Receives events from SystemUI and handles them before forwarding them to BiometricDialog
	protected IBiometricPromptReceiver mDialogReceiver = new IBiometricPromptReceiver.Stub() {
	@Override // binder call
	public void onDialogDismissed(int reason) {
	if (mBundle != null && mDialogReceiverFromClient != null) {
	try {
	if (reason != BiometricPrompt.DISMISSED_REASON_POSITIVE) {
	// Positive button is used by passive modalities as a "confirm" button,
	// do not send to client
	mDialogReceiverFromClient.onDialogDismissed(reason);
	}
	if (reason == BiometricPrompt.DISMISSED_REASON_USER_CANCEL) {
	onError(getHalDeviceId(), BiometricConstants.BIOMETRIC_ERROR_USER_CANCELED,
	0 /* vendorCode */);
	} else if (reason == BiometricPrompt.DISMISSED_REASON_POSITIVE) {
	// Have the service send the token to KeyStore, and send onAuthenticated
	// to the application.
	if (mEscrow != null) {
	if (DEBUG) Slog.d(getLogTag(), "Confirmed");
	addTokenToKeyStore(mEscrow.getToken());
	notifyClientAuthenticationSucceeded(mEscrow.getIdentifier());
	mEscrow = null;
	onAuthenticationConfirmed();
	} else {
	Slog.e(getLogTag(), "Escrow is null!!!");
	}
	}
	mDialogDismissed = true;
	} catch (RemoteException e) {
	Slog.e(getLogTag(), "Remote exception", e);
	}
	stop(true /* initiatedByClient */);
	}
	}
	};

	/**
	* This method is called when authentication starts.
	*/
	public abstract void onStart();

	/**
	* This method is called when a biometric is authenticated or authentication is stopped
	* (cancelled by the user, or an error such as lockout has occurred).
	*/
	public abstract void onStop();

	/**
	* This method is called when biometric authentication was confirmed by the user. The client
	* should be removed.
	*/
	public abstract void onAuthenticationConfirmed();

	public AuthenticationClient(Context context, Metrics metrics,
	BiometricServiceBase.DaemonWrapper daemon, long halDeviceId, IBinder token,
	BiometricServiceBase.ServiceListener listener, int targetUserId, int groupId, long opId,
	boolean restricted, String owner, Bundle bundle,
	IBiometricPromptReceiver dialogReceiver, IStatusBarService statusBarService,
	boolean requireConfirmation) {
	super(context, metrics, daemon, halDeviceId, token, listener, targetUserId, groupId,
	restricted, owner);
	mOpId = opId;
	mBundle = bundle;
	mDialogReceiverFromClient = dialogReceiver;
	mStatusBarService = statusBarService;
	mHandler = new Handler(Looper.getMainLooper());
	mRequireConfirmation = requireConfirmation;
	}

	@Override
	public void binderDied() {
	super.binderDied();
	// When the binder dies, we should stop the client. This probably belongs in
	// ClientMonitor's binderDied(), but testing all the cases would be tricky.
	// AuthenticationClient is the most user-visible case.
	stop(false /* initiatedByClient */);
	}

	@Override
	public boolean onAcquired(int acquiredInfo, int vendorCode) {
	// If the dialog is showing, the client doesn't need to receive onAcquired messages.
	if (mBundle != null) {
	try {
	if (acquiredInfo != BiometricConstants.BIOMETRIC_ACQUIRED_GOOD) {
	mStatusBarService.onBiometricHelp(getAcquiredString(acquiredInfo, vendorCode));
	}
	return false; // acquisition continues
	} catch (RemoteException e) {
	Slog.e(getLogTag(), "Remote exception when sending acquired message", e);
	return true; // client failed
	} finally {
	// Good scans will keep the device awake
	if (acquiredInfo == BiometricConstants.BIOMETRIC_ACQUIRED_GOOD) {
	notifyUserActivity();
	}
	}
	} else {
	return super.onAcquired(acquiredInfo, vendorCode);
	}
	}

	@Override
	public boolean onError(long deviceId, int error, int vendorCode) {
	if (mDialogDismissed) {
	// If user cancels authentication, the application has already received the
	// ERROR_USER_CANCELED message from onDialogDismissed()
	// and stopped the biometric hardware, so there is no need to send a
	// ERROR_CANCELED message.
	return true;
	}
	if (mBundle != null) {
	try {
	mStatusBarService.onBiometricError(getErrorString(error, vendorCode));
	} catch (RemoteException e) {
	Slog.e(getLogTag(), "Remote exception when sending error", e);
	}
	}
	return super.onError(deviceId, error, vendorCode);
	}

	private void notifyClientAuthenticationSucceeded(BiometricAuthenticator.Identifier identifier)
	throws RemoteException {
	final BiometricServiceBase.ServiceListener listener = getListener();
	// Explicitly have if/else here to make it super obvious in case the code is
	// touched in the future.
	if (!getIsRestricted()) {
	listener.onAuthenticationSucceeded(
	getHalDeviceId(), identifier, getTargetUserId());
	} else {
	listener.onAuthenticationSucceeded(
	getHalDeviceId(), null, getTargetUserId());
	}
	}

	private void addTokenToKeyStore(ArrayList<Byte> token) {
	// Send the token to KeyStore
	final byte[] byteToken = new byte[token.size()];
	for (int i = 0; i < token.size(); i++) {
	byteToken[i] = token.get(i);
	}
	KeyStore.getInstance().addAuthToken(byteToken);
	}

	@Override
	public boolean onAuthenticated(BiometricAuthenticator.Identifier identifier,
	boolean authenticated, ArrayList<Byte> token) {
	if (authenticated) {
	if (mRequireConfirmation) {
	// Store the token so it can be sent to keystore after the user presses confirm
	mEscrow = new TokenEscrow(identifier, token);
	} else {
	addTokenToKeyStore(token);
	}
	}

	boolean result = false;

	// If the biometric dialog is showing, notify authentication succeeded
	if (mBundle != null) {
	try {
	if (authenticated) {
	mStatusBarService.onBiometricAuthenticated();
	} else {
	mStatusBarService.onBiometricHelp(getContext().getResources().getString(
	com.android.internal.R.string.biometric_not_recognized));
	}
	} catch (RemoteException e) {
	Slog.e(getLogTag(), "Failed to notify Authenticated:", e);
	}
	}

	final BiometricServiceBase.ServiceListener listener = getListener();
	if (listener != null) {
	try {
	mMetricsLogger.action(mMetrics.actionBiometricAuth(), authenticated);
	if (!authenticated) {
	listener.onAuthenticationFailed(getHalDeviceId());
	} else {
	if (DEBUG) {
	Slog.v(getLogTag(), "onAuthenticated(owner=" + getOwnerString()
	+ ", id=" + identifier.getBiometricId());
	}
	if (!mRequireConfirmation) {
	notifyClientAuthenticationSucceeded(identifier);
	}
	}
	} catch (RemoteException e) {
	Slog.w(getLogTag(), "Failed to notify Authenticated:", e);
	result = true; // client failed
	}
	} else {
	result = true; // client not listening
	}
	if (!authenticated) {
	if (listener != null) {
	vibrateError();
	}
	// allow system-defined limit of number of attempts before giving up
	int lockoutMode = handleFailedAttempt();
	if (lockoutMode != LOCKOUT_NONE) {
	try {
	mInLockout = true;
	Slog.w(getLogTag(), "Forcing lockout (fp driver code should do this!), mode(" +
	lockoutMode + ")");
	stop(false);
	int errorCode = lockoutMode == LOCKOUT_TIMED ?
	BiometricConstants.BIOMETRIC_ERROR_LOCKOUT :
	BiometricConstants.BIOMETRIC_ERROR_LOCKOUT_PERMANENT;

	// Send the lockout message to the system dialog
	if (mBundle != null) {
	mStatusBarService.onBiometricError(
	getErrorString(errorCode, 0 /* vendorCode */));
	mHandler.postDelayed(() -> {
	try {
	listener.onError(getHalDeviceId(), errorCode, 0 /* vendorCode */);
	} catch (RemoteException e) {
	Slog.w(getLogTag(), "RemoteException while sending error");
	}
	}, BiometricPrompt.HIDE_DIALOG_DELAY);
	} else {
	listener.onError(getHalDeviceId(), errorCode, 0 /* vendorCode */);
	}
	} catch (RemoteException e) {
	Slog.w(getLogTag(), "Failed to notify lockout:", e);
	}
	}
	result \|= lockoutMode != LOCKOUT_NONE; // in a lockout mode
	} else {
	if (listener != null) {
	vibrateSuccess();
	}
	// we have a valid biometric that doesn't require confirmation, done
	result \|= !mRequireConfirmation;
	resetFailedAttempts();
	onStop();
	}
	return result;
	}

	/**
	* Start authentication
	*/
	@Override
	public int start() {
	onStart();
	try {
	final int result = getDaemonWrapper().authenticate(mOpId, getGroupId());
	if (result != 0) {
	Slog.w(getLogTag(), "startAuthentication failed, result=" + result);
	mMetricsLogger.histogram(mMetrics.tagAuthStartError(), result);
	onError(getHalDeviceId(), BiometricConstants.BIOMETRIC_ERROR_HW_UNAVAILABLE,
	0 /* vendorCode */);
	return result;
	}
	if (DEBUG) Slog.w(getLogTag(), "client " + getOwnerString() + " is authenticating...");

	// If authenticating with system dialog, show the dialog
	if (mBundle != null) {
	try {
	mStatusBarService.showBiometricDialog(mBundle, mDialogReceiver,
	getBiometricType(), mRequireConfirmation);
	} catch (RemoteException e) {
	Slog.e(getLogTag(), "Unable to show biometric dialog", e);
	}
	}
	} catch (RemoteException e) {
	Slog.e(getLogTag(), "startAuthentication failed", e);
	return ERROR_ESRCH;
	}
	return 0; // success
	}

	@Override
	public int stop(boolean initiatedByClient) {
	if (mAlreadyCancelled) {
	Slog.w(getLogTag(), "stopAuthentication: already cancelled!");
	return 0;
	}

	onStop();

	try {
	final int result = getDaemonWrapper().cancel();
	if (result != 0) {
	Slog.w(getLogTag(), "stopAuthentication failed, result=" + result);
	return result;
	}
	if (DEBUG) Slog.w(getLogTag(), "client " + getOwnerString() +
	" is no longer authenticating");
	} catch (RemoteException e) {
	Slog.e(getLogTag(), "stopAuthentication failed", e);
	return ERROR_ESRCH;
	} finally {
	// If the user already cancelled authentication (via some interaction with the
	// dialog, we do not need to hide it since it's already hidden.
	// If the device is in lockout, don't hide the dialog - it will automatically hide
	// after BiometricPrompt.HIDE_DIALOG_DELAY
	if (mBundle != null && !mDialogDismissed && !mInLockout) {
	try {
	mStatusBarService.hideBiometricDialog();
	} catch (RemoteException e) {
	Slog.e(getLogTag(), "Unable to hide biometric dialog", e);
	}
	}
	}

	mAlreadyCancelled = true;
	return 0; // success
	}

	@Override
	public boolean onEnrollResult(BiometricAuthenticator.Identifier identifier,
	int remaining) {
	if (DEBUG) Slog.w(getLogTag(), "onEnrollResult() called for authenticate!");
	return true; // Invalid for Authenticate
	}

	@Override
	public boolean onRemoved(BiometricAuthenticator.Identifier identifier, int remaining) {
	if (DEBUG) Slog.w(getLogTag(), "onRemoved() called for authenticate!");
	return true; // Invalid for Authenticate
	}

	@Override
	public boolean onEnumerationResult(BiometricAuthenticator.Identifier identifier,
	int remaining) {
	if (DEBUG) Slog.w(getLogTag(), "onEnumerationResult() called for authenticate!");
	return true; // Invalid for Authenticate
	}
	}