Do not require USE_FINGERPRINT for getAuthenticatorId.

This removes the requirement to hold the USE_FINGERPRINT permission to successfully invoke FingerprintManager.getAuthenticatorId(). This is needed because Android Keystore classes which run inside app processes occasionally need to access this authenticator ID. The access however is not necessarily triggered by the developer using APIs to do with fingerprints. Thus, if an app does not hold the USE_FINGERPRINT permission and uses Android Keystore API, it may unexpectedly encounter a SecurityException. It's OK to provide access to authenticator ID without requiring USE_FINGERPRINT permission because there are other ways to access this ID without holding that permission, such as though hidden KeyStore API. Once Android Keystore code is restructured to no longer require access to authenticator ID, this CL can be reverted. Bug: 21030147 Change-Id: I9af29830abce34c46e29e5c1682cc3ab88c95c00
author: Alex Klyubin <klyubin@google.com> 2015-06-11 13:27:34 -0700
committer: Alex Klyubin <klyubin@google.com> 2015-06-11 13:41:04 -0700
commit: a99b8b5e3fe456b74b9f86e12bebebb5e418f58e (patch)
tree: f0d63f11cf4443531abc30effc3c4d9b9e8a0193 /keystore
parent: 8a26514687ccf651eb73d5acdd3ae7c62d247d97 (diff)
download: frameworks_base-a99b8b5e3fe456b74b9f86e12bebebb5e418f58e.zip
frameworks_base-a99b8b5e3fe456b74b9f86e12bebebb5e418f58e.tar.gz
frameworks_base-a99b8b5e3fe456b74b9f86e12bebebb5e418f58e.tar.bz2
2 files changed, 9 insertions, 20 deletions
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
index 35fcda6..6a08368 100644
--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
@@ -108,15 +108,10 @@ public class KeyStore {
     }
 
     public static Context getApplicationContext() {
-        ActivityThread activityThread = ActivityThread.currentActivityThread();
-        if (activityThread == null) {
-            throw new IllegalStateException(
-                    "Failed to obtain application Context: no ActivityThread");
-        }
-        Application application = activityThread.getApplication();
+        Application application = ActivityThread.currentApplication();
         if (application == null) {
             throw new IllegalStateException(
-                    "Failed to obtain application Context: no Application");
+                    "Failed to obtain application Context from ActivityThread");
         }
         return application;
     }
@@ -698,16 +693,13 @@ public class KeyStore {
     }
 
     private long getFingerprintOnlySid() {
-        FingerprintManager fingerprintManager =
-                mContext.getSystemService(FingerprintManager.class);
+        FingerprintManager fingerprintManager = mContext.getSystemService(FingerprintManager.class);
         if (fingerprintManager == null) {
             return 0;
         }
 
-        if (!fingerprintManager.isHardwareDetected()) {
-            return 0;
-        }
-
+        // TODO: Restore USE_FINGERPRINT permission check in
+        // FingerprintManager.getAuthenticatorId once the ID is no longer needed here.
         return fingerprintManager.getAuthenticatorId();
     }
 
diff --git a/keystore/java/android/security/keystore/KeymasterUtils.java b/keystore/java/android/security/keystore/KeymasterUtils.java
index 0639d49..4b37d90 100644
--- a/keystore/java/android/security/keystore/KeymasterUtils.java
+++ b/keystore/java/android/security/keystore/KeymasterUtils.java
@@ -101,13 +101,10 @@ public abstract class KeymasterUtils {
             // fingerprint-only auth.
             FingerprintManager fingerprintManager =
                     KeyStore.getApplicationContext().getSystemService(FingerprintManager.class);
-            if ((fingerprintManager == null) || (!fingerprintManager.isHardwareDetected())) {
-                throw new IllegalStateException(
-                        "This device does not support keys which require authentication for every"
-                        + " use -- this requires fingerprint authentication which is not"
-                        + " available on this device");
-            }
-            long fingerprintOnlySid = fingerprintManager.getAuthenticatorId();
+            // TODO: Restore USE_FINGERPRINT permission check in
+            // FingerprintManager.getAuthenticatorId once the ID is no longer needed here.
+            long fingerprintOnlySid =
+                    (fingerprintManager != null) ? fingerprintManager.getAuthenticatorId() : 0;
             if (fingerprintOnlySid == 0) {
                 throw new IllegalStateException(
                         "At least one fingerprint must be enrolled to create keys requiring user"
author	Alex Klyubin <klyubin@google.com>	2015-06-11 13:27:34 -0700
committer	Alex Klyubin <klyubin@google.com>	2015-06-11 13:41:04 -0700
commit	a99b8b5e3fe456b74b9f86e12bebebb5e418f58e (patch)
tree	f0d63f11cf4443531abc30effc3c4d9b9e8a0193 /keystore
parent	8a26514687ccf651eb73d5acdd3ae7c62d247d97 (diff)
download	frameworks_base-a99b8b5e3fe456b74b9f86e12bebebb5e418f58e.zip frameworks_base-a99b8b5e3fe456b74b9f86e12bebebb5e418f58e.tar.gz frameworks_base-a99b8b5e3fe456b74b9f86e12bebebb5e418f58e.tar.bz2