Diffstat (limited to 'core/java/android')
-rw-r--r--core/java/android/service/gatekeeper/GateKeeperResponse.aidl24
-rw-r--r--core/java/android/service/gatekeeper/GateKeeperResponse.java120
-rw-r--r--core/java/android/service/gatekeeper/IGateKeeperService.aidl16
3 files changed, 153 insertions, 7 deletions
diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.aidl b/core/java/android/service/gatekeeper/GateKeeperResponse.aidl
new file mode 100644
index 0000000..966606e
--- /dev/null
+++ b/core/java/android/service/gatekeeper/GateKeeperResponse.aidl
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.service.gatekeeper;
+
+/**
+ * Response object for a GateKeeper verification request.
+ * @hide
+ */
+parcelable GateKeeperResponse;
+
diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java
new file mode 100644
index 0000000..a512957
--- /dev/null
+++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.service.gatekeeper;
+
+import android.os.Parcel;
+import android.os.Parcelable;
+
+/**
+ * Response object for a GateKeeper verification request.
+ * @hide
+ */
+public final class GateKeeperResponse implements Parcelable {
+
+ public static final int RESPONSE_ERROR = -1;
+ public static final int RESPONSE_OK = 0;
+ public static final int RESPONSE_RETRY = 1;
+
+ private final int mResponseCode;
+
+ private int mTimeout;
+ private byte[] mPayload;
+ private boolean mShouldReEnroll;
+
+ private GateKeeperResponse(int responseCode) {
+ mResponseCode = responseCode;
+ }
+
+ private GateKeeperResponse(int responseCode, int timeout) {
+ mResponseCode = responseCode;
+ }
+
+ @Override
+ public int describeContents() {
+ return 0;
+ }
+
+ public static final Parcelable.Creator<GateKeeperResponse> CREATOR
+ = new Parcelable.Creator<GateKeeperResponse>() {
+ @Override
+ public GateKeeperResponse createFromParcel(Parcel source) {
+ int responseCode = source.readInt();
+ GateKeeperResponse response = new GateKeeperResponse(responseCode);
+ if (responseCode == RESPONSE_RETRY) {
+ response.setTimeout(source.readInt());
+ } else if (responseCode == RESPONSE_OK) {
+ response.setShouldReEnroll(source.readInt() == 1);
+ int size = source.readInt();
+ if (size > 0) {
+ byte[] payload = new byte[size];
+ source.readByteArray(payload);
+ response.setPayload(payload);
+ }
+ }
+ return response;
+ }
+
+ @Override
+ public GateKeeperResponse[] newArray(int size) {
+ return new GateKeeperResponse[size];
+ }
+
+ };
+
+ @Override
+ public void writeToParcel(Parcel dest, int flags) {
+ dest.writeInt(mResponseCode);
+ if (mResponseCode == RESPONSE_RETRY) {
+ dest.writeInt(mTimeout);
+ } else if (mResponseCode == RESPONSE_OK) {
+ dest.writeInt(mShouldReEnroll ? 1 : 0);
+ if (mPayload != null) {
+ dest.writeInt(mPayload.length);
+ dest.writeByteArray(mPayload);
+ }
+ }
+ }
+
+ public byte[] getPayload() {
+ return mPayload;
+ }
+
+ public int getTimeout() {
+ return mTimeout;
+ }
+
+ public boolean getShouldReEnroll() {
+ return mShouldReEnroll;
+ }
+
+ public int getResponseCode() {
+ return mResponseCode;
+ }
+
+ private void setTimeout(int timeout) {
+ mTimeout = timeout;
+ }
+
+ private void setShouldReEnroll(boolean shouldReEnroll) {
+ mShouldReEnroll = shouldReEnroll;
+ }
+
+ private void setPayload(byte[] payload) {
+ mPayload = payload;
+ }
+
+}
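Review bot: writeToParcel and createFromParcel disagree for a RESPONSE_OK response with no payload: the writer emits nothing after the re-enroll flag when `mPayload` is null, but the reader always calls `source.readInt()` for the size, so it consumes whatever follows this object in the parcel. Writing an explicit zero keeps the two sides aligned: add `} else { dest.writeInt(0); }` after the `if (mPayload != null)` block. In createFromParcel, `new byte[size]` allocates whatever positive length the parcel supplies; checking `size` against `source.dataAvail()` before allocating would avoid a large allocation on a malformed parcel. Separately, the two-argument constructor drops its `timeout` parameter; it should set `mTimeout = timeout;` or be removed, since nothing in this file calls it.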
diff --git a/core/java/android/service/gatekeeper/IGateKeeperService.aidl b/core/java/android/service/gatekeeper/IGateKeeperService.aidl
index 4f46701..6db2110 100644
--- a/core/java/android/service/gatekeeper/IGateKeeperService.aidl
+++ b/core/java/android/service/gatekeeper/IGateKeeperService.aidl
@@ -16,6 +16,8 @@
package android.service.gatekeeper;
+import android.service.gatekeeper.GateKeeperResponse;
+
/**
* Interface for communication with GateKeeper, the
* secure password storage daemon.
@@ -34,9 +36,9 @@ interface IGateKeeperService {
* If provided, must verify against the currentPasswordHandle.
* @param desiredPassword The new desired password, for which a handle will be returned
* upon success.
- * @return the handle corresponding to desiredPassword, or null
+ * @return an EnrollResponse or null on failure
*/
- byte[] enroll(int uid, in byte[] currentPasswordHandle, in byte[] currentPassword,
+ GateKeeperResponse enroll(int uid, in byte[] currentPasswordHandle, in byte[] currentPassword,
in byte[] desiredPassword);
/**
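Review bot: The new `@return` text for enroll names an `EnrollResponse`, and the verify and verifyChallenge hunks below name a `VerifyResponse`, but the declared return type is `GateKeeperResponse` and no type with either name appears in this change. The comments also do not say that a non-null response is not by itself a success: the object can carry RESPONSE_ERROR or RESPONSE_RETRY, and verify previously returned a plain boolean, so callers that only test for null would treat a failed or throttled attempt as authenticated. I would word all three along the lines of `@return a GateKeeperResponse; the call succeeded only if getResponseCode() == RESPONSE_OK, RESPONSE_RETRY carries a timeout, or null on failure`. The interface body starts and ends outside these hunks.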
@@ -45,10 +47,10 @@ interface IGateKeeperService {
* @param enrolledPasswordHandle The handle against which the provided password will be
* verified.
* @param The plaintext blob to verify against enrolledPassword.
- * @return True if the authentication was successful
+ * @return a VerifyResponse, or null on failure.
*/
- boolean verify(int uid, in byte[] enrolledPasswordHandle,
- in byte[] providedPassword);
+ GateKeeperResponse verify(int uid, in byte[] enrolledPasswordHandle, in byte[] providedPassword);
+
/**
* Verifies an enrolled handle against a provided, plaintext blob.
* @param uid The Android user ID associated to this enrollment
@@ -58,9 +60,9 @@ interface IGateKeeperService {
* @param enrolledPasswordHandle The handle against which the provided password will be
* verified.
* @param The plaintext blob to verify against enrolledPassword.
- * @return an opaque attestation of authentication on success, or null.
+ * @return a VerifyResponse with an attestation, or null on failure.
*/
- byte[] verifyChallenge(int uid, long challenge, in byte[] enrolledPasswordHandle,
+ GateKeeperResponse verifyChallenge(int uid, long challenge, in byte[] enrolledPasswordHandle,
in byte[] providedPassword);
/**