Revert "Swap the order of synthetic password wrapping"

* To be reverted. This reverts commit 926c144.
crdroidandroid · Feb 12, 2018 · 0a431cf · 0a431cf · gwolf2u · Mar 9, 2018
1 parent 31ea6ba
commit 0a431cf
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 38 deletions.
diff --git a/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java b/services/core/java/com/android/server/locksettings/SyntheticPasswordCrypto.java
@@ -112,28 +112,14 @@ public static byte[] decrypt(byte[] keyBytes, byte[] personalisation, byte[] cip
         }
     }
 
-    public static byte[] decryptBlobV1(String keyAlias, byte[] blob, byte[] applicationId) {
+    public static byte[] decryptBlob(String keyAlias, byte[] blob, byte[] applicationId) {
         try {
             KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
             keyStore.load(null);
 
             SecretKey decryptionKey = (SecretKey) keyStore.getKey(keyAlias, null);
             byte[] intermediate = decrypt(applicationId, APPLICATION_ID_PERSONALIZATION, blob);
             return decrypt(decryptionKey, intermediate);
-        } catch (Exception e) {
-            e.printStackTrace();
-            throw new RuntimeException("Failed to decrypt blob", e);
-        }
-    }
-
-    public static byte[] decryptBlob(String keyAlias, byte[] blob, byte[] applicationId) {
-        try {
-            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
-            keyStore.load(null);
-
-            SecretKey decryptionKey = (SecretKey) keyStore.getKey(keyAlias, null);
-            byte[] intermediate = decrypt(decryptionKey, blob);
-            return decrypt(applicationId, APPLICATION_ID_PERSONALIZATION, intermediate);
         } catch (CertificateException | IOException | BadPaddingException
                 | IllegalBlockSizeException
                 | KeyStoreException | NoSuchPaddingException | NoSuchAlgorithmException
@@ -164,8 +150,9 @@ public static byte[] createBlob(String keyAlias, byte[] data, byte[] application
             keyStore.setEntry(keyAlias,
                     new KeyStore.SecretKeyEntry(secretKey),
                     builder.build());
-            byte[] intermediate = encrypt(applicationId, APPLICATION_ID_PERSONALIZATION, data);
-            return encrypt(secretKey, intermediate);
+            byte[] intermediate = encrypt(secretKey, data);
+            return encrypt(applicationId, APPLICATION_ID_PERSONALIZATION, intermediate);
+
         } catch (CertificateException | IOException | BadPaddingException
                 | IllegalBlockSizeException
                 | KeyStoreException | NoSuchPaddingException | NoSuchAlgorithmException

diff --git a/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java b/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java
@@ -101,8 +101,7 @@ public class SyntheticPasswordManager {
     private static final byte WEAVER_VERSION = 1;
     private static final int INVALID_WEAVER_SLOT = -1;
 
-    private static final byte SYNTHETIC_PASSWORD_VERSION_V1 = 1;
-    private static final byte SYNTHETIC_PASSWORD_VERSION = 2;
+    private static final byte SYNTHETIC_PASSWORD_VERSION = 1;
     private static final byte SYNTHETIC_PASSWORD_PASSWORD_BASED = 0;
     private static final byte SYNTHETIC_PASSWORD_TOKEN_BASED = 1;
 
@@ -793,7 +792,6 @@ public AuthenticationResult unwrapPasswordBasedSyntheticPassword(IGateKeeperServ
         byte[] pwdToken = computePasswordToken(credential, pwd);
 
         final byte[] applicationId;
-        final long sid;
         int weaverSlot = loadWeaverSlot(handle, userId);
         if (weaverSlot != INVALID_WEAVER_SLOT) {
             // Weaver based user password
@@ -806,7 +804,6 @@ public AuthenticationResult unwrapPasswordBasedSyntheticPassword(IGateKeeperServ
             if (result.gkResponse.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {
                 return result;
             }
-            sid = GateKeeper.INVALID_SECURE_USER_ID;
             applicationId = transformUnderWeaverSecret(pwdToken, result.gkResponse.getPayload());
         } else {
             byte[] gkPwdToken = passwordTokenToGkInput(pwdToken);
@@ -839,13 +836,12 @@ public AuthenticationResult unwrapPasswordBasedSyntheticPassword(IGateKeeperServ
                 result.gkResponse = VerifyCredentialResponse.ERROR;
                 return result;
             }
-            sid = sidFromPasswordHandle(pwd.passwordHandle);
             applicationId = transformUnderSecdiscardable(pwdToken,
                     loadSecdiscardable(handle, userId));
         }
 
         result.authToken = unwrapSyntheticPasswordBlob(handle, SYNTHETIC_PASSWORD_PASSWORD_BASED,
-                applicationId, sid, userId);
+                applicationId, userId);
 
         // Perform verifyChallenge to refresh auth tokens for GK if user password exists.
         result.gkResponse = verifyChallenge(gatekeeper, result.authToken, 0L, userId);
@@ -881,7 +877,7 @@ public AuthenticationResult unwrapPasswordBasedSyntheticPassword(IGateKeeperServ
         }
         byte[] applicationId = transformUnderSecdiscardable(token, secdiscardable);
         result.authToken = unwrapSyntheticPasswordBlob(handle, SYNTHETIC_PASSWORD_TOKEN_BASED,
-                applicationId, 0L, userId);
+                applicationId, userId);
         if (result.authToken != null) {
             result.gkResponse = verifyChallenge(gatekeeper, result.authToken, 0L, userId);
             if (result.gkResponse == null) {
@@ -896,26 +892,19 @@ public AuthenticationResult unwrapPasswordBasedSyntheticPassword(IGateKeeperServ
     }
 
     private AuthenticationToken unwrapSyntheticPasswordBlob(long handle, byte type,
-            byte[] applicationId, long sid, int userId) {
+            byte[] applicationId, int userId) {
         byte[] blob = loadState(SP_BLOB_NAME, handle, userId);
         if (blob == null) {
             return null;
         }
-        final byte version = blob[0];
-        if (version != SYNTHETIC_PASSWORD_VERSION && version != SYNTHETIC_PASSWORD_VERSION_V1) {
+        if (blob[0] != SYNTHETIC_PASSWORD_VERSION) {
             throw new RuntimeException("Unknown blob version");
         }
         if (blob[1] != type) {
             throw new RuntimeException("Invalid blob type");
         }
-        final byte[] secret;
-        if (version == SYNTHETIC_PASSWORD_VERSION_V1) {
-            secret = SyntheticPasswordCrypto.decryptBlobV1(getHandleName(handle),
-                    Arrays.copyOfRange(blob, 2, blob.length), applicationId);
-        } else {
-            secret = decryptSPBlob(getHandleName(handle),
+        byte[] secret = decryptSPBlob(getHandleName(handle),
                 Arrays.copyOfRange(blob, 2, blob.length), applicationId);
-        }
         if (secret == null) {
             Log.e(TAG, "Fail to decrypt SP for user " + userId);
             return null;
@@ -930,10 +919,6 @@ private AuthenticationToken unwrapSyntheticPasswordBlob(long handle, byte type,
         } else {
             result.syntheticPassword = new String(secret);
         }
-        if (version == SYNTHETIC_PASSWORD_VERSION_V1) {
-            Log.i(TAG, "Upgrade v1 SP blob for user " + userId + ", type = " + type);
-            createSyntheticPasswordBlob(handle, type, result, applicationId, sid, userId);
-        }
         return result;
     }