/* * Copyright (C) 2015 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package android.service.gatekeeper; import android.service.gatekeeper.GateKeeperResponse; /** * Interface for communication with GateKeeper, the * secure password storage daemon. * * This must be kept manually in sync with system/core/gatekeeperd * until AIDL can generate both C++ and Java bindings. * * @hide */ @SensitiveData interface IGateKeeperService { /** * Enrolls a password, returning the handle to the enrollment to be stored locally. * @param userId The Android user ID associated to this enrollment * @param currentPasswordHandle The previously enrolled handle, or null if none * @param currentPassword The previously enrolled plaintext password, or null if none. * If provided, must verify against the currentPasswordHandle. * @param desiredPassword The new desired password, for which a handle will be returned * upon success. * @return an EnrollResponse or null on failure */ GateKeeperResponse enroll(int userId, in @nullable byte[] currentPasswordHandle, in @nullable byte[] currentPassword, in byte[] desiredPassword); /** * Verifies an enrolled handle against a provided, plaintext blob. * @param userId The Android user ID associated to this enrollment * @param enrolledPasswordHandle The handle against which the provided password will be * verified. * @param The plaintext blob to verify against enrolledPassword. * @return a VerifyResponse, or null on failure. */ GateKeeperResponse verify(int userId, in byte[] enrolledPasswordHandle, in byte[] providedPassword); /** * Verifies an enrolled handle against a provided, plaintext blob. * @param userId The Android user ID associated to this enrollment * @param challenge a challenge to authenticate agaisnt the device credential. If successful * authentication occurs, this value will be written to the returned * authentication attestation. * @param enrolledPasswordHandle The handle against which the provided password will be * verified. * @param The plaintext blob to verify against enrolledPassword. * @return a VerifyResponse with an attestation, or null on failure. */ GateKeeperResponse verifyChallenge(int userId, long challenge, in byte[] enrolledPasswordHandle, in byte[] providedPassword); /** * Retrieves the secure identifier for the user with the provided Android ID, * or 0 if none is found. * @param userId the Android user id */ long getSecureUserId(int userId); /** * Clears secure user id associated with the provided Android ID. * Must be called when password is set to NONE. * @param userId the Android user id. */ void clearSecureUserId(int userId); /** * Notifies gatekeeper that device setup has been completed and any potentially still existing * state from before a factory reset can be cleaned up (if it has not been already). */ void reportDeviceSetupComplete(); }