Android密码验证这条流程几乎没什么log,遇到无法解锁或者解锁慢的问题需要手动添加log

(1)frameworks层log

/frameworks/base/services/core/java/com/android/server/locksettings/LockSettingsService.java

private static final boolean DEBUG = false; //改为trueprivate VerifyCredentialResponse doVerifyCredential(String credential, int credentialType,1542 boolean hasChallenge, long challenge, int userId,1543 ICheckCredentialProgressCallback progressCallback) throws RemoteException {1544 if (TextUtils.isEmpty(credential)) {1545 throw new IllegalArgumentException("Credential can't be null or empty");1546 }1547 if (userId == USER_FRP && Settings.Global.getInt(mContext.getContentResolver(),1548 Settings.Global.DEVICE_PROVISIONED, 0) != 0) {1549 Slog.e(TAG, "FRP credential can only be verified prior to provisioning.");1550 return VerifyCredentialResponse.ERROR;1551 }1552 VerifyCredentialResponse response = null;+Slog.d(TAG, "debug_unlock call spBasedDoVerifyCredential begin");1553 response = spBasedDoVerifyCredential(credential, credentialType, hasChallenge, challenge,1554 userId, progressCallback);+Slog.d(TAG, "debug_unlock call spBasedDoVerifyCredential end, (response==null)="+(response==null)+" userId="+userId);1555 // The user employs synthetic password based credential.1556 if (response != null) {1557 return response;1558 }15591560 if (userId == USER_FRP) {1561 Slog.wtf(TAG, "Unexpected FRP credential type, should be SP based.");1562 return VerifyCredentialResponse.ERROR;1563 }15641565 final CredentialHash storedHash = mStorage.readCredentialHash(userId);1566 if (storedHash.type != credentialType) {1567 Slog.wtf(TAG, "doVerifyCredential type mismatch with stored credential??"1568 + " stored: " + storedHash.type + " passed in: " + credentialType);1569 return VerifyCredentialResponse.ERROR;1570 }15711572 boolean shouldReEnrollBaseZero = storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN1573 && storedHash.isBaseZeroPattern;15741575 String credentialToVerify;1576 if (shouldReEnrollBaseZero) {1577 credentialToVerify = LockPatternUtils.patternStringToBaseZero(credential);1578 } else {1579 credentialToVerify = credential;1580 }1581+Slog.d(TAG, "call verifyCredential begin");1582 response = verifyCredential(userId, storedHash, credentialToVerify,1583 hasChallenge, challenge, progressCallback);+Slog.d(TAG, "debug_unlock call verifyCredential end, response.getResponseCode()="+response.getResponseCode());15841585 if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {1586 mStrongAuth.reportSuccessfulStrongAuthUnlock(userId);1587 if (shouldReEnrollBaseZero) {1588 setLockCredentialInternal(credential, storedHash.type, credentialToVerify,1589 DevicePolicyManager.PASSWORD_QUALITY_SOMETHING, userId);1590 }1591 }15921593 return response;1594 }1638 private VerifyCredentialResponse verifyCredential(int userId, CredentialHash storedHash,1639 String credential, boolean hasChallenge, long challenge,1640 ICheckCredentialProgressCallback progressCallback) throws RemoteException {+Slog.d(TAG, "debug_unlock call verifyCredential enter");1641 if ((storedHash == null || storedHash.hash.length == 0) && TextUtils.isEmpty(credential)) {1642 // don't need to pass empty credentials to GateKeeper1643 return VerifyCredentialResponse.OK;1644 }16451646 if (storedHash == null || TextUtils.isEmpty(credential)) {1647 return VerifyCredentialResponse.ERROR;1648 }16491650 // We're potentially going to be doing a bunch of disk I/O below as part1651 // of unlocking the user, so yell if calling from the main thread.1652 StrictMode.noteDiskRead();16531654 if (storedHash.version == CredentialHash.VERSION_LEGACY) {1655 final byte[] hash;1656 if (storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN) {1657 hash = LockPatternUtils.patternToHash(LockPatternUtils.stringToPattern(credential));1658 } else {1659 hash = mLockPatternUtils.passwordToHash(credential, userId);1660 }1661 if (Arrays.equals(hash, storedHash.hash)) {1662 if (storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN) {1663 unlockKeystore(LockPatternUtils.patternStringToBaseZero(credential), userId);1664 } else {1665 unlockKeystore(credential, userId);1666 }1667 // Users with legacy credentials don't have credential-backed1668 // FBE keys, so just pass through a fake token/secret1669 Slog.i(TAG, "Unlocking user with fake token: " + userId);1670 final byte[] fakeToken = String.valueOf(userId).getBytes();1671 unlockUser(userId, fakeToken, fakeToken);16721673 // migrate credential to GateKeeper+Slog.d(TAG, "debug_unlock call setLockCredentialInternal begin");1674 setLockCredentialInternal(credential, storedHash.type, null,1675 storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN1676 ? DevicePolicyManager.PASSWORD_QUALITY_SOMETHING1677 : DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC1678 /* TODO(roosa): keep the same password quality */, userId);1679 if (!hasChallenge) {1680 notifyActivePasswordMetricsAvailable(credential, userId);1681 return VerifyCredentialResponse.OK;1682 }1683 // Fall through to get the auth token. Technically this should never happen,1684 // as a user that had a legacy credential would have to unlock their device1685 // before getting to a flow with a challenge, but supporting for consistency.1686 } else {1687 return VerifyCredentialResponse.ERROR;1688 }1689 }+Slog.d(TAG, "debug_unlock call gatekeeper.verifyChallenge begin");1690 GateKeeperResponse gateKeeperResponse = getGateKeeperService()1691 .verifyChallenge(userId, challenge, storedHash.hash, credential.getBytes());1692 VerifyCredentialResponse response = convertResponse(gateKeeperResponse);1693 boolean shouldReEnroll = gateKeeperResponse.getShouldReEnroll();1694+Slog.d(TAG, "debug_unlock call gatekeeper.verifyChallenge end, response.getResponseCode()="+response.getResponseCode()+" shouldReEnroll="+shouldReEnroll);1695 if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {16961697 // credential has matched16981699 if (progressCallback != null) {1700 progressCallback.onCredentialVerified();1701 }1702 notifyActivePasswordMetricsAvailable(credential, userId);1703 unlockKeystore(credential, userId);17041705 Slog.i(TAG, "Unlocking user " + userId + " with token length "1706 + response.getPayload().length);1707 unlockUser(userId, response.getPayload(), secretFromCredential(credential));17081709 if (isManagedProfileWithSeparatedLock(userId)) {1710 TrustManager trustManager =1711 (TrustManager) mContext.getSystemService(Context.TRUST_SERVICE);1712 trustManager.setDeviceLockedForUser(userId, false);1713 }1714 int reEnrollQuality = storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN1715 ? DevicePolicyManager.PASSWORD_QUALITY_SOMETHING1716 : DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC1717 /* TODO(roosa): keep the same password quality */;1718 if (shouldReEnroll) {+Slog.d(TAG, "debug_unlock should reenroll, call setLockCredentialInternal once more begin");1719 setLockCredentialInternal(credential, storedHash.type, credential,1720 reEnrollQuality, userId);1721 } else {1722 // Now that we've cleared of all required GK migration, let's do the final1723 // migration to synthetic password.1724 synchronized (mSpManager) {1725 if (shouldMigrateToSyntheticPasswordLocked(userId)) {1726 AuthenticationToken auth = initializeSyntheticPasswordLocked(1727 storedHash.hash, credential, storedHash.type, reEnrollQuality,1728 userId);1729 activateEscrowTokens(auth, userId);1730 }1731 }1732 }1733 } else if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_RETRY) {1734 if (response.getTimeout() > 0) {1735 requireStrongAuth(STRONG_AUTH_REQUIRED_AFTER_LOCKOUT, userId);1736 }1737 }1738+Slog.d(TAG, "debug_unlock verifyCredential start to return, response="+response);1739 return response;1740 }2085 private VerifyCredentialResponse spBasedDoVerifyCredential(String userCredential, int2086 credentialType, boolean hasChallenge, long challenge, int userId,2087 ICheckCredentialProgressCallback progressCallback) throws RemoteException {2088 if (DEBUG) Slog.d(TAG, "spBasedDoVerifyCredential: user=" + userId);2089 if (credentialType == LockPatternUtils.CREDENTIAL_TYPE_NONE) {2090 userCredential = null;2091 }20922093 final AuthenticationResult authResult;2094 VerifyCredentialResponse response;2095 synchronized (mSpManager) {2096 if (!isSyntheticPasswordBasedCredentialLocked(userId)) {2097 return null;2098 }2099 if (userId == USER_FRP) {+Slog.d(TAG, "debug_unlock call mSpManager.verifyFrpCredential()");2100 return mSpManager.verifyFrpCredential(getGateKeeperService(),2101 userCredential, credentialType, progressCallback);2102 }21032104 long handle = getSyntheticPasswordHandleLocked(userId);+Slog.d(TAG, "debug_unlock call mSpManager.unwrapPasswordBasedSyntheticPassword() begin");2105 authResult = mSpManager.unwrapPasswordBasedSyntheticPassword(2106 getGateKeeperService(), handle, userCredential, userId);21072108 if (authResult.credentialType != credentialType) {2109 Slog.e(TAG, "Credential type mismatch.");2110 return VerifyCredentialResponse.ERROR;2111 }2112 response = authResult.gkResponse;2113 // credential has matched+Slog.d(TAG, "debug_unlock call mSpManager.unwrapPasswordBasedSyntheticPassword() end, response.getResponseCode()="+response.getResponseCode());2114 if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {2115 // perform verifyChallenge with synthetic password which generates the real GK auth2116 // token and response for the current user+Slog.d(TAG, "debug_unlock call mSpManager.verifyChallenge() begin");2117 response = mSpManager.verifyChallenge(getGateKeeperService(), authResult.authToken,2118 challenge, userId);+Slog.d(TAG, "debug_unlock call mSpManager.verifyChallenge() end, response.getResponseCode()="+response.getResponseCode());2119 if (response.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {2120 // This shouldn't really happen: the unwrapping of SP succeeds, but SP doesn't2121 // match the recorded GK password handle.2122 Slog.wtf(TAG, "verifyChallenge with SP failed.");2123 return VerifyCredentialResponse.ERROR;2124 }2125 }2126 }21272128 if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {2129 if (progressCallback != null) {2130 progressCallback.onCredentialVerified();2131 }2132 notifyActivePasswordMetricsAvailable(userCredential, userId);2133 unlockKeystore(authResult.authToken.deriveKeyStorePassword(), userId);21342135 final byte[] secret = authResult.authToken.deriveDiskEncryptionKey();2136 Slog.i(TAG, "Unlocking user " + userId + " with secret only, length " + secret.length);2137 unlockUser(userId, null, secret);21382139 activateEscrowTokens(authResult.authToken, userId);21402141 if (isManagedProfileWithSeparatedLock(userId)) {2142 TrustManager trustManager =2143 (TrustManager) mContext.getSystemService(Context.TRUST_SERVICE);2144 trustManager.setDeviceLockedForUser(userId, false);2145 }2146 mStrongAuth.reportSuccessfulStrongAuthUnlock(userId);2147 } else if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_RETRY) {2148 if (response.getTimeout() > 0) {2149 requireStrongAuth(STRONG_AUTH_REQUIRED_AFTER_LOCKOUT, userId);2150 }2151 }21522153 return response;2154 }

/frameworks/base/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java

public VerifyCredentialResponse verifyFrpCredential(IGateKeeperService gatekeeper,627 String userCredential, int credentialType,628 ICheckCredentialProgressCallback progressCallback) throws RemoteException {629 PersistentData persistentData = mStorage.readPersistentDataBlock();+Slog.d(TAG, "debug_unlock persistentData.type="+persistentData.type);630 if (persistentData.type == PersistentData.TYPE_SP) {631 PasswordData pwd = PasswordData.fromBytes(persistentData.payload);632 byte[] pwdToken = computePasswordToken(userCredential, pwd);633634 GateKeeperResponse response = gatekeeper.verifyChallenge(fakeUid(persistentData.userId),635 0 /* challenge */, pwd.passwordHandle, passwordTokenToGkInput(pwdToken));636 return VerifyCredentialResponse.fromGateKeeperResponse(response);637 } else if (persistentData.type == PersistentData.TYPE_SP_WEAVER) {638 PasswordData pwd = PasswordData.fromBytes(persistentData.payload);639 byte[] pwdToken = computePasswordToken(userCredential, pwd);640 int weaverSlot = persistentData.userId;641642 return weaverVerify(weaverSlot, passwordTokenToWeaverKey(pwdToken)).stripPayload();643 } else {644 Log.e(TAG, "persistentData.type must be TYPE_SP or TYPE_SP_WEAVER, but is "645 + persistentData.type);646 return VerifyCredentialResponse.ERROR;647 }648 } 785 public AuthenticationResult unwrapPasswordBasedSyntheticPassword(IGateKeeperService gatekeeper,786 long handle, String credential, int userId) throws RemoteException {787 if (credential == null) {788 credential = DEFAULT_PASSWORD;789 }790 AuthenticationResult result = new AuthenticationResult();791 PasswordData pwd = PasswordData.fromBytes(loadState(PASSWORD_DATA_NAME, handle, userId));792 result.credentialType = pwd.passwordType;793 byte[] pwdToken = computePasswordToken(credential, pwd);794795 final byte[] applicationId;796 final long sid;797 int weaverSlot = loadWeaverSlot(handle, userId);+Slog.d(TAG, "debug_unlock weaverSlot="+weaverSlot);798 if (weaverSlot != INVALID_WEAVER_SLOT) {799 // Weaver based user password800 if (!isWeaverAvailable()) {801 Log.e(TAG, "No weaver service to unwrap password based SP");802 result.gkResponse = VerifyCredentialResponse.ERROR;803 return result;804 }805 result.gkResponse = weaverVerify(weaverSlot, passwordTokenToWeaverKey(pwdToken));806 if (result.gkResponse.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {807 return result;808 }809 sid = GateKeeper.INVALID_SECURE_USER_ID;810 applicationId = transformUnderWeaverSecret(pwdToken, result.gkResponse.getPayload());811 } else {812 byte[] gkPwdToken = passwordTokenToGkInput(pwdToken);+Slog.d(TAG, "debug_unlock call gatekeeper.verifyChallenge begin");813 GateKeeperResponse response = gatekeeper.verifyChallenge(fakeUid(userId), 0L,814 pwd.passwordHandle, gkPwdToken);815 int responseCode = response.getResponseCode();+Slog.d(TAG, "debug_unlock call gatekeeper.verifyChallenge end responseCode="+responseCode);816 if (responseCode == GateKeeperResponse.RESPONSE_OK) {817 result.gkResponse = VerifyCredentialResponse.OK;818 if (response.getShouldReEnroll()) {819 GateKeeperResponse reenrollResponse = gatekeeper.enroll(fakeUid(userId),820 pwd.passwordHandle, gkPwdToken, gkPwdToken);821 if (reenrollResponse.getResponseCode() == GateKeeperResponse.RESPONSE_OK) {822 pwd.passwordHandle = reenrollResponse.getPayload();823 saveState(PASSWORD_DATA_NAME, pwd.toBytes(), handle, userId);824 synchronizeFrpPassword(pwd,825 pwd.passwordType == LockPatternUtils.CREDENTIAL_TYPE_PATTERN826 ? DevicePolicyManager.PASSWORD_QUALITY_SOMETHING827 : DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC828 /* TODO(roosa): keep the same password quality */,829 userId);830 } else {831 Log.w(TAG, "Fail to re-enroll user password for user " + userId);832 // continue the flow anyway833 }834 }835 } else if (responseCode == GateKeeperResponse.RESPONSE_RETRY) {836 result.gkResponse = new VerifyCredentialResponse(response.getTimeout());837 return result;838 } else {839 result.gkResponse = VerifyCredentialResponse.ERROR;840 return result;841 }842 sid = sidFromPasswordHandle(pwd.passwordHandle);843 applicationId = transformUnderSecdiscardable(pwdToken,844 loadSecdiscardable(handle, userId));845 }846847 result.authToken = unwrapSyntheticPasswordBlob(handle, SYNTHETIC_PASSWORD_PASSWORD_BASED,848 applicationId, sid, userId);849850 // Perform verifyChallenge to refresh auth tokens for GK if user password exists.851 result.gkResponse = verifyChallenge(gatekeeper, result.authToken, 0L, userId);852 return result;853 }

(2)native层

/system/core/gatekeeperd/gatekeeperd.cpp

140 virtual int enroll(uint32_t uid,141 const uint8_t *current_password_handle, uint32_t current_password_handle_length,142 const uint8_t *current_password, uint32_t current_password_length,143 const uint8_t *desired_password, uint32_t desired_password_length,144 uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {145 IPCThreadState* ipc = IPCThreadState::self();146 const int calling_pid = ipc->getCallingPid();147 const int calling_uid = ipc->getCallingUid();+ALOGD("debug_unlock, gatekeeper enroll enter\n");148 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {149 return PERMISSION_DENIED;150 }151152 // Make sure to clear any state from before factory reset as soon as a credential is153 // enrolled (which may happen during device setup).154 clear_state_if_needed();155156 // need a desired password to enroll157 if (desired_password_length == 0) return -EINVAL;158159 int ret;160 if (hw_device != nullptr) {161 const gatekeeper::password_handle_t *handle =162 reinterpret_cast<const gatekeeper::password_handle_t *>(current_password_handle);163164 if (handle != NULL && handle->version != 0 && !handle->hardware_backed) {165 // handle is being re-enrolled from a software version. HAL probably won't accept166 // the handle as valid, so we nullify it and enroll from scratch167 current_password_handle = NULL;168 current_password_handle_length = 0;169 current_password = NULL;170 current_password_length = 0;171 }172173 android::hardware::hidl_vec<uint8_t> curPwdHandle;174 curPwdHandle.setToExternal(const_cast<uint8_t*>(current_password_handle),175 current_password_handle_length);176 android::hardware::hidl_vec<uint8_t> curPwd;177 curPwd.setToExternal(const_cast<uint8_t*>(current_password),178 current_password_length);179 android::hardware::hidl_vec<uint8_t> newPwd;180 newPwd.setToExternal(const_cast<uint8_t*>(desired_password),181 desired_password_length);182+ALOGI("debug_unlock hardware gatekeeper enroll begin.");183 Return<void> hwRes = hw_device->enroll(uid, curPwdHandle, curPwd, newPwd,184 [&ret, enrolled_password_handle, enrolled_password_handle_length]185 (const GatekeeperResponse &rsp) {+ALOGI("debug_unlock hardware gatekeeper enroll end. rsp.code=%d, rsp.timeout=%d", rsp.code, rsp.timeout);186 ret = static_cast<int>(rsp.code); // propagate errors187 if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {188 if (enrolled_password_handle != nullptr &&189 enrolled_password_handle_length != nullptr) {190 *enrolled_password_handle = new uint8_t[rsp.data.size()];191 *enrolled_password_handle_length = rsp.data.size();192 memcpy(*enrolled_password_handle, rsp.data.data(),193 *enrolled_password_handle_length);194 }195 ret = 0; // all success states are reported as 0196 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT && rsp.timeout > 0) {197 ret = rsp.timeout;198 }199 });200 if (!hwRes.isOk()) {201 ALOGE("enroll transaction failed\n");202 ret = -1;203 }204 } else {+ALOGI("debug_unlock software enroll begin.");205 ret = soft_device->enroll(uid,206 current_password_handle, current_password_handle_length,207 current_password, current_password_length,208 desired_password, desired_password_length,209 enrolled_password_handle, enrolled_password_handle_length);210 }+ALOGI("debug_unlock gatekeeper ret=%d\n", ret);211212 if (ret == GATEKEEPER_RESPONSE_OK && (*enrolled_password_handle == nullptr ||213 *enrolled_password_handle_length != sizeof(password_handle_t))) {214 ret = GATEKEEPER_RESPONSE_ERROR;215 ALOGE("HAL: password_handle=%p size_of_handle=%" PRIu32 "\n",216 *enrolled_password_handle, *enrolled_password_handle_length);217 }218219 if (ret == GATEKEEPER_RESPONSE_OK) {220 gatekeeper::password_handle_t *handle =221 reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle);222 store_sid(uid, handle->user_id);223 bool rr;224225 // immediately verify this password so we don't ask the user to enter it again226 // if they just created it.227 verify(uid, *enrolled_password_handle, sizeof(password_handle_t), desired_password,228 desired_password_length, &rr);229 }230231 return ret;232 }244 virtual int verifyChallenge(uint32_t uid, uint64_t challenge,245 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,246 const uint8_t *provided_password, uint32_t provided_password_length,247 uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {248 IPCThreadState* ipc = IPCThreadState::self();249 const int calling_pid = ipc->getCallingPid();250 const int calling_uid = ipc->getCallingUid();+ALOGD("debug_unlock, gatekeeper verifyChallenge enter\n");251 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {252 return PERMISSION_DENIED;253 }254255 // can't verify if we're missing either param256 if ((enrolled_password_handle_length | provided_password_length) == 0)257 return -EINVAL;258259 int ret;260 if (hw_device != nullptr) {261 const gatekeeper::password_handle_t *handle =262 reinterpret_cast<const gatekeeper::password_handle_t *>(enrolled_password_handle);263 // handle version 0 does not have hardware backed flag, and thus cannot be upgraded to264 // a HAL if there was none before265 if (handle->version == 0 || handle->hardware_backed) {266 android::hardware::hidl_vec<uint8_t> curPwdHandle;267 curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolled_password_handle),268 enrolled_password_handle_length);269 android::hardware::hidl_vec<uint8_t> enteredPwd;270 enteredPwd.setToExternal(const_cast<uint8_t*>(provided_password),271 provided_password_length);+ALOGD("debug_unlock, hardware gatekeeper verify begin\n");272 Return<void> hwRes = hw_device->verify(uid, challenge, curPwdHandle, enteredPwd,273 [&ret, request_reenroll, auth_token, auth_token_length]274 (const GatekeeperResponse &rsp) {275 ret = static_cast<int>(rsp.code); // propagate errors276 if (auth_token != nullptr && auth_token_length != nullptr &&277 rsp.code >= GatekeeperStatusCode::STATUS_OK) {278 *auth_token = new uint8_t[rsp.data.size()];279 *auth_token_length = rsp.data.size();280 memcpy(*auth_token, rsp.data.data(), *auth_token_length);281 if (request_reenroll != nullptr) {282 *request_reenroll = (rsp.code == GatekeeperStatusCode::STATUS_REENROLL);283 }284 ret = 0; // all success states are reported as 0285 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT &&286 rsp.timeout > 0) {287 ret = rsp.timeout;288 }289 });290 if (!hwRes.isOk()) {291 ALOGE("verify transaction failed\n");292 ret = -1;293 }294 } else {295 // upgrade scenario, a HAL has been added to this device where there was none before296 SoftGateKeeperDevice soft_dev;+ALOGD("debug_unlock, software verify begin\n");297 ret = soft_dev.verify(uid, challenge,298 enrolled_password_handle, enrolled_password_handle_length,299 provided_password, provided_password_length, auth_token, auth_token_length,300 request_reenroll);301302 if (ret == 0) {303 // success! re-enroll with HAL304 *request_reenroll = true;305 }306 }307 } else {+ALOGD("debug_unlock, software verify begin\n");308 ret = soft_device->verify(uid, challenge,309 enrolled_password_handle, enrolled_password_handle_length,310 provided_password, provided_password_length, auth_token, auth_token_length,311 request_reenroll);312 }313+ALOGD("debug_unlock, verifyChallenge ret=%d\n", ret);314 if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) {315 // TODO: cache service?316 sp<IServiceManager> sm = defaultServiceManager();317 sp<IBinder> binder = sm->getService(String16("android.security.keystore"));318 sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);319 if (service != NULL) {320 auto ret = service->addAuthToken(*auth_token, *auth_token_length);321 if (!ret.isOk()) {322 ALOGE("Failure sending auth token to KeyStore: %" PRId32, int32_t(ret));323 }324 } else {325 ALOGE("Unable to communicate with KeyStore");326 }327 }328329 if (ret == 0) {330 maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>(331 enrolled_password_handle)->user_id);332 }333+ALOGD("debug_unlock, verifyChallenge return ret=%d\n", ret);334 return ret;335 }

项目上在take MTK 提供的某个漏洞patch 导致在设置特定次数锁会出现一个问题“一个setting下清空锁屏密码后会无法进入锁屏密码设置的情况”
log输出:

03-13 13:35:22.602   473   473 I GateKeeperService: BnGateKeeperService::onTransact....code = :303-13 13:35:22.602   473   473 I gatekeeperd: verifyChallenge start.03-13 13:35:22.602   473   473 I gatekeeperd: hardware gatekeeper verify begin.03-13 13:35:22.602   473   473 I gatekeeperd: gatekeeper hw_device->verify before: �,6403-13 13:35:22.621   473   473 I gatekeeperd: gatekeeper static_cast<int>(rsp.code): 003-13 13:35:22.621   473   473 I gatekeeperd: gatekeeper verify end. ret: 003-13 13:35:22.640   792  1020 D LockSettingsService: setLockCredentialWithAuthTokenLocked: user=003-13 13:35:22.684   473   473 I GateKeeperService: BnGateKeeperService::onTransact....code = :503-13 13:35:22.685   473   473 I GateKeeperService: BnGateKeeperService::onTransact....code = :103-13 13:35:22.685   473   473 I gatekeeperd: enroll03-13 13:35:22.695   473   473 I gatekeeperd: hardware gatekeeper enroll begin.03-13 13:35:22.695   473   473 I gatekeeperd: enroll end. ret: 003-13 13:35:22.696   473   473 I gatekeeperd: internal verify begin.03-13 13:35:22.696   473   473 I gatekeeperd: verify.......03-13 13:35:22.696   473   473 I gatekeeperd: verifyChallenge start.03-13 13:35:22.696   473   473 I gatekeeperd: hardware gatekeeper verify begin.03-13 13:35:22.696   473   473 I gatekeeperd: gatekeeper hw_device->verify before: m,6403-13 13:35:22.707   473   473 I gatekeeperd: gatekeeper static_cast<int>(rsp.code): -103-13 13:35:22.707   473   473 I gatekeeperd: gatekeeper verify end. ret: -103-13 13:35:22.707   473   473 I gatekeeperd: internal verify end.03-13 13:35:22.779   473   473 I GateKeeperService: BnGateKeeperService::onTransact....code = :103-13 13:35:22.779   473   473 I gatekeeperd: enroll03-13 13:35:22.789   473   473 I gatekeeperd: hardware gatekeeper enroll begin.03-13 13:35:22.789   473   473 I gatekeeperd: enroll end. ret: 003-13 13:35:22.789   473   473 I gatekeeperd: internal verify begin.03-13 13:35:22.789   473   473 I gatekeeperd: verify.......03-13 13:35:22.789   473   473 I gatekeeperd: verifyChallenge start.03-13 13:35:22.789   473   473 I gatekeeperd: hardware gatekeeper verify begin.03-13 13:35:22.789   473   473 I gatekeeperd: gatekeeper hw_device->verify before: �,6403-13 13:35:22.800   473   473 I gatekeeperd: gatekeeper static_cast<int>(rsp.code): -103-13 13:35:22.800   473   473 I gatekeeperd: gatekeeper verify end. ret: -103-13 13:35:22.800   473   473 I gatekeeperd: internal verify end.03-13 13:35:22.804   473   473 I GateKeeperService: BnGateKeeperService::onTransact....code = :303-13 13:35:22.804   473   473 I gatekeeperd: verifyChallenge start.03-13 13:35:22.805   473   473 I gatekeeperd: hardware gatekeeper verify begin.03-13 13:35:22.805   473   473 I gatekeeperd: gatekeeper hw_device->verify before: �,6403-13 13:35:22.815   473   473 I gatekeeperd: gatekeeper static_cast<int>(rsp.code): -103-13 13:35:22.815   473   473 I gatekeeperd: gatekeeper verify end. ret: -103-13 13:35:22.815   792  1020 D LockSettingsService: setAuthlessUserKeyProtectiond: user=003-13 13:35:22.820   792  1020 D LockSettingsService: fixateNewestUserKeyAuth: user=003-13 13:35:22.969   792  1020 V LockSettingsService: Remove keystore profile key for user: 0

在tee中验证密码:
/hardware/interfaces/gatekeeper/1.0/default/Gatekeeper.cpp

85  Return<void> Gatekeeper::verify(uint32_t uid,86                                  uint64_t challenge,87                                  const hidl_vec<uint8_t>& enrolledPasswordHandle,88                                  const hidl_vec<uint8_t>& providedPassword,89                                  verify_cb cb)90  {91      GatekeeperResponse rsp;92      uint8_t *auth_token = nullptr;93      uint32_t auth_token_length = 0;94      bool request_reenroll = false;95  96      int ret = device->verify(device, uid, challenge,97              enrolledPasswordHandle.data(), enrolledPasswordHandle.size(),98              providedPassword.data(), providedPassword.size(),99              &auth_token, &auth_token_length,100              &request_reenroll);101      if (!ret) {102          rsp.data.setToExternal(auth_token, auth_token_length, true);103          if (request_reenroll) {104              rsp.code = GatekeeperStatusCode::STATUS_REENROLL;105          } else {106              rsp.code = GatekeeperStatusCode::STATUS_OK;107          }108      } else if (ret > 0) {109          rsp.timeout = ret;110          rsp.code = GatekeeperStatusCode::ERROR_RETRY_TIMEOUT;111      } else {112          rsp.code = GatekeeperStatusCode::ERROR_GENERAL_FAILURE;113      }114      cb(rsp);115      return Void();116  }

更多相关文章

  1. Android(安卓)屏幕设置
  2. [APP] Android(安卓)开发笔记 006-使用短信验证SDK进行短信验证
  3. scrollview 滚动条
  4. android实践项目一实现简单的验证码和spinner下拉选项效果
  5. Android(安卓)属性动画(Property Animation) 完全解析 (下)
  6. Android(安卓)设置EditText光标Curso颜色及粗细
  7. Android修改字体样式
  8. Android中的常用的对话框
  9. android EditText使用指南

随机推荐

  1. android事件分发机制一
  2. android webview file标签点击弹出选择文
  3. Android Studio 各个依赖包存放目录
  4. PHP 和 Android(安卓)MD5 加密出来结果是
  5. Mac 完全卸载 Android Studio
  6. android 按钮置灰效果
  7. android studio 配置Kotlin报错Error:Cau
  8. Android Studio常用插件
  9. TabHost
  10. Android Studio 使用技巧(6)