IGateKeeperService.aidl revision ca38add3ea7ac7e28bd915a52a861261a944f2bd 
1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.service.gatekeeper;
18
19/**
20 * Interface for communication with GateKeeper, the
21 * secure password storage daemon.
22 *
23 * This must be kept manually in sync with system/core/gatekeeperd
24 * until AIDL can generate both C++ and Java bindings.
25 *
26 * @hide
27 */
28interface IGateKeeperService {
29    /**
30     * Enrolls a password, returning the handle to the enrollment to be stored locally.
31     * @param uid The Android user ID associated to this enrollment
32     * @param currentPasswordHandle The previously enrolled handle, or null if none
33     * @param currentPassword The previously enrolled plaintext password, or null if none.
34     *                        If provided, must verify against the currentPasswordHandle.
35     * @param desiredPassword The new desired password, for which a handle will be returned
36     *                        upon success.
37     * @return the handle corresponding to desiredPassword, or null
38     */
39    byte[] enroll(int uid, in byte[] currentPasswordHandle, in byte[] currentPassword,
40            in byte[] desiredPassword);
41
42    /**
43     * Verifies an enrolled handle against a provided, plaintext blob.
44     * @param uid The Android user ID associated to this enrollment
45     * @param enrolledPasswordHandle The handle against which the provided password will be
46     *                               verified.
47     * @param The plaintext blob to verify against enrolledPassword.
48     * @return True if the authentication was successful
49     */
50    boolean verify(int uid, in byte[] enrolledPasswordHandle,
51            in byte[] providedPassword);
52    /**
53     * Verifies an enrolled handle against a provided, plaintext blob.
54     * @param uid The Android user ID associated to this enrollment
55     * @param challenge a challenge to authenticate agaisnt the device credential. If successful
56     *                  authentication occurs, this value will be written to the returned
57     *                  authentication attestation.
58     * @param enrolledPasswordHandle The handle against which the provided password will be
59     *                               verified.
60     * @param The plaintext blob to verify against enrolledPassword.
61     * @return an opaque attestation of authentication on success, or null.
62     */
63    byte[] verifyChallenge(int uid, long challenge, in byte[] enrolledPasswordHandle,
64            in byte[] providedPassword);
65
66    /**
67     * Retrieves the secure identifier for the user with the provided Android ID,
68     * or 0 if none is found.
69     * @param uid the Android user id
70     */
71    long getSecureUserId(int uid);
72}
73