From c78e369c4c27004e0a438f10d15e3709ec629619 Mon Sep 17 00:00:00 2001 From: Seth Moore Date: Wed, 1 Dec 2021 14:08:15 -0800 Subject: [PATCH] Fix incorrect SID matching for bio prompts The default value for canUnlockViaBiometrics, which determines if we are able to show a bio prompt, is true. However, if there are 0 biometric authenticator IDs, then it's impossible for the user to satisfy a bio prompt. In this case, we should set canUnlockViaBiometrics to false. The loop that is normally expected to invert canUnlockViaBiometrics was never run in the case of 0 bio authenticator ids, so we mistakenly let the crypto init operation succeed when we should have blocked it. Bug: 188864794 Test: Manual, using sample app that displays a biometric prompt. Change-Id: Ib95b0564aa098157718b8d4a45b11baa69dad71b --- .../security/keystore2/KeyStoreCryptoOperationUtils.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/keystore/java/android/security/keystore2/KeyStoreCryptoOperationUtils.java b/keystore/java/android/security/keystore2/KeyStoreCryptoOperationUtils.java index 850c55166edc..6fa1a694eb67 100644 --- a/keystore/java/android/security/keystore2/KeyStoreCryptoOperationUtils.java +++ b/keystore/java/android/security/keystore2/KeyStoreCryptoOperationUtils.java @@ -89,7 +89,7 @@ abstract class KeyStoreCryptoOperationUtils { // specific sensor (the one that hasn't changed), and 2) currently the only // signal to developers is the UserNotAuthenticatedException, which doesn't // indicate a specific sensor. - boolean canUnlockViaBiometrics = true; + boolean canUnlockViaBiometrics = biometricSids.length > 0; for (long sid : biometricSids) { if (!keySids.contains(sid)) { canUnlockViaBiometrics = false;