1 /* 2 * Copyright (C) 2018 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.hardware.biometrics; 18 19 import static android.Manifest.permission.TEST_BIOMETRIC; 20 import static android.Manifest.permission.USE_BIOMETRIC; 21 import static android.Manifest.permission.USE_BIOMETRIC_INTERNAL; 22 import static android.Manifest.permission.WRITE_DEVICE_CONFIG; 23 24 import static com.android.internal.util.FrameworkStatsLog.AUTH_DEPRECATED_APIUSED__DEPRECATED_API__API_BIOMETRIC_MANAGER_CAN_AUTHENTICATE; 25 26 import android.annotation.ElapsedRealtimeLong; 27 import android.annotation.FlaggedApi; 28 import android.annotation.IntDef; 29 import android.annotation.NonNull; 30 import android.annotation.Nullable; 31 import android.annotation.RequiresPermission; 32 import android.annotation.SystemApi; 33 import android.annotation.SystemService; 34 import android.annotation.TestApi; 35 import android.app.KeyguardManager; 36 import android.content.Context; 37 import android.os.IBinder; 38 import android.os.RemoteException; 39 import android.os.UserHandle; 40 import android.security.keystore.KeyProperties; 41 import android.util.Slog; 42 43 import com.android.internal.util.FrameworkStatsLog; 44 45 import java.lang.annotation.Retention; 46 import java.lang.annotation.RetentionPolicy; 47 import java.util.ArrayList; 48 import java.util.List; 49 50 /** 51 * A class that contains biometric utilities. For authentication, see {@link BiometricPrompt}. 52 */ 53 @SystemService(Context.BIOMETRIC_SERVICE) 54 public class BiometricManager { 55 56 private static final String TAG = "BiometricManager"; 57 58 /** 59 * No error detected. 60 */ 61 public static final int BIOMETRIC_SUCCESS = 62 BiometricConstants.BIOMETRIC_SUCCESS; 63 64 /** 65 * The hardware is unavailable. Try again later. 66 */ 67 public static final int BIOMETRIC_ERROR_HW_UNAVAILABLE = 68 BiometricConstants.BIOMETRIC_ERROR_HW_UNAVAILABLE; 69 70 /** 71 * The user does not have any biometrics enrolled. 72 */ 73 public static final int BIOMETRIC_ERROR_NONE_ENROLLED = 74 BiometricConstants.BIOMETRIC_ERROR_NO_BIOMETRICS; 75 76 /** 77 * There is no biometric hardware. 78 */ 79 public static final int BIOMETRIC_ERROR_NO_HARDWARE = 80 BiometricConstants.BIOMETRIC_ERROR_HW_NOT_PRESENT; 81 82 /** 83 * Lockout error. 84 * @hide 85 */ 86 public static final int BIOMETRIC_ERROR_LOCKOUT = 87 BiometricConstants.BIOMETRIC_ERROR_LOCKOUT; 88 89 /** 90 * Identity Check is currently not active. 91 * 92 * This device either doesn't have this feature enabled, or it's not considered in a 93 * high-risk environment that requires extra security measures for accessing sensitive data. 94 */ 95 @FlaggedApi(Flags.FLAG_IDENTITY_CHECK_API) 96 public static final int BIOMETRIC_ERROR_IDENTITY_CHECK_NOT_ACTIVE = 97 BiometricConstants.BIOMETRIC_ERROR_IDENTITY_CHECK_NOT_ACTIVE; 98 99 /** 100 * Biometrics is not allowed to verify the user in apps. 101 */ 102 @FlaggedApi(Flags.FLAG_IDENTITY_CHECK_API) 103 public static final int BIOMETRIC_ERROR_NOT_ENABLED_FOR_APPS = 104 BiometricConstants.BIOMETRIC_ERROR_NOT_ENABLED_FOR_APPS; 105 106 /** 107 * A security vulnerability has been discovered and the sensor is unavailable until a 108 * security update has addressed this issue. This error can be received if for example, 109 * authentication was requested with {@link Authenticators#BIOMETRIC_STRONG}, but the 110 * sensor's strength can currently only meet {@link Authenticators#BIOMETRIC_WEAK}. 111 */ 112 public static final int BIOMETRIC_ERROR_SECURITY_UPDATE_REQUIRED = 113 BiometricConstants.BIOMETRIC_ERROR_SECURITY_UPDATE_REQUIRED; 114 115 /** 116 * Returned from {@link BiometricManager#getLastAuthenticationTime(int)} when no matching 117 * successful authentication has been performed since boot. 118 */ 119 public static final long BIOMETRIC_NO_AUTHENTICATION = 120 BiometricConstants.BIOMETRIC_NO_AUTHENTICATION; 121 122 private static final int GET_LAST_AUTH_TIME_ALLOWED_AUTHENTICATORS = 123 Authenticators.DEVICE_CREDENTIAL | Authenticators.BIOMETRIC_STRONG; 124 125 /** 126 * Enroll reason extra that can be used by settings to understand where this request came 127 * from. 128 * @hide 129 */ 130 public static final String EXTRA_ENROLL_REASON = "enroll_reason"; 131 132 /** 133 * @hide 134 */ 135 @IntDef({BIOMETRIC_SUCCESS, 136 BIOMETRIC_ERROR_HW_UNAVAILABLE, 137 BIOMETRIC_ERROR_NONE_ENROLLED, 138 BIOMETRIC_ERROR_NO_HARDWARE, 139 BIOMETRIC_ERROR_SECURITY_UPDATE_REQUIRED, 140 BIOMETRIC_ERROR_LOCKOUT, 141 BIOMETRIC_ERROR_IDENTITY_CHECK_NOT_ACTIVE}) 142 @Retention(RetentionPolicy.SOURCE) 143 public @interface BiometricError {} 144 145 /** 146 * Types of authenticators, defined at a level of granularity supported by 147 * {@link BiometricManager} and {@link BiometricPrompt}. 148 * 149 * <p>Types may combined via bitwise OR into a single integer representing multiple 150 * authenticators (e.g. <code>DEVICE_CREDENTIAL | BIOMETRIC_WEAK</code>). 151 * 152 * @see #canAuthenticate(int) 153 * @see BiometricPrompt.Builder#setAllowedAuthenticators(int) 154 */ 155 public interface Authenticators { 156 /** 157 * An {@link IntDef} representing valid combinations of authenticator types. 158 * @hide 159 */ 160 @IntDef(flag = true, value = { 161 BIOMETRIC_STRONG, 162 BIOMETRIC_WEAK, 163 BIOMETRIC_CONVENIENCE, 164 DEVICE_CREDENTIAL, 165 IDENTITY_CHECK, 166 }) 167 @Retention(RetentionPolicy.SOURCE) 168 @interface Types {} 169 170 /** 171 * Empty set with no authenticators specified. 172 * 173 * <p>This constant is intended for use by {@link android.provider.DeviceConfig} to adjust 174 * the reported strength of a biometric sensor. It is not a valid parameter for any of the 175 * public {@link android.hardware.biometrics} APIs. 176 * 177 * @hide 178 */ 179 @SystemApi 180 @RequiresPermission(WRITE_DEVICE_CONFIG) 181 int EMPTY_SET = 0x0000; 182 183 /** 184 * Placeholder for the theoretical strongest biometric security tier. 185 * @hide 186 */ 187 int BIOMETRIC_MAX_STRENGTH = 0x0001; 188 189 /** 190 * Any biometric (e.g. fingerprint, iris, or face) on the device that meets or exceeds the 191 * requirements for <strong>Class 3</strong> (formerly <strong>Strong</strong>), as defined 192 * by the Android CDD. 193 * 194 * <p>This corresponds to {@link KeyProperties#AUTH_BIOMETRIC_STRONG} during key generation. 195 * 196 * @see android.security.keystore.KeyGenParameterSpec.Builder 197 */ 198 int BIOMETRIC_STRONG = 0x000F; 199 200 /** 201 * Any biometric (e.g. fingerprint, iris, or face) on the device that meets or exceeds the 202 * requirements for <strong>Class 2</strong> (formerly <strong>Weak</strong>), as defined by 203 * the Android CDD. 204 * 205 * <p>Note that this is a superset of {@link #BIOMETRIC_STRONG} and is defined such that 206 * {@code BIOMETRIC_STRONG | BIOMETRIC_WEAK == BIOMETRIC_WEAK}. 207 */ 208 int BIOMETRIC_WEAK = 0x00FF; 209 210 /** 211 * Any biometric (e.g. fingerprint, iris, or face) on the device that meets or exceeds the 212 * requirements for <strong>Class 1</strong> (formerly <strong>Convenience</strong>), as 213 * defined by the Android CDD. 214 * 215 * <p>This constant is intended for use by {@link android.provider.DeviceConfig} to adjust 216 * the reported strength of a biometric sensor. It is not a valid parameter for any of the 217 * public {@link android.hardware.biometrics} APIs. 218 * 219 * @hide 220 */ 221 @SystemApi 222 @RequiresPermission(WRITE_DEVICE_CONFIG) 223 int BIOMETRIC_CONVENIENCE = 0x0FFF; 224 225 /** 226 * Placeholder for the theoretical weakest biometric security tier. 227 * @hide 228 */ 229 int BIOMETRIC_MIN_STRENGTH = 0x7FFF; 230 231 /** 232 * The non-biometric credential used to secure the device (i.e., PIN, pattern, or password). 233 * This should typically only be used in combination with a biometric auth type, such as 234 * {@link #BIOMETRIC_WEAK}. 235 * 236 * <p>This corresponds to {@link KeyProperties#AUTH_DEVICE_CREDENTIAL} during key 237 * generation. 238 * 239 * @see android.security.keystore.KeyGenParameterSpec.Builder 240 */ 241 int DEVICE_CREDENTIAL = 1 << 15; 242 243 /** 244 * The bit is used to request for Identity Check. 245 * 246 * Identity Check is a feature which requires class 3 biometric authentication to access 247 * sensitive surfaces when the device is outside trusted places. 248 * 249 * <p> The requirements to trigger Identity Check are as follows: 250 * 1. User must have enabled the toggle for Identity Check in settings 251 * 2. User must have enrollments for at least one {@link #BIOMETRIC_STRONG} sensor 252 * 3. The device is determined to be in a high risk environment, for example if it is 253 * outside of the user's trusted locations or fails to meet similar conditions. 254 * 4. The Identity Check requirements bit must be true 255 * </p> 256 * 257 * <p> If all the above conditions are satisfied, only {@link #BIOMETRIC_STRONG} sensors 258 * will be eligible for authentication, and device credential fallback will be dropped. 259 */ 260 @FlaggedApi(Flags.FLAG_IDENTITY_CHECK_API) 261 int IDENTITY_CHECK = 1 << 16; 262 } 263 264 /** 265 * @hide 266 * returns a string representation of an authenticator type. 267 */ authenticatorToStr(@uthenticators.Types int authenticatorType)268 @NonNull public static String authenticatorToStr(@Authenticators.Types int authenticatorType) { 269 switch(authenticatorType) { 270 case Authenticators.BIOMETRIC_STRONG: 271 return "BIOMETRIC_STRONG"; 272 case Authenticators.BIOMETRIC_WEAK: 273 return "BIOMETRIC_WEAK"; 274 case Authenticators.BIOMETRIC_CONVENIENCE: 275 return "BIOMETRIC_CONVENIENCE"; 276 case Authenticators.DEVICE_CREDENTIAL: 277 return "DEVICE_CREDENTIAL"; 278 default: 279 return "Unknown authenticator type: " + authenticatorType; 280 } 281 } 282 283 /** 284 * Provides localized strings for an application that uses {@link BiometricPrompt} to 285 * authenticate the user. 286 */ 287 public static class Strings { 288 @NonNull private final Context mContext; 289 @NonNull private final IAuthService mService; 290 @Authenticators.Types int mAuthenticators; 291 Strings(@onNull Context context, @NonNull IAuthService service, @Authenticators.Types int authenticators)292 private Strings(@NonNull Context context, @NonNull IAuthService service, 293 @Authenticators.Types int authenticators) { 294 mContext = context; 295 mService = service; 296 mAuthenticators = authenticators; 297 } 298 299 /** 300 * Provides a localized string that can be used as the label for a button that invokes 301 * {@link BiometricPrompt}. 302 * 303 * <p>When possible, this method should use the given authenticator requirements to more 304 * precisely specify the authentication type that will be used. For example, if 305 * <strong>Class 3</strong> biometric authentication is requested on a device with a 306 * <strong>Class 3</strong> fingerprint sensor and a <strong>Class 2</strong> face sensor, 307 * the returned string should indicate that fingerprint authentication will be used. 308 * 309 * <p>This method should also try to specify which authentication method(s) will be used in 310 * practice when multiple authenticators meet the given requirements. For example, if 311 * biometric authentication is requested on a device with both face and fingerprint sensors 312 * but the user has selected face as their preferred method, the returned string should 313 * indicate that face authentication will be used. 314 * 315 * <p>This method may return {@code null} if none of the requested authenticator types are 316 * available, but this should <em>not</em> be relied upon for checking the status of 317 * authenticators. Instead, use {@link #canAuthenticate(int)}. 318 * 319 * @return The label for a button that invokes {@link BiometricPrompt} for authentication. 320 */ 321 @RequiresPermission(USE_BIOMETRIC) 322 @Nullable getButtonLabel()323 public CharSequence getButtonLabel() { 324 final int userId = mContext.getUserId(); 325 final String opPackageName = mContext.getOpPackageName(); 326 try { 327 return mService.getButtonLabel(userId, opPackageName, mAuthenticators); 328 } catch (RemoteException e) { 329 throw e.rethrowFromSystemServer(); 330 } 331 } 332 333 /** 334 * Provides a localized string that can be shown while the user is authenticating with 335 * {@link BiometricPrompt}. 336 * 337 * <p>When possible, this method should use the given authenticator requirements to more 338 * precisely specify the authentication type that will be used. For example, if 339 * <strong>Class 3</strong> biometric authentication is requested on a device with a 340 * <strong>Class 3</strong> fingerprint sensor and a <strong>Class 2</strong> face sensor, 341 * the returned string should indicate that fingerprint authentication will be used. 342 * 343 * <p>This method should also try to specify which authentication method(s) will be used in 344 * practice when multiple authenticators meet the given requirements. For example, if 345 * biometric authentication is requested on a device with both face and fingerprint sensors 346 * but the user has selected face as their preferred method, the returned string should 347 * indicate that face authentication will be used. 348 * 349 * <p>This method may return {@code null} if none of the requested authenticator types are 350 * available, but this should <em>not</em> be relied upon for checking the status of 351 * authenticators. Instead, use {@link #canAuthenticate(int)}. 352 * 353 * @return The label for a button that invokes {@link BiometricPrompt} for authentication. 354 */ 355 @RequiresPermission(USE_BIOMETRIC) 356 @Nullable getPromptMessage()357 public CharSequence getPromptMessage() { 358 final int userId = mContext.getUserId(); 359 final String opPackageName = mContext.getOpPackageName(); 360 try { 361 return mService.getPromptMessage(userId, opPackageName, mAuthenticators); 362 } catch (RemoteException e) { 363 throw e.rethrowFromSystemServer(); 364 } 365 } 366 367 /** 368 * Provides a localized string that can be shown as the title for an app setting that 369 * enables authentication with {@link BiometricPrompt}. 370 * 371 * <p>When possible, this method should use the given authenticator requirements to more 372 * precisely specify the authentication type that will be used. For example, if 373 * <strong>Class 3</strong> biometric authentication is requested on a device with a 374 * <strong>Class 3</strong> fingerprint sensor and a <strong>Class 2</strong> face sensor, 375 * the returned string should indicate that fingerprint authentication will be used. 376 * 377 * <p>This method should <em>not</em> try to specify which authentication method(s) will be 378 * used in practice when multiple authenticators meet the given requirements. For example, 379 * if biometric authentication is requested on a device with both face and fingerprint 380 * sensors, the returned string should indicate that either face or fingerprint 381 * authentication may be used, regardless of whether the user has enrolled or selected 382 * either as their preferred method. 383 * 384 * <p>This method may return {@code null} if none of the requested authenticator types are 385 * supported by the system, but this should <em>not</em> be relied upon for checking the 386 * status of authenticators. Instead, use {@link #canAuthenticate(int)} or 387 * {@link android.content.pm.PackageManager#hasSystemFeature(String)}. 388 * 389 * @return The label for a button that invokes {@link BiometricPrompt} for authentication. 390 */ 391 @RequiresPermission(USE_BIOMETRIC) 392 @Nullable getSettingName()393 public CharSequence getSettingName() { 394 final int userId = mContext.getUserId(); 395 final String opPackageName = mContext.getOpPackageName(); 396 try { 397 return mService.getSettingName(userId, opPackageName, mAuthenticators); 398 } catch (RemoteException e) { 399 throw e.rethrowFromSystemServer(); 400 } 401 } 402 } 403 404 @NonNull private final Context mContext; 405 @NonNull private final IAuthService mService; 406 407 /** 408 * @hide 409 * @param context 410 * @param service 411 */ BiometricManager(@onNull Context context, @NonNull IAuthService service)412 public BiometricManager(@NonNull Context context, @NonNull IAuthService service) { 413 mContext = context; 414 mService = service; 415 } 416 417 /** 418 * @return A list of {@link SensorProperties} 419 * @hide 420 */ 421 @TestApi 422 @NonNull 423 @RequiresPermission(TEST_BIOMETRIC) getSensorProperties()424 public List<SensorProperties> getSensorProperties() { 425 try { 426 final List<SensorPropertiesInternal> internalProperties = 427 mService.getSensorProperties(mContext.getOpPackageName()); 428 final List<SensorProperties> properties = new ArrayList<>(); 429 for (SensorPropertiesInternal internalProp : internalProperties) { 430 properties.add(SensorProperties.from(internalProp)); 431 } 432 return properties; 433 } catch (RemoteException e) { 434 throw e.rethrowFromSystemServer(); 435 } 436 } 437 438 /** 439 * Retrieves a test session for BiometricManager/BiometricPrompt. 440 * @hide 441 */ 442 @TestApi 443 @NonNull 444 @RequiresPermission(TEST_BIOMETRIC) createTestSession(int sensorId)445 public BiometricTestSession createTestSession(int sensorId) { 446 try { 447 return new BiometricTestSession(mContext, getSensorProperties(), sensorId, 448 (context, sensorId1, callback) -> mService 449 .createTestSession(sensorId1, callback, context.getOpPackageName())); 450 } catch (RemoteException e) { 451 throw e.rethrowFromSystemServer(); 452 } 453 } 454 455 /** 456 * Retrieves the package where BiometricPrompt's UI is implemented. 457 * @hide 458 */ 459 @TestApi 460 @NonNull 461 @RequiresPermission(TEST_BIOMETRIC) getUiPackage()462 public String getUiPackage() { 463 try { 464 return mService.getUiPackage(); 465 } catch (RemoteException e) { 466 throw e.rethrowFromSystemServer(); 467 } 468 } 469 470 /** 471 * Determine if biometrics can be used. In other words, determine if 472 * {@link BiometricPrompt} can be expected to be shown (hardware available, templates enrolled, 473 * user-enabled). This is the equivalent of {@link #canAuthenticate(int)} with 474 * {@link Authenticators#BIOMETRIC_WEAK} 475 * 476 * @return {@link #BIOMETRIC_ERROR_NONE_ENROLLED} if the user does not have any strong 477 * biometrics enrolled, or {@link #BIOMETRIC_ERROR_HW_UNAVAILABLE} if none are currently 478 * supported/enabled. Returns {@link #BIOMETRIC_SUCCESS} if a strong biometric can currently 479 * be used (enrolled and available). 480 * 481 * @deprecated See {@link #canAuthenticate(int)}. 482 */ 483 @Deprecated 484 @RequiresPermission(USE_BIOMETRIC) 485 @BiometricError canAuthenticate()486 public int canAuthenticate() { 487 @BiometricError final int result = canAuthenticate(mContext.getUserId(), 488 Authenticators.BIOMETRIC_WEAK); 489 490 FrameworkStatsLog.write(FrameworkStatsLog.AUTH_MANAGER_CAN_AUTHENTICATE_INVOKED, 491 false /* isAllowedAuthenticatorsSet */, Authenticators.EMPTY_SET, result); 492 FrameworkStatsLog.write(FrameworkStatsLog.AUTH_DEPRECATED_API_USED, 493 AUTH_DEPRECATED_APIUSED__DEPRECATED_API__API_BIOMETRIC_MANAGER_CAN_AUTHENTICATE, 494 mContext.getApplicationInfo().uid, 495 mContext.getApplicationInfo().targetSdkVersion); 496 497 return result; 498 } 499 500 /** 501 * Determine if any of the provided authenticators can be used. In other words, determine if 502 * {@link BiometricPrompt} can be expected to be shown (hardware available, templates enrolled, 503 * user-enabled). 504 * 505 * For biometric authenticators, determine if the device can currently authenticate with at 506 * least the requested strength. For example, invoking this API with 507 * {@link Authenticators#BIOMETRIC_WEAK} on a device that currently only has 508 * {@link Authenticators#BIOMETRIC_STRONG} enrolled will return {@link #BIOMETRIC_SUCCESS}. 509 * 510 * Invoking this API with {@link Authenticators#DEVICE_CREDENTIAL} can be used to determine 511 * if the user has a PIN/Pattern/Password set up. 512 * 513 * @param authenticators bit field consisting of constants defined in {@link Authenticators}. 514 * If multiple authenticators are queried, a logical OR will be applied. 515 * For example, if {@link Authenticators#DEVICE_CREDENTIAL} | 516 * {@link Authenticators#BIOMETRIC_STRONG} is queried and only 517 * {@link Authenticators#DEVICE_CREDENTIAL} is set up, this API will 518 * return {@link #BIOMETRIC_SUCCESS} 519 * 520 * @return {@link #BIOMETRIC_ERROR_NONE_ENROLLED} if the user does not have any of the 521 * requested authenticators enrolled, or {@link #BIOMETRIC_ERROR_HW_UNAVAILABLE} if none are 522 * currently supported/enabled. Returns {@link #BIOMETRIC_SUCCESS} if one of the requested 523 * authenticators can currently be used (enrolled and available). 524 */ 525 @RequiresPermission(USE_BIOMETRIC) 526 @BiometricError canAuthenticate(@uthenticators.Types int authenticators)527 public int canAuthenticate(@Authenticators.Types int authenticators) { 528 @BiometricError final int result = canAuthenticate(mContext.getUserId(), authenticators); 529 530 FrameworkStatsLog.write(FrameworkStatsLog.AUTH_MANAGER_CAN_AUTHENTICATE_INVOKED, 531 true /* isAllowedAuthenticatorsSet */, authenticators, result); 532 533 return result; 534 } 535 536 /** 537 * @hide 538 */ 539 @RequiresPermission(USE_BIOMETRIC_INTERNAL) 540 @BiometricError canAuthenticate(int userId, @Authenticators.Types int authenticators)541 public int canAuthenticate(int userId, @Authenticators.Types int authenticators) { 542 if (mService != null) { 543 try { 544 final String opPackageName = mContext.getOpPackageName(); 545 return mService.canAuthenticate(opPackageName, userId, authenticators); 546 } catch (RemoteException e) { 547 throw e.rethrowFromSystemServer(); 548 } 549 } else { 550 Slog.w(TAG, "canAuthenticate(): Service not connected"); 551 return BIOMETRIC_ERROR_HW_UNAVAILABLE; 552 } 553 } 554 555 /** 556 * Produces an instance of the {@link Strings} class, which provides localized strings for an 557 * application, given a set of allowed authenticator types. 558 * 559 * @param authenticators A bit field representing the types of {@link Authenticators} that may 560 * be used for authentication. 561 * @return A {@link Strings} collection for the given allowed authenticator types. 562 */ 563 @RequiresPermission(USE_BIOMETRIC) 564 @NonNull getStrings(@uthenticators.Types int authenticators)565 public Strings getStrings(@Authenticators.Types int authenticators) { 566 return new Strings(mContext, mService, authenticators); 567 } 568 569 /** 570 * @hide 571 * @param userId 572 * @return 573 */ 574 @RequiresPermission(USE_BIOMETRIC_INTERNAL) hasEnrolledBiometrics(int userId)575 public boolean hasEnrolledBiometrics(int userId) { 576 if (mService != null) { 577 try { 578 return mService.hasEnrolledBiometrics(userId, mContext.getOpPackageName()); 579 } catch (RemoteException e) { 580 Slog.w(TAG, "Remote exception in hasEnrolledBiometrics(): " + e); 581 return false; 582 } 583 } else { 584 return false; 585 } 586 } 587 588 /** 589 * Listens for changes to biometric eligibility on keyguard from user settings. 590 * @param callback 591 * @hide 592 */ 593 @RequiresPermission(USE_BIOMETRIC_INTERNAL) registerEnabledOnKeyguardCallback(IBiometricEnabledOnKeyguardCallback callback)594 public void registerEnabledOnKeyguardCallback(IBiometricEnabledOnKeyguardCallback callback) { 595 if (mService != null) { 596 try { 597 mService.registerEnabledOnKeyguardCallback(callback); 598 } catch (RemoteException e) { 599 throw e.rethrowFromSystemServer(); 600 } 601 } else { 602 Slog.w(TAG, "registerEnabledOnKeyguardCallback(): Service not connected"); 603 } 604 } 605 606 /** 607 * Registers listener for changes to biometric authentication state. 608 * Only sends callbacks for events that occur after the callback has been registered. 609 * @param listener Listener for changes to biometric authentication state 610 * @hide 611 */ 612 @RequiresPermission(USE_BIOMETRIC_INTERNAL) registerAuthenticationStateListener(AuthenticationStateListener listener)613 public void registerAuthenticationStateListener(AuthenticationStateListener listener) { 614 if (mService != null) { 615 try { 616 mService.registerAuthenticationStateListener(listener); 617 } catch (RemoteException e) { 618 throw e.rethrowFromSystemServer(); 619 } 620 } else { 621 Slog.w(TAG, "registerAuthenticationStateListener(): Service not connected"); 622 } 623 } 624 625 /** 626 * Unregisters listener for changes to biometric authentication state. 627 * @param listener Listener for changes to biometric authentication state 628 * @hide 629 */ 630 @RequiresPermission(USE_BIOMETRIC_INTERNAL) unregisterAuthenticationStateListener(AuthenticationStateListener listener)631 public void unregisterAuthenticationStateListener(AuthenticationStateListener listener) { 632 if (mService != null) { 633 try { 634 mService.unregisterAuthenticationStateListener(listener); 635 } catch (RemoteException e) { 636 throw e.rethrowFromSystemServer(); 637 } 638 } else { 639 Slog.w(TAG, "unregisterAuthenticationStateListener(): Service not connected"); 640 } 641 } 642 643 644 /** 645 * Requests all {@link Authenticators.Types#BIOMETRIC_STRONG} sensors to have their 646 * authenticatorId invalidated for the specified user. This happens when enrollments have been 647 * added on devices with multiple biometric sensors. 648 * 649 * @param userId userId that the authenticatorId should be invalidated for 650 * @param fromSensorId sensor that triggered the invalidation request 651 * @hide 652 */ 653 @RequiresPermission(USE_BIOMETRIC_INTERNAL) invalidateAuthenticatorIds(int userId, int fromSensorId, @NonNull IInvalidationCallback callback)654 public void invalidateAuthenticatorIds(int userId, int fromSensorId, 655 @NonNull IInvalidationCallback callback) { 656 if (mService != null) { 657 try { 658 mService.invalidateAuthenticatorIds(userId, fromSensorId, callback); 659 } catch (RemoteException e) { 660 throw e.rethrowFromSystemServer(); 661 } 662 } 663 } 664 665 /** 666 * Get a list of AuthenticatorIDs for biometric authenticators which have 1) enrolled templates, 667 * and 2) meet the requirements for integrating with Keystore. The AuthenticatorIDs are known 668 * in Keystore land as SIDs, and are used during key generation. 669 * @hide 670 */ getAuthenticatorIds()671 public long[] getAuthenticatorIds() { 672 return getAuthenticatorIds(UserHandle.myUserId()); 673 } 674 675 /** 676 * Get a list of AuthenticatorIDs for biometric authenticators which have 1) enrolled templates, 677 * and 2) meet the requirements for integrating with Keystore. The AuthenticatorIDs are known 678 * in Keystore land as SIDs, and are used during key generation. 679 * 680 * @param userId Android user ID for user to look up. 681 * 682 * @hide 683 */ getAuthenticatorIds(int userId)684 public long[] getAuthenticatorIds(int userId) { 685 if (mService != null) { 686 try { 687 return mService.getAuthenticatorIds(userId); 688 } catch (RemoteException e) { 689 throw e.rethrowFromSystemServer(); 690 } 691 } else { 692 Slog.w(TAG, "getAuthenticatorIds(): Service not connected"); 693 return new long[0]; 694 } 695 } 696 697 /** 698 * Requests all other biometric sensors to resetLockout. Note that this is a "time bound" 699 * See the {@link android.hardware.biometrics.fingerprint.ISession#resetLockout(int, 700 * HardwareAuthToken)} and {@link android.hardware.biometrics.face.ISession#resetLockout(int, 701 * HardwareAuthToken)} documentation for complete details. 702 * 703 * @param token A binder from the caller, for the service to linkToDeath 704 * @param opPackageName Caller's package name 705 * @param fromSensorId The originating sensor that just authenticated. Note that this MUST 706 * be a sensor that meets {@link Authenticators#BIOMETRIC_STRONG} strength. 707 * The strength will also be enforced on the BiometricService side. 708 * @param userId The user that authentication succeeded for, and also the user that resetLockout 709 * should be applied to. 710 * @param hardwareAuthToken A valid HAT generated upon successful biometric authentication. Note 711 * that it is not necessary for the HAT to contain a challenge. 712 * @hide 713 */ 714 @RequiresPermission(USE_BIOMETRIC_INTERNAL) resetLockoutTimeBound(IBinder token, String opPackageName, int fromSensorId, int userId, byte[] hardwareAuthToken)715 public void resetLockoutTimeBound(IBinder token, String opPackageName, int fromSensorId, 716 int userId, byte[] hardwareAuthToken) { 717 if (mService != null) { 718 try { 719 mService.resetLockoutTimeBound(token, opPackageName, fromSensorId, userId, 720 hardwareAuthToken); 721 } catch (RemoteException e) { 722 throw e.rethrowFromSystemServer(); 723 } 724 } 725 } 726 727 /** 728 * Notifies AuthService that keyguard has been dismissed for the given userId. 729 * 730 * @param userId 731 * @param hardwareAuthToken 732 * @hide 733 */ 734 @RequiresPermission(USE_BIOMETRIC_INTERNAL) resetLockout(int userId, byte[] hardwareAuthToken)735 public void resetLockout(int userId, byte[] hardwareAuthToken) { 736 if (mService != null) { 737 try { 738 mService.resetLockout(userId, hardwareAuthToken); 739 } catch (RemoteException e) { 740 throw e.rethrowFromSystemServer(); 741 } 742 } 743 744 } 745 746 /** 747 * Gets the last time the user successfully authenticated using one of the given authenticators. 748 * The returned value is time in 749 * {@link android.os.SystemClock#elapsedRealtime SystemClock.elapsedRealtime()} (time since 750 * boot, including sleep). 751 * <p> 752 * {@link BiometricManager#BIOMETRIC_NO_AUTHENTICATION} is returned in the case where there 753 * has been no successful authentication using any of the given authenticators since boot. 754 * <p> 755 * Currently, only {@link Authenticators#DEVICE_CREDENTIAL} and 756 * {@link Authenticators#BIOMETRIC_STRONG} are accepted. {@link IllegalArgumentException} will 757 * be thrown if {@code authenticators} contains other authenticator types. 758 * <p> 759 * Note that this may return successful authentication times even if the device is currently 760 * locked. You may use {@link KeyguardManager#isDeviceLocked()} to determine if the device 761 * is unlocked or not. Additionally, this method may return valid times for an authentication 762 * method that is no longer available. For instance, if the user unlocked the device with a 763 * {@link Authenticators#BIOMETRIC_STRONG} authenticator but then deleted that authenticator 764 * (e.g., fingerprint data), this method will still return the time of that unlock for 765 * {@link Authenticators#BIOMETRIC_STRONG} if it is the most recent successful event. The caveat 766 * is that {@link BiometricManager#BIOMETRIC_NO_AUTHENTICATION} will be returned if the device 767 * no longer has a secure lock screen at all, even if there were successful authentications 768 * performed before the lock screen was made insecure. 769 * 770 * @param authenticators bit field consisting of constants defined in {@link Authenticators}. 771 * @return the time of last authentication or 772 * {@link BiometricManager#BIOMETRIC_NO_AUTHENTICATION} 773 * @throws IllegalArgumentException if {@code authenticators} contains values other than 774 * {@link Authenticators#DEVICE_CREDENTIAL} and {@link Authenticators#BIOMETRIC_STRONG} or is 775 * 0. 776 */ 777 @RequiresPermission(USE_BIOMETRIC) 778 @ElapsedRealtimeLong getLastAuthenticationTime( @iometricManager.Authenticators.Types int authenticators)779 public long getLastAuthenticationTime( 780 @BiometricManager.Authenticators.Types int authenticators) { 781 if (authenticators == 0 782 || (GET_LAST_AUTH_TIME_ALLOWED_AUTHENTICATORS & authenticators) != authenticators) { 783 throw new IllegalArgumentException( 784 "Only BIOMETRIC_STRONG and DEVICE_CREDENTIAL authenticators may be used."); 785 } 786 787 if (mService != null) { 788 try { 789 return mService.getLastAuthenticationTime(UserHandle.myUserId(), authenticators); 790 } catch (RemoteException e) { 791 throw e.rethrowFromSystemServer(); 792 } 793 } else { 794 return BIOMETRIC_NO_AUTHENTICATION; 795 } 796 } 797 } 798 799