基于android7.1.1第一次指纹设置必须安全解锁分析

环境:ubuntu14.04
基于高通的android7.1.1代码(同aosp差别不大)

1.现象:第一次直接设置指纹后,然后锁屏,不能够直接使用指纹进行解锁而是提示使用密码,pin码,图案等安全锁屏方式才能进行解锁?

分析:手机的解锁方式分为pin码,图案,密码等,从KeyguardSecurityModel类中即可看出来:

    /**
     * The different types of security available.
     * @see KeyguardSecurityContainer#showSecurityScreen
     */
    public enum SecurityMode {
        Invalid, // NULL state
        None, // No security enabled
        Pattern, // Unlock by drawing a pattern.
        Password, // Unlock by entering an alphanumeric password
        PIN, // Strictly numeric password
        SimPin, // Unlock by entering a sim pin.
        SimPuk // Unlock by entering a sim puk
    }

指纹等生物解锁密码等只是一种辅助用来解锁的手段,不能单独存在,而且指纹注册时必须要基于安全锁屏方式来获取Token才能注册成功.

查看代码ViewMediatorCallback接口为:

    /**
     * @return one of the reasons why the bouncer needs to be shown right now and the user can't use
     *         his normal unlock method like fingerprint or trust agents. See
     *         {@link KeyguardSecurityView#PROMPT_REASON_NONE},
     *         {@link KeyguardSecurityView#PROMPT_REASON_RESTART} and
     *         {@link KeyguardSecurityView#PROMPT_REASON_TIMEOUT}.
     */
    int getBouncerPromptReason();

在KeyguardViewMediator中实现了此接口方法:

        @Override
        public int getBouncerPromptReason() {
            int currentUser = ActivityManager.getCurrentUser();
            boolean trust = mTrustManager.isTrustUsuallyManaged(currentUser);
            boolean fingerprint = mUpdateMonitor.isUnlockWithFingerprintPossible(currentUser);
            boolean any = trust || fingerprint;
            KeyguardUpdateMonitor.StrongAuthTracker strongAuthTracker =
                    mUpdateMonitor.getStrongAuthTracker();
            int strongAuth = strongAuthTracker.getStrongAuthForUser(currentUser);
            if (any && !strongAuthTracker.hasUserAuthenticatedSinceBoot()) {
                //第一次重启机器
                return KeyguardSecurityView.PROMPT_REASON_RESTART;
            } else if (fingerprint && mUpdateMonitor.hasFingerprintUnlockTimedOut(currentUser)) {
                //所需要查看问题所在,当之前没有安全解锁方式解锁成功时,指纹第一次被设置时不能使用指纹解锁
                return KeyguardSecurityView.PROMPT_REASON_TIMEOUT;
            } else if (any && (strongAuth & STRONG_AUTH_REQUIRED_AFTER_DPM_LOCK_NOW) != 0) {
                return KeyguardSecurityView.PROMPT_REASON_DEVICE_ADMIN;
            } else if (trust && (strongAuth & SOME_AUTH_REQUIRED_AFTER_USER_REQUEST) != 0) {
                //用户指纹和安全解锁方式都可以正常使用所提示的信息
                return KeyguardSecurityView.PROMPT_REASON_USER_REQUEST;
            } else if (any && (strongAuth & STRONG_AUTH_REQUIRED_AFTER_LOCKOUT) != 0) {
                return KeyguardSecurityView.PROMPT_REASON_AFTER_LOCKOUT;
            }
            return KeyguardSecurityView.PROMPT_REASON_NONE;
        }

ViewMediatorCallback实例化传递给StatusBarKeyguardViewManager,然后在传递给KeyguardBouncer

mStatusBarKeyguardViewManager =
                SystemUIFactory.getInstance().createStatusBarKeyguardViewManager(mContext,
                        mViewMediatorCallback, mLockPatternUtils);

mBouncer = SystemUIFactory.getInstance().createKeyguardBouncer(mContext,
                mViewMediatorCallback, mLockPatternUtils, mStatusBarWindowManager, container);

接下来就需要查看在KeyguardBouncer中如何调用此方法了,查看代码:
有两个地方:

                public void onStrongAuthStateChanged(int userId) {
                    //跟踪了相关代码,这个是在解锁完成之后才会调用触发
                    mBouncerPromptReason = mCallback.getBouncerPromptReason();
                }

    public void prepare() {
        boolean wasInitialized = mRoot != null;
        ensureView();
        if (wasInitialized) {
            //每次准备解锁界面时才会调用此方法,就是这个问题所需要的时机
            mKeyguardView.showPrimarySecurityScreen();
        }
        mBouncerPromptReason = mCallback.getBouncerPromptReason();
    }

锁屏准备解锁界面时会调用上述逻辑,那么还是要在具体实现看,具体实现类,为什么会走入对应分支,也就是

                else if (fingerprint && mUpdateMonitor.hasFingerprintUnlockTimedOut(currentUser)) {
                //所需要查看问题所在,当之前没有安全解锁方式解锁成功时,指纹第一次被设置时不能使用指纹解锁
                return KeyguardSecurityView.PROMPT_REASON_TIMEOUT;
                }

/**
     * @return true if the user hasn't use strong authentication (pattern, PIN, password) since a
     *         while and thus can't unlock with fingerprint, false otherwise
     */
    public boolean hasFingerprintUnlockTimedOut(int userId) {
        //通过判断这个集合里面是否有当前用户ID,需要查看的就是添加到集合的时机
        return !mStrongAuthNotTimedOut.contains(userId);
    }

查看添加集合的时机为:

    //
   public void reportSuccessfulStrongAuthUnlockAttempt() {
        mStrongAuthNotTimedOut.add(sCurrentUser);
        scheduleStrongAuthTimeout();
        if (mFpm != null) {
            byte[] token = null; /* TODO: pass real auth token once fp HAL supports it */
            mFpm.resetTimeout(token);
        }
    }

此方法是在解锁完成之后会调用的

        @Override
        public void keyguardDone(boolean strongAuth) {
            if (!mKeyguardDonePending) {
                KeyguardViewMediator.this.keyguardDone(true /* authenticated */);
            }
            if (strongAuth) {
                mUpdateMonitor.reportSuccessfulStrongAuthUnlockAttempt();
            }
        }

这样我们就清楚了整个流程,只有在使用了安全的解锁方式解锁之后才会在集合中添加当前用户ID,代表之后设置指纹可以正常使用,如果在之前没有使用过安全的解锁方式,那么就不可以直接使用生物信息解锁,必须要使用安全解锁,这样在代码里会添加当前用户ID,代表用安全解锁方式认证完毕,所以可以使用指纹了.