package com.android.server.locksettings;

import android.Manifest;
import android.accessibilityservice.AccessibilityTrace;
import android.app.ActivityManager;
import android.app.IActivityManager;
import android.app.KeyguardManager;
import android.app.Notification;
import android.app.NotificationManager;
import android.app.PendingIntent;
import android.app.StatsManager;
import android.app.admin.DevicePolicyManager;
import android.app.admin.DevicePolicyManagerInternal;
import android.app.admin.DeviceStateCache;
import android.app.admin.PasswordMetrics;
import android.app.trust.IStrongAuthTracker;
import android.app.trust.TrustManager;
import android.content.BroadcastReceiver;
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.pm.PackageManager;
import android.content.pm.UserInfo;
import android.content.res.Resources;
import android.database.ContentObserver;
import android.database.sqlite.SQLiteDatabase;
import android.hardware.authsecret.V1_0.IAuthSecret;
import android.hardware.biometrics.BiometricManager;
import android.hardware.face.Face;
import android.hardware.face.FaceManager;
import android.hardware.fingerprint.Fingerprint;
import android.hardware.fingerprint.FingerprintManager;
import android.net.Uri;
import android.net.wifi.WifiEnterpriseConfig;
import android.os.Binder;
import android.os.Bundle;
import android.os.Handler;
import android.os.IBinder;
import android.os.IProgressListener;
import android.os.RemoteException;
import android.os.ResultReceiver;
import android.os.ServiceManager;
import android.os.ShellCallback;
import android.os.StrictMode;
import android.os.SystemProperties;
import android.os.UserHandle;
import android.os.UserManager;
import android.os.storage.IStorageManager;
import android.os.storage.StorageManager;
import android.provider.Settings;
import android.security.AndroidKeyStoreMaintenance;
import android.security.Authorization;
import android.security.KeyStore;
import android.security.keystore.KeyProperties;
import android.security.keystore.KeyProtection;
import android.security.keystore.UserNotAuthenticatedException;
import android.security.keystore.recovery.KeyChainProtectionParams;
import android.security.keystore.recovery.KeyChainSnapshot;
import android.security.keystore.recovery.RecoveryCertPath;
import android.security.keystore.recovery.WrappedApplicationKey;
import android.security.keystore2.AndroidKeyStoreLoadStoreParameter;
import android.security.keystore2.AndroidKeyStoreProvider;
import android.service.gatekeeper.GateKeeperResponse;
import android.service.gatekeeper.IGateKeeperService;
import android.text.TextUtils;
import android.util.ArrayMap;
import android.util.ArraySet;
import android.util.EventLog;
import android.util.LongSparseArray;
import android.util.Slog;
import android.util.SparseArray;
import com.android.ims.ImsManager;
import com.android.internal.R;
import com.android.internal.annotations.GuardedBy;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.notification.SystemNotificationChannels;
import com.android.internal.util.DumpUtils;
import com.android.internal.util.IndentingPrintWriter;
import com.android.internal.util.Preconditions;
import com.android.internal.widget.ICheckCredentialProgressCallback;
import com.android.internal.widget.ILockSettings;
import com.android.internal.widget.LockPatternUtils;
import com.android.internal.widget.LockSettingsInternal;
import com.android.internal.widget.LockscreenCredential;
import com.android.internal.widget.RebootEscrowListener;
import com.android.internal.widget.VerifyCredentialResponse;
import com.android.server.LocalServices;
import com.android.server.ServiceThread;
import com.android.server.SystemService;
import com.android.server.locksettings.LockSettingsStorage;
import com.android.server.locksettings.RebootEscrowManager;
import com.android.server.locksettings.SyntheticPasswordManager;
import com.android.server.locksettings.recoverablekeystore.RecoverableKeyStoreManager;
import com.android.server.pm.UserManagerInternal;
import com.android.server.wm.WindowManagerInternal;
import java.io.ByteArrayOutputStream;
import java.io.FileDescriptor;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Objects;
import java.util.Random;
import java.util.Set;
import java.util.StringJoiner;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import libcore.util.HexEncoding;

/* loaded from: input_file:com/android/server/locksettings/LockSettingsService.class */
public class LockSettingsService extends ILockSettings.Stub {
    private static final String TAG = "LockSettingsService";
    private static final String PERMISSION = "android.permission.ACCESS_KEYGUARD_SECURE_STORAGE";
    private static final String BIOMETRIC_PERMISSION = "android.permission.MANAGE_BIOMETRIC";
    private static final boolean DEBUG = false;
    private static final int PROFILE_KEY_IV_SIZE = 12;
    private static final String PREV_SYNTHETIC_PASSWORD_HANDLE_KEY = "prev-sp-handle";
    private static final String SYNTHETIC_PASSWORD_UPDATE_TIME_KEY = "sp-handle-ts";
    private static final String USER_SERIAL_NUMBER_KEY = "serial-number";
    private static final int GK_PW_HANDLE_STORE_DURATION_MS = 600000;
    private final Object mSeparateChallengeLock;
    private final DeviceProvisionedObserver mDeviceProvisionedObserver;
    private final Injector mInjector;
    private final Context mContext;

    @VisibleForTesting
    protected final Handler mHandler;

    @VisibleForTesting
    protected final LockSettingsStorage mStorage;
    private final LockSettingsStrongAuth mStrongAuth;
    private final SynchronizedStrongAuthTracker mStrongAuthTracker;
    private final BiometricDeferredQueue mBiometricDeferredQueue;
    private final LongSparseArray<byte[]> mGatekeeperPasswords;
    private final Random mRandom;
    private final NotificationManager mNotificationManager;
    private final UserManager mUserManager;
    private final IStorageManager mStorageManager;
    private final IActivityManager mActivityManager;
    private final SyntheticPasswordManager mSpManager;
    private final KeyStore mKeyStore;
    private final java.security.KeyStore mJavaKeyStore;
    private final RecoverableKeyStoreManager mRecoverableKeyStoreManager;
    private ManagedProfilePasswordCache mManagedProfilePasswordCache;
    private final RebootEscrowManager mRebootEscrowManager;
    private boolean mFirstCallToVold;

    @GuardedBy({"this"})
    final SparseArray<PasswordMetrics> mUserPasswordMetrics;

    @VisibleForTesting
    protected boolean mHasSecureLockScreen;
    protected IGateKeeperService mGateKeeperService;
    protected IAuthSecret mAuthSecretService;
    private static final String GSI_RUNNING_PROP = "ro.gsid.image_running";
    private final BroadcastReceiver mBroadcastReceiver;
    private static final int[] SYSTEM_CREDENTIAL_UIDS = {1016, 0, 1000};
    private static final String[] VALID_SETTINGS = {LockPatternUtils.LOCKOUT_PERMANENT_KEY, LockPatternUtils.PATTERN_EVER_CHOSEN_KEY, LockPatternUtils.PASSWORD_TYPE_KEY, LockPatternUtils.PASSWORD_TYPE_ALTERNATE_KEY, LockPatternUtils.LOCK_PASSWORD_SALT_KEY, "lockscreen.disabled", LockPatternUtils.LOCKSCREEN_OPTIONS, LockPatternUtils.LOCKSCREEN_BIOMETRIC_WEAK_FALLBACK, LockPatternUtils.BIOMETRIC_WEAK_EVER_CHOSEN_KEY, LockPatternUtils.LOCKSCREEN_POWER_BUTTON_INSTANTLY_LOCKS, LockPatternUtils.PASSWORD_HISTORY_KEY, "lock_pattern_autolock", Settings.Secure.LOCK_BIOMETRIC_WEAK_FLAGS, "lock_pattern_visible_pattern", "lock_pattern_tactile_feedback_enabled"};
    private static final String[] READ_CONTACTS_PROTECTED_SETTINGS = {Settings.Secure.LOCK_SCREEN_OWNER_INFO_ENABLED, Settings.Secure.LOCK_SCREEN_OWNER_INFO};
    private static final String SEPARATE_PROFILE_CHALLENGE_KEY = "lockscreen.profilechallenge";
    private static final String[] READ_PASSWORD_PROTECTED_SETTINGS = {LockPatternUtils.LOCK_PASSWORD_SALT_KEY, LockPatternUtils.PASSWORD_HISTORY_KEY, LockPatternUtils.PASSWORD_TYPE_KEY, SEPARATE_PROFILE_CHALLENGE_KEY};

    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$DeviceProvisionedObserver.class */
    private class DeviceProvisionedObserver extends ContentObserver {
        private final Uri mDeviceProvisionedUri;
        private boolean mRegistered;

        public DeviceProvisionedObserver() {
            super(null);
            this.mDeviceProvisionedUri = Settings.Global.getUriFor("device_provisioned");
        }

        @Override // android.database.ContentObserver
        public void onChange(boolean z, Uri uri, int i) {
            if (this.mDeviceProvisionedUri.equals(uri)) {
                updateRegistration();
                if (isProvisioned()) {
                    Slog.i(LockSettingsService.TAG, "Reporting device setup complete to IGateKeeperService");
                    reportDeviceSetupComplete();
                    clearFrpCredentialIfOwnerNotSecure();
                }
            }
        }

        public void onSystemReady() {
            if (LockPatternUtils.frpCredentialEnabled(LockSettingsService.this.mContext)) {
                updateRegistration();
            } else {
                if (isProvisioned()) {
                    return;
                }
                Slog.i(LockSettingsService.TAG, "FRP credential disabled, reporting device setup complete to Gatekeeper immediately");
                reportDeviceSetupComplete();
            }
        }

        private void reportDeviceSetupComplete() {
            try {
                LockSettingsService.this.getGateKeeperService().reportDeviceSetupComplete();
            } catch (RemoteException e) {
                Slog.e(LockSettingsService.TAG, "Failure reporting to IGateKeeperService", e);
            }
        }

        private void clearFrpCredentialIfOwnerNotSecure() {
            for (UserInfo userInfo : LockSettingsService.this.mUserManager.getUsers()) {
                if (LockPatternUtils.userOwnsFrpCredential(LockSettingsService.this.mContext, userInfo)) {
                    if (LockSettingsService.this.isUserSecure(userInfo.id)) {
                        return;
                    }
                    LockSettingsService.this.mStorage.writePersistentDataBlock(0, userInfo.id, 0, null);
                    return;
                }
            }
        }

        private void updateRegistration() {
            boolean z = !isProvisioned();
            if (z == this.mRegistered) {
                return;
            }
            if (z) {
                LockSettingsService.this.mContext.getContentResolver().registerContentObserver(this.mDeviceProvisionedUri, false, this);
            } else {
                LockSettingsService.this.mContext.getContentResolver().unregisterContentObserver(this);
            }
            this.mRegistered = z;
        }

        private boolean isProvisioned() {
            return Settings.Global.getInt(LockSettingsService.this.mContext.getContentResolver(), "device_provisioned", 0) != 0;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$GateKeeperDiedRecipient.class */
    public class GateKeeperDiedRecipient implements IBinder.DeathRecipient {
        private GateKeeperDiedRecipient() {
        }

        @Override // android.os.IBinder.DeathRecipient
        public void binderDied() {
            LockSettingsService.this.mGateKeeperService.asBinder().unlinkToDeath(this, 0);
            LockSettingsService.this.mGateKeeperService = null;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$Injector.class */
    public static class Injector {
        protected Context mContext;

        public Injector(Context context) {
            this.mContext = context;
        }

        public Context getContext() {
            return this.mContext;
        }

        public ServiceThread getServiceThread() {
            ServiceThread serviceThread = new ServiceThread(LockSettingsService.TAG, 10, true);
            serviceThread.start();
            return serviceThread;
        }

        public Handler getHandler(ServiceThread serviceThread) {
            return new Handler(serviceThread.getLooper());
        }

        public LockSettingsStorage getStorage() {
            final LockSettingsStorage lockSettingsStorage = new LockSettingsStorage(this.mContext);
            lockSettingsStorage.setDatabaseOnCreateCallback(new LockSettingsStorage.Callback() { // from class: com.android.server.locksettings.LockSettingsService.Injector.1
                @Override // com.android.server.locksettings.LockSettingsStorage.Callback
                public void initialize(SQLiteDatabase sQLiteDatabase) {
                    if (SystemProperties.getBoolean("ro.lockscreen.disable.default", false)) {
                        lockSettingsStorage.writeKeyValue(sQLiteDatabase, "lockscreen.disabled", WifiEnterpriseConfig.ENGINE_ENABLE, 0);
                    }
                }
            });
            return lockSettingsStorage;
        }

        public LockSettingsStrongAuth getStrongAuth() {
            return new LockSettingsStrongAuth(this.mContext);
        }

        public SynchronizedStrongAuthTracker getStrongAuthTracker() {
            return new SynchronizedStrongAuthTracker(this.mContext);
        }

        public IActivityManager getActivityManager() {
            return ActivityManager.getService();
        }

        public NotificationManager getNotificationManager() {
            return (NotificationManager) this.mContext.getSystemService("notification");
        }

        public UserManager getUserManager() {
            return (UserManager) this.mContext.getSystemService("user");
        }

        public UserManagerInternal getUserManagerInternal() {
            return (UserManagerInternal) LocalServices.getService(UserManagerInternal.class);
        }

        public DevicePolicyManager getDevicePolicyManager() {
            return (DevicePolicyManager) this.mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
        }

        public DeviceStateCache getDeviceStateCache() {
            return DeviceStateCache.getInstance();
        }

        public KeyStore getKeyStore() {
            return KeyStore.getInstance();
        }

        public RecoverableKeyStoreManager getRecoverableKeyStoreManager() {
            return RecoverableKeyStoreManager.getInstance(this.mContext);
        }

        public IStorageManager getStorageManager() {
            IBinder service = ServiceManager.getService("mount");
            if (service != null) {
                return IStorageManager.Stub.asInterface(service);
            }
            return null;
        }

        public SyntheticPasswordManager getSyntheticPasswordManager(LockSettingsStorage lockSettingsStorage) {
            return new SyntheticPasswordManager(getContext(), lockSettingsStorage, getUserManager(), new PasswordSlotManager());
        }

        public RebootEscrowManager getRebootEscrowManager(RebootEscrowManager.Callbacks callbacks, LockSettingsStorage lockSettingsStorage) {
            return new RebootEscrowManager(this.mContext, callbacks, lockSettingsStorage);
        }

        public boolean hasEnrolledBiometrics(int i) {
            return ((BiometricManager) this.mContext.getSystemService(BiometricManager.class)).hasEnrolledBiometrics(i);
        }

        public int binderGetCallingUid() {
            return Binder.getCallingUid();
        }

        public boolean isGsiRunning() {
            return SystemProperties.getInt(LockSettingsService.GSI_RUNNING_PROP, 0) > 0;
        }

        public FingerprintManager getFingerprintManager() {
            if (this.mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_FINGERPRINT)) {
                return (FingerprintManager) this.mContext.getSystemService(Context.FINGERPRINT_SERVICE);
            }
            return null;
        }

        public FaceManager getFaceManager() {
            if (this.mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_FACE)) {
                return (FaceManager) this.mContext.getSystemService(Context.FACE_SERVICE);
            }
            return null;
        }

        public int settingsGlobalGetInt(ContentResolver contentResolver, String str, int i) {
            return Settings.Global.getInt(contentResolver, str, i);
        }

        public int settingsSecureGetInt(ContentResolver contentResolver, String str, int i, int i2) {
            return Settings.Secure.getIntForUser(contentResolver, str, i, i2);
        }

        public java.security.KeyStore getJavaKeyStore() {
            try {
                java.security.KeyStore keyStore = java.security.KeyStore.getInstance(SyntheticPasswordCrypto.androidKeystoreProviderName());
                keyStore.load(new AndroidKeyStoreLoadStoreParameter(SyntheticPasswordCrypto.keyNamespace()));
                return keyStore;
            } catch (Exception e) {
                throw new IllegalStateException("Cannot load keystore", e);
            }
        }

        public ManagedProfilePasswordCache getManagedProfilePasswordCache(java.security.KeyStore keyStore) {
            return new ManagedProfilePasswordCache(keyStore, getUserManager());
        }
    }

    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$Lifecycle.class */
    public static final class Lifecycle extends SystemService {
        private LockSettingsService mLockSettingsService;

        public Lifecycle(Context context) {
            super(context);
        }

        @Override // com.android.server.SystemService
        public void onStart() {
            AndroidKeyStoreProvider.install();
            this.mLockSettingsService = new LockSettingsService(getContext());
            publishBinderService("lock_settings", this.mLockSettingsService);
        }

        @Override // com.android.server.SystemService
        public void onBootPhase(int i) {
            super.onBootPhase(i);
            if (i == 550) {
                this.mLockSettingsService.migrateOldDataAfterSystemReady();
                this.mLockSettingsService.loadEscrowData();
            }
        }

        @Override // com.android.server.SystemService
        public void onUserStarting(SystemService.TargetUser targetUser) {
            this.mLockSettingsService.onStartUser(targetUser.getUserIdentifier());
        }

        @Override // com.android.server.SystemService
        public void onUserUnlocking(SystemService.TargetUser targetUser) {
            this.mLockSettingsService.onUnlockUser(targetUser.getUserIdentifier());
        }

        @Override // com.android.server.SystemService
        public void onUserStopped(SystemService.TargetUser targetUser) {
            this.mLockSettingsService.onCleanupUser(targetUser.getUserIdentifier());
        }
    }

    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$LocalService.class */
    private final class LocalService extends LockSettingsInternal {
        private LocalService() {
        }

        @Override // com.android.internal.widget.LockSettingsInternal
        public long addEscrowToken(byte[] bArr, int i, LockPatternUtils.EscrowTokenStateChangeCallback escrowTokenStateChangeCallback) {
            return LockSettingsService.this.addEscrowToken(bArr, i, escrowTokenStateChangeCallback);
        }

        @Override // com.android.internal.widget.LockSettingsInternal
        public boolean removeEscrowToken(long j, int i) {
            return LockSettingsService.this.removeEscrowToken(j, i);
        }

        @Override // com.android.internal.widget.LockSettingsInternal
        public boolean isEscrowTokenActive(long j, int i) {
            return LockSettingsService.this.isEscrowTokenActive(j, i);
        }

        @Override // com.android.internal.widget.LockSettingsInternal
        public boolean setLockCredentialWithToken(LockscreenCredential lockscreenCredential, long j, byte[] bArr, int i) {
            if (!LockSettingsService.this.mHasSecureLockScreen && lockscreenCredential != null && lockscreenCredential.getType() != -1) {
                throw new UnsupportedOperationException("This operation requires secure lock screen feature.");
            }
            if (!LockSettingsService.this.setLockCredentialWithToken(lockscreenCredential, j, bArr, i)) {
                return false;
            }
            LockSettingsService.this.onPostPasswordChanged(lockscreenCredential, i);
            return true;
        }

        @Override // com.android.internal.widget.LockSettingsInternal
        public boolean unlockUserWithToken(long j, byte[] bArr, int i) {
            return LockSettingsService.this.unlockUserWithToken(j, bArr, i);
        }

        @Override // com.android.internal.widget.LockSettingsInternal
        public PasswordMetrics getUserPasswordMetrics(int i) {
            long clearCallingIdentity = Binder.clearCallingIdentity();
            try {
                if (LockSettingsService.this.isManagedProfileWithUnifiedLock(i)) {
                    Slog.w(LockSettingsService.TAG, "Querying password metrics for unified challenge profile: " + i);
                }
                return LockSettingsService.this.getUserPasswordMetrics(i);
            } finally {
                Binder.restoreCallingIdentity(clearCallingIdentity);
            }
        }

        @Override // com.android.internal.widget.LockSettingsInternal
        public boolean prepareRebootEscrow() {
            if (!LockSettingsService.this.mRebootEscrowManager.prepareRebootEscrow()) {
                return false;
            }
            LockSettingsService.this.mStrongAuth.requireStrongAuth(64, -1);
            return true;
        }

        @Override // com.android.internal.widget.LockSettingsInternal
        public void setRebootEscrowListener(RebootEscrowListener rebootEscrowListener) {
            LockSettingsService.this.mRebootEscrowManager.setRebootEscrowListener(rebootEscrowListener);
        }

        @Override // com.android.internal.widget.LockSettingsInternal
        public boolean clearRebootEscrow() {
            if (!LockSettingsService.this.mRebootEscrowManager.clearRebootEscrow()) {
                return false;
            }
            LockSettingsService.this.mStrongAuth.noLongerRequireStrongAuth(64, -1);
            return true;
        }

        @Override // com.android.internal.widget.LockSettingsInternal
        public int armRebootEscrow() {
            return LockSettingsService.this.mRebootEscrowManager.armRebootEscrowIfNeeded();
        }

        @Override // com.android.internal.widget.LockSettingsInternal
        public void refreshStrongAuthTimeout(int i) {
            LockSettingsService.this.mStrongAuth.refreshStrongAuthTimeout(i);
        }
    }

    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$RebootEscrowCallbacks.class */
    private class RebootEscrowCallbacks implements RebootEscrowManager.Callbacks {
        private RebootEscrowCallbacks() {
        }

        @Override // com.android.server.locksettings.RebootEscrowManager.Callbacks
        public boolean isUserSecure(int i) {
            return LockSettingsService.this.isUserSecure(i);
        }

        @Override // com.android.server.locksettings.RebootEscrowManager.Callbacks
        public void onRebootEscrowRestored(byte b, byte[] bArr, int i) {
            SyntheticPasswordManager.AuthenticationToken authenticationToken = new SyntheticPasswordManager.AuthenticationToken(b);
            authenticationToken.recreateDirectly(bArr);
            synchronized (LockSettingsService.this.mSpManager) {
                LockSettingsService.this.mSpManager.verifyChallenge(LockSettingsService.this.getGateKeeperService(), authenticationToken, 0L, i);
            }
            LockSettingsService.this.onCredentialVerified(authenticationToken, LockSettingsService.this.loadPasswordMetrics(authenticationToken, i), i);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @VisibleForTesting
    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$SynchronizedStrongAuthTracker.class */
    public static class SynchronizedStrongAuthTracker extends LockPatternUtils.StrongAuthTracker {
        public SynchronizedStrongAuthTracker(Context context) {
            super(context);
        }

        /* JADX INFO: Access modifiers changed from: protected */
        @Override // com.android.internal.widget.LockPatternUtils.StrongAuthTracker
        public void handleStrongAuthRequiredChanged(int i, int i2) {
            synchronized (this) {
                super.handleStrongAuthRequiredChanged(i, i2);
            }
        }

        @Override // com.android.internal.widget.LockPatternUtils.StrongAuthTracker
        public int getStrongAuthForUser(int i) {
            int strongAuthForUser;
            synchronized (this) {
                strongAuthForUser = super.getStrongAuthForUser(i);
            }
            return strongAuthForUser;
        }

        void register(LockSettingsStrongAuth lockSettingsStrongAuth) {
            lockSettingsStrongAuth.registerStrongAuthTracker(getStub());
        }
    }

    private LockscreenCredential generateRandomProfilePassword() {
        byte[] bArr = new byte[0];
        try {
            byte[] generateSeed = SecureRandom.getInstance("SHA1PRNG").generateSeed(40);
            char[] encode = HexEncoding.encode(generateSeed);
            byte[] bArr2 = new byte[encode.length];
            for (int i = 0; i < encode.length; i++) {
                bArr2[i] = (byte) encode[i];
            }
            LockscreenCredential createManagedPassword = LockscreenCredential.createManagedPassword(bArr2);
            Arrays.fill(encode, (char) 0);
            Arrays.fill(bArr2, (byte) 0);
            Arrays.fill(generateSeed, (byte) 0);
            return createManagedPassword;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Fail to generate profile password", e);
        }
    }

    public void tieManagedProfileLockIfNecessary(int i, LockscreenCredential lockscreenCredential) {
        if (!this.mUserManager.getUserInfo(i).isManagedProfile() || getSeparateProfileChallengeEnabledInternal(i) || this.mStorage.hasChildProfileLock(i)) {
            return;
        }
        int i2 = this.mUserManager.getProfileParent(i).id;
        if (!isUserSecure(i2) && !lockscreenCredential.isNone()) {
            setLockCredentialInternal(LockscreenCredential.createNone(), lockscreenCredential, i, true);
            return;
        }
        try {
            if (getGateKeeperService().getSecureUserId(i2) == 0) {
                return;
            }
            LockscreenCredential generateRandomProfilePassword = generateRandomProfilePassword();
            try {
                setLockCredentialInternal(generateRandomProfilePassword, lockscreenCredential, i, true);
                tieProfileLockToParent(i, generateRandomProfilePassword);
                this.mManagedProfilePasswordCache.storePassword(i, generateRandomProfilePassword);
                if (generateRandomProfilePassword != null) {
                    generateRandomProfilePassword.close();
                }
            } catch (Throwable th) {
                if (generateRandomProfilePassword != null) {
                    try {
                        generateRandomProfilePassword.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (RemoteException e) {
            Slog.e(TAG, "Failed to talk to GateKeeper service", e);
        }
    }

    public LockSettingsService(Context context) {
        this(new Injector(context));
    }

    @VisibleForTesting
    protected LockSettingsService(Injector injector) {
        this.mSeparateChallengeLock = new Object();
        this.mDeviceProvisionedObserver = new DeviceProvisionedObserver();
        this.mUserPasswordMetrics = new SparseArray<>();
        this.mBroadcastReceiver = new BroadcastReceiver() { // from class: com.android.server.locksettings.LockSettingsService.2
            @Override // android.content.BroadcastReceiver
            public void onReceive(Context context, Intent intent) {
                int intExtra;
                if (Intent.ACTION_USER_ADDED.equals(intent.getAction())) {
                    AndroidKeyStoreMaintenance.onUserAdded(intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0));
                    return;
                }
                if (Intent.ACTION_USER_STARTING.equals(intent.getAction())) {
                    LockSettingsService.this.mStorage.prefetchUser(intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0));
                } else {
                    if (!Intent.ACTION_USER_REMOVED.equals(intent.getAction()) || (intExtra = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0)) <= 0) {
                        return;
                    }
                    LockSettingsService.this.removeUser(intExtra, false);
                }
            }
        };
        this.mInjector = injector;
        this.mContext = injector.getContext();
        this.mKeyStore = injector.getKeyStore();
        this.mJavaKeyStore = injector.getJavaKeyStore();
        this.mRecoverableKeyStoreManager = injector.getRecoverableKeyStoreManager();
        this.mHandler = injector.getHandler(injector.getServiceThread());
        this.mStrongAuth = injector.getStrongAuth();
        this.mActivityManager = injector.getActivityManager();
        this.mFirstCallToVold = true;
        IntentFilter intentFilter = new IntentFilter();
        intentFilter.addAction(Intent.ACTION_USER_ADDED);
        intentFilter.addAction(Intent.ACTION_USER_STARTING);
        intentFilter.addAction(Intent.ACTION_USER_REMOVED);
        injector.getContext().registerReceiverAsUser(this.mBroadcastReceiver, UserHandle.ALL, intentFilter, null, null);
        this.mStorage = injector.getStorage();
        this.mNotificationManager = injector.getNotificationManager();
        this.mUserManager = injector.getUserManager();
        this.mStorageManager = injector.getStorageManager();
        this.mStrongAuthTracker = injector.getStrongAuthTracker();
        this.mStrongAuthTracker.register(this.mStrongAuth);
        this.mGatekeeperPasswords = new LongSparseArray<>();
        this.mRandom = new SecureRandom();
        this.mSpManager = injector.getSyntheticPasswordManager(this.mStorage);
        this.mManagedProfilePasswordCache = injector.getManagedProfilePasswordCache(this.mJavaKeyStore);
        this.mBiometricDeferredQueue = new BiometricDeferredQueue(this.mContext, this.mSpManager, this.mHandler);
        this.mRebootEscrowManager = injector.getRebootEscrowManager(new RebootEscrowCallbacks(), this.mStorage);
        LocalServices.addService(LockSettingsInternal.class, new LocalService());
    }

    private void maybeShowEncryptionNotificationForUser(int i) {
        UserInfo profileParent;
        UserInfo userInfo = this.mUserManager.getUserInfo(i);
        if (userInfo.isManagedProfile() && !isUserKeyUnlocked(i)) {
            UserHandle userHandle = userInfo.getUserHandle();
            if (!isUserSecure(i) || this.mUserManager.isUserUnlockingOrUnlocked(userHandle) || (profileParent = this.mUserManager.getProfileParent(i)) == null || !this.mUserManager.isUserUnlockingOrUnlocked(profileParent.getUserHandle()) || this.mUserManager.isQuietModeEnabled(userHandle)) {
                return;
            }
            showEncryptionNotificationForProfile(userHandle);
        }
    }

    private void showEncryptionNotificationForProfile(UserHandle userHandle) {
        Resources resources = this.mContext.getResources();
        CharSequence text = resources.getText(R.string.profile_encrypted_title);
        CharSequence text2 = resources.getText(R.string.profile_encrypted_message);
        CharSequence text3 = resources.getText(R.string.profile_encrypted_detail);
        Intent createConfirmDeviceCredentialIntent = ((KeyguardManager) this.mContext.getSystemService(Context.KEYGUARD_SERVICE)).createConfirmDeviceCredentialIntent(null, null, userHandle.getIdentifier());
        if (createConfirmDeviceCredentialIntent == null) {
            return;
        }
        createConfirmDeviceCredentialIntent.setFlags(276824064);
        showEncryptionNotification(userHandle, text, text2, text3, PendingIntent.getActivity(this.mContext, 0, createConfirmDeviceCredentialIntent, 167772160));
    }

    private void showEncryptionNotification(UserHandle userHandle, CharSequence charSequence, CharSequence charSequence2, CharSequence charSequence3, PendingIntent pendingIntent) {
        if (StorageManager.isFileEncryptedNativeOrEmulated()) {
            this.mNotificationManager.notifyAsUser(null, 9, new Notification.Builder(this.mContext, SystemNotificationChannels.DEVICE_ADMIN).setSmallIcon(R.drawable.ic_user_secure).setWhen(0L).setOngoing(true).setTicker(charSequence).setColor(this.mContext.getColor(17170460)).setContentTitle(charSequence).setContentText(charSequence2).setSubText(charSequence3).setVisibility(1).setContentIntent(pendingIntent).build(), userHandle);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void hideEncryptionNotification(UserHandle userHandle) {
        this.mNotificationManager.cancelAsUser(null, 9, userHandle);
    }

    public void onCleanupUser(int i) {
        hideEncryptionNotification(new UserHandle(i));
        requireStrongAuth(LockPatternUtils.StrongAuthTracker.getDefaultFlags(this.mContext), i);
        synchronized (this) {
            this.mUserPasswordMetrics.remove(i);
        }
    }

    public void onStartUser(int i) {
        maybeShowEncryptionNotificationForUser(i);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void cleanupDataForReusedUserIdIfNecessary(int i) {
        int userSerialNumber;
        int i2;
        if (i == 0 || (i2 = this.mStorage.getInt(USER_SERIAL_NUMBER_KEY, -1, i)) == (userSerialNumber = this.mUserManager.getUserSerialNumber(i))) {
            return;
        }
        if (i2 != -1) {
            removeUser(i, true);
        }
        this.mStorage.setInt(USER_SERIAL_NUMBER_KEY, userSerialNumber, i);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void ensureProfileKeystoreUnlocked(int i) {
        if (KeyStore.getInstance().state(i) == KeyStore.State.LOCKED && this.mUserManager.getUserInfo(i).isManagedProfile() && hasUnifiedChallenge(i)) {
            Slog.i(TAG, "Managed profile got unlocked, will unlock its keystore");
            unlockChildProfile(i, true);
        }
    }

    public void onUnlockUser(final int i) {
        this.mHandler.post(new Runnable() { // from class: com.android.server.locksettings.LockSettingsService.1
            @Override // java.lang.Runnable
            public void run() {
                LockSettingsService.this.cleanupDataForReusedUserIdIfNecessary(i);
                LockSettingsService.this.ensureProfileKeystoreUnlocked(i);
                LockSettingsService.this.hideEncryptionNotification(new UserHandle(i));
                if (LockSettingsService.this.mUserManager.getUserInfo(i).isManagedProfile()) {
                    LockSettingsService.this.tieManagedProfileLockIfNecessary(i, LockscreenCredential.createNone());
                }
                if (!LockSettingsService.this.mUserManager.getUserInfo(i).isPrimary() || LockSettingsService.this.isUserSecure(i)) {
                    return;
                }
                LockSettingsService.this.tryDeriveAuthTokenForUnsecuredPrimaryUser(i);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void tryDeriveAuthTokenForUnsecuredPrimaryUser(int i) {
        synchronized (this.mSpManager) {
            if (isSyntheticPasswordBasedCredentialLocked(i)) {
                SyntheticPasswordManager.AuthenticationResult unwrapPasswordBasedSyntheticPassword = this.mSpManager.unwrapPasswordBasedSyntheticPassword(getGateKeeperService(), getSyntheticPasswordHandleLocked(i), LockscreenCredential.createNone(), i, null);
                if (unwrapPasswordBasedSyntheticPassword.authToken != null) {
                    Slog.i(TAG, "Retrieved auth token for user " + i);
                    onAuthTokenKnownForUser(i, unwrapPasswordBasedSyntheticPassword.authToken);
                } else {
                    Slog.e(TAG, "Auth token not available for user " + i);
                }
            }
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public void systemReady() {
        if (this.mContext.checkCallingOrSelfPermission("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE") != 0) {
            EventLog.writeEvent(1397638484, "28251513", Integer.valueOf(getCallingUid()), "");
        }
        checkWritePermission(0);
        this.mHasSecureLockScreen = this.mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_SECURE_LOCK_SCREEN);
        migrateOldData();
        getGateKeeperService();
        this.mSpManager.initWeaverService();
        getAuthSecretHal();
        this.mDeviceProvisionedObserver.onSystemReady();
        this.mStorage.prefetchUser(0);
        this.mBiometricDeferredQueue.systemReady(this.mInjector.getFingerprintManager(), this.mInjector.getFaceManager());
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void loadEscrowData() {
        this.mRebootEscrowManager.loadRebootEscrowDataIfAvailable(this.mHandler);
    }

    private void getAuthSecretHal() {
        try {
            this.mAuthSecretService = IAuthSecret.getService(true);
        } catch (RemoteException e) {
            Slog.w(TAG, "Failed to get AuthSecret HAL", e);
        } catch (NoSuchElementException e2) {
            Slog.i(TAG, "Device doesn't implement AuthSecret HAL");
        }
    }

    private void migrateOldData() {
        boolean migrateKeyNamespace;
        if (getString("migrated", null, 0) == null) {
            ContentResolver contentResolver = this.mContext.getContentResolver();
            for (String str : VALID_SETTINGS) {
                String stringForUser = Settings.Secure.getStringForUser(contentResolver, str, contentResolver.getUserId());
                if (stringForUser != null) {
                    setString(str, stringForUser, 0);
                }
            }
            setString("migrated", ImsManager.TRUE, 0);
            Slog.i(TAG, "Migrated lock settings to new location");
        }
        if (getString("migrated_user_specific", null, 0) == null) {
            ContentResolver contentResolver2 = this.mContext.getContentResolver();
            List<UserInfo> users = this.mUserManager.getUsers();
            for (int i = 0; i < users.size(); i++) {
                int i2 = users.get(i).id;
                String stringForUser2 = Settings.Secure.getStringForUser(contentResolver2, Settings.Secure.LOCK_SCREEN_OWNER_INFO, i2);
                if (!TextUtils.isEmpty(stringForUser2)) {
                    setString(Settings.Secure.LOCK_SCREEN_OWNER_INFO, stringForUser2, i2);
                    Settings.Secure.putStringForUser(contentResolver2, Settings.Secure.LOCK_SCREEN_OWNER_INFO, "", i2);
                }
                try {
                    setLong(Settings.Secure.LOCK_SCREEN_OWNER_INFO_ENABLED, Settings.Secure.getIntForUser(contentResolver2, Settings.Secure.LOCK_SCREEN_OWNER_INFO_ENABLED, i2) != 0 ? 1L : 0L, i2);
                } catch (Settings.SettingNotFoundException e) {
                    if (!TextUtils.isEmpty(stringForUser2)) {
                        setLong(Settings.Secure.LOCK_SCREEN_OWNER_INFO_ENABLED, 1L, i2);
                    }
                }
                Settings.Secure.putIntForUser(contentResolver2, Settings.Secure.LOCK_SCREEN_OWNER_INFO_ENABLED, 0, i2);
            }
            setString("migrated_user_specific", ImsManager.TRUE, 0);
            Slog.i(TAG, "Migrated per-user lock settings to new location");
        }
        if (getString("migrated_biometric_weak", null, 0) == null) {
            List<UserInfo> users2 = this.mUserManager.getUsers();
            for (int i3 = 0; i3 < users2.size(); i3++) {
                int i4 = users2.get(i3).id;
                long j = getLong(LockPatternUtils.PASSWORD_TYPE_KEY, 0L, i4);
                long j2 = getLong(LockPatternUtils.PASSWORD_TYPE_ALTERNATE_KEY, 0L, i4);
                if (j == 32768) {
                    setLong(LockPatternUtils.PASSWORD_TYPE_KEY, j2, i4);
                }
                setLong(LockPatternUtils.PASSWORD_TYPE_ALTERNATE_KEY, 0L, i4);
            }
            setString("migrated_biometric_weak", ImsManager.TRUE, 0);
            Slog.i(TAG, "Migrated biometric weak to use the fallback instead");
        }
        if (getString("migrated_lockscreen_disabled", null, 0) == null) {
            List<UserInfo> users3 = this.mUserManager.getUsers();
            int size = users3.size();
            int i5 = 0;
            for (int i6 = 0; i6 < size; i6++) {
                if (users3.get(i6).supportsSwitchTo()) {
                    i5++;
                }
            }
            if (i5 > 1) {
                for (int i7 = 0; i7 < size; i7++) {
                    int i8 = users3.get(i7).id;
                    if (getBoolean("lockscreen.disabled", false, i8)) {
                        setBoolean("lockscreen.disabled", false, i8);
                    }
                }
            }
            setString("migrated_lockscreen_disabled", ImsManager.TRUE, 0);
            Slog.i(TAG, "Migrated lockscreen disabled flag");
        }
        if (this.mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH) && getString("migrated_wear_lockscreen_disabled", null, 0) == null) {
            List<UserInfo> users4 = this.mUserManager.getUsers();
            int size2 = users4.size();
            for (int i9 = 0; i9 < size2; i9++) {
                setBoolean("lockscreen.disabled", false, users4.get(i9).id);
            }
            setString("migrated_wear_lockscreen_disabled", ImsManager.TRUE, 0);
            Slog.i(TAG, "Migrated lockscreen_disabled for Wear devices");
        }
        if (getString("migrated_keystore_namespace", null, 0) == null) {
            synchronized (this.mSpManager) {
                migrateKeyNamespace = true & this.mSpManager.migrateKeyNamespace();
            }
            if (migrateKeyNamespace && migrateProfileLockKeys()) {
                setString("migrated_keystore_namespace", ImsManager.TRUE, 0);
                Slog.i(TAG, "Migrated keys to LSS namespace");
            } else {
                Slog.w(TAG, "Failed to migrate keys to LSS namespace");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void migrateOldDataAfterSystemReady() {
        if (!LockPatternUtils.frpCredentialEnabled(this.mContext) || getBoolean("migrated_frp", false, 0)) {
            return;
        }
        migrateFrpCredential();
        setBoolean("migrated_frp", true, 0);
        Slog.i(TAG, "Migrated migrated_frp.");
    }

    private void migrateFrpCredential() {
        if (this.mStorage.readPersistentDataBlock() != LockSettingsStorage.PersistentData.NONE) {
            return;
        }
        for (UserInfo userInfo : this.mUserManager.getUsers()) {
            if (LockPatternUtils.userOwnsFrpCredential(this.mContext, userInfo) && isUserSecure(userInfo.id)) {
                synchronized (this.mSpManager) {
                    if (isSyntheticPasswordBasedCredentialLocked(userInfo.id)) {
                        this.mSpManager.migrateFrpPasswordLocked(getSyntheticPasswordHandleLocked(userInfo.id), userInfo, redactActualQualityToMostLenientEquivalentQuality((int) getLong(LockPatternUtils.PASSWORD_TYPE_KEY, 0L, userInfo.id)));
                    }
                }
                return;
            }
        }
    }

    private boolean migrateProfileLockKeys() {
        boolean z = true;
        List<UserInfo> users = this.mUserManager.getUsers();
        int size = users.size();
        for (int i = 0; i < size; i++) {
            UserInfo userInfo = users.get(i);
            if (userInfo.isManagedProfile() && !getSeparateProfileChallengeEnabledInternal(userInfo.id)) {
                z = z & SyntheticPasswordCrypto.migrateLockSettingsKey(LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + userInfo.id) & SyntheticPasswordCrypto.migrateLockSettingsKey(LockPatternUtils.PROFILE_KEY_NAME_DECRYPT + userInfo.id);
            }
        }
        return z;
    }

    private int redactActualQualityToMostLenientEquivalentQuality(int i) {
        switch (i) {
            case 0:
            case 32768:
            case 65536:
            case 524288:
            default:
                return i;
            case 131072:
            case 196608:
                return 131072;
            case 262144:
            case 327680:
            case 393216:
                return 262144;
        }
    }

    private void enforceFrpResolved() {
        ContentResolver contentResolver = this.mContext.getContentResolver();
        boolean z = this.mInjector.settingsSecureGetInt(contentResolver, Settings.Secure.USER_SETUP_COMPLETE, 0, 0) == 0;
        boolean z2 = this.mInjector.settingsSecureGetInt(contentResolver, Settings.Secure.SECURE_FRP_MODE, 0, 0) == 1;
        if (z && z2) {
            throw new SecurityException("Cannot change credential in SUW while factory reset protection is not resolved yet");
        }
    }

    private final void checkWritePermission(int i) {
        this.mContext.enforceCallingOrSelfPermission("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE", "LockSettingsWrite");
    }

    private final void checkPasswordReadPermission() {
        this.mContext.enforceCallingOrSelfPermission("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE", "LockSettingsRead");
    }

    private final void checkPasswordHavePermission(int i) {
        if (this.mContext.checkCallingOrSelfPermission("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE") != 0) {
            EventLog.writeEvent(1397638484, "28251513", Integer.valueOf(getCallingUid()), "");
        }
        this.mContext.enforceCallingOrSelfPermission("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE", "LockSettingsHave");
    }

    private final void checkReadPermission(String str, int i) {
        int callingUid = Binder.getCallingUid();
        for (int i2 = 0; i2 < READ_CONTACTS_PROTECTED_SETTINGS.length; i2++) {
            if (READ_CONTACTS_PROTECTED_SETTINGS[i2].equals(str) && this.mContext.checkCallingOrSelfPermission(Manifest.permission.READ_CONTACTS) != 0) {
                throw new SecurityException("uid=" + callingUid + " needs permission " + Manifest.permission.READ_CONTACTS + " to read " + str + " for user " + i);
            }
        }
        for (int i3 = 0; i3 < READ_PASSWORD_PROTECTED_SETTINGS.length; i3++) {
            if (READ_PASSWORD_PROTECTED_SETTINGS[i3].equals(str) && this.mContext.checkCallingOrSelfPermission("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE") != 0) {
                throw new SecurityException("uid=" + callingUid + " needs permission android.permission.ACCESS_KEYGUARD_SECURE_STORAGE to read " + str + " for user " + i);
            }
        }
    }

    private final void checkBiometricPermission() {
        this.mContext.enforceCallingOrSelfPermission("android.permission.MANAGE_BIOMETRIC", "LockSettingsBiometric");
    }

    private boolean hasPermission(String str) {
        return this.mContext.checkCallingOrSelfPermission(str) == 0;
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean hasSecureLockScreen() {
        return this.mHasSecureLockScreen;
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean getSeparateProfileChallengeEnabled(int i) {
        checkReadPermission(SEPARATE_PROFILE_CHALLENGE_KEY, i);
        return getSeparateProfileChallengeEnabledInternal(i);
    }

    private boolean getSeparateProfileChallengeEnabledInternal(int i) {
        boolean z;
        synchronized (this.mSeparateChallengeLock) {
            z = this.mStorage.getBoolean(SEPARATE_PROFILE_CHALLENGE_KEY, false, i);
        }
        return z;
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setSeparateProfileChallengeEnabled(int i, boolean z, LockscreenCredential lockscreenCredential) {
        checkWritePermission(i);
        if (!this.mHasSecureLockScreen && lockscreenCredential != null && lockscreenCredential.getType() != -1) {
            throw new UnsupportedOperationException("This operation requires secure lock screen feature.");
        }
        synchronized (this.mSeparateChallengeLock) {
            setSeparateProfileChallengeEnabledLocked(i, z, lockscreenCredential != null ? lockscreenCredential : LockscreenCredential.createNone());
        }
        notifySeparateProfileChallengeChanged(i);
    }

    @GuardedBy({"mSeparateChallengeLock"})
    private void setSeparateProfileChallengeEnabledLocked(int i, boolean z, LockscreenCredential lockscreenCredential) {
        boolean z2 = getBoolean(SEPARATE_PROFILE_CHALLENGE_KEY, false, i);
        setBoolean(SEPARATE_PROFILE_CHALLENGE_KEY, z, i);
        try {
            if (z) {
                this.mStorage.removeChildProfileLock(i);
                removeKeystoreProfileKey(i);
            } else {
                tieManagedProfileLockIfNecessary(i, lockscreenCredential);
            }
        } catch (IllegalStateException e) {
            setBoolean(SEPARATE_PROFILE_CHALLENGE_KEY, z2, i);
            throw e;
        }
    }

    private void notifySeparateProfileChallengeChanged(int i) {
        this.mHandler.post(() -> {
            DevicePolicyManagerInternal devicePolicyManagerInternal = (DevicePolicyManagerInternal) LocalServices.getService(DevicePolicyManagerInternal.class);
            if (devicePolicyManagerInternal != null) {
                devicePolicyManagerInternal.reportSeparateProfileChallengeChanged(i);
            }
        });
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setBoolean(String str, boolean z, int i) {
        checkWritePermission(i);
        this.mStorage.setBoolean(str, z, i);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setLong(String str, long j, int i) {
        checkWritePermission(i);
        this.mStorage.setLong(str, j, i);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setString(String str, String str2, int i) {
        checkWritePermission(i);
        this.mStorage.setString(str, str2, i);
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean getBoolean(String str, boolean z, int i) {
        checkReadPermission(str, i);
        return "lock_pattern_autolock".equals(str) ? getCredentialTypeInternal(i) == 1 : this.mStorage.getBoolean(str, z, i);
    }

    @Override // com.android.internal.widget.ILockSettings
    public long getLong(String str, long j, int i) {
        checkReadPermission(str, i);
        return this.mStorage.getLong(str, j, i);
    }

    @Override // com.android.internal.widget.ILockSettings
    public String getString(String str, String str2, int i) {
        checkReadPermission(str, i);
        return this.mStorage.getString(str, str2, i);
    }

    private void setKeyguardStoredQuality(int i, int i2) {
        this.mStorage.setLong(LockPatternUtils.PASSWORD_TYPE_KEY, i, i2);
    }

    private int getKeyguardStoredQuality(int i) {
        return (int) this.mStorage.getLong(LockPatternUtils.PASSWORD_TYPE_KEY, 0L, i);
    }

    @Override // com.android.internal.widget.ILockSettings
    public int getCredentialType(int i) {
        checkPasswordHavePermission(i);
        return getCredentialTypeInternal(i);
    }

    public int getCredentialTypeInternal(int i) {
        if (i == -9999) {
            return getFrpCredentialType();
        }
        synchronized (this.mSpManager) {
            if (isSyntheticPasswordBasedCredentialLocked(i)) {
                int credentialType = this.mSpManager.getCredentialType(getSyntheticPasswordHandleLocked(i), i);
                if (credentialType != 2) {
                    return credentialType;
                }
                return pinOrPasswordQualityToCredentialType(getKeyguardStoredQuality(i));
            }
            int keyguardStoredQuality = getKeyguardStoredQuality(i);
            if (keyguardStoredQuality == 65536 && this.mStorage.hasPattern(i)) {
                return 1;
            }
            if (keyguardStoredQuality < 131072 || !this.mStorage.hasPassword(i)) {
                return -1;
            }
            return pinOrPasswordQualityToCredentialType(keyguardStoredQuality);
        }
    }

    private int getFrpCredentialType() {
        LockSettingsStorage.PersistentData readPersistentDataBlock = this.mStorage.readPersistentDataBlock();
        if (readPersistentDataBlock.type != 1 && readPersistentDataBlock.type != 2) {
            return -1;
        }
        int frpCredentialType = SyntheticPasswordManager.getFrpCredentialType(readPersistentDataBlock.payload);
        return frpCredentialType != 2 ? frpCredentialType : pinOrPasswordQualityToCredentialType(readPersistentDataBlock.qualityForUi);
    }

    private static int pinOrPasswordQualityToCredentialType(int i) {
        if (LockPatternUtils.isQualityAlphabeticPassword(i)) {
            return 4;
        }
        if (LockPatternUtils.isQualityNumericPin(i)) {
            return 3;
        }
        throw new IllegalArgumentException("Quality is neither Pin nor password: " + i);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean isUserSecure(int i) {
        return getCredentialTypeInternal(i) != -1;
    }

    @VisibleForTesting
    void setKeystorePassword(byte[] bArr, int i) {
        AndroidKeyStoreMaintenance.onUserPasswordChanged(i, bArr);
    }

    private void unlockKeystore(byte[] bArr, int i) {
        Authorization.onLockScreenEvent(false, i, bArr, null);
    }

    @VisibleForTesting
    protected LockscreenCredential getDecryptedPasswordForTiedProfile(int i) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, CertificateException, IOException {
        byte[] readChildProfileLock = this.mStorage.readChildProfileLock(i);
        if (readChildProfileLock == null) {
            throw new FileNotFoundException("Child profile lock file not found");
        }
        byte[] copyOfRange = Arrays.copyOfRange(readChildProfileLock, 0, 12);
        byte[] copyOfRange2 = Arrays.copyOfRange(readChildProfileLock, 12, readChildProfileLock.length);
        SecretKey secretKey = (SecretKey) this.mJavaKeyStore.getKey(LockPatternUtils.PROFILE_KEY_NAME_DECRYPT + i, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(2, secretKey, new GCMParameterSpec(128, copyOfRange));
        byte[] doFinal = cipher.doFinal(copyOfRange2);
        LockscreenCredential createManagedPassword = LockscreenCredential.createManagedPassword(doFinal);
        Arrays.fill(doFinal, (byte) 0);
        this.mManagedProfilePasswordCache.storePassword(i, createManagedPassword);
        return createManagedPassword;
    }

    private void unlockChildProfile(int i, boolean z) {
        try {
            doVerifyCredential(getDecryptedPasswordForTiedProfile(i), i, null, 0);
        } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            if (e instanceof FileNotFoundException) {
                Slog.i(TAG, "Child profile key not found");
            } else if (z && (e instanceof UserNotAuthenticatedException)) {
                Slog.i(TAG, "Parent keystore seems locked, ignoring");
            } else {
                Slog.e(TAG, "Failed to decrypt child profile key", e);
            }
        }
    }

    private void unlockUser(int i, byte[] bArr, byte[] bArr2) {
        Slog.i(TAG, "Unlocking user " + i + " with secret only, length " + (bArr2 != null ? bArr2.length : 0));
        boolean isUserUnlockingOrUnlocked = this.mUserManager.isUserUnlockingOrUnlocked(i);
        final CountDownLatch countDownLatch = new CountDownLatch(1);
        try {
            this.mActivityManager.unlockUser(i, bArr, bArr2, new IProgressListener.Stub() { // from class: com.android.server.locksettings.LockSettingsService.3
                @Override // android.os.IProgressListener
                public void onStarted(int i2, Bundle bundle) throws RemoteException {
                    Slog.d(LockSettingsService.TAG, "unlockUser started");
                }

                @Override // android.os.IProgressListener
                public void onProgress(int i2, int i3, Bundle bundle) throws RemoteException {
                    Slog.d(LockSettingsService.TAG, "unlockUser progress " + i3);
                }

                @Override // android.os.IProgressListener
                public void onFinished(int i2, Bundle bundle) throws RemoteException {
                    Slog.d(LockSettingsService.TAG, "unlockUser finished");
                    countDownLatch.countDown();
                }
            });
            try {
                countDownLatch.await(15L, TimeUnit.SECONDS);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            if (this.mUserManager.getUserInfo(i).isManagedProfile()) {
                if (hasUnifiedChallenge(i)) {
                    return;
                }
                this.mBiometricDeferredQueue.processPendingLockoutResets();
                return;
            }
            for (UserInfo userInfo : this.mUserManager.getProfiles(i)) {
                if (userInfo.id != i && userInfo.isManagedProfile()) {
                    if (hasUnifiedChallenge(userInfo.id)) {
                        if (this.mUserManager.isUserRunning(userInfo.id)) {
                            unlockChildProfile(userInfo.id, false);
                        } else {
                            try {
                                getDecryptedPasswordForTiedProfile(userInfo.id);
                            } catch (IOException | GeneralSecurityException e2) {
                                Slog.d(TAG, "Cache work profile password failed", e2);
                            }
                        }
                    }
                    if (isUserUnlockingOrUnlocked) {
                        continue;
                    } else {
                        long clearCallingIdentity = clearCallingIdentity();
                        try {
                            maybeShowEncryptionNotificationForUser(userInfo.id);
                            restoreCallingIdentity(clearCallingIdentity);
                        } catch (Throwable th) {
                            restoreCallingIdentity(clearCallingIdentity);
                            throw th;
                        }
                    }
                }
            }
            this.mBiometricDeferredQueue.processPendingLockoutResets();
        } catch (RemoteException e3) {
            throw e3.rethrowAsRuntimeException();
        }
    }

    private boolean hasUnifiedChallenge(int i) {
        return !getSeparateProfileChallengeEnabledInternal(i) && this.mStorage.hasChildProfileLock(i);
    }

    private Map<Integer, LockscreenCredential> getDecryptedPasswordsForAllTiedProfiles(int i) {
        if (this.mUserManager.getUserInfo(i).isManagedProfile()) {
            return null;
        }
        ArrayMap arrayMap = new ArrayMap();
        List<UserInfo> profiles = this.mUserManager.getProfiles(i);
        int size = profiles.size();
        for (int i2 = 0; i2 < size; i2++) {
            UserInfo userInfo = profiles.get(i2);
            if (userInfo.isManagedProfile()) {
                int i3 = userInfo.id;
                if (!getSeparateProfileChallengeEnabledInternal(i3)) {
                    try {
                        arrayMap.put(Integer.valueOf(i3), getDecryptedPasswordForTiedProfile(i3));
                    } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                        Slog.e(TAG, "getDecryptedPasswordsForAllTiedProfiles failed for user " + i3, e);
                    }
                }
            }
        }
        return arrayMap;
    }

    private void synchronizeUnifiedWorkChallengeForProfiles(int i, Map<Integer, LockscreenCredential> map) {
        if (this.mUserManager.getUserInfo(i).isManagedProfile()) {
            return;
        }
        boolean isUserSecure = isUserSecure(i);
        List<UserInfo> profiles = this.mUserManager.getProfiles(i);
        int size = profiles.size();
        for (int i2 = 0; i2 < size; i2++) {
            UserInfo userInfo = profiles.get(i2);
            if (userInfo.isManagedProfile()) {
                int i3 = userInfo.id;
                if (!getSeparateProfileChallengeEnabledInternal(i3)) {
                    if (isUserSecure) {
                        tieManagedProfileLockIfNecessary(i3, LockscreenCredential.createNone());
                    } else if (map == null || !map.containsKey(Integer.valueOf(i3))) {
                        Slog.wtf(TAG, "Attempt to clear tied challenge, but no password supplied.");
                    } else {
                        setLockCredentialInternal(LockscreenCredential.createNone(), map.get(Integer.valueOf(i3)), i3, true);
                        this.mStorage.removeChildProfileLock(i3);
                        removeKeystoreProfileKey(i3);
                    }
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean isManagedProfileWithUnifiedLock(int i) {
        return this.mUserManager.getUserInfo(i).isManagedProfile() && !getSeparateProfileChallengeEnabledInternal(i);
    }

    private boolean isManagedProfileWithSeparatedLock(int i) {
        return this.mUserManager.getUserInfo(i).isManagedProfile() && getSeparateProfileChallengeEnabledInternal(i);
    }

    private void sendCredentialsOnUnlockIfRequired(LockscreenCredential lockscreenCredential, int i) {
        if (i == -9999 || isManagedProfileWithUnifiedLock(i)) {
            return;
        }
        byte[] credential = lockscreenCredential.isNone() ? null : lockscreenCredential.getCredential();
        Iterator<Integer> it = getProfilesWithSameLockScreen(i).iterator();
        while (it.hasNext()) {
            this.mRecoverableKeyStoreManager.lockScreenSecretAvailable(lockscreenCredential.getType(), credential, it.next().intValue());
        }
    }

    private void sendCredentialsOnChangeIfRequired(LockscreenCredential lockscreenCredential, int i, boolean z) {
        if (z) {
            return;
        }
        byte[] credential = lockscreenCredential.isNone() ? null : lockscreenCredential.getCredential();
        Iterator<Integer> it = getProfilesWithSameLockScreen(i).iterator();
        while (it.hasNext()) {
            this.mRecoverableKeyStoreManager.lockScreenSecretChanged(lockscreenCredential.getType(), credential, it.next().intValue());
        }
    }

    private Set<Integer> getProfilesWithSameLockScreen(int i) {
        ArraySet arraySet = new ArraySet();
        for (UserInfo userInfo : this.mUserManager.getProfiles(i)) {
            if (userInfo.id == i || (userInfo.profileGroupId == i && isManagedProfileWithUnifiedLock(userInfo.id))) {
                arraySet.add(Integer.valueOf(userInfo.id));
            }
        }
        return arraySet;
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean setLockCredential(LockscreenCredential lockscreenCredential, LockscreenCredential lockscreenCredential2, int i) {
        if (!this.mHasSecureLockScreen && lockscreenCredential != null && lockscreenCredential.getType() != -1) {
            throw new UnsupportedOperationException("This operation requires secure lock screen feature");
        }
        if (!hasPermission("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE") && !hasPermission(Manifest.permission.SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS)) {
            throw new SecurityException("setLockCredential requires SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS or android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
        }
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            enforceFrpResolved();
            if (!lockscreenCredential2.isNone() && isManagedProfileWithUnifiedLock(i)) {
                verifyCredential(lockscreenCredential2, this.mUserManager.getProfileParent(i).id, 0);
                lockscreenCredential2.zeroize();
                lockscreenCredential2 = LockscreenCredential.createNone();
            }
            synchronized (this.mSeparateChallengeLock) {
                if (!setLockCredentialInternal(lockscreenCredential, lockscreenCredential2, i, false)) {
                    scheduleGc();
                    return false;
                }
                setSeparateProfileChallengeEnabledLocked(i, true, null);
                notifyPasswordChanged(i);
                if (this.mUserManager.getUserInfo(i).isManagedProfile()) {
                    setDeviceUnlockedForUser(i);
                }
                notifySeparateProfileChallengeChanged(i);
                onPostPasswordChanged(lockscreenCredential, i);
                scheduleGc();
                Binder.restoreCallingIdentity(clearCallingIdentity);
                return true;
            }
        } finally {
            Binder.restoreCallingIdentity(clearCallingIdentity);
        }
    }

    private boolean setLockCredentialInternal(LockscreenCredential lockscreenCredential, LockscreenCredential lockscreenCredential2, int i, boolean z) {
        Objects.requireNonNull(lockscreenCredential);
        Objects.requireNonNull(lockscreenCredential2);
        synchronized (this.mSpManager) {
            if (isSyntheticPasswordBasedCredentialLocked(i)) {
                return spBasedSetLockCredentialInternalLocked(lockscreenCredential, lockscreenCredential2, i, z);
            }
            if (lockscreenCredential.isNone()) {
                clearUserKeyProtection(i, null);
                gateKeeperClearSecureUserId(i);
                this.mStorage.writeCredentialHash(LockSettingsStorage.CredentialHash.createEmptyHash(), i);
                setKeyguardStoredQuality(0, i);
                setKeystorePassword(null, i);
                fixateNewestUserKeyAuth(i);
                synchronizeUnifiedWorkChallengeForProfiles(i, null);
                setUserPasswordMetrics(LockscreenCredential.createNone(), i);
                sendCredentialsOnChangeIfRequired(lockscreenCredential, i, z);
                return true;
            }
            LockSettingsStorage.CredentialHash readCredentialHash = this.mStorage.readCredentialHash(i);
            if (isManagedProfileWithUnifiedLock(i)) {
                if (lockscreenCredential2.isNone()) {
                    try {
                        lockscreenCredential2 = getDecryptedPasswordForTiedProfile(i);
                    } catch (FileNotFoundException e) {
                        Slog.i(TAG, "Child profile key not found");
                    } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e2) {
                        Slog.e(TAG, "Failed to decrypt child profile key", e2);
                    }
                }
            } else if (readCredentialHash.hash == null) {
                if (!lockscreenCredential2.isNone()) {
                    Slog.w(TAG, "Saved credential provided, but none stored");
                }
                lockscreenCredential2.close();
                lockscreenCredential2 = LockscreenCredential.createNone();
            }
            synchronized (this.mSpManager) {
                if (shouldMigrateToSyntheticPasswordLocked(i)) {
                    initializeSyntheticPasswordLocked(readCredentialHash.hash, lockscreenCredential2, i);
                    return spBasedSetLockCredentialInternalLocked(lockscreenCredential, lockscreenCredential2, i, z);
                }
                byte[] enrollCredential = enrollCredential(readCredentialHash.hash, lockscreenCredential2.getCredential(), lockscreenCredential.getCredential(), i);
                if (enrollCredential == null) {
                    Object[] objArr = new Object[1];
                    objArr[0] = lockscreenCredential.isPattern() ? "pattern" : "password";
                    Slog.w(TAG, String.format("Failed to enroll %s: incorrect credential", objArr));
                    return false;
                }
                LockSettingsStorage.CredentialHash create = LockSettingsStorage.CredentialHash.create(enrollCredential, lockscreenCredential.getType());
                this.mStorage.writeCredentialHash(create, i);
                setKeyguardStoredQuality(LockPatternUtils.credentialTypeToPasswordQuality(lockscreenCredential.getType()), i);
                try {
                    setUserKeyProtection(i, lockscreenCredential, convertResponse(getGateKeeperService().verifyChallenge(i, 0L, create.hash, lockscreenCredential.getCredential())));
                    fixateNewestUserKeyAuth(i);
                    doVerifyCredential(lockscreenCredential, i, null, 0);
                    synchronizeUnifiedWorkChallengeForProfiles(i, null);
                    sendCredentialsOnChangeIfRequired(lockscreenCredential, i, z);
                    return true;
                } catch (RemoteException e3) {
                    throw new IllegalStateException("Failed to verify current credential", e3);
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void onPostPasswordChanged(LockscreenCredential lockscreenCredential, int i) {
        updateEncryptionPasswordIfNeeded(lockscreenCredential, i);
        if (lockscreenCredential.isPattern()) {
            setBoolean(LockPatternUtils.PATTERN_EVER_CHOSEN_KEY, true, i);
        }
        updatePasswordHistory(lockscreenCredential, i);
        ((TrustManager) this.mContext.getSystemService(TrustManager.class)).reportEnabledTrustAgentsChanged(i);
    }

    private void updateEncryptionPasswordIfNeeded(LockscreenCredential lockscreenCredential, int i) {
        if (i == 0 && isDeviceEncryptionEnabled()) {
            if (!shouldEncryptWithCredentials()) {
                updateEncryptionPassword(1, null);
                return;
            }
            if (lockscreenCredential.isNone()) {
                setCredentialRequiredToDecrypt(false);
            }
            updateEncryptionPassword(lockscreenCredential.getStorageCryptType(), lockscreenCredential.getCredential());
        }
    }

    private void updatePasswordHistory(LockscreenCredential lockscreenCredential, int i) {
        String stringJoiner;
        if (lockscreenCredential.isNone() || lockscreenCredential.isPattern()) {
            return;
        }
        String string = getString(LockPatternUtils.PASSWORD_HISTORY_KEY, null, i);
        if (string == null) {
            string = "";
        }
        int requestedPasswordHistoryLength = getRequestedPasswordHistoryLength(i);
        if (requestedPasswordHistoryLength == 0) {
            stringJoiner = "";
        } else {
            byte[] hashFactor = getHashFactor(lockscreenCredential, i);
            byte[] bytes = getSalt(i).getBytes();
            String passwordToHistoryHash = lockscreenCredential.passwordToHistoryHash(bytes, hashFactor);
            if (passwordToHistoryHash == null) {
                Slog.e(TAG, "Compute new style password hash failed, fallback to legacy style");
                passwordToHistoryHash = lockscreenCredential.legacyPasswordToHash(bytes);
            }
            if (TextUtils.isEmpty(string)) {
                stringJoiner = passwordToHistoryHash;
            } else {
                String[] split = string.split(",");
                StringJoiner stringJoiner2 = new StringJoiner(",");
                stringJoiner2.add(passwordToHistoryHash);
                for (int i2 = 0; i2 < requestedPasswordHistoryLength - 1 && i2 < split.length; i2++) {
                    stringJoiner2.add(split[i2]);
                }
                stringJoiner = stringJoiner2.toString();
            }
        }
        setString(LockPatternUtils.PASSWORD_HISTORY_KEY, stringJoiner, i);
    }

    private String getSalt(int i) {
        long j = getLong(LockPatternUtils.LOCK_PASSWORD_SALT_KEY, 0L, i);
        if (j == 0) {
            try {
                j = SecureRandom.getInstance("SHA1PRNG").nextLong();
                setLong(LockPatternUtils.LOCK_PASSWORD_SALT_KEY, j, i);
                Slog.v(TAG, "Initialized lock password salt for user: " + i);
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException("Couldn't get SecureRandom number", e);
            }
        }
        return Long.toHexString(j);
    }

    private int getRequestedPasswordHistoryLength(int i) {
        return this.mInjector.getDevicePolicyManager().getPasswordHistoryLength(null, i);
    }

    private static boolean isDeviceEncryptionEnabled() {
        return StorageManager.isEncrypted();
    }

    private boolean shouldEncryptWithCredentials() {
        return isCredentialRequiredToDecrypt() && !isDoNotAskCredentialsOnBootSet();
    }

    private boolean isDoNotAskCredentialsOnBootSet() {
        return this.mInjector.getDevicePolicyManager().getDoNotAskCredentialsOnBoot();
    }

    private boolean isCredentialRequiredToDecrypt() {
        return Settings.Global.getInt(this.mContext.getContentResolver(), Settings.Global.REQUIRE_PASSWORD_TO_DECRYPT, -1) != 0;
    }

    private VerifyCredentialResponse convertResponse(GateKeeperResponse gateKeeperResponse) {
        return VerifyCredentialResponse.fromGateKeeperResponse(gateKeeperResponse);
    }

    private void setCredentialRequiredToDecrypt(boolean z) {
        if (isDeviceEncryptionEnabled()) {
            Settings.Global.putInt(this.mContext.getContentResolver(), Settings.Global.REQUIRE_PASSWORD_TO_DECRYPT, z ? 1 : 0);
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public void updateEncryptionPassword(int i, byte[] bArr) {
        if (!hasSecureLockScreen() && bArr != null && bArr.length != 0) {
            throw new UnsupportedOperationException("This operation requires the lock screen feature.");
        }
        if (isDeviceEncryptionEnabled()) {
            if (ServiceManager.getService("mount") == null) {
                Slog.e(TAG, "Could not find the mount service to update the encryption password");
            } else {
                String str = bArr != null ? new String(bArr) : null;
                this.mHandler.post(() -> {
                    try {
                        this.mInjector.getStorageManager().changeEncryptionPassword(i, str);
                    } catch (RemoteException e) {
                        Slog.e(TAG, "Error changing encryption password", e);
                    }
                });
            }
        }
    }

    @VisibleForTesting
    protected void tieProfileLockToParent(int i, LockscreenCredential lockscreenCredential) {
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES);
            keyGenerator.init(new SecureRandom());
            SecretKey generateKey = keyGenerator.generateKey();
            try {
                this.mJavaKeyStore.setEntry(LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + i, new KeyStore.SecretKeyEntry(generateKey), new KeyProtection.Builder(1).setBlockModes(KeyProperties.BLOCK_MODE_GCM).setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE).build());
                this.mJavaKeyStore.setEntry(LockPatternUtils.PROFILE_KEY_NAME_DECRYPT + i, new KeyStore.SecretKeyEntry(generateKey), new KeyProtection.Builder(2).setBlockModes(KeyProperties.BLOCK_MODE_GCM).setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE).setUserAuthenticationRequired(true).setUserAuthenticationValidityDurationSeconds(30).build());
                SecretKey secretKey = (SecretKey) this.mJavaKeyStore.getKey(LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + i, null);
                Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
                cipher.init(1, secretKey);
                byte[] doFinal = cipher.doFinal(lockscreenCredential.getCredential());
                byte[] iv = cipher.getIV();
                this.mJavaKeyStore.deleteEntry(LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + i);
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                try {
                    if (iv.length != 12) {
                        throw new IllegalArgumentException("Invalid iv length: " + iv.length);
                    }
                    byteArrayOutputStream.write(iv);
                    byteArrayOutputStream.write(doFinal);
                    this.mStorage.writeChildProfileLock(i, byteArrayOutputStream.toByteArray());
                } catch (IOException e) {
                    throw new IllegalStateException("Failed to concatenate byte arrays", e);
                }
            } catch (Throwable th) {
                this.mJavaKeyStore.deleteEntry(LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + i);
                throw th;
            }
        } catch (InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e2) {
            throw new IllegalStateException("Failed to encrypt key", e2);
        }
    }

    private byte[] enrollCredential(byte[] bArr, byte[] bArr2, byte[] bArr3, int i) {
        checkWritePermission(i);
        try {
            GateKeeperResponse enroll = getGateKeeperService().enroll(i, bArr, bArr2, bArr3);
            if (enroll == null) {
                return null;
            }
            byte[] payload = enroll.getPayload();
            if (payload != null) {
                setKeystorePassword(bArr3, i);
            } else {
                Slog.e(TAG, "Throttled while enrolling a password");
            }
            return payload;
        } catch (RemoteException e) {
            Slog.e(TAG, "Failed to enroll credential", e);
            return null;
        }
    }

    private void setAuthlessUserKeyProtection(int i, byte[] bArr) {
        addUserKeyAuth(i, null, bArr);
    }

    private void setUserKeyProtection(int i, LockscreenCredential lockscreenCredential, VerifyCredentialResponse verifyCredentialResponse) {
        if (verifyCredentialResponse == null) {
            throw new IllegalArgumentException("Null response verifying a credential we just set");
        }
        if (verifyCredentialResponse.getResponseCode() != 0) {
            throw new IllegalArgumentException("Non-OK response verifying a credential we just set " + verifyCredentialResponse.getResponseCode());
        }
        byte[] gatekeeperHAT = verifyCredentialResponse.getGatekeeperHAT();
        if (gatekeeperHAT == null) {
            throw new IllegalArgumentException("Empty payload verifying a credential we just set");
        }
        addUserKeyAuth(i, gatekeeperHAT, secretFromCredential(lockscreenCredential));
    }

    private void clearUserKeyProtection(int i, byte[] bArr) {
        UserInfo userInfo = this.mUserManager.getUserInfo(i);
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            try {
                this.mStorageManager.clearUserKeyAuth(i, userInfo.serialNumber, null, bArr);
                Binder.restoreCallingIdentity(clearCallingIdentity);
            } catch (RemoteException e) {
                throw new IllegalStateException("clearUserKeyAuth failed user=" + i);
            }
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    private static byte[] secretFromCredential(LockscreenCredential lockscreenCredential) {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(KeyProperties.DIGEST_SHA512);
            messageDigest.update(Arrays.copyOf("Android FBE credential hash".getBytes(), 128));
            messageDigest.update(lockscreenCredential.getCredential());
            return messageDigest.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("NoSuchAlgorithmException for SHA-512");
        }
    }

    private boolean isUserKeyUnlocked(int i) {
        try {
            return this.mStorageManager.isUserKeyUnlocked(i);
        } catch (RemoteException e) {
            Slog.e(TAG, "failed to check user key locked state", e);
            return false;
        }
    }

    private void unlockUserKey(int i, byte[] bArr, byte[] bArr2) {
        try {
            this.mStorageManager.unlockUserKey(i, this.mUserManager.getUserInfo(i).serialNumber, bArr, bArr2);
        } catch (RemoteException e) {
            throw new IllegalStateException("Failed to unlock user key " + i, e);
        }
    }

    private void addUserKeyAuth(int i, byte[] bArr, byte[] bArr2) {
        UserInfo userInfo = this.mUserManager.getUserInfo(i);
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            try {
                this.mStorageManager.addUserKeyAuth(i, userInfo.serialNumber, bArr, bArr2);
                Binder.restoreCallingIdentity(clearCallingIdentity);
            } catch (RemoteException e) {
                throw new IllegalStateException("Failed to add new key to vold " + i, e);
            }
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    private void fixateNewestUserKeyAuth(int i) {
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            try {
                this.mStorageManager.fixateNewestUserKeyAuth(i);
                Binder.restoreCallingIdentity(clearCallingIdentity);
            } catch (RemoteException e) {
                Slog.w(TAG, "fixateNewestUserKeyAuth failed", e);
                Binder.restoreCallingIdentity(clearCallingIdentity);
            }
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    /* JADX WARN: Finally extract failed */
    @Override // com.android.internal.widget.ILockSettings
    public void resetKeyStore(int i) {
        checkWritePermission(i);
        int i2 = -1;
        LockscreenCredential lockscreenCredential = null;
        for (UserInfo userInfo : this.mUserManager.getProfiles(i)) {
            if (userInfo.isManagedProfile() && !getSeparateProfileChallengeEnabledInternal(userInfo.id) && this.mStorage.hasChildProfileLock(userInfo.id)) {
                if (i2 == -1) {
                    try {
                        lockscreenCredential = getDecryptedPasswordForTiedProfile(userInfo.id);
                        i2 = userInfo.id;
                    } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                        Slog.e(TAG, "Failed to decrypt child profile key", e);
                    }
                } else {
                    Slog.e(TAG, "More than one managed profile, uid1:" + i2 + ", uid2:" + userInfo.id);
                }
            }
        }
        try {
            for (int i3 : this.mUserManager.getProfileIdsWithDisabled(i)) {
                int length = SYSTEM_CREDENTIAL_UIDS.length;
                for (int i4 = 0; i4 < length; i4++) {
                    AndroidKeyStoreMaintenance.clearNamespace(0, UserHandle.getUid(i3, r0[i4]));
                }
            }
            if (this.mUserManager.getUserInfo(i).isPrimary()) {
                AndroidKeyStoreMaintenance.clearNamespace(2, 102L);
            }
            if (i2 != -1 && lockscreenCredential != null) {
                tieProfileLockToParent(i2, lockscreenCredential);
            }
            if (lockscreenCredential != null) {
                lockscreenCredential.zeroize();
            }
        } catch (Throwable th) {
            if (i2 != -1 && lockscreenCredential != null) {
                tieProfileLockToParent(i2, lockscreenCredential);
            }
            throw th;
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public VerifyCredentialResponse checkCredential(LockscreenCredential lockscreenCredential, int i, ICheckCredentialProgressCallback iCheckCredentialProgressCallback) {
        checkPasswordReadPermission();
        try {
            VerifyCredentialResponse doVerifyCredential = doVerifyCredential(lockscreenCredential, i, iCheckCredentialProgressCallback, 0);
            scheduleGc();
            return doVerifyCredential;
        } catch (Throwable th) {
            scheduleGc();
            throw th;
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public VerifyCredentialResponse verifyCredential(LockscreenCredential lockscreenCredential, int i, int i2) {
        if (!hasPermission("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE") && !hasPermission(Manifest.permission.SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS)) {
            throw new SecurityException("verifyCredential requires SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS or android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
        }
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            VerifyCredentialResponse doVerifyCredential = doVerifyCredential(lockscreenCredential, i, null, i2);
            Binder.restoreCallingIdentity(clearCallingIdentity);
            scheduleGc();
            return doVerifyCredential;
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            scheduleGc();
            throw th;
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public VerifyCredentialResponse verifyGatekeeperPasswordHandle(long j, long j2, int i) {
        byte[] bArr;
        VerifyCredentialResponse verifyChallengeInternal;
        checkPasswordReadPermission();
        synchronized (this.mGatekeeperPasswords) {
            bArr = this.mGatekeeperPasswords.get(j);
        }
        synchronized (this.mSpManager) {
            if (bArr == null) {
                Slog.d(TAG, "No gatekeeper password for handle");
                verifyChallengeInternal = VerifyCredentialResponse.ERROR;
            } else {
                verifyChallengeInternal = this.mSpManager.verifyChallengeInternal(getGateKeeperService(), bArr, j2, i);
            }
        }
        return verifyChallengeInternal;
    }

    @Override // com.android.internal.widget.ILockSettings
    public void removeGatekeeperPasswordHandle(long j) {
        checkPasswordReadPermission();
        synchronized (this.mGatekeeperPasswords) {
            this.mGatekeeperPasswords.remove(j);
        }
    }

    private VerifyCredentialResponse doVerifyCredential(LockscreenCredential lockscreenCredential, int i, ICheckCredentialProgressCallback iCheckCredentialProgressCallback, int i2) {
        if (lockscreenCredential == null || lockscreenCredential.isNone()) {
            throw new IllegalArgumentException("Credential can't be null or empty");
        }
        if (i == -9999 && this.mInjector.settingsGlobalGetInt(this.mContext.getContentResolver(), "device_provisioned", 0) != 0) {
            Slog.e(TAG, "FRP credential can only be verified prior to provisioning.");
            return VerifyCredentialResponse.ERROR;
        }
        VerifyCredentialResponse spBasedDoVerifyCredential = spBasedDoVerifyCredential(lockscreenCredential, i, iCheckCredentialProgressCallback, i2);
        if (spBasedDoVerifyCredential != null) {
            if (spBasedDoVerifyCredential.getResponseCode() == 0) {
                sendCredentialsOnUnlockIfRequired(lockscreenCredential, i);
            }
            return spBasedDoVerifyCredential;
        }
        if (i == -9999) {
            Slog.wtf(TAG, "Unexpected FRP credential type, should be SP based.");
            return VerifyCredentialResponse.ERROR;
        }
        LockSettingsStorage.CredentialHash readCredentialHash = this.mStorage.readCredentialHash(i);
        if (!lockscreenCredential.checkAgainstStoredType(readCredentialHash.type)) {
            Slog.wtf(TAG, "doVerifyCredential type mismatch with stored credential?? stored: " + readCredentialHash.type + " passed in: " + lockscreenCredential.getType());
            return VerifyCredentialResponse.ERROR;
        }
        VerifyCredentialResponse verifyCredential = verifyCredential(i, readCredentialHash, lockscreenCredential, iCheckCredentialProgressCallback);
        if (verifyCredential.getResponseCode() == 0) {
            this.mStrongAuth.reportSuccessfulStrongAuthUnlock(i);
        }
        return verifyCredential;
    }

    @Override // com.android.internal.widget.ILockSettings
    public VerifyCredentialResponse verifyTiedProfileChallenge(LockscreenCredential lockscreenCredential, int i, int i2) {
        checkPasswordReadPermission();
        if (!isManagedProfileWithUnifiedLock(i)) {
            throw new IllegalArgumentException("User id must be managed profile with unified lock");
        }
        VerifyCredentialResponse doVerifyCredential = doVerifyCredential(lockscreenCredential, this.mUserManager.getProfileParent(i).id, null, i2);
        try {
            if (doVerifyCredential.getResponseCode() != 0) {
                return doVerifyCredential;
            }
            try {
                VerifyCredentialResponse doVerifyCredential2 = doVerifyCredential(getDecryptedPasswordForTiedProfile(i), i, null, i2);
                scheduleGc();
                return doVerifyCredential2;
            } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                Slog.e(TAG, "Failed to decrypt child profile key", e);
                throw new IllegalStateException("Unable to get tied profile token");
            }
        } catch (Throwable th) {
            scheduleGc();
            throw th;
        }
    }

    private VerifyCredentialResponse verifyCredential(int i, LockSettingsStorage.CredentialHash credentialHash, LockscreenCredential lockscreenCredential, ICheckCredentialProgressCallback iCheckCredentialProgressCallback) {
        GateKeeperResponse gateKeeperResponse;
        if ((credentialHash == null || credentialHash.hash.length == 0) && lockscreenCredential.isNone()) {
            return VerifyCredentialResponse.OK;
        }
        if (credentialHash == null || credentialHash.hash.length == 0 || lockscreenCredential.isNone()) {
            return VerifyCredentialResponse.ERROR;
        }
        StrictMode.noteDiskRead();
        try {
            gateKeeperResponse = getGateKeeperService().verifyChallenge(i, 0L, credentialHash.hash, lockscreenCredential.getCredential());
        } catch (RemoteException e) {
            Slog.e(TAG, "gatekeeper verify failed", e);
            gateKeeperResponse = GateKeeperResponse.ERROR;
        }
        VerifyCredentialResponse convertResponse = convertResponse(gateKeeperResponse);
        boolean shouldReEnroll = gateKeeperResponse.getShouldReEnroll();
        if (convertResponse.getResponseCode() == 0) {
            if (iCheckCredentialProgressCallback != null) {
                try {
                    iCheckCredentialProgressCallback.onCredentialVerified();
                } catch (RemoteException e2) {
                    Slog.w(TAG, "progressCallback throws exception", e2);
                }
            }
            setUserPasswordMetrics(lockscreenCredential, i);
            unlockKeystore(lockscreenCredential.getCredential(), i);
            Slog.i(TAG, "Unlocking user " + i + " with token length " + convertResponse.getGatekeeperHAT().length);
            unlockUser(i, convertResponse.getGatekeeperHAT(), secretFromCredential(lockscreenCredential));
            if (isManagedProfileWithSeparatedLock(i)) {
                setDeviceUnlockedForUser(i);
            }
            if (shouldReEnroll) {
                setLockCredentialInternal(lockscreenCredential, lockscreenCredential, i, false);
            } else {
                synchronized (this.mSpManager) {
                    if (shouldMigrateToSyntheticPasswordLocked(i)) {
                        activateEscrowTokens(initializeSyntheticPasswordLocked(credentialHash.hash, lockscreenCredential, i), i);
                    }
                }
            }
            sendCredentialsOnUnlockIfRequired(lockscreenCredential, i);
        } else if (convertResponse.getResponseCode() == 1 && convertResponse.getTimeout() > 0) {
            requireStrongAuth(8, i);
        }
        return convertResponse;
    }

    private void setUserPasswordMetrics(LockscreenCredential lockscreenCredential, int i) {
        synchronized (this) {
            this.mUserPasswordMetrics.put(i, PasswordMetrics.computeForCredential(lockscreenCredential));
        }
    }

    @VisibleForTesting
    PasswordMetrics getUserPasswordMetrics(int i) {
        PasswordMetrics passwordMetrics;
        if (!isUserSecure(i)) {
            return new PasswordMetrics(-1);
        }
        synchronized (this) {
            passwordMetrics = this.mUserPasswordMetrics.get(i);
        }
        return passwordMetrics;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public PasswordMetrics loadPasswordMetrics(SyntheticPasswordManager.AuthenticationToken authenticationToken, int i) {
        PasswordMetrics passwordMetrics;
        synchronized (this.mSpManager) {
            passwordMetrics = this.mSpManager.getPasswordMetrics(authenticationToken, getSyntheticPasswordHandleLocked(i), i);
        }
        return passwordMetrics;
    }

    private void notifyPasswordChanged(int i) {
        this.mHandler.post(() -> {
            this.mInjector.getDevicePolicyManager().reportPasswordChanged(i);
            ((WindowManagerInternal) LocalServices.getService(WindowManagerInternal.class)).reportPasswordChanged(i);
        });
    }

    private LockscreenCredential createPattern(String str) {
        byte[] bytes = str.getBytes();
        LockscreenCredential createPattern = LockscreenCredential.createPattern(LockPatternUtils.byteArrayToPattern(bytes));
        Arrays.fill(bytes, (byte) 0);
        return createPattern;
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean checkVoldPassword(int i) {
        LockscreenCredential lockscreenCredential;
        if (!this.mFirstCallToVold) {
            return false;
        }
        this.mFirstCallToVold = false;
        checkPasswordReadPermission();
        IStorageManager storageManager = this.mInjector.getStorageManager();
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            try {
                String password = storageManager.getPassword();
                storageManager.clearPassword();
                Binder.restoreCallingIdentity(clearCallingIdentity);
                if (TextUtils.isEmpty(password)) {
                    return false;
                }
                try {
                    switch (getCredentialTypeInternal(i)) {
                        case 1:
                            lockscreenCredential = createPattern(password);
                            break;
                        case 2:
                        default:
                            lockscreenCredential = null;
                            Slog.e(TAG, "Unknown credential type");
                            break;
                        case 3:
                            lockscreenCredential = LockscreenCredential.createPin(password);
                            break;
                        case 4:
                            lockscreenCredential = LockscreenCredential.createPassword(password);
                            break;
                    }
                    if (lockscreenCredential != null) {
                        return checkCredential(lockscreenCredential, i, null).getResponseCode() == 0;
                    }
                    return false;
                } catch (Exception e) {
                    Slog.e(TAG, "checkVoldPassword failed: ", e);
                    return false;
                }
            } catch (RemoteException e2) {
                Slog.w(TAG, "vold getPassword() failed", e2);
                Binder.restoreCallingIdentity(clearCallingIdentity);
                return false;
            }
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void removeUser(int i, boolean z) {
        Slog.i(TAG, "RemoveUser: " + i);
        removeBiometricsForUser(i);
        this.mSpManager.removeUser(i);
        this.mStrongAuth.removeUser(i);
        AndroidKeyStoreMaintenance.onUserRemoved(i);
        this.mManagedProfilePasswordCache.removePassword(i);
        gateKeeperClearSecureUserId(i);
        if (z || this.mUserManager.getUserInfo(i).isManagedProfile()) {
            removeKeystoreProfileKey(i);
        }
        this.mStorage.removeUser(i);
    }

    private void removeKeystoreProfileKey(int i) {
        Slog.i(TAG, "Remove keystore profile key for user: " + i);
        try {
            this.mJavaKeyStore.deleteEntry(LockPatternUtils.PROFILE_KEY_NAME_ENCRYPT + i);
            this.mJavaKeyStore.deleteEntry(LockPatternUtils.PROFILE_KEY_NAME_DECRYPT + i);
        } catch (KeyStoreException e) {
            Slog.e(TAG, "Unable to remove keystore profile key for user:" + i, e);
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public void registerStrongAuthTracker(IStrongAuthTracker iStrongAuthTracker) {
        checkPasswordReadPermission();
        this.mStrongAuth.registerStrongAuthTracker(iStrongAuthTracker);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void unregisterStrongAuthTracker(IStrongAuthTracker iStrongAuthTracker) {
        checkPasswordReadPermission();
        this.mStrongAuth.unregisterStrongAuthTracker(iStrongAuthTracker);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void requireStrongAuth(int i, int i2) {
        checkWritePermission(i2);
        this.mStrongAuth.requireStrongAuth(i, i2);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void reportSuccessfulBiometricUnlock(boolean z, int i) {
        checkBiometricPermission();
        this.mStrongAuth.reportSuccessfulBiometricUnlock(z, i);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void scheduleNonStrongBiometricIdleTimeout(int i) {
        checkBiometricPermission();
        this.mStrongAuth.scheduleNonStrongBiometricIdleTimeout(i);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void userPresent(int i) {
        checkWritePermission(i);
        this.mStrongAuth.reportUnlock(i);
    }

    @Override // com.android.internal.widget.ILockSettings
    public int getStrongAuthForUser(int i) {
        checkPasswordReadPermission();
        return this.mStrongAuthTracker.getStrongAuthForUser(i);
    }

    private boolean isCallerShell() {
        int callingUid = Binder.getCallingUid();
        return callingUid == 2000 || callingUid == 0;
    }

    private void enforceShell() {
        if (!isCallerShell()) {
            throw new SecurityException("Caller must be shell");
        }
    }

    @Override // android.os.Binder
    public void onShellCommand(FileDescriptor fileDescriptor, FileDescriptor fileDescriptor2, FileDescriptor fileDescriptor3, String[] strArr, ShellCallback shellCallback, ResultReceiver resultReceiver) {
        enforceShell();
        int callingPid = Binder.getCallingPid();
        int callingUid = Binder.getCallingUid();
        long clearCallingIdentity = Binder.clearCallingIdentity();
        Slog.e(TAG, "Caller pid " + callingPid + " Caller uid " + callingUid);
        try {
            new LockSettingsShellCommand(new LockPatternUtils(this.mContext), this.mContext, callingPid, callingUid).exec(this, fileDescriptor, fileDescriptor2, fileDescriptor3, strArr, shellCallback, resultReceiver);
            Binder.restoreCallingIdentity(clearCallingIdentity);
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public void initRecoveryServiceWithSigFile(String str, byte[] bArr, byte[] bArr2) throws RemoteException {
        this.mRecoverableKeyStoreManager.initRecoveryServiceWithSigFile(str, bArr, bArr2);
    }

    @Override // com.android.internal.widget.ILockSettings
    public KeyChainSnapshot getKeyChainSnapshot() throws RemoteException {
        return this.mRecoverableKeyStoreManager.getKeyChainSnapshot();
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setSnapshotCreatedPendingIntent(PendingIntent pendingIntent) throws RemoteException {
        this.mRecoverableKeyStoreManager.setSnapshotCreatedPendingIntent(pendingIntent);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setServerParams(byte[] bArr) throws RemoteException {
        this.mRecoverableKeyStoreManager.setServerParams(bArr);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setRecoveryStatus(String str, int i) throws RemoteException {
        this.mRecoverableKeyStoreManager.setRecoveryStatus(str, i);
    }

    @Override // com.android.internal.widget.ILockSettings
    public Map getRecoveryStatus() throws RemoteException {
        return this.mRecoverableKeyStoreManager.getRecoveryStatus();
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setRecoverySecretTypes(int[] iArr) throws RemoteException {
        this.mRecoverableKeyStoreManager.setRecoverySecretTypes(iArr);
    }

    @Override // com.android.internal.widget.ILockSettings
    public int[] getRecoverySecretTypes() throws RemoteException {
        return this.mRecoverableKeyStoreManager.getRecoverySecretTypes();
    }

    @Override // com.android.internal.widget.ILockSettings
    public byte[] startRecoverySessionWithCertPath(String str, String str2, RecoveryCertPath recoveryCertPath, byte[] bArr, byte[] bArr2, List<KeyChainProtectionParams> list) throws RemoteException {
        return this.mRecoverableKeyStoreManager.startRecoverySessionWithCertPath(str, str2, recoveryCertPath, bArr, bArr2, list);
    }

    @Override // com.android.internal.widget.ILockSettings
    public Map<String, String> recoverKeyChainSnapshot(String str, byte[] bArr, List<WrappedApplicationKey> list) throws RemoteException {
        return this.mRecoverableKeyStoreManager.recoverKeyChainSnapshot(str, bArr, list);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void closeSession(String str) throws RemoteException {
        this.mRecoverableKeyStoreManager.closeSession(str);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void removeKey(String str) throws RemoteException {
        this.mRecoverableKeyStoreManager.removeKey(str);
    }

    @Override // com.android.internal.widget.ILockSettings
    public String generateKey(String str) throws RemoteException {
        return this.mRecoverableKeyStoreManager.generateKey(str);
    }

    @Override // com.android.internal.widget.ILockSettings
    public String generateKeyWithMetadata(String str, byte[] bArr) throws RemoteException {
        return this.mRecoverableKeyStoreManager.generateKeyWithMetadata(str, bArr);
    }

    @Override // com.android.internal.widget.ILockSettings
    public String importKey(String str, byte[] bArr) throws RemoteException {
        return this.mRecoverableKeyStoreManager.importKey(str, bArr);
    }

    @Override // com.android.internal.widget.ILockSettings
    public String importKeyWithMetadata(String str, byte[] bArr, byte[] bArr2) throws RemoteException {
        return this.mRecoverableKeyStoreManager.importKeyWithMetadata(str, bArr, bArr2);
    }

    @Override // com.android.internal.widget.ILockSettings
    public String getKey(String str) throws RemoteException {
        return this.mRecoverableKeyStoreManager.getKey(str);
    }

    protected synchronized IGateKeeperService getGateKeeperService() {
        if (this.mGateKeeperService != null) {
            return this.mGateKeeperService;
        }
        IBinder service = ServiceManager.getService("android.service.gatekeeper.IGateKeeperService");
        if (service == null) {
            Slog.e(TAG, "Unable to acquire GateKeeperService");
            return null;
        }
        try {
            service.linkToDeath(new GateKeeperDiedRecipient(), 0);
        } catch (RemoteException e) {
            Slog.w(TAG, " Unable to register death recipient", e);
        }
        this.mGateKeeperService = IGateKeeperService.Stub.asInterface(service);
        return this.mGateKeeperService;
    }

    private void gateKeeperClearSecureUserId(int i) {
        try {
            getGateKeeperService().clearSecureUserId(i);
        } catch (RemoteException e) {
            Slog.w(TAG, "Failed to clear SID", e);
        }
    }

    private void onAuthTokenKnownForUser(int i, SyntheticPasswordManager.AuthenticationToken authenticationToken) {
        if (this.mInjector.isGsiRunning()) {
            Slog.w(TAG, "Running in GSI; skipping calls to AuthSecret and RebootEscrow");
        } else {
            this.mRebootEscrowManager.callToRebootEscrowIfNeeded(i, authenticationToken.getVersion(), authenticationToken.getSyntheticPassword());
            callToAuthSecretIfNeeded(i, authenticationToken);
        }
    }

    private void callToAuthSecretIfNeeded(int i, SyntheticPasswordManager.AuthenticationToken authenticationToken) {
        if (this.mAuthSecretService == null || !this.mUserManager.getUserInfo(i).isPrimary()) {
            return;
        }
        try {
            byte[] deriveVendorAuthSecret = authenticationToken.deriveVendorAuthSecret();
            ArrayList<Byte> arrayList = new ArrayList<>(deriveVendorAuthSecret.length);
            for (byte b : deriveVendorAuthSecret) {
                arrayList.add(Byte.valueOf(b));
            }
            this.mAuthSecretService.primaryUserCredential(arrayList);
        } catch (RemoteException e) {
            Slog.w(TAG, "Failed to pass primary user secret to AuthSecret HAL", e);
        }
    }

    @GuardedBy({"mSpManager"})
    @VisibleForTesting
    protected SyntheticPasswordManager.AuthenticationToken initializeSyntheticPasswordLocked(byte[] bArr, LockscreenCredential lockscreenCredential, int i) {
        Slog.i(TAG, "Initialize SyntheticPassword for user: " + i);
        Preconditions.checkState(getSyntheticPasswordHandleLocked(i) == 0, "Cannot reinitialize SP");
        SyntheticPasswordManager.AuthenticationToken newSyntheticPasswordAndSid = this.mSpManager.newSyntheticPasswordAndSid(getGateKeeperService(), bArr, lockscreenCredential, i);
        if (newSyntheticPasswordAndSid == null) {
            Slog.wtf(TAG, "initializeSyntheticPasswordLocked returns null auth token");
            return null;
        }
        long createPasswordBasedSyntheticPassword = this.mSpManager.createPasswordBasedSyntheticPassword(getGateKeeperService(), lockscreenCredential, newSyntheticPasswordAndSid, i);
        if (lockscreenCredential.isNone()) {
            clearUserKeyProtection(i, null);
            setKeystorePassword(null, i);
            gateKeeperClearSecureUserId(i);
        } else {
            if (bArr == null) {
                this.mSpManager.newSidForUser(getGateKeeperService(), newSyntheticPasswordAndSid, i);
            }
            this.mSpManager.verifyChallenge(getGateKeeperService(), newSyntheticPasswordAndSid, 0L, i);
            setAuthlessUserKeyProtection(i, newSyntheticPasswordAndSid.deriveDiskEncryptionKey());
            setKeystorePassword(newSyntheticPasswordAndSid.deriveKeyStorePassword(), i);
        }
        fixateNewestUserKeyAuth(i);
        setSyntheticPasswordHandleLocked(createPasswordBasedSyntheticPassword, i);
        onAuthTokenKnownForUser(i, newSyntheticPasswordAndSid);
        return newSyntheticPasswordAndSid;
    }

    @VisibleForTesting
    long getSyntheticPasswordHandleLocked(int i) {
        return getLong(LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY, 0L, i);
    }

    private void setSyntheticPasswordHandleLocked(long j, int i) {
        long syntheticPasswordHandleLocked = getSyntheticPasswordHandleLocked(i);
        setLong(LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY, j, i);
        setLong(PREV_SYNTHETIC_PASSWORD_HANDLE_KEY, syntheticPasswordHandleLocked, i);
        setLong(SYNTHETIC_PASSWORD_UPDATE_TIME_KEY, System.currentTimeMillis(), i);
    }

    @VisibleForTesting
    boolean isSyntheticPasswordBasedCredential(int i) {
        boolean isSyntheticPasswordBasedCredentialLocked;
        synchronized (this.mSpManager) {
            isSyntheticPasswordBasedCredentialLocked = isSyntheticPasswordBasedCredentialLocked(i);
        }
        return isSyntheticPasswordBasedCredentialLocked;
    }

    private boolean isSyntheticPasswordBasedCredentialLocked(int i) {
        if (i != -9999) {
            return getSyntheticPasswordHandleLocked(i) != 0;
        }
        int i2 = this.mStorage.readPersistentDataBlock().type;
        return i2 == 1 || i2 == 2;
    }

    @VisibleForTesting
    protected boolean shouldMigrateToSyntheticPasswordLocked(int i) {
        return getSyntheticPasswordHandleLocked(i) == 0;
    }

    private VerifyCredentialResponse spBasedDoVerifyCredential(LockscreenCredential lockscreenCredential, int i, ICheckCredentialProgressCallback iCheckCredentialProgressCallback, int i2) {
        Slog.d(TAG, "spBasedDoVerifyCredential: user=" + i + " hasEnrolledBiometrics=" + this.mInjector.hasEnrolledBiometrics(i));
        boolean z = (i2 & 1) != 0;
        synchronized (this.mSpManager) {
            if (!isSyntheticPasswordBasedCredentialLocked(i)) {
                return null;
            }
            if (i == -9999) {
                return this.mSpManager.verifyFrpCredential(getGateKeeperService(), lockscreenCredential, iCheckCredentialProgressCallback);
            }
            SyntheticPasswordManager.AuthenticationResult unwrapPasswordBasedSyntheticPassword = this.mSpManager.unwrapPasswordBasedSyntheticPassword(getGateKeeperService(), getSyntheticPasswordHandleLocked(i), lockscreenCredential, i, iCheckCredentialProgressCallback);
            VerifyCredentialResponse verifyCredentialResponse = unwrapPasswordBasedSyntheticPassword.gkResponse;
            if (verifyCredentialResponse.getResponseCode() == 0) {
                this.mBiometricDeferredQueue.addPendingLockoutResetForUser(i, unwrapPasswordBasedSyntheticPassword.authToken.deriveGkPassword());
                verifyCredentialResponse = this.mSpManager.verifyChallenge(getGateKeeperService(), unwrapPasswordBasedSyntheticPassword.authToken, 0L, i);
                if (verifyCredentialResponse.getResponseCode() != 0) {
                    Slog.wtf(TAG, "verifyChallenge with SP failed.");
                    return VerifyCredentialResponse.ERROR;
                }
            }
            if (verifyCredentialResponse.getResponseCode() == 0) {
                onCredentialVerified(unwrapPasswordBasedSyntheticPassword.authToken, PasswordMetrics.computeForCredential(lockscreenCredential), i);
            } else if (verifyCredentialResponse.getResponseCode() == 1 && verifyCredentialResponse.getTimeout() > 0) {
                requireStrongAuth(8, i);
            }
            if (verifyCredentialResponse.isMatched() && z) {
                return new VerifyCredentialResponse.Builder().setGatekeeperPasswordHandle(storeGatekeeperPasswordTemporarily(unwrapPasswordBasedSyntheticPassword.authToken.deriveGkPassword())).build();
            }
            return verifyCredentialResponse;
        }
    }

    private long storeGatekeeperPasswordTemporarily(byte[] bArr) {
        long j = 0;
        synchronized (this.mGatekeeperPasswords) {
            while (true) {
                if (j != 0) {
                    if (this.mGatekeeperPasswords.get(j) == null) {
                        this.mGatekeeperPasswords.put(j, bArr);
                    }
                }
                j = this.mRandom.nextLong();
            }
        }
        long j2 = j;
        this.mHandler.postDelayed(() -> {
            synchronized (this.mGatekeeperPasswords) {
                Slog.d(TAG, "Removing handle: " + j2);
                this.mGatekeeperPasswords.remove(j2);
            }
        }, 600000L);
        return j;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void onCredentialVerified(SyntheticPasswordManager.AuthenticationToken authenticationToken, PasswordMetrics passwordMetrics, int i) {
        if (passwordMetrics != null) {
            synchronized (this) {
                this.mUserPasswordMetrics.put(i, passwordMetrics);
            }
        } else {
            Slog.wtf(TAG, "Null metrics after credential verification");
        }
        unlockKeystore(authenticationToken.deriveKeyStorePassword(), i);
        byte[] deriveDiskEncryptionKey = authenticationToken.deriveDiskEncryptionKey();
        unlockUser(i, null, deriveDiskEncryptionKey);
        Arrays.fill(deriveDiskEncryptionKey, (byte) 0);
        activateEscrowTokens(authenticationToken, i);
        if (isManagedProfileWithSeparatedLock(i)) {
            setDeviceUnlockedForUser(i);
        }
        this.mStrongAuth.reportSuccessfulStrongAuthUnlock(i);
        onAuthTokenKnownForUser(i, authenticationToken);
    }

    private void setDeviceUnlockedForUser(int i) {
        ((TrustManager) this.mContext.getSystemService(TrustManager.class)).setDeviceLockedForUser(i, false);
    }

    @GuardedBy({"mSpManager"})
    private long setLockCredentialWithAuthTokenLocked(LockscreenCredential lockscreenCredential, SyntheticPasswordManager.AuthenticationToken authenticationToken, int i) {
        Map<Integer, LockscreenCredential> decryptedPasswordsForAllTiedProfiles;
        long createPasswordBasedSyntheticPassword = this.mSpManager.createPasswordBasedSyntheticPassword(getGateKeeperService(), lockscreenCredential, authenticationToken, i);
        if (lockscreenCredential.isNone()) {
            decryptedPasswordsForAllTiedProfiles = getDecryptedPasswordsForAllTiedProfiles(i);
            this.mSpManager.clearSidForUser(i);
            gateKeeperClearSecureUserId(i);
            unlockUserKey(i, null, authenticationToken.deriveDiskEncryptionKey());
            clearUserKeyProtection(i, authenticationToken.deriveDiskEncryptionKey());
            fixateNewestUserKeyAuth(i);
            unlockKeystore(authenticationToken.deriveKeyStorePassword(), i);
            setKeystorePassword(null, i);
            removeBiometricsForUser(i);
        } else {
            decryptedPasswordsForAllTiedProfiles = null;
            if (this.mSpManager.hasSidForUser(i)) {
                this.mSpManager.verifyChallenge(getGateKeeperService(), authenticationToken, 0L, i);
            } else {
                this.mSpManager.newSidForUser(getGateKeeperService(), authenticationToken, i);
                this.mSpManager.verifyChallenge(getGateKeeperService(), authenticationToken, 0L, i);
                setAuthlessUserKeyProtection(i, authenticationToken.deriveDiskEncryptionKey());
                fixateNewestUserKeyAuth(i);
                setKeystorePassword(authenticationToken.deriveKeyStorePassword(), i);
            }
        }
        setSyntheticPasswordHandleLocked(createPasswordBasedSyntheticPassword, i);
        synchronizeUnifiedWorkChallengeForProfiles(i, decryptedPasswordsForAllTiedProfiles);
        setUserPasswordMetrics(lockscreenCredential, i);
        this.mManagedProfilePasswordCache.removePassword(i);
        if (decryptedPasswordsForAllTiedProfiles != null) {
            Iterator<Map.Entry<Integer, LockscreenCredential>> it = decryptedPasswordsForAllTiedProfiles.entrySet().iterator();
            while (it.hasNext()) {
                it.next().getValue().zeroize();
            }
        }
        return createPasswordBasedSyntheticPassword;
    }

    private void removeBiometricsForUser(int i) {
        removeAllFingerprintForUser(i);
        removeAllFaceForUser(i);
    }

    private void removeAllFingerprintForUser(int i) {
        FingerprintManager fingerprintManager = this.mInjector.getFingerprintManager();
        if (fingerprintManager != null && fingerprintManager.isHardwareDetected() && fingerprintManager.hasEnrolledFingerprints(i)) {
            CountDownLatch countDownLatch = new CountDownLatch(1);
            fingerprintManager.removeAll(i, fingerprintManagerRemovalCallback(countDownLatch));
            try {
                countDownLatch.await(10000L, TimeUnit.MILLISECONDS);
            } catch (InterruptedException e) {
                Slog.e(TAG, "Latch interrupted when removing fingerprint", e);
            }
        }
    }

    private void removeAllFaceForUser(int i) {
        FaceManager faceManager = this.mInjector.getFaceManager();
        if (faceManager != null && faceManager.isHardwareDetected() && faceManager.hasEnrolledTemplates(i)) {
            CountDownLatch countDownLatch = new CountDownLatch(1);
            faceManager.removeAll(i, faceManagerRemovalCallback(countDownLatch));
            try {
                countDownLatch.await(10000L, TimeUnit.MILLISECONDS);
            } catch (InterruptedException e) {
                Slog.e(TAG, "Latch interrupted when removing face", e);
            }
        }
    }

    private FingerprintManager.RemovalCallback fingerprintManagerRemovalCallback(final CountDownLatch countDownLatch) {
        return new FingerprintManager.RemovalCallback() { // from class: com.android.server.locksettings.LockSettingsService.4
            @Override // android.hardware.fingerprint.FingerprintManager.RemovalCallback
            public void onRemovalError(Fingerprint fingerprint, int i, CharSequence charSequence) {
                Slog.e(LockSettingsService.TAG, "Unable to remove fingerprint, error: " + ((Object) charSequence));
                countDownLatch.countDown();
            }

            @Override // android.hardware.fingerprint.FingerprintManager.RemovalCallback
            public void onRemovalSucceeded(Fingerprint fingerprint, int i) {
                if (i == 0) {
                    countDownLatch.countDown();
                }
            }
        };
    }

    private FaceManager.RemovalCallback faceManagerRemovalCallback(final CountDownLatch countDownLatch) {
        return new FaceManager.RemovalCallback() { // from class: com.android.server.locksettings.LockSettingsService.5
            @Override // android.hardware.face.FaceManager.RemovalCallback
            public void onRemovalError(Face face, int i, CharSequence charSequence) {
                Slog.e(LockSettingsService.TAG, "Unable to remove face, error: " + ((Object) charSequence));
                countDownLatch.countDown();
            }

            @Override // android.hardware.face.FaceManager.RemovalCallback
            public void onRemovalSucceeded(Face face, int i) {
                if (i == 0) {
                    countDownLatch.countDown();
                }
            }
        };
    }

    @GuardedBy({"mSpManager"})
    private boolean spBasedSetLockCredentialInternalLocked(LockscreenCredential lockscreenCredential, LockscreenCredential lockscreenCredential2, int i, boolean z) {
        if (lockscreenCredential2.isNone() && isManagedProfileWithUnifiedLock(i)) {
            try {
                lockscreenCredential2 = getDecryptedPasswordForTiedProfile(i);
            } catch (FileNotFoundException e) {
                Slog.i(TAG, "Child profile key not found");
            } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e2) {
                Slog.e(TAG, "Failed to decrypt child profile key", e2);
            }
        }
        long syntheticPasswordHandleLocked = getSyntheticPasswordHandleLocked(i);
        SyntheticPasswordManager.AuthenticationResult unwrapPasswordBasedSyntheticPassword = this.mSpManager.unwrapPasswordBasedSyntheticPassword(getGateKeeperService(), syntheticPasswordHandleLocked, lockscreenCredential2, i, null);
        VerifyCredentialResponse verifyCredentialResponse = unwrapPasswordBasedSyntheticPassword.gkResponse;
        SyntheticPasswordManager.AuthenticationToken authenticationToken = unwrapPasswordBasedSyntheticPassword.authToken;
        if (authenticationToken != null) {
            onAuthTokenKnownForUser(i, authenticationToken);
            setLockCredentialWithAuthTokenLocked(lockscreenCredential, authenticationToken, i);
            this.mSpManager.destroyPasswordBasedSyntheticPassword(syntheticPasswordHandleLocked, i);
            sendCredentialsOnChangeIfRequired(lockscreenCredential, i, z);
            return true;
        }
        if (verifyCredentialResponse == null || verifyCredentialResponse.getResponseCode() == -1) {
            Slog.w(TAG, "Failed to enroll: incorrect credential.");
            return false;
        }
        if (verifyCredentialResponse.getResponseCode() != 1) {
            throw new IllegalStateException("password change failed");
        }
        Slog.w(TAG, "Failed to enroll: rate limit exceeded.");
        return false;
    }

    /*  JADX ERROR: NullPointerException in pass: AttachTryCatchVisitor
        java.lang.NullPointerException
        */
    @Override // com.android.internal.widget.ILockSettings
    public byte[] getHashFactor(com.android.internal.widget.LockscreenCredential r9, int r10) {
        /*
            r8 = this;
            r0 = r8
            r0.checkPasswordReadPermission()
            r0 = r8
            r1 = r10
            boolean r0 = r0.isManagedProfileWithUnifiedLock(r1)
            if (r0 == 0) goto L2a
            r0 = r8
            r1 = r10
            com.android.internal.widget.LockscreenCredential r0 = r0.getDecryptedPasswordForTiedProfile(r1)
            r9 = r0
            goto L2a
            r11 = move-exception
            java.lang.String r0 = "LockSettingsService"
            java.lang.String r1 = "Failed to get work profile credential"
            r2 = r11
            int r0 = android.util.Slog.e(r0, r1, r2)
            r0 = 0
            r12 = r0
            r0 = r8
            r0.scheduleGc()
            r0 = r12
            return r0
            r0 = r8
            com.android.server.locksettings.SyntheticPasswordManager r0 = r0.mSpManager
            r1 = r0
            r11 = r1
            monitor-enter(r0)
            r0 = r8
            r1 = r10
            boolean r0 = r0.isSyntheticPasswordBasedCredentialLocked(r1)
            if (r0 != 0) goto L4e
            java.lang.String r0 = "LockSettingsService"
            java.lang.String r1 = "Synthetic password not enabled"
            int r0 = android.util.Slog.w(r0, r1)
            r0 = 0
            r12 = r0
            r0 = r11
            monitor-exit(r0)
            r0 = r8
            r0.scheduleGc()
            r0 = r12
            return r0
            r0 = r8
            r1 = r10
            long r0 = r0.getSyntheticPasswordHandleLocked(r1)
            r12 = r0
            r0 = r8
            com.android.server.locksettings.SyntheticPasswordManager r0 = r0.mSpManager
            r1 = r8
            android.service.gatekeeper.IGateKeeperService r1 = r1.getGateKeeperService()
            r2 = r12
            r3 = r9
            r4 = r10
            r5 = 0
            com.android.server.locksettings.SyntheticPasswordManager$AuthenticationResult r0 = r0.unwrapPasswordBasedSyntheticPassword(r1, r2, r3, r4, r5)
            r14 = r0
            r0 = r14
            com.android.server.locksettings.SyntheticPasswordManager$AuthenticationToken r0 = r0.authToken
            if (r0 != 0) goto L84
            java.lang.String r0 = "LockSettingsService"
            java.lang.String r1 = "Current credential is incorrect"
            int r0 = android.util.Slog.w(r0, r1)
            r0 = 0
            r15 = r0
            r0 = r11
            monitor-exit(r0)
            r0 = r8
            r0.scheduleGc()
            r0 = r15
            return r0
            r0 = r14
            com.android.server.locksettings.SyntheticPasswordManager$AuthenticationToken r0 = r0.authToken
            byte[] r0 = r0.derivePasswordHashFactor()
            r15 = r0
            r0 = r11
            monitor-exit(r0)
            r0 = r8
            r0.scheduleGc()
            r0 = r15
            return r0
            r16 = move-exception
            r0 = r11
            monitor-exit(r0)
            r0 = r16
            throw r0
            r17 = move-exception
            r0 = r8
            r0.scheduleGc()
            r0 = r17
            throw r0
        */
        throw new UnsupportedOperationException("Method not decompiled: com.android.server.locksettings.LockSettingsService.getHashFactor(com.android.internal.widget.LockscreenCredential, int):byte[]");
    }

    /* JADX INFO: Access modifiers changed from: private */
    public long addEscrowToken(byte[] bArr, int i, LockPatternUtils.EscrowTokenStateChangeCallback escrowTokenStateChangeCallback) {
        long createTokenBasedSyntheticPassword;
        synchronized (this.mSpManager) {
            SyntheticPasswordManager.AuthenticationToken authenticationToken = null;
            if (!isUserSecure(i)) {
                if (shouldMigrateToSyntheticPasswordLocked(i)) {
                    authenticationToken = initializeSyntheticPasswordLocked(null, LockscreenCredential.createNone(), i);
                } else {
                    authenticationToken = this.mSpManager.unwrapPasswordBasedSyntheticPassword(getGateKeeperService(), getSyntheticPasswordHandleLocked(i), LockscreenCredential.createNone(), i, null).authToken;
                }
            }
            if (isSyntheticPasswordBasedCredentialLocked(i)) {
                disableEscrowTokenOnNonManagedDevicesIfNeeded(i);
                if (!this.mSpManager.hasEscrowData(i)) {
                    throw new SecurityException("Escrow token is disabled on the current user");
                }
            }
            createTokenBasedSyntheticPassword = this.mSpManager.createTokenBasedSyntheticPassword(bArr, i, escrowTokenStateChangeCallback);
            if (authenticationToken != null) {
                this.mSpManager.activateTokenBasedSyntheticPassword(createTokenBasedSyntheticPassword, authenticationToken, i);
            }
        }
        return createTokenBasedSyntheticPassword;
    }

    private void activateEscrowTokens(SyntheticPasswordManager.AuthenticationToken authenticationToken, int i) {
        synchronized (this.mSpManager) {
            disableEscrowTokenOnNonManagedDevicesIfNeeded(i);
            Iterator<Long> it = this.mSpManager.getPendingTokensForUser(i).iterator();
            while (it.hasNext()) {
                long longValue = it.next().longValue();
                Slog.i(TAG, String.format("activateEscrowTokens: %x %d ", Long.valueOf(longValue), Integer.valueOf(i)));
                this.mSpManager.activateTokenBasedSyntheticPassword(longValue, authenticationToken, i);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean isEscrowTokenActive(long j, int i) {
        boolean existsHandle;
        synchronized (this.mSpManager) {
            existsHandle = this.mSpManager.existsHandle(j, i);
        }
        return existsHandle;
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean hasPendingEscrowToken(int i) {
        boolean z;
        checkPasswordReadPermission();
        synchronized (this.mSpManager) {
            z = !this.mSpManager.getPendingTokensForUser(i).isEmpty();
        }
        return z;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean removeEscrowToken(long j, int i) {
        synchronized (this.mSpManager) {
            if (j == getSyntheticPasswordHandleLocked(i)) {
                Slog.w(TAG, "Cannot remove password handle");
                return false;
            }
            if (this.mSpManager.removePendingToken(j, i)) {
                return true;
            }
            if (!this.mSpManager.existsHandle(j, i)) {
                return false;
            }
            this.mSpManager.destroyTokenBasedSyntheticPassword(j, i);
            return true;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean setLockCredentialWithToken(LockscreenCredential lockscreenCredential, long j, byte[] bArr, int i) {
        boolean lockCredentialWithTokenInternalLocked;
        synchronized (this.mSpManager) {
            if (!this.mSpManager.hasEscrowData(i)) {
                throw new SecurityException("Escrow token is disabled on the current user");
            }
            lockCredentialWithTokenInternalLocked = setLockCredentialWithTokenInternalLocked(lockscreenCredential, j, bArr, i);
        }
        if (lockCredentialWithTokenInternalLocked) {
            synchronized (this.mSeparateChallengeLock) {
                setSeparateProfileChallengeEnabledLocked(i, true, null);
            }
            if (lockscreenCredential.isNone()) {
                this.mHandler.post(() -> {
                    unlockUser(i, null, null);
                });
            }
            notifyPasswordChanged(i);
            notifySeparateProfileChallengeChanged(i);
        }
        return lockCredentialWithTokenInternalLocked;
    }

    @GuardedBy({"mSpManager"})
    private boolean setLockCredentialWithTokenInternalLocked(LockscreenCredential lockscreenCredential, long j, byte[] bArr, int i) {
        SyntheticPasswordManager.AuthenticationResult unwrapTokenBasedSyntheticPassword = this.mSpManager.unwrapTokenBasedSyntheticPassword(getGateKeeperService(), j, bArr, i);
        if (unwrapTokenBasedSyntheticPassword.authToken == null) {
            Slog.w(TAG, "Invalid escrow token supplied");
            return false;
        }
        if (unwrapTokenBasedSyntheticPassword.gkResponse.getResponseCode() != 0) {
            Slog.e(TAG, "Obsolete token: synthetic password derived but it fails GK verification.");
            return false;
        }
        onAuthTokenKnownForUser(i, unwrapTokenBasedSyntheticPassword.authToken);
        long syntheticPasswordHandleLocked = getSyntheticPasswordHandleLocked(i);
        setLockCredentialWithAuthTokenLocked(lockscreenCredential, unwrapTokenBasedSyntheticPassword.authToken, i);
        this.mSpManager.destroyPasswordBasedSyntheticPassword(syntheticPasswordHandleLocked, i);
        return true;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean unlockUserWithToken(long j, byte[] bArr, int i) {
        synchronized (this.mSpManager) {
            if (!this.mSpManager.hasEscrowData(i)) {
                throw new SecurityException("Escrow token is disabled on the current user");
            }
            SyntheticPasswordManager.AuthenticationResult unwrapTokenBasedSyntheticPassword = this.mSpManager.unwrapTokenBasedSyntheticPassword(getGateKeeperService(), j, bArr, i);
            if (unwrapTokenBasedSyntheticPassword.authToken == null) {
                Slog.w(TAG, "Invalid escrow token supplied");
                return false;
            }
            onCredentialVerified(unwrapTokenBasedSyntheticPassword.authToken, loadPasswordMetrics(unwrapTokenBasedSyntheticPassword.authToken, i), i);
            return true;
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean tryUnlockWithCachedUnifiedChallenge(int i) {
        LockscreenCredential retrievePassword = this.mManagedProfilePasswordCache.retrievePassword(i);
        if (retrievePassword == null) {
            if (retrievePassword != null) {
                retrievePassword.close();
            }
            return false;
        }
        try {
            boolean z = doVerifyCredential(retrievePassword, i, null, 0).getResponseCode() == 0;
            if (retrievePassword != null) {
                retrievePassword.close();
            }
            return z;
        } catch (Throwable th) {
            if (retrievePassword != null) {
                try {
                    retrievePassword.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public void removeCachedUnifiedChallenge(int i) {
        this.mManagedProfilePasswordCache.removePassword(i);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static String timestampToString(long j) {
        return new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date(j));
    }

    private static String credentialTypeToString(int i) {
        switch (i) {
            case -1:
                return AccessibilityTrace.NAME_NONE;
            case 0:
            case 2:
            default:
                return "Unknown " + i;
            case 1:
                return "Pattern";
            case 3:
                return "Pin";
            case 4:
                return "Password";
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // android.os.Binder
    public void dump(FileDescriptor fileDescriptor, PrintWriter printWriter, String[] strArr) {
        if (DumpUtils.checkDumpPermission(this.mContext, TAG, printWriter)) {
            IndentingPrintWriter indentingPrintWriter = new IndentingPrintWriter(printWriter, "  ");
            indentingPrintWriter.println("Current lock settings service state:");
            indentingPrintWriter.println();
            indentingPrintWriter.println("User State:");
            indentingPrintWriter.increaseIndent();
            List<UserInfo> users = this.mUserManager.getUsers();
            for (int i = 0; i < users.size(); i++) {
                int i2 = users.get(i).id;
                indentingPrintWriter.println("User " + i2);
                indentingPrintWriter.increaseIndent();
                synchronized (this.mSpManager) {
                    indentingPrintWriter.println(String.format("SP Handle: %x", Long.valueOf(getSyntheticPasswordHandleLocked(i2))));
                    indentingPrintWriter.println(String.format("Last changed: %s (%x)", timestampToString(getLong(SYNTHETIC_PASSWORD_UPDATE_TIME_KEY, 0L, i2)), Long.valueOf(getLong(PREV_SYNTHETIC_PASSWORD_HANDLE_KEY, 0L, i2))));
                }
                try {
                    indentingPrintWriter.println(String.format("SID: %x", Long.valueOf(getGateKeeperService().getSecureUserId(i2))));
                } catch (RemoteException e) {
                }
                indentingPrintWriter.println("Quality: " + getKeyguardStoredQuality(i2));
                indentingPrintWriter.println("CredentialType: " + credentialTypeToString(getCredentialTypeInternal(i2)));
                indentingPrintWriter.println("SeparateChallenge: " + getSeparateProfileChallengeEnabledInternal(i2));
                Object[] objArr = new Object[1];
                objArr[0] = getUserPasswordMetrics(i2) != null ? "known" : "unknown";
                indentingPrintWriter.println(String.format("Metrics: %s", objArr));
                indentingPrintWriter.decreaseIndent();
            }
            indentingPrintWriter.println();
            indentingPrintWriter.decreaseIndent();
            indentingPrintWriter.println("Keys in namespace:");
            indentingPrintWriter.increaseIndent();
            dumpKeystoreKeys(indentingPrintWriter);
            indentingPrintWriter.println();
            indentingPrintWriter.decreaseIndent();
            indentingPrintWriter.println("Storage:");
            indentingPrintWriter.increaseIndent();
            this.mStorage.dump(indentingPrintWriter);
            indentingPrintWriter.println();
            indentingPrintWriter.decreaseIndent();
            indentingPrintWriter.println("StrongAuth:");
            indentingPrintWriter.increaseIndent();
            this.mStrongAuth.dump(indentingPrintWriter);
            indentingPrintWriter.println();
            indentingPrintWriter.decreaseIndent();
            indentingPrintWriter.println("RebootEscrow:");
            indentingPrintWriter.increaseIndent();
            this.mRebootEscrowManager.dump(indentingPrintWriter);
            indentingPrintWriter.println();
            indentingPrintWriter.decreaseIndent();
            indentingPrintWriter.println("PasswordHandleCount: " + this.mGatekeeperPasswords.size());
        }
    }

    private void dumpKeystoreKeys(IndentingPrintWriter indentingPrintWriter) {
        try {
            Enumeration<String> aliases = this.mJavaKeyStore.aliases();
            while (aliases.hasMoreElements()) {
                indentingPrintWriter.println(aliases.nextElement());
            }
        } catch (KeyStoreException e) {
            indentingPrintWriter.println("Unable to get keys: " + e.toString());
            Slog.d(TAG, "Dump error", e);
        }
    }

    private void disableEscrowTokenOnNonManagedDevicesIfNeeded(int i) {
        UserManagerInternal userManagerInternal = this.mInjector.getUserManagerInternal();
        if (userManagerInternal.isUserManaged(i)) {
            Slog.i(TAG, "Managed profile can have escrow token");
            return;
        }
        if (userManagerInternal.isDeviceManaged()) {
            Slog.i(TAG, "Corp-owned device can have escrow token");
            return;
        }
        if (!this.mInjector.getDeviceStateCache().isDeviceProvisioned()) {
            Slog.i(TAG, "Postpone disabling escrow tokens until device is provisioned");
        } else {
            if (this.mContext.getPackageManager().hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE)) {
                return;
            }
            Slog.i(TAG, "Disabling escrow token on user " + i);
            if (isSyntheticPasswordBasedCredentialLocked(i)) {
                this.mSpManager.destroyEscrowData(i);
            }
        }
    }

    private void scheduleGc() {
        this.mHandler.postDelayed(() -> {
            System.gc();
            System.runFinalization();
            System.gc();
        }, StatsManager.DEFAULT_TIMEOUT_MILLIS);
    }
}
