package com.android.server.security;

import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.PackageManagerInternal;
import android.os.Binder;
import android.os.Environment;
import android.os.IBinder;
import android.os.UserHandle;
import android.security.IFileIntegrityService;
import android.util.Slog;
import com.android.internal.security.VerityUtils;
import com.android.server.LocalServices;
import com.android.server.SystemService;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;

/* loaded from: input_file:com/android/server/security/FileIntegrityService.class */
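/**
 * System service that tells callers whether a given app-source certificate is one of the
 * fs-verity certificates shipped on the device.
 *
 * <p>The trusted set is read once, in {@link #onStart()}, from {@code etc/security/fsverity}
 * under the root and product directories, before the binder service is published.
 *
 * <p>Trust is decided purely by {@link Collection#contains(Object)} against that set. Nothing
 * in this class builds a chain or checks validity dates or revocation, so the directories
 * above are the whole trust anchor.
 */
public class FileIntegrityService extends SystemService {
    private static final String TAG = "FileIntegrityService";

    /** X.509 factory; remains {@code null} if the platform could not provide one. */
    private static CertificateFactory sCertFactory;

    /** Certificates loaded in {@link #onStart()}; only read afterwards by binder calls. */
    private final Collection<X509Certificate> mTrustedCertificates = new ArrayList<>();

    private final IBinder mService;

    /**
     * Creates the service, its binder stub and the shared X.509 certificate factory.
     *
     * @param context system context handed to {@link SystemService}
     */
    public FileIntegrityService(Context context) {
        super(context);
        this.mService = new IFileIntegrityService.Stub() {
            /** Reports whether fs-verity is available; no caller check is applied here. */
            @Override
            public boolean isApkVeritySupported() {
                return VerityUtils.isFsVeritySupported();
            }

            /**
             * Checks whether the supplied certificate is in the trusted fs-verity set.
             *
             * @param certificateBytes encoded certificate supplied by the caller, may be null
             * @param packageName package the caller claims to be
             * @return {@code true} only if fs-verity is supported and the certificate parses
             *     and equals a loaded one; {@code false} on null input or a parse failure
             * @throws SecurityException if the caller fails {@code checkCallerPermission}
             */
            @Override
            public boolean isAppSourceCertificateTrusted(byte[] certificateBytes,
                    String packageName) {
                // Authorize first: caller-supplied bytes are not parsed for unauthorized callers.
                checkCallerPermission(packageName);
                try {
                    if (!VerityUtils.isFsVeritySupported()) {
                        return false;
                    }
                    if (certificateBytes == null) {
                        Slog.w(TAG, "Received a null certificate");
                        return false;
                    }
                    return mTrustedCertificates.contains(toCertificate(certificateBytes));
                } catch (CertificateException e) {
                    // Fail closed: anything that does not parse is reported as untrusted.
                    Slog.e(TAG, "Failed to convert the certificate: " + e);
                    return false;
                }
            }

            /**
             * Rejects callers that do not own {@code packageName} or that hold neither
             * INSTALL_PACKAGES nor the install app-op.
             *
             * @throws SecurityException if either check fails
             */
            private void checkCallerPermission(String packageName) {
                int callingUid = Binder.getCallingUid();
                PackageManagerInternal packageManager =
                        LocalServices.getService(PackageManagerInternal.class);
                int owningUid = packageManager.getPackageUid(
                        packageName, 0L, UserHandle.getUserId(callingUid));
                // Tie the claimed package name to the binder caller's UID before it is used
                // for the app-op lookup, so a caller cannot name a package it does not own.
                if (callingUid != owningUid) {
                    throw new SecurityException(
                            "Calling uid " + callingUid + " does not own package " + packageName);
                }

                Context context = getContext();
                // 0 is the "granted" result of checkCallingPermission.
                if (context.checkCallingPermission("android.permission.INSTALL_PACKAGES") == 0) {
                    return;
                }
                // NOTE(review): op code 66 is presumably the REQUEST_INSTALL_PACKAGES app-op,
                // going by the error message below; confirm against AppOpsManager and prefer
                // the named constant over the literal.
                AppOpsManager appOps = context.getSystemService(AppOpsManager.class);
                if (appOps.checkOpNoThrow(66, callingUid, packageName) != 0) {
                    throw new SecurityException(
                            "Caller should have INSTALL_PACKAGES or REQUEST_INSTALL_PACKAGES");
                }
            }
        };
        try {
            sCertFactory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            // Keep the cause; toCertificate() reports the missing factory as a
            // CertificateException, so every lookup then fails closed.
            Slog.wtf(TAG, "Cannot get an instance of X.509 certificate factory", e);
        }
    }

    /** Loads the trusted certificates, then publishes the binder service. */
    @Override
    public void onStart() {
        // Load before publishing so no binder call can observe a partially filled set.
        loadAllCertificates();
        publishBinderService("file_integrity", this.mService);
    }

    /** Loads certificates from the root and product {@code etc/security/fsverity} directories. */
    private void loadAllCertificates() {
        loadCertificatesFromDirectory(
                Environment.getRootDirectory().toPath().resolve("etc/security/fsverity"));
        loadCertificatesFromDirectory(
                Environment.getProductDirectory().toPath().resolve("etc/security/fsverity"));
    }

    /**
     * Adds every parseable certificate file directly inside {@code path} to the trusted set.
     *
     * <p>Failures are handled per file, so one unreadable or malformed entry does not stop
     * the remaining certificates in the directory from being loaded.
     *
     * @param path directory to scan; a missing or unlistable directory is silently skipped
     */
    private void loadCertificatesFromDirectory(Path path) {
        File[] candidates = path.toFile().listFiles();
        if (candidates == null) {
            return;
        }
        for (File candidate : candidates) {
            // Reading a sub-directory would throw; skip anything that is not a regular file.
            if (!candidate.isFile()) {
                Slog.w(TAG, "Not a regular file, ignoring " + candidate);
                continue;
            }
            try {
                byte[] encoded = Files.readAllBytes(candidate.toPath());
                // readAllBytes never returns null; an empty file yields a zero-length array.
                if (encoded.length == 0) {
                    Slog.w(TAG, "The certificate file is empty, ignoring " + candidate);
                    continue;
                }
                collectCertificate(encoded);
            } catch (IOException e) {
                Slog.wtf(TAG, "Failed to load fs-verity certificate from " + candidate, e);
            }
        }
    }

    /**
     * Parses {@code encoded} and adds it to the trusted set; invalid data is logged and dropped.
     *
     * @param encoded raw contents of one certificate file
     */
    private void collectCertificate(byte[] encoded) {
        try {
            this.mTrustedCertificates.add(toCertificate(encoded));
        } catch (CertificateException e) {
            Slog.e(TAG, "Invalid certificate, ignored: " + e);
        }
    }

    /**
     * Decodes a single X.509 certificate from {@code encoded}.
     *
     * @param encoded encoded certificate bytes
     * @return the parsed certificate
     * @throws CertificateException if the factory is unavailable, the bytes do not parse, or
     *     the result is not an {@link X509Certificate}
     */
    private static X509Certificate toCertificate(byte[] encoded) throws CertificateException {
        CertificateFactory factory = sCertFactory;
        if (factory == null) {
            // Raise the checked exception both callers already handle instead of an NPE
            // that would escape the binder call.
            throw new CertificateException("X.509 certificate factory is unavailable");
        }
        Certificate parsed = factory.generateCertificate(new ByteArrayInputStream(encoded));
        if (parsed instanceof X509Certificate) {
            return (X509Certificate) parsed;
        }
        throw new CertificateException("Expected to contain an X.509 certificate");
    }
}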
