package com.android.server.locksettings;

import android.content.Context;
import android.content.pm.UserInfo;
import android.hardware.weaver.V1_0.IWeaver;
import android.hardware.weaver.V1_0.WeaverConfig;
import android.os.RemoteException;
import android.os.UserManager;
import android.security.Scrypt;
import android.service.gatekeeper.GateKeeperResponse;
import android.service.gatekeeper.IGateKeeperService;
import android.util.ArrayMap;
import android.util.Log;
import android.util.Slog;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.util.ArrayUtils;
import com.android.internal.widget.ICheckCredentialProgressCallback;
import com.android.internal.widget.LockPatternUtils;
import com.android.internal.widget.VerifyCredentialResponse;
import com.android.server.locksettings.LockSettingsStorage;
import java.nio.ByteBuffer;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
import libcore.util.HexEncoding;

/* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager.class */
public class SyntheticPasswordManager {
    private static final String SP_BLOB_NAME = "spblob";
    private static final String SP_E0_NAME = "e0";
    private static final String SP_P1_NAME = "p1";
    private static final String SP_HANDLE_NAME = "handle";
    private static final String SECDISCARDABLE_NAME = "secdis";
    private static final int SECDISCARDABLE_LENGTH = 16384;
    private static final String PASSWORD_DATA_NAME = "pwd";
    private static final String WEAVER_SLOT_NAME = "weaver";
    public static final long DEFAULT_HANDLE = 0;
    private static final byte WEAVER_VERSION = 1;
    private static final int INVALID_WEAVER_SLOT = -1;
    private static final byte SYNTHETIC_PASSWORD_VERSION_V1 = 1;
    private static final byte SYNTHETIC_PASSWORD_VERSION_V2 = 2;
    private static final byte SYNTHETIC_PASSWORD_VERSION_V3 = 3;
    private static final byte SYNTHETIC_PASSWORD_PASSWORD_BASED = 0;
    private static final byte SYNTHETIC_PASSWORD_TOKEN_BASED = 1;
    private static final byte SYNTHETIC_PASSWORD_LENGTH = 32;
    private static final int PASSWORD_SCRYPT_N = 11;
    private static final int PASSWORD_SCRYPT_R = 3;
    private static final int PASSWORD_SCRYPT_P = 1;
    private static final int PASSWORD_SALT_LENGTH = 16;
    private static final int PASSWORD_TOKEN_LENGTH = 32;
    private static final String TAG = "SyntheticPasswordManager";
    private final Context mContext;
    private LockSettingsStorage mStorage;
    private IWeaver mWeaver;
    private WeaverConfig mWeaverConfig;
    private PasswordSlotManager mPasswordSlotManager;
    private final UserManager mUserManager;
    private ArrayMap<Integer, ArrayMap<Long, TokenData>> tokenMap = new ArrayMap<>();
    private static final byte[] DEFAULT_PASSWORD = "default-password".getBytes();
    private static final byte[] PERSONALISATION_SECDISCARDABLE = "secdiscardable-transform".getBytes();
    private static final byte[] PERSONALIZATION_KEY_STORE_PASSWORD = "keystore-password".getBytes();
    private static final byte[] PERSONALIZATION_USER_GK_AUTH = "user-gk-authentication".getBytes();
    private static final byte[] PERSONALIZATION_SP_GK_AUTH = "sp-gk-authentication".getBytes();
    private static final byte[] PERSONALIZATION_FBE_KEY = "fbe-key".getBytes();
    private static final byte[] PERSONALIZATION_AUTHSECRET_KEY = "authsecret-hal".getBytes();
    private static final byte[] PERSONALIZATION_SP_SPLIT = "sp-split".getBytes();
    private static final byte[] PERSONALIZATION_PASSWORD_HASH = "pw-hash".getBytes();
    private static final byte[] PERSONALIZATION_E0 = "e0-encryption".getBytes();
    private static final byte[] PERSONALISATION_WEAVER_PASSWORD = "weaver-pwd".getBytes();
    private static final byte[] PERSONALISATION_WEAVER_KEY = "weaver-key".getBytes();
    private static final byte[] PERSONALISATION_WEAVER_TOKEN = "weaver-token".getBytes();
    private static final byte[] PERSONALISATION_CONTEXT = "android-synthetic-password-personalization-context".getBytes();
    protected static final byte[] HEX_ARRAY = "0123456789ABCDEF".getBytes();

    /* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager$AuthenticationResult.class */
    static class AuthenticationResult {
        public AuthenticationToken authToken;
        public VerifyCredentialResponse gkResponse;
        public int credentialType;

        AuthenticationResult() {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager$AuthenticationToken.class */
    public static class AuthenticationToken {
        private final byte mVersion;
        private byte[] E0;
        private byte[] P1;
        private String syntheticPassword;

        AuthenticationToken(byte b) {
            this.mVersion = b;
        }

        /* JADX WARN: Type inference failed for: r1v2, types: [byte[], byte[][]] */
        private byte[] derivePassword(byte[] bArr) {
            return this.mVersion == 3 ? new SP800Derive(this.syntheticPassword.getBytes()).withContext(bArr, SyntheticPasswordManager.PERSONALISATION_CONTEXT) : SyntheticPasswordCrypto.personalisedHash(bArr, new byte[]{this.syntheticPassword.getBytes()});
        }

        public byte[] deriveKeyStorePassword() {
            return SyntheticPasswordManager.bytesToHex(derivePassword(SyntheticPasswordManager.PERSONALIZATION_KEY_STORE_PASSWORD));
        }

        public byte[] deriveGkPassword() {
            return derivePassword(SyntheticPasswordManager.PERSONALIZATION_SP_GK_AUTH);
        }

        public byte[] deriveDiskEncryptionKey() {
            return derivePassword(SyntheticPasswordManager.PERSONALIZATION_FBE_KEY);
        }

        public byte[] deriveVendorAuthSecret() {
            return derivePassword(SyntheticPasswordManager.PERSONALIZATION_AUTHSECRET_KEY);
        }

        public byte[] derivePasswordHashFactor() {
            return derivePassword(SyntheticPasswordManager.PERSONALIZATION_PASSWORD_HASH);
        }

        /* JADX WARN: Type inference failed for: r2v1, types: [byte[], byte[][]] */
        private void initialize(byte[] bArr, byte[] bArr2) {
            this.P1 = bArr2;
            this.syntheticPassword = String.valueOf(HexEncoding.encode(SyntheticPasswordCrypto.personalisedHash(SyntheticPasswordManager.PERSONALIZATION_SP_SPLIT, new byte[]{bArr, bArr2})));
            this.E0 = SyntheticPasswordCrypto.encrypt(this.syntheticPassword.getBytes(), SyntheticPasswordManager.PERSONALIZATION_E0, bArr);
        }

        public void recreate(byte[] bArr) {
            initialize(bArr, this.P1);
        }

        protected static AuthenticationToken create() {
            AuthenticationToken authenticationToken = new AuthenticationToken((byte) 3);
            authenticationToken.initialize(SyntheticPasswordManager.secureRandom(32), SyntheticPasswordManager.secureRandom(32));
            return authenticationToken;
        }

        public byte[] computeP0() {
            if (this.E0 == null) {
                return null;
            }
            return SyntheticPasswordCrypto.decrypt(this.syntheticPassword.getBytes(), SyntheticPasswordManager.PERSONALIZATION_E0, this.E0);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager$PasswordData.class */
    public static class PasswordData {
        byte scryptN;
        byte scryptR;
        byte scryptP;
        public int passwordType;
        byte[] salt;
        public byte[] passwordHandle;

        PasswordData() {
        }

        public static PasswordData create(int i) {
            PasswordData passwordData = new PasswordData();
            passwordData.scryptN = (byte) 11;
            passwordData.scryptR = (byte) 3;
            passwordData.scryptP = (byte) 1;
            passwordData.passwordType = i;
            passwordData.salt = SyntheticPasswordManager.secureRandom(16);
            return passwordData;
        }

        public static PasswordData fromBytes(byte[] bArr) {
            PasswordData passwordData = new PasswordData();
            ByteBuffer allocate = ByteBuffer.allocate(bArr.length);
            allocate.put(bArr, 0, bArr.length);
            allocate.flip();
            passwordData.passwordType = allocate.getInt();
            passwordData.scryptN = allocate.get();
            passwordData.scryptR = allocate.get();
            passwordData.scryptP = allocate.get();
            passwordData.salt = new byte[allocate.getInt()];
            allocate.get(passwordData.salt);
            int i = allocate.getInt();
            if (i > 0) {
                passwordData.passwordHandle = new byte[i];
                allocate.get(passwordData.passwordHandle);
            } else {
                passwordData.passwordHandle = null;
            }
            return passwordData;
        }

        public byte[] toBytes() {
            ByteBuffer allocate = ByteBuffer.allocate(11 + this.salt.length + 4 + (this.passwordHandle != null ? this.passwordHandle.length : 0));
            allocate.putInt(this.passwordType);
            allocate.put(this.scryptN);
            allocate.put(this.scryptR);
            allocate.put(this.scryptP);
            allocate.putInt(this.salt.length);
            allocate.put(this.salt);
            if (this.passwordHandle == null || this.passwordHandle.length <= 0) {
                allocate.putInt(0);
            } else {
                allocate.putInt(this.passwordHandle.length);
                allocate.put(this.passwordHandle);
            }
            return allocate.array();
        }
    }

    /* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager$TokenData.class */
    static class TokenData {
        byte[] secdiscardableOnDisk;
        byte[] weaverSecret;
        byte[] aggregatedSecret;
        LockPatternUtils.EscrowTokenStateChangeCallback mCallback;

        TokenData() {
        }
    }

    public SyntheticPasswordManager(Context context, LockSettingsStorage lockSettingsStorage, UserManager userManager, PasswordSlotManager passwordSlotManager) {
        this.mContext = context;
        this.mStorage = lockSettingsStorage;
        this.mUserManager = userManager;
        this.mPasswordSlotManager = passwordSlotManager;
    }

    @VisibleForTesting
    protected IWeaver getWeaverService() throws RemoteException {
        try {
            return IWeaver.getService();
        } catch (NoSuchElementException e) {
            Slog.i(TAG, "Device does not support weaver");
            return null;
        }
    }

    public synchronized void initWeaverService() {
        if (this.mWeaver != null) {
            return;
        }
        try {
            this.mWeaverConfig = null;
            this.mWeaver = getWeaverService();
            if (this.mWeaver != null) {
                this.mWeaver.getConfig((i, weaverConfig) -> {
                    if (i == 0 && weaverConfig.slots > 0) {
                        this.mWeaverConfig = weaverConfig;
                    } else {
                        Slog.e(TAG, "Failed to get weaver config, status " + i + " slots: " + weaverConfig.slots);
                        this.mWeaver = null;
                    }
                });
                this.mPasswordSlotManager.refreshActiveSlots(getUsedWeaverSlots());
            }
        } catch (RemoteException e) {
            Slog.e(TAG, "Failed to get weaver service", e);
        }
    }

    private synchronized boolean isWeaverAvailable() {
        if (this.mWeaver == null) {
            initWeaverService();
        }
        return this.mWeaver != null && this.mWeaverConfig.slots > 0;
    }

    private byte[] weaverEnroll(int i, byte[] bArr, byte[] bArr2) throws RemoteException {
        if (i == -1 || i >= this.mWeaverConfig.slots) {
            throw new RuntimeException("Invalid slot for weaver");
        }
        if (bArr == null) {
            bArr = new byte[this.mWeaverConfig.keySize];
        } else if (bArr.length != this.mWeaverConfig.keySize) {
            throw new RuntimeException("Invalid key size for weaver");
        }
        if (bArr2 == null) {
            bArr2 = secureRandom(this.mWeaverConfig.valueSize);
        }
        int write = this.mWeaver.write(i, toByteArrayList(bArr), toByteArrayList(bArr2));
        if (write == 0) {
            return bArr2;
        }
        Log.e(TAG, "weaver write failed, slot: " + i + " status: " + write);
        return null;
    }

    private VerifyCredentialResponse weaverVerify(int i, byte[] bArr) throws RemoteException {
        if (i == -1 || i >= this.mWeaverConfig.slots) {
            throw new RuntimeException("Invalid slot for weaver");
        }
        if (bArr == null) {
            bArr = new byte[this.mWeaverConfig.keySize];
        } else if (bArr.length != this.mWeaverConfig.keySize) {
            throw new RuntimeException("Invalid key size for weaver");
        }
        VerifyCredentialResponse[] verifyCredentialResponseArr = new VerifyCredentialResponse[1];
        this.mWeaver.read(i, toByteArrayList(bArr), (i2, weaverReadResponse) -> {
            switch (i2) {
                case 0:
                    verifyCredentialResponseArr[0] = new VerifyCredentialResponse(fromByteArrayList(weaverReadResponse.value));
                    return;
                case 1:
                    verifyCredentialResponseArr[0] = VerifyCredentialResponse.ERROR;
                    Log.e(TAG, "weaver read failed (FAILED), slot: " + i);
                    return;
                case 2:
                    if (weaverReadResponse.timeout == 0) {
                        verifyCredentialResponseArr[0] = VerifyCredentialResponse.ERROR;
                        Log.e(TAG, "weaver read failed (INCORRECT_KEY), slot: " + i);
                        return;
                    } else {
                        verifyCredentialResponseArr[0] = new VerifyCredentialResponse(weaverReadResponse.timeout);
                        Log.e(TAG, "weaver read failed (INCORRECT_KEY/THROTTLE), slot: " + i);
                        return;
                    }
                case 3:
                    verifyCredentialResponseArr[0] = new VerifyCredentialResponse(weaverReadResponse.timeout);
                    Log.e(TAG, "weaver read failed (THROTTLE), slot: " + i);
                    return;
                default:
                    verifyCredentialResponseArr[0] = VerifyCredentialResponse.ERROR;
                    Log.e(TAG, "weaver read unknown status " + i2 + ", slot: " + i);
                    return;
            }
        });
        return verifyCredentialResponseArr[0];
    }

    public void removeUser(int i) {
        Iterator<Long> it = this.mStorage.listSyntheticPasswordHandlesForUser(SP_BLOB_NAME, i).iterator();
        while (it.hasNext()) {
            long longValue = it.next().longValue();
            destroyWeaverSlot(longValue, i);
            destroySPBlobKey(getHandleName(longValue));
        }
    }

    public int getCredentialType(long j, int i) {
        byte[] loadState = loadState(PASSWORD_DATA_NAME, j, i);
        if (loadState != null) {
            return PasswordData.fromBytes(loadState).passwordType;
        }
        Log.w(TAG, "getCredentialType: encountered empty password data for user " + i);
        return -1;
    }

    public AuthenticationToken newSyntheticPasswordAndSid(IGateKeeperService iGateKeeperService, byte[] bArr, byte[] bArr2, int i) throws RemoteException {
        AuthenticationToken create = AuthenticationToken.create();
        if (bArr != null) {
            GateKeeperResponse enroll = iGateKeeperService.enroll(i, bArr, bArr2, create.deriveGkPassword());
            if (enroll.getResponseCode() != 0) {
                Log.w(TAG, "Fail to migrate SID, assuming no SID, user " + i);
                clearSidForUser(i);
            } else {
                saveSyntheticPasswordHandle(enroll.getPayload(), i);
            }
        } else {
            clearSidForUser(i);
        }
        saveEscrowData(create, i);
        return create;
    }

    public void newSidForUser(IGateKeeperService iGateKeeperService, AuthenticationToken authenticationToken, int i) throws RemoteException {
        GateKeeperResponse enroll = iGateKeeperService.enroll(i, null, null, authenticationToken.deriveGkPassword());
        if (enroll.getResponseCode() != 0) {
            Log.e(TAG, "Fail to create new SID for user " + i);
        } else {
            saveSyntheticPasswordHandle(enroll.getPayload(), i);
        }
    }

    public void clearSidForUser(int i) {
        destroyState(SP_HANDLE_NAME, 0L, i);
    }

    public boolean hasSidForUser(int i) {
        return hasState(SP_HANDLE_NAME, 0L, i);
    }

    private byte[] loadSyntheticPasswordHandle(int i) {
        return loadState(SP_HANDLE_NAME, 0L, i);
    }

    private void saveSyntheticPasswordHandle(byte[] bArr, int i) {
        saveState(SP_HANDLE_NAME, bArr, 0L, i);
    }

    private boolean loadEscrowData(AuthenticationToken authenticationToken, int i) {
        authenticationToken.E0 = loadState(SP_E0_NAME, 0L, i);
        authenticationToken.P1 = loadState(SP_P1_NAME, 0L, i);
        return (authenticationToken.E0 == null || authenticationToken.P1 == null) ? false : true;
    }

    private void saveEscrowData(AuthenticationToken authenticationToken, int i) {
        saveState(SP_E0_NAME, authenticationToken.E0, 0L, i);
        saveState(SP_P1_NAME, authenticationToken.P1, 0L, i);
    }

    public boolean hasEscrowData(int i) {
        return hasState(SP_E0_NAME, 0L, i) && hasState(SP_P1_NAME, 0L, i);
    }

    public void destroyEscrowData(int i) {
        destroyState(SP_E0_NAME, 0L, i);
        destroyState(SP_P1_NAME, 0L, i);
    }

    private int loadWeaverSlot(long j, int i) {
        byte[] loadState = loadState(WEAVER_SLOT_NAME, j, i);
        if (loadState == null || loadState.length != 5) {
            return -1;
        }
        ByteBuffer allocate = ByteBuffer.allocate(5);
        allocate.put(loadState, 0, loadState.length);
        allocate.flip();
        if (allocate.get() == 1) {
            return allocate.getInt();
        }
        Log.e(TAG, "Invalid weaver slot version of handle " + j);
        return -1;
    }

    private void saveWeaverSlot(int i, long j, int i2) {
        ByteBuffer allocate = ByteBuffer.allocate(5);
        allocate.put((byte) 1);
        allocate.putInt(i);
        saveState(WEAVER_SLOT_NAME, allocate.array(), j, i2);
    }

    private void destroyWeaverSlot(long j, int i) {
        int loadWeaverSlot = loadWeaverSlot(j, i);
        destroyState(WEAVER_SLOT_NAME, j, i);
        if (loadWeaverSlot != -1) {
            if (getUsedWeaverSlots().contains(Integer.valueOf(loadWeaverSlot))) {
                Log.w(TAG, "Skip destroying reused weaver slot " + loadWeaverSlot + " for user " + i);
                return;
            }
            Log.i(TAG, "Destroy weaver slot " + loadWeaverSlot + " for user " + i);
            try {
                weaverEnroll(loadWeaverSlot, null, null);
                this.mPasswordSlotManager.markSlotDeleted(loadWeaverSlot);
            } catch (RemoteException e) {
                Log.w(TAG, "Failed to destroy slot", e);
            }
        }
    }

    private Set<Integer> getUsedWeaverSlots() {
        Map<Integer, List<Long>> listSyntheticPasswordHandlesForAllUsers = this.mStorage.listSyntheticPasswordHandlesForAllUsers(WEAVER_SLOT_NAME);
        HashSet hashSet = new HashSet();
        for (Map.Entry<Integer, List<Long>> entry : listSyntheticPasswordHandlesForAllUsers.entrySet()) {
            Iterator<Long> it = entry.getValue().iterator();
            while (it.hasNext()) {
                hashSet.add(Integer.valueOf(loadWeaverSlot(it.next().longValue(), entry.getKey().intValue())));
            }
        }
        return hashSet;
    }

    private int getNextAvailableWeaverSlot() {
        Set<Integer> usedWeaverSlots = getUsedWeaverSlots();
        usedWeaverSlots.addAll(this.mPasswordSlotManager.getUsedSlots());
        for (int i = 0; i < this.mWeaverConfig.slots; i++) {
            if (!usedWeaverSlots.contains(Integer.valueOf(i))) {
                return i;
            }
        }
        throw new RuntimeException("Run out of weaver slots.");
    }

    public long createPasswordBasedSyntheticPassword(IGateKeeperService iGateKeeperService, byte[] bArr, int i, AuthenticationToken authenticationToken, int i2, int i3) throws RemoteException {
        long sidFromPasswordHandle;
        byte[] transformUnderSecdiscardable;
        if (bArr == null || i == -1) {
            i = -1;
            bArr = DEFAULT_PASSWORD;
        }
        long generateHandle = generateHandle();
        PasswordData create = PasswordData.create(i);
        byte[] computePasswordToken = computePasswordToken(bArr, create);
        if (isWeaverAvailable()) {
            int nextAvailableWeaverSlot = getNextAvailableWeaverSlot();
            Log.i(TAG, "Weaver enroll password to slot " + nextAvailableWeaverSlot + " for user " + i3);
            byte[] weaverEnroll = weaverEnroll(nextAvailableWeaverSlot, passwordTokenToWeaverKey(computePasswordToken), null);
            if (weaverEnroll == null) {
                Log.e(TAG, "Fail to enroll user password under weaver " + i3);
                return 0L;
            }
            saveWeaverSlot(nextAvailableWeaverSlot, generateHandle, i3);
            this.mPasswordSlotManager.markSlotInUse(nextAvailableWeaverSlot);
            synchronizeWeaverFrpPassword(create, i2, i3, nextAvailableWeaverSlot);
            create.passwordHandle = null;
            sidFromPasswordHandle = 0;
            transformUnderSecdiscardable = transformUnderWeaverSecret(computePasswordToken, weaverEnroll);
        } else {
            iGateKeeperService.clearSecureUserId(fakeUid(i3));
            GateKeeperResponse enroll = iGateKeeperService.enroll(fakeUid(i3), null, null, passwordTokenToGkInput(computePasswordToken));
            if (enroll.getResponseCode() != 0) {
                Log.e(TAG, "Fail to enroll user password when creating SP for user " + i3);
                return 0L;
            }
            create.passwordHandle = enroll.getPayload();
            sidFromPasswordHandle = sidFromPasswordHandle(create.passwordHandle);
            transformUnderSecdiscardable = transformUnderSecdiscardable(computePasswordToken, createSecdiscardable(generateHandle, i3));
            synchronizeFrpPassword(create, i2, i3);
        }
        saveState(PASSWORD_DATA_NAME, create.toBytes(), generateHandle, i3);
        createSyntheticPasswordBlob(generateHandle, (byte) 0, authenticationToken, transformUnderSecdiscardable, sidFromPasswordHandle, i3);
        return generateHandle;
    }

    public VerifyCredentialResponse verifyFrpCredential(IGateKeeperService iGateKeeperService, byte[] bArr, int i, ICheckCredentialProgressCallback iCheckCredentialProgressCallback) throws RemoteException {
        LockSettingsStorage.PersistentData readPersistentDataBlock = this.mStorage.readPersistentDataBlock();
        if (readPersistentDataBlock.type == 1) {
            PasswordData fromBytes = PasswordData.fromBytes(readPersistentDataBlock.payload);
            return VerifyCredentialResponse.fromGateKeeperResponse(iGateKeeperService.verifyChallenge(fakeUid(readPersistentDataBlock.userId), 0L, fromBytes.passwordHandle, passwordTokenToGkInput(computePasswordToken(bArr, fromBytes))));
        }
        if (readPersistentDataBlock.type == 2) {
            return weaverVerify(readPersistentDataBlock.userId, passwordTokenToWeaverKey(computePasswordToken(bArr, PasswordData.fromBytes(readPersistentDataBlock.payload)))).stripPayload();
        }
        Log.e(TAG, "persistentData.type must be TYPE_SP or TYPE_SP_WEAVER, but is " + readPersistentDataBlock.type);
        return VerifyCredentialResponse.ERROR;
    }

    public void migrateFrpPasswordLocked(long j, UserInfo userInfo, int i) {
        if (this.mStorage.getPersistentDataBlock() == null || !LockPatternUtils.userOwnsFrpCredential(this.mContext, userInfo)) {
            return;
        }
        PasswordData fromBytes = PasswordData.fromBytes(loadState(PASSWORD_DATA_NAME, j, userInfo.id));
        if (fromBytes.passwordType != -1) {
            int loadWeaverSlot = loadWeaverSlot(j, userInfo.id);
            if (loadWeaverSlot != -1) {
                synchronizeWeaverFrpPassword(fromBytes, i, userInfo.id, loadWeaverSlot);
            } else {
                synchronizeFrpPassword(fromBytes, i, userInfo.id);
            }
        }
    }

    private void synchronizeFrpPassword(PasswordData passwordData, int i, int i2) {
        if (this.mStorage.getPersistentDataBlock() == null || !LockPatternUtils.userOwnsFrpCredential(this.mContext, this.mUserManager.getUserInfo(i2))) {
            return;
        }
        if (passwordData.passwordType != -1) {
            this.mStorage.writePersistentDataBlock(1, i2, i, passwordData.toBytes());
        } else {
            this.mStorage.writePersistentDataBlock(0, i2, 0, null);
        }
    }

    private void synchronizeWeaverFrpPassword(PasswordData passwordData, int i, int i2, int i3) {
        if (this.mStorage.getPersistentDataBlock() == null || !LockPatternUtils.userOwnsFrpCredential(this.mContext, this.mUserManager.getUserInfo(i2))) {
            return;
        }
        if (passwordData.passwordType != -1) {
            this.mStorage.writePersistentDataBlock(2, i3, i, passwordData.toBytes());
        } else {
            this.mStorage.writePersistentDataBlock(0, 0, 0, null);
        }
    }

    public long createTokenBasedSyntheticPassword(byte[] bArr, int i, LockPatternUtils.EscrowTokenStateChangeCallback escrowTokenStateChangeCallback) {
        long generateHandle = generateHandle();
        if (!this.tokenMap.containsKey(Integer.valueOf(i))) {
            this.tokenMap.put(Integer.valueOf(i), new ArrayMap<>());
        }
        TokenData tokenData = new TokenData();
        byte[] secureRandom = secureRandom(16384);
        if (isWeaverAvailable()) {
            tokenData.weaverSecret = secureRandom(this.mWeaverConfig.valueSize);
            tokenData.secdiscardableOnDisk = SyntheticPasswordCrypto.encrypt(tokenData.weaverSecret, PERSONALISATION_WEAVER_TOKEN, secureRandom);
        } else {
            tokenData.secdiscardableOnDisk = secureRandom;
            tokenData.weaverSecret = null;
        }
        tokenData.aggregatedSecret = transformUnderSecdiscardable(bArr, secureRandom);
        tokenData.mCallback = escrowTokenStateChangeCallback;
        this.tokenMap.get(Integer.valueOf(i)).put(Long.valueOf(generateHandle), tokenData);
        return generateHandle;
    }

    public Set<Long> getPendingTokensForUser(int i) {
        return !this.tokenMap.containsKey(Integer.valueOf(i)) ? Collections.emptySet() : this.tokenMap.get(Integer.valueOf(i)).keySet();
    }

    public boolean removePendingToken(long j, int i) {
        return this.tokenMap.containsKey(Integer.valueOf(i)) && this.tokenMap.get(Integer.valueOf(i)).remove(Long.valueOf(j)) != null;
    }

    public boolean activateTokenBasedSyntheticPassword(long j, AuthenticationToken authenticationToken, int i) {
        TokenData tokenData;
        if (!this.tokenMap.containsKey(Integer.valueOf(i)) || (tokenData = this.tokenMap.get(Integer.valueOf(i)).get(Long.valueOf(j))) == null) {
            return false;
        }
        if (!loadEscrowData(authenticationToken, i)) {
            Log.w(TAG, "User is not escrowable");
            return false;
        }
        if (isWeaverAvailable()) {
            int nextAvailableWeaverSlot = getNextAvailableWeaverSlot();
            try {
                Log.i(TAG, "Weaver enroll token to slot " + nextAvailableWeaverSlot + " for user " + i);
                weaverEnroll(nextAvailableWeaverSlot, null, tokenData.weaverSecret);
                saveWeaverSlot(nextAvailableWeaverSlot, j, i);
                this.mPasswordSlotManager.markSlotInUse(nextAvailableWeaverSlot);
            } catch (RemoteException e) {
                Log.e(TAG, "Failed to enroll weaver secret when activating token", e);
                return false;
            }
        }
        saveSecdiscardable(j, tokenData.secdiscardableOnDisk, i);
        createSyntheticPasswordBlob(j, (byte) 1, authenticationToken, tokenData.aggregatedSecret, 0L, i);
        this.tokenMap.get(Integer.valueOf(i)).remove(Long.valueOf(j));
        if (tokenData.mCallback == null) {
            return true;
        }
        tokenData.mCallback.onEscrowTokenActivated(j, i);
        return true;
    }

    private void createSyntheticPasswordBlob(long j, byte b, AuthenticationToken authenticationToken, byte[] bArr, long j2, int i) {
        byte[] createSPBlob = createSPBlob(getHandleName(j), b == 1 ? authenticationToken.computeP0() : authenticationToken.syntheticPassword.getBytes(), bArr, j2);
        byte[] bArr2 = new byte[createSPBlob.length + 1 + 1];
        if (authenticationToken.mVersion == 3) {
            bArr2[0] = 3;
        } else {
            bArr2[0] = 2;
        }
        bArr2[1] = b;
        System.arraycopy(createSPBlob, 0, bArr2, 2, createSPBlob.length);
        saveState(SP_BLOB_NAME, bArr2, j, i);
    }

    public AuthenticationResult unwrapPasswordBasedSyntheticPassword(IGateKeeperService iGateKeeperService, long j, byte[] bArr, int i, ICheckCredentialProgressCallback iCheckCredentialProgressCallback) throws RemoteException {
        long sidFromPasswordHandle;
        byte[] transformUnderSecdiscardable;
        if (bArr == null) {
            bArr = DEFAULT_PASSWORD;
        }
        AuthenticationResult authenticationResult = new AuthenticationResult();
        PasswordData fromBytes = PasswordData.fromBytes(loadState(PASSWORD_DATA_NAME, j, i));
        authenticationResult.credentialType = fromBytes.passwordType;
        byte[] computePasswordToken = computePasswordToken(bArr, fromBytes);
        int loadWeaverSlot = loadWeaverSlot(j, i);
        if (loadWeaverSlot == -1) {
            byte[] passwordTokenToGkInput = passwordTokenToGkInput(computePasswordToken);
            GateKeeperResponse verifyChallenge = iGateKeeperService.verifyChallenge(fakeUid(i), 0L, fromBytes.passwordHandle, passwordTokenToGkInput);
            int responseCode = verifyChallenge.getResponseCode();
            if (responseCode != 0) {
                if (responseCode == 1) {
                    authenticationResult.gkResponse = new VerifyCredentialResponse(verifyChallenge.getTimeout());
                    return authenticationResult;
                }
                authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
                return authenticationResult;
            }
            authenticationResult.gkResponse = VerifyCredentialResponse.OK;
            if (verifyChallenge.getShouldReEnroll()) {
                GateKeeperResponse enroll = iGateKeeperService.enroll(fakeUid(i), fromBytes.passwordHandle, passwordTokenToGkInput, passwordTokenToGkInput);
                if (enroll.getResponseCode() == 0) {
                    fromBytes.passwordHandle = enroll.getPayload();
                    saveState(PASSWORD_DATA_NAME, fromBytes.toBytes(), j, i);
                    synchronizeFrpPassword(fromBytes, fromBytes.passwordType == 1 ? 65536 : 327680, i);
                } else {
                    Log.w(TAG, "Fail to re-enroll user password for user " + i);
                }
            }
            sidFromPasswordHandle = sidFromPasswordHandle(fromBytes.passwordHandle);
            transformUnderSecdiscardable = transformUnderSecdiscardable(computePasswordToken, loadSecdiscardable(j, i));
        } else {
            if (!isWeaverAvailable()) {
                Log.e(TAG, "No weaver service to unwrap password based SP");
                authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
                return authenticationResult;
            }
            authenticationResult.gkResponse = weaverVerify(loadWeaverSlot, passwordTokenToWeaverKey(computePasswordToken));
            if (authenticationResult.gkResponse.getResponseCode() != 0) {
                return authenticationResult;
            }
            sidFromPasswordHandle = 0;
            transformUnderSecdiscardable = transformUnderWeaverSecret(computePasswordToken, authenticationResult.gkResponse.getPayload());
        }
        if (iCheckCredentialProgressCallback != null) {
            iCheckCredentialProgressCallback.onCredentialVerified();
        }
        authenticationResult.authToken = unwrapSyntheticPasswordBlob(j, (byte) 0, transformUnderSecdiscardable, sidFromPasswordHandle, i);
        authenticationResult.gkResponse = verifyChallenge(iGateKeeperService, authenticationResult.authToken, 0L, i);
        return authenticationResult;
    }

    public AuthenticationResult unwrapTokenBasedSyntheticPassword(IGateKeeperService iGateKeeperService, long j, byte[] bArr, int i) throws RemoteException {
        AuthenticationResult authenticationResult = new AuthenticationResult();
        byte[] loadSecdiscardable = loadSecdiscardable(j, i);
        int loadWeaverSlot = loadWeaverSlot(j, i);
        if (loadWeaverSlot != -1) {
            if (!isWeaverAvailable()) {
                Log.e(TAG, "No weaver service to unwrap token based SP");
                authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
                return authenticationResult;
            }
            VerifyCredentialResponse weaverVerify = weaverVerify(loadWeaverSlot, null);
            if (weaverVerify.getResponseCode() != 0 || weaverVerify.getPayload() == null) {
                Log.e(TAG, "Failed to retrieve weaver secret when unwrapping token");
                authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
                return authenticationResult;
            }
            loadSecdiscardable = SyntheticPasswordCrypto.decrypt(weaverVerify.getPayload(), PERSONALISATION_WEAVER_TOKEN, loadSecdiscardable);
        }
        authenticationResult.authToken = unwrapSyntheticPasswordBlob(j, (byte) 1, transformUnderSecdiscardable(bArr, loadSecdiscardable), 0L, i);
        if (authenticationResult.authToken != null) {
            authenticationResult.gkResponse = verifyChallenge(iGateKeeperService, authenticationResult.authToken, 0L, i);
            if (authenticationResult.gkResponse == null) {
                authenticationResult.gkResponse = VerifyCredentialResponse.OK;
            }
        } else {
            authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
        }
        return authenticationResult;
    }

    private AuthenticationToken unwrapSyntheticPasswordBlob(long j, byte b, byte[] bArr, long j2, int i) {
        byte[] loadState = loadState(SP_BLOB_NAME, j, i);
        if (loadState == null) {
            return null;
        }
        byte b2 = loadState[0];
        if (b2 != 3 && b2 != 2 && b2 != 1) {
            throw new RuntimeException("Unknown blob version");
        }
        if (loadState[1] != b) {
            throw new RuntimeException("Invalid blob type");
        }
        byte[] decryptBlobV1 = b2 == 1 ? SyntheticPasswordCrypto.decryptBlobV1(getHandleName(j), Arrays.copyOfRange(loadState, 2, loadState.length), bArr) : decryptSPBlob(getHandleName(j), Arrays.copyOfRange(loadState, 2, loadState.length), bArr);
        if (decryptBlobV1 == null) {
            Log.e(TAG, "Fail to decrypt SP for user " + i);
            return null;
        }
        AuthenticationToken authenticationToken = new AuthenticationToken(b2);
        if (b != 1) {
            authenticationToken.syntheticPassword = new String(decryptBlobV1);
        } else {
            if (!loadEscrowData(authenticationToken, i)) {
                Log.e(TAG, "User is not escrowable: " + i);
                return null;
            }
            authenticationToken.recreate(decryptBlobV1);
        }
        if (b2 == 1) {
            Log.i(TAG, "Upgrade v1 SP blob for user " + i + ", type = " + ((int) b));
            createSyntheticPasswordBlob(j, b, authenticationToken, bArr, j2, i);
        }
        return authenticationToken;
    }

    public VerifyCredentialResponse verifyChallenge(IGateKeeperService iGateKeeperService, AuthenticationToken authenticationToken, long j, int i) throws RemoteException {
        VerifyCredentialResponse verifyCredentialResponse;
        byte[] loadSyntheticPasswordHandle = loadSyntheticPasswordHandle(i);
        if (loadSyntheticPasswordHandle == null) {
            return null;
        }
        GateKeeperResponse verifyChallenge = iGateKeeperService.verifyChallenge(i, j, loadSyntheticPasswordHandle, authenticationToken.deriveGkPassword());
        int responseCode = verifyChallenge.getResponseCode();
        if (responseCode == 0) {
            verifyCredentialResponse = new VerifyCredentialResponse(verifyChallenge.getPayload());
            if (verifyChallenge.getShouldReEnroll()) {
                GateKeeperResponse enroll = iGateKeeperService.enroll(i, loadSyntheticPasswordHandle, loadSyntheticPasswordHandle, authenticationToken.deriveGkPassword());
                if (enroll.getResponseCode() == 0) {
                    saveSyntheticPasswordHandle(enroll.getPayload(), i);
                    return verifyChallenge(iGateKeeperService, authenticationToken, j, i);
                }
                Log.w(TAG, "Fail to re-enroll SP handle for user " + i);
            }
        } else {
            verifyCredentialResponse = responseCode == 1 ? new VerifyCredentialResponse(verifyChallenge.getTimeout()) : VerifyCredentialResponse.ERROR;
        }
        return verifyCredentialResponse;
    }

    public boolean existsHandle(long j, int i) {
        return hasState(SP_BLOB_NAME, j, i);
    }

    public void destroyTokenBasedSyntheticPassword(long j, int i) {
        destroySyntheticPassword(j, i);
        destroyState(SECDISCARDABLE_NAME, j, i);
    }

    public void destroyPasswordBasedSyntheticPassword(long j, int i) {
        destroySyntheticPassword(j, i);
        destroyState(SECDISCARDABLE_NAME, j, i);
        destroyState(PASSWORD_DATA_NAME, j, i);
    }

    private void destroySyntheticPassword(long j, int i) {
        destroyState(SP_BLOB_NAME, j, i);
        destroySPBlobKey(getHandleName(j));
        if (hasState(WEAVER_SLOT_NAME, j, i)) {
            destroyWeaverSlot(j, i);
        }
    }

    /* JADX WARN: Type inference failed for: r1v1, types: [byte[], byte[][]] */
    private byte[] transformUnderWeaverSecret(byte[] bArr, byte[] bArr2) {
        byte[] personalisedHash = SyntheticPasswordCrypto.personalisedHash(PERSONALISATION_WEAVER_PASSWORD, new byte[]{bArr2});
        byte[] bArr3 = new byte[bArr.length + personalisedHash.length];
        System.arraycopy(bArr, 0, bArr3, 0, bArr.length);
        System.arraycopy(personalisedHash, 0, bArr3, bArr.length, personalisedHash.length);
        return bArr3;
    }

    /* JADX WARN: Type inference failed for: r1v1, types: [byte[], byte[][]] */
    private byte[] transformUnderSecdiscardable(byte[] bArr, byte[] bArr2) {
        byte[] personalisedHash = SyntheticPasswordCrypto.personalisedHash(PERSONALISATION_SECDISCARDABLE, new byte[]{bArr2});
        byte[] bArr3 = new byte[bArr.length + personalisedHash.length];
        System.arraycopy(bArr, 0, bArr3, 0, bArr.length);
        System.arraycopy(personalisedHash, 0, bArr3, bArr.length, personalisedHash.length);
        return bArr3;
    }

    private byte[] createSecdiscardable(long j, int i) {
        byte[] secureRandom = secureRandom(16384);
        saveSecdiscardable(j, secureRandom, i);
        return secureRandom;
    }

    private void saveSecdiscardable(long j, byte[] bArr, int i) {
        saveState(SECDISCARDABLE_NAME, bArr, j, i);
    }

    private byte[] loadSecdiscardable(long j, int i) {
        return loadState(SECDISCARDABLE_NAME, j, i);
    }

    private boolean hasState(String str, long j, int i) {
        return !ArrayUtils.isEmpty(loadState(str, j, i));
    }

    private byte[] loadState(String str, long j, int i) {
        return this.mStorage.readSyntheticPasswordState(i, j, str);
    }

    private void saveState(String str, byte[] bArr, long j, int i) {
        this.mStorage.writeSyntheticPasswordState(i, j, str, bArr);
    }

    private void destroyState(String str, long j, int i) {
        this.mStorage.deleteSyntheticPasswordState(i, j, str);
    }

    protected byte[] decryptSPBlob(String str, byte[] bArr, byte[] bArr2) {
        return SyntheticPasswordCrypto.decryptBlob(str, bArr, bArr2);
    }

    protected byte[] createSPBlob(String str, byte[] bArr, byte[] bArr2, long j) {
        return SyntheticPasswordCrypto.createBlob(str, bArr, bArr2, j);
    }

    protected void destroySPBlobKey(String str) {
        SyntheticPasswordCrypto.destroyBlobKey(str);
    }

    public static long generateHandle() {
        long nextLong;
        SecureRandom secureRandom = new SecureRandom();
        do {
            nextLong = secureRandom.nextLong();
        } while (nextLong == 0);
        return nextLong;
    }

    private int fakeUid(int i) {
        return 100000 + i;
    }

    protected static byte[] secureRandom(int i) {
        try {
            return SecureRandom.getInstance("SHA1PRNG").generateSeed(i);
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
            return null;
        }
    }

    private String getHandleName(long j) {
        return String.format("%s%x", "synthetic_password_", Long.valueOf(j));
    }

    private byte[] computePasswordToken(byte[] bArr, PasswordData passwordData) {
        return scrypt(bArr, passwordData.salt, 1 << passwordData.scryptN, 1 << passwordData.scryptR, 1 << passwordData.scryptP, 32);
    }

    /* JADX WARN: Type inference failed for: r1v1, types: [byte[], byte[][]] */
    private byte[] passwordTokenToGkInput(byte[] bArr) {
        return SyntheticPasswordCrypto.personalisedHash(PERSONALIZATION_USER_GK_AUTH, new byte[]{bArr});
    }

    /* JADX WARN: Type inference failed for: r1v1, types: [byte[], byte[][]] */
    private byte[] passwordTokenToWeaverKey(byte[] bArr) {
        byte[] personalisedHash = SyntheticPasswordCrypto.personalisedHash(PERSONALISATION_WEAVER_KEY, new byte[]{bArr});
        if (personalisedHash.length < this.mWeaverConfig.keySize) {
            throw new RuntimeException("weaver key length too small");
        }
        return Arrays.copyOf(personalisedHash, this.mWeaverConfig.keySize);
    }

    protected long sidFromPasswordHandle(byte[] bArr) {
        return nativeSidFromPasswordHandle(bArr);
    }

    protected byte[] scrypt(byte[] bArr, byte[] bArr2, int i, int i2, int i3, int i4) {
        return new Scrypt().scrypt(bArr, bArr2, i, i2, i3, i4);
    }

    native long nativeSidFromPasswordHandle(byte[] bArr);

    protected static ArrayList<Byte> toByteArrayList(byte[] bArr) {
        ArrayList<Byte> arrayList = new ArrayList<>(bArr.length);
        for (byte b : bArr) {
            arrayList.add(Byte.valueOf(b));
        }
        return arrayList;
    }

    protected static byte[] fromByteArrayList(ArrayList<Byte> arrayList) {
        byte[] bArr = new byte[arrayList.size()];
        for (int i = 0; i < arrayList.size(); i++) {
            bArr[i] = arrayList.get(i).byteValue();
        }
        return bArr;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static byte[] bytesToHex(byte[] bArr) {
        if (bArr == null) {
            return "null".getBytes();
        }
        byte[] bArr2 = new byte[bArr.length * 2];
        for (int i = 0; i < bArr.length; i++) {
            int i2 = bArr[i] & 255;
            bArr2[i * 2] = HEX_ARRAY[i2 >>> 4];
            bArr2[(i * 2) + 1] = HEX_ARRAY[i2 & 15];
        }
        return bArr2;
    }
}
