package com.android.server.locksettings;

import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.RequiresPermission;
import android.app.ActivityManager;
import android.app.IActivityManager;
import android.app.KeyguardManager;
import android.app.Notification;
import android.app.NotificationManager;
import android.app.PendingIntent;
import android.app.RemoteLockscreenValidationResult;
import android.app.RemoteLockscreenValidationSession;
import android.app.admin.DevicePolicyManager;
import android.app.admin.DevicePolicyManagerInternal;
import android.app.admin.DeviceStateCache;
import android.app.admin.PasswordMetrics;
import android.app.trust.IStrongAuthTracker;
import android.app.trust.TrustManager;
import android.content.BroadcastReceiver;
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.pm.PackageManager;
import android.content.pm.UserInfo;
import android.content.pm.UserProperties;
import android.content.res.Resources;
import android.database.ContentObserver;
import android.database.sqlite.SQLiteDatabase;
import android.hardware.authsecret.IAuthSecret;
import android.hardware.biometrics.BiometricManager;
import android.hardware.face.Face;
import android.hardware.face.FaceManager;
import android.hardware.fingerprint.Fingerprint;
import android.hardware.fingerprint.FingerprintManager;
import android.net.Uri;
import android.os.Binder;
import android.os.Bundle;
import android.os.Handler;
import android.os.IBinder;
import android.os.IProgressListener;
import android.os.RemoteException;
import android.os.ResultReceiver;
import android.os.ServiceManager;
import android.os.ShellCallback;
import android.os.SystemProperties;
import android.os.UserHandle;
import android.os.UserManager;
import android.os.storage.ICeStorageLockEventListener;
import android.os.storage.IStorageManager;
import android.os.storage.StorageManager;
import android.os.storage.StorageManagerInternal;
import android.provider.DeviceConfig;
import android.provider.Settings;
import android.security.AndroidKeyStoreMaintenance;
import android.security.Flags;
import android.security.KeyStoreAuthorization;
import android.security.keystore.KeyProtection;
import android.security.keystore.recovery.KeyChainProtectionParams;
import android.security.keystore.recovery.KeyChainSnapshot;
import android.security.keystore.recovery.RecoveryCertPath;
import android.security.keystore.recovery.WrappedApplicationKey;
import android.security.keystore2.AndroidKeyStoreLoadStoreParameter;
import android.security.keystore2.AndroidKeyStoreProvider;
import android.service.gatekeeper.IGateKeeperService;
import android.service.notification.StatusBarNotification;
import android.text.TextUtils;
import android.util.ArrayMap;
import android.util.ArraySet;
import android.util.Log;
import android.util.LongSparseArray;
import android.util.Slog;
import android.util.SparseArray;
import android.util.SparseIntArray;
import android.view.textclassifier.TextClassifier;
import com.android.ims.ImsManager;
import com.android.internal.annotations.GuardedBy;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.notification.SystemNotificationChannels;
import com.android.internal.util.ArrayUtils;
import com.android.internal.util.DumpUtils;
import com.android.internal.util.IndentingPrintWriter;
import com.android.internal.util.Preconditions;
import com.android.internal.widget.ICheckCredentialProgressCallback;
import com.android.internal.widget.ILockSettings;
import com.android.internal.widget.IWeakEscrowTokenActivatedListener;
import com.android.internal.widget.IWeakEscrowTokenRemovedListener;
import com.android.internal.widget.LockPatternUtils;
import com.android.internal.widget.LockSettingsInternal;
import com.android.internal.widget.LockSettingsStateListener;
import com.android.internal.widget.LockscreenCredential;
import com.android.internal.widget.RebootEscrowListener;
import com.android.internal.widget.VerifyCredentialResponse;
import com.android.server.LocalServices;
import com.android.server.ServiceThread;
import com.android.server.SystemService;
import com.android.server.job.controllers.JobStatus;
import com.android.server.locksettings.LockSettingsStorage;
import com.android.server.locksettings.RebootEscrowManager;
import com.android.server.locksettings.SyntheticPasswordManager;
import com.android.server.locksettings.recoverablekeystore.RecoverableKeyStoreManager;
import com.android.server.pm.UserManagerInternal;
import com.android.server.utils.Slogf;
import com.android.server.wm.WindowManagerInternal;
import java.io.FileDescriptor;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Objects;
import java.util.Set;
import java.util.StringJoiner;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import libcore.util.HexEncoding;

/* loaded from: input_file:com/android/server/locksettings/LockSettingsService.class */
public class LockSettingsService extends ILockSettings.Stub {
    // Log tag shared by this service and its nested helper classes.
    private static final String TAG = "LockSettingsService";
    // Permission names held as plain strings; the enforcement sites are outside this part of the file.
    private static final String PERMISSION = "android.permission.ACCESS_KEYGUARD_SECURE_STORAGE";
    private static final String BIOMETRIC_PERMISSION = "android.permission.MANAGE_BIOMETRIC";
    // Presumably the IV length in bytes for profile-key encryption (GCMParameterSpec is imported) - confirm at the use site.
    private static final int PROFILE_KEY_IV_SIZE = 12;
    // Key names used with the lock settings key/value storage; their read/write sites are not visible here.
    private static final String SEPARATE_PROFILE_CHALLENGE_KEY = "lockscreen.profilechallenge";
    private static final String PREV_LSKF_BASED_PROTECTOR_ID_KEY = "prev-sp-handle";
    private static final String LSKF_LAST_CHANGED_TIME_KEY = "sp-handle-ts";
    private static final String USER_SERIAL_NUMBER_KEY = "serial-number";
    // Migration marker keys; presumably record one-time data migrations that already ran - verify against the migration code.
    private static final String MIGRATED_FRP2 = "migrated_frp2";
    private static final String MIGRATED_KEYSTORE_NS = "migrated_keystore_namespace";
    private static final String MIGRATED_SP_CE_ONLY = "migrated_all_users_to_sp_and_bound_ce";
    private static final String MIGRATED_SP_FULL = "migrated_all_users_to_sp_and_bound_keys";
    // 600000 ms = 10 minutes. NOTE(review): by name this bounds how long a Gatekeeper password handle is retained - confirm where it is scheduled.
    private static final int GK_PW_HANDLE_STORE_DURATION_MS = 600000;
    // Alias prefixes for per-profile keys; the suffix appended to them is decided at the use site (not visible here).
    private static final String PROFILE_KEY_NAME_ENCRYPT = "profile_key_name_encrypt_";
    private static final String PROFILE_KEY_NAME_DECRYPT = "profile_key_name_decrypt_";
    // Length constant for the headless vendor auth secret; unit presumably bytes - confirm.
    private static final int HEADLESS_VENDOR_AUTH_SECRET_LENGTH = 32;
    // Plain monitor object; what it guards is determined by code outside this part of the file.
    private final Object mSeparateChallengeLock;
    // Observes the "device_provisioned" global setting (see DeviceProvisionedObserver).
    private final DeviceProvisionedObserver mDeviceProvisionedObserver;
    // Source of all external dependencies, so tests can substitute them.
    private final Injector mInjector;
    private final Context mContext;

    @VisibleForTesting
    protected final Handler mHandler;

    @VisibleForTesting
    protected final LockSettingsStorage mStorage;
    private final LockSettingsStrongAuth mStrongAuth;
    private final SynchronizedStrongAuthTracker mStrongAuthTracker;
    private final BiometricDeferredQueue mBiometricDeferredQueue;
    // byte[] values keyed by a long. NOTE(review): by name these are Gatekeeper password blobs and should be
    // treated as sensitive material - confirm they are zeroed when an entry is removed.
    private final LongSparseArray<byte[]> mGatekeeperPasswords;
    private final NotificationManager mNotificationManager;
    protected final UserManager mUserManager;
    private final IStorageManager mStorageManager;
    private final IActivityManager mActivityManager;
    // Also used as a monitor: RebootEscrowCallbacks synchronizes on this object around verifyChallenge().
    private final SyntheticPasswordManager mSpManager;
    private final KeyStore mKeyStore;
    private final KeyStoreAuthorization mKeyStoreAuthorization;
    private final RecoverableKeyStoreManager mRecoverableKeyStoreManager;
    private final UnifiedProfilePasswordCache mUnifiedProfilePasswordCache;
    private final RebootEscrowManager mRebootEscrowManager;
    // Monitor for the three @GuardedBy fields that follow.
    private final Object mUserCreationAndRemovalLock;

    @GuardedBy({"mUserCreationAndRemovalLock"})
    private SparseIntArray mEarlyCreatedUsers;

    @GuardedBy({"mUserCreationAndRemovalLock"})
    private SparseIntArray mEarlyRemovedUsers;

    @GuardedBy({"mUserCreationAndRemovalLock"})
    private boolean mThirdPartyAppsStarted;

    // Password metrics per user; the annotation requires holding this service's own monitor.
    @GuardedBy({"this"})
    private final SparseArray<PasswordMetrics> mUserPasswordMetrics;

    // Read by LocalService.setLockCredentialWithToken to reject setting a real credential when false.
    @VisibleForTesting
    protected boolean mHasSecureLockScreen;

    @VisibleForTesting
    protected final Object mHeadlessAuthSecretLock;

    // Secret bytes; the annotation requires mHeadlessAuthSecretLock for every access.
    @VisibleForTesting
    @GuardedBy({"mHeadlessAuthSecretLock"})
    protected byte[] mAuthSecret;
    // Set to null by GateKeeperDiedRecipient.binderDied() when the remote Gatekeeper binder dies.
    protected IGateKeeperService mGateKeeperService;
    protected IAuthSecret mAuthSecretService;
    private HashMap<UserHandle, UserManager> mUserManagerCache;
    // Copy-on-write list, so listeners can be added or removed while another thread iterates.
    private final CopyOnWriteArrayList<LockSettingsStateListener> mLockSettingsStateListeners;
    private final StorageManagerInternal mStorageManagerInternal;
    private final BroadcastReceiver mBroadcastReceiver;
    private final ICeStorageLockEventListener mCeStorageLockEventListener;
    // Flag value captured once at class initialisation; when true the USER_ADDED broadcast handler
    // returns before calling AndroidKeyStoreMaintenance.onUserAdded().
    private static final boolean FIX_UNLOCKED_DEVICE_REQUIRED_KEYS = Flags.fixUnlockedDeviceRequiredKeysV2();
    // UID allow-list: 0 is root and 1000 is the Android system UID; 1016 is presumably Process.VPN_UID - confirm.
    // The check that consults this array is outside this part of the file.
    private static final int[] SYSTEM_CREDENTIAL_UIDS = {1016, 0, 1000};

    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$DeviceProvisionedObserver.class */
    /**
     * Watches the {@code device_provisioned} global setting. Once the device reports as provisioned it
     * tells Gatekeeper that setup is complete and clears the FRP credential when the user owning that
     * credential has no secure lock screen.
     */
    private class DeviceProvisionedObserver extends ContentObserver {
        private final Uri mDeviceProvisionedUri;
        private boolean mRegistered;

        /** Creates the observer with a null handler and resolves the URI of the watched setting. */
        public DeviceProvisionedObserver() {
            super(null);
            this.mDeviceProvisionedUri = Settings.Global.getUriFor("device_provisioned");
        }

        /**
         * Reacts only to changes of the watched URI: refreshes the registration, then, if the device is
         * now provisioned, reports setup completion and clears an FRP credential that is no longer backed
         * by a secure owner.
         */
        @Override
        public void onChange(boolean z, Uri uri, int i) {
            if (!this.mDeviceProvisionedUri.equals(uri)) {
                return;
            }
            updateRegistration();
            if (!isProvisioned()) {
                return;
            }
            Slog.i(LockSettingsService.TAG, "Reporting device setup complete to IGateKeeperService");
            reportDeviceSetupComplete();
            clearFrpCredentialIfOwnerNotSecure();
        }

        /**
         * Called when the system is ready. With the FRP credential feature enabled the observer is
         * (un)registered as needed; with it disabled, an unprovisioned device reports setup completion
         * to Gatekeeper right away.
         */
        public void onSystemReady() {
            final Context context = LockSettingsService.this.mContext;
            if (LockPatternUtils.frpCredentialEnabled(context)) {
                updateRegistration();
                return;
            }
            if (!isProvisioned()) {
                Slog.i(LockSettingsService.TAG, "FRP credential disabled, reporting device setup complete to Gatekeeper immediately");
                reportDeviceSetupComplete();
            }
        }

        /** Notifies Gatekeeper that setup finished; a RemoteException is logged and not propagated. */
        private void reportDeviceSetupComplete() {
            try {
                LockSettingsService.this.getGateKeeperService().reportDeviceSetupComplete();
            } catch (RemoteException remoteFailure) {
                Slog.e(LockSettingsService.TAG, "Failure reporting to IGateKeeperService", remoteFailure);
            }
        }

        /**
         * Finds the first user that owns the FRP credential and, if that user is not secure, overwrites
         * the persistent data block entry. Only the first owning user is considered; a secure owner
         * leaves the stored credential untouched.
         */
        private void clearFrpCredentialIfOwnerNotSecure() {
            final LockSettingsService service = LockSettingsService.this;
            for (UserInfo candidate : service.mUserManager.getUsers()) {
                if (!LockPatternUtils.userOwnsFrpCredential(service.mContext, candidate)) {
                    continue;
                }
                if (!service.isUserSecure(candidate.id)) {
                    Slogf.d(LockSettingsService.TAG, "Clearing FRP credential tied to user %d", Integer.valueOf(candidate.id));
                    // NOTE(review): type 0 / qualityForUi 0 / null payload presumably mean "no credential" - confirm in LockSettingsStorage.
                    service.mStorage.writePersistentDataBlock(0, candidate.id, 0, null);
                }
                return;
            }
        }

        /** Keeps the observer registered exactly while the device is not yet provisioned. */
        private void updateRegistration() {
            final boolean shouldBeRegistered = !isProvisioned();
            if (shouldBeRegistered == this.mRegistered) {
                return;
            }
            final ContentResolver resolver = LockSettingsService.this.mContext.getContentResolver();
            if (shouldBeRegistered) {
                resolver.registerContentObserver(this.mDeviceProvisionedUri, false, this);
            } else {
                resolver.unregisterContentObserver(this);
            }
            this.mRegistered = shouldBeRegistered;
        }

        /** Returns true when the {@code device_provisioned} global setting is non-zero (default 0). */
        private boolean isProvisioned() {
            final ContentResolver resolver = LockSettingsService.this.mContext.getContentResolver();
            final int provisionedFlag = Settings.Global.getInt(resolver, "device_provisioned", 0);
            return provisionedFlag != 0;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$GateKeeperDiedRecipient.class */
    /**
     * Death recipient for the Gatekeeper binder: unlinks itself and drops the cached service reference
     * so that the reference is no longer reused after the remote process died.
     */
    public class GateKeeperDiedRecipient implements IBinder.DeathRecipient {
        private GateKeeperDiedRecipient() {
        }

        /**
         * Unlinks this recipient from the dead binder and clears the cached proxy.
         * NOTE(review): the field is read and written without a lock visible in this block - confirm the
         * synchronisation used by the code that repopulates mGateKeeperService.
         */
        @Override
        public void binderDied() {
            final LockSettingsService owner = LockSettingsService.this;
            owner.mGateKeeperService.asBinder().unlinkToDeath(this, 0);
            owner.mGateKeeperService = null;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$Injector.class */
    /**
     * Factory for every external dependency of LockSettingsService. Each getter can be overridden,
     * which lets tests replace system services, storage and keystore access.
     */
    public static class Injector {
        protected Context mContext;
        private ServiceThread mHandlerThread;
        private Handler mHandler;

        /** Stores the context used to look up system services. */
        public Injector(Context context) {
            this.mContext = context;
        }

        /** Returns the context given to the constructor. */
        public Context getContext() {
            return this.mContext;
        }

        /**
         * Lazily creates and starts the service thread, then returns it.
         * NOTE(review): priority 10 presumably is the background thread priority - confirm.
         */
        public ServiceThread getServiceThread() {
            if (this.mHandlerThread != null) {
                return this.mHandlerThread;
            }
            this.mHandlerThread = new ServiceThread(LockSettingsService.TAG, 10, true);
            this.mHandlerThread.start();
            return this.mHandlerThread;
        }

        /** Lazily creates a handler on the given thread's looper; later calls return the cached one. */
        public Handler getHandler(ServiceThread serviceThread) {
            if (this.mHandler != null) {
                return this.mHandler;
            }
            this.mHandler = new Handler(serviceThread.getLooper());
            return this.mHandler;
        }

        /**
         * Creates the lock settings storage. When the database is first created and the system property
         * {@code ro.lockscreen.disable.default} is true, the callback writes {@code lockscreen.disabled=1}
         * with 0 as the last argument (presumably the user id - confirm), i.e. the lock screen starts out
         * disabled on such builds.
         */
        public LockSettingsStorage getStorage() {
            final LockSettingsStorage storage = new LockSettingsStorage(this.mContext);
            storage.setDatabaseOnCreateCallback(new LockSettingsStorage.Callback() {
                @Override
                public void initialize(SQLiteDatabase sQLiteDatabase) {
                    final boolean disabledByDefault = SystemProperties.getBoolean("ro.lockscreen.disable.default", false);
                    if (disabledByDefault) {
                        storage.writeKeyValue(sQLiteDatabase, "lockscreen.disabled", "1", 0);
                    }
                }
            });
            return storage;
        }

        /** Creates a new strong-auth helper bound to the context. */
        public LockSettingsStrongAuth getStrongAuth() {
            return new LockSettingsStrongAuth(this.mContext);
        }

        /** Creates a new synchronized strong-auth tracker bound to the context. */
        public SynchronizedStrongAuthTracker getStrongAuthTracker() {
            return new SynchronizedStrongAuthTracker(this.mContext);
        }

        /** Returns the activity manager service interface. */
        public IActivityManager getActivityManager() {
            return ActivityManager.getService();
        }

        /**
         * Looks up the notification manager.
         * NOTE(review): TextClassifier.WIDGET_TYPE_NOTIFICATION has the value "notification"; the
         * decompiler appears to have matched the service-name literal to this unrelated constant - confirm
         * against the original source.
         */
        public NotificationManager getNotificationManager() {
            final Object service = this.mContext.getSystemService(TextClassifier.WIDGET_TYPE_NOTIFICATION);
            return (NotificationManager) service;
        }

        /** Looks up the user manager system service. */
        public UserManager getUserManager() {
            final Object service = this.mContext.getSystemService("user");
            return (UserManager) service;
        }

        /** Returns the in-process user manager interface from LocalServices. */
        public UserManagerInternal getUserManagerInternal() {
            return (UserManagerInternal) LocalServices.getService(UserManagerInternal.class);
        }

        /** Looks up the device policy manager system service. */
        public DevicePolicyManager getDevicePolicyManager() {
            final Object service = this.mContext.getSystemService("device_policy");
            return (DevicePolicyManager) service;
        }

        /** Returns the process-wide device state cache. */
        public DeviceStateCache getDeviceStateCache() {
            return DeviceStateCache.getInstance();
        }

        /** Returns the recoverable keystore manager for the context. */
        public RecoverableKeyStoreManager getRecoverableKeyStoreManager() {
            return RecoverableKeyStoreManager.getInstance(this.mContext);
        }

        /** Returns the storage manager interface, or null when the "mount" service is not registered. */
        public IStorageManager getStorageManager() {
            final IBinder mountBinder = ServiceManager.getService("mount");
            return mountBinder == null ? null : IStorageManager.Stub.asInterface(mountBinder);
        }

        /** Returns the in-process storage manager interface from LocalServices. */
        public StorageManagerInternal getStorageManagerInternal() {
            return (StorageManagerInternal) LocalServices.getService(StorageManagerInternal.class);
        }

        /** Creates a synthetic password manager on top of the given storage with a fresh slot manager. */
        public SyntheticPasswordManager getSyntheticPasswordManager(LockSettingsStorage lockSettingsStorage) {
            final PasswordSlotManager slotManager = new PasswordSlotManager();
            return new SyntheticPasswordManager(getContext(), lockSettingsStorage, getUserManager(), slotManager);
        }

        /** Creates the reboot escrow manager; it runs on the handler of the shared service thread. */
        public RebootEscrowManager getRebootEscrowManager(RebootEscrowManager.Callbacks callbacks, LockSettingsStorage lockSettingsStorage) {
            final Handler escrowHandler = getHandler(getServiceThread());
            return new RebootEscrowManager(this.mContext, callbacks, lockSettingsStorage, escrowHandler, getUserManagerInternal());
        }

        /** Returns the UID of the current binder caller; overridable so tests can fake the caller. */
        public int binderGetCallingUid() {
            return Binder.getCallingUid();
        }

        /** Reports whether LockPatternUtils considers a GSI to be running. */
        public boolean isGsiRunning() {
            return LockPatternUtils.isGsiRunning();
        }

        /** Returns the fingerprint manager, or null when the device lacks the fingerprint feature. */
        public FingerprintManager getFingerprintManager() {
            final PackageManager packageManager = this.mContext.getPackageManager();
            if (!packageManager.hasSystemFeature("android.hardware.fingerprint")) {
                return null;
            }
            return (FingerprintManager) this.mContext.getSystemService("fingerprint");
        }

        /** Returns the face manager, or null when the device lacks the face biometrics feature. */
        public FaceManager getFaceManager() {
            final PackageManager packageManager = this.mContext.getPackageManager();
            if (!packageManager.hasSystemFeature("android.hardware.biometrics.face")) {
                return null;
            }
            return (FaceManager) this.mContext.getSystemService("face");
        }

        /** Looks up the biometric manager system service. */
        public BiometricManager getBiometricManager() {
            final Object service = this.mContext.getSystemService("biometric");
            return (BiometricManager) service;
        }

        /**
         * Loads the Android keystore in the namespace chosen by SyntheticPasswordCrypto.
         *
         * @throws IllegalStateException wrapping any failure to obtain or load the keystore
         */
        public KeyStore getKeyStore() {
            try {
                final KeyStore loaded = KeyStore.getInstance(SyntheticPasswordCrypto.androidKeystoreProviderName());
                loaded.load(new AndroidKeyStoreLoadStoreParameter(SyntheticPasswordCrypto.keyNamespace()));
                return loaded;
            } catch (Exception e) {
                // Broad catch is deliberate here: every failure becomes one unchecked error, cause preserved.
                throw new IllegalStateException("Cannot load keystore", e);
            }
        }

        /** Returns the keystore authorization singleton. */
        public KeyStoreAuthorization getKeyStoreAuthorization() {
            return KeyStoreAuthorization.getInstance();
        }

        /** Creates the cache for unified profile passwords backed by the given keystore. */
        @NonNull
        public UnifiedProfilePasswordCache getUnifiedProfilePasswordCache(KeyStore keyStore) {
            return new UnifiedProfilePasswordCache(keyStore);
        }

        /** Reports whether the device runs in headless system user mode. */
        public boolean isHeadlessSystemUserMode() {
            return UserManager.isHeadlessSystemUserMode();
        }

        /**
         * Reads a boolean framework resource by raw id.
         * NOTE(review): 17891763 is an id inlined by the decompiler; which resource it names is not
         * visible here - confirm against the framework resource table for this build.
         */
        public boolean isMainUserPermanentAdmin() {
            final Resources systemResources = Resources.getSystem();
            return systemResources.getBoolean(17891763);
        }
    }

    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$Lifecycle.class */
    /**
     * SystemService wrapper that creates LockSettingsService, publishes it as the {@code lock_settings}
     * binder service and forwards boot-phase and user lifecycle events to it.
     */
    public static final class Lifecycle extends SystemService {
        private LockSettingsService mLockSettingsService;

        public Lifecycle(Context context) {
            super(context);
        }

        /** Installs the Android keystore provider first, then builds and publishes the service. */
        @Override
        public void onStart() {
            AndroidKeyStoreProvider.install();
            final LockSettingsService service = new LockSettingsService(getContext());
            this.mLockSettingsService = service;
            publishBinderService("lock_settings", service);
        }

        /**
         * Runs data migration and repair-mode cleanup at phase 550 and loads escrow data at phase 1000.
         * NOTE(review): 550 and 1000 are presumably the "activity manager ready" and "boot completed"
         * phases of SystemService - confirm against the constants.
         */
        @Override
        public void onBootPhase(int i) {
            super.onBootPhase(i);
            switch (i) {
                case 550:
                    this.mLockSettingsService.migrateOldDataAfterSystemReady();
                    this.mLockSettingsService.deleteRepairModePersistentDataIfNeeded();
                    break;
                case 1000:
                    this.mLockSettingsService.loadEscrowData();
                    break;
                default:
                    break;
            }
        }

        /** Forwards the starting user's id to the service. */
        @Override
        public void onUserStarting(@NonNull SystemService.TargetUser targetUser) {
            final int userId = targetUser.getUserIdentifier();
            this.mLockSettingsService.onUserStarting(userId);
        }

        /** Forwards the unlocking user's id to the service. */
        @Override
        public void onUserUnlocking(@NonNull SystemService.TargetUser targetUser) {
            final int userId = targetUser.getUserIdentifier();
            this.mLockSettingsService.onUserUnlocking(userId);
        }

        /** Forwards the stopped user's id to the service. */
        @Override
        public void onUserStopped(@NonNull SystemService.TargetUser targetUser) {
            final int userId = targetUser.getUserIdentifier();
            this.mLockSettingsService.onUserStopped(userId);
        }
    }

    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$LocalService.class */
    /**
     * In-process (LockSettingsInternal) facade over LockSettingsService. Most methods delegate directly
     * to the outer service; no permission check is performed in this class itself, so callers are the
     * trust boundary.
     */
    private final class LocalService extends LockSettingsInternal {
        private LocalService() {
        }

        /** Delegates to the outer service. */
        @Override
        public void onThirdPartyAppsStarted() {
            LockSettingsService.this.onThirdPartyAppsStarted();
        }

        /** Delegates to the outer service with both arguments unchanged. */
        @Override
        public void createNewUser(int i, int i2) {
            LockSettingsService.this.createNewUser(i, i2);
        }

        /** Delegates to the outer service. */
        @Override
        public void removeUser(int i) {
            LockSettingsService.this.removeUser(i);
        }

        /**
         * Adds an escrow token through the outer service, always passing 0 as its second argument.
         * NOTE(review): that 0 is presumably the token type (strong token) - confirm against the outer method.
         */
        @Override
        public long addEscrowToken(byte[] bArr, int i, LockPatternUtils.EscrowTokenStateChangeCallback escrowTokenStateChangeCallback) {
            final LockSettingsService service = LockSettingsService.this;
            return service.addEscrowToken(bArr, 0, i, escrowTokenStateChangeCallback);
        }

        /** Delegates to the outer service. */
        @Override
        public boolean removeEscrowToken(long j, int i) {
            return LockSettingsService.this.removeEscrowToken(j, i);
        }

        /** Delegates to the outer service. */
        @Override
        public boolean isEscrowTokenActive(long j, int i) {
            return LockSettingsService.this.isEscrowTokenActive(j, i);
        }

        /**
         * Sets a credential using an escrow token and, on success, runs the post-change hook.
         *
         * @return false when the outer service rejects the change, true otherwise
         * @throws UnsupportedOperationException if the device has no secure lock screen and the new
         *         credential is non-null with a type other than -1 (presumably "none" - confirm)
         */
        @Override
        public boolean setLockCredentialWithToken(LockscreenCredential lockscreenCredential, long j, byte[] bArr, int i) {
            final LockSettingsService service = LockSettingsService.this;
            final boolean setsRealCredential = lockscreenCredential != null && lockscreenCredential.getType() != -1;
            if (!service.mHasSecureLockScreen && setsRealCredential) {
                throw new UnsupportedOperationException("This operation requires secure lock screen feature.");
            }
            final boolean changed = service.setLockCredentialWithToken(lockscreenCredential, j, bArr, i);
            if (changed) {
                service.onPostPasswordChanged(lockscreenCredential, i);
            }
            return changed;
        }

        /** Delegates to the outer service. */
        @Override
        public boolean unlockUserWithToken(long j, byte[] bArr, int i) {
            return LockSettingsService.this.unlockUserWithToken(j, bArr, i);
        }

        /**
         * Returns the password metrics for a user with the binder calling identity cleared, so the lookup
         * runs under this process's own identity; the caller's identity is always restored. Logs a
         * warning when asked about a profile that uses a unified lock.
         */
        @Override
        public PasswordMetrics getUserPasswordMetrics(int i) {
            final long callerToken = Binder.clearCallingIdentity();
            try {
                if (LockSettingsService.this.isProfileWithUnifiedLock(i)) {
                    Slog.w(LockSettingsService.TAG, "Querying password metrics for unified challenge profile: " + i);
                }
                return LockSettingsService.this.getUserPasswordMetrics(i);
            } finally {
                Binder.restoreCallingIdentity(callerToken);
            }
        }

        /**
         * Prepares reboot escrow and, when that succeeds, raises strong-auth requirement flag 64 for
         * user -1. NOTE(review): 64 / -1 presumably mean "unattended update" and "all users" - confirm.
         */
        @Override
        public boolean prepareRebootEscrow() {
            final LockSettingsService service = LockSettingsService.this;
            final boolean prepared = service.mRebootEscrowManager.prepareRebootEscrow();
            if (prepared) {
                service.mStrongAuth.requireStrongAuth(64, -1);
            }
            return prepared;
        }

        /** Forwards the listener to the reboot escrow manager. */
        @Override
        public void setRebootEscrowListener(RebootEscrowListener rebootEscrowListener) {
            LockSettingsService.this.mRebootEscrowManager.setRebootEscrowListener(rebootEscrowListener);
        }

        /** Clears reboot escrow and, when that succeeds, lifts the strong-auth flag set by prepareRebootEscrow(). */
        @Override
        public boolean clearRebootEscrow() {
            final LockSettingsService service = LockSettingsService.this;
            final boolean cleared = service.mRebootEscrowManager.clearRebootEscrow();
            if (cleared) {
                service.mStrongAuth.noLongerRequireStrongAuth(64, -1);
            }
            return cleared;
        }

        /** Returns the result of arming reboot escrow in the reboot escrow manager. */
        @Override
        public int armRebootEscrow() {
            return LockSettingsService.this.mRebootEscrowManager.armRebootEscrowIfNeeded();
        }

        /** Delegates to the strong-auth helper. */
        @Override
        public void refreshStrongAuthTimeout(int i) {
            LockSettingsService.this.mStrongAuth.refreshStrongAuthTimeout(i);
        }

        /**
         * Registers a state listener.
         *
         * @throws NullPointerException if the listener is null
         */
        @Override
        public void registerLockSettingsStateListener(@NonNull LockSettingsStateListener lockSettingsStateListener) {
            final LockSettingsStateListener checked = Objects.requireNonNull(lockSettingsStateListener, "listener cannot be null");
            LockSettingsService.this.mLockSettingsStateListeners.add(checked);
        }

        /** Removes a previously registered state listener; unlike registration, null is not rejected here. */
        @Override
        public void unregisterLockSettingsStateListener(@NonNull LockSettingsStateListener lockSettingsStateListener) {
            LockSettingsService.this.mLockSettingsStateListeners.remove(lockSettingsStateListener);
        }
    }

    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$RebootEscrowCallbacks.class */
    /**
     * Callbacks handed to RebootEscrowManager: answers whether a user is secure and consumes a
     * synthetic password restored from reboot escrow.
     */
    private class RebootEscrowCallbacks implements RebootEscrowManager.Callbacks {
        private RebootEscrowCallbacks() {
        }

        /** Delegates to the outer service. */
        @Override
        public boolean isUserSecure(int i) {
            return LockSettingsService.this.isUserSecure(i);
        }

        /**
         * Rebuilds a synthetic password from escrowed bytes and treats it as a verified credential for
         * user {@code i}, without any user interaction at this point.
         * NOTE(review): the value returned by verifyChallenge() is not inspected before
         * onCredentialVerified() runs - confirm that this is intended.
         */
        @Override
        public void onRebootEscrowRestored(byte b, byte[] bArr, int i) {
            final LockSettingsService service = LockSettingsService.this;
            final SyntheticPasswordManager.SyntheticPassword restoredSp = new SyntheticPasswordManager.SyntheticPassword(b);
            restoredSp.recreateDirectly(bArr);
            // The Gatekeeper lookup stays inside the monitor, as in the original lock ordering.
            synchronized (service.mSpManager) {
                service.mSpManager.verifyChallenge(service.getGateKeeperService(), restoredSp, 0L, i);
            }
            Slogf.i(LockSettingsService.TAG, "Restored synthetic password for user %d using reboot escrow", Integer.valueOf(i));
            service.onCredentialVerified(restoredSp, service.loadPasswordMetrics(restoredSp, i), i);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @VisibleForTesting
    /* loaded from: input_file:com/android/server/locksettings/LockSettingsService$SynchronizedStrongAuthTracker.class */
    /**
     * StrongAuthTracker whose update and read paths both hold the tracker's own monitor, so a reader
     * never runs concurrently with an update of the strong-auth state.
     */
    public static class SynchronizedStrongAuthTracker extends LockPatternUtils.StrongAuthTracker {
        public SynchronizedStrongAuthTracker(Context context) {
            super(context);
        }

        /** Applies the superclass update while holding this tracker's monitor. */
        @Override
        public void handleStrongAuthRequiredChanged(int i, int i2) {
            synchronized (this) {
                super.handleStrongAuthRequiredChanged(i, i2);
            }
        }

        /** Reads the superclass value while holding this tracker's monitor. */
        @Override
        public int getStrongAuthForUser(int i) {
            synchronized (this) {
                return super.getStrongAuthForUser(i);
            }
        }

        /** Registers this tracker's binder stub with the given strong-auth helper. */
        void register(LockSettingsStrongAuth lockSettingsStrongAuth) {
            final IStrongAuthTracker.Stub trackerStub = getStub();
            lockSettingsStrongAuth.registerStrongAuthTracker(trackerStub);
        }
    }

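    /**
     * Creates the random credential used for a profile whose lock is tied to its parent: 40 random
     * bytes are hex-encoded and the resulting characters are passed on as password bytes.
     *
     * <p>All three intermediate buffers are wiped in a {@code finally} block, so the secret does not
     * stay behind in them even when encoding or credential creation throws. The credential is returned
     * after its source array has been zeroed, so the factory presumably keeps its own copy - confirm in
     * LockscreenCredential.
     *
     * @return a new unified-profile password credential; the caller is responsible for closing it
     */
    private LockscreenCredential generateRandomProfilePassword() {
        final byte[] randomBytes = SecureRandomUtils.randomBytes(40);
        char[] hexChars = null;
        byte[] passwordBytes = null;
        try {
            hexChars = HexEncoding.encode(randomBytes);
            passwordBytes = new byte[hexChars.length];
            // Hex digits are ASCII, so the narrowing cast loses nothing.
            for (int idx = 0; idx < hexChars.length; idx++) {
                passwordBytes[idx] = (byte) hexChars[idx];
            }
            return LockscreenCredential.createUnifiedProfilePassword(passwordBytes);
        } finally {
            if (hexChars != null) {
                Arrays.fill(hexChars, (char) 0);
            }
            if (passwordBytes != null) {
                Arrays.fill(passwordBytes, (byte) 0);
            }
            Arrays.fill(randomBytes, (byte) 0);
        }
    }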

    /**
     * Ties the lock of profile {@code i} to its parent when the profile shares credentials with the
     * parent, has no separate challenge and has no child profile lock stored yet.
     *
     * <p>If the parent is not secure but the profile still has a credential, the profile credential is
     * cleared to match the parent. Otherwise, when Gatekeeper reports a non-zero secure user id for the
     * parent, a random profile password is set, tied to the parent and cached; that credential object is
     * closed on every path.
     *
     * @param i profile user id
     * @param lockscreenCredential the profile's current credential, passed as the saved credential
     */
    private void tieProfileLockIfNecessary(int i, LockscreenCredential lockscreenCredential) {
        if (!isCredentialSharableWithParent(i)) {
            return;
        }
        if (getSeparateProfileChallengeEnabledInternal(i)) {
            return;
        }
        if (this.mStorage.hasChildProfileLock(i)) {
            return;
        }
        final UserInfo parent = this.mUserManager.getProfileParent(i);
        if (parent == null) {
            return;
        }
        if (!isUserSecure(parent.id) && !lockscreenCredential.isNone()) {
            Slogf.i(TAG, "Clearing password for profile user %d to match parent", Integer.valueOf(i));
            // NOTE(review): the trailing 'true' presumably marks the lock as tied to the parent - confirm.
            setLockCredentialInternal(LockscreenCredential.createNone(), lockscreenCredential, i, true);
            return;
        }
        try {
            final long parentSecureUserId = getGateKeeperService().getSecureUserId(parent.id);
            if (parentSecureUserId == 0) {
                return;
            }
            // try-with-resources closes the random credential whether or not the steps below throw.
            try (LockscreenCredential randomProfilePassword = generateRandomProfilePassword()) {
                setLockCredentialInternal(randomProfilePassword, lockscreenCredential, i, true);
                tieProfileLockToParent(i, parent.id, randomProfilePassword);
                this.mUnifiedProfilePasswordCache.storePassword(i, randomProfilePassword, parentSecureUserId);
            }
        } catch (RemoteException e) {
            Slog.e(TAG, "Failed to talk to GateKeeper service", e);
        }
    }

    /**
     * Production constructor: wraps the context in the default {@link Injector} and delegates to the
     * injector-based constructor.
     *
     * @param context context handed to the default Injector
     */
    public LockSettingsService(Context context) {
        this(new Injector(context));
    }

    /**
     * Wires the service from an {@link Injector}.
     *
     * <p>Allocates the locks and per-user caches, creates the broadcast receiver and the CE
     * storage lock listener, pulls every collaborator from the injector, registers the receiver
     * for all users and publishes the {@code LockSettingsInternal} local service.
     *
     * @param injector source of all collaborators; tests can substitute their own
     */
    @VisibleForTesting
    protected LockSettingsService(Injector injector) {
        this.mSeparateChallengeLock = new Object();
        this.mDeviceProvisionedObserver = new DeviceProvisionedObserver();
        this.mUserCreationAndRemovalLock = new Object();
        this.mEarlyCreatedUsers = new SparseIntArray();
        this.mEarlyRemovedUsers = new SparseIntArray();
        this.mUserPasswordMetrics = new SparseArray<>();
        this.mHeadlessAuthSecretLock = new Object();
        this.mUserManagerCache = new HashMap<>();
        this.mLockSettingsStateListeners = new CopyOnWriteArrayList<>();
        // Receiver for the three actions added to the IntentFilter further down.
        this.mBroadcastReceiver = new BroadcastReceiver() { // from class: com.android.server.locksettings.LockSettingsService.2
            @Override // android.content.BroadcastReceiver
            public void onReceive(Context context, Intent intent) {
                if ("android.intent.action.USER_ADDED".equals(intent.getAction())) {
                    // With FIX_UNLOCKED_DEVICE_REQUIRED_KEYS set, USER_ADDED is ignored here.
                    if (LockSettingsService.FIX_UNLOCKED_DEVICE_REQUIRED_KEYS) {
                        return;
                    }
                    // The user id comes from the intent extra and falls back to 0 when absent.
                    AndroidKeyStoreMaintenance.onUserAdded(intent.getIntExtra("android.intent.extra.user_handle", 0));
                } else if ("android.intent.action.USER_STARTING".equals(intent.getAction())) {
                    LockSettingsService.this.mStorage.prefetchUser(intent.getIntExtra("android.intent.extra.user_handle", 0));
                } else if ("android.intent.action.LOCALE_CHANGED".equals(intent.getAction())) {
                    LockSettingsService.this.updateActivatedEncryptionNotifications("locale changed");
                }
            }
        };
        // Listener that demands strong auth again once a user's CE storage is locked. It only
        // acts when all three feature flags are on and the user's properties allow stopping
        // with delayed locking; the work runs on mHandler.
        this.mCeStorageLockEventListener = new ICeStorageLockEventListener() { // from class: com.android.server.locksettings.LockSettingsService.3
            @Override // android.os.storage.ICeStorageLockEventListener
            public void onStorageLocked(int i) {
                Slog.i(LockSettingsService.TAG, "Storage lock event received for " + i);
                if (com.android.internal.hidden_from_bootclasspath.android.os.Flags.allowPrivateProfile() && android.multiuser.Flags.enablePrivateSpaceFeatures() && android.multiuser.Flags.enableBiometricsToUnlockPrivateSpace()) {
                    LockSettingsService.this.mHandler.post(() -> {
                        try {
                            UserProperties userProperties = LockSettingsService.this.mUserManager.getUserProperties(UserHandle.of(i));
                            if (userProperties != null && userProperties.getAllowStoppingUserWithDelayedLocking()) {
                                LockSettingsService.this.requireStrongAuth(LockPatternUtils.StrongAuthTracker.getDefaultFlags(LockSettingsService.this.mContext), i);
                            }
                        } catch (IllegalArgumentException e) {
                            // Treated as "user is gone": logged at debug level, no strong auth.
                            Slogf.d(LockSettingsService.TAG, "User %d does not exist or has been removed", Integer.valueOf(i));
                        }
                    });
                }
            }
        };
        this.mInjector = injector;
        this.mContext = injector.getContext();
        this.mKeyStore = injector.getKeyStore();
        this.mKeyStoreAuthorization = injector.getKeyStoreAuthorization();
        this.mRecoverableKeyStoreManager = injector.getRecoverableKeyStoreManager();
        this.mHandler = injector.getHandler(injector.getServiceThread());
        this.mStrongAuth = injector.getStrongAuth();
        this.mActivityManager = injector.getActivityManager();
        IntentFilter intentFilter = new IntentFilter();
        intentFilter.addAction("android.intent.action.USER_ADDED");
        intentFilter.addAction("android.intent.action.USER_STARTING");
        intentFilter.addAction("android.intent.action.LOCALE_CHANGED");
        // Registered for all users; the two trailing nulls mean no sender permission and no
        // handler are supplied.
        // NOTE(review): presumably relies on these actions being system-protected broadcasts;
        // confirm. mStorage, which the USER_STARTING branch reads, is assigned only after this
        // registration.
        injector.getContext().registerReceiverAsUser(this.mBroadcastReceiver, UserHandle.ALL, intentFilter, null, null);
        this.mStorage = injector.getStorage();
        this.mNotificationManager = injector.getNotificationManager();
        this.mUserManager = injector.getUserManager();
        this.mStorageManager = injector.getStorageManager();
        this.mStorageManagerInternal = injector.getStorageManagerInternal();
        this.mStrongAuthTracker = injector.getStrongAuthTracker();
        this.mStrongAuthTracker.register(this.mStrongAuth);
        this.mGatekeeperPasswords = new LongSparseArray<>();
        // These collaborators are built from mStorage / mKeyStore, so they must follow them.
        this.mSpManager = injector.getSyntheticPasswordManager(this.mStorage);
        this.mUnifiedProfilePasswordCache = injector.getUnifiedProfilePasswordCache(this.mKeyStore);
        this.mBiometricDeferredQueue = new BiometricDeferredQueue(this.mSpManager);
        this.mRebootEscrowManager = injector.getRebootEscrowManager(new RebootEscrowCallbacks(), this.mStorage);
        LocalServices.addService(LockSettingsInternal.class, new LocalService());
    }

    /**
     * Re-evaluates the encryption notification for every user that currently shows it.
     *
     * <p>A user counts as showing it when one of its active notifications has id 9, the id this
     * class uses when posting and cancelling the encryption notification.
     *
     * @param str reason string passed through to the log message
     */
    private void updateActivatedEncryptionNotifications(String str) {
        for (UserInfo user : this.mUserManager.getUsers()) {
            Context userContext = this.mContext.createContextAsUser(UserHandle.of(user.id), 0);
            // NOTE(review): TextClassifier.WIDGET_TYPE_NOTIFICATION is used as the system
            // service name here; this looks like a constant the decompiler substituted for the
            // notification service name - confirm.
            NotificationManager manager = (NotificationManager) userContext.getSystemService(TextClassifier.WIDGET_TYPE_NOTIFICATION);
            for (StatusBarNotification active : manager.getActiveNotifications()) {
                if (active.getId() == 9) {
                    maybeShowEncryptionNotificationForUser(user.id, str);
                    // One match per user is enough.
                    break;
                }
            }
        }
    }

    /**
     * Shows the encryption notification for a managed profile whose CE storage is still locked.
     *
     * <p>The notification is shown only when the profile is secure, is not unlocking or
     * unlocked, has a parent that is unlocking or unlocked, and quiet mode is off.
     *
     * @param i user id to check
     * @param str reason string passed through to the log message
     */
    private void maybeShowEncryptionNotificationForUser(int i, String str) {
        final UserInfo user = this.mUserManager.getUserInfo(i);
        if (!user.isManagedProfile() || isCeStorageUnlocked(i)) {
            return;
        }
        final UserHandle profileHandle = user.getUserHandle();
        if (!isUserSecure(i)) {
            return;
        }
        if (this.mUserManager.isUserUnlockingOrUnlocked(profileHandle)) {
            return;
        }
        final UserInfo parent = this.mUserManager.getProfileParent(i);
        if (parent == null) {
            return;
        }
        if (!this.mUserManager.isUserUnlockingOrUnlocked(parent.getUserHandle())) {
            return;
        }
        if (this.mUserManager.isQuietModeEnabled(profileHandle)) {
            return;
        }
        showEncryptionNotificationForProfile(profileHandle, parent.getUserHandle(), str);
    }

    /**
     * Builds the "confirm device credential" pending intent for a profile and posts the
     * encryption notification with it.
     *
     * <p>Nothing is posted when no confirm-credential intent can be created or when storage is
     * not file-encrypted.
     *
     * @param userHandle the profile the notification is for
     * @param userHandle2 the parent user; used as the target user of the pending intent when
     *     the {@code hsumUnlockNotificationFix} flag is on
     * @param str reason string, only used in the log message
     */
    private void showEncryptionNotificationForProfile(UserHandle userHandle, UserHandle userHandle2, String str) {
        final String title = getEncryptionNotificationTitle();
        final String message = getEncryptionNotificationMessage();
        final String detail = getEncryptionNotificationDetail();

        final KeyguardManager keyguard = (KeyguardManager) this.mContext.getSystemService("keyguard");
        final Intent unlockIntent = keyguard.createConfirmDeviceCredentialIntent(null, null, userHandle.getIdentifier());
        if (unlockIntent == null || !StorageManager.isFileEncrypted()) {
            return;
        }

        // Same value as the literal 276824064 (0x10800000).
        unlockIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_EXCLUDE_FROM_RECENTS);

        // Same value as the literal 167772160 (0x0A000000).
        // NOTE(review): this PendingIntent is created mutable by a privileged process. A
        // mutable PendingIntent lets whoever sends it fill in intent fields left unset; check
        // whether PendingIntent.FLAG_IMMUTABLE can be used for this notification instead.
        final int pendingFlags = PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_MUTABLE;

        final PendingIntent contentIntent;
        if (android.app.admin.flags.Flags.hsumUnlockNotificationFix()) {
            contentIntent = PendingIntent.getActivityAsUser(this.mContext, 0, unlockIntent, pendingFlags, null, userHandle2);
        } else {
            contentIntent = PendingIntent.getActivity(this.mContext, 0, unlockIntent, pendingFlags);
        }

        Slogf.d(TAG, "Showing encryption notification for user %d; reason: %s", Integer.valueOf(userHandle.getIdentifier()), str);
        showEncryptionNotification(userHandle, title, message, detail, contentIntent);
    }

    /**
     * Returns the notification title from the device policy resources, falling back to the
     * framework string resource 17041532.
     */
    private String getEncryptionNotificationTitle() {
        return this.mInjector.getDevicePolicyManager().getResources().getString("Core.PROFILE_ENCRYPTED_TITLE", () -> this.mContext.getString(17041532));
    }

    /**
     * Returns the notification detail text from the device policy resources, falling back to
     * the framework string resource 17041530.
     */
    private String getEncryptionNotificationDetail() {
        return this.mInjector.getDevicePolicyManager().getResources().getString("Core.PROFILE_ENCRYPTED_DETAIL", () -> this.mContext.getString(17041530));
    }

    /**
     * Returns the notification message from the device policy resources, falling back to the
     * framework string resource 17041531.
     */
    private String getEncryptionNotificationMessage() {
        return this.mInjector.getDevicePolicyManager().getResources().getString("Core.PROFILE_ENCRYPTED_MESSAGE", () -> this.mContext.getString(17041531));
    }

    /**
     * Posts the ongoing encryption notification (id 9) for the given user.
     *
     * @param userHandle user the notification is posted for
     * @param charSequence title, also used as ticker text
     * @param charSequence2 content text
     * @param charSequence3 sub text
     * @param pendingIntent intent fired when the notification is tapped
     */
    private void showEncryptionNotification(UserHandle userHandle, CharSequence charSequence, CharSequence charSequence2, CharSequence charSequence3, PendingIntent pendingIntent) {
        final Notification.Builder builder = new Notification.Builder(this.mContext, SystemNotificationChannels.DEVICE_ADMIN);
        builder.setSmallIcon(17302969);
        builder.setWhen(0L);
        builder.setOngoing(true);
        builder.setTicker(charSequence);
        builder.setColor(this.mContext.getColor(17170460));
        builder.setContentTitle(charSequence);
        builder.setContentText(charSequence2);
        builder.setSubText(charSequence3);
        // Same value as the literal 1: the full notification text is visible on the lock
        // screen, so the strings passed in must stay free of sensitive data.
        builder.setVisibility(Notification.VISIBILITY_PUBLIC);
        builder.setContentIntent(pendingIntent);
        this.mNotificationManager.notifyAsUser(null, 9, builder.build(), userHandle);
    }

    /**
     * Cancels the encryption notification (id 9) for the given user.
     *
     * @param userHandle user whose notification is cancelled
     */
    private void hideEncryptionNotification(UserHandle userHandle) {
        final int userId = userHandle.getIdentifier();
        Slogf.d(TAG, "Hiding encryption notification for user %d", Integer.valueOf(userId));
        this.mNotificationManager.cancelAsUser(null, 9, userHandle);
    }

    /**
     * Handles a stopped user: hides the encryption notification, requires strong auth again and
     * drops the cached password metrics.
     *
     * <p>When the private-space feature flags are all enabled and the user's properties allow
     * stopping with delayed locking, the method returns after hiding the notification: strong
     * auth is not required and the cached metrics are kept.
     *
     * @param i id of the stopped user
     */
    @RequiresPermission(anyOf = {"android.permission.MANAGE_USERS", "android.permission.QUERY_USERS", "android.permission.INTERACT_ACROSS_USERS"}, conditional = true)
    @VisibleForTesting
    void onUserStopped(int i) {
        hideEncryptionNotification(new UserHandle(i));

        final boolean delayedLockingFlagsOn = com.android.internal.hidden_from_bootclasspath.android.os.Flags.allowPrivateProfile()
                && android.multiuser.Flags.enableBiometricsToUnlockPrivateSpace()
                && android.multiuser.Flags.enablePrivateSpaceFeatures();
        if (delayedLockingFlagsOn) {
            // User properties are only looked up once all three flags are on.
            final UserProperties props = this.mUserManager.getUserProperties(UserHandle.of(i));
            if (props != null && props.getAllowStoppingUserWithDelayedLocking()) {
                return;
            }
        }

        requireStrongAuth(LockPatternUtils.StrongAuthTracker.getDefaultFlags(this.mContext), i);
        synchronized (this) {
            this.mUserPasswordMetrics.remove(i);
        }
    }

    /**
     * Called when a user is starting; shows the encryption notification if it applies.
     *
     * @param i id of the starting user
     */
    private void onUserStarting(int i) {
        final String reason = "user started";
        maybeShowEncryptionNotificationForUser(i, reason);
    }

    /**
     * Removes lock settings state left behind by an earlier user that had the same user id.
     *
     * <p>The stored serial number is compared with {@code i2}. A different, previously stored
     * serial means the id was reused, so the old state is removed. The new serial is then
     * recorded. User 0 is never checked.
     *
     * @param i user id
     * @param i2 serial number of the user that currently owns the id
     */
    private void removeStateForReusedUserIdIfNecessary(int i, int i2) {
        if (i == 0) {
            return;
        }
        final int storedSerial = this.mStorage.getInt(USER_SERIAL_NUMBER_KEY, -1, i);
        if (storedSerial == i2) {
            return;
        }
        // -1 is the default passed to getInt above, i.e. no serial was recorded before.
        final boolean hadPreviousOwner = storedSerial != -1;
        if (hadPreviousOwner) {
            Slogf.i(TAG, "Removing stale state for reused userId %d (serial %d => %d)", Integer.valueOf(i), Integer.valueOf(storedSerial), Integer.valueOf(i2));
            removeUserState(i);
        }
        this.mStorage.setInt(USER_SERIAL_NUMBER_KEY, i2, i);
    }

    /**
     * Posts the unlock follow-up work to the handler: hide the encryption notification and, for
     * profiles that share the parent's credential, tie the profile lock if needed.
     *
     * @param i id of the user being unlocked
     */
    private void onUserUnlocking(final int i) {
        this.mHandler.post(() -> {
            hideEncryptionNotification(new UserHandle(i));
            if (!isCredentialSharableWithParent(i)) {
                return;
            }
            tieProfileLockIfNecessary(i, LockscreenCredential.createNone());
        });
    }

    /**
     * Finishes initialisation once the system is ready.
     *
     * <p>Requires the write permission. It caches the secure-lock-screen feature, migrates old
     * data, looks up the AuthSecret HAL and prefetches user 0. When the private-space flags are
     * all on, it also registers the CE storage lock listener.
     */
    @Override // com.android.internal.widget.ILockSettings
    public void systemReady() {
        checkWritePermission();

        final PackageManager packageManager = this.mContext.getPackageManager();
        this.mHasSecureLockScreen = packageManager.hasSystemFeature("android.software.secure_lock_screen");

        migrateOldData();
        getAuthSecretHal();
        this.mDeviceProvisionedObserver.onSystemReady();
        LockPatternUtils.invalidateCredentialTypeCache();
        this.mStorage.prefetchUser(0);
        this.mBiometricDeferredQueue.systemReady(this.mInjector.getFingerprintManager(), this.mInjector.getFaceManager(), this.mInjector.getBiometricManager());

        final boolean listenForStorageLock = com.android.internal.hidden_from_bootclasspath.android.os.Flags.allowPrivateProfile()
                && android.multiuser.Flags.enablePrivateSpaceFeatures()
                && android.multiuser.Flags.enableBiometricsToUnlockPrivateSpace();
        if (listenForStorageLock) {
            this.mStorageManagerInternal.registerStorageLockEventListener(this.mCeStorageLockEventListener);
        }
    }

    /** Asks the reboot escrow manager to load escrow data, if available, using the handler. */
    private void loadEscrowData() {
        final Handler handler = this.mHandler;
        this.mRebootEscrowManager.loadRebootEscrowDataIfAvailable(handler);
    }

    /**
     * Looks up the AuthSecret HAL, preferring the AIDL service and falling back to the HIDL one.
     *
     * <p>When neither exists, {@code mAuthSecretService} stays {@code null} and that is only
     * logged.
     */
    private void getAuthSecretHal() {
        final String aidlInstance = IAuthSecret.DESCRIPTOR + "/default";
        final IBinder aidlBinder = ServiceManager.waitForDeclaredService(aidlInstance);
        this.mAuthSecretService = IAuthSecret.Stub.asInterface(aidlBinder);
        if (this.mAuthSecretService != null) {
            Slog.i(TAG, "Device implements AIDL AuthSecret HAL");
            return;
        }

        // No AIDL service: try the HIDL HAL and wrap it in the adapter.
        try {
            this.mAuthSecretService = new AuthSecretHidlAdapter(android.hardware.authsecret.V1_0.IAuthSecret.getService(true));
            Slog.i(TAG, "Device implements HIDL AuthSecret HAL");
        } catch (NoSuchElementException notImplemented) {
            Slog.i(TAG, "Device doesn't implement AuthSecret HAL");
        } catch (RemoteException e) {
            Slog.w(TAG, "Failed to get AuthSecret HAL(hidl)", e);
        }
    }

    /**
     * Migrates keys to the LSS keystore namespace once.
     *
     * <p>Completion is recorded under {@code MIGRATED_KEYSTORE_NS} for user 0, and only when
     * both the synthetic password keys and the profile lock keys migrated. Until then the
     * migration is attempted again on every call.
     */
    private void migrateOldData() {
        if (getString(MIGRATED_KEYSTORE_NS, null, 0) != null) {
            return;
        }
        final boolean spKeysMigrated;
        synchronized (this.mSpManager) {
            spKeysMigrated = this.mSpManager.migrateKeyNamespace();
        }
        // Profile lock keys are only attempted when the SP key migration succeeded.
        if (spKeysMigrated && migrateProfileLockKeys()) {
            setString(MIGRATED_KEYSTORE_NS, ImsManager.TRUE, 0);
            Slog.i(TAG, "Migrated keys to LSS namespace");
        } else {
            Slog.w(TAG, "Failed to migrate keys to LSS namespace");
        }
    }

    /**
     * Runs the FRP credential migration once, when FRP credentials are enabled, and records
     * completion under {@code MIGRATED_FRP2} for user 0.
     */
    @VisibleForTesting
    void migrateOldDataAfterSystemReady() {
        if (!LockPatternUtils.frpCredentialEnabled(this.mContext)) {
            return;
        }
        final boolean alreadyMigrated = getBoolean(MIGRATED_FRP2, false, 0);
        if (alreadyMigrated) {
            return;
        }
        migrateFrpCredential();
        setBoolean(MIGRATED_FRP2, true, 0);
    }

    /**
     * Writes the FRP credential for the first secure user that owns it.
     *
     * <p>Runs only when the persistent data block is empty or has the bad Android 14 beta
     * format.
     */
    private void migrateFrpCredential() {
        final LockSettingsStorage.PersistentData persistentData = this.mStorage.readPersistentDataBlock();
        final boolean needsMigration = persistentData == LockSettingsStorage.PersistentData.NONE || persistentData.isBadFormatFromAndroid14Beta();
        if (!needsMigration) {
            return;
        }
        for (UserInfo user : this.mUserManager.getUsers()) {
            if (!LockPatternUtils.userOwnsFrpCredential(this.mContext, user) || !isUserSecure(user.id)) {
                continue;
            }
            synchronized (this.mSpManager) {
                // The stored quality is reduced to its most lenient equivalent before it is
                // handed to the synthetic password manager.
                final int storedQuality = (int) getLong("lockscreen.password_type", 0L, user.id);
                this.mSpManager.migrateFrpPasswordLocked(getCurrentLskfBasedProtectorId(user.id), user, redactActualQualityToMostLenientEquivalentQuality(storedQuality));
            }
            // Only the first matching user is migrated.
            return;
        }
    }

    /**
     * Migrates the encrypt and decrypt profile keys of every profile that shares its parent's
     * credential and has no separate challenge.
     *
     * @return {@code true} only if every attempted key migration succeeded
     */
    private boolean migrateProfileLockKeys() {
        boolean allMigrated = true;
        for (UserInfo user : this.mUserManager.getUsers()) {
            if (!isCredentialSharableWithParent(user.id) || getSeparateProfileChallengeEnabledInternal(user.id)) {
                continue;
            }
            // Both keys are always attempted, even after an earlier failure.
            final boolean encryptKeyOk = SyntheticPasswordCrypto.migrateLockSettingsKey(PROFILE_KEY_NAME_ENCRYPT + user.id);
            final boolean decryptKeyOk = SyntheticPasswordCrypto.migrateLockSettingsKey(PROFILE_KEY_NAME_DECRYPT + user.id);
            allMigrated = allMigrated & encryptKeyOk & decryptKeyOk;
        }
        return allMigrated;
    }

    /**
     * Deletes the repair-mode persistent data when repair mode is supported but not active and
     * the device is not running a GSI.
     */
    @VisibleForTesting
    void deleteRepairModePersistentDataIfNeeded() {
        if (!LockPatternUtils.isRepairModeSupported(this.mContext)) {
            return;
        }
        if (LockPatternUtils.isRepairModeActive(this.mContext)) {
            return;
        }
        if (this.mInjector.isGsiRunning()) {
            return;
        }
        this.mStorage.deleteRepairModePersistentData();
    }

    /**
     * Processes user creations and removals that were recorded before this point, then runs the
     * pending synthetic-password migrations.
     *
     * <p>Everything runs under {@code mUserCreationAndRemovalLock}. After the recorded users
     * are processed both "early" maps are set to {@code null}, and {@code mThirdPartyAppsStarted}
     * is set to {@code true} on every path.
     */
    private void onThirdPartyAppsStarted() {
        synchronized (this.mUserCreationAndRemovalLock) {
            // Users removed early: drop their lock settings state now.
            for (int i = 0; i < this.mEarlyRemovedUsers.size(); i++) {
                int keyAt = this.mEarlyRemovedUsers.keyAt(i);
                Slogf.i(TAG, "Removing locksettings state for removed user %d now that boot is complete", Integer.valueOf(keyAt));
                removeUserState(keyAt);
            }
            this.mEarlyRemovedUsers = null;
            // Users created early: key is the user id, value is passed as the serial number.
            // Stale state of a reused id is cleared before the synthetic password is created.
            for (int i2 = 0; i2 < this.mEarlyCreatedUsers.size(); i2++) {
                int keyAt2 = this.mEarlyCreatedUsers.keyAt(i2);
                removeStateForReusedUserIdIfNecessary(keyAt2, this.mEarlyCreatedUsers.valueAt(i2));
                Slogf.i(TAG, "Creating locksettings state for user %d now that boot is complete", Integer.valueOf(keyAt2));
                initializeSyntheticPassword(keyAt2);
            }
            this.mEarlyCreatedUsers = null;
            if (FIX_UNLOCKED_DEVICE_REQUIRED_KEYS) {
                // Full migration (CE key plus Keystore super keys), run once and recorded under
                // MIGRATED_SP_FULL.
                if (!getBoolean(MIGRATED_SP_FULL, false, 0)) {
                    for (UserInfo userInfo : this.mUserManager.getAliveUsers()) {
                        removeStateForReusedUserIdIfNecessary(userInfo.id, userInfo.serialNumber);
                        synchronized (this.mSpManager) {
                            migrateUserToSpWithBoundKeysLocked(userInfo.id);
                        }
                    }
                    setBoolean(MIGRATED_SP_FULL, true, 0);
                }
                this.mThirdPartyAppsStarted = true;
            } else {
                // CE-key-only migration, run once and recorded under MIGRATED_SP_CE_ONLY.
                if (getString(MIGRATED_SP_CE_ONLY, null, 0) == null) {
                    for (UserInfo userInfo2 : this.mUserManager.getAliveUsers()) {
                        removeStateForReusedUserIdIfNecessary(userInfo2.id, userInfo2.serialNumber);
                        synchronized (this.mSpManager) {
                            migrateUserToSpWithBoundCeKeyLocked(userInfo2.id);
                        }
                    }
                    setString(MIGRATED_SP_CE_ONLY, ImsManager.TRUE, 0);
                }
                // With the fix flag off, a MIGRATED_SP_FULL marker that is already set is reset
                // to false.
                // NOTE(review): presumably so the full migration reruns if the flag is enabled
                // again later - confirm.
                if (getBoolean(MIGRATED_SP_FULL, false, 0)) {
                    setBoolean(MIGRATED_SP_FULL, false, 0);
                }
                this.mThirdPartyAppsStarted = true;
            }
        }
    }

    /**
     * Migrates an unsecured user so that its CE key is protected by the synthetic password.
     *
     * <p>Secured users are skipped. A user without an LSKF-based protector gets a new synthetic
     * password. Otherwise the existing synthetic password is unwrapped with the empty
     * credential and used to protect CE storage.
     *
     * @param i user id
     */
    @GuardedBy({"mSpManager"})
    private void migrateUserToSpWithBoundCeKeyLocked(int i) {
        if (isUserSecure(i)) {
            Slogf.d(TAG, "User %d is secured; no migration needed", Integer.valueOf(i));
            return;
        }
        final long protectorId = getCurrentLskfBasedProtectorId(i);
        if (protectorId == 0) {
            Slogf.i(TAG, "Migrating unsecured user %d to SP-based credential", Integer.valueOf(i));
            initializeSyntheticPassword(i);
            return;
        }
        Slogf.i(TAG, "Existing unsecured user %d has a synthetic password; re-encrypting CE key with it", Integer.valueOf(i));
        final SyntheticPasswordManager.AuthenticationResult unlockResult = this.mSpManager.unlockLskfBasedProtector(getGateKeeperService(), protectorId, LockscreenCredential.createNone(), i, null);
        if (unlockResult.syntheticPassword != null) {
            setCeStorageProtection(i, unlockResult.syntheticPassword);
        } else {
            // Unwrap failure is reported via wtf; CE storage protection stays as it was.
            Slogf.wtf(TAG, "Failed to unwrap synthetic password for unsecured user %d", Integer.valueOf(i));
        }
    }

    /**
     * Migrates an unsecured user so that both its CE key and its Keystore super keys are bound
     * to the synthetic password.
     *
     * <p>Secured users are skipped. A user without an LSKF-based protector gets a new synthetic
     * password. Otherwise the existing one is unwrapped with the empty credential. The CE key
     * is re-protected only if the CE-only migration has not run, and the Keystore super keys
     * are always initialised.
     *
     * @param i user id
     */
    @GuardedBy({"mSpManager"})
    private void migrateUserToSpWithBoundKeysLocked(int i) {
        if (isUserSecure(i)) {
            Slogf.d(TAG, "User %d is secured; no migration needed", Integer.valueOf(i));
            return;
        }
        final long protectorId = getCurrentLskfBasedProtectorId(i);
        if (protectorId == 0) {
            Slogf.i(TAG, "Migrating unsecured user %d to SP-based credential", Integer.valueOf(i));
            initializeSyntheticPassword(i);
            return;
        }
        Slogf.i(TAG, "Existing unsecured user %d has a synthetic password", Integer.valueOf(i));
        final SyntheticPasswordManager.AuthenticationResult unlockResult = this.mSpManager.unlockLskfBasedProtector(getGateKeeperService(), protectorId, LockscreenCredential.createNone(), i, null);
        final SyntheticPasswordManager.SyntheticPassword sp = unlockResult.syntheticPassword;
        if (sp == null) {
            Slogf.wtf(TAG, "Failed to unwrap synthetic password for unsecured user %d", Integer.valueOf(i));
            return;
        }
        final boolean ceOnlyMigrationDone = getString(MIGRATED_SP_CE_ONLY, null, 0) != null;
        if (!ceOnlyMigrationDone) {
            Slogf.i(TAG, "Encrypting CE key of user %d with synthetic password", Integer.valueOf(i));
            setCeStorageProtection(i, sp);
        }
        Slogf.i(TAG, "Initializing Keystore super keys for user %d", Integer.valueOf(i));
        initKeystoreSuperKeys(i, sp, true);
    }

    /**
     * Maps a stored password quality to the most lenient quality of its family, so the exact
     * quality is not revealed.
     *
     * <p>131072 and 196608 map to 131072. 262144, 327680 and 393216 map to 262144. Every other
     * value is returned unchanged.
     *
     * @param i stored password quality
     * @return the redacted quality
     */
    private int redactActualQualityToMostLenientEquivalentQuality(int i) {
        // 0x20000 / 0x30000: the numeric family collapses to 0x20000.
        if (i == 131072 || i == 196608) {
            return 131072;
        }
        // 0x40000 / 0x50000 / 0x60000: the alphabetic family collapses to 0x40000.
        if (i == 262144 || i == 327680 || i == 393216) {
            return 262144;
        }
        return i;
    }

    /**
     * Rejects credential changes while factory reset protection is active.
     *
     * <p>With the {@code frpEnforcement} flag on, the storage layer decides. Otherwise FRP
     * counts as active when {@code secure_frp_mode} is 1 and the main user has not completed
     * setup. Devices without a main user skip the check entirely.
     *
     * @throws SecurityException if factory reset protection is active
     */
    private void enforceFrpNotActive() {
        final int mainUserId = this.mInjector.getUserManagerInternal().getMainUserId();
        if (mainUserId < 0) {
            Slog.d(TAG, "No Main user on device; skipping enforceFrpNotActive");
            return;
        }
        final ContentResolver resolver = this.mContext.getContentResolver();
        final boolean frpActive;
        if (Flags.frpEnforcement()) {
            frpActive = this.mStorage.isFactoryResetProtectionActive();
        } else {
            final boolean secureFrpMode = Settings.Global.getInt(resolver, "secure_frp_mode", 0) == 1;
            // The setup-complete setting is only read when secure FRP mode is on.
            frpActive = secureFrpMode && Settings.Secure.getIntForUser(resolver, "user_setup_complete", 0, mainUserId) == 0;
        }
        if (frpActive) {
            throw new SecurityException("Cannot change credential while factory reset protection is active");
        }
    }

    /**
     * Enforces {@code PERMISSION} on the caller (or self) for write operations.
     *
     * <p>The read, have and write checks in this class all enforce the same permission and
     * differ only in the message.
     *
     * @throws SecurityException if the permission is not held
     */
    private final void checkWritePermission() {
        final String message = "LockSettingsWrite";
        this.mContext.enforceCallingOrSelfPermission(PERMISSION, message);
    }

    /**
     * Enforces {@code PERMISSION} on the caller (or self) for password read operations.
     *
     * @throws SecurityException if the permission is not held
     */
    private final void checkPasswordReadPermission() {
        final String message = "LockSettingsRead";
        this.mContext.enforceCallingOrSelfPermission(PERMISSION, message);
    }

    /**
     * Enforces {@code PERMISSION} on the caller (or self) for "has credential" style queries.
     *
     * @throws SecurityException if the permission is not held
     */
    private final void checkPasswordHavePermission() {
        final String message = "LockSettingsHave";
        this.mContext.enforceCallingOrSelfPermission(PERMISSION, message);
    }

    /**
     * Rejects callers that lack {@code PERMISSION} before a settings read.
     *
     * <p>The key and user id only appear in the error message. Access is not restricted per
     * key or per user here: a caller holding the permission can read any key of any user.
     *
     * @param str key about to be read
     * @param i user id the read is for
     * @throws SecurityException if the permission is not held
     */
    private final void checkDatabaseReadPermission(String str, int i) {
        if (hasPermission(PERMISSION)) {
            return;
        }
        final String message = "uid=" + getCallingUid() + " needs permission " + PERMISSION + " to read " + str + " for user " + i;
        throw new SecurityException(message);
    }

    /**
     * Enforces {@code BIOMETRIC_PERMISSION} on the caller (or self).
     *
     * @throws SecurityException if the permission is not held
     */
    private final void checkBiometricPermission() {
        final String message = "LockSettingsBiometric";
        this.mContext.enforceCallingOrSelfPermission(BIOMETRIC_PERMISSION, message);
    }

    /**
     * Reports whether the caller (or self) holds the given permission.
     *
     * @param str permission name
     * @return {@code true} if the permission check returns 0 (granted)
     */
    private boolean hasPermission(String str) {
        final int result = this.mContext.checkCallingOrSelfPermission(str);
        return result == 0;
    }

    /**
     * Gate for the weak escrow token methods: the caller must hold
     * {@code MANAGE_WEAK_ESCROW_TOKEN} and the device must be an automotive device.
     *
     * @throws SecurityException if the permission is not held
     * @throws IllegalArgumentException if the device lacks the automotive feature
     */
    private void checkManageWeakEscrowTokenMethodUsage() {
        this.mContext.enforceCallingOrSelfPermission("android.permission.MANAGE_WEAK_ESCROW_TOKEN", "Requires MANAGE_WEAK_ESCROW_TOKEN permission.");
        final boolean automotive = this.mContext.getPackageManager().hasSystemFeature("android.hardware.type.automotive");
        if (automotive) {
            return;
        }
        throw new IllegalArgumentException("Weak escrow token are only for automotive devices.");
    }

    /**
     * Returns the secure-lock-screen feature value cached by {@code systemReady()}.
     *
     * <p>No permission check is performed here.
     */
    @Override // com.android.internal.widget.ILockSettings
    public boolean hasSecureLockScreen() {
        final boolean supported = this.mHasSecureLockScreen;
        return supported;
    }

    /**
     * Binder entry point: returns whether the profile has a separate challenge, after the
     * read-permission check.
     *
     * @param i user id of the profile
     * @throws SecurityException if the caller lacks the read permission
     */
    @Override // com.android.internal.widget.ILockSettings
    public boolean getSeparateProfileChallengeEnabled(int i) {
        checkDatabaseReadPermission(SEPARATE_PROFILE_CHALLENGE_KEY, i);
        final boolean enabled = getSeparateProfileChallengeEnabledInternal(i);
        return enabled;
    }

    /**
     * Reads the separate-challenge setting for a profile under {@code mSeparateChallengeLock},
     * without any permission check.
     *
     * @param i user id of the profile
     * @return the stored value, {@code false} when unset
     */
    private boolean getSeparateProfileChallengeEnabledInternal(int i) {
        synchronized (this.mSeparateChallengeLock) {
            return this.mStorage.getBoolean(SEPARATE_PROFILE_CHALLENGE_KEY, false, i);
        }
    }

    /**
     * Binder entry point: enables or disables the separate challenge for a profile and then
     * notifies device policy.
     *
     * @param i user id of the profile
     * @param z new value of the setting
     * @param lockscreenCredential profile credential; {@code null} is treated as "none"
     * @throws SecurityException if the caller lacks the write permission
     * @throws UnsupportedOperationException if a credential of a type other than -1 is passed
     *     on a device without the secure lock screen feature
     */
    @Override // com.android.internal.widget.ILockSettings
    public void setSeparateProfileChallengeEnabled(int i, boolean z, LockscreenCredential lockscreenCredential) {
        checkWritePermission();
        if (!this.mHasSecureLockScreen) {
            // Type -1 is the only credential type accepted without a secure lock screen.
            if (lockscreenCredential != null && lockscreenCredential.getType() != -1) {
                throw new UnsupportedOperationException("This operation requires secure lock screen feature.");
            }
        }
        synchronized (this.mSeparateChallengeLock) {
            final LockscreenCredential effectiveCredential;
            if (lockscreenCredential == null) {
                effectiveCredential = LockscreenCredential.createNone();
            } else {
                effectiveCredential = lockscreenCredential;
            }
            setSeparateProfileChallengeEnabledLocked(i, z, effectiveCredential);
        }
        notifySeparateProfileChallengeChanged(i);
    }

    /**
     * Stores the new separate-challenge value and applies its consequence.
     *
     * <p>Enabling removes the child profile lock and the keystore profile key. Disabling ties
     * the profile lock to the parent if needed. The stored value is rolled back only when an
     * {@link IllegalStateException} is thrown; other exceptions leave the new value in place.
     *
     * @param i user id of the profile
     * @param z new value of the setting
     * @param lockscreenCredential profile credential used when tying the lock
     */
    @GuardedBy({"mSeparateChallengeLock"})
    private void setSeparateProfileChallengeEnabledLocked(int i, boolean z, LockscreenCredential lockscreenCredential) {
        final boolean previousValue = getBoolean(SEPARATE_PROFILE_CHALLENGE_KEY, false, i);
        setBoolean(SEPARATE_PROFILE_CHALLENGE_KEY, z, i);
        try {
            if (!z) {
                tieProfileLockIfNecessary(i, lockscreenCredential);
            } else {
                this.mStorage.removeChildProfileLock(i);
                removeKeystoreProfileKey(i);
            }
        } catch (IllegalStateException e) {
            setBoolean(SEPARATE_PROFILE_CHALLENGE_KEY, previousValue, i);
            throw e;
        }
    }

    /**
     * Posts a task that reports the separate-challenge change to the device policy manager,
     * if that local service is available.
     *
     * @param i user id of the profile
     */
    private void notifySeparateProfileChallengeChanged(int i) {
        this.mHandler.post(() -> {
            final DevicePolicyManagerInternal dpmi = (DevicePolicyManagerInternal) LocalServices.getService(DevicePolicyManagerInternal.class);
            if (dpmi == null) {
                return;
            }
            dpmi.reportSeparateProfileChallengeChanged(i);
        });
    }

    /**
     * Binder entry point: stores a boolean setting for a user.
     *
     * <p>The key is supplied by the caller and only checked for {@code null}; the write
     * permission is the sole gate.
     *
     * @param str setting key, must not be {@code null}
     * @param z value to store
     * @param i user id
     * @throws SecurityException if the caller lacks the write permission
     */
    @Override // com.android.internal.widget.ILockSettings
    public void setBoolean(String str, boolean z, int i) {
        checkWritePermission();
        final String key = Objects.requireNonNull(str);
        this.mStorage.setBoolean(key, z, i);
    }

    /**
     * Binder entry point: stores a long setting for a user.
     *
     * <p>The key is supplied by the caller and only checked for {@code null}; the write
     * permission is the sole gate.
     *
     * @param str setting key, must not be {@code null}
     * @param j value to store
     * @param i user id
     * @throws SecurityException if the caller lacks the write permission
     */
    @Override // com.android.internal.widget.ILockSettings
    public void setLong(String str, long j, int i) {
        checkWritePermission();
        final String key = Objects.requireNonNull(str);
        this.mStorage.setLong(key, j, i);
    }

    /**
     * Binder entry point: stores a string setting for a user.
     *
     * <p>The key is supplied by the caller and only checked for {@code null}; the write
     * permission is the sole gate.
     *
     * @param str setting key, must not be {@code null}
     * @param str2 value to store
     * @param i user id
     * @throws SecurityException if the caller lacks the write permission
     */
    @Override // com.android.internal.widget.ILockSettings
    public void setString(String str, String str2, int i) {
        checkWritePermission();
        final String key = Objects.requireNonNull(str);
        this.mStorage.setString(key, str2, i);
    }

    /**
     * Binder entry point: reads a boolean setting for a user after the read-permission check.
     *
     * @param str setting key
     * @param z default returned when the key is unset
     * @param i user id
     * @throws SecurityException if the caller lacks the read permission
     */
    @Override // com.android.internal.widget.ILockSettings
    public boolean getBoolean(String str, boolean z, int i) {
        checkDatabaseReadPermission(str, i);
        final boolean stored = this.mStorage.getBoolean(str, z, i);
        return stored;
    }

    /**
     * Binder entry point: reads a long setting for a user after the read-permission check.
     *
     * @param str setting key
     * @param j default returned when the key is unset
     * @param i user id
     * @throws SecurityException if the caller lacks the read permission
     */
    @Override // com.android.internal.widget.ILockSettings
    public long getLong(String str, long j, int i) {
        checkDatabaseReadPermission(str, i);
        final long stored = this.mStorage.getLong(str, j, i);
        return stored;
    }

    /**
     * Binder entry point: reads a string setting for a user after the read-permission check.
     *
     * @param str setting key
     * @param str2 default returned when the key is unset
     * @param i user id
     * @throws SecurityException if the caller lacks the read permission
     */
    @Override // com.android.internal.widget.ILockSettings
    public String getString(String str, String str2, int i) {
        checkDatabaseReadPermission(str, i);
        final String stored = this.mStorage.getString(str, str2, i);
        return stored;
    }

    /**
     * Reads the stored password quality ({@code lockscreen.password_type}) for a user directly
     * from storage, without a permission check.
     *
     * @param i user id
     * @return the stored quality, 0 when unset
     */
    private int getKeyguardStoredQuality(int i) {
        final long stored = this.mStorage.getLong("lockscreen.password_type", 0L, i);
        return (int) stored;
    }

    /**
     * Binder entry point: returns the PIN length for a user.
     *
     * <p>Cached password metrics are used when their credential type is 3. Otherwise the
     * length is read from the synthetic password manager under its lock.
     *
     * @param i user id
     * @return the PIN length, or -1 when the user has no LSKF-based protector
     * @throws SecurityException if the caller lacks the required permission
     */
    @Override // com.android.internal.widget.ILockSettings
    public int getPinLength(int i) {
        checkPasswordHavePermission();
        final PasswordMetrics metrics = getUserPasswordMetrics(i);
        // NOTE(review): credType 3 presumably denotes a PIN - confirm against LockPatternUtils.
        final boolean cachedPinMetrics = metrics != null && metrics.credType == 3;
        if (cachedPinMetrics) {
            return metrics.length;
        }
        synchronized (this.mSpManager) {
            final long protectorId = getCurrentLskfBasedProtectorId(i);
            return protectorId == 0 ? -1 : this.mSpManager.getPinLength(protectorId, i);
        }
    }

    /**
     * Binder entry point: rewrites the on-disk PIN length from the cached password metrics.
     *
     * @param i user id
     * @return {@code false} when no password metrics are cached, otherwise the result of the
     *     synthetic password manager
     * @throws SecurityException if the caller lacks the required permission
     */
    @Override // com.android.internal.widget.ILockSettings
    public boolean refreshStoredPinLength(int i) {
        checkPasswordHavePermission();
        synchronized (this.mSpManager) {
            final PasswordMetrics metrics = getUserPasswordMetrics(i);
            if (metrics != null) {
                return this.mSpManager.refreshPinLengthOnDisk(metrics, getCurrentLskfBasedProtectorId(i), i);
            }
            Log.w(TAG, "PasswordMetrics is not available");
            return false;
        }
    }

    /**
     * Binder entry point: returns the credential type of a user after the permission check.
     *
     * @param i user id
     * @throws SecurityException if the caller lacks the required permission
     */
    @Override // com.android.internal.widget.ILockSettings
    public int getCredentialType(int i) {
        checkPasswordHavePermission();
        final int type = getCredentialTypeInternal(i);
        return type;
    }

    /**
     * Returns the credential type of a user without a permission check.
     *
     * <p>Special user ids are answered by the synthetic password manager directly. For other
     * users, -1 is returned when there is no LSKF-based protector. A protector type of 2 is
     * resolved to a concrete type from the stored password quality.
     *
     * @param i user id
     * @return the credential type, or -1 when the user has no LSKF-based protector
     */
    private int getCredentialTypeInternal(int i) {
        if (LockPatternUtils.isSpecialUserId(i)) {
            return this.mSpManager.getSpecialUserCredentialType(i);
        }
        synchronized (this.mSpManager) {
            final long protectorId = getCurrentLskfBasedProtectorId(i);
            if (protectorId == 0) {
                return -1;
            }
            final int protectorType = this.mSpManager.getCredentialType(protectorId, i);
            // NOTE(review): 2 presumably means "password or PIN" - confirm.
            if (protectorType == 2) {
                return LockPatternUtils.pinOrPasswordQualityToCredentialType(getKeyguardStoredQuality(i));
            }
            return protectorType;
        }
    }

    /**
     * Reports whether the user has a credential, i.e. its credential type is not -1.
     *
     * @param i user id
     */
    private boolean isUserSecure(int i) {
        final int type = getCredentialTypeInternal(i);
        return type != -1;
    }

    /**
     * Forwards a changed user password to Keystore maintenance.
     *
     * <p>The array is passed on as is and is not cleared here; the caller is responsible for
     * wiping it.
     *
     * @param bArr the new Keystore password
     * @param i user id
     */
    @VisibleForTesting
    void setKeystorePassword(byte[] bArr, int i) {
        final int userId = i;
        AndroidKeyStoreMaintenance.onUserPasswordChanged(userId, bArr);
    }

    /**
     * Initialises the Keystore super keys of a user from the synthetic password.
     *
     * <p>The derived Keystore password is zeroed before returning, on success and on failure.
     *
     * @param i user id
     * @param syntheticPassword synthetic password the Keystore password is derived from
     * @param z passed through to {@code initUserSuperKeys}
     * @throws IllegalStateException if Keystore reports a non-zero result
     */
    @VisibleForTesting
    void initKeystoreSuperKeys(int i, SyntheticPasswordManager.SyntheticPassword syntheticPassword, boolean z) {
        final byte[] keystorePassword = syntheticPassword.deriveKeyStorePassword();
        try {
            final int result = AndroidKeyStoreMaintenance.initUserSuperKeys(i, keystorePassword, z);
            if (result != 0) {
                throw new IllegalStateException("Failed to initialize Keystore super keys for user " + i);
            }
        } finally {
            // Do not leave key material on the heap longer than needed.
            Arrays.fill(keystorePassword, (byte) 0);
        }
    }

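    /**
     * Tells Keystore authorization that the device was unlocked for a user, passing the
     * Keystore password derived from the synthetic password.
     *
     * <p>The derived password is zeroed once the call returns, on success and on failure, so
     * it is handled the same way as in {@code initKeystoreSuperKeys}.
     *
     * @param i user id
     * @param syntheticPassword synthetic password the Keystore password is derived from
     */
    private void unlockKeystore(int i, SyntheticPasswordManager.SyntheticPassword syntheticPassword) {
        final byte[] keystorePassword = syntheticPassword.deriveKeyStorePassword();
        try {
            this.mKeyStoreAuthorization.onDeviceUnlocked(i, keystorePassword);
        } finally {
            // Wipe the derived key material instead of leaving it for the garbage collector.
            // NOTE(review): assumes onDeviceUnlocked consumes the array before returning and
            // does not keep a reference to it - confirm.
            Arrays.fill(keystorePassword, (byte) 0);
        }
    }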

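    /**
     * Decrypts the stored password of a profile whose lock is tied to its parent.
     *
     * <p>The stored blob is a 12-byte GCM IV followed by the ciphertext. It is decrypted with
     * AES/GCM (128-bit tag) under the profile's Keystore decrypt key, so a modified blob fails
     * authentication in {@code doFinal}. The plaintext buffer is zeroed after the credential
     * object is built, and the credential is also stored in the unified profile password
     * cache.
     *
     * @param i user id of the tied profile
     * @return the decrypted profile credential
     * @throws FileNotFoundException (an {@link IOException}) if no child profile lock is stored
     * @throws IOException if the stored blob is shorter than the IV
     * @throws BadPaddingException if the ciphertext fails GCM authentication
     */
    @VisibleForTesting
    protected LockscreenCredential getDecryptedPasswordForTiedProfile(int i) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, CertificateException, IOException {
        Slogf.d(TAG, "Decrypting password for tied profile %d", Integer.valueOf(i));
        final byte[] storedBlob = this.mStorage.readChildProfileLock(i);
        if (storedBlob == null) {
            throw new FileNotFoundException("Child profile lock file not found");
        }
        final int ivLength = 12;
        // A truncated file would otherwise surface as an unchecked exception from
        // Arrays.copyOfRange. Report it as an I/O failure, which callers already handle.
        if (storedBlob.length < ivLength) {
            throw new IOException("Child profile lock file is truncated");
        }
        final byte[] iv = Arrays.copyOfRange(storedBlob, 0, ivLength);
        final byte[] ciphertext = Arrays.copyOfRange(storedBlob, ivLength, storedBlob.length);
        final SecretKey decryptKey = (SecretKey) this.mKeyStore.getKey(PROFILE_KEY_NAME_DECRYPT + i, null);
        final Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, decryptKey, new GCMParameterSpec(128, iv));
        final byte[] plaintext = cipher.doFinal(ciphertext);
        final LockscreenCredential credential;
        try {
            credential = LockscreenCredential.createUnifiedProfilePassword(plaintext);
        } finally {
            // Wipe the plaintext even if building the credential fails.
            Arrays.fill(plaintext, (byte) 0);
        }
        try {
            this.mUnifiedProfilePasswordCache.storePassword(i, credential, getGateKeeperService().getSecureUserId(this.mUserManager.getProfileParent(i).id));
        } catch (RemoteException e) {
            // Caching is best effort; the decrypted credential is still returned.
            Slogf.w(TAG, "Failed to talk to GateKeeper service", e);
        }
        return credential;
    }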

    /**
     * Decrypts the tied profile's credential and verifies it for that profile.
     *
     * <p>Failures are logged and swallowed: a missing lock file is logged at info level, every
     * other decryption failure at error level.
     *
     * @param i user id of the child profile
     */
    private void unlockChildProfile(int i) {
        try {
            final LockscreenCredential profileCredential = getDecryptedPasswordForTiedProfile(i);
            doVerifyCredential(profileCredential, i, null, 0);
        } catch (FileNotFoundException e) {
            Slog.i(TAG, "Child profile key not found");
        } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            Slog.e(TAG, "Failed to decrypt child profile key", e);
        }
    }

    /**
     * Asks the activity manager to unlock the user, waits up to 15 seconds for it to finish, and
     * then handles the user's profiles.
     *
     * <p>For a user whose credential is sharable with its parent, pending biometric lockout
     * resets are processed unless the profile has a unified challenge. For any other user, each
     * profile with a unified challenge is either unlocked (if running) or has its password
     * decrypted, which also caches it; the encryption notification is considered for profiles
     * when the user was not already unlocking or unlocked before this call.
     *
     * @param i user id to unlock
     */
    private void unlockUser(int i) {
        // Sampled before the unlock request so the notification decision reflects the prior state.
        final boolean wasUnlockingOrUnlocked = this.mUserManager.isUserUnlockingOrUnlocked(i);
        final CountDownLatch unlockFinished = new CountDownLatch(1);
        final IProgressListener progressListener = new IProgressListener.Stub() {
            @Override // android.os.IProgressListener
            public void onStarted(int id, Bundle extras) throws RemoteException {
                Slog.d(LockSettingsService.TAG, "unlockUser started");
            }

            @Override // android.os.IProgressListener
            public void onProgress(int id, int progress, Bundle extras) throws RemoteException {
                Slog.d(LockSettingsService.TAG, "unlockUser progress " + progress);
            }

            @Override // android.os.IProgressListener
            public void onFinished(int id, Bundle extras) throws RemoteException {
                Slog.d(LockSettingsService.TAG, "unlockUser finished");
                unlockFinished.countDown();
            }
        };
        try {
            this.mActivityManager.unlockUser2(i, progressListener);
            try {
                // The result is not inspected: after a timeout the method carries on regardless.
                unlockFinished.await(15L, TimeUnit.SECONDS);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            if (isCredentialSharableWithParent(i)) {
                if (!hasUnifiedChallenge(i)) {
                    this.mBiometricDeferredQueue.processPendingLockoutResets();
                }
                return;
            }
            for (UserInfo profile : this.mUserManager.getProfiles(i)) {
                final int profileId = profile.id;
                if (profileId == i || !isCredentialSharableWithParent(profileId)) {
                    continue;
                }
                if (hasUnifiedChallenge(profileId)) {
                    if (this.mUserManager.isUserRunning(profileId)) {
                        unlockChildProfile(profileId);
                    } else {
                        try {
                            // Called for its caching side effect; the returned credential is dropped.
                            getDecryptedPasswordForTiedProfile(profileId);
                        } catch (IOException | GeneralSecurityException e2) {
                            Slog.d(TAG, "Cache unified profile password failed", e2);
                        }
                    }
                }
                if (wasUnlockingOrUnlocked) {
                    continue;
                }
                final long callingIdentity = clearCallingIdentity();
                try {
                    maybeShowEncryptionNotificationForUser(profileId, "parent unlocked");
                } finally {
                    restoreCallingIdentity(callingIdentity);
                }
            }
            this.mBiometricDeferredQueue.processPendingLockoutResets();
        } catch (RemoteException e3) {
            throw e3.rethrowAsRuntimeException();
        }
    }

    /**
     * Tells whether the user has a unified challenge: no separate profile challenge is enabled
     * and a child profile lock is stored for it.
     *
     * @param i user id to check
     */
    private boolean hasUnifiedChallenge(int i) {
        if (getSeparateProfileChallengeEnabledInternal(i)) {
            return false;
        }
        return this.mStorage.hasChildProfileLock(i);
    }

    /**
     * Collects the decrypted credentials of all profiles of the user that share the parent's
     * credential and have no separate challenge.
     *
     * <p>A profile whose credential cannot be decrypted is logged and left out of the result.
     *
     * @param i user id of the parent
     * @return map from profile user id to decrypted credential, or {@code null} when {@code i}
     *     is itself a user whose credential is sharable with its parent; the caller owns the
     *     returned credentials
     */
    private Map<Integer, LockscreenCredential> getDecryptedPasswordsForAllTiedProfiles(int i) {
        if (isCredentialSharableWithParent(i)) {
            return null;
        }
        final ArrayMap<Integer, LockscreenCredential> decrypted = new ArrayMap<>();
        for (UserInfo profile : this.mUserManager.getProfiles(i)) {
            final int profileId = profile.id;
            if (!isCredentialSharableWithParent(profileId) || getSeparateProfileChallengeEnabledInternal(profileId)) {
                continue;
            }
            try {
                decrypted.put(Integer.valueOf(profileId), getDecryptedPasswordForTiedProfile(profileId));
            } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                Slog.e(TAG, "getDecryptedPasswordsForAllTiedProfiles failed for user " + profileId, e);
            }
        }
        return decrypted;
    }

    /**
     * Brings the unified challenge of every tied profile in line with the parent's lock state.
     *
     * <p>If the parent is secure, each tied profile gets its lock tied if necessary. If the
     * parent is not secure, the profile's credential is cleared using the previously decrypted
     * password from {@code map}, and its stored lock and Keystore profile key are removed.
     *
     * @param i user id of the parent; nothing happens if this user's credential is sharable
     *     with its parent
     * @param map decrypted profile passwords keyed by profile user id; may be {@code null}
     */
    private void synchronizeUnifiedChallengeForProfiles(int i, Map<Integer, LockscreenCredential> map) {
        if (isCredentialSharableWithParent(i)) {
            return;
        }
        final boolean parentSecure = isUserSecure(i);
        for (UserInfo profile : this.mUserManager.getProfiles(i)) {
            final int profileId = profile.id;
            if (!isCredentialSharableWithParent(profileId) || getSeparateProfileChallengeEnabledInternal(profileId)) {
                continue;
            }
            if (parentSecure) {
                tieProfileLockIfNecessary(profileId, LockscreenCredential.createNone());
                continue;
            }
            final Integer key = Integer.valueOf(profileId);
            if (map == null || !map.containsKey(key)) {
                // Without the old profile password the tied challenge cannot be cleared.
                Slog.wtf(TAG, "Attempt to clear tied challenge, but no password supplied.");
                continue;
            }
            setLockCredentialInternal(LockscreenCredential.createNone(), map.get(key), profileId, true);
            this.mStorage.removeChildProfileLock(profileId);
            removeKeystoreProfileKey(profileId);
        }
    }

    /**
     * Tells whether the user's credential is sharable with its parent and no separate profile
     * challenge is enabled for it.
     *
     * @param i user id to check
     */
    private boolean isProfileWithUnifiedLock(int i) {
        if (!isCredentialSharableWithParent(i)) {
            return false;
        }
        return !getSeparateProfileChallengeEnabledInternal(i);
    }

    /**
     * Passes the credential used for an unlock to {@code mRecoverableKeyStoreManager} for every
     * profile that shares this user's lock screen.
     *
     * <p>Nothing is sent for special user ids, for a "none" credential, or when the user is a
     * profile with a unified lock.
     *
     * @param lockscreenCredential credential that was just used
     * @param i user id the credential belongs to
     */
    private void sendCredentialsOnUnlockIfRequired(LockscreenCredential lockscreenCredential, int i) {
        final boolean skip = LockPatternUtils.isSpecialUserId(i) || lockscreenCredential.isNone() || isProfileWithUnifiedLock(i);
        if (skip) {
            return;
        }
        for (Integer profileId : getProfilesWithSameLockScreen(i)) {
            this.mRecoverableKeyStoreManager.lockScreenSecretAvailable(lockscreenCredential.getType(), lockscreenCredential.getCredential(), profileId.intValue());
        }
    }

    /**
     * Tells {@code mRecoverableKeyStoreManager} that the lock screen secret changed, once for
     * every profile that shares this user's lock screen.
     *
     * @param lockscreenCredential the new credential; a "none" credential is reported as a
     *     {@code null} secret
     * @param i user id whose credential changed
     * @param z when {@code true} nothing is sent
     */
    private void sendCredentialsOnChangeIfRequired(LockscreenCredential lockscreenCredential, int i, boolean z) {
        if (z) {
            return;
        }
        final byte[] secret;
        if (lockscreenCredential.isNone()) {
            secret = null;
        } else {
            secret = lockscreenCredential.getCredential();
        }
        for (Integer profileId : getProfilesWithSameLockScreen(i)) {
            this.mRecoverableKeyStoreManager.lockScreenSecretChanged(lockscreenCredential.getType(), secret, profileId.intValue());
        }
    }

    /**
     * Returns the user itself plus every profile in its profile group that has a unified lock.
     *
     * @param i user id of the parent
     * @return set of user ids that share the lock screen of {@code i}
     */
    private Set<Integer> getProfilesWithSameLockScreen(int i) {
        final ArraySet<Integer> sharing = new ArraySet<>();
        for (UserInfo profile : this.mUserManager.getProfiles(i)) {
            final boolean isSelf = profile.id == i;
            if (isSelf || (profile.profileGroupId == i && isProfileWithUnifiedLock(profile.id))) {
                sharing.add(Integer.valueOf(profile.id));
            }
        }
        return sharing;
    }

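    /**
     * Binder entry point that changes the lock screen credential of a user.
     *
     * <p>Access control: the caller needs {@code PERMISSION} or
     * {@code SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS}. A caller holding only
     * {@code SET_INITIAL_LOCK} is accepted solely when the saved credential is "none", i.e. it
     * cannot replace an existing credential. All checks run before the calling identity is
     * cleared.
     *
     * <p>The decompiled original restored the calling identity twice on the success path (once
     * inline and once in {@code finally}); it is now restored exactly once, in {@code finally}.
     *
     * @param lockscreenCredential the new credential
     * @param lockscreenCredential2 the currently saved credential
     * @param i user id whose credential is changed
     * @return {@code true} if the credential was changed, {@code false} if
     *     {@code setLockCredentialInternal} rejected the change
     * @throws UnsupportedOperationException if the device has no secure lock screen and the new
     *     credential's type is not {@code -1}
     * @throws SecurityException if the caller lacks the required permission
     */
    @Override // com.android.internal.widget.ILockSettings
    public boolean setLockCredential(LockscreenCredential lockscreenCredential, LockscreenCredential lockscreenCredential2, int i) {
        if (!this.mHasSecureLockScreen && lockscreenCredential != null && lockscreenCredential.getType() != -1) {
            throw new UnsupportedOperationException("This operation requires secure lock screen feature");
        }
        if (!hasPermission(PERMISSION) && !hasPermission("android.permission.SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS")) {
            // SET_INITIAL_LOCK is only honoured while no credential is set yet.
            final boolean settingInitialLock = hasPermission("android.permission.SET_INITIAL_LOCK") && lockscreenCredential2.isNone();
            if (!settingInitialLock) {
                throw new SecurityException("setLockCredential requires SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS or android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
            }
        }
        lockscreenCredential.validateBasicRequirements();
        final long callingIdentity = Binder.clearCallingIdentity();
        try {
            enforceFrpNotActive();
            if (!lockscreenCredential2.isNone() && isProfileWithUnifiedLock(i)) {
                // NOTE(review): the verification result is not inspected here. Presumably the call
                // is made so that the auth-bound profile key can be used by
                // setLockCredentialInternal right afterwards - confirm.
                verifyCredential(lockscreenCredential2, this.mUserManager.getProfileParent(i).id, 0);
                lockscreenCredential2.zeroize();
                lockscreenCredential2 = LockscreenCredential.createNone();
            }
            synchronized (this.mSeparateChallengeLock) {
                if (!setLockCredentialInternal(lockscreenCredential, lockscreenCredential2, i, false)) {
                    scheduleGc();
                    return false;
                }
                setSeparateProfileChallengeEnabledLocked(i, true, null);
                notifyPasswordChanged(lockscreenCredential, i);
                if (isCredentialSharableWithParent(i)) {
                    setDeviceUnlockedForUser(i);
                }
                notifySeparateProfileChallengeChanged(i);
                onPostPasswordChanged(lockscreenCredential, i);
                scheduleGc();
                return true;
            }
        } finally {
            Binder.restoreCallingIdentity(callingIdentity);
        }
    }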

    /**
     * Unlocks the user's LSKF-based protector with the saved credential and, on success, sets
     * the new credential. Runs under the {@code mSpManager} lock.
     *
     * <p>For a profile with a unified lock and a "none" saved credential, the saved credential
     * is replaced by the decrypted tied-profile password; if decryption fails the failure is
     * logged and the "none" credential is used.
     *
     * @param lockscreenCredential the new credential, must not be {@code null}
     * @param lockscreenCredential2 the saved credential, must not be {@code null}
     * @param i user id whose credential is changed
     * @param z forwarded to {@code sendCredentialsOnChangeIfRequired}
     * @return {@code true} if the credential was set; {@code false} if the saved credential was
     *     rejected (missing response or response code {@code -1}) or the response code is
     *     {@code 1} (logged as rate limit exceeded)
     * @throws IllegalStateException for any other response code
     */
    private boolean setLockCredentialInternal(LockscreenCredential lockscreenCredential, LockscreenCredential lockscreenCredential2, int i, boolean z) {
        Objects.requireNonNull(lockscreenCredential);
        Objects.requireNonNull(lockscreenCredential2);
        synchronized (this.mSpManager) {
            LockscreenCredential savedCredential = lockscreenCredential2;
            if (savedCredential.isNone() && isProfileWithUnifiedLock(i)) {
                try {
                    savedCredential = getDecryptedPasswordForTiedProfile(i);
                } catch (FileNotFoundException e) {
                    Slog.i(TAG, "Child profile key not found");
                } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e2) {
                    Slog.e(TAG, "Failed to decrypt child profile key", e2);
                }
            }
            final SyntheticPasswordManager.AuthenticationResult authResult = this.mSpManager.unlockLskfBasedProtector(getGateKeeperService(), getCurrentLskfBasedProtectorId(i), savedCredential, i, null);
            final SyntheticPasswordManager.SyntheticPassword sp = authResult.syntheticPassword;
            if (sp != null) {
                onSyntheticPasswordUnlocked(i, sp);
                setLockCredentialWithSpLocked(lockscreenCredential, sp, i);
                sendCredentialsOnChangeIfRequired(lockscreenCredential, i, z);
                return true;
            }
            final VerifyCredentialResponse gkResponse = authResult.gkResponse;
            if (gkResponse == null || gkResponse.getResponseCode() == -1) {
                Slog.w(TAG, "Failed to enroll: incorrect credential.");
                return false;
            }
            if (gkResponse.getResponseCode() == 1) {
                Slog.w(TAG, "Failed to enroll: rate limit exceeded.");
                return false;
            }
            // No synthetic password although the response is neither an error nor a retry.
            throw new IllegalStateException("password change failed");
        }
    }

    /**
     * Follow-up work after a credential change: updates the password history, tells the trust
     * manager that the enabled trust agents changed, and sends the main-user notification if
     * one is needed.
     *
     * @param lockscreenCredential the new credential
     * @param i user id whose credential changed
     */
    private void onPostPasswordChanged(LockscreenCredential lockscreenCredential, int i) {
        updatePasswordHistory(lockscreenCredential, i);
        final TrustManager trustManager = (TrustManager) this.mContext.getSystemService(TrustManager.class);
        trustManager.reportEnabledTrustAgentsChanged(i);
        sendMainUserCredentialChangedNotificationIfNeeded(i);
    }

    /**
     * Prepends the hash of the new credential to the user's stored password history and trims
     * the history to the requested length.
     *
     * <p>Nothing is stored for a "none" credential or a pattern. When the requested history
     * length is zero the stored history is cleared. The history is a comma-separated string
     * under the key {@code lockscreen.passwordhistory}, newest entry first; only hashes, never
     * the credential itself, are written.
     *
     * @param lockscreenCredential the new credential
     * @param i user id the history belongs to
     */
    private void updatePasswordHistory(LockscreenCredential lockscreenCredential, int i) {
        if (lockscreenCredential.isNone() || lockscreenCredential.isPattern()) {
            return;
        }
        final String stored = getString("lockscreen.passwordhistory", null, i);
        final String previousHistory = (stored != null) ? stored : "";
        final int historyLength = getRequestedPasswordHistoryLength(i);
        final String updatedHistory;
        if (historyLength == 0) {
            updatedHistory = "";
        } else {
            Slogf.d(TAG, "Adding new password to password history for user %d", Integer.valueOf(i));
            final String newHash = lockscreenCredential.passwordToHistoryHash(getSalt(i).getBytes(), getHashFactor(lockscreenCredential, i));
            if (newHash == null) {
                Slog.e(TAG, "Failed to compute password hash; password history won't be updated");
                return;
            }
            if (previousHistory.isEmpty()) {
                updatedHistory = newHash;
            } else {
                final String[] oldHashes = previousHistory.split(",");
                // The new hash takes one slot, so at most historyLength - 1 old ones survive.
                final int keep = Math.min(historyLength - 1, oldHashes.length);
                final StringJoiner joined = new StringJoiner(",");
                joined.add(newHash);
                for (int k = 0; k < keep; k++) {
                    joined.add(oldHashes[k]);
                }
                updatedHistory = joined.toString();
            }
        }
        setString("lockscreen.passwordhistory", updatedHistory, i);
    }

    /**
     * Returns the user's password salt as a hex string, creating and persisting a random one
     * under {@code lockscreen.password_salt} when the stored value is zero.
     *
     * @param i user id the salt belongs to
     */
    private String getSalt(int i) {
        final long stored = getLong("lockscreen.password_salt", 0L, i);
        if (stored != 0) {
            return Long.toHexString(stored);
        }
        // Zero doubles as the "not set" marker, so a fresh random salt is generated and saved.
        final long fresh = SecureRandomUtils.randomLong();
        setLong("lockscreen.password_salt", fresh, i);
        return Long.toHexString(fresh);
    }

    /**
     * Returns the password history length reported by the device policy manager for the user,
     * queried with a {@code null} first argument.
     *
     * @param i user id to query
     */
    private int getRequestedPasswordHistoryLength(int i) {
        final int requestedLength = this.mInjector.getDevicePolicyManager().getPasswordHistoryLength(null, i);
        return requestedLength;
    }

    /**
     * Returns the {@link UserManager} bound to the given user, creating it through a package
     * context for that user and caching it on first use.
     *
     * @param i user id
     * @throws RuntimeException if the package context for the user cannot be created
     */
    private UserManager getUserManagerFromCache(int i) {
        final UserHandle user = UserHandle.of(i);
        if (!this.mUserManagerCache.containsKey(user)) {
            try {
                final Context userContext = this.mContext.createPackageContextAsUser("system", 0, user);
                final UserManager created = userContext.getSystemService(UserManager.class);
                this.mUserManagerCache.put(user, created);
                return created;
            } catch (PackageManager.NameNotFoundException e) {
                throw new RuntimeException("Failed to create context for user " + user, e);
            }
        }
        return this.mUserManagerCache.get(user);
    }

    /**
     * Asks the per-user {@link UserManager} whether the user's credential is sharable with its
     * parent.
     *
     * @param i user id to check
     */
    @VisibleForTesting
    protected boolean isCredentialSharableWithParent(int i) {
        final UserManager userManager = getUserManagerFromCache(i);
        return userManager.isCredentialSharableWithParent();
    }

    /**
     * Registers a listener for weak escrow token removal with {@code mSpManager}.
     *
     * <p>{@code checkManageWeakEscrowTokenMethodUsage()} runs first, while the caller's identity
     * is still in place; the registration itself runs with the calling identity cleared.
     *
     * @param iWeakEscrowTokenRemovedListener listener to register
     * @return the result reported by {@code mSpManager}
     */
    @Override // com.android.internal.widget.ILockSettings
    public boolean registerWeakEscrowTokenRemovedListener(@NonNull IWeakEscrowTokenRemovedListener iWeakEscrowTokenRemovedListener) {
        checkManageWeakEscrowTokenMethodUsage();
        final long callingIdentity = Binder.clearCallingIdentity();
        try {
            return this.mSpManager.registerWeakEscrowTokenRemovedListener(iWeakEscrowTokenRemovedListener);
        } finally {
            Binder.restoreCallingIdentity(callingIdentity);
        }
    }

    /**
     * Unregisters a weak escrow token removal listener from {@code mSpManager}.
     *
     * <p>{@code checkManageWeakEscrowTokenMethodUsage()} runs first, while the caller's identity
     * is still in place; the unregistration itself runs with the calling identity cleared.
     *
     * @param iWeakEscrowTokenRemovedListener listener to unregister
     * @return the result reported by {@code mSpManager}
     */
    @Override // com.android.internal.widget.ILockSettings
    public boolean unregisterWeakEscrowTokenRemovedListener(@NonNull IWeakEscrowTokenRemovedListener iWeakEscrowTokenRemovedListener) {
        checkManageWeakEscrowTokenMethodUsage();
        final long callingIdentity = Binder.clearCallingIdentity();
        try {
            return this.mSpManager.unregisterWeakEscrowTokenRemovedListener(iWeakEscrowTokenRemovedListener);
        } finally {
            Binder.restoreCallingIdentity(callingIdentity);
        }
    }

    /**
     * Adds an escrow token of type {@code 1} for the user and forwards its activation to the
     * supplied listener.
     *
     * <p>{@code checkManageWeakEscrowTokenMethodUsage()} runs before anything else, while the
     * caller's identity is still in place. A failure to notify the listener is only logged.
     *
     * @param bArr token bytes
     * @param i user id the token is added for
     * @param iWeakEscrowTokenActivatedListener listener notified on activation, must not be
     *     {@code null}
     * @return the value returned by {@code addEscrowToken}
     */
    @Override // com.android.internal.widget.ILockSettings
    public long addWeakEscrowToken(byte[] bArr, int i, @NonNull IWeakEscrowTokenActivatedListener iWeakEscrowTokenActivatedListener) {
        checkManageWeakEscrowTokenMethodUsage();
        Objects.requireNonNull(iWeakEscrowTokenActivatedListener, "Listener can not be null.");
        final LockPatternUtils.EscrowTokenStateChangeCallback onActivated = (handle, userId) -> {
            try {
                iWeakEscrowTokenActivatedListener.onWeakEscrowTokenActivated(handle, userId);
            } catch (RemoteException e) {
                Slog.e(TAG, "Exception while notifying weak escrow token has been activated", e);
            }
        };
        final long callingIdentity = Binder.clearCallingIdentity();
        try {
            return addEscrowToken(bArr, 1, i, onActivated);
        } finally {
            Binder.restoreCallingIdentity(callingIdentity);
        }
    }

    /**
     * Removes an escrow token of the user.
     *
     * <p>{@code checkManageWeakEscrowTokenMethodUsage()} runs first, while the caller's identity
     * is still in place; the removal runs with the calling identity cleared.
     *
     * @param j token handle
     * @param i user id the token belongs to
     * @return the result of {@code removeEscrowToken}
     */
    @Override // com.android.internal.widget.ILockSettings
    public boolean removeWeakEscrowToken(long j, int i) {
        checkManageWeakEscrowTokenMethodUsage();
        final long callingIdentity = Binder.clearCallingIdentity();
        try {
            return removeEscrowToken(j, i);
        } finally {
            Binder.restoreCallingIdentity(callingIdentity);
        }
    }

    /**
     * Tells whether an escrow token of the user is active.
     *
     * <p>{@code checkManageWeakEscrowTokenMethodUsage()} runs first, while the caller's identity
     * is still in place; the query runs with the calling identity cleared.
     *
     * @param j token handle
     * @param i user id the token belongs to
     * @return the result of {@code isEscrowTokenActive}
     */
    @Override // com.android.internal.widget.ILockSettings
    public boolean isWeakEscrowTokenActive(long j, int i) {
        checkManageWeakEscrowTokenMethodUsage();
        final long callingIdentity = Binder.clearCallingIdentity();
        try {
            return isEscrowTokenActive(j, i);
        } finally {
            Binder.restoreCallingIdentity(callingIdentity);
        }
    }

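    /**
     * Checks whether a weak escrow token unlocks the user's synthetic password.
     *
     * <p>JADX failed to decompile this method and left a stub that always threw
     * {@code UnsupportedOperationException}. The body below is rebuilt from the register-level
     * dump the decompiler emitted: usage check, calling identity cleared, the {@code mSpManager}
     * monitor held around both checks, identity restored on every exit. The dump shows the log
     * tag as the literal {@code "LockSettingsService"}, which is assumed to be the inlined value
     * of {@code TAG}.
     *
     * @param r8 token handle
     * @param r10 token bytes
     * @param r11 user id
     * @return {@code false} if the user has no escrow data or the token does not yield a
     *     synthetic password, {@code true} otherwise
     */
    @Override // com.android.internal.widget.ILockSettings
    public boolean isWeakEscrowTokenValid(long r8, byte[] r10, int r11) {
        checkManageWeakEscrowTokenMethodUsage();
        final long callingIdentity = Binder.clearCallingIdentity();
        try {
            synchronized (this.mSpManager) {
                if (!this.mSpManager.hasEscrowData(r11)) {
                    Slog.w(TAG, "Escrow token is disabled on the current user");
                    return false;
                }
                final SyntheticPasswordManager.AuthenticationResult authResult = this.mSpManager.unlockWeakTokenBasedProtector(getGateKeeperService(), r8, r10, r11);
                if (authResult.syntheticPassword == null) {
                    Slog.w(TAG, "Invalid escrow token supplied");
                    return false;
                }
                return true;
            }
        } finally {
            Binder.restoreCallingIdentity(callingIdentity);
        }
    }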

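    /**
     * Encrypts the profile's credential with a fresh AES-GCM key and stores the result as the
     * child profile lock.
     *
     * <p>The same key is imported into Keystore twice: an encrypt-only entry with no
     * authentication requirement, used once here and then deleted, and a decrypt-only entry that
     * requires user authentication, is bound to the parent's secure user id and is usable for 30
     * seconds after authentication. The stored blob is the 12-byte IV followed by the
     * ciphertext.
     *
     * <p>Fixes over the decompiled original: the array passed to {@code ArrayUtils.concat} is
     * built as {@code byte[][]} (JADX emitted {@code new byte[]{iv, doFinal}}, which does not
     * compile), and the encrypt entry is deleted exactly once in a {@code finally} block instead
     * of once inline and again in a catch-all handler.
     *
     * @param i user id of the profile
     * @param i2 user id of the parent
     * @param lockscreenCredential the profile credential to protect
     * @throws IllegalStateException if GateKeeper cannot be reached or encryption fails
     * @throws IllegalArgumentException if the cipher reports an IV that is not 12 bytes long
     */
    @VisibleForTesting
    protected void tieProfileLockToParent(int i, int i2, LockscreenCredential lockscreenCredential) {
        Slogf.i(TAG, "Tying lock for profile user %d to parent user %d", Integer.valueOf(i), Integer.valueOf(i2));
        try {
            final long parentSid = getGateKeeperService().getSecureUserId(i2);
            try {
                final KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
                keyGenerator.init(new SecureRandom());
                final SecretKey profileKey = keyGenerator.generateKey();
                byte[] ciphertext;
                byte[] iv;
                try {
                    // Builder purposes 1 and 2 are KeyProperties.PURPOSE_ENCRYPT / PURPOSE_DECRYPT.
                    this.mKeyStore.setEntry(PROFILE_KEY_NAME_ENCRYPT + i, new KeyStore.SecretKeyEntry(profileKey), new KeyProtection.Builder(1).setBlockModes("GCM").setEncryptionPaddings("NoPadding").build());
                    this.mKeyStore.setEntry(PROFILE_KEY_NAME_DECRYPT + i, new KeyStore.SecretKeyEntry(profileKey), new KeyProtection.Builder(2).setBlockModes("GCM").setEncryptionPaddings("NoPadding").setUserAuthenticationRequired(true).setBoundToSpecificSecureUserId(parentSid).setUserAuthenticationValidityDurationSeconds(30).build());
                    final SecretKey encryptKey = (SecretKey) this.mKeyStore.getKey(PROFILE_KEY_NAME_ENCRYPT + i, null);
                    final Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
                    cipher.init(Cipher.ENCRYPT_MODE, encryptKey);
                    ciphertext = cipher.doFinal(lockscreenCredential.getCredential());
                    iv = cipher.getIV();
                } finally {
                    // The unauthenticated encrypt entry must not outlive this call.
                    this.mKeyStore.deleteEntry(PROFILE_KEY_NAME_ENCRYPT + i);
                }
                if (iv.length != 12) {
                    throw new IllegalArgumentException("Invalid iv length: " + iv.length);
                }
                this.mStorage.writeChildProfileLock(i, ArrayUtils.concat(new byte[][] {iv, ciphertext}));
            } catch (InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                throw new IllegalStateException("Failed to encrypt key", e);
            }
        } catch (RemoteException e2) {
            throw new IllegalStateException("Failed to talk to GateKeeper service", e2);
        }
    }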

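    /**
     * Protects the user's CE storage with the file-based encryption key derived from the
     * synthetic password.
     *
     * <p>The storage manager is called with the calling identity cleared. The derived key is
     * zeroed once the call has returned or failed, in line with how {@code unlockCeStorage}
     * handles the same kind of key; the original left it on the heap.
     *
     * @param i user id
     * @param syntheticPassword synthetic password the key is derived from
     * @throws IllegalStateException if the storage manager call fails with a
     *     {@code RemoteException}
     */
    private void setCeStorageProtection(int i, SyntheticPasswordManager.SyntheticPassword syntheticPassword) {
        final byte[] ceKey = syntheticPassword.deriveFileBasedEncryptionKey();
        final long callingIdentity = Binder.clearCallingIdentity();
        try {
            this.mStorageManager.setCeStorageProtection(i, ceKey);
        } catch (RemoteException e) {
            throw new IllegalStateException("Failed to protect CE key for user " + i, e);
        } finally {
            Binder.restoreCallingIdentity(callingIdentity);
            // Wipe the derived key on every exit path.
            Arrays.fill(ceKey, (byte) 0);
        }
    }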

    /**
     * Asks the storage manager whether the user's CE storage is unlocked.
     *
     * @param i user id
     * @return the storage manager's answer, or {@code false} if the call fails with a
     *     {@code RemoteException} (the failure is logged)
     */
    private boolean isCeStorageUnlocked(int i) {
        boolean unlocked = false;
        try {
            unlocked = this.mStorageManager.isCeStorageUnlocked(i);
        } catch (RemoteException e) {
            Slog.e(TAG, "Error checking whether CE storage is unlocked", e);
        }
        return unlocked;
    }

    /**
     * Unlocks the user's CE storage with the file-based encryption key derived from the
     * synthetic password, unless it is already unlocked.
     *
     * <p>The derived key is zeroed on every exit path. A {@code RemoteException} from the
     * storage manager is reported through {@code Slogf.wtf} and not rethrown.
     *
     * @param i user id
     * @param syntheticPassword synthetic password the key is derived from
     */
    private void unlockCeStorage(int i, SyntheticPasswordManager.SyntheticPassword syntheticPassword) {
        if (isCeStorageUnlocked(i)) {
            Slogf.d(TAG, "CE storage for user %d is already unlocked", Integer.valueOf(i));
            return;
        }
        final String userState = isUserSecure(i) ? "secured" : "unsecured";
        final byte[] ceKey = syntheticPassword.deriveFileBasedEncryptionKey();
        try {
            this.mStorageManager.unlockCeStorage(i, ceKey);
            Slogf.i(TAG, "Unlocked CE storage for %s user %d", userState, Integer.valueOf(i));
        } catch (RemoteException e) {
            Slogf.wtf(TAG, e, "Failed to unlock CE storage for %s user %d", userState, Integer.valueOf(i));
        } finally {
            Arrays.fill(ceKey, (byte) 0);
        }
    }

    /**
     * Unlocks the CE storage of a user that has no secure lock screen.
     *
     * <p>Requires the password-read permission. Under the {@code mSpManager} lock, the method
     * returns early if CE storage is already unlocked or if the user is secured; otherwise it
     * unwraps the synthetic password with a "none" credential and uses it to unlock Keystore
     * (only when {@code FIX_UNLOCKED_DEVICE_REQUIRED_KEYS} is set) and CE storage.
     *
     * @param i user id
     */
    @Override // com.android.internal.widget.ILockSettings
    public void unlockUserKeyIfUnsecured(int i) {
        checkPasswordReadPermission();
        synchronized (this.mSpManager) {
            if (isCeStorageUnlocked(i)) {
                Slogf.d(TAG, "CE storage for user %d is already unlocked", Integer.valueOf(i));
                return;
            }
            if (isUserSecure(i)) {
                // A secured user's storage is only unlocked with the user's credential.
                Slogf.d(TAG, "Not unlocking CE storage for user %d yet because user is secured", Integer.valueOf(i));
                return;
            }
            Slogf.i(TAG, "Unwrapping synthetic password for unsecured user %d", Integer.valueOf(i));
            final SyntheticPasswordManager.AuthenticationResult authResult = this.mSpManager.unlockLskfBasedProtector(getGateKeeperService(), getCurrentLskfBasedProtectorId(i), LockscreenCredential.createNone(), i, null);
            final SyntheticPasswordManager.SyntheticPassword sp = authResult.syntheticPassword;
            if (sp == null) {
                Slogf.wtf(TAG, "Failed to unwrap synthetic password for unsecured user %d", Integer.valueOf(i));
                return;
            }
            onSyntheticPasswordUnlocked(i, sp);
            if (FIX_UNLOCKED_DEVICE_REQUIRED_KEYS) {
                unlockKeystore(i, sp);
            }
            unlockCeStorage(i, sp);
        }
    }

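    /**
     * Clears the Keystore namespaces of the user's profiles and then re-creates the tied profile
     * locks that the reset destroyed.
     *
     * <p>Requires the write permission. Before clearing anything, the credentials of all tied
     * profiles that have a stored lock are decrypted; a profile that fails to decrypt is logged
     * and skipped. After the clear, whether it succeeded or threw, each saved credential is tied
     * to the parent again and zeroized.
     *
     * <p>Fixes over the decompiled original: the inner loop indexes {@code SYSTEM_CREDENTIAL_UIDS}
     * (JADX emitted an undefined {@code r0[i3]}), the duplicated restore loop is a single
     * {@code finally} block, each credential is zeroized even if re-tying it throws, and the
     * lists are typed instead of raw.
     *
     * @param i user id whose Keystore is reset
     */
    @Override // com.android.internal.widget.ILockSettings
    public void resetKeyStore(int i) {
        checkWritePermission();
        Slogf.d(TAG, "Resetting keystore for user %d", Integer.valueOf(i));
        final List<Integer> tiedProfileIds = new ArrayList<>();
        final List<LockscreenCredential> tiedProfileCredentials = new ArrayList<>();
        for (UserInfo profile : this.mUserManager.getProfiles(i)) {
            if (isCredentialSharableWithParent(profile.id) && !getSeparateProfileChallengeEnabledInternal(profile.id) && this.mStorage.hasChildProfileLock(profile.id)) {
                try {
                    // Credential first: the id is only recorded once decryption succeeded.
                    tiedProfileCredentials.add(getDecryptedPasswordForTiedProfile(profile.id));
                    tiedProfileIds.add(Integer.valueOf(profile.id));
                } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                    Slog.e(TAG, "Failed to decrypt child profile key", e);
                }
            }
        }
        try {
            for (int profileId : this.mUserManager.getProfileIdsWithDisabled(i)) {
                for (int k = 0; k < SYSTEM_CREDENTIAL_UIDS.length; k++) {
                    AndroidKeyStoreMaintenance.clearNamespace(0, UserHandle.getUid(profileId, SYSTEM_CREDENTIAL_UIDS[k]));
                }
            }
            if (this.mUserManager.getUserInfo(i).isPrimary()) {
                AndroidKeyStoreMaintenance.clearNamespace(2, 102L);
            }
        } finally {
            for (int k = 0; k < tiedProfileIds.size(); k++) {
                final int profileId = tiedProfileIds.get(k).intValue();
                final LockscreenCredential profileCredential = tiedProfileCredentials.get(k);
                try {
                    if (profileId != -1 && profileCredential != null) {
                        tieProfileLockToParent(profileId, i, profileCredential);
                    }
                } finally {
                    if (profileCredential != null) {
                        profileCredential.zeroize();
                    }
                }
            }
        }
    }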

    /**
     * Verifies a credential for the user, reporting progress to the given callback.
     *
     * <p>Requires the password-read permission; the verification runs with the calling identity
     * cleared. The identity is restored and a GC scheduled on every exit path.
     *
     * @param lockscreenCredential credential to check
     * @param i user id
     * @param iCheckCredentialProgressCallback progress callback forwarded to
     *     {@code doVerifyCredential}
     * @return the response of {@code doVerifyCredential}
     */
    @Override // com.android.internal.widget.ILockSettings
    public VerifyCredentialResponse checkCredential(LockscreenCredential lockscreenCredential, int i, ICheckCredentialProgressCallback iCheckCredentialProgressCallback) {
        checkPasswordReadPermission();
        final long callingIdentity = Binder.clearCallingIdentity();
        try {
            return doVerifyCredential(lockscreenCredential, i, iCheckCredentialProgressCallback, 0);
        } finally {
            Binder.restoreCallingIdentity(callingIdentity);
            scheduleGc();
        }
    }

    /**
     * Verifies a lockscreen credential with caller-supplied verification flags.
     *
     * <p>The caller must hold either the permission named by {@code PERMISSION} or
     * {@code android.permission.SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS}; the check is made before
     * the calling identity is cleared.
     *
     * @param lockscreenCredential credential to verify
     * @param i id of the user whose credential is being verified
     * @param i2 flag bits forwarded unchanged to {@code doVerifyCredential}
     * @return the verification response
     * @throws SecurityException if the caller holds neither permission
     */
    @Override // com.android.internal.widget.ILockSettings
    @Nullable
    public VerifyCredentialResponse verifyCredential(LockscreenCredential lockscreenCredential, int i, int i2) {
        final boolean allowed = hasPermission(PERMISSION) || hasPermission("android.permission.SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS");
        if (!allowed) {
            throw new SecurityException("verifyCredential requires SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS or android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
        }
        final long identityToken = Binder.clearCallingIdentity();
        try {
            return doVerifyCredential(lockscreenCredential, i, null, i2);
        } finally {
            Binder.restoreCallingIdentity(identityToken);
            scheduleGc();
        }
    }

    /**
     * Verifies a challenge using a Gatekeeper password previously cached under a handle.
     *
     * <p>The cached bytes are looked up under the {@code mGatekeeperPasswords} lock; the
     * verification itself runs under the {@code mSpManager} lock. An unknown or already expired
     * handle yields {@link VerifyCredentialResponse#ERROR}.
     *
     * @param j handle returned when the Gatekeeper password was cached
     * @param j2 value passed to {@code verifyChallengeInternal} (presumably the challenge)
     * @param i value passed to {@code verifyChallengeInternal} (presumably the user id)
     * @return the verification response, or {@code ERROR} when no password is cached for the handle
     */
    @Override // com.android.internal.widget.ILockSettings
    public VerifyCredentialResponse verifyGatekeeperPasswordHandle(long j, long j2, int i) {
        checkPasswordReadPermission();
        final byte[] cachedGkPassword;
        synchronized (this.mGatekeeperPasswords) {
            cachedGkPassword = this.mGatekeeperPasswords.get(j);
        }
        synchronized (this.mSpManager) {
            if (cachedGkPassword != null) {
                return this.mSpManager.verifyChallengeInternal(getGateKeeperService(), cachedGkPassword, j2, i);
            }
            // The handle value itself is deliberately not part of this message.
            Slog.d(TAG, "No gatekeeper password for handle");
            return VerifyCredentialResponse.ERROR;
        }
    }

    /**
     * Drops the cached Gatekeeper password stored under the given handle.
     *
     * <p>Only the map entry is removed; the byte array is not overwritten here.
     *
     * @param j handle of the cached Gatekeeper password to forget
     */
    @Override // com.android.internal.widget.ILockSettings
    public void removeGatekeeperPasswordHandle(long j) {
        checkPasswordReadPermission();
        synchronized (mGatekeeperPasswords) {
            mGatekeeperPasswords.remove(j);
        }
    }

    /**
     * Core credential verification shared by the Binder entry points.
     *
     * <p>No permission check is made here; the callers visible in this file check permissions
     * before calling. Log lines in this method carry the user id only, never the credential.
     *
     * @param lockscreenCredential credential to verify; must be non-null and not "none"
     * @param i user id, or one of the special ids handled below (-9999, -9998)
     * @param iCheckCredentialProgressCallback progress callback, may be null
     * @param i2 flag bits: bit 0 requests a Gatekeeper password handle in the response, bit 1
     *     requests that the repair mode credential be written after a successful verification
     * @return the verification response
     * @throws IllegalArgumentException if the credential is null or empty
     */
    private VerifyCredentialResponse doVerifyCredential(LockscreenCredential lockscreenCredential, int i, ICheckCredentialProgressCallback iCheckCredentialProgressCallback, int i2) {
        if (lockscreenCredential == null || lockscreenCredential.isNone()) {
            throw new IllegalArgumentException("Credential can't be null or empty");
        }
        // -9999 is the FRP pseudo-user (per the log message): refused once the device is provisioned.
        if (i == -9999 && Settings.Global.getInt(this.mContext.getContentResolver(), "device_provisioned", 0) != 0) {
            Slog.e(TAG, "FRP credential can only be verified prior to provisioning.");
            return VerifyCredentialResponse.ERROR;
        }
        // -9998 is the repair mode pseudo-user (per the log message): refused unless repair mode is active.
        if (i == -9998 && !LockPatternUtils.isRepairModeActive(this.mContext)) {
            Slog.e(TAG, "Repair mode is not active on the device.");
            return VerifyCredentialResponse.ERROR;
        }
        Slogf.i(TAG, "Verifying lockscreen credential for user %d", Integer.valueOf(i));
        synchronized (this.mSpManager) {
            if (LockPatternUtils.isSpecialUserId(i)) {
                // Special ids take a separate path that returns before the unlock side effects
                // and the listener notification further down.
                VerifyCredentialResponse verifySpecialUserCredential = this.mSpManager.verifySpecialUserCredential(i, getGateKeeperService(), lockscreenCredential, iCheckCredentialProgressCallback);
                if (Flags.frpEnforcement() && verifySpecialUserCredential.isMatched() && i == -9999) {
                    // A matching FRP credential deactivates factory reset protection.
                    this.mStorage.deactivateFactoryResetProtectionWithoutSecret();
                }
                return verifySpecialUserCredential;
            }
            long currentLskfBasedProtectorId = getCurrentLskfBasedProtectorId(i);
            SyntheticPasswordManager.AuthenticationResult unlockLskfBasedProtector = this.mSpManager.unlockLskfBasedProtector(getGateKeeperService(), currentLskfBasedProtectorId, lockscreenCredential, i, iCheckCredentialProgressCallback);
            VerifyCredentialResponse verifyCredentialResponse = unlockLskfBasedProtector.gkResponse;
            // Response code 0 is the success code (see the "Successfully verified" log below).
            if (verifyCredentialResponse.getResponseCode() == 0) {
                if ((i2 & 2) != 0 && !this.mSpManager.writeRepairModeCredentialLocked(currentLskfBasedProtectorId, i)) {
                    // The credential matched, but the caller gets ERROR and none of the unlock
                    // side effects or listener notifications below run on this path.
                    Slog.e(TAG, "Failed to write repair mode credential");
                    return VerifyCredentialResponse.ERROR;
                }
                this.mBiometricDeferredQueue.addPendingLockoutResetForUser(i, unlockLskfBasedProtector.syntheticPassword.deriveGkPassword());
            }
            if (verifyCredentialResponse.getResponseCode() == 0) {
                Slogf.i(TAG, "Successfully verified lockscreen credential for user %d", Integer.valueOf(i));
                onCredentialVerified(unlockLskfBasedProtector.syntheticPassword, PasswordMetrics.computeForCredential(lockscreenCredential), i);
                if ((i2 & 1) != 0) {
                    // The derived Gatekeeper password is cached server-side; the caller only
                    // receives the handle under which it was stored.
                    verifyCredentialResponse = new VerifyCredentialResponse.Builder().setGatekeeperPasswordHandle(storeGatekeeperPasswordTemporarily(unlockLskfBasedProtector.syntheticPassword.deriveGkPassword())).build();
                }
                sendCredentialsOnUnlockIfRequired(lockscreenCredential, i);
            } else if (verifyCredentialResponse.getResponseCode() == 1 && verifyCredentialResponse.getTimeout() > 0) {
                // Code 1 with a positive timeout: strong auth is required with reason flag 8
                // (presumably the lockout reason; confirm against the StrongAuthTracker flags).
                // NOTE(review): this calls the public requireStrongAuth(), which runs
                // checkWritePermission() against whatever calling identity is in effect.
                requireStrongAuth(8, i);
            }
            if (Flags.reportPrimaryAuthAttempts()) {
                notifyLockSettingsStateListeners(verifyCredentialResponse.getResponseCode() == 0, i);
            }
            return verifyCredentialResponse;
        }
    }

    /**
     * Reports the outcome of an authentication attempt to every registered state listener.
     *
     * @param z {@code true} to report success, {@code false} to report failure
     * @param i id of the user the attempt was made for
     */
    private void notifyLockSettingsStateListeners(boolean z, int i) {
        for (LockSettingsStateListener listener : this.mLockSettingsStateListeners) {
            if (!z) {
                listener.onAuthenticationFailed(i);
                continue;
            }
            listener.onAuthenticationSucceeded(i);
        }
    }

    /**
     * Verifies the parent user's credential and, on success, unlocks a profile whose lock is
     * tied to the parent.
     *
     * <p>The supplied credential is verified against the profile's parent first. Only when that
     * returns response code 0 is the profile's own stored credential decrypted and verified for
     * the profile itself.
     *
     * @param lockscreenCredential credential of the parent user
     * @param i id of the profile; must satisfy {@code isProfileWithUnifiedLock}
     * @param i2 flag bits forwarded to both {@code doVerifyCredential} calls
     * @return the parent's response when it is not a success, otherwise the profile's response
     * @throws IllegalArgumentException if {@code i} is not a profile with a unified lock
     * @throws IllegalStateException if the profile's stored credential cannot be decrypted
     */
    @Override // com.android.internal.widget.ILockSettings
    public VerifyCredentialResponse verifyTiedProfileChallenge(LockscreenCredential lockscreenCredential, int i, int i2) {
        checkPasswordReadPermission();
        Slogf.i(TAG, "Verifying tied profile challenge for user %d", Integer.valueOf(i));
        if (!isProfileWithUnifiedLock(i)) {
            throw new IllegalArgumentException("User id must be managed/clone profile with unified lock");
        }
        // NOTE(review): unlike checkCredential()/verifyCredential(), the calling identity is not
        // cleared before doVerifyCredential(), so permission checks made further down (for
        // example requireStrongAuth() -> checkWritePermission()) run against the Binder caller.
        // Confirm this is intended.
        VerifyCredentialResponse doVerifyCredential = doVerifyCredential(lockscreenCredential, this.mUserManager.getProfileParent(i).id, null, i2);
        try {
            if (doVerifyCredential.getResponseCode() != 0) {
                // Parent verification failed: hand back the parent's response unchanged.
                return doVerifyCredential;
            }
            try {
                // NOTE(review): the decrypted profile credential is not zeroized in this method
                // after use; verify whether the callee or its owner wipes it.
                VerifyCredentialResponse doVerifyCredential2 = doVerifyCredential(getDecryptedPasswordForTiedProfile(i), i, null, i2);
                scheduleGc();
                return doVerifyCredential2;
            } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                // The crypto failure is logged locally; the exception thrown to the caller
                // carries only a generic message and no cause.
                Slog.e(TAG, "Failed to decrypt child profile key", e);
                throw new IllegalStateException("Unable to get tied profile token");
            }
        } catch (Throwable th) {
            scheduleGc();
            throw th;
        }
    }

    /**
     * Caches the password metrics computed from a credential for the given user.
     *
     * <p>Only the derived metrics are stored, not the credential itself.
     *
     * @param lockscreenCredential credential to derive metrics from
     * @param i id of the user the metrics belong to
     */
    private void setUserPasswordMetrics(LockscreenCredential lockscreenCredential, int i) {
        synchronized (this) {
            final PasswordMetrics computed = PasswordMetrics.computeForCredential(lockscreenCredential);
            mUserPasswordMetrics.put(i, computed);
        }
    }

    /**
     * Returns the cached password metrics for a user.
     *
     * @param i id of the user
     * @return metrics constructed with type {@code -1} when the user is not secure; otherwise the
     *     cached entry, which may be {@code null} if nothing has been cached for the user
     */
    @VisibleForTesting
    PasswordMetrics getUserPasswordMetrics(int i) {
        if (isUserSecure(i)) {
            synchronized (this) {
                return this.mUserPasswordMetrics.get(i);
            }
        }
        return new PasswordMetrics(-1);
    }

    /**
     * Loads the stored password metrics of a user by means of the synthetic password.
     *
     * @param syntheticPassword synthetic password of the user
     * @param i id of the user
     * @return the stored metrics, or {@code null} when the user is not secure
     */
    @Nullable
    private PasswordMetrics loadPasswordMetrics(SyntheticPasswordManager.SyntheticPassword syntheticPassword, int i) {
        synchronized (this.mSpManager) {
            return isUserSecure(i)
                    ? this.mSpManager.getPasswordMetrics(syntheticPassword, getCurrentLskfBasedProtectorId(i), i)
                    : null;
        }
    }

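    /**
     * Notifies device policy and the window manager, on the handler thread, that a user's
     * lockscreen credential changed.
     *
     * <p>The metrics are computed before the task is posted, so the queued task holds only the
     * derived metrics and never the credential. That keeps the secret from living in the handler
     * queue and avoids reading a credential that the caller may already have zeroized by the time
     * the task runs.
     *
     * @param lockscreenCredential the new credential; only read synchronously within this call
     * @param i id of the user whose credential changed
     */
    private void notifyPasswordChanged(LockscreenCredential lockscreenCredential, int i) {
        final PasswordMetrics metrics = PasswordMetrics.computeForCredential(lockscreenCredential);
        this.mHandler.post(() -> {
            this.mInjector.getDevicePolicyManager().reportPasswordChanged(metrics, i);
            ((WindowManagerInternal) LocalServices.getService(WindowManagerInternal.class)).reportPasswordChanged(i);
        });
    }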

    /**
     * Creates the lock settings state for a newly added user, or queues the creation until
     * third-party apps have started.
     *
     * @param i id of the new user
     * @param i2 value recorded for the user and passed to
     *     {@code removeStateForReusedUserIdIfNecessary} (presumably the user serial number)
     */
    private void createNewUser(int i, int i2) {
        if (FIX_UNLOCKED_DEVICE_REQUIRED_KEYS) {
            AndroidKeyStoreMaintenance.onUserAdded(i);
        }
        synchronized (this.mUserCreationAndRemovalLock) {
            if (!this.mThirdPartyAppsStarted) {
                Slogf.i(TAG, "Delaying locksettings state creation for user %d until third-party apps are started", Integer.valueOf(i));
                this.mEarlyCreatedUsers.put(i, i2);
                // A creation supersedes any removal queued earlier for the same id.
                this.mEarlyRemovedUsers.delete(i);
                return;
            }
            // Stale state left behind under a reused user id is cleared before new secrets are created.
            removeStateForReusedUserIdIfNecessary(i, i2);
            initializeSyntheticPassword(i);
        }
    }

    /**
     * Removes the lock settings state of a user, or queues the removal until third-party apps
     * have started.
     *
     * @param i id of the user being removed
     */
    private void removeUser(int i) {
        synchronized (this.mUserCreationAndRemovalLock) {
            if (!this.mThirdPartyAppsStarted) {
                Slogf.i(TAG, "Delaying locksettings state removal for user %d until third-party apps are started", Integer.valueOf(i));
                final boolean creationPending = this.mEarlyCreatedUsers.indexOfKey(i) >= 0;
                if (creationPending) {
                    // The user was created and removed before any state existed: cancel the creation.
                    this.mEarlyCreatedUsers.delete(i);
                } else {
                    this.mEarlyRemovedUsers.put(i, -1);
                }
                return;
            }
            Slogf.i(TAG, "Removing state for user %d", Integer.valueOf(i));
            removeUserState(i);
        }
    }

    /**
     * Tears down every piece of lock-related state held for a user.
     *
     * <p>The steps run in a fixed order and none of them is wrapped in error handling here, so an
     * exception in an early step leaves the later steps undone.
     *
     * @param i id of the user whose state is removed
     */
    private void removeUserState(int i) {
        // Enrolled fingerprint and face templates.
        removeBiometricsForUser(i);
        // Synthetic password state.
        this.mSpManager.removeUser(getGateKeeperService(), i);
        this.mStrongAuth.removeUser(i);
        AndroidKeyStoreMaintenance.onUserRemoved(i);
        // Cached unified profile password.
        this.mUnifiedProfilePasswordCache.removePassword(i);
        // Secure user id held by the GateKeeper service.
        gateKeeperClearSecureUserId(i);
        // Keystore entries that protect a tied profile's credential.
        removeKeystoreProfileKey(i);
        this.mStorage.removeUser(i);
    }

    /**
     * Deletes the encrypt and decrypt keystore entries that belong to a profile.
     *
     * <p>A {@link KeyStoreException} is logged and not propagated, so a failed deletion can leave
     * the entries in place without the caller noticing.
     *
     * @param i id of the user whose profile key entries are removed
     */
    private void removeKeystoreProfileKey(int i) {
        final String encryptAlias = PROFILE_KEY_NAME_ENCRYPT + i;
        final String decryptAlias = PROFILE_KEY_NAME_DECRYPT + i;
        try {
            final boolean anyPresent = this.mKeyStore.containsAlias(encryptAlias) || this.mKeyStore.containsAlias(decryptAlias);
            if (!anyPresent) {
                return;
            }
            Slogf.i(TAG, "Removing keystore profile key for user %d", Integer.valueOf(i));
            this.mKeyStore.deleteEntry(encryptAlias);
            this.mKeyStore.deleteEntry(decryptAlias);
        } catch (KeyStoreException e) {
            Slogf.e(TAG, e, "Error removing keystore profile key for user %d", Integer.valueOf(i));
        }
    }

    /**
     * Registers a strong auth tracker after checking the caller's password read permission.
     *
     * @param iStrongAuthTracker tracker to register
     */
    @Override // com.android.internal.widget.ILockSettings
    public void registerStrongAuthTracker(IStrongAuthTracker iStrongAuthTracker) {
        checkPasswordReadPermission();
        mStrongAuth.registerStrongAuthTracker(iStrongAuthTracker);
    }

    /**
     * Unregisters a strong auth tracker after checking the caller's password read permission.
     *
     * @param iStrongAuthTracker tracker to unregister
     */
    @Override // com.android.internal.widget.ILockSettings
    public void unregisterStrongAuthTracker(IStrongAuthTracker iStrongAuthTracker) {
        checkPasswordReadPermission();
        mStrongAuth.unregisterStrongAuthTracker(iStrongAuthTracker);
    }

    /**
     * Requires strong authentication for a user; the caller needs write permission.
     *
     * <p>This method is also called from within the service (see {@code doVerifyCredential}),
     * where the permission check applies to whatever calling identity is in effect at that point.
     *
     * @param i strong auth reason flags
     * @param i2 id of the affected user
     */
    @Override // com.android.internal.widget.ILockSettings
    public void requireStrongAuth(int i, int i2) {
        checkWritePermission();
        mStrongAuth.requireStrongAuth(i, i2);
    }

    /**
     * Records a successful biometric unlock; the caller needs the biometric permission.
     *
     * @param z forwarded unchanged (presumably whether the biometric is a strong one; confirm)
     * @param i id of the user that was unlocked
     */
    @Override // com.android.internal.widget.ILockSettings
    public void reportSuccessfulBiometricUnlock(boolean z, int i) {
        checkBiometricPermission();
        mStrongAuth.reportSuccessfulBiometricUnlock(z, i);
    }

    /**
     * Schedules the idle timeout for non-strong biometrics; the caller needs the biometric
     * permission.
     *
     * @param i id of the user the timeout applies to
     */
    @Override // com.android.internal.widget.ILockSettings
    public void scheduleNonStrongBiometricIdleTimeout(int i) {
        checkBiometricPermission();
        mStrongAuth.scheduleNonStrongBiometricIdleTimeout(i);
    }

    /**
     * Reports an unlock for the user to the strong auth component; the caller needs write
     * permission.
     *
     * @param i id of the user that is present
     */
    @Override // com.android.internal.widget.ILockSettings
    public void userPresent(int i) {
        checkWritePermission();
        mStrongAuth.reportUnlock(i);
    }

    /**
     * Returns the strong auth value tracked for a user.
     *
     * <p>The value is read from {@code mStrongAuthTracker}, not from {@code mStrongAuth}, which
     * the neighbouring methods write to.
     *
     * @param i id of the user
     * @return the value reported by the tracker for that user
     */
    @Override // com.android.internal.widget.ILockSettings
    public int getStrongAuthForUser(int i) {
        checkPasswordReadPermission();
        final int strongAuthFlags = mStrongAuthTracker.getStrongAuthForUser(i);
        return strongAuthFlags;
    }

    /**
     * Tells whether the Binder caller runs as uid 2000 or uid 0.
     *
     * <p>Despite the method name, uid 0 is accepted as well as uid 2000.
     *
     * @return {@code true} when the calling uid is 2000 or 0
     */
    private boolean isCallerShell() {
        final int uid = Binder.getCallingUid();
        if (uid == 2000) {
            return true;
        }
        return uid == 0;
    }

    /**
     * Rejects callers that do not pass {@code isCallerShell()}.
     *
     * @throws SecurityException if the caller is not accepted
     */
    private void enforceShell() {
        if (isCallerShell()) {
            return;
        }
        throw new SecurityException("Caller must be shell");
    }

    /**
     * Runs a lock settings shell command for an accepted caller.
     *
     * <p>The caller's pid and uid are captured before the calling identity is cleared and are
     * handed to the command object. Only the first argument is written to the log; the remaining
     * arguments are never logged.
     *
     * @throws SecurityException if the caller fails {@code enforceShell()}
     */
    @Override // android.os.Binder
    public void onShellCommand(FileDescriptor fileDescriptor, FileDescriptor fileDescriptor2, FileDescriptor fileDescriptor3, String[] strArr, ShellCallback shellCallback, ResultReceiver resultReceiver) {
        enforceShell();
        final int callingPid = Binder.getCallingPid();
        final int callingUid = Binder.getCallingUid();
        final String commandName = ArrayUtils.isEmpty(strArr) ? "" : strArr[0];
        Slogf.i(TAG, "Executing shell command '%s'; callingPid=%d, callingUid=%d", commandName, Integer.valueOf(callingPid), Integer.valueOf(callingUid));
        final long identityToken = Binder.clearCallingIdentity();
        try {
            final LockSettingsShellCommand command = new LockSettingsShellCommand(new LockPatternUtils(this.mContext), this.mContext, callingPid, callingUid);
            command.exec(this, fileDescriptor, fileDescriptor2, fileDescriptor3, strArr, shellCallback, resultReceiver);
        } finally {
            Binder.restoreCallingIdentity(identityToken);
        }
    }

    /**
     * Delegates to the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    public void initRecoveryServiceWithSigFile(@NonNull String str, @NonNull byte[] bArr, @NonNull byte[] bArr2) throws RemoteException {
        mRecoverableKeyStoreManager.initRecoveryServiceWithSigFile(str, bArr, bArr2);
    }

    /**
     * Returns the key chain snapshot held by the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    @NonNull
    public KeyChainSnapshot getKeyChainSnapshot() throws RemoteException {
        final KeyChainSnapshot snapshot = mRecoverableKeyStoreManager.getKeyChainSnapshot();
        return snapshot;
    }

    /**
     * Passes the pending intent to the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @param pendingIntent pending intent to hand over, may be {@code null}
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    public void setSnapshotCreatedPendingIntent(@Nullable PendingIntent pendingIntent) throws RemoteException {
        mRecoverableKeyStoreManager.setSnapshotCreatedPendingIntent(pendingIntent);
    }

    /**
     * Passes the server parameters to the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    public void setServerParams(byte[] bArr) throws RemoteException {
        mRecoverableKeyStoreManager.setServerParams(bArr);
    }

    /**
     * Passes a recovery status update to the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    public void setRecoveryStatus(String str, int i) throws RemoteException {
        mRecoverableKeyStoreManager.setRecoveryStatus(str, i);
    }

    /**
     * Returns the recovery status map from the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    @NonNull
    public Map getRecoveryStatus() throws RemoteException {
        final Map statusByAlias = mRecoverableKeyStoreManager.getRecoveryStatus();
        return statusByAlias;
    }

    /**
     * Passes the recovery secret types to the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    public void setRecoverySecretTypes(@NonNull int[] iArr) throws RemoteException {
        mRecoverableKeyStoreManager.setRecoverySecretTypes(iArr);
    }

    /**
     * Returns the recovery secret types from the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    @NonNull
    public int[] getRecoverySecretTypes() throws RemoteException {
        final int[] secretTypes = mRecoverableKeyStoreManager.getRecoverySecretTypes();
        return secretTypes;
    }

    /**
     * Starts a recovery session through the recoverable key store manager.
     *
     * <p>All arguments are forwarded unchanged. NOTE(review): no permission check or argument
     * validation is visible in this wrapper; presumably the manager does both. Confirm.
     *
     * @return the byte array produced by the manager
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    @NonNull
    public byte[] startRecoverySessionWithCertPath(@NonNull String str, @NonNull String str2, @NonNull RecoveryCertPath recoveryCertPath, @NonNull byte[] bArr, @NonNull byte[] bArr2, @NonNull List<KeyChainProtectionParams> list) throws RemoteException {
        final byte[] sessionResult = mRecoverableKeyStoreManager.startRecoverySessionWithCertPath(str, str2, recoveryCertPath, bArr, bArr2, list);
        return sessionResult;
    }

    /**
     * Recovers a key chain snapshot through the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @return the map produced by the manager
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    public Map<String, String> recoverKeyChainSnapshot(@NonNull String str, @NonNull byte[] bArr, @NonNull List<WrappedApplicationKey> list) throws RemoteException {
        final Map<String, String> recovered = mRecoverableKeyStoreManager.recoverKeyChainSnapshot(str, bArr, list);
        return recovered;
    }

    /**
     * Closes a recovery session through the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    public void closeSession(@NonNull String str) throws RemoteException {
        mRecoverableKeyStoreManager.closeSession(str);
    }

    /**
     * Removes a key through the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    public void removeKey(@NonNull String str) throws RemoteException {
        mRecoverableKeyStoreManager.removeKey(str);
    }

    /**
     * Generates a key through the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @return the string produced by the manager, possibly {@code null}
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    @Nullable
    public String generateKey(@NonNull String str) throws RemoteException {
        final String result = mRecoverableKeyStoreManager.generateKey(str);
        return result;
    }

    /**
     * Generates a key with metadata through the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @return the string produced by the manager, possibly {@code null}
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    @Nullable
    public String generateKeyWithMetadata(@NonNull String str, @Nullable byte[] bArr) throws RemoteException {
        final String result = mRecoverableKeyStoreManager.generateKeyWithMetadata(str, bArr);
        return result;
    }

    /**
     * Imports caller-supplied key material through the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check or validation of the key bytes is visible in this
     * wrapper; presumably the manager does both. Confirm.
     *
     * @return the string produced by the manager, possibly {@code null}
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    @Nullable
    public String importKey(@NonNull String str, @NonNull byte[] bArr) throws RemoteException {
        final String result = mRecoverableKeyStoreManager.importKey(str, bArr);
        return result;
    }

    /**
     * Imports caller-supplied key material with metadata through the recoverable key store
     * manager.
     *
     * <p>NOTE(review): no permission check or validation of the key bytes is visible in this
     * wrapper; presumably the manager does both. Confirm.
     *
     * @return the string produced by the manager, possibly {@code null}
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    @Nullable
    public String importKeyWithMetadata(@NonNull String str, @NonNull byte[] bArr, @Nullable byte[] bArr2) throws RemoteException {
        final String result = mRecoverableKeyStoreManager.importKeyWithMetadata(str, bArr, bArr2);
        return result;
    }

    /**
     * Looks up a key through the recoverable key store manager.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @return the string produced by the manager, possibly {@code null}
     * @throws RemoteException propagated from the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    @Nullable
    public String getKey(@NonNull String str) throws RemoteException {
        final String result = mRecoverableKeyStoreManager.getKey(str);
        return result;
    }

    /**
     * Starts a remote lockscreen validation session through the recoverable key store manager,
     * passing this service as the argument.
     *
     * <p>NOTE(review): no permission check is visible in this wrapper; presumably the manager
     * enforces it. Confirm.
     *
     * @return the session created by the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    @NonNull
    public RemoteLockscreenValidationSession startRemoteLockscreenValidation() {
        final RemoteLockscreenValidationSession session = mRecoverableKeyStoreManager.startRemoteLockscreenValidation(this);
        return session;
    }

    /**
     * Validates a remote lockscreen guess through the recoverable key store manager, passing
     * this service as the second argument.
     *
     * <p>NOTE(review): the byte array comes from the Binder caller; no permission check or
     * attempt limiting is visible in this wrapper, so presumably the manager does both. Confirm.
     *
     * @param bArr bytes forwarded unchanged to the manager
     * @return the validation result produced by the manager
     */
    @Override // com.android.internal.widget.ILockSettings
    @NonNull
    public RemoteLockscreenValidationResult validateRemoteLockscreen(@NonNull byte[] bArr) {
        final RemoteLockscreenValidationResult result = mRecoverableKeyStoreManager.validateRemoteLockscreen(bArr, this);
        return result;
    }

    /**
     * Returns the cached GateKeeper service proxy, looking it up on first use.
     *
     * <p>A failure to register the death recipient is logged and the proxy is still cached.
     *
     * @return the service proxy, or {@code null} when the service could not be acquired; callers
     *     that dereference the result without a check will throw in that case
     */
    private synchronized IGateKeeperService getGateKeeperService() {
        if (this.mGateKeeperService == null) {
            final IBinder binder = ServiceManager.waitForService(IGateKeeperService.DESCRIPTOR);
            if (binder == null) {
                Slog.e(TAG, "Unable to acquire GateKeeperService");
                return null;
            }
            try {
                binder.linkToDeath(new GateKeeperDiedRecipient(), 0);
            } catch (RemoteException e) {
                Slog.w(TAG, " Unable to register death recipient", e);
            }
            this.mGateKeeperService = IGateKeeperService.Stub.asInterface(binder);
        }
        return this.mGateKeeperService;
    }

    /**
     * Asks the GateKeeper service to clear the secure user id of a user.
     *
     * <p>A {@link RemoteException} is logged and not propagated, so the caller cannot tell
     * whether the id was actually cleared. {@code getGateKeeperService()} can return
     * {@code null}; that case is not handled here and results in a {@link NullPointerException}.
     *
     * @param i id of the user whose secure user id is cleared
     */
    private void gateKeeperClearSecureUserId(int i) {
        try {
            final IGateKeeperService gateKeeper = getGateKeeperService();
            gateKeeper.clearSecureUserId(i);
        } catch (RemoteException e) {
            Slog.w(TAG, "Failed to clear SID", e);
        }
    }

    /**
     * Handles a newly created synthetic password.
     *
     * @param i id of the user the synthetic password belongs to
     * @param syntheticPassword the new synthetic password
     */
    private void onSyntheticPasswordCreated(int i, SyntheticPasswordManager.SyntheticPassword syntheticPassword) {
        final boolean newlyCreated = true;
        onSyntheticPasswordKnown(i, syntheticPassword, newlyCreated);
    }

    /**
     * Handles a synthetic password that became available through an unlock.
     *
     * @param i id of the user the synthetic password belongs to
     * @param syntheticPassword the unlocked synthetic password
     */
    private void onSyntheticPasswordUnlocked(int i, SyntheticPasswordManager.SyntheticPassword syntheticPassword) {
        final boolean newlyCreated = false;
        onSyntheticPasswordKnown(i, syntheticPassword, newlyCreated);
    }

    /**
     * Forwards a known synthetic password to the reboot escrow manager and to the auth secret
     * path, unless the device runs a GSI.
     *
     * @param i id of the user the synthetic password belongs to
     * @param syntheticPassword the synthetic password
     * @param z {@code true} when the synthetic password was just created, {@code false} when it
     *     was unlocked
     */
    private void onSyntheticPasswordKnown(int i, SyntheticPasswordManager.SyntheticPassword syntheticPassword, boolean z) {
        if (this.mInjector.isGsiRunning()) {
            Slog.w(TAG, "Running in GSI; skipping calls to AuthSecret and RebootEscrow");
            return;
        }
        final byte version = syntheticPassword.getVersion();
        final byte[] rawSyntheticPassword = syntheticPassword.getSyntheticPassword();
        this.mRebootEscrowManager.callToRebootEscrowIfNeeded(i, version, rawSyntheticPassword);
        callToAuthSecretIfNeeded(i, syntheticPassword, z);
    }

    /**
     * Sends the vendor auth secret to the IAuthSecret HAL when the given user qualifies.
     *
     * <p>Nothing happens when no HAL is bound or the user is unknown. In headless system user
     * mode the secret is a random value stored per user and cached in {@code mAuthSecret};
     * otherwise it is derived from the synthetic password of user 0 only. Log lines carry the
     * user id and never the secret.
     *
     * @param i id of the user
     * @param syntheticPassword synthetic password of that user
     * @param z {@code true} when the synthetic password was just created, {@code false} when it
     *     was unlocked
     */
    private void callToAuthSecretIfNeeded(int i, SyntheticPasswordManager.SyntheticPassword syntheticPassword, boolean z) {
        UserInfo userInfo;
        byte[] readVendorAuthSecret;
        if (this.mAuthSecretService == null || (userInfo = this.mInjector.getUserManagerInternal().getUserInfo(i)) == null) {
            return;
        }
        if (this.mInjector.isHeadlessSystemUserMode()) {
            // Headless mode: only full users qualify, and only when the main user is a permanent admin.
            if (!this.mInjector.isMainUserPermanentAdmin() || !userInfo.isFull()) {
                return;
            }
            if (z) {
                if (userInfo.isMain()) {
                    // New main user: generate a fresh 32-byte secret and cache it in memory.
                    Slog.i(TAG, "Generating new vendor auth secret and storing for user: " + i);
                    readVendorAuthSecret = SecureRandomUtils.randomBytes(32);
                    synchronized (this.mHeadlessAuthSecretLock) {
                        this.mAuthSecret = readVendorAuthSecret;
                    }
                } else {
                    // New non-main user: reuse the secret already cached in memory, if any.
                    synchronized (this.mHeadlessAuthSecretLock) {
                        readVendorAuthSecret = this.mAuthSecret;
                    }
                    if (readVendorAuthSecret == null) {
                        Slog.e(TAG, "Creating non-main user " + i + " but vendor auth secret is not in memory");
                        return;
                    }
                }
                // Persist the secret for this user via the synthetic password manager.
                this.mSpManager.writeVendorAuthSecret(readVendorAuthSecret, syntheticPassword, i);
            } else {
                // Unlock: read the stored secret back and refresh the in-memory copy.
                readVendorAuthSecret = this.mSpManager.readVendorAuthSecret(syntheticPassword, i);
                if (readVendorAuthSecret == null) {
                    Slog.e(TAG, "Unable to read vendor auth secret for user: " + i);
                    return;
                } else {
                    synchronized (this.mHeadlessAuthSecretLock) {
                        this.mAuthSecret = readVendorAuthSecret;
                    }
                }
            }
        } else if (i != 0) {
            // Non-headless mode: only user 0 supplies the auth secret.
            return;
        } else {
            readVendorAuthSecret = syntheticPassword.deriveVendorAuthSecret();
        }
        Slog.i(TAG, "Sending vendor auth secret to IAuthSecret HAL as user: " + i);
        try {
            this.mAuthSecretService.setPrimaryUserCredential(readVendorAuthSecret);
        } catch (RemoteException e) {
            // Best effort: a failed HAL call is logged and not retried here.
            Slog.w(TAG, "Failed to send vendor auth secret to IAuthSecret HAL", e);
        }
    }

    /**
     * Creates the initial synthetic password of a user and the state that depends on it.
     *
     * <p>The whole sequence runs under the {@code mSpManager} lock. The first protector is
     * created for the "none" credential, so the new synthetic password is not yet bound to any
     * user-chosen secret.
     *
     * @param i id of the user to initialise
     * @return the newly created synthetic password
     * @throws IllegalStateException if the user already has a current LSKF-based protector
     */
    @VisibleForTesting
    SyntheticPasswordManager.SyntheticPassword initializeSyntheticPassword(int i) {
        SyntheticPasswordManager.SyntheticPassword newSyntheticPassword;
        synchronized (this.mSpManager) {
            Slogf.i(TAG, "Initializing synthetic password for user %d", Integer.valueOf(i));
            // Protector id 0 means "no protector yet"; refuse to replace an existing synthetic password.
            Preconditions.checkState(getCurrentLskfBasedProtectorId(i) == 0, "Cannot reinitialize SP");
            newSyntheticPassword = this.mSpManager.newSyntheticPassword(i);
            setCurrentLskfBasedProtectorId(this.mSpManager.createLskfBasedProtector(getGateKeeperService(), LockscreenCredential.createNone(), newSyntheticPassword, i), i);
            setCeStorageProtection(i, newSyntheticPassword);
            if (FIX_UNLOCKED_DEVICE_REQUIRED_KEYS) {
                initKeystoreSuperKeys(i, newSyntheticPassword, false);
            }
            onSyntheticPasswordCreated(i, newSyntheticPassword);
            Slogf.i(TAG, "Successfully initialized synthetic password for user %d", Integer.valueOf(i));
        }
        return newSyntheticPassword;
    }

    /**
     * Reads the id of the user's current LSKF-based protector from the {@code "sp-handle"}
     * setting.
     *
     * @param i id of the user
     * @return the stored protector id, or {@code 0} when none is stored
     */
    @VisibleForTesting
    long getCurrentLskfBasedProtectorId(int i) {
        final long noProtector = 0L;
        return getLong("sp-handle", noProtector, i);
    }

    /**
     * Records a new current LSKF-based protector id for a user, together with the id it
     * replaces and the wall-clock time of the change.
     *
     * @param j new protector id
     * @param i id of the user
     */
    private void setCurrentLskfBasedProtectorId(long j, int i) {
        // Read the outgoing id before "sp-handle" is overwritten.
        final long previousProtectorId = getCurrentLskfBasedProtectorId(i);
        setLong("sp-handle", j, i);
        setLong(PREV_LSKF_BASED_PROTECTOR_ID_KEY, previousProtectorId, i);
        final long changedAtMillis = System.currentTimeMillis();
        setLong(LSKF_LAST_CHANGED_TIME_KEY, changedAtMillis, i);
    }

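    /**
     * Caches a Gatekeeper password under a fresh random handle and schedules its expiry.
     *
     * <p>The loop in the decompiled listing had lost its exit condition and could never
     * terminate; this restores the evident intent of drawing random handles until one is
     * non-zero and not already in use, then storing the password under it.
     *
     * <p>The handle is the only thing a client needs to use the cached password through
     * {@code verifyGatekeeperPasswordHandle}, so it comes from {@code SecureRandomUtils} and is
     * logged only at expiry, immediately before the entry is removed. Expiry drops the map entry
     * after 600000 ms; the byte array itself is not overwritten here.
     *
     * @param bArr Gatekeeper password bytes to cache; the array is stored, not copied
     * @return the non-zero handle under which the password was stored
     */
    private long storeGatekeeperPasswordTemporarily(byte[] bArr) {
        long handle = 0;
        synchronized (this.mGatekeeperPasswords) {
            // 0 is never handed out, and a handle that is already in use is never reused.
            while (handle == 0 || this.mGatekeeperPasswords.get(handle) != null) {
                handle = SecureRandomUtils.randomLong();
            }
            this.mGatekeeperPasswords.put(handle, bArr);
        }
        final long expiringHandle = handle;
        this.mHandler.postDelayed(() -> {
            synchronized (this.mGatekeeperPasswords) {
                if (this.mGatekeeperPasswords.get(expiringHandle) != null) {
                    Slogf.d(TAG, "Cached Gatekeeper password with handle %016x has expired", Long.valueOf(expiringHandle));
                    this.mGatekeeperPasswords.remove(expiringHandle);
                }
            }
        }, 600000L);
        return handle;
    }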

    /**
     * Applies the side effects of a successful credential verification for a user.
     *
     * <p>The steps run in a fixed order and none of them is wrapped in error handling here.
     *
     * @param syntheticPassword synthetic password unlocked by the verification
     * @param passwordMetrics metrics of the verified credential, or {@code null} to leave the
     *     cached metrics untouched
     * @param i id of the user that was verified
     */
    private void onCredentialVerified(SyntheticPasswordManager.SyntheticPassword syntheticPassword, @Nullable PasswordMetrics passwordMetrics, int i) {
        if (passwordMetrics != null) {
            synchronized (this) {
                this.mUserPasswordMetrics.put(i, passwordMetrics);
            }
        }
        // Keystore first, then credential-encrypted storage, then the user itself.
        unlockKeystore(i, syntheticPassword);
        unlockCeStorage(i, syntheticPassword);
        unlockUser(i);
        activateEscrowTokens(syntheticPassword, i);
        if (isCredentialSharableWithParent(i)) {
            if (getSeparateProfileChallengeEnabledInternal(i)) {
                // Profile with its own challenge: mark the device unlocked for it via TrustManager.
                setDeviceUnlockedForUser(i);
            } else {
                // Profile without a separate challenge: report the unlock to the strong auth component.
                this.mStrongAuth.reportUnlock(i);
            }
        }
        this.mStrongAuth.reportSuccessfulStrongAuthUnlock(i);
        onSyntheticPasswordUnlocked(i, syntheticPassword);
    }

    /**
     * Tells the trust manager that the device is no longer locked for the given user.
     *
     * @param i id of the user
     */
    private void setDeviceUnlockedForUser(int i) {
        final TrustManager trustManager = (TrustManager) this.mContext.getSystemService(TrustManager.class);
        trustManager.setDeviceLockedForUser(i, false);
    }

    /**
     * Changes a user's lockscreen credential, given the user's synthetic password.
     *
     * <p>A new LSKF-based protector is created for the new credential before any existing state
     * is touched, and the previous protector is destroyed only at the end. The log line records
     * the user id and the credential type, not the credential value.
     *
     * @param lockscreenCredential the new credential; may be the "none" credential
     * @param syntheticPassword synthetic password of the user
     * @param i id of the user
     * @return id of the newly created protector
     */
    @GuardedBy({"mSpManager"})
    private long setLockCredentialWithSpLocked(LockscreenCredential lockscreenCredential, SyntheticPasswordManager.SyntheticPassword syntheticPassword, int i) {
        Map<Integer, LockscreenCredential> decryptedPasswordsForAllTiedProfiles;
        Slogf.i(TAG, "Changing lockscreen credential of user %d; newCredentialType=%s\n", Integer.valueOf(i), LockPatternUtils.credentialTypeToString(lockscreenCredential.getType()));
        int credentialTypeInternal = getCredentialTypeInternal(i);
        long currentLskfBasedProtectorId = getCurrentLskfBasedProtectorId(i);
        long createLskfBasedProtector = this.mSpManager.createLskfBasedProtector(getGateKeeperService(), lockscreenCredential, syntheticPassword, i);
        if (lockscreenCredential.isNone()) {
            // Credential removed: collect the tied profiles' credentials first, then drop the
            // SID, unlock storage and keystore, and remove the user's biometrics.
            decryptedPasswordsForAllTiedProfiles = getDecryptedPasswordsForAllTiedProfiles(i);
            this.mSpManager.clearSidForUser(i);
            gateKeeperClearSecureUserId(i);
            unlockCeStorage(i, syntheticPassword);
            unlockKeystore(i, syntheticPassword);
            if (FIX_UNLOCKED_DEVICE_REQUIRED_KEYS) {
                AndroidKeyStoreMaintenance.onUserLskfRemoved(i);
            } else {
                setKeystorePassword(null, i);
            }
            removeBiometricsForUser(i);
        } else {
            decryptedPasswordsForAllTiedProfiles = null;
            // Credential set: a SID is created only if the user does not have one yet.
            if (!this.mSpManager.hasSidForUser(i)) {
                this.mSpManager.newSidForUser(getGateKeeperService(), syntheticPassword, i);
                this.mSpManager.verifyChallenge(getGateKeeperService(), syntheticPassword, 0L, i);
                if (!FIX_UNLOCKED_DEVICE_REQUIRED_KEYS) {
                    setKeystorePassword(syntheticPassword.deriveKeyStorePassword(), i);
                }
            }
        }
        setCurrentLskfBasedProtectorId(createLskfBasedProtector, i);
        LockPatternUtils.invalidateCredentialTypeCache();
        synchronizeUnifiedChallengeForProfiles(i, decryptedPasswordsForAllTiedProfiles);
        setUserPasswordMetrics(lockscreenCredential, i);
        this.mUnifiedProfilePasswordCache.removePassword(i);
        // -1 is compared as the "no credential" type: weak token protectors are destroyed only
        // when the user had a credential before this change.
        if (credentialTypeInternal != -1) {
            this.mSpManager.destroyAllWeakTokenBasedProtectors(i);
        }
        if (decryptedPasswordsForAllTiedProfiles != null) {
            // Wipe the decrypted profile credentials once they are no longer needed.
            // NOTE(review): this is not in a finally block, so an exception thrown earlier in
            // the method leaves these credentials un-zeroized.
            Iterator<Map.Entry<Integer, LockscreenCredential>> it = decryptedPasswordsForAllTiedProfiles.entrySet().iterator();
            while (it.hasNext()) {
                it.next().getValue().zeroize();
            }
        }
        // The old protector is destroyed last, after the new one has been recorded.
        this.mSpManager.destroyLskfBasedProtector(currentLskfBasedProtectorId, i);
        Slogf.i(TAG, "Successfully changed lockscreen credential of user %d", Integer.valueOf(i));
        return createLskfBasedProtector;
    }

    /**
     * Broadcasts that the main user's lockscreen knowledge factor changed, when FRP enforcement
     * is enabled and the given user is the main user.
     *
     * <p>Delivery is restricted to receivers holding
     * {@code android.permission.CONFIGURE_FACTORY_RESET_PROTECTION}.
     *
     * @param i id of the user whose credential changed
     */
    private void sendMainUserCredentialChangedNotificationIfNeeded(int i) {
        if (!Flags.frpEnforcement()) {
            return;
        }
        if (i != this.mInjector.getUserManagerInternal().getMainUserId()) {
            return;
        }
        final Intent intent = new Intent("android.intent.action.MAIN_USER_LOCKSCREEN_KNOWLEDGE_FACTOR_CHANGED");
        sendBroadcast(intent, UserHandle.of(i), "android.permission.CONFIGURE_FACTORY_RESET_PROTECTION");
    }

    /**
     * Sends a broadcast as the given user, limited to receivers that hold a permission.
     *
     * @param intent intent to broadcast
     * @param userHandle user to send the broadcast as
     * @param str permission a receiver must hold to get the broadcast
     */
    @VisibleForTesting
    void sendBroadcast(Intent intent, UserHandle userHandle, String str) {
        final Bundle noOptions = null;
        this.mContext.sendBroadcastAsUser(intent, userHandle, str, noOptions);
    }

    /**
     * Removes every enrolled fingerprint and then every enrolled face of a user.
     *
     * @param i id of the user whose biometrics are removed
     */
    private void removeBiometricsForUser(int i) {
        final int userId = i;
        removeAllFingerprintForUser(userId);
        removeAllFaceForUser(userId);
    }

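    /**
     * Removes every enrolled fingerprint of a user and waits a bounded time for completion.
     *
     * <p>The result of the wait used to be discarded, so a removal that had not finished within
     * the timeout left no trace in the log even though templates could still be enrolled. A
     * timeout is now logged as a warning; the method still returns normally in that case.
     *
     * @param i id of the user whose fingerprints are removed
     */
    private void removeAllFingerprintForUser(int i) {
        FingerprintManager fingerprintManager = this.mInjector.getFingerprintManager();
        if (fingerprintManager == null || !fingerprintManager.isHardwareDetected() || !fingerprintManager.hasEnrolledFingerprints(i)) {
            return;
        }
        CountDownLatch removalDone = new CountDownLatch(1);
        fingerprintManager.removeAll(i, fingerprintManagerRemovalCallback(removalDone));
        try {
            // NOTE(review): the constant name was substituted by the decompiler; only its
            // numeric value is used here as the wait in milliseconds.
            if (!removalDone.await(JobStatus.DEFAULT_TRIGGER_UPDATE_DELAY, TimeUnit.MILLISECONDS)) {
                Slog.w(TAG, "Timed out waiting for fingerprint removal for user " + i);
            }
        } catch (InterruptedException e) {
            // The interrupt status is not restored here, matching the existing behaviour.
            Slog.e(TAG, "Latch interrupted when removing fingerprint", e);
        }
    }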

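    /**
     * Removes every enrolled face template of a user and waits a bounded time for completion.
     *
     * <p>The result of the wait used to be discarded, so a removal that had not finished within
     * the timeout left no trace in the log even though templates could still be enrolled. A
     * timeout is now logged as a warning; the method still returns normally in that case.
     *
     * @param i id of the user whose face templates are removed
     */
    private void removeAllFaceForUser(int i) {
        FaceManager faceManager = this.mInjector.getFaceManager();
        if (faceManager == null || !faceManager.isHardwareDetected() || !faceManager.hasEnrolledTemplates(i)) {
            return;
        }
        CountDownLatch removalDone = new CountDownLatch(1);
        faceManager.removeAll(i, faceManagerRemovalCallback(removalDone));
        try {
            // NOTE(review): the constant name was substituted by the decompiler; only its
            // numeric value is used here as the wait in milliseconds.
            if (!removalDone.await(JobStatus.DEFAULT_TRIGGER_UPDATE_DELAY, TimeUnit.MILLISECONDS)) {
                Slog.w(TAG, "Timed out waiting for face removal for user " + i);
            }
        } catch (InterruptedException e) {
            // The interrupt status is not restored here, matching the existing behaviour.
            Slog.e(TAG, "Latch interrupted when removing face", e);
        }
    }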

    /**
     * Builds a fingerprint removal callback that releases the latch when removal ends.
     *
     * <p>The latch is released on an error, and on a success callback whose integer argument is
     * {@code 0} (presumably the number of templates still to be removed).
     *
     * @param countDownLatch latch the waiting caller blocks on
     * @return the callback to pass to {@code FingerprintManager.removeAll}
     */
    private FingerprintManager.RemovalCallback fingerprintManagerRemovalCallback(final CountDownLatch countDownLatch) {
        return new FingerprintManager.RemovalCallback() {
            @Override // android.hardware.fingerprint.FingerprintManager.RemovalCallback
            public void onRemovalSucceeded(Fingerprint fingerprint, int i) {
                if (i != 0) {
                    return;
                }
                countDownLatch.countDown();
            }

            @Override // android.hardware.fingerprint.FingerprintManager.RemovalCallback
            public void onRemovalError(@Nullable Fingerprint fingerprint, int i, CharSequence charSequence) {
                final String message = "Unable to remove fingerprint, error: " + charSequence;
                Slog.e(LockSettingsService.TAG, message);
                countDownLatch.countDown();
            }
        };
    }

    /**
     * Builds the callback passed to face removal; it releases the given latch once the removal
     * has finished or failed.
     *
     * @param countDownLatch latch counted down when the last removal is reported (second callback
     *     argument equal to 0) or when an error is reported
     * @return a new removal callback bound to {@code countDownLatch}
     */
    private FaceManager.RemovalCallback faceManagerRemovalCallback(final CountDownLatch countDownLatch) {
        return new FaceManager.RemovalCallback() {
            @Override
            public void onRemovalSucceeded(Face removed, int remaining) {
                // Intermediate successes keep the waiter blocked; only the final one releases it.
                if (remaining != 0) {
                    return;
                }
                countDownLatch.countDown();
            }

            @Override
            public void onRemovalError(@Nullable Face failed, int errorCode, CharSequence message) {
                // An error also releases the waiter, so the caller cannot tell failure from success.
                Slog.e(LockSettingsService.TAG, "Unable to remove face, error: " + message);
                countDownLatch.countDown();
            }
        };
    }

    /*  JADX ERROR: NullPointerException in pass: AttachTryCatchVisitor
        java.lang.NullPointerException
        */
    /**
     * Returns the password-history hash factor for a user. The decompiler did not recover this
     * method's body.
     *
     * <p>As listed here the method throws {@link UnsupportedOperationException} unconditionally;
     * the register dump in the body comment is the only record of the intended logic. Read from
     * that dump:
     * <ol>
     *   <li>{@code checkPasswordReadPermission()} runs before anything else.</li>
     *   <li>For a profile with unified lock, the supplied credential is replaced by the result of
     *       {@code getDecryptedPasswordForTiedProfile}; if that throws, the failure is logged and
     *       {@code null} is returned.</li>
     *   <li>While holding the {@code mSpManager} monitor, the LSKF-based protector is unlocked
     *       with the credential. A null synthetic password is logged as an incorrect credential
     *       and yields {@code null}; otherwise the result of {@code derivePasswordHashFactor()}
     *       is returned.</li>
     *   <li>{@code scheduleGc()} is called on every exit path, including the exceptional ones.</li>
     * </ol>
     *
     * @param r9 current credential (replaced for unified-lock profiles, see above)
     * @param r10 user ID
     * @return per the dump, the derived hash factor or {@code null}; this listing never returns
     * @throws UnsupportedOperationException always, in this decompiled form
     */
    @Override // com.android.internal.widget.ILockSettings
    public byte[] getHashFactor(com.android.internal.widget.LockscreenCredential r9, int r10) {
        /*
            r8 = this;
            r0 = r8
            r0.checkPasswordReadPermission()
            java.lang.String r0 = "LockSettingsService"
            java.lang.String r1 = "Getting password history hash factor for user %d"
            r2 = 1
            java.lang.Object[] r2 = new java.lang.Object[r2]
            r3 = r2
            r4 = 0
            r5 = r10
            java.lang.Integer r5 = java.lang.Integer.valueOf(r5)
            r3[r4] = r5
            com.android.server.utils.Slogf.d(r0, r1, r2)
            r0 = r8
            r1 = r10
            boolean r0 = r0.isProfileWithUnifiedLock(r1)
            if (r0 == 0) goto L3d
            r0 = r8     // Catch: java.lang.Exception -> L28
            r1 = r10     // Catch: java.lang.Exception -> L28
            com.android.internal.widget.LockscreenCredential r0 = r0.getDecryptedPasswordForTiedProfile(r1)     // Catch: java.lang.Exception -> L28
            r9 = r0     // Catch: java.lang.Exception -> L28
            goto L3d     // Catch: java.lang.Exception -> L28
        L28:
            r11 = move-exception
            java.lang.String r0 = "LockSettingsService"
            java.lang.String r1 = "Failed to get unified profile password"
            r2 = r11
            int r0 = android.util.Slog.e(r0, r1, r2)
            r0 = 0
            r12 = r0
            r0 = r8
            r0.scheduleGc()
            r0 = r12
            return r0
            r0 = r8     // Catch: java.lang.Throwable -> L94
            com.android.server.locksettings.SyntheticPasswordManager r0 = r0.mSpManager     // Catch: java.lang.Throwable -> L94
            r1 = r0     // Catch: java.lang.Throwable -> L94
            r11 = r1     // Catch: java.lang.Throwable -> L94
            monitor-enter(r0)     // Catch: java.lang.Throwable -> L94
            r0 = r8     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r1 = r10     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            long r0 = r0.getCurrentLskfBasedProtectorId(r1)     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r12 = r0     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r0 = r8     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            com.android.server.locksettings.SyntheticPasswordManager r0 = r0.mSpManager     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r1 = r8     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            android.service.gatekeeper.IGateKeeperService r1 = r1.getGateKeeperService()     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r2 = r12     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r3 = r9     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r4 = r10     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r5 = 0     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            com.android.server.locksettings.SyntheticPasswordManager$AuthenticationResult r0 = r0.unlockLskfBasedProtector(r1, r2, r3, r4, r5)     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r14 = r0     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r0 = r14     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            com.android.server.locksettings.SyntheticPasswordManager$SyntheticPassword r0 = r0.syntheticPassword     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            if (r0 != 0) goto L7a     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            java.lang.String r0 = "LockSettingsService"     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            java.lang.String r1 = "Current credential is incorrect"     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            int r0 = android.util.Slog.w(r0, r1)     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r0 = 0     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r15 = r0     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r0 = r11     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            monitor-exit(r0)     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r0 = r8     // Catch: java.lang.Throwable -> L8d java.lang.Throwable -> L94
            r0.scheduleGc()
            r0 = r15
            return r0
            r0 = r14
            com.android.server.locksettings.SyntheticPasswordManager$SyntheticPassword r0 = r0.syntheticPassword
            byte[] r0 = r0.derivePasswordHashFactor()
            r15 = r0
            r0 = r11
            monitor-exit(r0)
            r0 = r8
            r0.scheduleGc()
            r0 = r15
            return r0
        L8d:
            r16 = move-exception
            r0 = r11
            monitor-exit(r0)
            r0 = r16
            throw r0
        L94:
            r17 = move-exception
            r0 = r8
            r0.scheduleGc()
            r0 = r17
            throw r0
        */
        throw new UnsupportedOperationException("Method not decompiled: com.android.server.locksettings.LockSettingsService.getHashFactor(com.android.internal.widget.LockscreenCredential, int):byte[]");
    }

    /**
     * Registers an escrow token for a user and returns its handle.
     *
     * <p>When the user is not secure, the synthetic password is unlocked with the "none"
     * credential and the token is activated immediately. Otherwise the token stays pending. Only
     * the handle is logged; the token bytes are not.
     *
     * @param bArr escrow token bytes
     * @param i value passed through to {@code addPendingToken} (meaning not visible here)
     * @param i2 user ID
     * @param escrowTokenStateChangeCallback callback passed through to {@code addPendingToken}
     * @return handle of the newly added token
     * @throws SecurityException if the user has no escrow data after the managed-device check
     */
    private long addEscrowToken(@NonNull byte[] bArr, int i, int i2, @NonNull LockPatternUtils.EscrowTokenStateChangeCallback escrowTokenStateChangeCallback) {
        Slogf.i(TAG, "Adding escrow token for user %d", Integer.valueOf(i2));
        synchronized (this.mSpManager) {
            // Unlock before the escrow-data checks, mirroring the statement order callers rely on.
            final SyntheticPasswordManager.SyntheticPassword unlockedSp = isUserSecure(i2)
                    ? null
                    : this.mSpManager.unlockLskfBasedProtector(getGateKeeperService(), getCurrentLskfBasedProtectorId(i2), LockscreenCredential.createNone(), i2, null).syntheticPassword;
            disableEscrowTokenOnNonManagedDevicesIfNeeded(i2);
            if (!this.mSpManager.hasEscrowData(i2)) {
                throw new SecurityException("Escrow token is disabled on the current user");
            }
            final long handle = this.mSpManager.addPendingToken(bArr, i, i2, escrowTokenStateChangeCallback);
            if (unlockedSp == null) {
                Slogf.i(TAG, "Escrow token %016x will be activated when user is unlocked", Long.valueOf(handle));
            } else {
                Slogf.i(TAG, "Immediately activating escrow token %016x", Long.valueOf(handle));
                this.mSpManager.createTokenBasedProtector(handle, unlockedSp, i2);
            }
            return handle;
        }
    }

    /**
     * Activates every pending escrow token of a user by creating a token-based protector for it.
     *
     * <p>The managed-device check runs first, under the same {@code mSpManager} lock.
     *
     * @param syntheticPassword unlocked synthetic password used to create the protectors
     * @param i user ID
     */
    private void activateEscrowTokens(SyntheticPasswordManager.SyntheticPassword syntheticPassword, int i) {
        synchronized (this.mSpManager) {
            disableEscrowTokenOnNonManagedDevicesIfNeeded(i);
            for (long handle : this.mSpManager.getPendingTokensForUser(i)) {
                Slogf.i(TAG, "Activating escrow token %016x for user %d", Long.valueOf(handle), Integer.valueOf(i));
                this.mSpManager.createTokenBasedProtector(handle, syntheticPassword, i);
            }
        }
    }

    /**
     * Reports whether a protector exists for the given token handle and user.
     *
     * @param j escrow token handle
     * @param i user ID
     * @return result of {@code mSpManager.protectorExists}, read under the {@code mSpManager} lock
     */
    private boolean isEscrowTokenActive(long j, int i) {
        synchronized (this.mSpManager) {
            return this.mSpManager.protectorExists(j, i);
        }
    }

    /**
     * Reports whether the user has at least one pending escrow token.
     *
     * <p>The password-read permission check runs before any state is read.
     *
     * @param i user ID
     * @return {@code true} if the pending-token collection for the user is non-empty
     */
    @Override // com.android.internal.widget.ILockSettings
    public boolean hasPendingEscrowToken(int i) {
        checkPasswordReadPermission();
        synchronized (this.mSpManager) {
            final boolean nonePending = this.mSpManager.getPendingTokensForUser(i).isEmpty();
            return !nonePending;
        }
    }

    /**
     * Removes an escrow token, whether it is still pending or already activated.
     *
     * <p>A handle equal to the user's current LSKF-based protector ID is refused, so this path
     * cannot destroy the LSKF-based protector.
     *
     * @param j escrow token handle
     * @param i user ID
     * @return {@code true} if a pending token was removed or a token-based protector destroyed;
     *     {@code false} if the handle was refused or unknown
     */
    private boolean removeEscrowToken(long j, int i) {
        synchronized (this.mSpManager) {
            if (j == getCurrentLskfBasedProtectorId(i)) {
                Slog.w(TAG, "Escrow token handle equals LSKF-based protector ID");
                return false;
            }
            // Pending tokens are tried first; an activated token is destroyed only otherwise.
            if (this.mSpManager.removePendingToken(j, i)) {
                return true;
            }
            final boolean activated = this.mSpManager.protectorExists(j, i);
            if (activated) {
                this.mSpManager.destroyTokenBasedProtector(j, i);
            }
            return activated;
        }
    }

    /**
     * Sets a user's lockscreen credential, authorised by an escrow token instead of the current
     * credential.
     *
     * <p>The new credential is validated first. Under the {@code mSpManager} lock the method then
     * requires escrow data to exist and the token to be active before attempting the change. On
     * success the separate profile challenge is enabled, the user is unlocked asynchronously if
     * the new credential is "none", and change notifications are sent.
     *
     * @param lockscreenCredential new credential
     * @param j escrow token handle
     * @param bArr escrow token bytes
     * @param i user ID
     * @return {@code true} if the credential was changed
     * @throws SecurityException if the user has no escrow data
     */
    private boolean setLockCredentialWithToken(LockscreenCredential lockscreenCredential, long j, byte[] bArr, int i) {
        lockscreenCredential.validateBasicRequirements();
        synchronized (this.mSpManager) {
            if (!this.mSpManager.hasEscrowData(i)) {
                throw new SecurityException("Escrow token is disabled on the current user");
            }
            if (!isEscrowTokenActive(j, i)) {
                Slog.e(TAG, "Unknown or unactivated token: " + Long.toHexString(j));
                return false;
            }
            if (!setLockCredentialWithTokenInternalLocked(lockscreenCredential, j, bArr, i)) {
                return false;
            }
            synchronized (this.mSeparateChallengeLock) {
                setSeparateProfileChallengeEnabledLocked(i, true, null);
            }
            if (lockscreenCredential.isNone()) {
                // Posted to the handler so the unlock does not run while mSpManager is held here.
                this.mHandler.post(() -> unlockUser(i));
            }
            notifyPasswordChanged(lockscreenCredential, i);
            notifySeparateProfileChallengeChanged(i);
            return true;
        }
    }

    /**
     * Unlocks the synthetic password with an escrow token and, if that succeeds, sets the new
     * credential. Must be called with {@code mSpManager} held.
     *
     * <p>Two conditions are required: the token must decrypt a synthetic password, and the
     * GateKeeper response code must be 0. A token that decrypts but fails the second check is
     * treated as obsolete.
     *
     * @param lockscreenCredential new credential
     * @param j escrow token handle
     * @param bArr escrow token bytes
     * @param i user ID
     * @return {@code true} if the credential was set
     */
    @GuardedBy({"mSpManager"})
    private boolean setLockCredentialWithTokenInternalLocked(LockscreenCredential lockscreenCredential, long j, byte[] bArr, int i) {
        Slogf.i(TAG, "Resetting lockscreen credential of user %d using escrow token %016x", Integer.valueOf(i), Long.valueOf(j));
        final SyntheticPasswordManager.AuthenticationResult auth =
                this.mSpManager.unlockTokenBasedProtector(getGateKeeperService(), j, bArr, i);
        final SyntheticPasswordManager.SyntheticPassword sp = auth.syntheticPassword;
        if (sp == null) {
            Slog.w(TAG, "Invalid escrow token supplied");
            return false;
        }
        final boolean gkVerified = auth.gkResponse.getResponseCode() == 0;
        if (!gkVerified) {
            Slog.e(TAG, "Obsolete token: synthetic password decrypted but it fails GK verification.");
            return false;
        }
        onSyntheticPasswordUnlocked(i, sp);
        setLockCredentialWithSpLocked(lockscreenCredential, sp, i);
        return true;
    }

    /**
     * Unlocks a user with an escrow token.
     *
     * <p>Returns {@code false} when the user has no escrow data or the token does not decrypt a
     * synthetic password. Only the synthetic password being non-null is checked here; the
     * GateKeeper response code is not inspected in this method.
     *
     * @param j escrow token handle
     * @param bArr escrow token bytes
     * @param i user ID
     * @return {@code true} if the synthetic password was unlocked and the verified-credential
     *     handling ran
     */
    private boolean unlockUserWithToken(long j, byte[] bArr, int i) {
        synchronized (this.mSpManager) {
            Slogf.i(TAG, "Unlocking user %d using escrow token %016x", Integer.valueOf(i), Long.valueOf(j));
            if (!this.mSpManager.hasEscrowData(i)) {
                Slogf.w(TAG, "Escrow token support is disabled on user %d", Integer.valueOf(i));
                return false;
            }
            final SyntheticPasswordManager.SyntheticPassword sp =
                    this.mSpManager.unlockTokenBasedProtector(getGateKeeperService(), j, bArr, i).syntheticPassword;
            if (sp == null) {
                Slog.w(TAG, "Invalid escrow token supplied");
                return false;
            }
            Slogf.i(TAG, "Unlocked synthetic password for user %d using escrow token", Integer.valueOf(i));
            onCredentialVerified(sp, loadPasswordMetrics(sp, i), i);
            return true;
        }
    }

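    /**
     * Tries to verify a user's credential using the cached unified-profile password.
     *
     * <p>The password-read permission check runs first. The cached credential is closed on every
     * path once verification has been attempted. This is written as try-with-resources in place
     * of the decompiler's expansion, which contained an unreachable close in the null branch and
     * would call {@code close()} a second time if the first close threw.
     *
     * @param i user ID
     * @return {@code true} if a cached credential exists and verification returns response code 0
     *     (presumably the success code — confirm against the response type); {@code false}
     *     otherwise
     */
    @Override // com.android.internal.widget.ILockSettings
    public boolean tryUnlockWithCachedUnifiedChallenge(int i) {
        checkPasswordReadPermission();
        // A null resource is legal in try-with-resources; close() is simply skipped for it.
        try (LockscreenCredential cached = this.mUnifiedProfilePasswordCache.retrievePassword(i)) {
            if (cached == null) {
                return false;
            }
            return doVerifyCredential(cached, i, null, 0).getResponseCode() == 0;
        }
    }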

    /**
     * Drops the cached unified-profile password for a user.
     *
     * <p>The write permission check runs before the cache is touched.
     *
     * @param i user ID whose cached password is removed
     */
    @Override // com.android.internal.widget.ILockSettings
    public void removeCachedUnifiedChallenge(int i) {
        checkWritePermission();
        final int userId = i;
        this.mUnifiedProfilePasswordCache.removePassword(userId);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Formats an epoch-millisecond timestamp as {@code yyyy-MM-dd HH:mm:ss}.
     *
     * <p>A new formatter is created per call; it uses the JVM's default time zone and locale.
     *
     * @param j milliseconds since the epoch
     * @return the formatted timestamp
     */
    public static String timestampToString(long j) {
        final SimpleDateFormat formatter = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
        final Date moment = new Date(j);
        return formatter.format(moment);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Writes the service's diagnostic state to {@code printWriter}.
     *
     * <p>Nothing is written unless {@code DumpUtils.checkDumpPermission} accepts the caller. The
     * dump itself runs with the calling identity cleared, and the identity is restored afterwards
     * whether or not the dump throws.
     *
     * @param fileDescriptor unused by this method
     * @param printWriter destination of the dump
     * @param strArr unused by this method
     */
    @Override // android.os.Binder
    public void dump(FileDescriptor fileDescriptor, PrintWriter printWriter, String[] strArr) {
        if (!DumpUtils.checkDumpPermission(this.mContext, TAG, printWriter)) {
            return;
        }
        final long callerIdentity = Binder.clearCallingIdentity();
        try {
            dumpInternal(printWriter);
        } finally {
            Binder.restoreCallingIdentity(callerIdentity);
        }
    }

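    /**
     * Prints the lock settings state: a per-user section followed by keystore aliases, storage,
     * strong-auth and reboot-escrow state, and two counters.
     *
     * <p>The per-user section prints identifiers and metadata only: protector IDs, the
     * LSKF-changed timestamp, the secure user ID, quality, credential type, and whether password
     * metrics are known. No credential value is printed by this method itself. What the delegated
     * {@code dump} calls print is not visible here.
     *
     * <p>A failure to read the secure user ID is reported in the dump and logged, matching how
     * keystore alias failures are reported, instead of being silently skipped.
     *
     * @param printWriter destination of the dump
     */
    private void dumpInternal(PrintWriter printWriter) {
        IndentingPrintWriter indentingPrintWriter = new IndentingPrintWriter(printWriter, "  ");
        indentingPrintWriter.println("Current lock settings service state:");
        indentingPrintWriter.println();
        indentingPrintWriter.println("User State:");
        indentingPrintWriter.increaseIndent();
        List<UserInfo> users = this.mUserManager.getUsers();
        for (UserInfo user : users) {
            final int userId = user.id;
            indentingPrintWriter.println("User " + userId);
            indentingPrintWriter.increaseIndent();
            // Protector state is read under the same lock the mutating paths hold.
            synchronized (this.mSpManager) {
                indentingPrintWriter.println(TextUtils.formatSimple("LSKF-based SP protector ID: %016x", Long.valueOf(getCurrentLskfBasedProtectorId(userId))));
                indentingPrintWriter.println(TextUtils.formatSimple("LSKF last changed: %s (previous protector: %016x)", timestampToString(getLong(LSKF_LAST_CHANGED_TIME_KEY, 0L, userId)), Long.valueOf(getLong(PREV_LSKF_BASED_PROTECTOR_ID_KEY, 0L, userId))));
            }
            try {
                indentingPrintWriter.println(TextUtils.formatSimple("SID: %016x", Long.valueOf(getGateKeeperService().getSecureUserId(userId))));
            } catch (RemoteException e) {
                // Keep dumping the remaining fields, but leave a trace that the SID was unavailable.
                indentingPrintWriter.println("Unable to get SID: " + e.toString());
                Slog.d(TAG, "Dump error", e);
            }
            indentingPrintWriter.println("Quality: " + getKeyguardStoredQuality(userId));
            indentingPrintWriter.println("CredentialType: " + LockPatternUtils.credentialTypeToString(getCredentialTypeInternal(userId)));
            indentingPrintWriter.println("SeparateChallenge: " + getSeparateProfileChallengeEnabledInternal(userId));
            // Only whether metrics are known is printed, never the metrics themselves.
            indentingPrintWriter.println(TextUtils.formatSimple("Metrics: %s", getUserPasswordMetrics(userId) != null ? "known" : "unknown"));
            indentingPrintWriter.decreaseIndent();
        }
        indentingPrintWriter.println();
        indentingPrintWriter.decreaseIndent();
        indentingPrintWriter.println("Keys in namespace:");
        indentingPrintWriter.increaseIndent();
        dumpKeystoreKeys(indentingPrintWriter);
        indentingPrintWriter.println();
        indentingPrintWriter.decreaseIndent();
        indentingPrintWriter.println("Storage:");
        indentingPrintWriter.increaseIndent();
        this.mStorage.dump(indentingPrintWriter);
        indentingPrintWriter.println();
        indentingPrintWriter.decreaseIndent();
        indentingPrintWriter.println("StrongAuth:");
        indentingPrintWriter.increaseIndent();
        this.mStrongAuth.dump(indentingPrintWriter);
        indentingPrintWriter.println();
        indentingPrintWriter.decreaseIndent();
        indentingPrintWriter.println("RebootEscrow:");
        indentingPrintWriter.increaseIndent();
        this.mRebootEscrowManager.dump(indentingPrintWriter);
        indentingPrintWriter.println();
        indentingPrintWriter.decreaseIndent();
        indentingPrintWriter.println("PasswordHandleCount: " + this.mGatekeeperPasswords.size());
        synchronized (this.mUserCreationAndRemovalLock) {
            indentingPrintWriter.println("ThirdPartyAppsStarted: " + this.mThirdPartyAppsStarted);
        }
    }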

    /**
     * Prints every alias held by {@code mKeyStore}, one per line.
     *
     * <p>Only alias names are printed. If the aliases cannot be listed, the failure is written to
     * the dump and logged at debug level.
     *
     * @param indentingPrintWriter destination of the dump
     */
    private void dumpKeystoreKeys(IndentingPrintWriter indentingPrintWriter) {
        try {
            for (Enumeration<String> names = this.mKeyStore.aliases(); names.hasMoreElements(); ) {
                final String alias = names.nextElement();
                indentingPrintWriter.println(alias);
            }
        } catch (KeyStoreException e) {
            indentingPrintWriter.println("Unable to get keys: " + e);
            Slog.d(TAG, "Dump error", e);
        }
    }

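    /**
     * Permanently destroys a user's escrow data unless the user or device is managed.
     *
     * <p>Escrow data is kept when the user has none to begin with, when the management checks say
     * the user or device is managed, when the device is not yet provisioned (the decision is
     * postponed), or on automotive devices. In every other case {@code destroyEscrowData} is
     * called.
     *
     * <p>The management checks run with the calling identity cleared. The identity is restored in
     * a single {@code finally} scoped to those checks. The decompiled form repeated the restore on
     * each exit and again in a catch that also covered code running after the restore.
     *
     * <p>The callers visible in this file invoke this while holding {@code mSpManager}.
     *
     * @param i user ID
     */
    private void disableEscrowTokenOnNonManagedDevicesIfNeeded(int i) {
        if (!this.mSpManager.hasAnyEscrowData(i)) {
            return;
        }
        final long callerIdentity = Binder.clearCallingIdentity();
        try {
            if (!DeviceConfig.getBoolean("device_policy_manager", "deprecate_usermanagerinternal_devicepolicy", true)) {
                UserManagerInternal userManagerInternal = this.mInjector.getUserManagerInternal();
                if (userManagerInternal.isUserManaged(i)) {
                    Slog.i(TAG, "Managed profile can have escrow token");
                    return;
                }
                if (userManagerInternal.isDeviceManaged()) {
                    Slog.i(TAG, "Corp-owned device can have escrow token");
                    return;
                }
            } else if (this.mInjector.getDeviceStateCache().isUserOrganizationManaged(i)) {
                Slog.i(TAG, "Organization managed users can have escrow token");
                return;
            }
        } finally {
            Binder.restoreCallingIdentity(callerIdentity);
        }
        // From here on the original calling identity is back in effect.
        if (!this.mInjector.getDeviceStateCache().isDeviceProvisioned()) {
            Slog.i(TAG, "Postpone disabling escrow tokens until device is provisioned");
            return;
        }
        if (this.mContext.getPackageManager().hasSystemFeature("android.hardware.type.automotive")) {
            return;
        }
        Slogf.i(TAG, "Permanently disabling support for escrow tokens on user %d", Integer.valueOf(i));
        this.mSpManager.destroyEscrowData(i);
    }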

    /**
     * Posts a task to {@code mHandler}, delayed by 2000 ms, that requests garbage collection,
     * runs finalization, and requests collection again.
     *
     * <p>NOTE(review): presumably intended to shorten how long credential-derived buffers stay on
     * the heap after they are dropped — confirm intent. {@code System.gc()} is a request, not a
     * guarantee, so this must not be relied on as the mechanism that erases secrets.
     */
    private void scheduleGc() {
        final Runnable collectTwice = () -> {
            System.gc();
            System.runFinalization();
            System.gc();
        };
        this.mHandler.postDelayed(collectTwice, 2000L);
    }
}
