package com.android.server.locksettings;

import android.annotation.NonNull;
import android.annotation.Nullable;
import android.app.admin.PasswordMetrics;
import android.content.Context;
import android.content.pm.UserInfo;
import android.hardware.weaver.IWeaver;
import android.hardware.weaver.WeaverConfig;
import android.hardware.weaver.WeaverReadResponse;
import android.os.IBinder;
import android.os.RemoteCallbackList;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.ServiceSpecificException;
import android.os.UserManager;
import android.provider.Settings;
import android.security.Scrypt;
import android.service.gatekeeper.GateKeeperResponse;
import android.service.gatekeeper.IGateKeeperService;
import android.text.TextUtils;
import android.util.ArrayMap;
import android.util.ArraySet;
import android.util.Slog;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.util.ArrayUtils;
import com.android.internal.util.Preconditions;
import com.android.internal.widget.ICheckCredentialProgressCallback;
import com.android.internal.widget.IWeakEscrowTokenRemovedListener;
import com.android.internal.widget.LockPatternUtils;
import com.android.internal.widget.LockscreenCredential;
import com.android.internal.widget.VerifyCredentialResponse;
import com.android.server.locksettings.LockSettingsStorage;
import com.android.server.utils.Slogf;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Objects;
import java.util.Set;
import libcore.util.HexEncoding;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager.class */
public class SyntheticPasswordManager {
    // State names handed to loadState/saveState/hasState/destroyState and to the
    // LockSettingsStorage listing calls elsewhere in this class.
    private static final String SP_BLOB_NAME = "spblob";
    private static final String SP_E0_NAME = "e0";
    private static final String SP_P1_NAME = "p1";
    private static final String SP_HANDLE_NAME = "handle";
    private static final String SECDISCARDABLE_NAME = "secdis";
    // NOTE(review): presumably a size in bytes; no use is visible in this part of the file.
    private static final int SECDISCARDABLE_LENGTH = 16384;
    private static final String PASSWORD_DATA_NAME = "pwd";
    private static final String WEAVER_SLOT_NAME = "weaver";
    private static final String PASSWORD_METRICS_NAME = "metrics";
    private static final String VENDOR_AUTH_SECRET_NAME = "vendor_auth_secret";
    // The escrow and SID-handle helpers pass the literal 0L as protector id, which equals this value.
    public static final long NULL_PROTECTOR_ID = 0;
    // saveWeaverSlot writes (byte) 1 as the record's first byte and loadWeaverSlot requires it.
    private static final byte WEAVER_VERSION = 1;
    // loadWeaverSlot returns -1 when no valid slot record exists.
    private static final int INVALID_WEAVER_SLOT = -1;
    private static final byte SYNTHETIC_PASSWORD_VERSION_V1 = 1;
    private static final byte SYNTHETIC_PASSWORD_VERSION_V2 = 2;
    // SyntheticPassword.create() builds version 3; deriveSubkey branches on version == 3.
    private static final byte SYNTHETIC_PASSWORD_VERSION_V3 = 3;
    private static final byte PROTECTOR_TYPE_LSKF_BASED = 0;
    private static final byte PROTECTOR_TYPE_STRONG_TOKEN_BASED = 1;
    private static final byte PROTECTOR_TYPE_WEAK_TOKEN_BASED = 2;
    private static final String PROTECTOR_KEY_ALIAS_PREFIX = "synthetic_password_";
    private static final int SYNTHETIC_PASSWORD_SECURITY_STRENGTH = 32;
    // PasswordData.create() writes the literals 11 / 3 / 1 and a 16-byte salt, matching the
    // four constants below (the compiler inlined them).
    private static final int PASSWORD_SCRYPT_LOG_N = 11;
    private static final int PASSWORD_SCRYPT_LOG_R = 3;
    private static final int PASSWORD_SCRYPT_LOG_P = 1;
    private static final int PASSWORD_SALT_LENGTH = 16;
    private static final int STRETCHED_LSKF_LENGTH = 32;
    private static final String TAG = "SyntheticPasswordManager";
    static final int TOKEN_TYPE_STRONG = 0;
    static final int TOKEN_TYPE_WEAK = 1;
    private final Context mContext;
    private LockSettingsStorage mStorage;
    // Cached Weaver binder. Assigned inside the synchronized getWeaverService() and set to null
    // by WeaverDiedRecipient.binderDied() without taking that lock, hence volatile.
    private volatile IWeaver mWeaver;
    // Assigned together with mWeaver in getWeaverService(); read for slot count, key size and value size.
    private WeaverConfig mWeaverConfig;
    private PasswordSlotManager mPasswordSlotManager;
    private final UserManager mUserManager;
    private final RemoteCallbackList<IWeakEscrowTokenRemovedListener> mListeners = new RemoteCallbackList<>();
    // NOTE(review): presumably user id -> (token handle -> pending token data); confirm against the token methods.
    private ArrayMap<Integer, ArrayMap<Long, TokenData>> tokenMap = new ArrayMap<>();
    // Label byte strings. SyntheticPassword passes a different one to each derive*() call and to
    // the split/escrow operations. getBytes() has no charset argument, so the platform default
    // is used; every literal below is ASCII-only.
    private static final byte[] DEFAULT_PASSWORD = "default-password".getBytes();
    private static final byte[] PERSONALIZATION_SECDISCARDABLE = "secdiscardable-transform".getBytes();
    private static final byte[] PERSONALIZATION_KEY_STORE_PASSWORD = "keystore-password".getBytes();
    private static final byte[] PERSONALIZATION_USER_GK_AUTH = "user-gk-authentication".getBytes();
    private static final byte[] PERSONALIZATION_SP_GK_AUTH = "sp-gk-authentication".getBytes();
    private static final byte[] PERSONALIZATION_FBE_KEY = "fbe-key".getBytes();
    private static final byte[] PERSONALIZATION_AUTHSECRET_KEY = "authsecret-hal".getBytes();
    private static final byte[] PERSONALIZATION_AUTHSECRET_ENCRYPTION_KEY = "vendor-authsecret-encryption-key".getBytes();
    private static final byte[] PERSONALIZATION_SP_SPLIT = "sp-split".getBytes();
    private static final byte[] PERSONALIZATION_PASSWORD_HASH = "pw-hash".getBytes();
    private static final byte[] PERSONALIZATION_E0 = "e0-encryption".getBytes();
    private static final byte[] PERSONALIZATION_WEAVER_PASSWORD = "weaver-pwd".getBytes();
    private static final byte[] PERSONALIZATION_WEAVER_KEY = "weaver-key".getBytes();
    private static final byte[] PERSONALIZATION_WEAVER_TOKEN = "weaver-token".getBytes();
    private static final byte[] PERSONALIZATION_PASSWORD_METRICS = "password-metrics".getBytes();
    private static final byte[] PERSONALIZATION_CONTEXT = "android-synthetic-password-personalization-context".getBytes();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager$AuthenticationResult.class */
    /**
     * Mutable holder pairing a recovered synthetic password with a verification response.
     * Both fields start out {@code null} and either may stay unset.
     */
    public static class AuthenticationResult {

        /** Verification response, or {@code null} when none was recorded. */
        @Nullable
        public VerifyCredentialResponse gkResponse;

        /** Recovered synthetic password, or {@code null} when none was recovered. */
        @Nullable
        public SyntheticPassword syntheticPassword;

        AuthenticationResult() {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager$PasswordData.class */
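    /**
     * Per-protector credential metadata and its binary encoding.
     *
     * <p>Layout written by {@link #toBytes()} (ByteBuffer default, big-endian): credentialType
     * (int), scryptLogN, scryptLogR, scryptLogP (one byte each), salt length (int), salt,
     * password handle length (int), password handle, pinLength (int).
     */
    public static class PasswordData {
        // NOTE(review): named as log2 scrypt parameters; how they are applied is not visible here.
        byte scryptLogN;
        byte scryptLogR;
        byte scryptLogP;
        public int credentialType;
        byte[] salt;
        // Null when no handle was stored (length field 0 on disk).
        public byte[] passwordHandle;
        // -1 when the serialized form carries no pinLength field.
        public int pinLength;

        PasswordData() {
        }

        /**
         * Builds metadata for a new credential with the fixed parameters 11 / 3 / 1 and a fresh
         * 16-byte random salt.
         *
         * @param i credential type to record
         * @param i2 PIN length to record
         * @return the new instance; {@code passwordHandle} is left {@code null}
         */
        public static PasswordData create(int i, int i2) {
            PasswordData passwordData = new PasswordData();
            passwordData.scryptLogN = (byte) 11;
            passwordData.scryptLogR = (byte) 3;
            passwordData.scryptLogP = (byte) 1;
            passwordData.credentialType = i;
            passwordData.pinLength = i2;
            passwordData.salt = SecureRandomUtils.randomBytes(16);
            return passwordData;
        }

        /**
         * Reports whether the blob starts with the bytes {@code 00 02}.
         *
         * @param bArr serialized data, may be {@code null}
         * @return true only for a non-null array of at least two bytes beginning {@code 00 02}
         */
        public static boolean isBadFormatFromAndroid14Beta(byte[] bArr) {
            return bArr != null && bArr.length >= 2 && bArr[0] == 0 && bArr[1] == 2;
        }

        /**
         * Parses the layout described on the class.
         *
         * <p>The input is stored state; {@code getSpecialUserCredentialType} also feeds it the
         * payload of a persistent data block. The embedded length fields are therefore checked
         * against the bytes actually present before any array is allocated, so a corrupted
         * length cannot trigger a near-2-GiB allocation.
         *
         * @param bArr serialized form
         * @return the parsed instance; {@code pinLength} is -1 when the trailing field is absent
         * @throws java.nio.BufferUnderflowException if the data is truncated or a length field
         *     exceeds the remaining bytes
         * @throws NegativeArraySizeException if the salt length field is negative
         */
        public static PasswordData fromBytes(byte[] bArr) {
            PasswordData passwordData = new PasswordData();
            // Read-only view; every array stored in the result is a fresh copy.
            ByteBuffer buffer = ByteBuffer.wrap(bArr);
            // The cast keeps the low 16 bits only, so the first two serialized bytes are ignored.
            passwordData.credentialType = (short) buffer.getInt();
            passwordData.scryptLogN = buffer.get();
            passwordData.scryptLogR = buffer.get();
            passwordData.scryptLogP = buffer.get();
            int saltLength = buffer.getInt();
            if (saltLength > buffer.remaining()) {
                // Same exception the bulk get() below would raise, but before allocating.
                throw new java.nio.BufferUnderflowException();
            }
            passwordData.salt = new byte[saltLength];
            buffer.get(passwordData.salt);
            int handleLength = buffer.getInt();
            if (handleLength > 0) {
                if (handleLength > buffer.remaining()) {
                    throw new java.nio.BufferUnderflowException();
                }
                passwordData.passwordHandle = new byte[handleLength];
                buffer.get(passwordData.passwordHandle);
            } else {
                passwordData.passwordHandle = null;
            }
            // The pinLength field is optional on input.
            if (buffer.remaining() >= 4) {
                passwordData.pinLength = buffer.getInt();
            } else {
                passwordData.pinLength = -1;
            }
            return passwordData;
        }

        /**
         * Serializes this instance in the layout described on the class.
         *
         * @return the encoded bytes
         * @throws IllegalArgumentException if {@code credentialType} does not fit in 16 signed
         *     bits, which is the range {@link #fromBytes(byte[])} can read back
         */
        public byte[] toBytes() {
            final int handleLength = this.passwordHandle != null ? this.passwordHandle.length : 0;
            // 11 = credentialType (4) + three scrypt bytes (3) + salt length (4).
            ByteBuffer buffer = ByteBuffer.allocate(11 + this.salt.length + 4 + handleLength + 4);
            if (this.credentialType < -32768 || this.credentialType > 32767) {
                throw new IllegalArgumentException("Unknown credential type: " + this.credentialType);
            }
            buffer.putInt(this.credentialType);
            buffer.put(this.scryptLogN);
            buffer.put(this.scryptLogR);
            buffer.put(this.scryptLogP);
            buffer.putInt(this.salt.length);
            buffer.put(this.salt);
            if (handleLength > 0) {
                buffer.putInt(handleLength);
                buffer.put(this.passwordHandle);
            } else {
                buffer.putInt(0);
            }
            buffer.putInt(this.pinLength);
            return buffer.array();
        }
    }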

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager$SyntheticPassword.class */
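    /**
     * In-memory synthetic password plus the two escrow values it can be rebuilt from.
     *
     * <p>The secret is the hex encoding of a personalized hash over two splits (see
     * {@link #recreate}). Purpose-specific keys are derived from it with distinct labels.
     */
    public static class SyntheticPassword {
        private final byte mVersion;

        @NonNull
        private byte[] mSyntheticPassword;

        // First split, stored encrypted (see create()); null until escrow data is set.
        @Nullable
        private byte[] mEncryptedEscrowSplit0;

        // Second split, stored as given; null until escrow data is set.
        @Nullable
        private byte[] mEscrowSplit1;

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * Creates an empty instance of the given format version. The secret itself is filled in
         * later by one of the recreate methods.
         */
        public SyntheticPassword(byte b) {
            this.mVersion = b;
        }

        /**
         * Derives a purpose-specific key from the synthetic password.
         *
         * <p>Version 3 uses {@code SP800Derive.withContext} with the shared personalization
         * context; other versions use {@code SyntheticPasswordCrypto.personalizedHash}.
         *
         * @param bArr label identifying the purpose
         * @return the derived bytes
         */
        private byte[] deriveSubkey(byte[] bArr) {
            if (this.mVersion == 3) {
                return new SP800Derive(this.mSyntheticPassword).withContext(bArr, SyntheticPasswordManager.PERSONALIZATION_CONTEXT);
            }
            // The decompiler emitted "new byte[]{...}" here; the element is itself a byte[], so
            // the array type has to be byte[][] for the call to compile.
            return SyntheticPasswordCrypto.personalizedHash(bArr, new byte[][]{this.mSyntheticPassword});
        }

        /** Returns the "keystore-password" subkey, hex-encoded by {@code bytesToHex}. */
        public byte[] deriveKeyStorePassword() {
            return SyntheticPasswordManager.bytesToHex(deriveSubkey(SyntheticPasswordManager.PERSONALIZATION_KEY_STORE_PASSWORD));
        }

        /** Returns the subkey for the "sp-gk-authentication" label. */
        public byte[] deriveGkPassword() {
            return deriveSubkey(SyntheticPasswordManager.PERSONALIZATION_SP_GK_AUTH);
        }

        /** Returns the subkey for the "fbe-key" label. */
        public byte[] deriveFileBasedEncryptionKey() {
            return deriveSubkey(SyntheticPasswordManager.PERSONALIZATION_FBE_KEY);
        }

        /** Returns the subkey for the "authsecret-hal" label. */
        public byte[] deriveVendorAuthSecret() {
            return deriveSubkey(SyntheticPasswordManager.PERSONALIZATION_AUTHSECRET_KEY);
        }

        /** Returns the subkey for the "pw-hash" label. */
        public byte[] derivePasswordHashFactor() {
            return deriveSubkey(SyntheticPasswordManager.PERSONALIZATION_PASSWORD_HASH);
        }

        /** Returns the subkey for the "password-metrics" label. */
        public byte[] deriveMetricsKey() {
            return deriveSubkey(SyntheticPasswordManager.PERSONALIZATION_PASSWORD_METRICS);
        }

        /** Returns the subkey for the "vendor-authsecret-encryption-key" label. */
        public byte[] deriveVendorAuthSecretEncryptionKey() {
            return deriveSubkey(SyntheticPasswordManager.PERSONALIZATION_AUTHSECRET_ENCRYPTION_KEY);
        }

        /**
         * Stores the escrow values by reference (no copy is made).
         *
         * @param bArr encrypted first split, may be {@code null}
         * @param bArr2 second split, may be {@code null}
         */
        public void setEscrowData(@Nullable byte[] bArr, @Nullable byte[] bArr2) {
            this.mEncryptedEscrowSplit0 = bArr;
            this.mEscrowSplit1 = bArr2;
        }

        /**
         * Rebuilds the secret from a caller-supplied first split and the stored second split.
         *
         * @param bArr the first split in the form {@link #recreate} expects
         * @throws NullPointerException if either escrow value has not been set
         */
        public void recreateFromEscrow(byte[] bArr) {
            Objects.requireNonNull(this.mEscrowSplit1);
            Objects.requireNonNull(this.mEncryptedEscrowSplit0);
            recreate(bArr, this.mEscrowSplit1);
        }

        /** Sets the secret to a private copy of {@code bArr}. */
        public void recreateDirectly(byte[] bArr) {
            this.mSyntheticPassword = Arrays.copyOf(bArr, bArr.length);
        }

        /**
         * Creates a new version 3 synthetic password from two fresh 32-byte random splits.
         *
         * <p>The first split is then passed to {@code SyntheticPasswordCrypto.encrypt} together
         * with the new secret and the "e0-encryption" label. That result and the second split
         * become the escrow data.
         */
        static SyntheticPassword create() {
            SyntheticPassword syntheticPassword = new SyntheticPassword((byte) 3);
            byte[] split0 = SecureRandomUtils.randomBytes(32);
            byte[] split1 = SecureRandomUtils.randomBytes(32);
            syntheticPassword.recreate(split0, split1);
            syntheticPassword.setEscrowData(SyntheticPasswordCrypto.encrypt(syntheticPassword.mSyntheticPassword, SyntheticPasswordManager.PERSONALIZATION_E0, split0), split1);
            return syntheticPassword;
        }

        /**
         * Sets the secret to the hex encoding of the "sp-split" personalized hash over both
         * splits, in this order.
         */
        private void recreate(byte[] bArr, byte[] bArr2) {
            // Decompiler artifact repaired: the elements are byte[] values, so this is a byte[][].
            this.mSyntheticPassword = SyntheticPasswordManager.bytesToHex(SyntheticPasswordCrypto.personalizedHash(SyntheticPasswordManager.PERSONALIZATION_SP_SPLIT, new byte[][]{bArr, bArr2}));
        }

        /**
         * Decrypts the stored first split with the current secret.
         *
         * @return the decrypted value, or {@code null} when no encrypted split is stored
         */
        public byte[] getEscrowSecret() {
            if (this.mEncryptedEscrowSplit0 == null) {
                return null;
            }
            return SyntheticPasswordCrypto.decrypt(this.mSyntheticPassword, SyntheticPasswordManager.PERSONALIZATION_E0, this.mEncryptedEscrowSplit0);
        }

        /**
         * Returns the internal secret array itself, not a copy, so callers share the live
         * buffer with this object.
         */
        public byte[] getSyntheticPassword() {
            return this.mSyntheticPassword;
        }

        /** Returns the format version given at construction. */
        public byte getVersion() {
            return this.mVersion;
        }
    }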

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager$SyntheticPasswordBlob.class */
    /**
     * Container for a stored protector blob: one version byte, one protector-type byte, then
     * the content bytes.
     */
    public static class SyntheticPasswordBlob {
        byte mVersion;
        byte mProtectorType;
        byte[] mContent;

        private SyntheticPasswordBlob() {
        }

        /**
         * Wraps the given parts; {@code bArr} is kept by reference.
         *
         * @param b version byte
         * @param b2 protector type byte
         * @param bArr content
         */
        public static SyntheticPasswordBlob create(byte b, byte b2, byte[] bArr) {
            final SyntheticPasswordBlob blob = new SyntheticPasswordBlob();
            blob.mContent = bArr;
            blob.mProtectorType = b2;
            blob.mVersion = b;
            return blob;
        }

        /**
         * Splits a serialized blob into header bytes and a copy of the content.
         *
         * <p>There is no length check: input shorter than two bytes fails with
         * {@link ArrayIndexOutOfBoundsException}.
         */
        public static SyntheticPasswordBlob fromBytes(byte[] bArr) {
            final byte version = bArr[0];
            final byte protectorType = bArr[1];
            return create(version, protectorType, Arrays.copyOfRange(bArr, 2, bArr.length));
        }

        /** Serializes to version byte, protector-type byte, content. */
        public byte[] toByte() {
            return ByteBuffer.allocate(this.mContent.length + 2)
                    .put(this.mVersion)
                    .put(this.mProtectorType)
                    .put(this.mContent)
                    .array();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager$TokenData.class */
    /**
     * Plain holder for the data kept per escrow token. It has no behaviour of its own.
     * NOTE(review): field meanings are inferred from their names; confirm against the token
     * creation and activation code.
     */
    public static class TokenData {
        // Token type (presumably TOKEN_TYPE_STRONG or TOKEN_TYPE_WEAK).
        int mType;
        // Callback associated with the token.
        LockPatternUtils.EscrowTokenStateChangeCallback mCallback;
        // Secret material held in memory.
        byte[] aggregatedSecret;
        byte[] weaverSecret;
        byte[] secdiscardableOnDisk;

        private TokenData() {
        }
    }

    /**
     * Marker annotation with source-only retention, so it is absent from class files.
     * NOTE(review): presumably tags ints holding TOKEN_TYPE_STRONG / TOKEN_TYPE_WEAK; no use
     * is visible in this part of the file.
     */
    @Retention(RetentionPolicy.SOURCE)
    /* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager$TokenType.class */
    @interface TokenType {
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/android/server/locksettings/SyntheticPasswordManager$WeaverDiedRecipient.class */
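    /**
     * Death recipient for the AIDL Weaver binder. It clears the cached service reference, so
     * the next {@code getWeaverService()} call looks the service up again.
     */
    public class WeaverDiedRecipient implements IBinder.DeathRecipient {
        private WeaverDiedRecipient() {
        }

        /**
         * Logs the death, unlinks this recipient from the cached binder if there is one, and
         * clears the cache.
         *
         * <p>The recipient is linked in {@code getWeaverServiceInternal()}, before
         * {@code getWeaverService()} assigns {@code mWeaver}. {@code mWeaver} can therefore
         * still be {@code null} here, for example after a config failure or after an earlier
         * death callback already cleared it. The field is read once and checked rather than
         * dereferenced directly.
         */
        @Override // android.os.IBinder.DeathRecipient
        public void binderDied() {
            Slog.wtf(SyntheticPasswordManager.TAG, "Weaver service has died");
            // Single volatile read; this method does not hold the getWeaverService() lock.
            java.util.Optional.ofNullable(SyntheticPasswordManager.this.mWeaver)
                    .ifPresent(weaver -> weaver.asBinder().unlinkToDeath(this, 0));
            SyntheticPasswordManager.this.mWeaver = null;
        }
    }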

    /**
     * Stores the collaborators and does nothing else. The Weaver service is looked up lazily
     * by {@code getWeaverService()}.
     */
    public SyntheticPasswordManager(Context context, LockSettingsStorage lockSettingsStorage, UserManager userManager, PasswordSlotManager passwordSlotManager) {
        this.mPasswordSlotManager = passwordSlotManager;
        this.mUserManager = userManager;
        this.mStorage = lockSettingsStorage;
        this.mContext = context;
    }

    /** Returns true when the global setting "device_provisioned" is non-zero; a missing value reads as 0. */
    private boolean isDeviceProvisioned() {
        final int provisioned = Settings.Global.getInt(this.mContext.getContentResolver(), "device_provisioned", 0);
        return provisioned != 0;
    }

    /**
     * Looks up the HIDL (V1_0) Weaver service.
     *
     * @return the service, or {@code null} when the lookup throws {@link NoSuchElementException}
     * @throws RemoteException propagated from the lookup
     */
    @VisibleForTesting
    protected android.hardware.weaver.V1_0.IWeaver getWeaverHidlService() throws RemoteException {
        android.hardware.weaver.V1_0.IWeaver hidlService;
        try {
            hidlService = android.hardware.weaver.V1_0.IWeaver.getService(true);
        } catch (NoSuchElementException notRegistered) {
            // No such service on this device; callers treat null as "unavailable".
            hidlService = null;
        }
        return hidlService;
    }

    /**
     * Looks up the AIDL Weaver service instance "default" and accepts it only at interface
     * version 2 or later.
     *
     * @return the service, or {@code null} when it is not declared, too old, its version
     *     cannot be read, or the caller lacks permission for the lookup
     */
    @Nullable
    private IWeaver getWeaverAidlService() {
        try {
            final IWeaver candidate = IWeaver.Stub.asInterface(ServiceManager.waitForDeclaredService(IWeaver.DESCRIPTOR + "/default"));
            if (candidate == null) {
                return null;
            }
            final int version;
            try {
                version = candidate.getInterfaceVersion();
            } catch (RemoteException e) {
                Slog.e(TAG, "Cannot get AIDL weaver service version", e);
                return null;
            }
            if (version >= 2) {
                Slog.i(TAG, "Found AIDL weaver service v" + version);
                return candidate;
            }
            Slog.w(TAG, "Ignoring AIDL weaver service v" + version + " because only v2 and later are supported");
            return null;
        } catch (SecurityException e2) {
            Slog.w(TAG, "Does not have permissions to get AIDL weaver service");
            return null;
        }
    }

    /**
     * Picks a Weaver implementation: the AIDL service if usable, otherwise the HIDL service
     * wrapped in a {@code WeaverHidlAdapter}.
     *
     * <p>A death recipient is registered only on the AIDL path. A failure to register it is
     * logged and the service is still returned.
     *
     * @return the service, or {@code null} when neither implementation is available
     */
    @Nullable
    private IWeaver getWeaverServiceInternal() {
        final IWeaver aidl = getWeaverAidlService();
        if (aidl == null) {
            try {
                final android.hardware.weaver.V1_0.IWeaver hidl = getWeaverHidlService();
                if (hidl != null) {
                    Slog.i(TAG, "Using HIDL weaver service");
                    return new WeaverHidlAdapter(hidl);
                }
            } catch (RemoteException e2) {
                Slog.w(TAG, "Failed to get HIDL weaver service.", e2);
            }
            Slog.w(TAG, "Device does not support weaver");
            return null;
        }
        Slog.i(TAG, "Using AIDL weaver service");
        try {
            aidl.asBinder().linkToDeath(new WeaverDiedRecipient(), 0);
        } catch (RemoteException e) {
            Slog.w(TAG, "Unable to register Weaver death recipient", e);
        }
        return aidl;
    }

    /** Delegates to {@code LockPatternUtils.isAutoPinConfirmFeatureAvailable()}. */
    @VisibleForTesting
    public boolean isAutoPinConfirmationFeatureAvailable() {
        final boolean available = LockPatternUtils.isAutoPinConfirmFeatureAvailable();
        return available;
    }

    /**
     * Returns the cached Weaver service, initializing it on first use.
     *
     * <p>A newly found service is cached only if its config is non-null and reports at least
     * one slot. On success the slot manager is refreshed with the slots currently recorded in
     * storage.
     *
     * @return the service, or {@code null} when Weaver is unavailable or its config is
     *     invalid or unreadable
     */
    @Nullable
    private synchronized IWeaver getWeaverService() {
        final IWeaver cached = this.mWeaver;
        if (cached != null) {
            return cached;
        }
        final IWeaver candidate = getWeaverServiceInternal();
        if (candidate == null) {
            return null;
        }
        try {
            final WeaverConfig reported = candidate.getConfig();
            final boolean usable = reported != null && reported.slots > 0;
            if (!usable) {
                Slog.e(TAG, "Invalid weaver config");
                return null;
            }
            this.mWeaver = candidate;
            this.mWeaverConfig = reported;
            this.mPasswordSlotManager.refreshActiveSlots(getUsedWeaverSlots());
            Slog.i(TAG, "Weaver service initialized");
            return candidate;
        } catch (RemoteException | ServiceSpecificException e) {
            Slog.e(TAG, "Failed to get weaver config", e);
            return null;
        }
    }

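    /**
     * Writes a key/value pair into a Weaver slot.
     *
     * @param iWeaver service to write through
     * @param i slot index; must lie in {@code [0, mWeaverConfig.slots)}
     * @param bArr key of exactly {@code keySize} bytes, or {@code null} for an all-zero key
     * @param bArr2 value to store, or {@code null} to generate {@code valueSize} random bytes
     * @return the value written, or {@code null} if the write failed (the failure is logged)
     * @throws IllegalArgumentException if the slot is out of range or the key has the wrong size
     */
    private byte[] weaverEnroll(IWeaver iWeaver, int i, byte[] bArr, @Nullable byte[] bArr2) {
        // Reject every negative index, not just -1. Slot numbers are loaded from stored state,
        // and valid slots are 0..slots-1 (see getNextAvailableWeaverSlot).
        if (i < 0 || i >= this.mWeaverConfig.slots) {
            throw new IllegalArgumentException("Invalid slot for weaver");
        }
        if (bArr == null) {
            bArr = new byte[this.mWeaverConfig.keySize];
        } else if (bArr.length != this.mWeaverConfig.keySize) {
            throw new IllegalArgumentException("Invalid key size for weaver");
        }
        if (bArr2 == null) {
            bArr2 = SecureRandomUtils.randomBytes(this.mWeaverConfig.valueSize);
        }
        try {
            iWeaver.write(i, bArr, bArr2);
            return bArr2;
        } catch (RemoteException e) {
            Slog.e(TAG, "weaver write binder call failed, slot: " + i, e);
            return null;
        } catch (ServiceSpecificException e2) {
            Slog.e(TAG, "weaver write failed, slot: " + i, e2);
            return null;
        }
    }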

    /**
     * Converts a Weaver throttle timeout into a timeout response. Values that are negative or
     * above {@link Integer#MAX_VALUE} are replaced by {@link Integer#MAX_VALUE}.
     */
    private static VerifyCredentialResponse responseFromTimeout(WeaverReadResponse weaverReadResponse) {
        final long reported = weaverReadResponse.timeout;
        final int clamped;
        if (reported >= 0 && reported <= 2147483647L) {
            clamped = (int) reported;
        } else {
            // Out-of-range values become the longest representable timeout, never a shorter one.
            clamped = Integer.MAX_VALUE;
        }
        return VerifyCredentialResponse.fromTimeout(clamped);
    }

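    /**
     * Presents a key to a Weaver slot and maps the result to a {@code VerifyCredentialResponse}.
     *
     * <p>Status 0 yields a response carrying the slot's value in the gatekeeper HAT field.
     * Status 2 with a non-zero timeout and status 3 yield a timeout response. Every other
     * outcome yields {@code VerifyCredentialResponse.ERROR}.
     *
     * @param iWeaver service to read through
     * @param i slot index; must lie in {@code [0, mWeaverConfig.slots)}
     * @param bArr key of exactly {@code keySize} bytes, or {@code null} for an all-zero key
     * @return the mapped response, never {@code null}
     * @throws IllegalArgumentException if the slot is out of range or the key has the wrong size
     */
    private VerifyCredentialResponse weaverVerify(IWeaver iWeaver, int i, byte[] bArr) {
        // Reject every negative index, not just -1. Slot numbers are loaded from stored state,
        // and valid slots are 0..slots-1 (see getNextAvailableWeaverSlot).
        if (i < 0 || i >= this.mWeaverConfig.slots) {
            throw new IllegalArgumentException("Invalid slot for weaver");
        }
        if (bArr == null) {
            bArr = new byte[this.mWeaverConfig.keySize];
        } else if (bArr.length != this.mWeaverConfig.keySize) {
            throw new IllegalArgumentException("Invalid key size for weaver");
        }
        try {
            WeaverReadResponse read = iWeaver.read(i, bArr);
            // The status names in the comments below are taken from the log messages.
            switch (read.status) {
                case 0:
                    return new VerifyCredentialResponse.Builder().setGatekeeperHAT(read.value).build();
                case 1: // FAILED
                    Slog.e(TAG, "weaver read failed (FAILED), slot: " + i);
                    return VerifyCredentialResponse.ERROR;
                case 2: // INCORRECT_KEY, with or without throttling
                    if (read.timeout == 0) {
                        Slog.e(TAG, "weaver read failed (INCORRECT_KEY), slot: " + i);
                        return VerifyCredentialResponse.ERROR;
                    }
                    Slog.e(TAG, "weaver read failed (INCORRECT_KEY/THROTTLE), slot: " + i);
                    return responseFromTimeout(read);
                case 3: // THROTTLE
                    Slog.e(TAG, "weaver read failed (THROTTLE), slot: " + i);
                    return responseFromTimeout(read);
                default:
                    // An unrecognised status is never treated as success.
                    Slog.e(TAG, "weaver read unknown status " + read.status + ", slot: " + i);
                    return VerifyCredentialResponse.ERROR;
            }
        } catch (RemoteException e) {
            Slog.e(TAG, "weaver read failed, slot: " + i, e);
            return VerifyCredentialResponse.ERROR;
        }
    }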

    /**
     * Cleans up per-protector secrets for a removed user: for every "spblob" protector its
     * Weaver slot and its protector key are destroyed. The Gatekeeper SID for the user's fake
     * id is cleared afterwards.
     *
     * <p>A {@link RemoteException} from Gatekeeper is only logged, so the SID may survive
     * that failure.
     *
     * @param iGateKeeperService Gatekeeper service to clear the SID on
     * @param i id of the user being removed
     */
    public void removeUser(IGateKeeperService iGateKeeperService, int i) {
        for (Long boxedId : this.mStorage.listSyntheticPasswordProtectorsForUser(SP_BLOB_NAME, i)) {
            final long protectorId = boxedId.longValue();
            destroyWeaverSlot(protectorId, i);
            destroyProtectorKey(getProtectorKeyAlias(protectorId));
        }
        try {
            iGateKeeperService.clearSecureUserId(fakeUserId(i));
        } catch (RemoteException e) {
            Slog.w(TAG, "Failed to clear SID from gatekeeper");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reads the PIN length recorded in a protector's "pwd" state.
     *
     * @param j protector id
     * @param i user id
     * @return the stored value, or -1 when no such state exists
     */
    public int getPinLength(long j, int i) {
        final byte[] serialized = loadState(PASSWORD_DATA_NAME, j, i);
        return serialized != null ? PasswordData.fromBytes(serialized).pinLength : -1;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reads the credential type recorded in a protector's "pwd" state.
     *
     * @param j protector id
     * @param i user id
     * @return the stored type, or -1 when no such state exists
     */
    public int getCredentialType(long j, int i) {
        final byte[] serialized = loadState(PASSWORD_DATA_NAME, j, i);
        return serialized != null ? PasswordData.fromBytes(serialized).credentialType : -1;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the credential type recorded in the persistent data of a special user id.
     *
     * <p>Only persistent data of type 1 or 2 with a payload is considered. A stored type of 2
     * is refined through {@code LockPatternUtils.pinOrPasswordQualityToCredentialType} using
     * the block's {@code qualityForUi}.
     *
     * <p>NOTE(review): the returned PersistentData is dereferenced without a null check,
     * unlike in getNextAvailableWeaverSlot. Confirm the storage layer never returns null here.
     *
     * @param i special user id accepted by {@code getSpecialUserPersistentData}
     * @return the credential type, or -1 when the data has another type or no payload
     */
    public int getSpecialUserCredentialType(int i) {
        final LockSettingsStorage.PersistentData data = getSpecialUserPersistentData(i);
        final boolean supportedType = data.type == 1 || data.type == 2;
        if (!supportedType || data.payload == null) {
            return -1;
        }
        final int stored = PasswordData.fromBytes(data.payload).credentialType;
        if (stored == 2) {
            return LockPatternUtils.pinOrPasswordQualityToCredentialType(data.qualityForUi);
        }
        return stored;
    }

    /**
     * Maps a special user id to its persistent data: -9999 reads the persistent data block,
     * -9998 reads the repair-mode persistent data.
     *
     * @throws IllegalArgumentException for any other id
     */
    private LockSettingsStorage.PersistentData getSpecialUserPersistentData(int i) {
        switch (i) {
            case -9999:
                return this.mStorage.readPersistentDataBlock();
            case -9998:
                return this.mStorage.readRepairModePersistentData();
            default:
                throw new IllegalArgumentException("Unknown special user id " + i);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a fresh synthetic password for a user. The stored SID handle is cleared first,
     * and the new escrow data is persisted before returning.
     *
     * @param i user id
     * @return the new synthetic password
     */
    public SyntheticPassword newSyntheticPassword(int i) {
        clearSidForUser(i);
        final SyntheticPassword fresh = SyntheticPassword.create();
        saveEscrowData(fresh, i);
        return fresh;
    }

    /**
     * Enrolls the synthetic password's Gatekeeper subkey for the user and stores the returned
     * handle.
     *
     * @param iGateKeeperService Gatekeeper service to enroll with
     * @param syntheticPassword source of the Gatekeeper password
     * @param i user id passed to Gatekeeper
     * @throws IllegalStateException if the call fails or returns a non-zero response code
     */
    public void newSidForUser(IGateKeeperService iGateKeeperService, SyntheticPassword syntheticPassword, int i) {
        final GateKeeperResponse response;
        try {
            response = iGateKeeperService.enroll(i, null, null, syntheticPassword.deriveGkPassword());
        } catch (RemoteException e) {
            throw new IllegalStateException("Failed to create new SID for user", e);
        }
        final int code = response.getResponseCode();
        if (code != 0) {
            throw new IllegalStateException("Fail to create new SID for user " + i + " response: " + code);
        }
        saveSyntheticPasswordHandle(response.getPayload(), i);
    }

    /** Destroys the user's stored "handle" state (protector id 0). */
    public void clearSidForUser(int i) {
        final long noProtector = 0L;
        destroyState(SP_HANDLE_NAME, noProtector, i);
    }

    /** Returns whether "handle" state (protector id 0) exists for the user. */
    public boolean hasSidForUser(int i) {
        final long noProtector = 0L;
        return hasState(SP_HANDLE_NAME, noProtector, i);
    }

    /** Loads the user's "handle" state (protector id 0); the result is whatever loadState returns. */
    private byte[] loadSyntheticPasswordHandle(int i) {
        final long noProtector = 0L;
        return loadState(SP_HANDLE_NAME, noProtector, i);
    }

    /** Saves the handle as the user's "handle" state (protector id 0), then calls syncState for that user. */
    private void saveSyntheticPasswordHandle(byte[] bArr, int i) {
        final long noProtector = 0L;
        saveState(SP_HANDLE_NAME, bArr, noProtector, i);
        syncState(i);
    }

    /**
     * Loads the "e0" and "p1" state for the user into the given synthetic password. The values
     * are applied even when one of them is missing.
     *
     * @return true only when both values were present
     */
    private boolean loadEscrowData(SyntheticPassword syntheticPassword, int i) {
        final byte[] encryptedSplit0 = loadState(SP_E0_NAME, 0L, i);
        final byte[] split1 = loadState(SP_P1_NAME, 0L, i);
        syntheticPassword.setEscrowData(encryptedSplit0, split1);
        return encryptedSplit0 != null && split1 != null;
    }

    /** Persists the synthetic password's encrypted first split as "e0" and its second split as "p1". */
    private void saveEscrowData(SyntheticPassword syntheticPassword, int i) {
        final long noProtector = 0L;
        saveState(SP_E0_NAME, syntheticPassword.mEncryptedEscrowSplit0, noProtector, i);
        saveState(SP_P1_NAME, syntheticPassword.mEscrowSplit1, noProtector, i);
    }

    /** Returns true when both the "e0" and the "p1" state exist for the user. */
    public boolean hasEscrowData(int i) {
        if (!hasState(SP_E0_NAME, 0L, i)) {
            return false;
        }
        return hasState(SP_P1_NAME, 0L, i);
    }

    /** Returns true when the "e0" state or the "p1" state exists for the user. */
    public boolean hasAnyEscrowData(int i) {
        if (hasState(SP_E0_NAME, 0L, i)) {
            return true;
        }
        return hasState(SP_P1_NAME, 0L, i);
    }

    /** Destroys the user's "e0" state, then the "p1" state. */
    public void destroyEscrowData(int i) {
        final long noProtector = 0L;
        destroyState(SP_E0_NAME, noProtector, i);
        destroyState(SP_P1_NAME, noProtector, i);
    }

    /**
     * Reads the Weaver slot recorded for a protector. The record is five bytes: a version
     * byte that must be 1, then the slot as a big-endian int.
     *
     * @param j protector id
     * @param i user id
     * @return the stored slot, or -1 when the record is missing, has the wrong length, or has
     *     another version byte
     */
    private int loadWeaverSlot(long j, int i) {
        final byte[] record = loadState(WEAVER_SLOT_NAME, j, i);
        if (record == null || record.length != 5) {
            return -1;
        }
        final ByteBuffer reader = ByteBuffer.wrap(record);
        if (reader.get() != 1) {
            Slog.e(TAG, "Invalid weaver slot version for protector " + j);
            return -1;
        }
        // The value is returned as stored. Range checking happens where the slot is used.
        return reader.getInt();
    }

    /**
     * Records the Weaver slot used by a protector as a five-byte record: version byte 1
     * followed by the slot as a big-endian int.
     *
     * @param i slot index
     * @param j protector id
     * @param i2 user id
     */
    private void saveWeaverSlot(int i, long j, int i2) {
        final byte[] record = ByteBuffer.allocate(5).put((byte) 1).putInt(i).array();
        saveState(WEAVER_SLOT_NAME, record, j, i2);
    }

    /**
     * Deletes a protector's slot record and, if possible, erases the slot in Weaver.
     *
     * <p>The record is destroyed first. The slot is erased by enrolling a null key and null
     * value, but not if another protector's record still names the same slot.
     *
     * <p>NOTE(review): the result of the erasing weaverEnroll call is ignored, so the slot is
     * marked deleted even when the write failed. Confirm that this is the intended
     * best-effort behaviour.
     *
     * @param j protector id
     * @param i user id
     */
    private void destroyWeaverSlot(long j, int i) {
        final int slot = loadWeaverSlot(j, i);
        destroyState(WEAVER_SLOT_NAME, j, i);
        if (slot == -1) {
            return;
        }
        final IWeaver weaver = getWeaverService();
        if (weaver == null) {
            Slog.e(TAG, "Cannot erase Weaver slot because Weaver is unavailable");
            return;
        }
        if (getUsedWeaverSlots().contains(Integer.valueOf(slot))) {
            Slogf.i(TAG, "Weaver slot %d was already reused; not erasing it", Integer.valueOf(slot));
            return;
        }
        Slogf.i(TAG, "Erasing Weaver slot %d", Integer.valueOf(slot));
        weaverEnroll(weaver, slot, null, null);
        this.mPasswordSlotManager.markSlotDeleted(slot);
    }

    /**
     * Collects the slot numbers recorded in the "weaver" state of every protector of every user.
     *
     * @return a new mutable set. It contains -1 if any record failed to load, because
     *     loadWeaverSlot's result is added unfiltered.
     */
    private Set<Integer> getUsedWeaverSlots() {
        final Set<Integer> slots = new HashSet<>();
        for (Map.Entry<Integer, List<Long>> perUser : this.mStorage.listSyntheticPasswordProtectorsForAllUsers(WEAVER_SLOT_NAME).entrySet()) {
            for (Long protectorId : perUser.getValue()) {
                slots.add(Integer.valueOf(loadWeaverSlot(protectorId.longValue(), perUser.getKey().intValue())));
            }
        }
        return slots;
    }

    /**
     * Finds the lowest Weaver slot that is not in use.
     *
     * <p>A slot counts as used if a protector record names it or the slot manager reports it.
     * While the device is not provisioned, the number held in the {@code userId} field of a
     * type-2 persistent data block also counts as a used slot.
     *
     * @return the first free slot in {@code [0, mWeaverConfig.slots)}
     * @throws IllegalStateException if every slot is taken
     */
    private int getNextAvailableWeaverSlot() {
        final Set<Integer> taken = getUsedWeaverSlots();
        taken.addAll(this.mPasswordSlotManager.getUsedSlots());
        if (!isDeviceProvisioned()) {
            final LockSettingsStorage.PersistentData persistent = this.mStorage.readPersistentDataBlock();
            if (persistent != null && persistent.type == 2) {
                // The userId field is treated as a slot number here.
                taken.add(Integer.valueOf(persistent.userId));
            }
        }
        int candidate = 0;
        while (candidate < this.mWeaverConfig.slots) {
            if (!taken.contains(Integer.valueOf(candidate))) {
                return candidate;
            }
            candidate++;
        }
        throw new IllegalStateException("Run out of weaver slots.");
    }

    /**
     * Creates a new LSKF-based protector (protector type 0) that wraps {@code syntheticPassword}
     * for user {@code i}, and persists its state.
     *
     * <p>When {@link #getWeaverService()} returns a service, the stretched LSKF is enrolled into a
     * free Weaver slot and the protector secret is derived from the stretched LSKF plus the value
     * returned by the enrollment. Otherwise a non-empty LSKF is enrolled with Gatekeeper under
     * {@code fakeUserId(i)} and the protector secret is derived from the stretched LSKF plus a
     * freshly generated secdiscardable.
     *
     * @param iGateKeeperService Gatekeeper binder, used only on the non-Weaver path
     * @param lockscreenCredential the credential to protect the synthetic password with
     * @param syntheticPassword the synthetic password to wrap
     * @param i the user id (as used in the log messages below)
     * @return the id of the newly created protector
     * @throws IllegalStateException if Weaver or Gatekeeper enrollment fails
     */
    public long createLskfBasedProtector(IGateKeeperService iGateKeeperService, LockscreenCredential lockscreenCredential, SyntheticPassword syntheticPassword, int i) {
        byte[] transformUnderSecdiscardable;
        long generateProtectorId = generateProtectorId();
        // -1 means "no PIN length stored"; derivePinLength() returns it for anything but a long PIN
        // with the auto-confirm setting enabled.
        int i2 = -1;
        if (isAutoPinConfirmationFeatureAvailable()) {
            i2 = derivePinLength(lockscreenCredential.size(), lockscreenCredential.isPin(), i);
        }
        // No PasswordData is created for an empty credential; stretchLskf() accepts null only then.
        PasswordData create = lockscreenCredential.isNone() ? null : PasswordData.create(lockscreenCredential.getType(), i2);
        byte[] stretchLskf = stretchLskf(lockscreenCredential, create);
        // Secure user id passed on to the SP blob; stays 0 unless Gatekeeper enrollment sets it below.
        long j = 0;
        Slogf.i(TAG, "Creating LSKF-based protector %016x for user %d", Long.valueOf(generateProtectorId), Integer.valueOf(i));
        IWeaver weaverService = getWeaverService();
        if (weaverService != null) {
            int nextAvailableWeaverSlot = getNextAvailableWeaverSlot();
            Slogf.i(TAG, "Enrolling LSKF for user %d into Weaver slot %d", Integer.valueOf(i), Integer.valueOf(nextAvailableWeaverSlot));
            // presumably a null last argument asks weaverEnroll to pick the stored value itself;
            // verify against weaverEnroll.
            byte[] weaverEnroll = weaverEnroll(weaverService, nextAvailableWeaverSlot, stretchedLskfToWeaverKey(stretchLskf), null);
            if (weaverEnroll == null) {
                throw new IllegalStateException("Fail to enroll user password under weaver " + i);
            }
            // Record the slot only after enrollment succeeded, so a failed enrollment leaves no
            // slot bookkeeping behind.
            saveWeaverSlot(nextAvailableWeaverSlot, generateProtectorId, i);
            this.mPasswordSlotManager.markSlotInUse(nextAvailableWeaverSlot);
            synchronizeWeaverFrpPassword(create, 0, i, nextAvailableWeaverSlot);
            transformUnderSecdiscardable = transformUnderWeaverSecret(stretchLskf, weaverEnroll);
        } else {
            if (!lockscreenCredential.isNone()) {
                try {
                    iGateKeeperService.clearSecureUserId(fakeUserId(i));
                } catch (RemoteException e) {
                    // Best effort: enrollment below proceeds anyway.
                    // NOTE(review): the exception itself is not logged here.
                    Slog.w(TAG, "Failed to clear SID from gatekeeper");
                }
                Slogf.i(TAG, "Enrolling LSKF for user %d into Gatekeeper", Integer.valueOf(i));
                try {
                    GateKeeperResponse enroll = iGateKeeperService.enroll(fakeUserId(i), null, null, stretchedLskfToGkPassword(stretchLskf));
                    // Response code 0 is treated as success throughout this class.
                    if (enroll.getResponseCode() != 0) {
                        throw new IllegalStateException("Failed to enroll LSKF for new SP protector for user " + i);
                    }
                    create.passwordHandle = enroll.getPayload();
                    j = sidFromPasswordHandle(create.passwordHandle);
                } catch (RemoteException e2) {
                    throw new IllegalStateException("Failed to enroll LSKF for new SP protector for user " + i, e2);
                }
            }
            transformUnderSecdiscardable = transformUnderSecdiscardable(stretchLskf, createSecdiscardable(generateProtectorId, i));
            synchronizeGatekeeperFrpPassword(create, 0, i);
        }
        // Password data and metrics are only stored for a non-empty credential.
        if (!lockscreenCredential.isNone()) {
            saveState(PASSWORD_DATA_NAME, create.toBytes(), generateProtectorId, i);
            savePasswordMetrics(lockscreenCredential, syntheticPassword, generateProtectorId, i);
        }
        // NOTE(review): the stretched LSKF and the derived protector secret are not wiped in this
        // method; confirm whether they are cleared elsewhere.
        createSyntheticPasswordBlob(generateProtectorId, (byte) 0, syntheticPassword, transformUnderSecdiscardable, j, i);
        syncState(i);
        return generateProtectorId;
    }

    /**
     * Decides which PIN length, if any, is recorded alongside the password data.
     *
     * @param i the credential length
     * @param z whether the credential is a PIN
     * @param i2 the user id whose auto-confirm setting is consulted
     * @return {@code i} when the credential is a PIN of at least 6 digits and the auto-confirm
     *     setting is enabled for the user; {@code -1} otherwise
     */
    private int derivePinLength(int i, boolean z, int i2) {
        final boolean lengthMayBeStored = z && this.mStorage.isAutoPinConfirmSettingEnabled(i2) && i >= 6;
        return lengthMayBeStored ? i : -1;
    }

    /**
     * Verifies a credential against the persistent data stored for a special user.
     *
     * <p>Persistent data of type 1 is checked with Gatekeeper, using the fake user id derived from
     * the stored {@code userId}. Type 2 is checked with Weaver; there the stored {@code userId}
     * field is passed as the Weaver slot. Any other type is rejected.
     *
     * <p>{@code iCheckCredentialProgressCallback} is not used by this method.
     *
     * @return the verification response, or {@link VerifyCredentialResponse#ERROR} on an unknown
     *     type, a Gatekeeper remote failure, or a missing Weaver service
     */
    public VerifyCredentialResponse verifySpecialUserCredential(int i, IGateKeeperService iGateKeeperService, LockscreenCredential lockscreenCredential, ICheckCredentialProgressCallback iCheckCredentialProgressCallback) {
        LockSettingsStorage.PersistentData persistentData = getSpecialUserPersistentData(i);
        if (persistentData.type == 1) {
            // Gatekeeper-backed credential.
            PasswordData passwordData = PasswordData.fromBytes(persistentData.payload);
            try {
                return VerifyCredentialResponse.fromGateKeeperResponse(iGateKeeperService.verifyChallenge(fakeUserId(persistentData.userId), 0L, passwordData.passwordHandle, stretchedLskfToGkPassword(stretchLskf(lockscreenCredential, passwordData))));
            } catch (RemoteException e) {
                Slog.e(TAG, "Persistent data credential verifyChallenge failed", e);
                return VerifyCredentialResponse.ERROR;
            }
        } else if (persistentData.type == 2) {
            // Weaver-backed credential.
            IWeaver weaver = getWeaverService();
            if (weaver == null) {
                Slog.e(TAG, "No weaver service to verify SP-based persistent data credential");
                return VerifyCredentialResponse.ERROR;
            }
            // stripPayload(): presumably drops the Weaver value from the response before it is
            // handed back to the caller; verify against VerifyCredentialResponse.
            return weaverVerify(weaver, persistentData.userId, stretchedLskfToWeaverKey(stretchLskf(lockscreenCredential, PasswordData.fromBytes(persistentData.payload)))).stripPayload();
        } else {
            Slog.e(TAG, "persistentData.type must be TYPE_SP_GATEKEEPER or TYPE_SP_WEAVER, but is " + persistentData.type);
            return VerifyCredentialResponse.ERROR;
        }
    }

    /**
     * Copies the credential of protector {@code j} into the persistent data block, provided a
     * persistent data block manager exists, the user owns the FRP credential, and the protector's
     * credential type is not -1.
     *
     * @param j the protector id
     * @param userInfo the user whose credential is migrated
     * @param i value forwarded unchanged to the FRP synchronization helpers
     */
    public void migrateFrpPasswordLocked(long j, UserInfo userInfo, int i) {
        if (this.mStorage.getPersistentDataBlockManager() == null) {
            return;
        }
        if (!LockPatternUtils.userOwnsFrpCredential(this.mContext, userInfo)) {
            return;
        }
        if (getCredentialType(j, userInfo.id) == -1) {
            return;
        }
        Slog.i(TAG, "Migrating FRP credential to persistent data block");
        PasswordData passwordData = PasswordData.fromBytes(loadState(PASSWORD_DATA_NAME, j, userInfo.id));
        int weaverSlot = loadWeaverSlot(j, userInfo.id);
        // A slot of -1 means the protector is not Weaver-backed.
        if (weaverSlot == -1) {
            synchronizeGatekeeperFrpPassword(passwordData, i, userInfo.id);
        } else {
            synchronizeWeaverFrpPassword(passwordData, i, userInfo.id, weaverSlot);
        }
    }

    /**
     * Tells whether the given password data stands for "no credential": either there is no
     * password data at all, or its credential type is -1.
     */
    private static boolean isNoneCredential(PasswordData passwordData) {
        if (passwordData == null) {
            return true;
        }
        return passwordData.credentialType == -1;
    }

    /**
     * Decides whether the FRP credential in the persistent data block should be rewritten.
     *
     * <p>Requires a persistent data block manager and a user that owns the FRP credential. A
     * "none" credential is additionally held back until the device is provisioned, so the stored
     * FRP credential is not cleared before then.
     *
     * @param passwordData the credential about to be synchronized; may be null
     * @param i the user id
     */
    private boolean shouldSynchronizeFrpCredential(@Nullable PasswordData passwordData, int i) {
        if (this.mStorage.getPersistentDataBlockManager() == null || !LockPatternUtils.userOwnsFrpCredential(this.mContext, this.mUserManager.getUserInfo(i))) {
            return false;
        }
        if (isNoneCredential(passwordData) && !isDeviceProvisioned()) {
            Slog.d(TAG, "Not clearing FRP credential yet because device is not yet provisioned");
            return false;
        }
        return true;
    }

    /**
     * Mirrors a Gatekeeper-based credential into the persistent data block when
     * {@link #shouldSynchronizeFrpCredential} allows it.
     *
     * <p>A "none" credential is written as type 0 with no payload; otherwise the serialized
     * password data is written as type 1 (the Gatekeeper type checked by
     * {@link #verifySpecialUserCredential}).
     *
     * @param passwordData the credential data; may be null
     * @param i value written as the third argument of the persistent data block entry
     * @param i2 the user id
     */
    private void synchronizeGatekeeperFrpPassword(@Nullable PasswordData passwordData, int i, int i2) {
        if (!shouldSynchronizeFrpCredential(passwordData, i2)) {
            return;
        }
        Slogf.d(TAG, "Syncing Gatekeeper-based FRP credential tied to user %d", Integer.valueOf(i2));
        if (!isNoneCredential(passwordData)) {
            this.mStorage.writePersistentDataBlock(1, i2, i, passwordData.toBytes());
            return;
        }
        this.mStorage.writePersistentDataBlock(0, i2, 0, null);
    }

    /**
     * Mirrors a Weaver-based credential into the persistent data block when
     * {@link #shouldSynchronizeFrpCredential} allows it.
     *
     * <p>A "none" credential is written as type 0 with all-zero fields and no payload; otherwise
     * the serialized password data is written as type 2, with the Weaver slot stored in the
     * position that holds the user id for Gatekeeper-based entries.
     *
     * @param passwordData the credential data; may be null
     * @param i value written as the third argument of the persistent data block entry
     * @param i2 the user id
     * @param i3 the Weaver slot holding the credential
     */
    private void synchronizeWeaverFrpPassword(@Nullable PasswordData passwordData, int i, int i2, int i3) {
        if (!shouldSynchronizeFrpCredential(passwordData, i2)) {
            return;
        }
        Slogf.d(TAG, "Syncing Weaver-based FRP credential tied to user %d", Integer.valueOf(i2));
        if (!isNoneCredential(passwordData)) {
            this.mStorage.writePersistentDataBlock(2, i3, i, passwordData.toBytes());
            return;
        }
        this.mStorage.writePersistentDataBlock(0, 0, 0, null);
    }

    /**
     * Writes the credential of protector {@code j} to the repair-mode persistent data.
     *
     * <p>Nothing is written when {@link #shouldWriteRepairModeCredential} refuses, when the
     * protector has no password data, or when that data is a "none" credential.
     *
     * @param j the protector id
     * @param i the user id
     * @return true if the credential was written, false otherwise
     */
    public boolean writeRepairModeCredentialLocked(long j, int i) {
        if (!shouldWriteRepairModeCredential(i)) {
            return false;
        }
        byte[] rawPasswordData = loadState(PASSWORD_DATA_NAME, j, i);
        if (rawPasswordData == null) {
            Slogf.w(TAG, "Password data not found for user %d", Integer.valueOf(i));
            return false;
        }
        PasswordData passwordData = PasswordData.fromBytes(rawPasswordData);
        if (isNoneCredential(passwordData)) {
            Slogf.w(TAG, "User %d has NONE credential", Integer.valueOf(i));
            return false;
        }
        Slogf.d(TAG, "Writing repair mode credential tied to user %d", Integer.valueOf(i));
        int weaverSlot = loadWeaverSlot(j, i);
        if (weaverSlot == -1) {
            // Not Weaver-backed: type 1, keyed by user id.
            this.mStorage.writeRepairModePersistentData(1, i, passwordData.toBytes());
        } else {
            // Weaver-backed: type 2, keyed by Weaver slot.
            this.mStorage.writeRepairModePersistentData(2, weaverSlot, passwordData.toBytes());
        }
        return true;
    }

    /**
     * Checks the preconditions for writing a repair mode credential for user {@code i}: the user
     * must be able to enter repair mode, repair mode must not already be active, and no GSI may
     * be running. Each refusal is logged.
     */
    private boolean shouldWriteRepairModeCredential(int i) {
        if (!LockPatternUtils.canUserEnterRepairMode(this.mContext, this.mUserManager.getUserInfo(i))) {
            Slogf.w(TAG, "User %d can't enter repair mode", Integer.valueOf(i));
            return false;
        }
        if (LockPatternUtils.isRepairModeActive(this.mContext)) {
            Slog.w(TAG, "Can't write repair mode credential while repair mode is already active");
            return false;
        }
        if (LockPatternUtils.isGsiRunning()) {
            Slog.w(TAG, "Can't write repair mode credential while GSI is running");
            return false;
        }
        return true;
    }

    /**
     * Registers an escrow token as pending for a user and returns the protector id reserved for
     * it. Nothing is written to storage here; the data is kept in {@code tokenMap} until
     * {@link #createTokenBasedProtector} activates it.
     *
     * <p>A 16384-byte random secdiscardable is generated. When Weaver is available, a random
     * Weaver secret of {@code mWeaverConfig.valueSize} bytes is generated as well and the
     * secdiscardable is kept encrypted under it; otherwise the secdiscardable is kept as is.
     *
     * @param bArr the escrow token
     * @param i the token type, stored in {@code TokenData.mType}
     * @param i2 the user id
     * @param escrowTokenStateChangeCallback optional callback invoked on activation
     * @return the protector id assigned to the pending token
     */
    public long addPendingToken(byte[] bArr, int i, int i2, @Nullable LockPatternUtils.EscrowTokenStateChangeCallback escrowTokenStateChangeCallback) {
        long protectorId = generateProtectorId();
        if (!this.tokenMap.containsKey(Integer.valueOf(i2))) {
            this.tokenMap.put(Integer.valueOf(i2), new ArrayMap<>());
        }
        TokenData pending = new TokenData();
        pending.mType = i;
        byte[] secdiscardable = SecureRandomUtils.randomBytes(16384);
        if (getWeaverService() == null) {
            pending.secdiscardableOnDisk = secdiscardable;
            pending.weaverSecret = null;
        } else {
            pending.weaverSecret = SecureRandomUtils.randomBytes(this.mWeaverConfig.valueSize);
            pending.secdiscardableOnDisk = SyntheticPasswordCrypto.encrypt(pending.weaverSecret, PERSONALIZATION_WEAVER_TOKEN, secdiscardable);
        }
        // The aggregated secret is always derived from the plaintext secdiscardable.
        pending.aggregatedSecret = transformUnderSecdiscardable(bArr, secdiscardable);
        pending.mCallback = escrowTokenStateChangeCallback;
        this.tokenMap.get(Integer.valueOf(i2)).put(Long.valueOf(protectorId), pending);
        return protectorId;
    }

    /**
     * Returns the protector ids of the tokens still pending for user {@code i}: an empty set when
     * the user has no entry in {@code tokenMap}, otherwise a copy of the entry's key set.
     */
    public Set<Long> getPendingTokensForUser(int i) {
        if (!this.tokenMap.containsKey(Integer.valueOf(i))) {
            return Collections.emptySet();
        }
        return new ArraySet(this.tokenMap.get(Integer.valueOf(i)).keySet());
    }

    /**
     * Drops the pending token with protector id {@code j} for user {@code i}.
     *
     * @return true if such a pending token existed and was removed
     */
    public boolean removePendingToken(long j, int i) {
        if (!this.tokenMap.containsKey(Integer.valueOf(i))) {
            return false;
        }
        return this.tokenMap.get(Integer.valueOf(i)).remove(Long.valueOf(j)) != null;
    }

    /**
     * Activates a pending escrow token: turns it into a token-based protector that wraps the
     * escrow secret of {@code syntheticPassword}, persists it, removes it from the pending map and
     * notifies the token's callback, if any.
     *
     * <p>When Weaver is available, the token's Weaver secret is enrolled into a free slot first;
     * if that enrollment fails, nothing is persisted and the token stays pending.
     *
     * @param j the protector id returned by {@link #addPendingToken}
     * @param syntheticPassword the user's synthetic password
     * @param i the user id
     * @return false if no such pending token exists, the user is not escrowable, or Weaver
     *     enrollment fails; true once the protector has been created
     */
    public boolean createTokenBasedProtector(long j, SyntheticPassword syntheticPassword, int i) {
        if (!this.tokenMap.containsKey(Integer.valueOf(i))) {
            return false;
        }
        TokenData pending = this.tokenMap.get(Integer.valueOf(i)).get(Long.valueOf(j));
        if (pending == null) {
            return false;
        }
        if (!loadEscrowData(syntheticPassword, i)) {
            Slog.w(TAG, "User is not escrowable");
            return false;
        }
        Slogf.i(TAG, "Creating token-based protector %016x for user %d", Long.valueOf(j), Integer.valueOf(i));
        IWeaver weaver = getWeaverService();
        if (weaver != null) {
            int slot = getNextAvailableWeaverSlot();
            Slogf.i(TAG, "Using Weaver slot %d for new token-based protector", Integer.valueOf(slot));
            byte[] enrolled = weaverEnroll(weaver, slot, null, pending.weaverSecret);
            if (enrolled == null) {
                Slog.e(TAG, "Failed to enroll weaver secret when activating token");
                return false;
            }
            saveWeaverSlot(slot, j, i);
            this.mPasswordSlotManager.markSlotInUse(slot);
        }
        saveSecdiscardable(j, pending.secdiscardableOnDisk, i);
        createSyntheticPasswordBlob(j, getTokenBasedProtectorType(pending.mType), syntheticPassword, pending.aggregatedSecret, 0L, i);
        syncState(i);
        this.tokenMap.get(Integer.valueOf(i)).remove(Long.valueOf(j));
        if (pending.mCallback != null) {
            pending.mCallback.onEscrowTokenActivated(j, i);
        }
        return true;
    }

    /**
     * Wraps the synthetic password under the protector secret and stores the result as the
     * protector's SP blob.
     *
     * <p>The blob version is 3 when the synthetic password's version is 3, and 2 otherwise. For
     * protector types 1 and 2 (the token-based types) the escrow secret is wrapped; for any other
     * type the synthetic password itself is wrapped.
     *
     * @param j the protector id
     * @param b the protector type
     * @param syntheticPassword the synthetic password to wrap
     * @param bArr the protector secret the blob is created under
     * @param j2 the secure user id passed on to {@link #createSpBlob}
     * @param i the user id
     */
    private void createSyntheticPasswordBlob(long j, byte b, SyntheticPassword syntheticPassword, byte[] bArr, long j2, int i) {
        final byte blobVersion = syntheticPassword.mVersion == 3 ? (byte) 3 : (byte) 2;
        final boolean tokenBased = b == 1 || b == 2;
        saveState(SP_BLOB_NAME, SyntheticPasswordBlob.create(blobVersion, b, createSpBlob(getProtectorKeyAlias(j), tokenBased ? syntheticPassword.getEscrowSecret() : syntheticPassword.getSyntheticPassword(), bArr, j2)).toByte(), j, i);
    }

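    /**
     * Verifies a credential against an LSKF-based protector and, on success, unwraps the
     * synthetic password.
     *
     * <p>If the protector has a Weaver slot, the stretched LSKF is verified with Weaver and the
     * value Weaver returns is mixed into the protector secret. Otherwise the stretched LSKF is
     * verified with Gatekeeper (when a password handle exists), re-enrolled if Gatekeeper asks for
     * it, and the secdiscardable is mixed into the protector secret.
     *
     * <p>Every failure is reported through {@code gkResponse} with a null
     * {@code syntheticPassword}. That includes the case where the SP blob cannot be unwrapped
     * after the credential was accepted: the method fails closed with
     * {@link VerifyCredentialResponse#ERROR} rather than dereferencing a null synthetic password.
     *
     * @param iGateKeeperService Gatekeeper binder
     * @param j the protector id; 0 means no synthetic password exists for the user
     * @param lockscreenCredential the credential to verify
     * @param i the user id
     * @param iCheckCredentialProgressCallback optional callback notified once the credential has
     *     been verified and before the blob is unwrapped
     * @return the authentication result
     */
    public AuthenticationResult unlockLskfBasedProtector(IGateKeeperService iGateKeeperService, long j, @NonNull LockscreenCredential lockscreenCredential, int i, ICheckCredentialProgressCallback iCheckCredentialProgressCallback) {
        byte[] transformUnderSecdiscardable;
        GateKeeperResponse gateKeeperResponse;
        AuthenticationResult authenticationResult = new AuthenticationResult();
        if (j == 0) {
            Slogf.wtf(TAG, "Synthetic password not found for user %d", Integer.valueOf(i));
            authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
            return authenticationResult;
        }
        byte[] loadState = loadState(PASSWORD_DATA_NAME, j, i);
        PasswordData passwordData = null;
        // -1 is the stored type used when the protector has no password data.
        int i2 = -1;
        if (loadState != null) {
            passwordData = PasswordData.fromBytes(loadState);
            i2 = passwordData.credentialType;
        }
        // Reject a credential of the wrong kind before any hardware-backed verification is tried.
        if (!lockscreenCredential.checkAgainstStoredType(i2)) {
            Slogf.e(TAG, "Credential type mismatch: stored type is %s but provided type is %s", LockPatternUtils.credentialTypeToString(i2), LockPatternUtils.credentialTypeToString(lockscreenCredential.getType()));
            authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
            return authenticationResult;
        }
        byte[] stretchLskf = stretchLskf(lockscreenCredential, passwordData);
        long j2 = 0;
        int loadWeaverSlot = loadWeaverSlot(j, i);
        if (loadWeaverSlot != -1) {
            IWeaver weaverService = getWeaverService();
            if (weaverService == null) {
                Slog.e(TAG, "Protector uses Weaver, but Weaver is unavailable");
                authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
                return authenticationResult;
            }
            authenticationResult.gkResponse = weaverVerify(weaverService, loadWeaverSlot, stretchedLskfToWeaverKey(stretchLskf));
            if (authenticationResult.gkResponse.getResponseCode() != 0) {
                return authenticationResult;
            }
            // On success the Weaver response carries the slot's value in its gatekeeperHAT field.
            transformUnderSecdiscardable = transformUnderWeaverSecret(stretchLskf, authenticationResult.gkResponse.getGatekeeperHAT());
        } else {
            if (passwordData != null && passwordData.passwordHandle != null) {
                byte[] stretchedLskfToGkPassword = stretchedLskfToGkPassword(stretchLskf);
                try {
                    GateKeeperResponse verifyChallenge = iGateKeeperService.verifyChallenge(fakeUserId(i), 0L, passwordData.passwordHandle, stretchedLskfToGkPassword);
                    int responseCode = verifyChallenge.getResponseCode();
                    if (responseCode != 0) {
                        // Response code 1 carries a retry timeout; anything else is a hard error.
                        if (responseCode == 1) {
                            authenticationResult.gkResponse = VerifyCredentialResponse.fromTimeout(verifyChallenge.getTimeout());
                            return authenticationResult;
                        }
                        authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
                        return authenticationResult;
                    }
                    authenticationResult.gkResponse = VerifyCredentialResponse.OK;
                    if (verifyChallenge.getShouldReEnroll()) {
                        try {
                            gateKeeperResponse = iGateKeeperService.enroll(fakeUserId(i), passwordData.passwordHandle, stretchedLskfToGkPassword, stretchedLskfToGkPassword);
                        } catch (RemoteException e) {
                            Slog.w(TAG, "Fail to invoke gatekeeper.enroll", e);
                            gateKeeperResponse = GateKeeperResponse.ERROR;
                        }
                        if (gateKeeperResponse.getResponseCode() == 0) {
                            passwordData.passwordHandle = gateKeeperResponse.getPayload();
                            passwordData.credentialType = lockscreenCredential.getType();
                            saveState(PASSWORD_DATA_NAME, passwordData.toBytes(), j, i);
                            syncState(i);
                            synchronizeGatekeeperFrpPassword(passwordData, 0, i);
                        } else {
                            // A failed re-enroll is not fatal: the old handle just verified.
                            Slog.w(TAG, "Fail to re-enroll user password for user " + i);
                        }
                    }
                    j2 = sidFromPasswordHandle(passwordData.passwordHandle);
                } catch (RemoteException e2) {
                    Slog.e(TAG, "gatekeeper verify failed", e2);
                    authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
                    return authenticationResult;
                }
            } else if (!lockscreenCredential.isNone()) {
                Slog.e(TAG, "Missing Gatekeeper password handle for nonempty LSKF");
                authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
                return authenticationResult;
            }
            byte[] loadSecdiscardable = loadSecdiscardable(j, i);
            if (loadSecdiscardable == null) {
                Slog.e(TAG, "secdiscardable file not found");
                authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
                return authenticationResult;
            }
            transformUnderSecdiscardable = transformUnderSecdiscardable(stretchLskf, loadSecdiscardable);
        }
        if (iCheckCredentialProgressCallback != null) {
            try {
                iCheckCredentialProgressCallback.onCredentialVerified();
            } catch (RemoteException e3) {
                Slog.w(TAG, "progressCallback throws exception", e3);
            }
        }
        authenticationResult.syntheticPassword = unwrapSyntheticPasswordBlob(j, (byte) 0, transformUnderSecdiscardable, j2, i);
        if (authenticationResult.syntheticPassword == null) {
            // unwrapSyntheticPasswordBlob() returns null when the blob is missing or cannot be
            // decrypted. Fail closed here: verifyChallenge() dereferences the synthetic password,
            // and on the Weaver path gkResponse would otherwise still hold the Weaver response.
            Slogf.e(TAG, "Failed to unwrap synthetic password for user %d", Integer.valueOf(i));
            authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
            return authenticationResult;
        }
        // NOTE(review): verifyChallenge() is @Nullable, so gkResponse can be null from here on;
        // the token-based path maps null to OK, this path leaves it to the caller.
        authenticationResult.gkResponse = verifyChallenge(iGateKeeperService, authenticationResult.syntheticPassword, 0L, i);
        if (!lockscreenCredential.isNone() && !hasPasswordMetrics(j, i)) {
            savePasswordMetrics(lockscreenCredential, authenticationResult.syntheticPassword, j, i);
            syncState(i);
        }
        return authenticationResult;
    }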

    /**
     * Brings the PIN length stored in the protector's password data in line with the current
     * credential and auto-confirm setting, rewriting the password data only when the value
     * changes.
     *
     * @param passwordMetrics metrics of the current credential; its length and credential type
     *     are read (type 3 is treated as "is a PIN")
     * @param j the protector id
     * @param i the user id
     * @return false if the auto PIN confirmation feature is unavailable or no password data is
     *     stored; true otherwise
     */
    public boolean refreshPinLengthOnDisk(PasswordMetrics passwordMetrics, long j, int i) {
        if (!isAutoPinConfirmationFeatureAvailable()) {
            return false;
        }
        byte[] rawPasswordData = loadState(PASSWORD_DATA_NAME, j, i);
        if (rawPasswordData == null) {
            return false;
        }
        PasswordData passwordData = PasswordData.fromBytes(rawPasswordData);
        int wantedPinLength = derivePinLength(passwordMetrics.length, passwordMetrics.credType == 3, i);
        if (passwordData.pinLength != wantedPinLength) {
            passwordData.pinLength = wantedPinLength;
            saveState(PASSWORD_DATA_NAME, passwordData.toBytes(), j, i);
            syncState(i);
        }
        return true;
    }

    /**
     * Unlocks a token-based protector, taking the protector type from the stored SP blob rather
     * than from the caller.
     *
     * @param iGateKeeperService Gatekeeper binder
     * @param j the protector id
     * @param bArr the escrow token
     * @param i the user id
     * @return the authentication result; an ERROR response when no SP blob is stored
     */
    @NonNull
    public AuthenticationResult unlockTokenBasedProtector(IGateKeeperService iGateKeeperService, long j, byte[] bArr, int i) {
        byte[] rawBlob = loadState(SP_BLOB_NAME, j, i);
        if (rawBlob == null) {
            AuthenticationResult failure = new AuthenticationResult();
            failure.gkResponse = VerifyCredentialResponse.ERROR;
            Slogf.w(TAG, "spblob not found for protector %016x, user %d", Long.valueOf(j), Integer.valueOf(i));
            return failure;
        }
        return unlockTokenBasedProtectorInternal(iGateKeeperService, j, SyntheticPasswordBlob.fromBytes(rawBlob).mProtectorType, bArr, i);
    }

    /**
     * Unlocks protector {@code j} for user {@code i} with escrow token {@code bArr}, requiring
     * the stored blob to be of protector type 1 (the strong token-based type).
     */
    @NonNull
    public AuthenticationResult unlockStrongTokenBasedProtector(IGateKeeperService iGateKeeperService, long j, byte[] bArr, int i) {
        final byte strongTokenType = (byte) 1;
        return unlockTokenBasedProtectorInternal(iGateKeeperService, j, strongTokenType, bArr, i);
    }

    /**
     * Unlocks protector {@code j} for user {@code i} with escrow token {@code bArr}, requiring
     * the stored blob to be of protector type 2 (the weak token-based type).
     */
    @NonNull
    public AuthenticationResult unlockWeakTokenBasedProtector(IGateKeeperService iGateKeeperService, long j, byte[] bArr, int i) {
        final byte weakTokenType = (byte) 2;
        return unlockTokenBasedProtectorInternal(iGateKeeperService, j, weakTokenType, bArr, i);
    }

    /**
     * Unlocks a token-based protector of the expected type with the given escrow token.
     *
     * <p>The stored secdiscardable is loaded first. If the protector has a Weaver slot, the
     * slot's value is read back from Weaver and used to decrypt the secdiscardable. The protector
     * secret derived from the token and the secdiscardable then unwraps the SP blob.
     *
     * @param iGateKeeperService Gatekeeper binder
     * @param j the protector id
     * @param b the protector type the stored blob must have
     * @param bArr the escrow token
     * @param i the user id
     * @return the authentication result; {@code gkResponse} is ERROR on any failure, and OK when
     *     the blob was unwrapped but {@link #verifyChallenge} had nothing to verify against
     */
    @NonNull
    private AuthenticationResult unlockTokenBasedProtectorInternal(IGateKeeperService iGateKeeperService, long j, byte b, byte[] bArr, int i) {
        AuthenticationResult result = new AuthenticationResult();
        byte[] secdiscardable = loadSecdiscardable(j, i);
        if (secdiscardable == null) {
            Slog.e(TAG, "secdiscardable file not found");
            result.gkResponse = VerifyCredentialResponse.ERROR;
            return result;
        }
        int weaverSlot = loadWeaverSlot(j, i);
        if (weaverSlot != -1) {
            IWeaver weaver = getWeaverService();
            if (weaver == null) {
                Slog.e(TAG, "Protector uses Weaver, but Weaver is unavailable");
                result.gkResponse = VerifyCredentialResponse.ERROR;
                return result;
            }
            VerifyCredentialResponse weaverResponse = weaverVerify(weaver, weaverSlot, null);
            boolean secretRetrieved = weaverResponse.getResponseCode() == 0 && weaverResponse.getGatekeeperHAT() != null;
            if (!secretRetrieved) {
                Slog.e(TAG, "Failed to retrieve Weaver secret when unlocking token-based protector");
                result.gkResponse = VerifyCredentialResponse.ERROR;
                return result;
            }
            // NOTE(review): the decrypt() result is not null-checked before it is hashed below;
            // confirm how transformUnderSecdiscardable() behaves on a failed decryption.
            secdiscardable = SyntheticPasswordCrypto.decrypt(weaverResponse.getGatekeeperHAT(), PERSONALIZATION_WEAVER_TOKEN, secdiscardable);
        }
        result.syntheticPassword = unwrapSyntheticPasswordBlob(j, b, transformUnderSecdiscardable(bArr, secdiscardable), 0L, i);
        if (result.syntheticPassword == null) {
            result.gkResponse = VerifyCredentialResponse.ERROR;
            return result;
        }
        result.gkResponse = verifyChallenge(iGateKeeperService, result.syntheticPassword, 0L, i);
        if (result.gkResponse == null) {
            // No synthetic password handle to verify against: the unwrap itself is the proof.
            result.gkResponse = VerifyCredentialResponse.OK;
        }
        return result;
    }

    /**
     * Loads the SP blob of a protector, decrypts it with the protector secret and rebuilds the
     * synthetic password from it.
     *
     * <p>A version 1 blob is re-created in the current format as a side effect of a successful
     * unwrap.
     *
     * @param j the protector id
     * @param b the protector type the stored blob is required to have
     * @param bArr the protector secret
     * @param j2 the secure user id, used only when a version 1 blob is upgraded
     * @param i the user id
     * @return the synthetic password, or null if the blob is missing, cannot be decrypted, or is
     *     token-based while the user has no escrow data
     * @throws IllegalArgumentException if the blob version is not 1, 2 or 3, or the stored
     *     protector type differs from {@code b}
     */
    private SyntheticPassword unwrapSyntheticPasswordBlob(long j, byte b, byte[] bArr, long j2, int i) {
        byte[] loadState = loadState(SP_BLOB_NAME, j, i);
        if (loadState == null) {
            return null;
        }
        SyntheticPasswordBlob fromBytes = SyntheticPasswordBlob.fromBytes(loadState);
        if (fromBytes.mVersion != 3 && fromBytes.mVersion != 2 && fromBytes.mVersion != 1) {
            throw new IllegalArgumentException("Unknown blob version: " + ((int) fromBytes.mVersion));
        }
        // The type stored in the blob must match what the caller expects, so a blob of one
        // protector type is never unwrapped through the code path of another.
        if (fromBytes.mProtectorType != b) {
            throw new IllegalArgumentException("Invalid protector type: " + ((int) fromBytes.mProtectorType));
        }
        // Version 1 blobs use their own decryption routine; versions 2 and 3 share decryptSpBlob().
        byte[] decryptBlobV1 = fromBytes.mVersion == 1 ? SyntheticPasswordCrypto.decryptBlobV1(getProtectorKeyAlias(j), fromBytes.mContent, bArr) : decryptSpBlob(getProtectorKeyAlias(j), fromBytes.mContent, bArr);
        if (decryptBlobV1 == null) {
            Slog.e(TAG, "Fail to decrypt SP for user " + i);
            return null;
        }
        SyntheticPassword syntheticPassword = new SyntheticPassword(fromBytes.mVersion);
        // Types 1 and 2 are the token-based types: their blob holds the escrow secret, which
        // needs the user's escrow data to turn back into the synthetic password.
        if (fromBytes.mProtectorType != 1 && fromBytes.mProtectorType != 2) {
            syntheticPassword.recreateDirectly(decryptBlobV1);
        } else {
            if (!loadEscrowData(syntheticPassword, i)) {
                Slog.e(TAG, "User is not escrowable: " + i);
                return null;
            }
            syntheticPassword.recreateFromEscrow(decryptBlobV1);
        }
        if (fromBytes.mVersion == 1) {
            // Opportunistic upgrade: rewrite the blob under the same protector secret.
            Slog.i(TAG, "Upgrading v1 SP blob for user " + i + ", protectorType = " + ((int) fromBytes.mProtectorType));
            createSyntheticPasswordBlob(j, fromBytes.mProtectorType, syntheticPassword, bArr, j2, i);
            syncState(i);
        }
        return syntheticPassword;
    }

    /**
     * Verifies the Gatekeeper password derived from the synthetic password against the user's
     * stored synthetic password handle.
     *
     * @param iGateKeeperService Gatekeeper binder
     * @param syntheticPassword the synthetic password; must not be null
     * @param j the challenge
     * @param i the user id
     * @return the verification response, or null if the user has no synthetic password handle
     */
    @Nullable
    public VerifyCredentialResponse verifyChallenge(IGateKeeperService iGateKeeperService, @NonNull SyntheticPassword syntheticPassword, long j, int i) {
        byte[] gkPassword = syntheticPassword.deriveGkPassword();
        return verifyChallengeInternal(iGateKeeperService, gkPassword, j, i);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Verifies a Gatekeeper password against the synthetic password handle stored for a user.
     * Unlike the LSKF enrollment paths, this talks to Gatekeeper under the real user id
     * {@code i}, not {@code fakeUserId(i)}.
     *
     * <p>If Gatekeeper accepts the password but asks for re-enrollment, the handle is re-enrolled,
     * saved, and the verification is repeated against the new handle.
     *
     * @param iGateKeeperService Gatekeeper binder
     * @param bArr the Gatekeeper password derived from the synthetic password
     * @param j the challenge
     * @param i the user id
     * @return null if no synthetic password handle is stored; a response carrying the payload
     *     returned by Gatekeeper on success; a timeout response on response code 1;
     *     {@link VerifyCredentialResponse#ERROR} otherwise
     */
    @Nullable
    public VerifyCredentialResponse verifyChallengeInternal(IGateKeeperService iGateKeeperService, @NonNull byte[] bArr, long j, int i) {
        GateKeeperResponse gateKeeperResponse;
        byte[] loadSyntheticPasswordHandle = loadSyntheticPasswordHandle(i);
        if (loadSyntheticPasswordHandle == null) {
            // Nothing enrolled for this user: callers must treat null as "no verification done".
            return null;
        }
        try {
            GateKeeperResponse verifyChallenge = iGateKeeperService.verifyChallenge(i, j, loadSyntheticPasswordHandle, bArr);
            int responseCode = verifyChallenge.getResponseCode();
            if (responseCode != 0) {
                if (responseCode == 1) {
                    Slog.e(TAG, "Gatekeeper verification of synthetic password failed with RESPONSE_RETRY");
                    return VerifyCredentialResponse.fromTimeout(verifyChallenge.getTimeout());
                }
                Slog.e(TAG, "Gatekeeper verification of synthetic password failed with RESPONSE_ERROR");
                return VerifyCredentialResponse.ERROR;
            }
            // Built before the re-enroll attempt so it can still be returned if re-enroll fails.
            VerifyCredentialResponse build = new VerifyCredentialResponse.Builder().setGatekeeperHAT(verifyChallenge.getPayload()).build();
            if (verifyChallenge.getShouldReEnroll()) {
                try {
                    gateKeeperResponse = iGateKeeperService.enroll(i, loadSyntheticPasswordHandle, loadSyntheticPasswordHandle, bArr);
                } catch (RemoteException e) {
                    Slog.e(TAG, "Failed to invoke gatekeeper.enroll", e);
                    gateKeeperResponse = GateKeeperResponse.ERROR;
                }
                if (gateKeeperResponse.getResponseCode() == 0) {
                    saveSyntheticPasswordHandle(gateKeeperResponse.getPayload(), i);
                    // Verify again so the returned response is bound to the new handle.
                    // NOTE(review): the recursion has no depth limit; it relies on Gatekeeper not
                    // requesting re-enrollment again for a freshly enrolled handle.
                    return verifyChallengeInternal(iGateKeeperService, bArr, j, i);
                }
                Slog.w(TAG, "Fail to re-enroll SP handle for user " + i);
            }
            return build;
        } catch (RemoteException e2) {
            Slog.e(TAG, "Fail to verify with gatekeeper " + i, e2);
            return VerifyCredentialResponse.ERROR;
        }
    }

    /**
     * Tells whether protector {@code j} of user {@code i} has a non-empty SP blob stored.
     */
    public boolean protectorExists(long j, int i) {
        final boolean hasSpBlob = hasState(SP_BLOB_NAME, j, i);
        return hasSpBlob;
    }

    /**
     * Destroys a token-based protector and, if it was of protector type 2 (weak token), notifies
     * the weak escrow token removal listeners.
     *
     * <p>The blob is parsed before the protector state is destroyed because its type is needed
     * afterwards.
     * NOTE(review): the parsed blob is dereferenced without a null check; confirm what
     * {@code SyntheticPasswordBlob.fromBytes} returns when no blob is stored.
     *
     * @param j the protector id
     * @param i the user id
     */
    public void destroyTokenBasedProtector(long j, int i) {
        Slogf.i(TAG, "Destroying token-based protector %016x for user %d", Long.valueOf(j), Integer.valueOf(i));
        byte[] rawBlob = loadState(SP_BLOB_NAME, j, i);
        SyntheticPasswordBlob blob = SyntheticPasswordBlob.fromBytes(rawBlob);
        destroyProtectorCommon(j, i);
        final boolean wasWeakToken = blob.mProtectorType == 2;
        if (wasWeakToken) {
            notifyWeakEscrowTokenRemovedListeners(j, i);
        }
    }

    /**
     * Destroys every protector of user {@code i} whose stored SP blob is of protector type 2
     * (weak token).
     */
    public void destroyAllWeakTokenBasedProtectors(int i) {
        for (Iterator<Long> ids = this.mStorage.listSyntheticPasswordProtectorsForUser(SP_BLOB_NAME, i).iterator(); ids.hasNext(); ) {
            long protectorId = ids.next().longValue();
            SyntheticPasswordBlob blob = SyntheticPasswordBlob.fromBytes(loadState(SP_BLOB_NAME, protectorId, i));
            if (blob.mProtectorType != 2) {
                continue;
            }
            destroyTokenBasedProtector(protectorId, i);
        }
    }

    /**
     * Destroys an LSKF-based protector: the state shared by all protector kinds first, then the
     * password data and the password metrics that only LSKF-based protectors store.
     *
     * @param j the protector id
     * @param i the user id
     */
    public void destroyLskfBasedProtector(long j, int i) {
        Slogf.i(TAG, "Destroying LSKF-based protector %016x for user %d", Long.valueOf(j), Integer.valueOf(i));
        destroyProtectorCommon(j, i);
        // LSKF-specific state.
        destroyState(PASSWORD_DATA_NAME, j, i);
        destroyState(PASSWORD_METRICS_NAME, j, i);
    }

    /**
     * Destroys the state every protector kind has: the SP blob, the protector key, the
     * secdiscardable and, when one is recorded, the Weaver slot.
     *
     * @param j the protector id
     * @param i the user id
     */
    private void destroyProtectorCommon(long j, int i) {
        destroyState(SP_BLOB_NAME, j, i);
        destroyProtectorKey(getProtectorKeyAlias(j));
        destroyState(SECDISCARDABLE_NAME, j, i);
        if (!hasState(WEAVER_SLOT_NAME, j, i)) {
            return;
        }
        destroyWeaverSlot(j, i);
    }

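    /**
     * Derives a protector secret for a Weaver-backed protector: the given data followed by the
     * personalized hash of the Weaver secret.
     *
     * <p>The decompiler emitted the array arguments as {@code new byte[]{...}} holding
     * {@code byte[]} elements, which is not valid Java; they are arrays of byte arrays and are
     * written as {@code byte[][]} here.
     *
     * @param bArr the data to bind (callers in this class pass the stretched LSKF)
     * @param bArr2 the Weaver secret
     * @return {@code bArr} concatenated with the hash of {@code bArr2}
     */
    private byte[] transformUnderWeaverSecret(byte[] bArr, byte[] bArr2) {
        byte[] hashedWeaverSecret = SyntheticPasswordCrypto.personalizedHash(PERSONALIZATION_WEAVER_PASSWORD, new byte[][] {bArr2});
        return ArrayUtils.concat(new byte[][] {bArr, hashedWeaverSecret});
    }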

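    /**
     * Derives a protector secret for a secdiscardable-backed protector: the given data followed
     * by the personalized hash of the secdiscardable.
     *
     * <p>The decompiler emitted the array arguments as {@code new byte[]{...}} holding
     * {@code byte[]} elements, which is not valid Java; they are arrays of byte arrays and are
     * written as {@code byte[][]} here.
     *
     * @param bArr the data to bind (callers in this class pass the stretched LSKF or an escrow
     *     token)
     * @param bArr2 the secdiscardable
     * @return {@code bArr} concatenated with the hash of {@code bArr2}
     */
    private byte[] transformUnderSecdiscardable(byte[] bArr, byte[] bArr2) {
        byte[] hashedSecdiscardable = SyntheticPasswordCrypto.personalizedHash(PERSONALIZATION_SECDISCARDABLE, new byte[][] {bArr2});
        return ArrayUtils.concat(new byte[][] {bArr, hashedSecdiscardable});
    }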

    /**
     * Generates a fresh 16384-byte random secdiscardable, stores it for protector {@code j} of
     * user {@code i}, and returns it.
     */
    private byte[] createSecdiscardable(long j, int i) {
        final byte[] secdiscardable = SecureRandomUtils.randomBytes(16384);
        saveSecdiscardable(j, secdiscardable, i);
        return secdiscardable;
    }

    /**
     * Stores {@code bArr} as the secdiscardable state of protector {@code j} for user {@code i}.
     */
    private void saveSecdiscardable(long j, byte[] bArr, int i) {
        final String stateName = SECDISCARDABLE_NAME;
        saveState(stateName, bArr, j, i);
    }

    /**
     * Loads the secdiscardable state of protector {@code j} for user {@code i}. Callers in this
     * class treat a null result as "secdiscardable file not found".
     */
    private byte[] loadSecdiscardable(long j, int i) {
        final byte[] secdiscardable = loadState(SECDISCARDABLE_NAME, j, i);
        return secdiscardable;
    }

    /**
     * Maps an escrow token type to a protector type: token type 1 maps to protector type 2 (weak
     * token), and every other value, including 0, maps to protector type 1 (strong token).
     */
    private byte getTokenBasedProtectorType(int i) {
        return i == 1 ? (byte) 2 : (byte) 1;
    }

    /**
     * Tells whether protector {@code j} of user {@code i} has non-empty password data stored.
     */
    @VisibleForTesting
    boolean hasPasswordData(long j, int i) {
        final boolean present = hasState(PASSWORD_DATA_NAME, j, i);
        return present;
    }

    /**
     * Reads and decrypts the password metrics stored for a protector. The metrics file is
     * encrypted under a key derived from the synthetic password.
     *
     * @param syntheticPassword the unlocked synthetic password
     * @param j the protector id
     * @param i the user id
     * @return the metrics, or null if the file is missing or cannot be decrypted
     */
    @Nullable
    public PasswordMetrics getPasswordMetrics(SyntheticPassword syntheticPassword, long j, int i) {
        byte[] encryptedMetrics = loadState(PASSWORD_METRICS_NAME, j, i);
        if (encryptedMetrics == null) {
            Slogf.e(TAG, "Failed to read password metrics file for user %d", Integer.valueOf(i));
            return null;
        }
        byte[] serializedMetrics = SyntheticPasswordCrypto.decrypt(syntheticPassword.deriveMetricsKey(), new byte[0], encryptedMetrics);
        if (serializedMetrics == null) {
            Slogf.e(TAG, "Failed to decrypt password metrics file for user %d", Integer.valueOf(i));
            return null;
        }
        return VersionedPasswordMetrics.deserialize(serializedMetrics).getMetrics();
    }

    /**
     * Serializes the metrics of the given credential, encrypts them under the metrics key derived
     * from the synthetic password, and stores the result for protector {@code j} of user
     * {@code i}.
     */
    private void savePasswordMetrics(LockscreenCredential lockscreenCredential, SyntheticPassword syntheticPassword, long j, int i) {
        byte[] metricsKey = syntheticPassword.deriveMetricsKey();
        byte[] serializedMetrics = new VersionedPasswordMetrics(lockscreenCredential).serialize();
        byte[] encryptedMetrics = SyntheticPasswordCrypto.encrypt(metricsKey, new byte[0], serializedMetrics);
        saveState(PASSWORD_METRICS_NAME, encryptedMetrics, j, i);
    }

    /**
     * Tells whether protector {@code j} of user {@code i} has a non-empty password metrics file.
     */
    @VisibleForTesting
    boolean hasPasswordMetrics(long j, int i) {
        final boolean present = hasState(PASSWORD_METRICS_NAME, j, i);
        return present;
    }

    /**
     * Tells whether the named state of protector {@code j} for user {@code i} exists and is
     * non-empty. The state is loaded in full to answer this.
     */
    private boolean hasState(String str, long j, int i) {
        final byte[] stored = loadState(str, j, i);
        return !ArrayUtils.isEmpty(stored);
    }

    /**
     * Reads the named synthetic password state from storage.
     *
     * @param str the state name
     * @param j the protector id
     * @param i the user id
     */
    private byte[] loadState(String str, long j, int i) {
        final byte[] stored = this.mStorage.readSyntheticPasswordState(i, j, str);
        return stored;
    }

    /**
     * Writes the named synthetic password state to storage. Callers in this class follow up with
     * {@link #syncState} once all writes for an operation are done.
     *
     * @param str the state name
     * @param bArr the data to store
     * @param j the protector id
     * @param i the user id
     */
    private void saveState(String str, byte[] bArr, long j, int i) {
        final LockSettingsStorage storage = this.mStorage;
        storage.writeSyntheticPasswordState(i, j, str, bArr);
    }

    /**
     * Asks storage to sync the synthetic password state of user {@code i}.
     */
    private void syncState(int i) {
        final LockSettingsStorage storage = this.mStorage;
        storage.syncSyntheticPasswordState(i);
    }

    /**
     * Deletes the named synthetic password state from storage.
     *
     * @param str the state name
     * @param j the protector id
     * @param i the user id
     */
    private void destroyState(String str, long j, int i) {
        final LockSettingsStorage storage = this.mStorage;
        storage.deleteSyntheticPasswordState(i, j, str);
    }

    /**
     * Decrypts SP blob content by delegating to {@code SyntheticPasswordCrypto.decryptBlob}.
     * Kept overridable for tests.
     *
     * @param str the protector key alias
     * @param bArr the blob content
     * @param bArr2 the protector secret
     * @return the decrypted content; callers treat null as a decryption failure
     */
    @VisibleForTesting
    protected byte[] decryptSpBlob(String str, byte[] bArr, byte[] bArr2) {
        final byte[] decrypted = SyntheticPasswordCrypto.decryptBlob(str, bArr, bArr2);
        return decrypted;
    }

    /**
     * Creates SP blob content by delegating to {@code SyntheticPasswordCrypto.createBlob}.
     * Kept overridable for tests.
     *
     * @param str the protector key alias
     * @param bArr the secret to wrap
     * @param bArr2 the protector secret
     * @param j the secure user id
     */
    @VisibleForTesting
    protected byte[] createSpBlob(String str, byte[] bArr, byte[] bArr2, long j) {
        final byte[] blobContent = SyntheticPasswordCrypto.createBlob(str, bArr, bArr2, j);
        return blobContent;
    }

    /**
     * Destroys the protector key stored under alias {@code str} by delegating to
     * {@code SyntheticPasswordCrypto.destroyProtectorKey}. Kept overridable for tests.
     */
    @VisibleForTesting
    protected void destroyProtectorKey(String str) {
        final String keyAlias = str;
        SyntheticPasswordCrypto.destroyProtectorKey(keyAlias);
    }

    /**
     * Draws a random non-zero {@code long} to use as a protector id.
     *
     * <p>Zero is never returned. Elsewhere in this class {@code 0L} is used as the id for
     * state such as the vendor auth secret, so zero presumably acts as a reserved value.
     *
     * @return a value from {@code SecureRandomUtils.randomLong()} that is not 0
     */
    private static long generateProtectorId() {
        long candidate = SecureRandomUtils.randomLong();
        // Redraw until the value is usable; zero is rejected.
        while (candidate == 0) {
            candidate = SecureRandomUtils.randomLong();
        }
        return candidate;
    }

    /**
     * Maps a user id to a second id by adding a fixed offset of 100000.
     *
     * @param i real user id
     * @return {@code i + 100000}
     */
    @VisibleForTesting
    static int fakeUserId(int i) {
        final int offset = 100000;
        return offset + i;
    }

    /**
     * Builds the key alias for a protector: the alias prefix followed by the id in
     * lower-case hexadecimal with no padding.
     *
     * @param j protector id
     * @return {@code PROTECTOR_KEY_ALIAS_PREFIX} concatenated with the hex form of {@code j}
     */
    private String getProtectorKeyAlias(long j) {
        final Long boxedId = Long.valueOf(j);
        return TextUtils.formatSimple("%s%x", PROTECTOR_KEY_ALIAS_PREFIX, boxedId);
    }

    /**
     * Turns the lockscreen credential into a fixed 32-byte value.
     *
     * <p>With {@code passwordData} present, the credential (or {@code DEFAULT_PASSWORD} when
     * the credential is "none") is run through scrypt using the salt and cost parameters
     * stored in {@code passwordData}. Without it, no stretching happens: the credential must
     * be "none", and {@code DEFAULT_PASSWORD} is copied into a 32-byte array.
     *
     * @param lockscreenCredential credential to stretch
     * @param passwordData salt and scrypt parameters, or {@code null} when none are stored
     * @return 32 bytes derived from the credential
     * @throws IllegalArgumentException if {@code passwordData} is {@code null} and the
     *     credential is not "none" (raised by {@code Preconditions.checkArgument})
     */
    @VisibleForTesting
    byte[] stretchLskf(LockscreenCredential lockscreenCredential, @Nullable PasswordData passwordData) {
        final byte[] secret;
        if (lockscreenCredential.isNone()) {
            secret = DEFAULT_PASSWORD;
        } else {
            secret = lockscreenCredential.getCredential();
        }

        if (passwordData == null) {
            // An unstretched value is only acceptable when there is no real credential.
            Preconditions.checkArgument(lockscreenCredential.isNone());
            return Arrays.copyOf(secret, 32);
        }

        // The cost parameters are stored as base-2 logarithms and expanded here.
        // NOTE(review): the log values are not range-checked in this method; a shift of 31
        // or more would not produce the intended power of two in an int.
        final int n = 1 << passwordData.scryptLogN;
        final int r = 1 << passwordData.scryptLogR;
        final int p = 1 << passwordData.scryptLogP;
        return scrypt(secret, passwordData.salt, n, r, p, 32);
    }

    /* JADX WARN: Type inference failed for: r1v1, types: [byte[], byte[][]] */
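    /**
     * Derives the value handed to Gatekeeper from the stretched credential by hashing it
     * under the {@code PERSONALIZATION_USER_GK_AUTH} personalization.
     *
     * @param bArr stretched credential
     * @return the result of {@code SyntheticPasswordCrypto.personalizedHash}
     */
    private byte[] stretchedLskfToGkPassword(byte[] bArr) {
        // The decompiler emitted "new byte[]{bArr}", which does not compile: an array whose
        // element is a byte[] has type byte[][].
        return SyntheticPasswordCrypto.personalizedHash(PERSONALIZATION_USER_GK_AUTH, new byte[][] {bArr});
    }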

    /* JADX WARN: Type inference failed for: r1v1, types: [byte[], byte[][]] */
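    /**
     * Derives the Weaver key from the stretched credential by hashing it under the
     * {@code PERSONALIZATION_WEAVER_KEY} personalization and truncating the hash to the key
     * size from the Weaver configuration.
     *
     * @param bArr stretched credential
     * @return exactly {@code mWeaverConfig.keySize} bytes of the personalized hash
     * @throws IllegalArgumentException if the hash is shorter than the configured key size
     */
    private byte[] stretchedLskfToWeaverKey(byte[] bArr) {
        // The decompiler emitted "new byte[]{bArr}", which does not compile: an array whose
        // element is a byte[] has type byte[][].
        byte[] personalizedHash =
                SyntheticPasswordCrypto.personalizedHash(PERSONALIZATION_WEAVER_KEY, new byte[][] {bArr});
        final int keySize = this.mWeaverConfig.keySize;
        // Refuse to zero-pad: Arrays.copyOf would silently extend a short hash with zeros.
        if (personalizedHash.length < keySize) {
            throw new IllegalArgumentException("weaver key length too small");
        }
        return Arrays.copyOf(personalizedHash, keySize);
    }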

    /**
     * Extracts a {@code long} from a password handle by calling the native implementation;
     * kept as an overridable method so tests can avoid the native call.
     *
     * @param bArr password handle bytes
     * @return the value returned by {@code nativeSidFromPasswordHandle}
     */
    @VisibleForTesting
    protected long sidFromPasswordHandle(byte[] bArr) {
        final long sid = nativeSidFromPasswordHandle(bArr);
        return sid;
    }

    /**
     * Runs scrypt through a fresh {@code Scrypt} instance; kept as an overridable method so
     * tests can replace the key derivation.
     *
     * <p>As called from {@code stretchLskf}, the arguments are the credential, the salt, the
     * three expanded cost parameters, and an output length of 32.
     *
     * @param bArr input secret
     * @param bArr2 salt
     * @param i first cost parameter
     * @param i2 second cost parameter
     * @param i3 third cost parameter
     * @param i4 last argument of {@code Scrypt.scrypt} (32 in the visible caller)
     * @return the result of {@code Scrypt.scrypt}
     */
    @VisibleForTesting
    protected byte[] scrypt(byte[] bArr, byte[] bArr2, int i, int i2, int i3, int i4) {
        final Scrypt kdf = new Scrypt();
        return kdf.scrypt(bArr, bArr2, i, i2, i3, i4);
    }

    /**
     * Native method backing {@link #sidFromPasswordHandle(byte[])}. Its implementation is
     * not part of this file.
     */
    private native long nativeSidFromPasswordHandle(byte[] bArr);

    /**
     * Hex-encodes the input and returns the encoded text as bytes.
     *
     * @param bArr bytes to encode
     * @return the bytes of the hex string produced by {@code HexEncoding.encodeToString}
     */
    @VisibleForTesting
    static byte[] bytesToHex(byte[] bArr) {
        final String hex = HexEncoding.encodeToString(bArr);
        // getBytes() with no argument uses the platform default charset.
        return hex.getBytes();
    }

    /**
     * Migrates the protector key of every stored synthetic password blob, for all users.
     *
     * <p>A failed migration does not stop the loop: every key is attempted and the failures
     * are folded into the return value.
     *
     * @return {@code true} only if every {@code migrateLockSettingsKey} call returned
     *     {@code true} (also {@code true} when there was nothing to migrate)
     */
    public boolean migrateKeyNamespace() {
        boolean allMigrated = true;
        for (List<Long> protectorIds
                : this.mStorage.listSyntheticPasswordProtectorsForAllUsers(SP_BLOB_NAME).values()) {
            for (Long protectorId : protectorIds) {
                String alias = getProtectorKeyAlias(protectorId.longValue());
                // Always attempt the migration, even after an earlier failure.
                boolean migrated = SyntheticPasswordCrypto.migrateLockSettingsKey(alias);
                if (!migrated) {
                    allMigrated = false;
                }
            }
        }
        return allMigrated;
    }

    /**
     * Adds a listener that is called back when a weak escrow token is removed.
     *
     * @param iWeakEscrowTokenRemovedListener listener to add
     * @return the result of {@code mListeners.register}
     */
    public boolean registerWeakEscrowTokenRemovedListener(IWeakEscrowTokenRemovedListener iWeakEscrowTokenRemovedListener) {
        final boolean registered = this.mListeners.register(iWeakEscrowTokenRemovedListener);
        return registered;
    }

    /**
     * Removes a previously registered weak escrow token removal listener.
     *
     * @param iWeakEscrowTokenRemovedListener listener to remove
     * @return the result of {@code mListeners.unregister}
     */
    public boolean unregisterWeakEscrowTokenRemovedListener(IWeakEscrowTokenRemovedListener iWeakEscrowTokenRemovedListener) {
        final boolean unregistered = this.mListeners.unregister(iWeakEscrowTokenRemovedListener);
        return unregistered;
    }

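    /**
     * Calls {@code onWeakEscrowTokenRemoved} on every registered listener.
     *
     * <p>Listeners are visited from the highest broadcast index down to 0. A
     * {@link RemoteException} from one listener is logged and does not prevent the remaining
     * listeners from being notified.
     *
     * @param j first argument forwarded to the listener (presumably the token handle)
     * @param i second argument forwarded to the listener (presumably the user id)
     */
    private void notifyWeakEscrowTokenRemovedListeners(long j, int i) {
        int remaining = this.mListeners.beginBroadcast();
        // The decompiled control flow placed finishBroadcast() inside the loop, so it ran
        // once per listener and not at all when there were none. One beginBroadcast() is
        // now paired with exactly one finishBroadcast(), also on an unexpected exception.
        try {
            while (remaining > 0) {
                remaining--;
                try {
                    this.mListeners.getBroadcastItem(remaining).onWeakEscrowTokenRemoved(j, i);
                } catch (RemoteException e) {
                    Slog.e(TAG, "Exception while notifying WeakEscrowTokenRemovedListener.", e);
                }
            }
        } finally {
            this.mListeners.finishBroadcast();
        }
    }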

    /**
     * Encrypts the vendor auth secret and stores it for the user, then syncs the state.
     *
     * <p>The encryption key comes from
     * {@code syntheticPassword.deriveVendorAuthSecretEncryptionKey()}. The blob is stored
     * under {@code VENDOR_AUTH_SECRET_NAME} with id {@code 0L} rather than a generated
     * protector id.
     *
     * @param bArr secret to protect
     * @param syntheticPassword source of the encryption key
     * @param i user id
     */
    public void writeVendorAuthSecret(@NonNull byte[] bArr, @NonNull SyntheticPassword syntheticPassword, int i) {
        byte[] encryptedSecret = SyntheticPasswordCrypto.encrypt(
                syntheticPassword.deriveVendorAuthSecretEncryptionKey(), new byte[0], bArr);
        saveState(VENDOR_AUTH_SECRET_NAME, encryptedSecret, 0L, i);
        syncState(i);
    }

    /**
     * Loads and decrypts the vendor auth secret stored for the user.
     *
     * <p>Only a {@code null} blob is treated as "nothing stored"; an empty array is still
     * passed to {@code decrypt}.
     *
     * @param syntheticPassword source of the decryption key
     * @param i user id
     * @return the result of {@code SyntheticPasswordCrypto.decrypt}, or {@code null} when no
     *     state is stored; other code in this class treats a {@code null} decrypt result as
     *     a decryption failure, so callers should handle {@code null} in both cases
     */
    @Nullable
    public byte[] readVendorAuthSecret(@NonNull SyntheticPassword syntheticPassword, int i) {
        final byte[] encryptedSecret = loadState(VENDOR_AUTH_SECRET_NAME, 0L, i);
        if (encryptedSecret != null) {
            return SyntheticPasswordCrypto.decrypt(
                    syntheticPassword.deriveVendorAuthSecretEncryptionKey(), new byte[0], encryptedSecret);
        }
        return null;
    }
}
