package com.android.server;

import android.os.RemoteException;
import android.service.gatekeeper.GateKeeperResponse;
import android.service.gatekeeper.IGateKeeperService;
import android.util.ArrayMap;
import android.util.Log;
import com.android.internal.util.ArrayUtils;
import com.android.internal.widget.VerifyCredentialResponse;
import java.nio.ByteBuffer;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import libcore.util.HexEncoding;

/* loaded from: input_file:com/android/server/SyntheticPasswordManager.class */
public class SyntheticPasswordManager {
    private static final String SP_BLOB_NAME = "spblob";
    private static final String SP_E0_NAME = "e0";
    private static final String SP_P1_NAME = "p1";
    private static final String SP_HANDLE_NAME = "handle";
    private static final String SECDISCARDABLE_NAME = "secdis";
    private static final int SECDISCARDABLE_LENGTH = 16384;
    private static final String PASSWORD_DATA_NAME = "pwd";
    public static final long DEFAULT_HANDLE = 0;
    private static final String DEFAULT_PASSWORD = "default-password";
    private static final byte SYNTHETIC_PASSWORD_VERSION = 1;
    private static final byte SYNTHETIC_PASSWORD_PASSWORD_BASED = 0;
    private static final byte SYNTHETIC_PASSWORD_TOKEN_BASED = 1;
    private static final byte SYNTHETIC_PASSWORD_LENGTH = 32;
    private static final int PASSWORD_SCRYPT_N = 11;
    private static final int PASSWORD_SCRYPT_R = 3;
    private static final int PASSWORD_SCRYPT_P = 1;
    private static final int PASSWORD_SALT_LENGTH = 16;
    private static final int PASSWORD_TOKEN_LENGTH = 32;
    private static final String TAG = "SyntheticPasswordManager";
    private LockSettingsStorage mStorage;
    private ArrayMap<Integer, ArrayMap<Long, byte[]>> tokenMap = new ArrayMap<>();
    private static final byte[] PERSONALISATION_SECDISCARDABLE = "secdiscardable-transform".getBytes();
    private static final byte[] PERSONALIZATION_KEY_STORE_PASSWORD = "keystore-password".getBytes();
    private static final byte[] PERSONALIZATION_USER_GK_AUTH = "user-gk-authentication".getBytes();
    private static final byte[] PERSONALIZATION_SP_GK_AUTH = "sp-gk-authentication".getBytes();
    private static final byte[] PERSONALIZATION_FBE_KEY = "fbe-key".getBytes();
    private static final byte[] PERSONALIZATION_SP_SPLIT = "sp-split".getBytes();
    private static final byte[] PERSONALIZATION_E0 = "e0-encryption".getBytes();
    protected static final char[] hexArray = "0123456789ABCDEF".toCharArray();

    /* loaded from: input_file:com/android/server/SyntheticPasswordManager$AuthenticationResult.class */
    static class AuthenticationResult {
        public AuthenticationToken authToken;
        public VerifyCredentialResponse gkResponse;

        AuthenticationResult() {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/SyntheticPasswordManager$AuthenticationToken.class */
    public static class AuthenticationToken {
        private byte[] E0;
        private byte[] P1;
        private String syntheticPassword;

        AuthenticationToken() {
        }

        /* JADX WARN: Type inference failed for: r1v1, types: [byte[], byte[][]] */
        public String deriveKeyStorePassword() {
            return SyntheticPasswordManager.bytesToHex(SyntheticPasswordCrypto.personalisedHash(SyntheticPasswordManager.PERSONALIZATION_KEY_STORE_PASSWORD, new byte[]{this.syntheticPassword.getBytes()}));
        }

        /* JADX WARN: Type inference failed for: r1v1, types: [byte[], byte[][]] */
        public byte[] deriveGkPassword() {
            return SyntheticPasswordCrypto.personalisedHash(SyntheticPasswordManager.PERSONALIZATION_SP_GK_AUTH, new byte[]{this.syntheticPassword.getBytes()});
        }

        /* JADX WARN: Type inference failed for: r1v1, types: [byte[], byte[][]] */
        public byte[] deriveDiskEncryptionKey() {
            return SyntheticPasswordCrypto.personalisedHash(SyntheticPasswordManager.PERSONALIZATION_FBE_KEY, new byte[]{this.syntheticPassword.getBytes()});
        }

        /* JADX WARN: Type inference failed for: r2v1, types: [byte[], byte[][]] */
        private void initialize(byte[] bArr, byte[] bArr2) {
            this.P1 = bArr2;
            this.syntheticPassword = String.valueOf(HexEncoding.encode(SyntheticPasswordCrypto.personalisedHash(SyntheticPasswordManager.PERSONALIZATION_SP_SPLIT, new byte[]{bArr, bArr2})));
            this.E0 = SyntheticPasswordCrypto.encrypt(this.syntheticPassword.getBytes(), SyntheticPasswordManager.PERSONALIZATION_E0, bArr);
        }

        public void recreate(byte[] bArr) {
            initialize(bArr, this.P1);
        }

        protected static AuthenticationToken create() {
            AuthenticationToken authenticationToken = new AuthenticationToken();
            authenticationToken.initialize(SyntheticPasswordManager.secureRandom(32), SyntheticPasswordManager.secureRandom(32));
            return authenticationToken;
        }

        public byte[] computeP0() {
            if (this.E0 == null) {
                return null;
            }
            return SyntheticPasswordCrypto.decrypt(this.syntheticPassword.getBytes(), SyntheticPasswordManager.PERSONALIZATION_E0, this.E0);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/SyntheticPasswordManager$PasswordData.class */
    public static class PasswordData {
        byte scryptN;
        byte scryptR;
        byte scryptP;
        public int passwordType;
        byte[] salt;
        public byte[] passwordHandle;

        PasswordData() {
        }

        public static PasswordData create(int i) {
            PasswordData passwordData = new PasswordData();
            passwordData.scryptN = (byte) 11;
            passwordData.scryptR = (byte) 3;
            passwordData.scryptP = (byte) 1;
            passwordData.passwordType = i;
            passwordData.salt = SyntheticPasswordManager.secureRandom(16);
            return passwordData;
        }

        public static PasswordData fromBytes(byte[] bArr) {
            PasswordData passwordData = new PasswordData();
            ByteBuffer allocate = ByteBuffer.allocate(bArr.length);
            allocate.put(bArr, 0, bArr.length);
            allocate.flip();
            passwordData.passwordType = allocate.getInt();
            passwordData.scryptN = allocate.get();
            passwordData.scryptR = allocate.get();
            passwordData.scryptP = allocate.get();
            passwordData.salt = new byte[allocate.getInt()];
            allocate.get(passwordData.salt);
            passwordData.passwordHandle = new byte[allocate.getInt()];
            allocate.get(passwordData.passwordHandle);
            return passwordData;
        }

        public byte[] toBytes() {
            ByteBuffer allocate = ByteBuffer.allocate(11 + this.salt.length + 4 + this.passwordHandle.length);
            allocate.putInt(this.passwordType);
            allocate.put(this.scryptN);
            allocate.put(this.scryptR);
            allocate.put(this.scryptP);
            allocate.putInt(this.salt.length);
            allocate.put(this.salt);
            allocate.putInt(this.passwordHandle.length);
            allocate.put(this.passwordHandle);
            return allocate.array();
        }
    }

    public SyntheticPasswordManager(LockSettingsStorage lockSettingsStorage) {
        this.mStorage = lockSettingsStorage;
    }

    public int getCredentialType(long j, int i) {
        byte[] loadState = loadState(PASSWORD_DATA_NAME, j, i);
        if (loadState != null) {
            return PasswordData.fromBytes(loadState).passwordType;
        }
        Log.w(TAG, "getCredentialType: encountered empty password data for user " + i);
        return -1;
    }

    public AuthenticationToken newSyntheticPasswordAndSid(IGateKeeperService iGateKeeperService, byte[] bArr, String str, int i) throws RemoteException {
        AuthenticationToken create = AuthenticationToken.create();
        if (bArr != null) {
            GateKeeperResponse enroll = iGateKeeperService.enroll(i, bArr, str.getBytes(), create.deriveGkPassword());
            if (enroll.getResponseCode() != 0) {
                Log.w(TAG, "Fail to migrate SID, assuming no SID, user " + i);
                clearSidForUser(i);
            } else {
                saveSyntheticPasswordHandle(enroll.getPayload(), i);
            }
        } else {
            clearSidForUser(i);
        }
        saveEscrowData(create, i);
        return create;
    }

    public void newSidForUser(IGateKeeperService iGateKeeperService, AuthenticationToken authenticationToken, int i) throws RemoteException {
        GateKeeperResponse enroll = iGateKeeperService.enroll(i, null, null, authenticationToken.deriveGkPassword());
        if (enroll.getResponseCode() != 0) {
            Log.e(TAG, "Fail to create new SID for user " + i);
        } else {
            saveSyntheticPasswordHandle(enroll.getPayload(), i);
        }
    }

    public void clearSidForUser(int i) {
        destroyState(SP_HANDLE_NAME, 0L, i);
    }

    public boolean hasSidForUser(int i) {
        return hasState(SP_HANDLE_NAME, 0L, i);
    }

    private byte[] loadSyntheticPasswordHandle(int i) {
        return loadState(SP_HANDLE_NAME, 0L, i);
    }

    private void saveSyntheticPasswordHandle(byte[] bArr, int i) {
        saveState(SP_HANDLE_NAME, bArr, 0L, i);
    }

    private boolean loadEscrowData(AuthenticationToken authenticationToken, int i) {
        authenticationToken.E0 = loadState(SP_E0_NAME, 0L, i);
        authenticationToken.P1 = loadState(SP_P1_NAME, 0L, i);
        return (authenticationToken.E0 == null || authenticationToken.P1 == null) ? false : true;
    }

    private void saveEscrowData(AuthenticationToken authenticationToken, int i) {
        saveState(SP_E0_NAME, authenticationToken.E0, 0L, i);
        saveState(SP_P1_NAME, authenticationToken.P1, 0L, i);
    }

    public boolean hasEscrowData(int i) {
        return hasState(SP_E0_NAME, 0L, i) && hasState(SP_P1_NAME, 0L, i);
    }

    public void destroyEscrowData(int i) {
        destroyState(SP_E0_NAME, 0L, i);
        destroyState(SP_P1_NAME, 0L, i);
    }

    public long createPasswordBasedSyntheticPassword(IGateKeeperService iGateKeeperService, String str, int i, AuthenticationToken authenticationToken, int i2) throws RemoteException {
        if (str == null || i == -1) {
            i = -1;
            str = DEFAULT_PASSWORD;
        }
        long generateHandle = generateHandle();
        PasswordData create = PasswordData.create(i);
        byte[] computePasswordToken = computePasswordToken(str, create);
        iGateKeeperService.clearSecureUserId(fakeUid(i2));
        GateKeeperResponse enroll = iGateKeeperService.enroll(fakeUid(i2), null, null, passwordTokenToGkInput(computePasswordToken));
        if (enroll.getResponseCode() != 0) {
            Log.e(TAG, "Fail to enroll user password when creating SP for user " + i2);
            return 0L;
        }
        create.passwordHandle = enroll.getPayload();
        long sidFromPasswordHandle = sidFromPasswordHandle(create.passwordHandle);
        saveState(PASSWORD_DATA_NAME, create.toBytes(), generateHandle, i2);
        createSyntheticPasswordBlob(generateHandle, (byte) 0, authenticationToken, transformUnderSecdiscardable(computePasswordToken, createSecdiscardable(generateHandle, i2)), sidFromPasswordHandle, i2);
        return generateHandle;
    }

    public long createTokenBasedSyntheticPassword(byte[] bArr, int i) {
        long generateHandle = generateHandle();
        byte[] transformUnderSecdiscardable = transformUnderSecdiscardable(bArr, createSecdiscardable(generateHandle, i));
        if (!this.tokenMap.containsKey(Integer.valueOf(i))) {
            this.tokenMap.put(Integer.valueOf(i), new ArrayMap<>());
        }
        this.tokenMap.get(Integer.valueOf(i)).put(Long.valueOf(generateHandle), transformUnderSecdiscardable);
        return generateHandle;
    }

    public Set<Long> getPendingTokensForUser(int i) {
        return !this.tokenMap.containsKey(Integer.valueOf(i)) ? Collections.emptySet() : this.tokenMap.get(Integer.valueOf(i)).keySet();
    }

    public boolean removePendingToken(long j, int i) {
        return this.tokenMap.containsKey(Integer.valueOf(i)) && this.tokenMap.get(Integer.valueOf(i)).remove(Long.valueOf(j)) != null;
    }

    public boolean activateTokenBasedSyntheticPassword(long j, AuthenticationToken authenticationToken, int i) {
        byte[] bArr;
        if (!this.tokenMap.containsKey(Integer.valueOf(i)) || (bArr = this.tokenMap.get(Integer.valueOf(i)).get(Long.valueOf(j))) == null) {
            return false;
        }
        if (!loadEscrowData(authenticationToken, i)) {
            Log.w(TAG, "User is not escrowable");
            return false;
        }
        createSyntheticPasswordBlob(j, (byte) 1, authenticationToken, bArr, 0L, i);
        this.tokenMap.get(Integer.valueOf(i)).remove(Long.valueOf(j));
        return true;
    }

    private void createSyntheticPasswordBlob(long j, byte b, AuthenticationToken authenticationToken, byte[] bArr, long j2, int i) {
        byte[] createSPBlob = createSPBlob(getHandleName(j), b == 1 ? authenticationToken.computeP0() : authenticationToken.syntheticPassword.getBytes(), bArr, j2);
        byte[] bArr2 = new byte[createSPBlob.length + 1 + 1];
        bArr2[0] = 1;
        bArr2[1] = b;
        System.arraycopy(createSPBlob, 0, bArr2, 2, createSPBlob.length);
        saveState(SP_BLOB_NAME, bArr2, j, i);
    }

    public AuthenticationResult unwrapPasswordBasedSyntheticPassword(IGateKeeperService iGateKeeperService, long j, String str, int i) throws RemoteException {
        if (str == null) {
            str = DEFAULT_PASSWORD;
        }
        AuthenticationResult authenticationResult = new AuthenticationResult();
        PasswordData fromBytes = PasswordData.fromBytes(loadState(PASSWORD_DATA_NAME, j, i));
        byte[] computePasswordToken = computePasswordToken(str, fromBytes);
        byte[] passwordTokenToGkInput = passwordTokenToGkInput(computePasswordToken);
        GateKeeperResponse verifyChallenge = iGateKeeperService.verifyChallenge(fakeUid(i), 0L, fromBytes.passwordHandle, passwordTokenToGkInput);
        int responseCode = verifyChallenge.getResponseCode();
        if (responseCode != 0) {
            if (responseCode == 1) {
                authenticationResult.gkResponse = new VerifyCredentialResponse(verifyChallenge.getTimeout());
                return authenticationResult;
            }
            authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
            return authenticationResult;
        }
        authenticationResult.gkResponse = VerifyCredentialResponse.OK;
        if (verifyChallenge.getShouldReEnroll()) {
            GateKeeperResponse enroll = iGateKeeperService.enroll(fakeUid(i), fromBytes.passwordHandle, passwordTokenToGkInput, passwordTokenToGkInput);
            if (enroll.getResponseCode() == 0) {
                fromBytes.passwordHandle = enroll.getPayload();
                saveState(PASSWORD_DATA_NAME, fromBytes.toBytes(), j, i);
            } else {
                Log.w(TAG, "Fail to re-enroll user password for user " + i);
            }
        }
        authenticationResult.authToken = unwrapSyntheticPasswordBlob(j, (byte) 0, transformUnderSecdiscardable(computePasswordToken, loadSecdiscardable(j, i)), i);
        authenticationResult.gkResponse = verifyChallenge(iGateKeeperService, authenticationResult.authToken, 0L, i);
        return authenticationResult;
    }

    public AuthenticationResult unwrapTokenBasedSyntheticPassword(IGateKeeperService iGateKeeperService, long j, byte[] bArr, int i) throws RemoteException {
        AuthenticationResult authenticationResult = new AuthenticationResult();
        authenticationResult.authToken = unwrapSyntheticPasswordBlob(j, (byte) 1, transformUnderSecdiscardable(bArr, loadSecdiscardable(j, i)), i);
        if (authenticationResult.authToken != null) {
            authenticationResult.gkResponse = verifyChallenge(iGateKeeperService, authenticationResult.authToken, 0L, i);
            if (authenticationResult.gkResponse == null) {
                authenticationResult.gkResponse = VerifyCredentialResponse.OK;
            }
        } else {
            authenticationResult.gkResponse = VerifyCredentialResponse.ERROR;
        }
        return authenticationResult;
    }

    private AuthenticationToken unwrapSyntheticPasswordBlob(long j, byte b, byte[] bArr, int i) {
        byte[] loadState = loadState(SP_BLOB_NAME, j, i);
        if (loadState == null) {
            return null;
        }
        if (loadState[0] != 1) {
            throw new RuntimeException("Unknown blob version");
        }
        if (loadState[1] != b) {
            throw new RuntimeException("Invalid blob type");
        }
        byte[] decryptSPBlob = decryptSPBlob(getHandleName(j), Arrays.copyOfRange(loadState, 2, loadState.length), bArr);
        if (decryptSPBlob == null) {
            Log.e(TAG, "Fail to decrypt SP for user " + i);
            return null;
        }
        AuthenticationToken authenticationToken = new AuthenticationToken();
        if (b != 1) {
            authenticationToken.syntheticPassword = new String(decryptSPBlob);
        } else {
            if (!loadEscrowData(authenticationToken, i)) {
                Log.e(TAG, "User is not escrowable: " + i);
                return null;
            }
            authenticationToken.recreate(decryptSPBlob);
        }
        return authenticationToken;
    }

    public VerifyCredentialResponse verifyChallenge(IGateKeeperService iGateKeeperService, AuthenticationToken authenticationToken, long j, int i) throws RemoteException {
        VerifyCredentialResponse verifyCredentialResponse;
        byte[] loadSyntheticPasswordHandle = loadSyntheticPasswordHandle(i);
        if (loadSyntheticPasswordHandle == null) {
            return null;
        }
        GateKeeperResponse verifyChallenge = iGateKeeperService.verifyChallenge(i, j, loadSyntheticPasswordHandle, authenticationToken.deriveGkPassword());
        int responseCode = verifyChallenge.getResponseCode();
        if (responseCode == 0) {
            verifyCredentialResponse = new VerifyCredentialResponse(verifyChallenge.getPayload());
            if (verifyChallenge.getShouldReEnroll()) {
                GateKeeperResponse enroll = iGateKeeperService.enroll(i, loadSyntheticPasswordHandle, loadSyntheticPasswordHandle, authenticationToken.deriveGkPassword());
                if (enroll.getResponseCode() == 0) {
                    saveSyntheticPasswordHandle(enroll.getPayload(), i);
                    return verifyChallenge(iGateKeeperService, authenticationToken, j, i);
                }
                Log.w(TAG, "Fail to re-enroll SP handle for user " + i);
            }
        } else {
            verifyCredentialResponse = responseCode == 1 ? new VerifyCredentialResponse(verifyChallenge.getTimeout()) : VerifyCredentialResponse.ERROR;
        }
        return verifyCredentialResponse;
    }

    public boolean existsHandle(long j, int i) {
        return hasState(SP_BLOB_NAME, j, i);
    }

    public void destroyTokenBasedSyntheticPassword(long j, int i) {
        destroySyntheticPassword(j, i);
        destroyState(SECDISCARDABLE_NAME, j, i);
    }

    public void destroyPasswordBasedSyntheticPassword(long j, int i) {
        destroySyntheticPassword(j, i);
        destroyState(SECDISCARDABLE_NAME, j, i);
        destroyState(PASSWORD_DATA_NAME, j, i);
    }

    private void destroySyntheticPassword(long j, int i) {
        destroyState(SP_BLOB_NAME, j, i);
        destroySPBlobKey(getHandleName(j));
    }

    /* JADX WARN: Type inference failed for: r1v1, types: [byte[], byte[][]] */
    private byte[] transformUnderSecdiscardable(byte[] bArr, byte[] bArr2) {
        byte[] personalisedHash = SyntheticPasswordCrypto.personalisedHash(PERSONALISATION_SECDISCARDABLE, new byte[]{bArr2});
        byte[] bArr3 = new byte[bArr.length + personalisedHash.length];
        System.arraycopy(bArr, 0, bArr3, 0, bArr.length);
        System.arraycopy(personalisedHash, 0, bArr3, bArr.length, personalisedHash.length);
        return bArr3;
    }

    private byte[] createSecdiscardable(long j, int i) {
        byte[] secureRandom = secureRandom(16384);
        saveState(SECDISCARDABLE_NAME, secureRandom, j, i);
        return secureRandom;
    }

    private byte[] loadSecdiscardable(long j, int i) {
        return loadState(SECDISCARDABLE_NAME, j, i);
    }

    private boolean hasState(String str, long j, int i) {
        return !ArrayUtils.isEmpty(loadState(str, j, i));
    }

    private byte[] loadState(String str, long j, int i) {
        return this.mStorage.readSyntheticPasswordState(i, j, str);
    }

    private void saveState(String str, byte[] bArr, long j, int i) {
        this.mStorage.writeSyntheticPasswordState(i, j, str, bArr);
    }

    private void destroyState(String str, long j, int i) {
        this.mStorage.deleteSyntheticPasswordState(i, j, str);
    }

    protected byte[] decryptSPBlob(String str, byte[] bArr, byte[] bArr2) {
        return SyntheticPasswordCrypto.decryptBlob(str, bArr, bArr2);
    }

    protected byte[] createSPBlob(String str, byte[] bArr, byte[] bArr2, long j) {
        return SyntheticPasswordCrypto.createBlob(str, bArr, bArr2, j);
    }

    protected void destroySPBlobKey(String str) {
        SyntheticPasswordCrypto.destroyBlobKey(str);
    }

    public static long generateHandle() {
        long nextLong;
        SecureRandom secureRandom = new SecureRandom();
        do {
            nextLong = secureRandom.nextLong();
        } while (nextLong == 0);
        return nextLong;
    }

    private int fakeUid(int i) {
        return 100000 + i;
    }

    protected static byte[] secureRandom(int i) {
        try {
            return SecureRandom.getInstance("SHA1PRNG").generateSeed(i);
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
            return null;
        }
    }

    private String getHandleName(long j) {
        return String.format("%s%x", "synthetic_password_", Long.valueOf(j));
    }

    private byte[] computePasswordToken(String str, PasswordData passwordData) {
        return scrypt(str, passwordData.salt, 1 << passwordData.scryptN, 1 << passwordData.scryptR, 1 << passwordData.scryptP, 32);
    }

    /* JADX WARN: Type inference failed for: r1v1, types: [byte[], byte[][]] */
    private byte[] passwordTokenToGkInput(byte[] bArr) {
        return SyntheticPasswordCrypto.personalisedHash(PERSONALIZATION_USER_GK_AUTH, new byte[]{bArr});
    }

    protected long sidFromPasswordHandle(byte[] bArr) {
        return nativeSidFromPasswordHandle(bArr);
    }

    protected byte[] scrypt(String str, byte[] bArr, int i, int i2, int i3, int i4) {
        return nativeScrypt(str.getBytes(), bArr, i, i2, i3, i4);
    }

    native long nativeSidFromPasswordHandle(byte[] bArr);

    native byte[] nativeScrypt(byte[] bArr, byte[] bArr2, int i, int i2, int i3, int i4);

    public static String bytesToHex(byte[] bArr) {
        if (bArr == null) {
            return "null";
        }
        char[] cArr = new char[bArr.length * 2];
        for (int i = 0; i < bArr.length; i++) {
            int i2 = bArr[i] & 255;
            cArr[i * 2] = hexArray[i2 >>> 4];
            cArr[(i * 2) + 1] = hexArray[i2 & 15];
        }
        return new String(cArr);
    }
}
