package com.android.server;

import android.R;
import android.app.ActivityManager;
import android.app.IActivityManager;
import android.app.KeyguardManager;
import android.app.Notification;
import android.app.NotificationManager;
import android.app.PendingIntent;
import android.app.admin.DevicePolicyManager;
import android.app.admin.PasswordMetrics;
import android.app.backup.BackupManager;
import android.app.trust.IStrongAuthTracker;
import android.app.trust.TrustManager;
import android.content.BroadcastReceiver;
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.pm.UserInfo;
import android.content.res.Resources;
import android.database.sqlite.SQLiteDatabase;
import android.os.Binder;
import android.os.Bundle;
import android.os.Handler;
import android.os.IBinder;
import android.os.IProgressListener;
import android.os.RemoteException;
import android.os.ResultReceiver;
import android.os.ServiceManager;
import android.os.ShellCallback;
import android.os.StrictMode;
import android.os.SystemProperties;
import android.os.UserHandle;
import android.os.UserManager;
import android.os.storage.IStorageManager;
import android.os.storage.StorageManager;
import android.provider.Settings;
import android.security.KeyStore;
import android.security.keystore.AndroidKeyStoreProvider;
import android.security.keystore.KeyProtection;
import android.service.gatekeeper.GateKeeperResponse;
import android.service.gatekeeper.IGateKeeperService;
import android.text.TextUtils;
import android.util.ArrayMap;
import android.util.Log;
import android.util.Slog;
import com.android.ims.ImsConferenceState;
import com.android.ims.ImsManager;
import com.android.internal.notification.SystemNotificationChannels;
import com.android.internal.telephony.RILConstants;
import com.android.internal.util.ArrayUtils;
import com.android.internal.util.DumpUtils;
import com.android.internal.widget.ICheckCredentialProgressCallback;
import com.android.internal.widget.ILockSettings;
import com.android.internal.widget.LockPatternUtils;
import com.android.internal.widget.VerifyCredentialResponse;
import com.android.org.conscrypt.EvpMdRef;
import com.android.server.LockSettingsStorage;
import com.android.server.SyntheticPasswordManager;
import gov.nist.javax.sip.header.ParameterNames;
import java.io.ByteArrayOutputStream;
import java.io.FileDescriptor;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import libcore.util.HexEncoding;

/* loaded from: input_file:com/android/server/LockSettingsService.class */
public class LockSettingsService extends ILockSettings.Stub {
    private static final String TAG = "LockSettingsService";
    private static final String PERMISSION = "android.permission.ACCESS_KEYGUARD_SECURE_STORAGE";
    private static final boolean DEBUG = false;
    private static final int PROFILE_KEY_IV_SIZE = 12;
    private final Object mSeparateChallengeLock;
    private final Injector mInjector;
    private final Context mContext;
    private final Handler mHandler;
    protected final LockSettingsStorage mStorage;
    private final LockSettingsStrongAuth mStrongAuth;
    private final SynchronizedStrongAuthTracker mStrongAuthTracker;
    private final LockPatternUtils mLockPatternUtils;
    private final NotificationManager mNotificationManager;
    private final UserManager mUserManager;
    private final IActivityManager mActivityManager;
    private final KeyStore mKeyStore;
    private boolean mFirstCallToVold;
    protected IGateKeeperService mGateKeeperService;
    private SyntheticPasswordManager mSpManager;
    private final BroadcastReceiver mBroadcastReceiver;
    private static final int[] SYSTEM_CREDENTIAL_UIDS = {RILConstants.RIL_UNSOL_DATA_CALL_LIST_CHANGED, 1016, 0, 1000};
    private static final String[] VALID_SETTINGS = {"lockscreen.lockedoutpermanently", "lockscreen.lockoutattemptdeadline", "lockscreen.patterneverchosen", "lockscreen.password_type", "lockscreen.password_type_alternate", "lockscreen.password_salt", "lockscreen.disabled", "lockscreen.options", "lockscreen.biometric_weak_fallback", "lockscreen.biometricweakeverchosen", "lockscreen.power_button_instantly_locks", "lockscreen.passwordhistory", "lock_pattern_autolock", "lock_biometric_weak_flags", "lock_pattern_visible_pattern", "lock_pattern_tactile_feedback_enabled"};
    private static final String[] READ_CONTACTS_PROTECTED_SETTINGS = {"lock_screen_owner_info_enabled", "lock_screen_owner_info"};
    private static final String SEPARATE_PROFILE_CHALLENGE_KEY = "lockscreen.profilechallenge";
    private static final String[] READ_PASSWORD_PROTECTED_SETTINGS = {"lockscreen.password_salt", "lockscreen.passwordhistory", "lockscreen.password_type", SEPARATE_PROFILE_CHALLENGE_KEY};
    private static final String[] SETTINGS_TO_BACKUP = {"lock_screen_owner_info_enabled", "lock_screen_owner_info"};

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/android/server/LockSettingsService$GateKeeperDiedRecipient.class */
    public class GateKeeperDiedRecipient implements IBinder.DeathRecipient {
        private GateKeeperDiedRecipient() {
        }

        @Override // android.os.IBinder.DeathRecipient
        public void binderDied() {
            LockSettingsService.this.mGateKeeperService.asBinder().unlinkToDeath(this, 0);
            LockSettingsService.this.mGateKeeperService = null;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/LockSettingsService$Injector.class */
    public static class Injector {
        protected Context mContext;

        public Injector(Context context) {
            this.mContext = context;
        }

        public Context getContext() {
            return this.mContext;
        }

        public Handler getHandler() {
            return new Handler();
        }

        public LockSettingsStorage getStorage() {
            final LockSettingsStorage lockSettingsStorage = new LockSettingsStorage(this.mContext);
            lockSettingsStorage.setDatabaseOnCreateCallback(new LockSettingsStorage.Callback() { // from class: com.android.server.LockSettingsService.Injector.1
                @Override // com.android.server.LockSettingsStorage.Callback
                public void initialize(SQLiteDatabase sQLiteDatabase) {
                    if (SystemProperties.getBoolean("ro.lockscreen.disable.default", false)) {
                        lockSettingsStorage.writeKeyValue(sQLiteDatabase, "lockscreen.disabled", "1", 0);
                    }
                }
            });
            return lockSettingsStorage;
        }

        public LockSettingsStrongAuth getStrongAuth() {
            return new LockSettingsStrongAuth(this.mContext);
        }

        public SynchronizedStrongAuthTracker getStrongAuthTracker() {
            return new SynchronizedStrongAuthTracker(this.mContext);
        }

        public IActivityManager getActivityManager() {
            return ActivityManager.getService();
        }

        public LockPatternUtils getLockPatternUtils() {
            return new LockPatternUtils(this.mContext);
        }

        public NotificationManager getNotificationManager() {
            return (NotificationManager) this.mContext.getSystemService("notification");
        }

        public UserManager getUserManager() {
            return (UserManager) this.mContext.getSystemService(ImsConferenceState.USER);
        }

        public DevicePolicyManager getDevicePolicyManager() {
            return (DevicePolicyManager) this.mContext.getSystemService("device_policy");
        }

        public KeyStore getKeyStore() {
            return KeyStore.getInstance();
        }

        public IStorageManager getStorageManager() {
            IBinder service = ServiceManager.getService("mount");
            if (service != null) {
                return IStorageManager.Stub.asInterface(service);
            }
            return null;
        }

        public SyntheticPasswordManager getSyntheticPasswordManager(LockSettingsStorage lockSettingsStorage) {
            return new SyntheticPasswordManager(lockSettingsStorage);
        }

        public int binderGetCallingUid() {
            return Binder.getCallingUid();
        }
    }

    /* loaded from: input_file:com/android/server/LockSettingsService$Lifecycle.class */
    public static final class Lifecycle extends SystemService {
        private LockSettingsService mLockSettingsService;

        public Lifecycle(Context context) {
            super(context);
        }

        @Override // com.android.server.SystemService
        public void onStart() {
            AndroidKeyStoreProvider.install();
            this.mLockSettingsService = new LockSettingsService(getContext());
            publishBinderService("lock_settings", this.mLockSettingsService);
        }

        @Override // com.android.server.SystemService
        public void onStartUser(int i) {
            this.mLockSettingsService.onStartUser(i);
        }

        @Override // com.android.server.SystemService
        public void onUnlockUser(int i) {
            this.mLockSettingsService.onUnlockUser(i);
        }

        @Override // com.android.server.SystemService
        public void onCleanupUser(int i) {
            this.mLockSettingsService.onCleanupUser(i);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/android/server/LockSettingsService$SynchronizedStrongAuthTracker.class */
    public static class SynchronizedStrongAuthTracker extends LockPatternUtils.StrongAuthTracker {
        public SynchronizedStrongAuthTracker(Context context) {
            super(context);
        }

        /* JADX INFO: Access modifiers changed from: protected */
        @Override // com.android.internal.widget.LockPatternUtils.StrongAuthTracker
        public void handleStrongAuthRequiredChanged(int i, int i2) {
            synchronized (this) {
                super.handleStrongAuthRequiredChanged(i, i2);
            }
        }

        @Override // com.android.internal.widget.LockPatternUtils.StrongAuthTracker
        public int getStrongAuthForUser(int i) {
            int strongAuthForUser;
            synchronized (this) {
                strongAuthForUser = super.getStrongAuthForUser(i);
            }
            return strongAuthForUser;
        }

        void register(LockSettingsStrongAuth lockSettingsStrongAuth) {
            lockSettingsStrongAuth.registerStrongAuthTracker(this.mStub);
        }
    }

    public void tieManagedProfileLockIfNecessary(int i, String str) {
        if (!this.mUserManager.getUserInfo(i).isManagedProfile() || this.mLockPatternUtils.isSeparateProfileChallengeEnabled(i) || this.mStorage.hasChildProfileLock(i)) {
            return;
        }
        int i2 = this.mUserManager.getProfileParent(i).id;
        if (isUserSecure(i2)) {
            try {
                if (getGateKeeperService().getSecureUserId(i2) == 0) {
                    return;
                }
                byte[] bArr = new byte[0];
                try {
                    String valueOf = String.valueOf(HexEncoding.encode(SecureRandom.getInstance("SHA1PRNG").generateSeed(40)));
                    setLockCredentialInternal(valueOf, 2, str, i);
                    setLong("lockscreen.password_type", 327680L, i);
                    tieProfileLockToParent(i, valueOf);
                } catch (RemoteException | NoSuchAlgorithmException e) {
                    Slog.e(TAG, "Fail to tie managed profile", e);
                }
            } catch (RemoteException e2) {
                Slog.e(TAG, "Failed to talk to GateKeeper service", e2);
            }
        }
    }

    public LockSettingsService(Context context) {
        this(new Injector(context));
    }

    protected LockSettingsService(Injector injector) {
        this.mSeparateChallengeLock = new Object();
        this.mBroadcastReceiver = new BroadcastReceiver() { // from class: com.android.server.LockSettingsService.2
            @Override // android.content.BroadcastReceiver
            public void onReceive(Context context, Intent intent) {
                int intExtra;
                if ("android.intent.action.USER_ADDED".equals(intent.getAction())) {
                    int intExtra2 = intent.getIntExtra("android.intent.extra.user_handle", 0);
                    if (intExtra2 > 0) {
                        LockSettingsService.this.removeUser(intExtra2, true);
                    }
                    KeyStore keyStore = KeyStore.getInstance();
                    UserInfo profileParent = LockSettingsService.this.mUserManager.getProfileParent(intExtra2);
                    keyStore.onUserAdded(intExtra2, profileParent != null ? profileParent.id : -1);
                    return;
                }
                if ("android.intent.action.USER_STARTING".equals(intent.getAction())) {
                    LockSettingsService.this.mStorage.prefetchUser(intent.getIntExtra("android.intent.extra.user_handle", 0));
                } else {
                    if (!"android.intent.action.USER_REMOVED".equals(intent.getAction()) || (intExtra = intent.getIntExtra("android.intent.extra.user_handle", 0)) <= 0) {
                        return;
                    }
                    LockSettingsService.this.removeUser(intExtra, false);
                }
            }
        };
        this.mInjector = injector;
        this.mContext = injector.getContext();
        this.mKeyStore = injector.getKeyStore();
        this.mHandler = injector.getHandler();
        this.mStrongAuth = injector.getStrongAuth();
        this.mActivityManager = injector.getActivityManager();
        this.mLockPatternUtils = injector.getLockPatternUtils();
        this.mFirstCallToVold = true;
        IntentFilter intentFilter = new IntentFilter();
        intentFilter.addAction("android.intent.action.USER_ADDED");
        intentFilter.addAction("android.intent.action.USER_STARTING");
        intentFilter.addAction("android.intent.action.USER_REMOVED");
        injector.getContext().registerReceiverAsUser(this.mBroadcastReceiver, UserHandle.ALL, intentFilter, null, null);
        this.mStorage = injector.getStorage();
        this.mNotificationManager = injector.getNotificationManager();
        this.mUserManager = injector.getUserManager();
        this.mStrongAuthTracker = injector.getStrongAuthTracker();
        this.mStrongAuthTracker.register(this.mStrongAuth);
        this.mSpManager = injector.getSyntheticPasswordManager(this.mStorage);
    }

    private void maybeShowEncryptionNotificationForUser(int i) {
        UserInfo profileParent;
        UserInfo userInfo = this.mUserManager.getUserInfo(i);
        if (userInfo.isManagedProfile()) {
            UserHandle userHandle = userInfo.getUserHandle();
            if (!isUserSecure(i) || this.mUserManager.isUserUnlockingOrUnlocked(userHandle) || (profileParent = this.mUserManager.getProfileParent(i)) == null || !this.mUserManager.isUserUnlockingOrUnlocked(profileParent.getUserHandle()) || this.mUserManager.isQuietModeEnabled(userHandle)) {
                return;
            }
            showEncryptionNotificationForProfile(userHandle);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void showEncryptionNotificationForProfile(UserHandle userHandle) {
        Resources resources = this.mContext.getResources();
        CharSequence text = resources.getText(R.string.user_encrypted_title);
        CharSequence text2 = resources.getText(R.string.profile_encrypted_message);
        CharSequence text3 = resources.getText(R.string.profile_encrypted_detail);
        Intent createConfirmDeviceCredentialIntent = ((KeyguardManager) this.mContext.getSystemService("keyguard")).createConfirmDeviceCredentialIntent(null, null, userHandle.getIdentifier());
        if (createConfirmDeviceCredentialIntent == null) {
            return;
        }
        createConfirmDeviceCredentialIntent.setFlags(276824064);
        showEncryptionNotification(userHandle, text, text2, text3, PendingIntent.getActivity(this.mContext, 0, createConfirmDeviceCredentialIntent, 134217728));
    }

    private void showEncryptionNotification(UserHandle userHandle, CharSequence charSequence, CharSequence charSequence2, CharSequence charSequence3, PendingIntent pendingIntent) {
        if (StorageManager.isFileEncryptedNativeOrEmulated()) {
            this.mNotificationManager.notifyAsUser(null, 9, new Notification.Builder(this.mContext, SystemNotificationChannels.SECURITY).setSmallIcon(R.drawable.ic_user_secure).setWhen(0L).setOngoing(true).setTicker(charSequence).setColor(this.mContext.getColor(R.color.system_notification_accent_color)).setContentTitle(charSequence).setContentText(charSequence2).setSubText(charSequence3).setVisibility(1).setContentIntent(pendingIntent).build(), userHandle);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void hideEncryptionNotification(UserHandle userHandle) {
        this.mNotificationManager.cancelAsUser(null, 9, userHandle);
    }

    public void onCleanupUser(int i) {
        hideEncryptionNotification(new UserHandle(i));
    }

    public void onStartUser(int i) {
        maybeShowEncryptionNotificationForUser(i);
    }

    public void onUnlockUser(final int i) {
        this.mHandler.post(new Runnable() { // from class: com.android.server.LockSettingsService.1
            @Override // java.lang.Runnable
            public void run() {
                LockSettingsService.this.hideEncryptionNotification(new UserHandle(i));
                List<UserInfo> profiles = LockSettingsService.this.mUserManager.getProfiles(i);
                for (int i2 = 0; i2 < profiles.size(); i2++) {
                    UserInfo userInfo = profiles.get(i2);
                    if (LockSettingsService.this.isUserSecure(userInfo.id) && userInfo.isManagedProfile()) {
                        UserHandle userHandle = userInfo.getUserHandle();
                        if (!LockSettingsService.this.mUserManager.isUserUnlockingOrUnlocked(userHandle) && !LockSettingsService.this.mUserManager.isQuietModeEnabled(userHandle)) {
                            LockSettingsService.this.showEncryptionNotificationForProfile(userHandle);
                        }
                    }
                }
                if (LockSettingsService.this.mUserManager.getUserInfo(i).isManagedProfile()) {
                    LockSettingsService.this.tieManagedProfileLockIfNecessary(i, null);
                }
            }
        });
    }

    @Override // com.android.internal.widget.ILockSettings
    public void systemReady() {
        migrateOldData();
        try {
            getGateKeeperService();
        } catch (RemoteException e) {
            Slog.e(TAG, "Failure retrieving IGateKeeperService", e);
        }
        this.mStorage.prefetchUser(0);
    }

    private void migrateOldData() {
        try {
            if (getString("migrated", null, 0) == null) {
                ContentResolver contentResolver = this.mContext.getContentResolver();
                for (String str : VALID_SETTINGS) {
                    String string = Settings.Secure.getString(contentResolver, str);
                    if (string != null) {
                        setString(str, string, 0);
                    }
                }
                setString("migrated", ImsManager.TRUE, 0);
                Slog.i(TAG, "Migrated lock settings to new location");
            }
            if (getString("migrated_user_specific", null, 0) == null) {
                ContentResolver contentResolver2 = this.mContext.getContentResolver();
                List<UserInfo> users = this.mUserManager.getUsers();
                for (int i = 0; i < users.size(); i++) {
                    int i2 = users.get(i).id;
                    String stringForUser = Settings.Secure.getStringForUser(contentResolver2, "lock_screen_owner_info", i2);
                    if (!TextUtils.isEmpty(stringForUser)) {
                        setString("lock_screen_owner_info", stringForUser, i2);
                        Settings.Secure.putStringForUser(contentResolver2, "lock_screen_owner_info", "", i2);
                    }
                    try {
                        setLong("lock_screen_owner_info_enabled", Settings.Secure.getIntForUser(contentResolver2, "lock_screen_owner_info_enabled", i2) != 0 ? 1L : 0L, i2);
                    } catch (Settings.SettingNotFoundException e) {
                        if (!TextUtils.isEmpty(stringForUser)) {
                            setLong("lock_screen_owner_info_enabled", 1L, i2);
                        }
                    }
                    Settings.Secure.putIntForUser(contentResolver2, "lock_screen_owner_info_enabled", 0, i2);
                }
                setString("migrated_user_specific", ImsManager.TRUE, 0);
                Slog.i(TAG, "Migrated per-user lock settings to new location");
            }
            if (getString("migrated_biometric_weak", null, 0) == null) {
                List<UserInfo> users2 = this.mUserManager.getUsers();
                for (int i3 = 0; i3 < users2.size(); i3++) {
                    int i4 = users2.get(i3).id;
                    long j = getLong("lockscreen.password_type", 0L, i4);
                    long j2 = getLong("lockscreen.password_type_alternate", 0L, i4);
                    if (j == 32768) {
                        setLong("lockscreen.password_type", j2, i4);
                    }
                    setLong("lockscreen.password_type_alternate", 0L, i4);
                }
                setString("migrated_biometric_weak", ImsManager.TRUE, 0);
                Slog.i(TAG, "Migrated biometric weak to use the fallback instead");
            }
            if (getString("migrated_lockscreen_disabled", null, 0) == null) {
                List<UserInfo> users3 = this.mUserManager.getUsers();
                int size = users3.size();
                int i5 = 0;
                for (int i6 = 0; i6 < size; i6++) {
                    if (users3.get(i6).supportsSwitchTo()) {
                        i5++;
                    }
                }
                if (i5 > 1) {
                    for (int i7 = 0; i7 < size; i7++) {
                        int i8 = users3.get(i7).id;
                        if (getBoolean("lockscreen.disabled", false, i8)) {
                            setBoolean("lockscreen.disabled", false, i8);
                        }
                    }
                }
                setString("migrated_lockscreen_disabled", ImsManager.TRUE, 0);
                Slog.i(TAG, "Migrated lockscreen disabled flag");
            }
            List<UserInfo> users4 = this.mUserManager.getUsers();
            for (int i9 = 0; i9 < users4.size(); i9++) {
                UserInfo userInfo = users4.get(i9);
                if (userInfo.isManagedProfile() && this.mStorage.hasChildProfileLock(userInfo.id)) {
                    long j3 = getLong("lockscreen.password_type", 0L, userInfo.id);
                    if (j3 == 0) {
                        Slog.i(TAG, "Migrated tied profile lock type");
                        setLong("lockscreen.password_type", 327680L, userInfo.id);
                    } else if (j3 != 327680) {
                        Slog.e(TAG, "Invalid tied profile lock type: " + j3);
                    }
                }
                try {
                    String str2 = "profile_key_name_encrypt_" + userInfo.id;
                    java.security.KeyStore keyStore = java.security.KeyStore.getInstance("AndroidKeyStore");
                    keyStore.load(null);
                    if (keyStore.containsAlias(str2)) {
                        keyStore.deleteEntry(str2);
                    }
                } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e2) {
                    Slog.e(TAG, "Unable to remove tied profile key", e2);
                }
            }
            if (this.mContext.getPackageManager().hasSystemFeature("android.hardware.type.watch") && getString("migrated_wear_lockscreen_disabled", null, 0) == null) {
                int size2 = users4.size();
                for (int i10 = 0; i10 < size2; i10++) {
                    setBoolean("lockscreen.disabled", false, users4.get(i10).id);
                }
                setString("migrated_wear_lockscreen_disabled", ImsManager.TRUE, 0);
                Slog.i(TAG, "Migrated lockscreen_disabled for Wear devices");
            }
        } catch (RemoteException e3) {
            Slog.e(TAG, "Unable to migrate old data", e3);
        }
    }

    private final void checkWritePermission(int i) {
        this.mContext.enforceCallingOrSelfPermission(PERMISSION, "LockSettingsWrite");
    }

    private final void checkPasswordReadPermission(int i) {
        this.mContext.enforceCallingOrSelfPermission(PERMISSION, "LockSettingsRead");
    }

    private final void checkReadPermission(String str, int i) {
        int callingUid = Binder.getCallingUid();
        for (int i2 = 0; i2 < READ_CONTACTS_PROTECTED_SETTINGS.length; i2++) {
            if (READ_CONTACTS_PROTECTED_SETTINGS[i2].equals(str) && this.mContext.checkCallingOrSelfPermission("android.permission.READ_CONTACTS") != 0) {
                throw new SecurityException("uid=" + callingUid + " needs permission android.permission.READ_CONTACTS to read " + str + " for user " + i);
            }
        }
        for (int i3 = 0; i3 < READ_PASSWORD_PROTECTED_SETTINGS.length; i3++) {
            if (READ_PASSWORD_PROTECTED_SETTINGS[i3].equals(str) && this.mContext.checkCallingOrSelfPermission(PERMISSION) != 0) {
                throw new SecurityException("uid=" + callingUid + " needs permission " + PERMISSION + " to read " + str + " for user " + i);
            }
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean getSeparateProfileChallengeEnabled(int i) throws RemoteException {
        boolean z;
        checkReadPermission(SEPARATE_PROFILE_CHALLENGE_KEY, i);
        synchronized (this.mSeparateChallengeLock) {
            z = getBoolean(SEPARATE_PROFILE_CHALLENGE_KEY, false, i);
        }
        return z;
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setSeparateProfileChallengeEnabled(int i, boolean z, String str) throws RemoteException {
        checkWritePermission(i);
        synchronized (this.mSeparateChallengeLock) {
            setBoolean(SEPARATE_PROFILE_CHALLENGE_KEY, z, i);
            if (z) {
                this.mStorage.removeChildProfileLock(i);
                removeKeystoreProfileKey(i);
            } else {
                tieManagedProfileLockIfNecessary(i, str);
            }
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setBoolean(String str, boolean z, int i) throws RemoteException {
        checkWritePermission(i);
        setStringUnchecked(str, i, z ? "1" : AndroidHardcodedSystemProperties.JAVA_VERSION);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setLong(String str, long j, int i) throws RemoteException {
        checkWritePermission(i);
        setStringUnchecked(str, i, Long.toString(j));
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setString(String str, String str2, int i) throws RemoteException {
        checkWritePermission(i);
        setStringUnchecked(str, i, str2);
    }

    private void setStringUnchecked(String str, int i, String str2) {
        this.mStorage.writeKeyValue(str, str2, i);
        if (ArrayUtils.contains(SETTINGS_TO_BACKUP, str)) {
            BackupManager.dataChanged("com.android.providers.settings");
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean getBoolean(String str, boolean z, int i) throws RemoteException {
        checkReadPermission(str, i);
        String stringUnchecked = getStringUnchecked(str, null, i);
        return TextUtils.isEmpty(stringUnchecked) ? z : stringUnchecked.equals("1") || stringUnchecked.equals(ImsManager.TRUE);
    }

    @Override // com.android.internal.widget.ILockSettings
    public long getLong(String str, long j, int i) throws RemoteException {
        checkReadPermission(str, i);
        String stringUnchecked = getStringUnchecked(str, null, i);
        return TextUtils.isEmpty(stringUnchecked) ? j : Long.parseLong(stringUnchecked);
    }

    @Override // com.android.internal.widget.ILockSettings
    public String getString(String str, String str2, int i) throws RemoteException {
        checkReadPermission(str, i);
        return getStringUnchecked(str, str2, i);
    }

    public String getStringUnchecked(String str, String str2, int i) {
        if (!"lock_pattern_autolock".equals(str)) {
            if ("legacy_lock_pattern_enabled".equals(str)) {
                str = "lock_pattern_autolock";
            }
            return this.mStorage.readKeyValue(str, str2, i);
        }
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            return this.mLockPatternUtils.isLockPatternEnabled(i) ? "1" : AndroidHardcodedSystemProperties.JAVA_VERSION;
        } finally {
            Binder.restoreCallingIdentity(clearCallingIdentity);
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean havePassword(int i) throws RemoteException {
        synchronized (this.mSpManager) {
            if (isSyntheticPasswordBasedCredentialLocked(i)) {
                return this.mSpManager.getCredentialType(getSyntheticPasswordHandleLocked(i), i) == 2;
            }
            return this.mStorage.hasPassword(i);
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean havePattern(int i) throws RemoteException {
        synchronized (this.mSpManager) {
            if (isSyntheticPasswordBasedCredentialLocked(i)) {
                return this.mSpManager.getCredentialType(getSyntheticPasswordHandleLocked(i), i) == 1;
            }
            return this.mStorage.hasPattern(i);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean isUserSecure(int i) {
        synchronized (this.mSpManager) {
            if (isSyntheticPasswordBasedCredentialLocked(i)) {
                return this.mSpManager.getCredentialType(getSyntheticPasswordHandleLocked(i), i) != -1;
            }
            return this.mStorage.hasCredential(i);
        }
    }

    private void setKeystorePassword(String str, int i) {
        KeyStore.getInstance().onUserPasswordChanged(i, str);
    }

    private void unlockKeystore(String str, int i) {
        KeyStore.getInstance().unlock(i, str);
    }

    protected String getDecryptedPasswordForTiedProfile(int i) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, CertificateException, IOException {
        byte[] readChildProfileLock = this.mStorage.readChildProfileLock(i);
        if (readChildProfileLock == null) {
            throw new FileNotFoundException("Child profile lock file not found");
        }
        byte[] copyOfRange = Arrays.copyOfRange(readChildProfileLock, 0, 12);
        byte[] copyOfRange2 = Arrays.copyOfRange(readChildProfileLock, 12, readChildProfileLock.length);
        java.security.KeyStore keyStore = java.security.KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        SecretKey secretKey = (SecretKey) keyStore.getKey("profile_key_name_decrypt_" + i, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(2, secretKey, new GCMParameterSpec(128, copyOfRange));
        return new String(cipher.doFinal(copyOfRange2), StandardCharsets.UTF_8);
    }

    private void unlockChildProfile(int i) throws RemoteException {
        try {
            doVerifyCredential(getDecryptedPasswordForTiedProfile(i), 2, false, 0L, i, null);
        } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            if (e instanceof FileNotFoundException) {
                Slog.i(TAG, "Child profile key not found");
            } else {
                Slog.e(TAG, "Failed to decrypt child profile key", e);
            }
        }
    }

    private void unlockUser(int i, byte[] bArr, byte[] bArr2) {
        final CountDownLatch countDownLatch = new CountDownLatch(1);
        try {
            this.mActivityManager.unlockUser(i, bArr, bArr2, new IProgressListener.Stub() { // from class: com.android.server.LockSettingsService.3
                @Override // android.os.IProgressListener
                public void onStarted(int i2, Bundle bundle) throws RemoteException {
                    Log.d(LockSettingsService.TAG, "unlockUser started");
                }

                @Override // android.os.IProgressListener
                public void onProgress(int i2, int i3, Bundle bundle) throws RemoteException {
                    Log.d(LockSettingsService.TAG, "unlockUser progress " + i3);
                }

                @Override // android.os.IProgressListener
                public void onFinished(int i2, Bundle bundle) throws RemoteException {
                    Log.d(LockSettingsService.TAG, "unlockUser finished");
                    countDownLatch.countDown();
                }
            });
            try {
                countDownLatch.await(15L, TimeUnit.SECONDS);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            try {
                if (!this.mUserManager.getUserInfo(i).isManagedProfile()) {
                    for (UserInfo userInfo : this.mUserManager.getProfiles(i)) {
                        if (userInfo.isManagedProfile() && !this.mLockPatternUtils.isSeparateProfileChallengeEnabled(userInfo.id) && this.mStorage.hasChildProfileLock(userInfo.id) && this.mUserManager.isUserRunning(userInfo.id)) {
                            unlockChildProfile(userInfo.id);
                        }
                    }
                }
            } catch (RemoteException e2) {
                Log.d(TAG, "Failed to unlock child profile", e2);
            }
        } catch (RemoteException e3) {
            throw e3.rethrowAsRuntimeException();
        }
    }

    private Map<Integer, String> getDecryptedPasswordsForAllTiedProfiles(int i) {
        if (this.mUserManager.getUserInfo(i).isManagedProfile()) {
            return null;
        }
        ArrayMap arrayMap = new ArrayMap();
        List<UserInfo> profiles = this.mUserManager.getProfiles(i);
        int size = profiles.size();
        for (int i2 = 0; i2 < size; i2++) {
            UserInfo userInfo = profiles.get(i2);
            if (userInfo.isManagedProfile()) {
                if (!this.mLockPatternUtils.isSeparateProfileChallengeEnabled(userInfo.id)) {
                    try {
                        arrayMap.put(Integer.valueOf(i), getDecryptedPasswordForTiedProfile(i));
                    } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                    }
                }
            }
        }
        return arrayMap;
    }

    private void synchronizeUnifiedWorkChallengeForProfiles(int i, Map<Integer, String> map) throws RemoteException {
        if (this.mUserManager.getUserInfo(i).isManagedProfile()) {
            return;
        }
        boolean isUserSecure = isUserSecure(i);
        List<UserInfo> profiles = this.mUserManager.getProfiles(i);
        int size = profiles.size();
        for (int i2 = 0; i2 < size; i2++) {
            UserInfo userInfo = profiles.get(i2);
            if (userInfo.isManagedProfile()) {
                int i3 = userInfo.id;
                if (!this.mLockPatternUtils.isSeparateProfileChallengeEnabled(i3)) {
                    if (isUserSecure) {
                        tieManagedProfileLockIfNecessary(i3, null);
                    } else {
                        if (map == null || !map.containsKey(Integer.valueOf(i3))) {
                            Slog.wtf(TAG, "clear tied profile challenges, but no password supplied.");
                            setLockCredentialInternal(null, -1, null, i3);
                        } else {
                            setLockCredentialInternal(null, -1, map.get(Integer.valueOf(i3)), i3);
                        }
                        this.mStorage.removeChildProfileLock(i3);
                        removeKeystoreProfileKey(i3);
                    }
                }
            }
        }
    }

    private boolean isManagedProfileWithUnifiedLock(int i) {
        return this.mUserManager.getUserInfo(i).isManagedProfile() && !this.mLockPatternUtils.isSeparateProfileChallengeEnabled(i);
    }

    private boolean isManagedProfileWithSeparatedLock(int i) {
        return this.mUserManager.getUserInfo(i).isManagedProfile() && this.mLockPatternUtils.isSeparateProfileChallengeEnabled(i);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void setLockCredential(String str, int i, String str2, int i2) throws RemoteException {
        checkWritePermission(i2);
        synchronized (this.mSeparateChallengeLock) {
            setLockCredentialInternal(str, i, str2, i2);
            setSeparateProfileChallengeEnabled(i2, true, null);
            notifyPasswordChanged(i2);
        }
    }

    private void setLockCredentialInternal(String str, int i, String str2, int i2) throws RemoteException {
        if (TextUtils.isEmpty(str2)) {
            str2 = null;
        }
        if (TextUtils.isEmpty(str)) {
            str = null;
        }
        synchronized (this.mSpManager) {
            if (isSyntheticPasswordBasedCredentialLocked(i2)) {
                spBasedSetLockCredentialInternalLocked(str, i, str2, i2);
                return;
            }
            if (i == -1) {
                if (str != null) {
                    Slog.wtf(TAG, "CredentialType is none, but credential is non-null.");
                }
                clearUserKeyProtection(i2);
                getGateKeeperService().clearSecureUserId(i2);
                this.mStorage.writeCredentialHash(LockSettingsStorage.CredentialHash.createEmptyHash(), i2);
                setKeystorePassword(null, i2);
                fixateNewestUserKeyAuth(i2);
                synchronizeUnifiedWorkChallengeForProfiles(i2, null);
                notifyActivePasswordMetricsAvailable(null, i2);
                return;
            }
            if (str == null) {
                throw new RemoteException("Null credential with mismatched credential type");
            }
            LockSettingsStorage.CredentialHash readCredentialHash = this.mStorage.readCredentialHash(i2);
            if (isManagedProfileWithUnifiedLock(i2)) {
                if (str2 == null) {
                    try {
                        str2 = getDecryptedPasswordForTiedProfile(i2);
                    } catch (FileNotFoundException e) {
                        Slog.i(TAG, "Child profile key not found");
                    } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e2) {
                        Slog.e(TAG, "Failed to decrypt child profile key", e2);
                    }
                }
            } else if (readCredentialHash.hash == null) {
                if (str2 != null) {
                    Slog.w(TAG, "Saved credential provided, but none stored");
                }
                str2 = null;
            }
            synchronized (this.mSpManager) {
                if (shouldMigrateToSyntheticPasswordLocked(i2)) {
                    initializeSyntheticPasswordLocked(readCredentialHash.hash, str2, readCredentialHash.type, i2);
                    spBasedSetLockCredentialInternalLocked(str, i, str2, i2);
                    return;
                }
                byte[] enrollCredential = enrollCredential(readCredentialHash.hash, str2, str, i2);
                if (enrollCredential == null) {
                    throw new RemoteException("Failed to enroll " + (i == 2 ? ParameterNames.PASSWORD : "pattern"));
                }
                LockSettingsStorage.CredentialHash create = LockSettingsStorage.CredentialHash.create(enrollCredential, i);
                this.mStorage.writeCredentialHash(create, i2);
                setUserKeyProtection(i2, str, convertResponse(getGateKeeperService().verifyChallenge(i2, 0L, create.hash, str.getBytes())));
                fixateNewestUserKeyAuth(i2);
                doVerifyCredential(str, i, true, 0L, i2, null);
                synchronizeUnifiedWorkChallengeForProfiles(i2, null);
            }
        }
    }

    private VerifyCredentialResponse convertResponse(GateKeeperResponse gateKeeperResponse) {
        VerifyCredentialResponse verifyCredentialResponse;
        int responseCode = gateKeeperResponse.getResponseCode();
        if (responseCode == 1) {
            verifyCredentialResponse = new VerifyCredentialResponse(gateKeeperResponse.getTimeout());
        } else if (responseCode == 0) {
            byte[] payload = gateKeeperResponse.getPayload();
            if (payload == null) {
                Slog.e(TAG, "verifyChallenge response had no associated payload");
                verifyCredentialResponse = VerifyCredentialResponse.ERROR;
            } else {
                verifyCredentialResponse = new VerifyCredentialResponse(payload);
            }
        } else {
            verifyCredentialResponse = VerifyCredentialResponse.ERROR;
        }
        return verifyCredentialResponse;
    }

    protected void tieProfileLockToParent(int i, String str) {
        byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
            keyGenerator.init(new SecureRandom());
            SecretKey generateKey = keyGenerator.generateKey();
            java.security.KeyStore keyStore = java.security.KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            try {
                keyStore.setEntry("profile_key_name_encrypt_" + i, new KeyStore.SecretKeyEntry(generateKey), new KeyProtection.Builder(1).setBlockModes("GCM").setEncryptionPaddings("NoPadding").build());
                keyStore.setEntry("profile_key_name_decrypt_" + i, new KeyStore.SecretKeyEntry(generateKey), new KeyProtection.Builder(2).setBlockModes("GCM").setEncryptionPaddings("NoPadding").setUserAuthenticationRequired(true).setUserAuthenticationValidityDurationSeconds(30).build());
                SecretKey secretKey = (SecretKey) keyStore.getKey("profile_key_name_encrypt_" + i, null);
                Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
                cipher.init(1, secretKey);
                byte[] doFinal = cipher.doFinal(bytes);
                byte[] iv = cipher.getIV();
                keyStore.deleteEntry("profile_key_name_encrypt_" + i);
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                try {
                    if (iv.length != 12) {
                        throw new RuntimeException("Invalid iv length: " + iv.length);
                    }
                    byteArrayOutputStream.write(iv);
                    byteArrayOutputStream.write(doFinal);
                    this.mStorage.writeChildProfileLock(i, byteArrayOutputStream.toByteArray());
                } catch (IOException e) {
                    throw new RuntimeException("Failed to concatenate byte arrays", e);
                }
            } catch (Throwable th) {
                keyStore.deleteEntry("profile_key_name_encrypt_" + i);
                throw th;
            }
        } catch (IOException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e2) {
            throw new RuntimeException("Failed to encrypt key", e2);
        }
    }

    private byte[] enrollCredential(byte[] bArr, String str, String str2, int i) throws RemoteException {
        checkWritePermission(i);
        GateKeeperResponse enroll = getGateKeeperService().enroll(i, bArr, str == null ? null : str.getBytes(), str2 == null ? null : str2.getBytes());
        if (enroll == null) {
            return null;
        }
        byte[] payload = enroll.getPayload();
        if (payload != null) {
            setKeystorePassword(str2, i);
        } else {
            Slog.e(TAG, "Throttled while enrolling a password");
        }
        return payload;
    }

    private void setAuthlessUserKeyProtection(int i, byte[] bArr) throws RemoteException {
        addUserKeyAuth(i, null, bArr);
    }

    private void setUserKeyProtection(int i, String str, VerifyCredentialResponse verifyCredentialResponse) throws RemoteException {
        if (verifyCredentialResponse == null) {
            throw new RemoteException("Null response verifying a credential we just set");
        }
        if (verifyCredentialResponse.getResponseCode() != 0) {
            throw new RemoteException("Non-OK response verifying a credential we just set: " + verifyCredentialResponse.getResponseCode());
        }
        byte[] payload = verifyCredentialResponse.getPayload();
        if (payload == null) {
            throw new RemoteException("Empty payload verifying a credential we just set");
        }
        addUserKeyAuth(i, payload, secretFromCredential(str));
    }

    private void clearUserKeyProtection(int i) throws RemoteException {
        addUserKeyAuth(i, null, null);
    }

    private static byte[] secretFromCredential(String str) throws RemoteException {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(EvpMdRef.SHA512.JCA_NAME);
            messageDigest.update(Arrays.copyOf("Android FBE credential hash".getBytes(StandardCharsets.UTF_8), 128));
            messageDigest.update(str.getBytes(StandardCharsets.UTF_8));
            return messageDigest.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("NoSuchAlgorithmException for SHA-512");
        }
    }

    private void addUserKeyAuth(int i, byte[] bArr, byte[] bArr2) throws RemoteException {
        UserInfo userInfo = this.mUserManager.getUserInfo(i);
        IStorageManager storageManager = this.mInjector.getStorageManager();
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            storageManager.addUserKeyAuth(i, userInfo.serialNumber, bArr, bArr2);
            Binder.restoreCallingIdentity(clearCallingIdentity);
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    private void fixateNewestUserKeyAuth(int i) throws RemoteException {
        IStorageManager storageManager = this.mInjector.getStorageManager();
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            storageManager.fixateNewestUserKeyAuth(i);
            Binder.restoreCallingIdentity(clearCallingIdentity);
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    /* JADX WARN: Finally extract failed */
    @Override // com.android.internal.widget.ILockSettings
    public void resetKeyStore(int i) throws RemoteException {
        checkWritePermission(i);
        int i2 = -1;
        String str = null;
        for (UserInfo userInfo : this.mUserManager.getProfiles(i)) {
            if (userInfo.isManagedProfile() && !this.mLockPatternUtils.isSeparateProfileChallengeEnabled(userInfo.id) && this.mStorage.hasChildProfileLock(userInfo.id)) {
                if (i2 == -1) {
                    try {
                        str = getDecryptedPasswordForTiedProfile(userInfo.id);
                        i2 = userInfo.id;
                    } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                        Slog.e(TAG, "Failed to decrypt child profile key", e);
                    }
                } else {
                    Slog.e(TAG, "More than one managed profile, uid1:" + i2 + ", uid2:" + userInfo.id);
                }
            }
        }
        try {
            for (int i3 : this.mUserManager.getProfileIdsWithDisabled(i)) {
                for (int i4 : SYSTEM_CREDENTIAL_UIDS) {
                    this.mKeyStore.clearUid(UserHandle.getUid(i3, i4));
                }
            }
            if (i2 == -1 || str == null) {
                return;
            }
            tieProfileLockToParent(i2, str);
        } catch (Throwable th) {
            if (i2 != -1 && str != null) {
                tieProfileLockToParent(i2, str);
            }
            throw th;
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public VerifyCredentialResponse checkCredential(String str, int i, int i2, ICheckCredentialProgressCallback iCheckCredentialProgressCallback) throws RemoteException {
        checkPasswordReadPermission(i2);
        return doVerifyCredential(str, i, false, 0L, i2, iCheckCredentialProgressCallback);
    }

    @Override // com.android.internal.widget.ILockSettings
    public VerifyCredentialResponse verifyCredential(String str, int i, long j, int i2) throws RemoteException {
        checkPasswordReadPermission(i2);
        return doVerifyCredential(str, i, true, j, i2, null);
    }

    private VerifyCredentialResponse doVerifyCredential(String str, int i, boolean z, long j, int i2, ICheckCredentialProgressCallback iCheckCredentialProgressCallback) throws RemoteException {
        if (TextUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Credential can't be null or empty");
        }
        synchronized (this.mSpManager) {
            if (isSyntheticPasswordBasedCredentialLocked(i2)) {
                VerifyCredentialResponse spBasedDoVerifyCredentialLocked = spBasedDoVerifyCredentialLocked(str, i, z, j, i2, iCheckCredentialProgressCallback);
                if (spBasedDoVerifyCredentialLocked.getResponseCode() == 0) {
                    this.mStrongAuth.reportSuccessfulStrongAuthUnlock(i2);
                }
                return spBasedDoVerifyCredentialLocked;
            }
            LockSettingsStorage.CredentialHash readCredentialHash = this.mStorage.readCredentialHash(i2);
            if (readCredentialHash.type != i) {
                Slog.wtf(TAG, "doVerifyCredential type mismatch with stored credential?? stored: " + readCredentialHash.type + " passed in: " + i);
                return VerifyCredentialResponse.ERROR;
            }
            boolean z2 = readCredentialHash.type == 1 && readCredentialHash.isBaseZeroPattern;
            String patternStringToBaseZero = z2 ? LockPatternUtils.patternStringToBaseZero(str) : str;
            VerifyCredentialResponse verifyCredential = verifyCredential(i2, readCredentialHash, patternStringToBaseZero, z, j, iCheckCredentialProgressCallback);
            if (verifyCredential.getResponseCode() == 0) {
                this.mStrongAuth.reportSuccessfulStrongAuthUnlock(i2);
                if (z2) {
                    setLockCredentialInternal(str, readCredentialHash.type, patternStringToBaseZero, i2);
                }
            }
            return verifyCredential;
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public VerifyCredentialResponse verifyTiedProfileChallenge(String str, int i, long j, int i2) throws RemoteException {
        checkPasswordReadPermission(i2);
        if (!isManagedProfileWithUnifiedLock(i2)) {
            throw new RemoteException("User id must be managed profile with unified lock");
        }
        VerifyCredentialResponse doVerifyCredential = doVerifyCredential(str, i, true, j, this.mUserManager.getProfileParent(i2).id, null);
        if (doVerifyCredential.getResponseCode() != 0) {
            return doVerifyCredential;
        }
        try {
            return doVerifyCredential(getDecryptedPasswordForTiedProfile(i2), 2, true, j, i2, null);
        } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            Slog.e(TAG, "Failed to decrypt child profile key", e);
            throw new RemoteException("Unable to get tied profile token");
        }
    }

    private VerifyCredentialResponse verifyCredential(int i, LockSettingsStorage.CredentialHash credentialHash, String str, boolean z, long j, ICheckCredentialProgressCallback iCheckCredentialProgressCallback) throws RemoteException {
        if ((credentialHash == null || credentialHash.hash.length == 0) && TextUtils.isEmpty(str)) {
            return VerifyCredentialResponse.OK;
        }
        if (credentialHash == null || TextUtils.isEmpty(str)) {
            return VerifyCredentialResponse.ERROR;
        }
        StrictMode.noteDiskRead();
        if (credentialHash.version == 0) {
            if (!Arrays.equals(credentialHash.type == 1 ? LockPatternUtils.patternToHash(LockPatternUtils.stringToPattern(str)) : this.mLockPatternUtils.passwordToHash(str, i), credentialHash.hash)) {
                return VerifyCredentialResponse.ERROR;
            }
            if (credentialHash.type == 1) {
                unlockKeystore(LockPatternUtils.patternStringToBaseZero(str), i);
            } else {
                unlockKeystore(str, i);
            }
            Slog.i(TAG, "Unlocking user with fake token: " + i);
            byte[] bytes = String.valueOf(i).getBytes();
            unlockUser(i, bytes, bytes);
            setLockCredentialInternal(str, credentialHash.type, null, i);
            if (!z) {
                notifyActivePasswordMetricsAvailable(str, i);
                return VerifyCredentialResponse.OK;
            }
        }
        GateKeeperResponse verifyChallenge = getGateKeeperService().verifyChallenge(i, j, credentialHash.hash, str.getBytes());
        VerifyCredentialResponse convertResponse = convertResponse(verifyChallenge);
        boolean shouldReEnroll = verifyChallenge.getShouldReEnroll();
        if (convertResponse.getResponseCode() == 0) {
            if (iCheckCredentialProgressCallback != null) {
                iCheckCredentialProgressCallback.onCredentialVerified();
            }
            notifyActivePasswordMetricsAvailable(str, i);
            unlockKeystore(str, i);
            Slog.i(TAG, "Unlocking user " + i + " with token length " + convertResponse.getPayload().length);
            unlockUser(i, convertResponse.getPayload(), secretFromCredential(str));
            if (isManagedProfileWithSeparatedLock(i)) {
                ((TrustManager) this.mContext.getSystemService("trust")).setDeviceLockedForUser(i, false);
            }
            if (shouldReEnroll) {
                setLockCredentialInternal(str, credentialHash.type, str, i);
            } else {
                synchronized (this.mSpManager) {
                    if (shouldMigrateToSyntheticPasswordLocked(i)) {
                        activateEscrowTokens(initializeSyntheticPasswordLocked(credentialHash.hash, str, credentialHash.type, i), i);
                    }
                }
            }
        } else if (convertResponse.getResponseCode() == 1 && convertResponse.getTimeout() > 0) {
            requireStrongAuth(8, i);
        }
        return convertResponse;
    }

    private void notifyActivePasswordMetricsAvailable(String str, int i) {
        PasswordMetrics computeForPassword;
        if (str == null) {
            computeForPassword = new PasswordMetrics();
        } else {
            computeForPassword = PasswordMetrics.computeForPassword(str);
            computeForPassword.quality = this.mLockPatternUtils.getKeyguardStoredPasswordQuality(i);
        }
        PasswordMetrics passwordMetrics = computeForPassword;
        this.mHandler.post(() -> {
            ((DevicePolicyManager) this.mContext.getSystemService("device_policy")).setActivePasswordState(passwordMetrics, i);
        });
    }

    private void notifyPasswordChanged(int i) {
        this.mHandler.post(() -> {
            ((DevicePolicyManager) this.mContext.getSystemService("device_policy")).reportPasswordChanged(i);
        });
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean checkVoldPassword(int i) throws RemoteException {
        if (!this.mFirstCallToVold) {
            return false;
        }
        this.mFirstCallToVold = false;
        checkPasswordReadPermission(i);
        IStorageManager storageManager = this.mInjector.getStorageManager();
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            String password = storageManager.getPassword();
            storageManager.clearPassword();
            Binder.restoreCallingIdentity(clearCallingIdentity);
            if (password == null) {
                return false;
            }
            try {
                if (this.mLockPatternUtils.isLockPatternEnabled(i)) {
                    if (checkCredential(password, 1, i, null).getResponseCode() == 0) {
                        return true;
                    }
                }
            } catch (Exception e) {
            }
            try {
                if (this.mLockPatternUtils.isLockPasswordEnabled(i)) {
                    return checkCredential(password, 2, i, null).getResponseCode() == 0;
                }
                return false;
            } catch (Exception e2) {
                return false;
            }
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void removeUser(int i, boolean z) {
        this.mStorage.removeUser(i);
        this.mStrongAuth.removeUser(i);
        android.security.KeyStore.getInstance().onUserRemoved(i);
        try {
            IGateKeeperService gateKeeperService = getGateKeeperService();
            if (gateKeeperService != null) {
                gateKeeperService.clearSecureUserId(i);
            }
        } catch (RemoteException e) {
            Slog.w(TAG, "unable to clear GK secure user id");
        }
        if (z || this.mUserManager.getUserInfo(i).isManagedProfile()) {
            removeKeystoreProfileKey(i);
        }
    }

    private void removeKeystoreProfileKey(int i) {
        try {
            java.security.KeyStore keyStore = java.security.KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            keyStore.deleteEntry("profile_key_name_encrypt_" + i);
            keyStore.deleteEntry("profile_key_name_decrypt_" + i);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            Slog.e(TAG, "Unable to remove keystore profile key for user:" + i, e);
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public void registerStrongAuthTracker(IStrongAuthTracker iStrongAuthTracker) {
        checkPasswordReadPermission(-1);
        this.mStrongAuth.registerStrongAuthTracker(iStrongAuthTracker);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void unregisterStrongAuthTracker(IStrongAuthTracker iStrongAuthTracker) {
        checkPasswordReadPermission(-1);
        this.mStrongAuth.unregisterStrongAuthTracker(iStrongAuthTracker);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void requireStrongAuth(int i, int i2) {
        checkWritePermission(i2);
        this.mStrongAuth.requireStrongAuth(i, i2);
    }

    @Override // com.android.internal.widget.ILockSettings
    public void userPresent(int i) {
        checkWritePermission(i);
        this.mStrongAuth.reportUnlock(i);
    }

    @Override // com.android.internal.widget.ILockSettings
    public int getStrongAuthForUser(int i) {
        checkPasswordReadPermission(i);
        return this.mStrongAuthTracker.getStrongAuthForUser(i);
    }

    private boolean isCallerShell() {
        int callingUid = Binder.getCallingUid();
        return callingUid == 2000 || callingUid == 0;
    }

    private void enforceShell() {
        if (!isCallerShell()) {
            throw new SecurityException("Caller must be shell");
        }
    }

    @Override // android.os.Binder
    public void onShellCommand(FileDescriptor fileDescriptor, FileDescriptor fileDescriptor2, FileDescriptor fileDescriptor3, String[] strArr, ShellCallback shellCallback, ResultReceiver resultReceiver) throws RemoteException {
        enforceShell();
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            new LockSettingsShellCommand(this.mContext, new LockPatternUtils(this.mContext)).exec(this, fileDescriptor, fileDescriptor2, fileDescriptor3, strArr, shellCallback, resultReceiver);
            Binder.restoreCallingIdentity(clearCallingIdentity);
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    protected synchronized IGateKeeperService getGateKeeperService() throws RemoteException {
        if (this.mGateKeeperService != null) {
            return this.mGateKeeperService;
        }
        IBinder service = ServiceManager.getService("android.service.gatekeeper.IGateKeeperService");
        if (service == null) {
            Slog.e(TAG, "Unable to acquire GateKeeperService");
            return null;
        }
        service.linkToDeath(new GateKeeperDiedRecipient(), 0);
        this.mGateKeeperService = IGateKeeperService.Stub.asInterface(service);
        return this.mGateKeeperService;
    }

    private SyntheticPasswordManager.AuthenticationToken initializeSyntheticPasswordLocked(byte[] bArr, String str, int i, int i2) throws RemoteException {
        Slog.i(TAG, "Initialize SyntheticPassword for user: " + i2);
        SyntheticPasswordManager.AuthenticationToken newSyntheticPasswordAndSid = this.mSpManager.newSyntheticPasswordAndSid(getGateKeeperService(), bArr, str, i2);
        if (newSyntheticPasswordAndSid == null) {
            Slog.wtf(TAG, "initializeSyntheticPasswordLocked returns null auth token");
            return null;
        }
        long createPasswordBasedSyntheticPassword = this.mSpManager.createPasswordBasedSyntheticPassword(getGateKeeperService(), str, i, newSyntheticPasswordAndSid, i2);
        if (str != null) {
            if (bArr == null) {
                this.mSpManager.newSidForUser(getGateKeeperService(), newSyntheticPasswordAndSid, i2);
            }
            this.mSpManager.verifyChallenge(getGateKeeperService(), newSyntheticPasswordAndSid, 0L, i2);
            setAuthlessUserKeyProtection(i2, newSyntheticPasswordAndSid.deriveDiskEncryptionKey());
            setKeystorePassword(newSyntheticPasswordAndSid.deriveKeyStorePassword(), i2);
        } else {
            clearUserKeyProtection(i2);
            setKeystorePassword(null, i2);
            getGateKeeperService().clearSecureUserId(i2);
        }
        fixateNewestUserKeyAuth(i2);
        setLong("sp-handle", createPasswordBasedSyntheticPassword, i2);
        return newSyntheticPasswordAndSid;
    }

    private long getSyntheticPasswordHandleLocked(int i) {
        try {
            return getLong("sp-handle", 0L, i);
        } catch (RemoteException e) {
            return 0L;
        }
    }

    private boolean isSyntheticPasswordBasedCredentialLocked(int i) throws RemoteException {
        return (getLong("enable-sp", 0L, 0) == 0 || getSyntheticPasswordHandleLocked(i) == 0) ? false : true;
    }

    private boolean shouldMigrateToSyntheticPasswordLocked(int i) throws RemoteException {
        return getLong("enable-sp", 0L, 0) != 0 && getSyntheticPasswordHandleLocked(i) == 0;
    }

    private void enableSyntheticPasswordLocked() throws RemoteException {
        setLong("enable-sp", 1L, 0);
    }

    private VerifyCredentialResponse spBasedDoVerifyCredentialLocked(String str, int i, boolean z, long j, int i2, ICheckCredentialProgressCallback iCheckCredentialProgressCallback) throws RemoteException {
        if (i == -1) {
            str = null;
        }
        SyntheticPasswordManager.AuthenticationResult unwrapPasswordBasedSyntheticPassword = this.mSpManager.unwrapPasswordBasedSyntheticPassword(getGateKeeperService(), getSyntheticPasswordHandleLocked(i2), str, i2);
        VerifyCredentialResponse verifyCredentialResponse = unwrapPasswordBasedSyntheticPassword.gkResponse;
        if (verifyCredentialResponse.getResponseCode() == 0) {
            verifyCredentialResponse = this.mSpManager.verifyChallenge(getGateKeeperService(), unwrapPasswordBasedSyntheticPassword.authToken, j, i2);
            if (verifyCredentialResponse.getResponseCode() != 0) {
                Slog.wtf(TAG, "verifyChallenge with SP failed.");
                return VerifyCredentialResponse.ERROR;
            }
            if (iCheckCredentialProgressCallback != null) {
                iCheckCredentialProgressCallback.onCredentialVerified();
            }
            notifyActivePasswordMetricsAvailable(str, i2);
            unlockKeystore(unwrapPasswordBasedSyntheticPassword.authToken.deriveKeyStorePassword(), i2);
            byte[] deriveDiskEncryptionKey = unwrapPasswordBasedSyntheticPassword.authToken.deriveDiskEncryptionKey();
            Slog.i(TAG, "Unlocking user " + i2 + " with secret only, length " + deriveDiskEncryptionKey.length);
            unlockUser(i2, null, deriveDiskEncryptionKey);
            if (isManagedProfileWithSeparatedLock(i2)) {
                ((TrustManager) this.mContext.getSystemService("trust")).setDeviceLockedForUser(i2, false);
            }
            activateEscrowTokens(unwrapPasswordBasedSyntheticPassword.authToken, i2);
        } else if (verifyCredentialResponse.getResponseCode() == 1 && verifyCredentialResponse.getTimeout() > 0) {
            requireStrongAuth(8, i2);
        }
        return verifyCredentialResponse;
    }

    private long setLockCredentialWithAuthTokenLocked(String str, int i, SyntheticPasswordManager.AuthenticationToken authenticationToken, int i2) throws RemoteException {
        Map<Integer, String> decryptedPasswordsForAllTiedProfiles;
        long createPasswordBasedSyntheticPassword = this.mSpManager.createPasswordBasedSyntheticPassword(getGateKeeperService(), str, i, authenticationToken, i2);
        if (str != null) {
            decryptedPasswordsForAllTiedProfiles = null;
            if (this.mSpManager.hasSidForUser(i2)) {
                this.mSpManager.verifyChallenge(getGateKeeperService(), authenticationToken, 0L, i2);
            } else {
                this.mSpManager.newSidForUser(getGateKeeperService(), authenticationToken, i2);
                this.mSpManager.verifyChallenge(getGateKeeperService(), authenticationToken, 0L, i2);
                setAuthlessUserKeyProtection(i2, authenticationToken.deriveDiskEncryptionKey());
                fixateNewestUserKeyAuth(i2);
                setKeystorePassword(authenticationToken.deriveKeyStorePassword(), i2);
            }
        } else {
            decryptedPasswordsForAllTiedProfiles = getDecryptedPasswordsForAllTiedProfiles(i2);
            this.mSpManager.clearSidForUser(i2);
            getGateKeeperService().clearSecureUserId(i2);
            clearUserKeyProtection(i2);
            fixateNewestUserKeyAuth(i2);
            setKeystorePassword(null, i2);
        }
        setLong("sp-handle", createPasswordBasedSyntheticPassword, i2);
        synchronizeUnifiedWorkChallengeForProfiles(i2, decryptedPasswordsForAllTiedProfiles);
        return createPasswordBasedSyntheticPassword;
    }

    private void spBasedSetLockCredentialInternalLocked(String str, int i, String str2, int i2) throws RemoteException {
        if (isManagedProfileWithUnifiedLock(i2)) {
            try {
                str2 = getDecryptedPasswordForTiedProfile(i2);
            } catch (FileNotFoundException e) {
                Slog.i(TAG, "Child profile key not found");
            } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e2) {
                Slog.e(TAG, "Failed to decrypt child profile key", e2);
            }
        }
        long syntheticPasswordHandleLocked = getSyntheticPasswordHandleLocked(i2);
        SyntheticPasswordManager.AuthenticationResult unwrapPasswordBasedSyntheticPassword = this.mSpManager.unwrapPasswordBasedSyntheticPassword(getGateKeeperService(), syntheticPasswordHandleLocked, str2, i2);
        VerifyCredentialResponse verifyCredentialResponse = unwrapPasswordBasedSyntheticPassword.gkResponse;
        SyntheticPasswordManager.AuthenticationToken authenticationToken = unwrapPasswordBasedSyntheticPassword.authToken;
        if (authenticationToken != null) {
            setLockCredentialWithAuthTokenLocked(str, i, authenticationToken, i2);
            this.mSpManager.destroyPasswordBasedSyntheticPassword(syntheticPasswordHandleLocked, i2);
        } else {
            if (verifyCredentialResponse == null || verifyCredentialResponse.getResponseCode() != -1) {
                Slog.w(TAG, "spBasedSetLockCredentialInternalLocked: " + (verifyCredentialResponse != null ? "rate limit exceeded" : "failed"));
                return;
            }
            Slog.w(TAG, "Untrusted credential change invoked");
            initializeSyntheticPasswordLocked(null, str, i, i2);
            synchronizeUnifiedWorkChallengeForProfiles(i2, null);
            this.mSpManager.destroyPasswordBasedSyntheticPassword(syntheticPasswordHandleLocked, i2);
        }
        notifyActivePasswordMetricsAvailable(str, i2);
    }

    @Override // com.android.internal.widget.ILockSettings
    public long addEscrowToken(byte[] bArr, int i) throws RemoteException {
        long createTokenBasedSyntheticPassword;
        ensureCallerSystemUid();
        synchronized (this.mSpManager) {
            enableSyntheticPasswordLocked();
            SyntheticPasswordManager.AuthenticationToken authenticationToken = null;
            if (!isUserSecure(i)) {
                if (shouldMigrateToSyntheticPasswordLocked(i)) {
                    authenticationToken = initializeSyntheticPasswordLocked(null, null, -1, i);
                } else {
                    authenticationToken = this.mSpManager.unwrapPasswordBasedSyntheticPassword(getGateKeeperService(), getSyntheticPasswordHandleLocked(i), null, i).authToken;
                }
            }
            if (isSyntheticPasswordBasedCredentialLocked(i)) {
                disableEscrowTokenOnNonManagedDevicesIfNeeded(i);
                if (!this.mSpManager.hasEscrowData(i)) {
                    throw new SecurityException("Escrow token is disabled on the current user");
                }
            }
            createTokenBasedSyntheticPassword = this.mSpManager.createTokenBasedSyntheticPassword(bArr, i);
            if (authenticationToken != null) {
                this.mSpManager.activateTokenBasedSyntheticPassword(createTokenBasedSyntheticPassword, authenticationToken, i);
            }
        }
        return createTokenBasedSyntheticPassword;
    }

    private void activateEscrowTokens(SyntheticPasswordManager.AuthenticationToken authenticationToken, int i) throws RemoteException {
        disableEscrowTokenOnNonManagedDevicesIfNeeded(i);
        synchronized (this.mSpManager) {
            Iterator<Long> it = this.mSpManager.getPendingTokensForUser(i).iterator();
            while (it.hasNext()) {
                long longValue = it.next().longValue();
                Slog.i(TAG, String.format("activateEscrowTokens: %x %d ", Long.valueOf(longValue), Integer.valueOf(i)));
                this.mSpManager.activateTokenBasedSyntheticPassword(longValue, authenticationToken, i);
            }
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean isEscrowTokenActive(long j, int i) throws RemoteException {
        boolean existsHandle;
        ensureCallerSystemUid();
        synchronized (this.mSpManager) {
            existsHandle = this.mSpManager.existsHandle(j, i);
        }
        return existsHandle;
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean removeEscrowToken(long j, int i) throws RemoteException {
        ensureCallerSystemUid();
        synchronized (this.mSpManager) {
            if (j == getSyntheticPasswordHandleLocked(i)) {
                Slog.w(TAG, "Cannot remove password handle");
                return false;
            }
            if (this.mSpManager.removePendingToken(j, i)) {
                return true;
            }
            if (!this.mSpManager.existsHandle(j, i)) {
                return false;
            }
            this.mSpManager.destroyTokenBasedSyntheticPassword(j, i);
            return true;
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public boolean setLockCredentialWithToken(String str, int i, long j, byte[] bArr, int i2) throws RemoteException {
        boolean lockCredentialWithTokenInternal;
        ensureCallerSystemUid();
        synchronized (this.mSpManager) {
            if (!this.mSpManager.hasEscrowData(i2)) {
                throw new SecurityException("Escrow token is disabled on the current user");
            }
            lockCredentialWithTokenInternal = setLockCredentialWithTokenInternal(str, i, j, bArr, i2);
        }
        if (lockCredentialWithTokenInternal) {
            synchronized (this.mSeparateChallengeLock) {
                setSeparateProfileChallengeEnabled(i2, true, null);
            }
            notifyPasswordChanged(i2);
        }
        return lockCredentialWithTokenInternal;
    }

    private boolean setLockCredentialWithTokenInternal(String str, int i, long j, byte[] bArr, int i2) throws RemoteException {
        synchronized (this.mSpManager) {
            SyntheticPasswordManager.AuthenticationResult unwrapTokenBasedSyntheticPassword = this.mSpManager.unwrapTokenBasedSyntheticPassword(getGateKeeperService(), j, bArr, i2);
            if (unwrapTokenBasedSyntheticPassword.authToken == null) {
                Slog.w(TAG, "Invalid escrow token supplied");
                return false;
            }
            long syntheticPasswordHandleLocked = getSyntheticPasswordHandleLocked(i2);
            setLockCredentialWithAuthTokenLocked(str, i, unwrapTokenBasedSyntheticPassword.authToken, i2);
            this.mSpManager.destroyPasswordBasedSyntheticPassword(syntheticPasswordHandleLocked, i2);
            return true;
        }
    }

    @Override // com.android.internal.widget.ILockSettings
    public void unlockUserWithToken(long j, byte[] bArr, int i) throws RemoteException {
        ensureCallerSystemUid();
        synchronized (this.mSpManager) {
            if (!this.mSpManager.hasEscrowData(i)) {
                throw new SecurityException("Escrow token is disabled on the current user");
            }
            SyntheticPasswordManager.AuthenticationResult unwrapTokenBasedSyntheticPassword = this.mSpManager.unwrapTokenBasedSyntheticPassword(getGateKeeperService(), j, bArr, i);
            if (unwrapTokenBasedSyntheticPassword.authToken == null) {
                Slog.w(TAG, "Invalid escrow token supplied");
            } else {
                unlockUser(i, null, unwrapTokenBasedSyntheticPassword.authToken.deriveDiskEncryptionKey());
            }
        }
    }

    @Override // android.os.Binder
    protected void dump(FileDescriptor fileDescriptor, PrintWriter printWriter, String[] strArr) {
        if (DumpUtils.checkDumpPermission(this.mContext, TAG, printWriter)) {
            printWriter.println("Current lock settings service state:");
            printWriter.println(String.format("SP Enabled = %b", Boolean.valueOf(this.mLockPatternUtils.isSyntheticPasswordEnabled())));
            List<UserInfo> users = this.mUserManager.getUsers();
            for (int i = 0; i < users.size(); i++) {
                int i2 = users.get(i).id;
                printWriter.println("    User " + i2);
                synchronized (this.mSpManager) {
                    printWriter.println(String.format("        SP Handle = %x", Long.valueOf(getSyntheticPasswordHandleLocked(i2))));
                }
                try {
                    printWriter.println(String.format("        SID = %x", Long.valueOf(getGateKeeperService().getSecureUserId(i2))));
                } catch (RemoteException e) {
                }
            }
        }
    }

    private void disableEscrowTokenOnNonManagedDevicesIfNeeded(int i) {
        long clearCallingIdentity = Binder.clearCallingIdentity();
        try {
            try {
                if (this.mUserManager.getUserInfo(i).isManagedProfile()) {
                    Slog.i(TAG, "Managed profile can have escrow token");
                    Binder.restoreCallingIdentity(clearCallingIdentity);
                    return;
                }
                DevicePolicyManager devicePolicyManager = this.mInjector.getDevicePolicyManager();
                if (devicePolicyManager.getDeviceOwnerComponentOnAnyUser() != null) {
                    Slog.i(TAG, "Corp-owned device can have escrow token");
                    Binder.restoreCallingIdentity(clearCallingIdentity);
                    return;
                }
                if (devicePolicyManager.getProfileOwnerAsUser(i) != null) {
                    Slog.i(TAG, "User with profile owner can have escrow token");
                    Binder.restoreCallingIdentity(clearCallingIdentity);
                    return;
                }
                if (!devicePolicyManager.isDeviceProvisioned()) {
                    Slog.i(TAG, "Postpone disabling escrow tokens until device is provisioned");
                    Binder.restoreCallingIdentity(clearCallingIdentity);
                } else {
                    if (this.mContext.getPackageManager().hasSystemFeature("android.hardware.type.automotive")) {
                        Binder.restoreCallingIdentity(clearCallingIdentity);
                        return;
                    }
                    Slog.i(TAG, "Disabling escrow token on user " + i);
                    if (isSyntheticPasswordBasedCredentialLocked(i)) {
                        this.mSpManager.destroyEscrowData(i);
                    }
                    Binder.restoreCallingIdentity(clearCallingIdentity);
                }
            } catch (RemoteException e) {
                Slog.e(TAG, "disableEscrowTokenOnNonManagedDevices", e);
                Binder.restoreCallingIdentity(clearCallingIdentity);
            }
        } catch (Throwable th) {
            Binder.restoreCallingIdentity(clearCallingIdentity);
            throw th;
        }
    }

    private void ensureCallerSystemUid() throws SecurityException {
        if (this.mInjector.binderGetCallingUid() != 1000) {
            throw new SecurityException("Only system can call this API.");
        }
    }
}
