package com.android.server.locksettings;

import android.content.Context;
import android.content.pm.UserInfo;
import android.hardware.rebootescrow.IRebootEscrow;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.SystemClock;
import android.os.UserManager;
import android.provider.Settings;
import android.util.Slog;
import com.android.internal.annotations.GuardedBy;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.util.FrameworkStatsLog;
import com.android.internal.util.IndentingPrintWriter;
import com.android.internal.widget.RebootEscrowListener;
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.NoSuchElementException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/android/server/locksettings/RebootEscrowManager.class */
public class RebootEscrowManager {
    private static final String TAG = "RebootEscrowManager";

    @VisibleForTesting
    public static final String REBOOT_ESCROW_ARMED_KEY = "reboot_escrow_armed_count";
    private static final int BOOT_COUNT_TOLERANCE = 5;
    private final RebootEscrowEventLog mEventLog;
    private boolean mRebootEscrowWanted;
    private boolean mRebootEscrowReady;
    private RebootEscrowListener mRebootEscrowListener;
    private final Object mKeyGenerationLock;

    @GuardedBy({"mKeyGenerationLock"})
    private RebootEscrowKey mPendingRebootEscrowKey;
    private final UserManager mUserManager;
    private final Injector mInjector;
    private final LockSettingsStorage mStorage;
    private final Callbacks mCallbacks;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/locksettings/RebootEscrowManager$Callbacks.class */
    public interface Callbacks {
        boolean isUserSecure(int i);

        void onRebootEscrowRestored(byte b, byte[] bArr, int i);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/locksettings/RebootEscrowManager$Injector.class */
    public static class Injector {
        protected Context mContext;

        Injector(Context context) {
            this.mContext = context;
        }

        public Context getContext() {
            return this.mContext;
        }

        public UserManager getUserManager() {
            return (UserManager) this.mContext.getSystemService("user");
        }

        public IRebootEscrow getRebootEscrow() {
            try {
                return IRebootEscrow.Stub.asInterface(ServiceManager.getService("android.hardware.rebootescrow.IRebootEscrow/default"));
            } catch (NoSuchElementException e) {
                Slog.i(RebootEscrowManager.TAG, "Device doesn't implement RebootEscrow HAL");
                return null;
            }
        }

        public int getBootCount() {
            return Settings.Global.getInt(this.mContext.getContentResolver(), Settings.Global.BOOT_COUNT, 0);
        }

        public void reportMetric(boolean z) {
            FrameworkStatsLog.write(238, z);
        }

        public RebootEscrowEventLog getEventLog() {
            return new RebootEscrowEventLog();
        }
    }

    @VisibleForTesting
    /* loaded from: input_file:com/android/server/locksettings/RebootEscrowManager$RebootEscrowEvent.class */
    public static class RebootEscrowEvent {
        static final int FOUND_ESCROW_DATA = 1;
        static final int SET_ARMED_STATUS = 2;
        static final int CLEARED_LSKF_REQUEST = 3;
        static final int RETRIEVED_STORED_KEK = 4;
        static final int REQUESTED_LSKF = 5;
        static final int STORED_LSKF_FOR_USER = 6;
        static final int RETRIEVED_LSKF_FOR_USER = 7;
        final int mEventId;
        final Integer mUserId;
        final long mWallTime;
        final long mTimestamp;

        RebootEscrowEvent(int i) {
            this(i, null);
        }

        RebootEscrowEvent(int i, Integer num) {
            this.mEventId = i;
            this.mUserId = num;
            this.mTimestamp = SystemClock.uptimeMillis();
            this.mWallTime = System.currentTimeMillis();
        }

        String getEventDescription() {
            switch (this.mEventId) {
                case 1:
                    return "Found escrow data";
                case 2:
                    return "Set armed status";
                case 3:
                    return "Cleared request for LSKF";
                case 4:
                    return "Retrieved stored KEK";
                case 5:
                    return "Requested LSKF";
                case 6:
                    return "Stored LSKF for user";
                case 7:
                    return "Retrieved LSKF for user";
                default:
                    return "Unknown event ID " + this.mEventId;
            }
        }
    }

    @VisibleForTesting
    /* loaded from: input_file:com/android/server/locksettings/RebootEscrowManager$RebootEscrowEventLog.class */
    public static class RebootEscrowEventLog {
        private RebootEscrowEvent[] mEntries = new RebootEscrowEvent[16];
        private int mNextIndex = 0;

        void addEntry(int i) {
            addEntryInternal(new RebootEscrowEvent(i));
        }

        void addEntry(int i, int i2) {
            addEntryInternal(new RebootEscrowEvent(i, Integer.valueOf(i2)));
        }

        private void addEntryInternal(RebootEscrowEvent rebootEscrowEvent) {
            this.mEntries[this.mNextIndex] = rebootEscrowEvent;
            this.mNextIndex = (this.mNextIndex + 1) % this.mEntries.length;
        }

        void dump(IndentingPrintWriter indentingPrintWriter) {
            SimpleDateFormat simpleDateFormat = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS", Locale.US);
            for (int i = 0; i < this.mEntries.length; i++) {
                RebootEscrowEvent rebootEscrowEvent = this.mEntries[(i + this.mNextIndex) % this.mEntries.length];
                if (rebootEscrowEvent != null) {
                    indentingPrintWriter.print("Event #");
                    indentingPrintWriter.println(i);
                    indentingPrintWriter.println(" time=" + simpleDateFormat.format(new Date(rebootEscrowEvent.mWallTime)) + " (timestamp=" + rebootEscrowEvent.mTimestamp + ")");
                    indentingPrintWriter.print(" event=");
                    indentingPrintWriter.println(rebootEscrowEvent.getEventDescription());
                    if (rebootEscrowEvent.mUserId != null) {
                        indentingPrintWriter.print(" user=");
                        indentingPrintWriter.println(rebootEscrowEvent.mUserId);
                    }
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public RebootEscrowManager(Context context, Callbacks callbacks, LockSettingsStorage lockSettingsStorage) {
        this(new Injector(context), callbacks, lockSettingsStorage);
    }

    @VisibleForTesting
    RebootEscrowManager(Injector injector, Callbacks callbacks, LockSettingsStorage lockSettingsStorage) {
        this.mKeyGenerationLock = new Object();
        this.mInjector = injector;
        this.mCallbacks = callbacks;
        this.mStorage = lockSettingsStorage;
        this.mUserManager = injector.getUserManager();
        this.mEventLog = injector.getEventLog();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void loadRebootEscrowDataIfAvailable() {
        List<UserInfo> users = this.mUserManager.getUsers();
        ArrayList arrayList = new ArrayList();
        for (UserInfo userInfo : users) {
            if (this.mCallbacks.isUserSecure(userInfo.id) && this.mStorage.hasRebootEscrow(userInfo.id)) {
                arrayList.add(userInfo);
            }
        }
        if (arrayList.isEmpty()) {
            return;
        }
        RebootEscrowKey andClearRebootEscrowKey = getAndClearRebootEscrowKey();
        if (andClearRebootEscrowKey == null) {
            Slog.w(TAG, "Had reboot escrow data for users, but no key; removing escrow storage.");
            Iterator<UserInfo> it = users.iterator();
            while (it.hasNext()) {
                this.mStorage.removeRebootEscrow(it.next().id);
            }
            onEscrowRestoreComplete(false);
            return;
        }
        this.mEventLog.addEntry(1);
        boolean z = true;
        Iterator it2 = arrayList.iterator();
        while (it2.hasNext()) {
            z &= restoreRebootEscrowForUser(((UserInfo) it2.next()).id, andClearRebootEscrowKey);
        }
        onEscrowRestoreComplete(z);
    }

    private void onEscrowRestoreComplete(boolean z) {
        int i = this.mStorage.getInt(REBOOT_ESCROW_ARMED_KEY, -1, 0);
        this.mStorage.removeKey(REBOOT_ESCROW_ARMED_KEY, 0);
        int bootCount = this.mInjector.getBootCount() - i;
        if (z || (i != -1 && bootCount <= 5)) {
            this.mInjector.reportMetric(z);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    private RebootEscrowKey getAndClearRebootEscrowKey() {
        IRebootEscrow rebootEscrow = this.mInjector.getRebootEscrow();
        if (rebootEscrow == null) {
            Slog.w(TAG, "Had reboot escrow data for users, but RebootEscrow HAL is unavailable");
            return null;
        }
        try {
            byte[] retrieveKey = rebootEscrow.retrieveKey();
            if (retrieveKey == null) {
                Slog.w(TAG, "Had reboot escrow data for users, but could not retrieve key");
                return null;
            }
            if (retrieveKey.length != 32) {
                Slog.e(TAG, "IRebootEscrow returned key of incorrect size " + retrieveKey.length);
                return null;
            }
            byte b = 0;
            for (byte b2 : retrieveKey) {
                b = b | b2 ? 1 : 0;
            }
            if (b == 0) {
                Slog.w(TAG, "IRebootEscrow returned an all-zeroes key");
                return null;
            }
            rebootEscrow.storeKey(new byte[32]);
            this.mEventLog.addEntry(4);
            return RebootEscrowKey.fromKeyBytes(retrieveKey);
        } catch (RemoteException e) {
            Slog.w(TAG, "Could not retrieve escrow data");
            return null;
        }
    }

    private boolean restoreRebootEscrowForUser(int i, RebootEscrowKey rebootEscrowKey) {
        if (!this.mStorage.hasRebootEscrow(i)) {
            return false;
        }
        try {
            byte[] readRebootEscrow = this.mStorage.readRebootEscrow(i);
            this.mStorage.removeRebootEscrow(i);
            RebootEscrowData fromEncryptedData = RebootEscrowData.fromEncryptedData(rebootEscrowKey, readRebootEscrow);
            this.mCallbacks.onRebootEscrowRestored(fromEncryptedData.getSpVersion(), fromEncryptedData.getSyntheticPassword(), i);
            Slog.i(TAG, "Restored reboot escrow data for user " + i);
            this.mEventLog.addEntry(7, i);
            return true;
        } catch (IOException e) {
            Slog.w(TAG, "Could not load reboot escrow data for user " + i, e);
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void callToRebootEscrowIfNeeded(int i, byte b, byte[] bArr) {
        if (this.mRebootEscrowWanted) {
            if (this.mInjector.getRebootEscrow() == null) {
                Slog.w(TAG, "Reboot escrow requested, but RebootEscrow HAL is unavailable");
                return;
            }
            RebootEscrowKey generateEscrowKeyIfNeeded = generateEscrowKeyIfNeeded();
            if (generateEscrowKeyIfNeeded == null) {
                Slog.e(TAG, "Could not generate escrow key");
                return;
            }
            try {
                this.mStorage.writeRebootEscrow(i, RebootEscrowData.fromSyntheticPassword(generateEscrowKeyIfNeeded, b, bArr).getBlob());
                this.mEventLog.addEntry(6, i);
                setRebootEscrowReady(true);
            } catch (IOException e) {
                setRebootEscrowReady(false);
                Slog.w(TAG, "Could not escrow reboot data", e);
            }
        }
    }

    private RebootEscrowKey generateEscrowKeyIfNeeded() {
        synchronized (this.mKeyGenerationLock) {
            if (this.mPendingRebootEscrowKey != null) {
                return this.mPendingRebootEscrowKey;
            }
            try {
                RebootEscrowKey generate = RebootEscrowKey.generate();
                this.mPendingRebootEscrowKey = generate;
                return generate;
            } catch (IOException e) {
                Slog.w(TAG, "Could not generate reboot escrow key");
                return null;
            }
        }
    }

    private void clearRebootEscrowIfNeeded() {
        this.mRebootEscrowWanted = false;
        setRebootEscrowReady(false);
        IRebootEscrow rebootEscrow = this.mInjector.getRebootEscrow();
        if (rebootEscrow == null) {
            return;
        }
        this.mStorage.removeKey(REBOOT_ESCROW_ARMED_KEY, 0);
        try {
            rebootEscrow.storeKey(new byte[32]);
        } catch (RemoteException e) {
            Slog.w(TAG, "Could not call RebootEscrow HAL to shred key");
        }
        Iterator<UserInfo> it = this.mUserManager.getUsers().iterator();
        while (it.hasNext()) {
            this.mStorage.removeRebootEscrow(it.next().id);
        }
        this.mEventLog.addEntry(3);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean armRebootEscrowIfNeeded() {
        RebootEscrowKey rebootEscrowKey;
        if (!this.mRebootEscrowReady) {
            return false;
        }
        IRebootEscrow rebootEscrow = this.mInjector.getRebootEscrow();
        if (rebootEscrow == null) {
            Slog.w(TAG, "Escrow marked as ready, but RebootEscrow HAL is unavailable");
            return false;
        }
        synchronized (this.mKeyGenerationLock) {
            rebootEscrowKey = this.mPendingRebootEscrowKey;
        }
        if (rebootEscrowKey == null) {
            Slog.e(TAG, "Escrow key is null, but escrow was marked as ready");
            return false;
        }
        boolean z = false;
        try {
            rebootEscrow.storeKey(rebootEscrowKey.getKeyBytes());
            z = true;
            Slog.i(TAG, "Reboot escrow key stored with RebootEscrow HAL");
        } catch (RemoteException e) {
            Slog.e(TAG, "Failed escrow secret to RebootEscrow HAL", e);
        }
        if (z) {
            this.mStorage.setInt(REBOOT_ESCROW_ARMED_KEY, this.mInjector.getBootCount(), 0);
            this.mEventLog.addEntry(2);
        }
        return z;
    }

    private void setRebootEscrowReady(boolean z) {
        if (this.mRebootEscrowReady != z) {
            this.mRebootEscrowListener.onPreparedForReboot(z);
        }
        this.mRebootEscrowReady = z;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean prepareRebootEscrow() {
        if (this.mInjector.getRebootEscrow() == null) {
            return false;
        }
        clearRebootEscrowIfNeeded();
        this.mRebootEscrowWanted = true;
        this.mEventLog.addEntry(5);
        return true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean clearRebootEscrow() {
        if (this.mInjector.getRebootEscrow() == null) {
            return false;
        }
        clearRebootEscrowIfNeeded();
        return true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void setRebootEscrowListener(RebootEscrowListener rebootEscrowListener) {
        this.mRebootEscrowListener = rebootEscrowListener;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void dump(IndentingPrintWriter indentingPrintWriter) {
        boolean z;
        indentingPrintWriter.print("mRebootEscrowWanted=");
        indentingPrintWriter.println(this.mRebootEscrowWanted);
        indentingPrintWriter.print("mRebootEscrowReady=");
        indentingPrintWriter.println(this.mRebootEscrowReady);
        indentingPrintWriter.print("mRebootEscrowListener=");
        indentingPrintWriter.println(this.mRebootEscrowListener);
        synchronized (this.mKeyGenerationLock) {
            z = this.mPendingRebootEscrowKey != null;
        }
        indentingPrintWriter.print("mPendingRebootEscrowKey is ");
        indentingPrintWriter.println(z ? "set" : "not set");
        indentingPrintWriter.println();
        indentingPrintWriter.println("Event log:");
        indentingPrintWriter.increaseIndent();
        this.mEventLog.dump(indentingPrintWriter);
        indentingPrintWriter.println();
        indentingPrintWriter.decreaseIndent();
    }
}
