package com.android.keychain;

import android.annotation.NonNull;
import android.annotation.Nullable;
import android.app.AppOpsManager;
import android.app.BroadcastOptions;
import android.app.IntentService;
import android.app.admin.SecurityLog;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.StringParceledListSlice;
import android.net.Uri;
import android.os.Binder;
import android.os.IBinder;
import android.os.UserHandle;
import android.os.UserManager;
import android.security.AppUriAuthenticationPolicy;
import android.security.CredentialManagementApp;
import android.security.IKeyChainService;
import android.security.KeyChain;
import android.security.KeyStore2;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.ParcelableKeyGenParameterSpec;
import android.security.keystore.StrongBoxUnavailableException;
import android.security.keystore2.AndroidKeyStoreLoadStoreParameter;
import android.system.keystore2.KeyDescriptor;
import android.text.TextUtils;
import android.util.Base64;
import android.util.Log;
import androidx.core.view.PointerIconCompat;
import com.android.internal.annotations.GuardedBy;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.util.Preconditions;
import com.android.keychain.internal.ExistingKeysProvider;
import com.android.keychain.internal.GrantsDatabase;
import com.android.org.conscrypt.TrustedCertificateStore;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/android/keychain/KeyChainService.class */
public class KeyChainService extends IntentService {
    private static final String TAG = "KeyChain";
    private static final String CERT_INSTALLER_PACKAGE = "com.android.certinstaller";
    private final Set<Integer> ALLOWED_UIDS;
    private static final String MSG_NOT_SYSTEM = "Not system package";
    private static final String MSG_NOT_SYSTEM_OR_CERT_INSTALLER = "Not system or cert installer package";
    private static final String MSG_NOT_SYSTEM_OR_CRED_MNG_APP = "Not system or credential management app package";
    private GrantsDatabase mGrantsDb;
    private Injector mInjector;
    private KeyStore mKeyStore;
    private KeyChainStateStorage mStateStorage;
    private Object mCredentialManagementAppLock;

    @GuardedBy({"mCredentialManagementAppLock"})
    @Nullable
    private CredentialManagementApp mCredentialManagementApp;
    private final IKeyChainService.Stub mIKeyChainService;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/android/keychain/KeyChainService$CallerIdentity.class */
    public final class CallerIdentity {
        final int mUid;
        final int mPid = Binder.getCallingPid();
        final String mPackageName;

        CallerIdentity() {
            this.mUid = KeyChainService.this.mInjector.getCallingUid();
            this.mPackageName = KeyChainService.this.getPackageManager().getNameForUid(this.mUid);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:com/android/keychain/KeyChainService$Injector.class */
    public static class Injector {
        Injector() {
        }

        public boolean isSecurityLoggingEnabled() {
            return SecurityLog.isLoggingEnabled();
        }

        public void writeSecurityEvent(int i, Object... objArr) {
            SecurityLog.writeEvent(i, objArr);
        }

        public int getCallingUid() {
            return Binder.getCallingUid();
        }

        public KeyStore getKeyStoreInstance() throws KeyStoreException {
            return KeyStore.getInstance("AndroidKeyStore");
        }
    }

    /* loaded from: input_file:com/android/keychain/KeyChainService$KeyStoreAliasesProvider.class */
    private static class KeyStoreAliasesProvider implements ExistingKeysProvider {
        private final KeyStore mKeyStore;

        KeyStoreAliasesProvider(KeyStore keyStore) {
            this.mKeyStore = keyStore;
        }

        @Override // com.android.keychain.internal.ExistingKeysProvider
        public List<String> getExistingKeyAliases() {
            ArrayList arrayList = new ArrayList();
            try {
                Enumeration<String> aliases = this.mKeyStore.aliases();
                while (aliases.hasMoreElements()) {
                    String nextElement = aliases.nextElement();
                    if (this.mKeyStore.isKeyEntry(nextElement)) {
                        arrayList.add(nextElement);
                    }
                }
            } catch (KeyStoreException e) {
                Log.e(KeyChainService.TAG, "Error while loading entries from keystore. List may be empty or incomplete.");
            }
            return arrayList;
        }
    }

    public KeyChainService() {
        super(KeyChainService.class.getSimpleName());
        this.ALLOWED_UIDS = Collections.unmodifiableSet(new HashSet(Arrays.asList(-1, Integer.valueOf(PointerIconCompat.TYPE_ALIAS))));
        this.mCredentialManagementAppLock = new Object();
        this.mIKeyChainService = new IKeyChainService.Stub() { // from class: com.android.keychain.KeyChainService.1
            private final TrustedCertificateStore mTrustedCertificateStore = new TrustedCertificateStore();
            private final Context mContext;

            {
                this.mContext = KeyChainService.this;
            }

            public String requestPrivateKey(String str) {
                CallerIdentity caller = KeyChainService.this.getCaller();
                if (!hasGrant(str, caller)) {
                    return null;
                }
                int i = caller.mUid;
                try {
                    return KeyChain.getGrantString(KeyStore2.getInstance().grant(KeyChainService.this.makeKeyDescriptor(str), i, 260));
                } catch (android.security.KeyStoreException e) {
                    Log.e(KeyChainService.TAG, "Failed to grant " + str + " to uid: " + i, e);
                    return null;
                }
            }

            public String getWifiKeyGrantAsUser(String str) {
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                if (!hasGrant(str, PointerIconCompat.TYPE_ALIAS)) {
                    return null;
                }
                try {
                    return KeyStore2.makeKeystoreEngineGrantString(KeyStore2.getInstance().grant(KeyChainService.this.makeKeyDescriptor(str), PointerIconCompat.TYPE_ALIAS, 260).nspace);
                } catch (android.security.KeyStoreException e) {
                    Log.e(KeyChainService.TAG, "Failed to grant " + str + " to uid: " + PointerIconCompat.TYPE_ALIAS, e);
                    return null;
                }
            }

            public byte[] getCertificate(String str) {
                Certificate certificate;
                CallerIdentity caller = KeyChainService.this.getCaller();
                if (!hasGrant(str, caller) && !isSystemUid(caller)) {
                    return null;
                }
                try {
                    if (KeyChainService.this.mKeyStore.isCertificateEntry(str) || (certificate = KeyChainService.this.mKeyStore.getCertificate(str)) == null) {
                        return null;
                    }
                    return certificate.getEncoded();
                } catch (KeyStoreException | CertificateEncodingException e) {
                    Log.e(KeyChainService.TAG, "Failed to retrieve certificate.", e);
                    return null;
                }
            }

            public byte[] getCaCertificates(String str) {
                CallerIdentity caller = KeyChainService.this.getCaller();
                if (!hasGrant(str, caller) && !isSystemUid(caller)) {
                    return null;
                }
                try {
                    if (KeyChainService.this.mKeyStore.isCertificateEntry(str)) {
                        return KeyChainService.this.mKeyStore.getCertificate(str).getEncoded();
                    }
                    Certificate[] certificateChain = KeyChainService.this.mKeyStore.getCertificateChain(str);
                    if (certificateChain == null || certificateChain.length <= 1) {
                        return null;
                    }
                    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                    for (int i = 1; i < certificateChain.length; i++) {
                        byteArrayOutputStream.write(certificateChain[i].getEncoded());
                    }
                    return byteArrayOutputStream.toByteArray();
                } catch (IOException | KeyStoreException | CertificateEncodingException e) {
                    Log.e(KeyChainService.TAG, "Failed to retrieve certificate(s) from AndroidKeyStore.", e);
                    return null;
                }
            }

            public boolean isUserSelectable(String str) {
                validateAlias(str);
                return KeyChainService.this.mGrantsDb.isUserSelectable(str);
            }

            public void setUserSelectable(String str, boolean z) {
                validateAlias(str);
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                Log.i(KeyChainService.TAG, String.format("Marking certificate %s as user-selectable: %b", str, Boolean.valueOf(z)));
                KeyChainService.this.mGrantsDb.setIsUserSelectable(str, z);
            }

            public int generateKeyPair(String str, ParcelableKeyGenParameterSpec parcelableKeyGenParameterSpec) {
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                KeyGenParameterSpec spec = parcelableKeyGenParameterSpec.getSpec();
                String keystoreAlias = spec.getKeystoreAlias();
                Log.i(KeyChainService.TAG, String.format("About to generate key with alias %s, algorithm %s", keystoreAlias, str));
                if ("android:alias-selection-denied".equals(keystoreAlias)) {
                    throw new IllegalArgumentException("The alias specified for the key denotes a reserved value and cannot be used to name a key");
                }
                if (TextUtils.isEmpty(keystoreAlias) || spec.getUid() != -1) {
                    Log.e(KeyChainService.TAG, "Cannot generate key pair with empty alias or specified uid.");
                    return 1;
                }
                try {
                    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(str, "AndroidKeyStore");
                    keyPairGenerator.initialize(spec);
                    if (keyPairGenerator.generateKeyPair() != null) {
                        return 0;
                    }
                    Log.e(KeyChainService.TAG, "Key generation failed.");
                    return 7;
                } catch (StrongBoxUnavailableException e) {
                    Log.e(KeyChainService.TAG, "StrongBox unavailable.", e);
                    return 6;
                } catch (InvalidAlgorithmParameterException e2) {
                    Log.e(KeyChainService.TAG, "Invalid algorithm params", e2);
                    return 4;
                } catch (NoSuchAlgorithmException e3) {
                    Log.e(KeyChainService.TAG, "Invalid algorithm requested", e3);
                    return 3;
                } catch (NoSuchProviderException e4) {
                    Log.e(KeyChainService.TAG, "Could not find Keystore.", e4);
                    return 5;
                } catch (ProviderException e5) {
                    Throwable cause = e5.getCause();
                    if ((cause instanceof android.security.KeyStoreException) && ((android.security.KeyStoreException) cause).getErrorCode() == -66) {
                        return 3;
                    }
                    Log.e(KeyChainService.TAG, "KeyStore error.", e5);
                    return 7;
                }
            }

            public boolean setKeyPairCertificate(String str, byte[] bArr, byte[] bArr2) {
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                try {
                    Key key = KeyChainService.this.mKeyStore.getKey(str, null);
                    if (!(key instanceof PrivateKey)) {
                        return false;
                    }
                    PrivateKey privateKey = (PrivateKey) key;
                    ArrayList arrayList = new ArrayList();
                    if (bArr != null) {
                        try {
                            arrayList.add(parseCertificate(bArr));
                        } catch (CertificateException e) {
                            Log.e(KeyChainService.TAG, "Failed to parse user certificate.", e);
                            return false;
                        }
                    }
                    if (bArr2 != null) {
                        arrayList.addAll(parseCertificates(bArr2));
                    }
                    try {
                        KeyChainService.this.mKeyStore.setKeyEntry(str, privateKey, null, (Certificate[]) arrayList.toArray(new Certificate[0]));
                        if (Log.isLoggable(KeyChainService.TAG, 3)) {
                            Log.d(KeyChainService.TAG, String.format("Set certificate for key alias %s : user %s CA chain: %s", str, KeyChainService.emptyOrBase64Encoded(bArr), KeyChainService.emptyOrBase64Encoded(bArr2)));
                        }
                        KeyChainService.this.broadcastKeychainChange();
                        KeyChainService.this.broadcastLegacyStorageChange();
                        return true;
                    } catch (KeyStoreException e2) {
                        Log.e(KeyChainService.TAG, "Failed update key certificates.", e2);
                        return false;
                    }
                } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e3) {
                    Log.e(KeyChainService.TAG, "Failed to get private key entry.", e3);
                    return false;
                }
            }

            private void validateAlias(String str) {
                if (str == null) {
                    throw new NullPointerException("alias == null");
                }
            }

            private boolean hasGrant(String str, CallerIdentity callerIdentity) {
                return hasGrant(str, callerIdentity.mUid);
            }

            private boolean hasGrant(String str, int i) {
                validateAlias(str);
                if (KeyChainService.this.mGrantsDb.hasGrant(i, str)) {
                    return true;
                }
                Log.w(KeyChainService.TAG, String.format("uid %d doesn't have permission to access the requested alias %s", Integer.valueOf(i), str));
                return false;
            }

            public String installCaCertificate(byte[] bArr) {
                String certificateAlias;
                CallerIdentity caller = KeyChainService.this.getCaller();
                Preconditions.checkCallAuthorization(isSystemUid(caller) || isCertInstaller(caller), KeyChainService.MSG_NOT_SYSTEM_OR_CERT_INSTALLER);
                String str = null;
                boolean isSecurityLoggingEnabled = KeyChainService.this.mInjector.isSecurityLoggingEnabled();
                try {
                    X509Certificate parseCertificate = parseCertificate(bArr);
                    boolean isLoggable = Log.isLoggable(KeyChainService.TAG, 3);
                    str = parseCertificate.getSubjectX500Principal().getName("CANONICAL");
                    if (isLoggable) {
                        Log.d(KeyChainService.TAG, String.format("Installing CA certificate: %s", str));
                    }
                    synchronized (this.mTrustedCertificateStore) {
                        this.mTrustedCertificateStore.installCertificate(parseCertificate);
                        certificateAlias = this.mTrustedCertificateStore.getCertificateAlias(parseCertificate);
                    }
                    if (isSecurityLoggingEnabled && str != null) {
                        KeyChainService.this.mInjector.writeSecurityEvent(210029, 1, str, Integer.valueOf(UserHandle.myUserId()));
                    }
                    if (KeyChainService.CERT_INSTALLER_PACKAGE.equals(caller.mPackageName)) {
                        try {
                            KeyChainService.this.mKeyStore.setCertificateEntry(String.format("%s %s", str, certificateAlias), parseCertificate);
                        } catch (KeyStoreException e) {
                            Log.e(KeyChainService.TAG, String.format("Attempted installing %s (subject: %s) to KeyStore. Failed", certificateAlias, str), e);
                        }
                    }
                    KeyChainService.this.broadcastLegacyStorageChange();
                    KeyChainService.this.broadcastTrustStoreChange();
                    return certificateAlias;
                } catch (IOException | CertificateException e2) {
                    Log.w(KeyChainService.TAG, "Failed installing CA certificate", e2);
                    if (isSecurityLoggingEnabled && str != null) {
                        KeyChainService.this.mInjector.writeSecurityEvent(210029, 0, str, Integer.valueOf(UserHandle.myUserId()));
                    }
                    throw new IllegalStateException(e2);
                }
            }

            public boolean installKeyPair(@Nullable byte[] bArr, @Nullable byte[] bArr2, @Nullable byte[] bArr3, String str, int i) {
                PrivateKey generatePrivate;
                CallerIdentity caller = KeyChainService.this.getCaller();
                Preconditions.checkCallAuthorization(isSystemUid(caller) || isCertInstaller(caller), KeyChainService.MSG_NOT_SYSTEM_OR_CERT_INSTALLER);
                if ("android:alias-selection-denied".equals(str)) {
                    throw new IllegalArgumentException("The alias specified for the key denotes a reserved value and cannot be used to name a key");
                }
                if (!KeyChainService.this.ALLOWED_UIDS.contains(Integer.valueOf(i))) {
                    Log.e(KeyChainService.TAG, String.format("Installing alias %s as UID %d is now allowed.", str, Integer.valueOf(i)));
                    return false;
                }
                if (bArr == null && bArr2 == null && bArr3 == null) {
                    Log.e(KeyChainService.TAG, String.format("Nothing to install for alias %s", str));
                    return false;
                }
                UserManager userManager = (UserManager) this.mContext.getSystemService(UserManager.class);
                if (i == 1010 && !userManager.isAdminUser()) {
                    Log.e(KeyChainService.TAG, "Installation into the WiFi Keystore should be called from the admin user");
                    return false;
                }
                if (Log.isLoggable(KeyChainService.TAG, 3)) {
                    Log.d(KeyChainService.TAG, String.format("Installing certificate and key to alias %s to uid %d: user cert %s CA chain: %s", str, Integer.valueOf(i), KeyChainService.emptyOrBase64Encoded(bArr2), KeyChainService.emptyOrBase64Encoded(bArr3)));
                }
                ArrayList arrayList = new ArrayList();
                if (bArr2 != null) {
                    try {
                        arrayList.add(parseCertificate(bArr2));
                    } catch (CertificateException e) {
                        Log.e(KeyChainService.TAG, "Failed to parse user certificate.", e);
                        return false;
                    }
                }
                if (bArr3 != null) {
                    arrayList.addAll(parseCertificates(bArr3));
                }
                if (arrayList.isEmpty()) {
                    Log.e(KeyChainService.TAG, "Cannot install private key without public certificate.");
                    return false;
                }
                Certificate[] certificateArr = (Certificate[]) arrayList.toArray(new Certificate[0]);
                if (bArr != null) {
                    try {
                        generatePrivate = KeyFactory.getInstance(certificateArr[0].getPublicKey().getAlgorithm()).generatePrivate(new PKCS8EncodedKeySpec(bArr));
                    } catch (NoSuchAlgorithmException | InvalidKeySpecException e2) {
                        Log.e(KeyChainService.TAG, "Failed to parse private key.", e2);
                        return false;
                    }
                } else {
                    generatePrivate = null;
                }
                KeyStore keyStore = KeyChainService.this.getKeyStore(i == 1010);
                if (keyStore == null) {
                    return false;
                }
                try {
                    if (bArr != null) {
                        keyStore.setKeyEntry(str, generatePrivate, null, certificateArr);
                    } else {
                        if (certificateArr.length > 1) {
                            Log.e(KeyChainService.TAG, "Cannot install key certificate chain without private key.");
                            return false;
                        }
                        keyStore.setCertificateEntry(str, certificateArr[0]);
                    }
                } catch (KeyStoreException e3) {
                    Log.e(KeyChainService.TAG, "Failed to install key pair.", e3);
                }
                KeyChainService.this.broadcastKeychainChange();
                KeyChainService.this.broadcastLegacyStorageChange();
                return true;
            }

            public boolean removeKeyPair(String str) {
                CallerIdentity caller = KeyChainService.this.getCaller();
                Preconditions.checkCallAuthorization(isSystemUid(caller) || isCertInstaller(caller), KeyChainService.MSG_NOT_SYSTEM_OR_CERT_INSTALLER);
                return removeKeyPairInternal(str);
            }

            private boolean removeKeyPairInternal(String str) {
                try {
                    KeyChainService.this.mKeyStore.deleteEntry(str);
                    Log.w(KeyChainService.TAG, String.format("WARNING: Removing alias %s, existing grants will be revoked.", str));
                    KeyChainService.this.mGrantsDb.removeAliasInformation(str);
                    KeyChainService.this.broadcastKeychainChange();
                    KeyChainService.this.broadcastLegacyStorageChange();
                    return true;
                } catch (KeyStoreException e) {
                    Log.e(KeyChainService.TAG, String.format("Failed not remove keystore entry with alias %s", str));
                    return false;
                }
            }

            public boolean containsKeyPair(String str) {
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                try {
                    return KeyChainService.this.mKeyStore.getKey(str, null) instanceof PrivateKey;
                } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
                    Log.w("Error while trying to check for key presence.", e);
                    return false;
                }
            }

            private X509Certificate parseCertificate(byte[] bArr) throws CertificateException {
                return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(bArr));
            }

            private Collection<X509Certificate> parseCertificates(byte[] bArr) throws CertificateException {
                return CertificateFactory.getInstance("X.509").generateCertificates(new ByteArrayInputStream(bArr));
            }

            public boolean reset() {
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                KeyChainService.this.mGrantsDb.removeAllAliasesInformation();
                boolean z = true;
                synchronized (this.mTrustedCertificateStore) {
                    for (String str : this.mTrustedCertificateStore.aliases()) {
                        if (TrustedCertificateStore.isUser(str) && !deleteCertificateEntry(str)) {
                            z = false;
                        }
                    }
                }
                KeyChainService.this.broadcastTrustStoreChange();
                KeyChainService.this.broadcastKeychainChange();
                KeyChainService.this.broadcastLegacyStorageChange();
                return z;
            }

            public boolean deleteCaCertificate(String str) {
                boolean deleteCertificateEntry;
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                Log.i(KeyChainService.TAG, String.format("Deleting CA certificate %s", str));
                synchronized (this.mTrustedCertificateStore) {
                    deleteCertificateEntry = deleteCertificateEntry(str);
                }
                KeyChainService.this.broadcastTrustStoreChange();
                KeyChainService.this.broadcastLegacyStorageChange();
                return deleteCertificateEntry;
            }

            private boolean deleteCertificateEntry(String str) {
                String str2 = null;
                if (KeyChainService.this.mInjector.isSecurityLoggingEnabled()) {
                    Certificate certificate = this.mTrustedCertificateStore.getCertificate(str);
                    if (certificate instanceof X509Certificate) {
                        str2 = ((X509Certificate) certificate).getSubjectX500Principal().getName("CANONICAL");
                    }
                }
                try {
                    this.mTrustedCertificateStore.deleteCertificateEntry(str);
                    if (str2 == null) {
                        return true;
                    }
                    KeyChainService.this.mInjector.writeSecurityEvent(210030, 1, str2, Integer.valueOf(UserHandle.myUserId()));
                    return true;
                } catch (IOException | CertificateException e) {
                    Log.w(KeyChainService.TAG, "Problem removing CA certificate " + str, e);
                    if (str2 == null) {
                        return false;
                    }
                    KeyChainService.this.mInjector.writeSecurityEvent(210030, 0, str2, Integer.valueOf(UserHandle.myUserId()));
                    return false;
                }
            }

            private boolean hasManageCredentialManagementAppPermission(CallerIdentity callerIdentity) {
                return this.mContext.checkPermission("android.permission.MANAGE_CREDENTIAL_MANAGEMENT_APP", callerIdentity.mPid, callerIdentity.mUid) == 0;
            }

            private boolean isCertInstaller(CallerIdentity callerIdentity) {
                return callerIdentity.mPackageName != null && KeyChainService.CERT_INSTALLER_PACKAGE.equals(callerIdentity.mPackageName);
            }

            private boolean isCredentialManagementApp(CallerIdentity callerIdentity) {
                boolean z;
                synchronized (KeyChainService.this.mCredentialManagementAppLock) {
                    z = (KeyChainService.this.mCredentialManagementApp == null || callerIdentity.mPackageName == null || !callerIdentity.mPackageName.equals(KeyChainService.this.mCredentialManagementApp.getPackageName())) ? false : true;
                }
                return z;
            }

            private boolean isSystemUid(CallerIdentity callerIdentity) {
                return UserHandle.isSameApp(callerIdentity.mUid, 1000);
            }

            public boolean hasGrant(int i, String str) {
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                return KeyChainService.this.mGrantsDb.hasGrant(i, str);
            }

            public boolean setGrant(int i, String str, boolean z) {
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                Preconditions.checkArgument(containsKeyPair(str), "Alias not associated with a key.");
                KeyChainService.this.mGrantsDb.setGrant(i, str, z);
                if (!z) {
                    try {
                        KeyStore2.getInstance().ungrant(KeyChainService.this.makeKeyDescriptor(str), i);
                    } catch (android.security.KeyStoreException e) {
                        Log.e(KeyChainService.TAG, "Failed to ungrant " + str + " to uid: " + i, e);
                        return false;
                    }
                }
                KeyChainService.this.broadcastPermissionChange(i, str, z);
                KeyChainService.this.broadcastLegacyStorageChange();
                return true;
            }

            public int[] getGrants(String str) {
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                try {
                    if (KeyChainService.this.mKeyStore.isKeyEntry(str)) {
                        return KeyChainService.this.mGrantsDb.getGrants(str);
                    }
                } catch (KeyStoreException e) {
                    Log.w(KeyChainService.TAG, "Error while checking if key exists.", e);
                }
                throw new IllegalArgumentException("Alias not found: " + str);
            }

            public StringParceledListSlice getUserCaAliases() {
                StringParceledListSlice stringParceledListSlice;
                synchronized (this.mTrustedCertificateStore) {
                    stringParceledListSlice = new StringParceledListSlice(new ArrayList(this.mTrustedCertificateStore.userAliases()));
                }
                return stringParceledListSlice;
            }

            public StringParceledListSlice getSystemCaAliases() {
                StringParceledListSlice stringParceledListSlice;
                synchronized (this.mTrustedCertificateStore) {
                    stringParceledListSlice = new StringParceledListSlice(new ArrayList(this.mTrustedCertificateStore.allSystemAliases()));
                }
                return stringParceledListSlice;
            }

            public boolean containsCaAlias(String str) {
                return this.mTrustedCertificateStore.containsAlias(str);
            }

            public byte[] getEncodedCaCertificate(String str, boolean z) {
                synchronized (this.mTrustedCertificateStore) {
                    X509Certificate x509Certificate = (X509Certificate) this.mTrustedCertificateStore.getCertificate(str, z);
                    if (x509Certificate == null) {
                        Log.w(KeyChainService.TAG, "Could not find CA certificate " + str);
                        return null;
                    }
                    try {
                        return x509Certificate.getEncoded();
                    } catch (CertificateEncodingException e) {
                        Log.w(KeyChainService.TAG, "Error while encoding CA certificate " + str);
                        return null;
                    }
                }
            }

            public List<String> getCaCertificateChainAliases(String str, boolean z) {
                ArrayList arrayList;
                synchronized (this.mTrustedCertificateStore) {
                    try {
                        List certificateChain = this.mTrustedCertificateStore.getCertificateChain((X509Certificate) this.mTrustedCertificateStore.getCertificate(str, z));
                        arrayList = new ArrayList(certificateChain.size());
                        int size = certificateChain.size();
                        for (int i = 0; i < size; i++) {
                            String certificateAlias = this.mTrustedCertificateStore.getCertificateAlias((Certificate) certificateChain.get(i), true);
                            if (certificateAlias != null) {
                                arrayList.add(certificateAlias);
                            }
                        }
                    } catch (CertificateException e) {
                        Log.w(KeyChainService.TAG, "Error retrieving cert chain for root " + str);
                        return Collections.emptyList();
                    }
                }
                return arrayList;
            }

            public void setCredentialManagementApp(@NonNull String str, @NonNull AppUriAuthenticationPolicy appUriAuthenticationPolicy) {
                CallerIdentity caller = KeyChainService.this.getCaller();
                Preconditions.checkCallAuthorization(isSystemUid(caller) || hasManageCredentialManagementAppPermission(caller), KeyChainService.MSG_NOT_SYSTEM);
                checkValidAuthenticationPolicy(appUriAuthenticationPolicy);
                synchronized (KeyChainService.this.mCredentialManagementAppLock) {
                    if (KeyChainService.this.mCredentialManagementApp != null) {
                        String packageName = KeyChainService.this.mCredentialManagementApp.getPackageName();
                        if (packageName.equals(str)) {
                            removeOrphanedKeyPairs(appUriAuthenticationPolicy);
                        } else {
                            removeOrphanedKeyPairs(null);
                            setManageCredentialsAppOps(packageName, false);
                        }
                    }
                    setManageCredentialsAppOps(str, true);
                    KeyChainService.this.mCredentialManagementApp = new CredentialManagementApp(str, appUriAuthenticationPolicy);
                    KeyChainService.this.mStateStorage.saveCredentialManagementApp(KeyChainService.this.mCredentialManagementApp);
                }
            }

            private void setManageCredentialsAppOps(String str, boolean z) {
                try {
                    ((AppOpsManager) KeyChainService.this.getSystemService(AppOpsManager.class)).setMode(104, KeyChainService.this.getPackageManager().getApplicationInfo(str, 0).uid, str, z ? 0 : 3);
                } catch (PackageManager.NameNotFoundException e) {
                    Log.e(KeyChainService.TAG, "Unable to find info for package: " + str);
                }
            }

            private void removeOrphanedKeyPairs(@Nullable AppUriAuthenticationPolicy appUriAuthenticationPolicy) {
                Set<String> aliases = KeyChainService.this.mCredentialManagementApp.getAuthenticationPolicy().getAliases();
                Set aliases2 = appUriAuthenticationPolicy != null ? appUriAuthenticationPolicy.getAliases() : new HashSet();
                for (String str : aliases) {
                    if (!aliases2.contains(str)) {
                        removeKeyPairInternal(str);
                    }
                }
            }

            private void checkValidAuthenticationPolicy(@NonNull AppUriAuthenticationPolicy appUriAuthenticationPolicy) {
                if (appUriAuthenticationPolicy == null || appUriAuthenticationPolicy.getAppAndUriMappings().isEmpty()) {
                    throw new IllegalArgumentException("The authentication policy is null or empty");
                }
                for (String str : appUriAuthenticationPolicy.getAliases()) {
                    if (requestPrivateKey(str) != null) {
                        throw new IllegalArgumentException(String.format("The authentication policy contains an installed alias: %s", str));
                    }
                }
            }

            public boolean hasCredentialManagementApp() {
                boolean z;
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                synchronized (KeyChainService.this.mCredentialManagementAppLock) {
                    z = KeyChainService.this.mCredentialManagementApp != null;
                }
                return z;
            }

            @Nullable
            public String getCredentialManagementAppPackageName() {
                String packageName;
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                synchronized (KeyChainService.this.mCredentialManagementAppLock) {
                    packageName = KeyChainService.this.mCredentialManagementApp != null ? KeyChainService.this.mCredentialManagementApp.getPackageName() : null;
                }
                return packageName;
            }

            @Nullable
            public AppUriAuthenticationPolicy getCredentialManagementAppPolicy() {
                AppUriAuthenticationPolicy authenticationPolicy;
                CallerIdentity caller = KeyChainService.this.getCaller();
                Preconditions.checkCallAuthorization(isSystemUid(caller) || isCredentialManagementApp(caller), KeyChainService.MSG_NOT_SYSTEM_OR_CRED_MNG_APP);
                synchronized (KeyChainService.this.mCredentialManagementAppLock) {
                    authenticationPolicy = KeyChainService.this.mCredentialManagementApp != null ? KeyChainService.this.mCredentialManagementApp.getAuthenticationPolicy() : null;
                }
                return authenticationPolicy;
            }

            @Nullable
            public String getPredefinedAliasForPackageAndUri(@NonNull String str, @Nullable Uri uri) {
                Preconditions.checkCallAuthorization(isSystemUid(KeyChainService.this.getCaller()), KeyChainService.MSG_NOT_SYSTEM);
                synchronized (KeyChainService.this.mCredentialManagementAppLock) {
                    if (KeyChainService.this.mCredentialManagementApp == null || uri == null) {
                        return null;
                    }
                    Map<Uri, String> map = KeyChainService.this.mCredentialManagementApp.getAuthenticationPolicy().getAppAndUriMappings().get(str);
                    return map != null ? map.get(uri) : null;
                }
            }

            public void removeCredentialManagementApp() {
                CallerIdentity caller = KeyChainService.this.getCaller();
                Preconditions.checkCallAuthorization(isSystemUid(caller) || isCredentialManagementApp(caller) || hasManageCredentialManagementAppPermission(caller), KeyChainService.MSG_NOT_SYSTEM_OR_CRED_MNG_APP);
                synchronized (KeyChainService.this.mCredentialManagementAppLock) {
                    if (KeyChainService.this.mCredentialManagementApp != null) {
                        removeOrphanedKeyPairs(null);
                        setManageCredentialsAppOps(KeyChainService.this.mCredentialManagementApp.getPackageName(), false);
                    }
                    KeyChainService.this.mCredentialManagementApp = null;
                    KeyChainService.this.mStateStorage.saveCredentialManagementApp(KeyChainService.this.mCredentialManagementApp);
                }
            }

            public boolean isCredentialManagementApp(@NonNull String str) {
                boolean equals;
                CallerIdentity caller = KeyChainService.this.getCaller();
                Preconditions.checkCallAuthorization(isSystemUid(caller) || isCredentialManagementApp(caller), KeyChainService.MSG_NOT_SYSTEM_OR_CRED_MNG_APP);
                synchronized (KeyChainService.this.mCredentialManagementAppLock) {
                    equals = str.equals(KeyChainService.this.mCredentialManagementApp.getPackageName());
                }
                return equals;
            }
        };
        this.mInjector = new Injector();
    }

    private KeyStore getKeyStore() {
        try {
            KeyStore keyStoreInstance = this.mInjector.getKeyStoreInstance();
            keyStoreInstance.load(null);
            return keyStoreInstance;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            Log.e(TAG, "Error opening AndroidKeyStore.", e);
            throw new RuntimeException("Error opening AndroidKeyStore.", e);
        }
    }

    private KeyStore getKeyStore(boolean z) {
        if (!z) {
            return this.mKeyStore;
        }
        try {
            KeyStore keyStoreInstance = this.mInjector.getKeyStoreInstance();
            keyStoreInstance.load(new AndroidKeyStoreLoadStoreParameter(102));
            return keyStoreInstance;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            Log.e(TAG, "Failed to open AndroidKeyStore for WI-FI namespace.", e);
            return null;
        }
    }

    @Override // android.app.IntentService, android.app.Service
    public void onCreate() {
        super.onCreate();
        this.mKeyStore = getKeyStore();
        this.mGrantsDb = new GrantsDatabase(this, new KeyStoreAliasesProvider(this.mKeyStore));
        this.mStateStorage = new KeyChainStateStorage(getDataDir());
        synchronized (this.mCredentialManagementAppLock) {
            this.mCredentialManagementApp = this.mStateStorage.loadCredentialManagementApp();
        }
    }

    @Override // android.app.IntentService, android.app.Service
    public void onDestroy() {
        super.onDestroy();
        this.mGrantsDb.destroy();
        this.mGrantsDb = null;
    }

    private KeyDescriptor makeKeyDescriptor(String str) {
        KeyDescriptor keyDescriptor = new KeyDescriptor();
        keyDescriptor.domain = 0;
        keyDescriptor.nspace = -1L;
        keyDescriptor.alias = str;
        keyDescriptor.blob = null;
        return keyDescriptor;
    }

    @Override // android.app.IntentService, android.app.Service
    public IBinder onBind(Intent intent) {
        if (IKeyChainService.class.getName().equals(intent.getAction())) {
            return this.mIKeyChainService;
        }
        return null;
    }

    @Override // android.app.IntentService
    protected void onHandleIntent(Intent intent) {
        if ("android.intent.action.PACKAGE_REMOVED".equals(intent.getAction())) {
            this.mGrantsDb.purgeOldGrants(getPackageManager());
        }
    }

    private void broadcastLegacyStorageChange() {
        Intent intent = new Intent("android.security.STORAGE_CHANGED");
        BroadcastOptions makeBasic = BroadcastOptions.makeBasic();
        makeBasic.setMaxManifestReceiverApiLevel(25);
        sendBroadcastAsUser(intent, UserHandle.of(UserHandle.myUserId()), null, makeBasic.toBundle());
    }

    private void broadcastKeychainChange() {
        sendBroadcastAsUser(new Intent("android.security.action.KEYCHAIN_CHANGED"), UserHandle.of(UserHandle.myUserId()));
    }

    private void broadcastTrustStoreChange() {
        sendBroadcastAsUser(new Intent("android.security.action.TRUST_STORE_CHANGED"), UserHandle.of(UserHandle.myUserId()));
    }

    private void broadcastPermissionChange(int i, String str, boolean z) {
        String[] packagesForUid = getPackageManager().getPackagesForUid(i);
        if (packagesForUid == null) {
            return;
        }
        for (String str2 : packagesForUid) {
            Intent intent = new Intent("android.security.action.KEY_ACCESS_CHANGED");
            intent.putExtra("android.security.extra.KEY_ALIAS", str);
            intent.putExtra("android.security.extra.KEY_ACCESSIBLE", z);
            intent.setPackage(str2);
            sendBroadcastAsUser(intent, UserHandle.of(UserHandle.myUserId()));
        }
    }

    private static String emptyOrBase64Encoded(byte[] bArr) {
        return bArr == null ? "" : Base64.encodeToString(bArr, 2);
    }

    private CallerIdentity getCaller() {
        return new CallerIdentity();
    }

    @VisibleForTesting
    void setInjector(Injector injector) {
        this.mInjector = injector;
    }
}
