package com.android.keychain;

import android.app.BroadcastOptions;
import android.app.IntentService;
import android.app.admin.SecurityLog;
import android.content.Context;
import android.content.Intent;
import android.content.pm.StringParceledListSlice;
import android.os.Binder;
import android.os.IBinder;
import android.os.UserHandle;
import android.security.Credentials;
import android.security.IKeyChainService;
import android.security.KeyStore;
import android.security.keymaster.KeymasterArguments;
import android.security.keymaster.KeymasterCertificateChain;
import android.security.keystore.AttestationUtils;
import android.security.keystore.DeviceIdAttestationException;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.ParcelableKeyGenParameterSpec;
import android.security.keystore.StrongBoxUnavailableException;
import android.text.TextUtils;
import android.util.Log;
import com.android.internal.annotations.VisibleForTesting;
import com.android.keychain.internal.ExistingKeysProvider;
import com.android.keychain.internal.GrantsDatabase;
import com.android.org.conscrypt.TrustedCertificateStore;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/* loaded from: classes.dex */
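/**
 * Service that exposes the {@link IKeyChainService} binder interface: user key pairs and their
 * certificates held in {@link KeyStore}, per-UID access grants held in {@link GrantsDatabase},
 * and the user/system CA trust store held in {@link TrustedCertificateStore}.
 *
 * <p>This listing is decompiler output. Parameter names are the decompiler's placeholders and are
 * kept so the member signatures match the listing; each one is described in the member's Javadoc.
 *
 * <p>Authorization model visible in this file: mutating calls are gated on the binder caller
 * being the system UID ({@code checkSystemCaller}) or, for installs and removals, the
 * {@code com.android.certinstaller} package ({@code checkCertInstallerOrSystemCaller}). Reads of
 * key material are gated on an entry in the grants database for the calling UID.
 */
public class KeyChainService extends IntentService {
    // Per-UID grant and "user selectable" state; created in onCreate(), released in onDestroy().
    private GrantsDatabase mGrantsDb;
    // Binder implementation returned from onBind().
    private final IKeyChainService.Stub mIKeyChainService;
    // Indirection over Binder/SecurityLog statics so tests can substitute them.
    private Injector mInjector;
    private final KeyStore mKeyStore;

    /**
     * Wraps the static framework calls this service depends on (calling UID, security logging).
     *
     * <p>Decompiler note: the listing reports this class as package-private in the bytecode; the
     * widened modifier is kept here so the member signature matches the listing.
     */
    @VisibleForTesting
    public static class Injector {
        Injector() {
        }

        /** Returns {@link Binder#getCallingUid()}. */
        public int getCallingUid() {
            return Binder.getCallingUid();
        }

        /** Returns {@link SecurityLog#isLoggingEnabled()}. */
        public boolean isSecurityLoggingEnabled() {
            return SecurityLog.isLoggingEnabled();
        }

        /** Forwards to {@link SecurityLog#writeEvent(int, Object...)}. */
        public void writeSecurityEvent(int i, Object... objArr) {
            SecurityLog.writeEvent(i, objArr);
        }
    }

    /** Lists the user private-key aliases currently present in the keystore. */
    private static class KeyStoreAliasesProvider implements ExistingKeysProvider {
        private final KeyStore mKeyStore;

        KeyStoreAliasesProvider(KeyStore keyStore) {
            this.mKeyStore = keyStore;
        }

        /**
         * Returns every keystore entry under the {@code USRPKEY_} prefix with the prefix
         * stripped, skipping aliases that start with {@code synthetic_password_}.
         *
         * @return a mutable list of aliases; empty when the keystore listing is {@code null}
         */
        @Override // com.android.keychain.internal.ExistingKeysProvider
        public List<String> getExistingKeyAliases() {
            List<String> aliases = new ArrayList<>();
            String[] prefixedAliases = this.mKeyStore.list("USRPKEY_");
            if (prefixedAliases == null) {
                return aliases;
            }
            for (String prefixedAlias : prefixedAliases) {
                // NOTE(review): every alias is written to logcat at WARN level, including the
                // synthetic_password_ entries that are filtered out below.
                Log.w("KeyChain", "Got Alias from KeyStore: " + prefixedAlias);
                String alias = prefixedAlias.replaceFirst("^USRPKEY_", "");
                if (!alias.startsWith("synthetic_password_")) {
                    aliases.add(alias);
                }
            }
            return aliases;
        }
    }

    /** Creates the service, its keystore handle, the binder stub and the default injector. */
    public KeyChainService() {
        super(KeyChainService.class.getSimpleName());
        this.mKeyStore = KeyStore.getInstance();
        this.mIKeyChainService = new IKeyChainService.Stub() { // from class: com.android.keychain.KeyChainService.1
            private final Context mContext = KeyChainService.this;
            // Also used as the monitor for every trust-store read and write in this stub.
            private final TrustedCertificateStore mTrustedCertificateStore = new TrustedCertificateStore();

            /** Resolves the binder caller's UID to a package name via the package manager. */
            private String callingPackage() {
                int callingUid = KeyChainService.this.mInjector.getCallingUid();
                return KeyChainService.this.getPackageManager().getNameForUid(callingUid);
            }

            /**
             * Allows the call only for the system UID or the {@code com.android.certinstaller}
             * package.
             *
             * @throws SecurityException for any other caller
             */
            private void checkCertInstallerOrSystemCaller() {
                String caller = callingPackage();
                boolean allowed = isCallerWithSystemUid() || "com.android.certinstaller".equals(caller);
                if (!allowed) {
                    throw new SecurityException("Not system or cert installer package: " + caller);
                }
            }

            /**
             * Asks the keystore to attest {@code USRPKEY_<alias>} and maps its result code.
             *
             * @param str the key alias, without the {@code USRPKEY_} prefix
             * @param keymasterCertificateChain output holder passed through to the keystore
             * @param keymasterArguments attestation arguments passed through to the keystore
             * @return 0 when the keystore returns 1; 3 when it returns -66; 4 for any other code
             */
            private int checkKeyChainStatus(String str, KeymasterCertificateChain keymasterCertificateChain, KeymasterArguments keymasterArguments) {
                int keystoreResult = KeyChainService.this.mKeyStore.attestKey("USRPKEY_" + str, keymasterArguments, keymasterCertificateChain);
                if (keystoreResult == 1) {
                    return 0;
                }
                Log.e("KeyChain", String.format("Failure attesting for key %s: %d", str, Integer.valueOf(keystoreResult)));
                // presumably -66 is the keymaster "cannot attest IDs" error; confirm against KeymasterDefs
                return keystoreResult == -66 ? 3 : 4;
            }

            /**
             * Allows the call only for the system UID.
             *
             * @throws SecurityException for any other caller
             */
            private void checkSystemCaller() {
                if (!isCallerWithSystemUid()) {
                    throw new SecurityException("Not system package: " + callingPackage());
                }
            }

            /**
             * Deletes one CA certificate entry from the trust store and, when security logging
             * is enabled, records the outcome as security event 210030.
             *
             * <p>The decompiler could not emit Java for this method and left only a register
             * dump plus a stub that always threw {@link UnsupportedOperationException}. This body
             * is reconstructed statement by statement from that dump; the caught types come from
             * the decompiler's try/catch annotation.
             *
             * @param str the trust-store alias to delete
             * @return {@code true} when the entry was deleted, {@code false} when the trust store
             *     threw {@link IOException} or {@link CertificateException}
             */
            private boolean deleteCertificateEntry(String str) {
                // The subject is captured before deletion because the certificate cannot be
                // looked up afterwards; it stays null when logging is off or the entry is not
                // an X.509 certificate, in which case no security event is written.
                String subjectForAudit = null;
                if (KeyChainService.this.mInjector.isSecurityLoggingEnabled()) {
                    Certificate certificate = this.mTrustedCertificateStore.getCertificate(str);
                    if (certificate instanceof X509Certificate) {
                        subjectForAudit = ((X509Certificate) certificate).getSubjectX500Principal().getName("CANONICAL");
                    }
                }
                try {
                    this.mTrustedCertificateStore.deleteCertificateEntry(str);
                    if (subjectForAudit != null) {
                        // 210030 matches SecurityLog.TAG_CERT_AUTHORITY_REMOVED; 1 = success.
                        KeyChainService.this.mInjector.writeSecurityEvent(210030, 1, subjectForAudit);
                    }
                    return true;
                } catch (IOException | CertificateException e) {
                    Log.w("KeyChain", "Problem removing CA certificate " + str, e);
                    if (subjectForAudit != null) {
                        // Failed removals are audited too, with result 0.
                        KeyChainService.this.mInjector.writeSecurityEvent(210030, 0, subjectForAudit);
                    }
                    return false;
                }
            }

            /**
             * Checks whether the binder caller's UID has a grant for the alias.
             *
             * @param str the key alias
             * @return {@code true} when the grants database has an entry for (calling UID, alias)
             * @throws NullPointerException when the alias is {@code null}
             */
            private boolean hasGrant(String str) {
                validateAlias(str);
                int callingUid = KeyChainService.this.mInjector.getCallingUid();
                if (KeyChainService.this.mGrantsDb.hasGrant(callingUid, str)) {
                    return true;
                }
                Log.w("KeyChain", String.format("uid %d doesn't have permission to access the requested alias %s", Integer.valueOf(callingUid), str));
                return false;
            }

            /**
             * Returns whether the binder caller shares an app id with UID 1000 (the system UID).
             *
             * <p>NOTE(review): this reads {@link Binder#getCallingUid()} directly, while
             * {@code callingPackage()} and {@code hasGrant(String)} go through the injector.
             */
            private boolean isCallerWithSystemUid() {
                return UserHandle.isSameApp(Binder.getCallingUid(), 1000);
            }

            /**
             * Parses one DER/PEM-encoded X.509 certificate.
             *
             * @throws CertificateException when the bytes do not parse
             */
            private X509Certificate parseCertificate(byte[] bArr) throws CertificateException {
                CertificateFactory factory = CertificateFactory.getInstance("X.509");
                return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(bArr));
            }

            /**
             * Rejects a {@code null} alias.
             *
             * @throws NullPointerException when the alias is {@code null}
             */
            private void validateAlias(String str) {
                if (str == null) {
                    throw new NullPointerException("alias == null");
                }
            }

            /**
             * Produces an attestation certificate chain for a KeyChain key. System callers only.
             *
             * @param str the key alias
             * @param bArr the attestation challenge; must not be {@code null}
             * @param iArr device-ID attestation types, passed through to {@link AttestationUtils}
             * @param keymasterCertificateChain output holder filled by the keystore
             * @return 0 on success; 1 when the challenge is missing; 2 when attestation data
             *     could not be collected; 3 or 4 as mapped by {@code checkKeyChainStatus}
             * @throws SecurityException when the caller is not the system UID
             */
            public int attestKey(String str, byte[] bArr, int[] iArr, KeymasterCertificateChain keymasterCertificateChain) {
                checkSystemCaller();
                validateAlias(str);
                if (bArr == null) {
                    Log.e("KeyChain", String.format("Missing attestation challenge for alias %s", str));
                    return 1;
                }
                try {
                    KeymasterArguments attestArgs = AttestationUtils.prepareAttestationArguments(this.mContext, iArr, bArr);
                    int firstStatus = checkKeyChainStatus(str, keymasterCertificateChain, attestArgs);
                    if (firstStatus == 3) {
                        // Second attempt with the argument set meant for misprovisioned devices.
                        try {
                            attestArgs = AttestationUtils.prepareAttestationArgumentsIfMisprovisioned(this.mContext, iArr, bArr);
                            if (attestArgs == null) {
                                return firstStatus;
                            }
                        } catch (DeviceIdAttestationException e) {
                            Log.e("KeyChain", "Failed collecting attestation data during second attempt on misprovisioned device", e);
                            return 2;
                        }
                    }
                    // NOTE(review): this second keystore call also runs when the first attempt
                    // already returned 0 or 4, with unchanged arguments; confirm that repeating
                    // the attestation in those cases is intended.
                    return checkKeyChainStatus(str, keymasterCertificateChain, attestArgs);
                } catch (DeviceIdAttestationException e2) {
                    Log.e("KeyChain", "Failed collecting attestation data", e2);
                    return 2;
                }
            }

            /** Returns whether the trust store contains the alias. No caller check is made here. */
            public boolean containsCaAlias(String str) {
                return this.mTrustedCertificateStore.containsAlias(str);
            }

            /**
             * Removes a CA certificate from the trust store. System callers only.
             *
             * @param str the trust-store alias
             * @return the result of {@code deleteCertificateEntry}
             * @throws SecurityException when the caller is not the system UID
             */
            public boolean deleteCaCertificate(String str) {
                checkSystemCaller();
                boolean deleted;
                synchronized (this.mTrustedCertificateStore) {
                    deleted = deleteCertificateEntry(str);
                }
                // Broadcasts are sent whether or not the deletion succeeded.
                KeyChainService.this.broadcastTrustStoreChange();
                KeyChainService.this.broadcastLegacyStorageChange();
                return deleted;
            }

            /**
             * Generates a key pair in the AndroidKeyStore provider. System callers only.
             *
             * <p>Any existing key pair under the same alias is removed first, which also revokes
             * its grants (see {@code removeKeyPair}).
             *
             * @param str the key algorithm name handed to {@link KeyPairGenerator#getInstance}
             * @param parcelableKeyGenParameterSpec the generation spec; its alias must be
             *     non-empty, its uid must be -1 and it must carry no attestation challenge
             * @return 0 on success; 1 for an empty alias or a specified uid; 2 when a challenge
             *     is present; 3 unknown algorithm; 4 invalid parameters; 5 provider missing;
             *     6 StrongBox unavailable; 7 when removal of the old alias or generation fails
             * @throws SecurityException when the caller is not the system UID
             */
            public int generateKeyPair(String str, ParcelableKeyGenParameterSpec parcelableKeyGenParameterSpec) {
                checkSystemCaller();
                KeyGenParameterSpec spec = parcelableKeyGenParameterSpec.getSpec();
                String alias = spec.getKeystoreAlias();
                if (TextUtils.isEmpty(alias) || spec.getUid() != -1) {
                    Log.e("KeyChain", "Cannot generate key pair with empty alias or specified uid.");
                    return 1;
                }
                if (spec.getAttestationChallenge() != null) {
                    Log.e("KeyChain", "Key generation request should not include an Attestation challenge.");
                    return 2;
                }
                if (!removeKeyPair(alias)) {
                    Log.e("KeyChain", "Failed to remove previously-installed alias " + alias);
                    return 7;
                }
                try {
                    KeyPairGenerator generator = KeyPairGenerator.getInstance(str, "AndroidKeyStore");
                    generator.initialize(spec);
                    if (generator.generateKeyPair() != null) {
                        return 0;
                    }
                    Log.e("KeyChain", "Key generation failed.");
                    return 7;
                } catch (StrongBoxUnavailableException e) {
                    Log.e("KeyChain", "StrongBox unavailable.", e);
                    return 6;
                } catch (InvalidAlgorithmParameterException e2) {
                    Log.e("KeyChain", "Invalid algorithm params", e2);
                    return 4;
                } catch (NoSuchAlgorithmException e3) {
                    Log.e("KeyChain", "Invalid algorithm requested", e3);
                    return 3;
                } catch (NoSuchProviderException e4) {
                    Log.e("KeyChain", "Could not find Keystore.", e4);
                    return 5;
                }
            }

            /**
             * Returns the trust-store aliases of the chain built from the given certificate.
             * No caller check is made here.
             *
             * @param str alias of the certificate the chain starts from
             * @param z passed as the second argument of
             *     {@code TrustedCertificateStore.getCertificate(String, boolean)}
             * @return aliases of the chain members that have one; an empty list when the chain
             *     cannot be built
             */
            public List<String> getCaCertificateChainAliases(String str, boolean z) {
                ArrayList<String> chainAliases;
                synchronized (this.mTrustedCertificateStore) {
                    try {
                        X509Certificate start = (X509Certificate) this.mTrustedCertificateStore.getCertificate(str, z);
                        List<X509Certificate> chain = this.mTrustedCertificateStore.getCertificateChain(start);
                        chainAliases = new ArrayList<>(chain.size());
                        for (Certificate member : chain) {
                            String memberAlias = this.mTrustedCertificateStore.getCertificateAlias(member, true);
                            if (memberAlias != null) {
                                chainAliases.add(memberAlias);
                            }
                        }
                    } catch (CertificateException unused) {
                        Log.w("KeyChain", "Error retrieving cert chain for root " + str);
                        return Collections.emptyList();
                    }
                }
                return chainAliases;
            }

            /**
             * Returns the keystore blob stored under {@code CACERT_<alias>}.
             *
             * @return the blob, or {@code null} when the calling UID has no grant for the alias
             */
            public byte[] getCaCertificates(String str) {
                if (!hasGrant(str)) {
                    return null;
                }
                return KeyChainService.this.mKeyStore.get("CACERT_" + str);
            }

            /**
             * Returns the keystore blob stored under {@code USRCERT_<alias>}.
             *
             * @return the blob, or {@code null} when the calling UID has no grant for the alias
             */
            public byte[] getCertificate(String str) {
                if (!hasGrant(str)) {
                    return null;
                }
                return KeyChainService.this.mKeyStore.get("USRCERT_" + str);
            }

            /**
             * Returns the encoded form of a CA certificate from the trust store. No caller check
             * is made here.
             *
             * @return the encoding, or {@code null} when the alias is unknown or encoding fails
             */
            public byte[] getEncodedCaCertificate(String str, boolean z) {
                synchronized (this.mTrustedCertificateStore) {
                    X509Certificate certificate = (X509Certificate) this.mTrustedCertificateStore.getCertificate(str, z);
                    if (certificate == null) {
                        Log.w("KeyChain", "Could not find CA certificate " + str);
                        return null;
                    }
                    try {
                        return certificate.getEncoded();
                    } catch (CertificateEncodingException unused) {
                        Log.w("KeyChain", "Error while encoding CA certificate " + str);
                        return null;
                    }
                }
            }

            /** Returns a snapshot of the trust store's system aliases. No caller check is made here. */
            public StringParceledListSlice getSystemCaAliases() {
                synchronized (this.mTrustedCertificateStore) {
                    return new StringParceledListSlice(new ArrayList<String>(this.mTrustedCertificateStore.allSystemAliases()));
                }
            }

            /** Returns a snapshot of the trust store's user aliases. No caller check is made here. */
            public StringParceledListSlice getUserCaAliases() {
                synchronized (this.mTrustedCertificateStore) {
                    return new StringParceledListSlice(new ArrayList<String>(this.mTrustedCertificateStore.userAliases()));
                }
            }

            /**
             * Reports whether an arbitrary UID holds a grant for the alias. System callers only.
             *
             * @throws SecurityException when the caller is not the system UID
             */
            public boolean hasGrant(int i, String str) {
                checkSystemCaller();
                return KeyChainService.this.mGrantsDb.hasGrant(i, str);
            }

            /**
             * Installs a CA certificate into the trust store. System or cert-installer callers
             * only. When security logging is enabled the outcome is recorded as event 210029.
             *
             * @param bArr the encoded X.509 certificate
             * @return the alias the trust store reports for the installed certificate
             * @throws SecurityException when the caller is neither system nor the cert installer
             * @throws IllegalStateException wrapping the parse or install failure
             */
            public String installCaCertificate(byte[] bArr) {
                checkCertInstallerOrSystemCaller();
                // Declared outside the try so the failure path can audit it. The listing used an
                // undeclared register name (r4) here, which does not compile.
                String subjectForAudit = null;
                try {
                    X509Certificate certificate = parseCertificate(bArr);
                    if (KeyChainService.this.mInjector.isSecurityLoggingEnabled()) {
                        subjectForAudit = certificate.getSubjectX500Principal().getName("CANONICAL");
                    }
                    String installedAlias;
                    synchronized (this.mTrustedCertificateStore) {
                        this.mTrustedCertificateStore.installCertificate(certificate);
                        installedAlias = this.mTrustedCertificateStore.getCertificateAlias(certificate);
                    }
                    if (subjectForAudit != null) {
                        // 210029 matches SecurityLog.TAG_CERT_AUTHORITY_INSTALLED; 1 = success.
                        KeyChainService.this.mInjector.writeSecurityEvent(210029, 1, subjectForAudit);
                    }
                    KeyChainService.this.broadcastLegacyStorageChange();
                    KeyChainService.this.broadcastTrustStoreChange();
                    return installedAlias;
                } catch (IOException | CertificateException e) {
                    // A parse failure leaves the subject null, so only failures after a
                    // successful parse produce a failure event.
                    if (subjectForAudit != null) {
                        KeyChainService.this.mInjector.writeSecurityEvent(210029, 0, subjectForAudit);
                    }
                    throw new IllegalStateException(e);
                }
            }

            /**
             * Imports a private key, its certificate and an optional CA chain under one alias.
             * System or cert-installer callers only. Any existing entries and grants for the
             * alias are removed first.
             *
             * @param bArr the private key, stored under {@code USRPKEY_<alias>}
             * @param bArr2 the user certificate, stored under {@code USRCERT_<alias>}
             * @param bArr3 the CA chain, stored under {@code CACERT_<alias>}; skipped when
             *     {@code null} or empty
             * @param str the alias
             * @return {@code true} when every part was stored; on failure the parts already
             *     written are rolled back on a best-effort basis
             * @throws SecurityException when the caller is neither system nor the cert installer
             */
            public boolean installKeyPair(byte[] bArr, byte[] bArr2, byte[] bArr3, String str) {
                checkCertInstallerOrSystemCaller();
                if (!removeKeyPair(str)) {
                    return false;
                }
                if (!KeyChainService.this.mKeyStore.importKey("USRPKEY_" + str, bArr, -1, 0)) {
                    Log.e("KeyChain", "Failed to import private key " + str);
                    return false;
                }
                if (!KeyChainService.this.mKeyStore.put("USRCERT_" + str, bArr2, -1, 0)) {
                    // Log the alias: concatenating the byte[] only printed its identity hash.
                    Log.e("KeyChain", "Failed to import user certificate for alias " + str);
                    if (!KeyChainService.this.mKeyStore.delete("USRPKEY_" + str)) {
                        Log.e("KeyChain", "Failed to delete private key after certificate importing failed");
                    }
                    return false;
                }
                boolean hasChain = bArr3 != null && bArr3.length > 0;
                if (hasChain && !KeyChainService.this.mKeyStore.put("CACERT_" + str, bArr3, -1, 0)) {
                    // Log the alias: concatenating the byte[] only printed its identity hash.
                    Log.e("KeyChain", "Failed to import certificate chain for alias " + str);
                    if (!removeKeyPair(str)) {
                        Log.e("KeyChain", "Failed to clean up key chain after certificate chain importing failed");
                    }
                    return false;
                }
                KeyChainService.this.broadcastKeychainChange();
                KeyChainService.this.broadcastLegacyStorageChange();
                return true;
            }

            /**
             * Returns the grants database's "user selectable" flag for the alias. No caller
             * check is made here.
             *
             * @throws NullPointerException when the alias is {@code null}
             */
            public boolean isUserSelectable(String str) {
                validateAlias(str);
                return KeyChainService.this.mGrantsDb.isUserSelectable(str);
            }

            /**
             * Deletes every keystore entry type for the alias and drops its grant information.
             * System or cert-installer callers only.
             *
             * @return {@code false} when the keystore deletion fails, in which case grants are
             *     left untouched and no broadcast is sent
             * @throws SecurityException when the caller is neither system nor the cert installer
             */
            public boolean removeKeyPair(String str) {
                checkCertInstallerOrSystemCaller();
                if (!Credentials.deleteAllTypesForAlias(KeyChainService.this.mKeyStore, str)) {
                    return false;
                }
                Log.w("KeyChain", String.format("WARNING: Removing alias %s, existing grants will be revoked.", str));
                KeyChainService.this.mGrantsDb.removeAliasInformation(str);
                KeyChainService.this.broadcastKeychainChange();
                KeyChainService.this.broadcastLegacyStorageChange();
                return true;
            }

            /**
             * Grants the calling UID keystore access to {@code USRPKEY_<alias>}.
             *
             * @return the value returned by {@code KeyStore.grant}, or {@code null} when the
             *     calling UID has no entry in the grants database for the alias
             */
            public String requestPrivateKey(String str) {
                if (!hasGrant(str)) {
                    return null;
                }
                int callingUid = KeyChainService.this.mInjector.getCallingUid();
                return KeyChainService.this.mKeyStore.grant("USRPKEY_" + str, callingUid);
            }

            /**
             * Clears all grant information and deletes every user CA certificate. System
             * callers only.
             *
             * @return {@code true} only when every user certificate was deleted
             * @throws SecurityException when the caller is not the system UID
             */
            public boolean reset() {
                checkSystemCaller();
                KeyChainService.this.mGrantsDb.removeAllAliasesInformation();
                boolean allDeleted = true;
                synchronized (this.mTrustedCertificateStore) {
                    for (String alias : this.mTrustedCertificateStore.aliases()) {
                        // Keep going after a failure so one bad entry does not leave the rest.
                        if (TrustedCertificateStore.isUser(alias) && !deleteCertificateEntry(alias)) {
                            allDeleted = false;
                        }
                    }
                }
                KeyChainService.this.broadcastTrustStoreChange();
                KeyChainService.this.broadcastKeychainChange();
                KeyChainService.this.broadcastLegacyStorageChange();
                return allDeleted;
            }

            /**
             * Sets or clears a UID's grant for an alias and notifies that UID's packages.
             * System callers only.
             *
             * @throws SecurityException when the caller is not the system UID
             */
            public void setGrant(int i, String str, boolean z) {
                checkSystemCaller();
                KeyChainService.this.mGrantsDb.setGrant(i, str, z);
                KeyChainService.this.broadcastPermissionChange(i, str, z);
                KeyChainService.this.broadcastLegacyStorageChange();
            }

            /**
             * Replaces the certificate and CA chain stored for an existing alias. System callers
             * only.
             *
             * @param str the alias
             * @param bArr the user certificate, stored under {@code USRCERT_<alias>}
             * @param bArr2 the CA chain; when {@code null} or empty the {@code CACERT_<alias>}
             *     entry is deleted instead
             * @return {@code true} when the certificate (and chain, if given) was stored
             * @throws SecurityException when the caller is not the system UID
             */
            public boolean setKeyPairCertificate(String str, byte[] bArr, byte[] bArr2) {
                checkSystemCaller();
                if (!KeyChainService.this.mKeyStore.put("USRCERT_" + str, bArr, -1, 0)) {
                    // Log the alias: concatenating the byte[] only printed its identity hash.
                    Log.e("KeyChain", "Failed to import user certificate for alias " + str);
                    return false;
                }
                boolean hasChain = bArr2 != null && bArr2.length > 0;
                if (!hasChain) {
                    // A failed delete is logged but does not fail the call.
                    if (!KeyChainService.this.mKeyStore.delete("CACERT_" + str)) {
                        Log.e("KeyChain", "Failed to remove CA certificate chain for alias " + str);
                    }
                } else if (!KeyChainService.this.mKeyStore.put("CACERT_" + str, bArr2, -1, 0)) {
                    // Log the alias: concatenating the byte[] only printed its identity hash.
                    Log.e("KeyChain", "Failed to import certificate chain for alias " + str);
                    if (!KeyChainService.this.mKeyStore.delete("USRCERT_" + str)) {
                        Log.e("KeyChain", "Failed to clean up key chain after certificate chain importing failed");
                    }
                    return false;
                }
                KeyChainService.this.broadcastKeychainChange();
                KeyChainService.this.broadcastLegacyStorageChange();
                return true;
            }

            /**
             * Sets the "user selectable" flag for an alias. System callers only.
             *
             * <p>NOTE(review): the alias is validated before the caller check, so a non-system
             * caller passing {@code null} sees a NullPointerException rather than a
             * SecurityException. The order is kept as in the listing.
             *
             * @throws NullPointerException when the alias is {@code null}
             * @throws SecurityException when the caller is not the system UID
             */
            public void setUserSelectable(String str, boolean z) {
                validateAlias(str);
                checkSystemCaller();
                KeyChainService.this.mGrantsDb.setIsUserSelectable(str, z);
            }
        };
        this.mInjector = new Injector();
    }

    /**
     * Broadcasts {@code android.security.action.KEYCHAIN_CHANGED} to the current user.
     *
     * <p>Decompiler note: reported as private in the bytecode; the widened modifier is kept.
     */
    public void broadcastKeychainChange() {
        Intent changed = new Intent("android.security.action.KEYCHAIN_CHANGED");
        sendBroadcastAsUser(changed, UserHandle.of(UserHandle.myUserId()));
    }

    /**
     * Broadcasts {@code android.security.STORAGE_CHANGED} to the current user, with manifest
     * receivers limited to apps targeting API level 25 or lower.
     *
     * <p>Decompiler note: reported as private in the bytecode; the widened modifier is kept.
     */
    public void broadcastLegacyStorageChange() {
        Intent changed = new Intent("android.security.STORAGE_CHANGED");
        BroadcastOptions options = BroadcastOptions.makeBasic();
        options.setMaxManifestReceiverApiLevel(25);
        sendBroadcastAsUser(changed, UserHandle.of(UserHandle.myUserId()), null, options.toBundle());
    }

    /**
     * Sends {@code android.security.action.KEY_ACCESS_CHANGED} to each package of the UID, as
     * an explicit per-package broadcast carrying the alias and the new accessibility flag.
     *
     * <p>Decompiler note: reported as private in the bytecode; the widened modifier is kept.
     *
     * @param i the UID whose grant changed
     * @param str the key alias
     * @param z whether the key is now accessible to that UID
     */
    public void broadcastPermissionChange(int i, String str, boolean z) {
        String[] packages = getPackageManager().getPackagesForUid(i);
        if (packages == null) {
            return;
        }
        for (String packageName : packages) {
            Intent changed = new Intent("android.security.action.KEY_ACCESS_CHANGED");
            changed.putExtra("android.security.extra.KEY_ALIAS", str);
            changed.putExtra("android.security.extra.KEY_ACCESSIBLE", z);
            // setPackage restricts delivery to the affected package only.
            changed.setPackage(packageName);
            sendBroadcastAsUser(changed, UserHandle.of(UserHandle.myUserId()));
        }
    }

    /**
     * Broadcasts {@code android.security.action.TRUST_STORE_CHANGED} to the current user.
     *
     * <p>Decompiler note: reported as private in the bytecode; the widened modifier is kept.
     */
    public void broadcastTrustStoreChange() {
        Intent changed = new Intent("android.security.action.TRUST_STORE_CHANGED");
        sendBroadcastAsUser(changed, UserHandle.of(UserHandle.myUserId()));
    }

    /**
     * Returns the binder stub when the intent action equals the {@link IKeyChainService} class
     * name, and {@code null} for any other action.
     */
    @Override // android.app.IntentService, android.app.Service
    public IBinder onBind(Intent intent) {
        boolean isKeyChainBind = IKeyChainService.class.getName().equals(intent.getAction());
        return isKeyChainBind ? this.mIKeyChainService : null;
    }

    /** Creates the grants database, backed by the keystore's current user key aliases. */
    @Override // android.app.IntentService, android.app.Service
    public void onCreate() {
        super.onCreate();
        this.mGrantsDb = new GrantsDatabase(this, new KeyStoreAliasesProvider(this.mKeyStore));
    }

    /** Releases the grants database. */
    @Override // android.app.IntentService, android.app.Service
    public void onDestroy() {
        super.onDestroy();
        this.mGrantsDb.destroy();
        this.mGrantsDb = null;
    }

    /** Purges stale grants when a {@code PACKAGE_REMOVED} intent is delivered. */
    @Override // android.app.IntentService
    protected void onHandleIntent(Intent intent) {
        if ("android.intent.action.PACKAGE_REMOVED".equals(intent.getAction())) {
            this.mGrantsDb.purgeOldGrants(getPackageManager());
        }
    }

    /** Replaces the injector; intended for tests. */
    @VisibleForTesting
    void setInjector(Injector injector) {
        this.mInjector = injector;
    }
}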
