package com.android.server.security;

import android.Manifest;
import android.annotation.EnforcePermission;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.PackageManagerInternal;
import android.os.Binder;
import android.os.Build;
import android.os.Environment;
import android.os.IBinder;
import android.os.IInstalld;
import android.os.ParcelFileDescriptor;
import android.os.PermissionEnforcer;
import android.os.RemoteException;
import android.os.ResultReceiver;
import android.os.ShellCallback;
import android.os.ShellCommand;
import android.os.UserHandle;
import android.os.storage.StorageManagerInternal;
import android.security.Flags;
import android.security.IFileIntegrityService;
import android.util.Slog;
import com.android.internal.annotations.GuardedBy;
import com.android.internal.security.VerityUtils;
import com.android.server.LocalServices;
import com.android.server.SystemService;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileDescriptor;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Objects;

/* loaded from: input_file:com/android/server/security/FileIntegrityService.class */
public class FileIntegrityService extends SystemService {
    private static final String TAG = "FileIntegrityService";
    private static final int MAX_SIGNATURE_FILE_SIZE_BYTES = 8192;
    private static CertificateFactory sCertFactory;

    @GuardedBy({"mTrustedCertificates"})
    private final ArrayList<X509Certificate> mTrustedCertificates;
    private final IBinder mService;

    /* loaded from: input_file:com/android/server/security/FileIntegrityService$BinderService.class */
    private final class BinderService extends IFileIntegrityService.Stub {
        BinderService(Context context) {
            super(PermissionEnforcer.fromContext(context));
        }

        @Override // android.security.IFileIntegrityService
        public boolean isApkVeritySupported() {
            return VerityUtils.isFsVeritySupported();
        }

        @Override // android.security.IFileIntegrityService
        public boolean isAppSourceCertificateTrusted(@Nullable byte[] bArr, @NonNull String str) {
            boolean contains;
            checkCallerPermission(str);
            if (Flags.deprecateFsvSig()) {
                return false;
            }
            try {
                if (!VerityUtils.isFsVeritySupported()) {
                    return false;
                }
                if (bArr == null) {
                    Slog.w(FileIntegrityService.TAG, "Received a null certificate");
                    return false;
                }
                synchronized (FileIntegrityService.this.mTrustedCertificates) {
                    contains = FileIntegrityService.this.mTrustedCertificates.contains(FileIntegrityService.toCertificate(bArr));
                }
                return contains;
            } catch (CertificateException e) {
                Slog.e(FileIntegrityService.TAG, "Failed to convert the certificate: " + e);
                return false;
            }
        }

        @Override // android.os.Binder
        public void onShellCommand(FileDescriptor fileDescriptor, FileDescriptor fileDescriptor2, FileDescriptor fileDescriptor3, String[] strArr, ShellCallback shellCallback, ResultReceiver resultReceiver) {
            new FileIntegrityServiceShellCommand().exec(this, fileDescriptor, fileDescriptor2, fileDescriptor3, strArr, shellCallback, resultReceiver);
        }

        private void checkCallerPackageName(String str) {
            int callingUid = Binder.getCallingUid();
            if (callingUid != ((PackageManagerInternal) LocalServices.getService(PackageManagerInternal.class)).getPackageUid(str, 0L, UserHandle.getUserId(callingUid))) {
                throw new SecurityException("Calling uid " + callingUid + " does not own package " + str);
            }
        }

        private void checkCallerPermission(String str) {
            checkCallerPackageName(str);
            if (FileIntegrityService.this.getContext().checkCallingPermission(Manifest.permission.INSTALL_PACKAGES) != 0 && ((AppOpsManager) FileIntegrityService.this.getContext().getSystemService(AppOpsManager.class)).checkOpNoThrow(66, Binder.getCallingUid(), str) != 0) {
                throw new SecurityException("Caller should have INSTALL_PACKAGES or REQUEST_INSTALL_PACKAGES");
            }
        }

        @Override // android.security.IFileIntegrityService
        public IInstalld.IFsveritySetupAuthToken createAuthToken(ParcelFileDescriptor parcelFileDescriptor) throws RemoteException {
            Objects.requireNonNull(parcelFileDescriptor);
            try {
                IInstalld.IFsveritySetupAuthToken createFsveritySetupAuthToken = FileIntegrityService.this.getStorageManagerInternal().createFsveritySetupAuthToken(parcelFileDescriptor, Binder.getCallingUid());
                parcelFileDescriptor.close();
                return createFsveritySetupAuthToken;
            } catch (IOException e) {
                throw new RemoteException(e);
            }
        }

        @Override // android.security.IFileIntegrityService
        @EnforcePermission(Manifest.permission.SETUP_FSVERITY)
        public int setupFsverity(IInstalld.IFsveritySetupAuthToken iFsveritySetupAuthToken, String str, String str2) throws RemoteException {
            setupFsverity_enforcePermission();
            Objects.requireNonNull(iFsveritySetupAuthToken);
            Objects.requireNonNull(str);
            Objects.requireNonNull(str2);
            checkCallerPackageName(str2);
            try {
                return FileIntegrityService.this.getStorageManagerInternal().enableFsverity(iFsveritySetupAuthToken, str, str2);
            } catch (IOException e) {
                throw new RemoteException(e);
            }
        }
    }

    /* loaded from: input_file:com/android/server/security/FileIntegrityService$FileIntegrityServiceShellCommand.class */
    private class FileIntegrityServiceShellCommand extends ShellCommand {
        private FileIntegrityServiceShellCommand() {
        }

        @Override // com.android.modules.utils.BasicShellCommandHandler
        public int onCommand(String str) {
            if (!Build.IS_DEBUGGABLE) {
                return -1;
            }
            if (str == null) {
                return handleDefaultCommands(str);
            }
            PrintWriter outPrintWriter = getOutPrintWriter();
            boolean z = -1;
            switch (str.hashCode()) {
                case -1932837641:
                    if (str.equals("append-cert")) {
                        z = false;
                        break;
                    }
                    break;
                case 755125490:
                    if (str.equals("remove-last-cert")) {
                        z = true;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                    String nextArg = getNextArg();
                    if (nextArg == null) {
                        outPrintWriter.println("Invalid argument");
                        outPrintWriter.println("");
                        onHelp();
                        return -1;
                    }
                    ParcelFileDescriptor openFileForSystem = openFileForSystem(nextArg, "r");
                    if (openFileForSystem == null) {
                        outPrintWriter.println("Cannot open the file");
                        return -1;
                    }
                    try {
                        FileIntegrityService.this.collectCertificate(new ParcelFileDescriptor.AutoCloseInputStream(openFileForSystem).readAllBytes());
                        outPrintWriter.println("Certificate is added successfully");
                        return 0;
                    } catch (IOException e) {
                        outPrintWriter.println("Failed to add certificate: " + e);
                        return -1;
                    }
                case true:
                    synchronized (FileIntegrityService.this.mTrustedCertificates) {
                        if (FileIntegrityService.this.mTrustedCertificates.size() == 0) {
                            outPrintWriter.println("Certificate list is already empty");
                            return -1;
                        }
                        FileIntegrityService.this.mTrustedCertificates.remove(FileIntegrityService.this.mTrustedCertificates.size() - 1);
                        outPrintWriter.println("Certificate is removed successfully");
                        return 0;
                    }
                default:
                    outPrintWriter.println("Unknown action");
                    outPrintWriter.println("");
                    onHelp();
                    return -1;
            }
        }

        @Override // com.android.modules.utils.BasicShellCommandHandler
        public void onHelp() {
            PrintWriter outPrintWriter = getOutPrintWriter();
            outPrintWriter.println("File integrity service commands:");
            outPrintWriter.println("  help");
            outPrintWriter.println("    Print this help text.");
            outPrintWriter.println("  append-cert path/to/cert.der");
            outPrintWriter.println("    Add the DER-encoded certificate (only in debug builds)");
            outPrintWriter.println("  remove-last-cert");
            outPrintWriter.println("    Remove the last certificate in the key list (only in debug builds)");
            outPrintWriter.println("");
        }
    }

    public static FileIntegrityService getService() {
        return (FileIntegrityService) LocalServices.getService(FileIntegrityService.class);
    }

    public FileIntegrityService(Context context) {
        super(context);
        this.mTrustedCertificates = new ArrayList<>();
        this.mService = new BinderService(context);
        try {
            sCertFactory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            Slog.wtf(TAG, "Cannot get an instance of X.509 certificate factory");
        }
        LocalServices.addService(FileIntegrityService.class, this);
    }

    private StorageManagerInternal getStorageManagerInternal() {
        return (StorageManagerInternal) LocalServices.getService(StorageManagerInternal.class);
    }

    @Override // com.android.server.SystemService
    public void onStart() {
        loadAllCertificates();
        publishBinderService(Context.FILE_INTEGRITY_SERVICE, this.mService);
    }

    public boolean verifyPkcs7DetachedSignature(String str, String str2) throws IOException {
        if (Files.size(Paths.get(str, new String[0])) > 8192) {
            throw new SecurityException("Signature file is unexpectedly large: " + str);
        }
        byte[] readAllBytes = Files.readAllBytes(Paths.get(str, new String[0]));
        byte[] fsverityDigest = VerityUtils.getFsverityDigest(str2);
        synchronized (this.mTrustedCertificates) {
            Iterator<X509Certificate> it = this.mTrustedCertificates.iterator();
            while (it.hasNext()) {
                try {
                } catch (CertificateEncodingException e) {
                    Slog.w(TAG, "Ignoring ill-formed certificate: " + e);
                }
                if (VerityUtils.verifyPkcs7DetachedSignature(readAllBytes, fsverityDigest, new ByteArrayInputStream(it.next().getEncoded()))) {
                    return true;
                }
            }
            return false;
        }
    }

    private void loadAllCertificates() {
        loadCertificatesFromDirectory(Environment.getRootDirectory().toPath().resolve("etc/security/fsverity"));
        loadCertificatesFromDirectory(Environment.getProductDirectory().toPath().resolve("etc/security/fsverity"));
    }

    private void loadCertificatesFromDirectory(Path path) {
        try {
            File[] listFiles = path.toFile().listFiles();
            if (listFiles == null) {
                return;
            }
            for (File file : listFiles) {
                collectCertificate(Files.readAllBytes(file.toPath()));
            }
        } catch (IOException e) {
            Slog.wtf(TAG, "Failed to load fs-verity certificate from " + path, e);
        }
    }

    private void collectCertificate(@NonNull byte[] bArr) {
        try {
            synchronized (this.mTrustedCertificates) {
                this.mTrustedCertificates.add(toCertificate(bArr));
            }
        } catch (CertificateException e) {
            Slog.e(TAG, "Invalid certificate, ignored: " + e);
        }
    }

    @NonNull
    private static X509Certificate toCertificate(@NonNull byte[] bArr) throws CertificateException {
        Certificate generateCertificate = sCertFactory.generateCertificate(new ByteArrayInputStream(bArr));
        if (generateCertificate instanceof X509Certificate) {
            return (X509Certificate) generateCertificate;
        }
        throw new CertificateException("Expected to contain an X.509 certificate");
    }
}
