Unlocking children profile must pass on existing challenge

                // If boot took too long and the password in vold got expired, parent keystore will

                // be still locked, we ignore this case since the user will be prompted to unlock

                // the device after boot.

                unlockChildProfile(userId, true /* ignoreUserNotAuthenticated */);

                unlockChildProfile(userId, true /* ignoreUserNotAuthenticated */,

                        false /* hasChallenge */, 0 /* challenge */);

            } catch (RemoteException e) {

                Slog.e(TAG, "Failed to unlock child profile");

            }

        return decryptionResult;

    }

    private void unlockChildProfile(int profileHandle, boolean ignoreUserNotAuthenticated)

    private void unlockChildProfile(int profileHandle, boolean ignoreUserNotAuthenticated,

            boolean hasChallenge, long challenge)

            throws RemoteException {

        try {

            doVerifyCredential(getDecryptedPasswordForTiedProfile(profileHandle),

                    CREDENTIAL_TYPE_PASSWORD,

                    false, 0 /* no challenge */, profileHandle, null /* progressCallback */);

                    hasChallenge, challenge, profileHandle, null /* progressCallback */);

        } catch (UnrecoverableKeyException | InvalidKeyException | KeyStoreException

                | NoSuchAlgorithmException | NoSuchPaddingException

                | InvalidAlgorithmParameterException | IllegalBlockSizeException

        }

    }

    private void unlockUser(int userId, byte[] token, byte[] secret) {

        unlockUser(userId, token, secret, false /* hasChallenge */, 0 /* challenge */);

    }

    /**

     * Unlock the user (both storage and user state) and its associated managed profiles

     * synchronously.

     * can end up calling into other system services to process user unlock request (via

     * {@link com.android.server.SystemServiceManager#unlockUser} </em>

     */

    private void unlockUser(int userId, byte[] token, byte[] secret) {

    private void unlockUser(int userId, byte[] token, byte[] secret,

            boolean hasChallenge, long challenge) {

        // TODO: make this method fully async so we can update UI with progress strings

        final boolean alreadyUnlocked = mUserManager.isUserUnlockingOrUnlocked(userId);

        final CountDownLatch latch = new CountDownLatch(1);

            // Unlock managed profile with unified lock

            if (tiedManagedProfileReadyToUnlock(profile)) {

                try {

                    unlockChildProfile(profile.id, false /* ignoreUserNotAuthenticated */);

                    // Must pass the challenge on for resetLockout, so it's not over-written, which

                    // causes LockSettingsService to revokeChallenge inappropriately.

                    unlockChildProfile(profile.id, false /* ignoreUserNotAuthenticated */,

                            hasChallenge, challenge);

                } catch (RemoteException e) {

                    Log.d(TAG, "Failed to unlock child profile", e);

                }

            final byte[] secret = authResult.authToken.deriveDiskEncryptionKey();

            Slog.i(TAG, "Unlocking user " + userId + " with secret only, length " + secret.length);

            unlockUser(userId, null, secret);

            unlockUser(userId, null, secret, hasChallenge, challenge);

            activateEscrowTokens(authResult.authToken, userId);