package com.webauthn4j.validator.attestation.statement.androidsafetynet;

import com.webauthn4j.data.attestation.statement.AndroidSafetyNetAttestationStatement;
import com.webauthn4j.data.attestation.statement.AttestationType;
import com.webauthn4j.data.attestation.statement.Response;
import com.webauthn4j.data.jws.JWS;
import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.util.Base64Util;
import com.webauthn4j.util.MessageDigestUtil;
import com.webauthn4j.validator.CoreRegistrationObject;
import com.webauthn4j.validator.attestation.statement.AbstractStatementValidator;
import com.webauthn4j.validator.exception.BadAttestationStatementException;
import java.nio.ByteBuffer;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Arrays;
import java.util.Objects;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:com/webauthn4j/validator/attestation/statement/androidsafetynet/AndroidSafetyNetAttestationStatementValidator.class */
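/**
 * Validates an {@code android-safetynet} attestation statement during registration.
 *
 * <p>{@link #validate(CoreRegistrationObject)} rejects the statement with a
 * {@link BadAttestationStatementException} unless every one of these holds:
 * <ul>
 *   <li>the statement, its JWS response, its payload fields and {@code x5c} are present;</li>
 *   <li>{@code ver} is accepted by the configured {@link GooglePlayServiceVersionValidator};</li>
 *   <li>the payload nonce equals SHA-256(authenticatorData || clientDataHash);</li>
 *   <li>the end-entity certificate's subject CN is {@code attest.android.com};</li>
 *   <li>{@code ctsProfileMatch} is {@code true};</li>
 *   <li>{@code timestampMs} lies inside the backward/forward window around the registration timestamp;</li>
 *   <li>the JWS reports a valid signature.</li>
 * </ul>
 *
 * <p>NOTE(review): no certificate path validation to a trust anchor is visible in this class.
 * The subject-CN and signature checks only bind the response to whatever leaf certificate was
 * supplied in {@code x5c}; confirm that the chain is validated elsewhere before the returned
 * {@link AttestationType#BASIC} is relied on.
 */
public class AndroidSafetyNetAttestationStatementValidator extends AbstractStatementValidator<AndroidSafetyNetAttestationStatement> {
    /** Checks the {@code ver} field; replaceable through {@link #setVersionValidator}. */
    private GooglePlayServiceVersionValidator versionValidator = new DefaultVersionValidator();
    /** Seconds by which {@code timestampMs} may lie after the registration timestamp. */
    private int forwardThreshold = 0;
    /** Seconds by which {@code timestampMs} may lie before the registration timestamp. */
    private int backwardThreshold = 60;

    /**
     * Default {@code ver} check: the value must parse as an integer that is not below
     * {@link #MINIMAL_VERSION}.
     */
    private static class DefaultVersionValidator implements GooglePlayServiceVersionValidator {
        // With a floor of 0 this default only rejects negative or non-numeric values.
        // Deployments that need a real minimum Play Services version should install their
        // own validator through setVersionValidator.
        private static final int MINIMAL_VERSION = 0;

        private DefaultVersionValidator() {
        }

        /**
         * @param str the {@code ver} value taken from the attestation statement
         * @throws BadAttestationStatementException if {@code str} is not an integer or is below the minimum
         */
        @Override
        public void validate(@NotNull String str) {
            final int version;
            try {
                version = Integer.parseInt(str);
            } catch (NumberFormatException e) {
                // Keep the parse failure as the cause so the rejected value shows up in diagnostics.
                throw new BadAttestationStatementException("`ver` in android safetynet attestation statement cannot be parsed as number.", e);
            }
            // Compare against the named constant rather than a literal so the floor has one definition.
            if (version < MINIMAL_VERSION) {
                throw new BadAttestationStatementException("The version number of Google Play Services responsible for providing the SafetyNet API doesn't conform minimal requirement.");
            }
        }
    }

    /**
     * Runs all checks listed on the class and returns the attestation type on success.
     *
     * @param coreRegistrationObject the registration being validated; must not be null
     * @return {@link AttestationType#BASIC} when every check passes
     * @throws IllegalArgumentException if this validator does not support the object's attestation format
     * @throws BadAttestationStatementException if any check on the statement fails
     */
    @Override
    @NotNull
    public AttestationType validate(@NotNull CoreRegistrationObject coreRegistrationObject) {
        AssertUtil.notNull(coreRegistrationObject, "registrationObject must not be null");
        if (!supports(coreRegistrationObject)) {
            throw new IllegalArgumentException("Specified format is not supported by " + getClass().getName());
        }
        AndroidSafetyNetAttestationStatement statement = (AndroidSafetyNetAttestationStatement) coreRegistrationObject.getAttestationObject().getAttestationStatement();
        validateAttestationStatementNotNull(statement);
        if (statement.getX5c().isEmpty()) {
            throw new BadAttestationStatementException("No attestation certificate is found in android safetynet attestation statement.");
        }
        this.versionValidator.validate(statement.getVer());

        Response payload = statement.getResponse().getPayload();
        // The nonce ties this SafetyNet response to the authenticator data and client data of
        // this particular registration.
        validateNonce(payload.getNonce(), coreRegistrationObject.getAuthenticatorDataBytes(), coreRegistrationObject.getClientDataHash());

        // Only the leaf certificate's subject CN is compared here.
        // NOTE(review): chain validation is not visible in this method - confirm it happens elsewhere.
        if (!Objects.equals(statement.getX5c().getEndEntityAttestationCertificate().getSubjectCommonName(), "attest.android.com")) {
            throw new BadAttestationStatementException("The attestation certificate is not issued to 'attest.android.com'.");
        }
        if (!Objects.equals(payload.getCtsProfileMatch(), true)) {
            throw new BadAttestationStatementException("The profile of the device doesn't match the profile of a device that has passed Android Compatibility Test Suite.");
        }
        // Re-checked here because validateAttestationStatementNotNull is overridable within the package.
        if (payload.getTimestampMs() == null) {
            throw new BadAttestationStatementException("timestampMs is null.");
        }

        // Freshness window: [registration - backwardThreshold, registration + forwardThreshold], in seconds.
        Instant attestationTime = Instant.ofEpochMilli(payload.getTimestampMs().longValue());
        Instant registrationTime = coreRegistrationObject.getTimestamp();
        if (attestationTime.isBefore(registrationTime.minus(Duration.ofSeconds(this.backwardThreshold)))) {
            throw new BadAttestationStatementException("timestampMs violates backwardThreshold.");
        }
        if (attestationTime.isAfter(registrationTime.plus(Duration.ofSeconds(this.forwardThreshold)))) {
            throw new BadAttestationStatementException("timestampMs violates forwardThreshold.");
        }

        // The signature is checked last; no attestation type is returned unless it verifies.
        if (!statement.getResponse().isValidSignature()) {
            throw new BadAttestationStatementException("Android safetynet response in the attestation statement doesn't have a valid signature.");
        }
        return AttestationType.BASIC;
    }

    /**
     * Rejects a missing statement, a missing or incomplete JWS response, or a missing {@code x5c}.
     *
     * @throws BadAttestationStatementException if any of those is null
     */
    void validateAttestationStatementNotNull(AndroidSafetyNetAttestationStatement androidSafetyNetAttestationStatement) {
        if (androidSafetyNetAttestationStatement == null) {
            throw new BadAttestationStatementException("attestation statement is not found.");
        }
        validateJWSNotNull(androidSafetyNetAttestationStatement.getResponse());
        if (androidSafetyNetAttestationStatement.getX5c() == null) {
            throw new BadAttestationStatementException("x5c must not be null");
        }
    }

    /**
     * Rejects a null JWS and then checks its payload with {@link #validateResponseNotNull(Response)}.
     *
     * @throws BadAttestationStatementException if the JWS or a required payload field is null
     */
    void validateJWSNotNull(JWS<Response> jws) {
        if (jws == null) {
            throw new BadAttestationStatementException("response must not be null.");
        }
        validateResponseNotNull(jws.getPayload());
    }

    /**
     * Requires every payload field this validator knows about to be present.
     *
     * <p>Presence is all that is checked here. Of these fields, {@code validate} later inspects
     * the values of {@code nonce}, {@code timestampMs} and {@code ctsProfileMatch} only;
     * {@code basicIntegrity} and the APK fields are required to exist but their values are not
     * evaluated in this class.
     *
     * @throws BadAttestationStatementException naming the first missing field
     */
    void validateResponseNotNull(Response response) {
        if (response == null) {
            throw new BadAttestationStatementException("response must not be null.");
        }
        if (response.getNonce() == null) {
            throw new BadAttestationStatementException("nonce must not be null.");
        }
        if (response.getTimestampMs() == null) {
            throw new BadAttestationStatementException("timeStampMs must not be null.");
        }
        if (response.getApkPackageName() == null) {
            throw new BadAttestationStatementException("apkPackageName must not be null.");
        }
        if (response.getApkCertificateDigestSha256() == null) {
            throw new BadAttestationStatementException("apkCertificateDigestSha256 must not be null.");
        }
        if (response.getApkDigestSha256() == null) {
            throw new BadAttestationStatementException("apkDigestSha256 must not be null.");
        }
        if (response.getCtsProfileMatch() == null) {
            throw new BadAttestationStatementException("ctsProfileMatch must not be null.");
        }
        if (response.getBasicIntegrity() == null) {
            throw new BadAttestationStatementException("basicIntegrity must not be null.");
        }
    }

    /**
     * Checks that the Base64 nonce in the response equals SHA-256(bArr || bArr2).
     *
     * @param str   Base64 nonce from the SafetyNet payload (attacker-controllable until verified)
     * @param bArr  authenticator data bytes of the registration
     * @param bArr2 client data hash of the registration
     * @throws BadAttestationStatementException if the nonce is null, cannot be decoded, or differs
     */
    private void validateNonce(@Nullable String str, @NotNull byte[] bArr, @NotNull byte[] bArr2) {
        if (str == null) {
            throw new BadAttestationStatementException("Nonce in the Android safetynet response is null.");
        }
        byte[] signedData = ByteBuffer.allocate(bArr.length + bArr2.length).put(bArr).put(bArr2).array();
        byte[] expected = MessageDigestUtil.createSHA256().digest(signedData);

        final byte[] presented;
        try {
            presented = Base64Util.decode(str);
        } catch (IllegalArgumentException e) {
            // A malformed nonce is a bad attestation, not a caller error: report it as a
            // validation failure instead of letting the decoder's exception escape.
            // Assumes Base64Util.decode signals bad input with IllegalArgumentException, as
            // java.util.Base64 does - TODO confirm.
            throw new BadAttestationStatementException("Nonce in the Android safetynet response is not valid Base64.", e);
        }
        // Both inputs to the expected hash come from the registration message itself, so the
        // value is not a secret and a plain array comparison is used.
        if (!Arrays.equals(expected, presented)) {
            throw new BadAttestationStatementException("Nonce in the Android safetynet response doesn't match.");
        }
    }

    /** @return the number of seconds {@code timestampMs} may be ahead of the registration timestamp */
    public int getForwardThreshold() {
        return this.forwardThreshold;
    }

    /**
     * Sets the forward tolerance in seconds. The value is stored as given; negative values are
     * not rejected and shrink the accepted window.
     */
    public void setForwardThreshold(int i) {
        this.forwardThreshold = i;
    }

    /** @return the number of seconds {@code timestampMs} may be behind the registration timestamp */
    public int getBackwardThreshold() {
        return this.backwardThreshold;
    }

    /**
     * Sets the backward tolerance in seconds. The value is stored as given; a larger value
     * widens the window in which an older response is still accepted.
     */
    public void setBackwardThreshold(int i) {
        this.backwardThreshold = i;
    }

    /** @return the validator currently applied to the {@code ver} field */
    @NotNull
    public GooglePlayServiceVersionValidator getVersionValidator() {
        return this.versionValidator;
    }

    /**
     * Replaces the {@code ver} validator.
     *
     * @param googlePlayServiceVersionValidator the new validator; must not be null
     */
    public void setVersionValidator(@NotNull GooglePlayServiceVersionValidator googlePlayServiceVersionValidator) {
        AssertUtil.notNull(googlePlayServiceVersionValidator, "versionValidator must not be null");
        this.versionValidator = googlePlayServiceVersionValidator;
    }
}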
