package com.webauthn4j.validator.attestation.packed;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.webauthn4j.attestation.authenticator.CredentialPublicKey;
import com.webauthn4j.attestation.statement.AttestationType;
import com.webauthn4j.attestation.statement.COSEAlgorithmIdentifier;
import com.webauthn4j.attestation.statement.PackedAttestationStatement;
import com.webauthn4j.converter.jackson.ObjectMapperUtil;
import com.webauthn4j.util.MessageDigestUtil;
import com.webauthn4j.util.exception.NotImplementedException;
import com.webauthn4j.validator.RegistrationObject;
import com.webauthn4j.validator.attestation.AttestationStatementValidator;
import com.webauthn4j.validator.exception.BadAlgorithmException;
import com.webauthn4j.validator.exception.BadAttestationStatementException;
import com.webauthn4j.validator.exception.BadSignatureException;
import com.webauthn4j.validator.exception.UnsupportedAttestationFormatException;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Arrays;

/* loaded from: input_file:com/webauthn4j/validator/attestation/packed/PackedAttestationStatementValidator.class */
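/**
 * Validates attestation statements in the WebAuthn "packed" format.
 *
 * <p>Two paths are handled: self attestation (no {@code x5c}, signature made with the
 * credential key itself) and basic attestation (signature made with the key of the
 * end-entity attestation certificate in {@code x5c}). ECDAA is not implemented.
 */
public class PackedAttestationStatementValidator implements AttestationStatementValidator {
    /** OID of the certificate extension that is compared against the AAGUID in the authenticator data. */
    private static final String AAGUID_EXTENSION_OID = "1.3.6.1.4.1.45724.1.1.4";

    private final ObjectMapper objectMapper = ObjectMapperUtil.createCBORMapper();

    /**
     * Verifies the packed attestation statement carried by {@code registrationObject}.
     *
     * @param registrationObject registration data holding the attestation object and client data
     * @return {@link AttestationType#SELF} when no {@code x5c} is present and the signature verifies
     *     under the credential public key; {@link AttestationType#BASIC} when the signature verifies
     *     under the end-entity attestation certificate
     * @throws UnsupportedAttestationFormatException if the statement is not a packed statement
     * @throws NotImplementedException if the statement uses ECDAA
     * @throws BadAlgorithmException if {@code alg} differs from the credential key's algorithm
     * @throws BadSignatureException if the signature does not verify
     * @throws BadAttestationStatementException if the certificate's AAGUID extension does not match
     */
    @Override
    public AttestationType validate(RegistrationObject registrationObject) {
        if (!supports(registrationObject)) {
            throw new UnsupportedAttestationFormatException("Specified format is not supported by " + getClass().getName());
        }
        PackedAttestationStatement statement =
                (PackedAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
        byte[] sig = statement.getSig();
        COSEAlgorithmIdentifier alg = statement.getAlg();
        byte[] signedData = getSignedData(registrationObject);

        if (statement.getX5c() == null) {
            if (statement.getEcdaaKeyId() != null) {
                throw new NotImplementedException();
            }
            // Self attestation: the statement must be signed with the credential key itself.
            CredentialPublicKey credentialPublicKey = registrationObject.getAttestationObject()
                    .getAuthenticatorData().getAttestedCredentialData().getCredentialPublicKey();
            if (!alg.equals(credentialPublicKey.getAlgorithm())) {
                throw new BadAlgorithmException("Algorithm doesn't match");
            }
            // Reject when verification FAILS. The previous condition was inverted: it threw on a
            // valid signature and accepted an invalid one (including every case in which
            // verifySignature swallowed an exception and returned false).
            if (!verifySignature(credentialPublicKey.getPublicKey(), alg, sig, signedData)) {
                throw new BadSignatureException("Bad signature");
            }
            return AttestationType.SELF;
        }

        // Basic attestation: the signature must verify under the end-entity attestation certificate.
        // Same inverted-condition fix as in the self attestation branch.
        if (!verifySignature(
                statement.getX5c().getEndEntityAttestationCertificate().getCertificate().getPublicKey(),
                alg, sig, signedData)) {
            throw new BadSignatureException("Bad signature");
        }
        // NOTE(review): validate() is defined elsewhere; whether the x5c chain is anchored to a
        // trusted root is not visible from this class - confirm it is checked by the caller.
        statement.getX5c().getEndEntityAttestationCertificate().validate();

        byte[] extensionValue = statement.getX5c().getEndEntityAttestationCertificate()
                .getCertificate().getExtensionValue(AAGUID_EXTENSION_OID);
        byte[] aaGuid = registrationObject.getAttestationObject()
                .getAuthenticatorData().getAttestedCredentialData().getAaGuid();
        // The extension is optional; when present it has to match the AAGUID in authData.
        // NOTE(review): if getCertificate() returns a java.security.cert.X509Certificate,
        // getExtensionValue() yields the DER-encoded OCTET STRING wrapper rather than the bare
        // AAGUID bytes, so this raw comparison would reject certificates that carry the
        // extension. That fails closed, but confirm and unwrap the DER before comparing.
        if (extensionValue == null || Arrays.equals(extensionValue, aaGuid)) {
            return AttestationType.BASIC;
        }
        throw new BadAttestationStatementException("Bad aaguid");
    }

    /**
     * Tells whether the attestation statement of {@code registrationObject} is a packed statement.
     *
     * @param registrationObject registration data to inspect
     * @return {@code true} if the statement is a {@link PackedAttestationStatement} or a subclass
     */
    @Override
    public boolean supports(RegistrationObject registrationObject) {
        return PackedAttestationStatement.class.isAssignableFrom(
                registrationObject.getAttestationObject().getAttestationStatement().getClass());
    }

    /**
     * Verifies {@code signatureBytes} over {@code signedData} with {@code publicKey}.
     *
     * <p>Any failure to set up or run the verification (unknown algorithm name, unusable key,
     * malformed signature, null argument) is reported as {@code false}, so callers must treat
     * {@code false} as "reject".
     *
     * @param publicKey key to verify with
     * @param algorithm COSE algorithm whose name is passed to {@link Signature#getInstance(String)}
     * @param signatureBytes signature taken from the attestation statement
     * @param signedData bytes the signature is expected to cover
     * @return {@code true} only if the signature verifies
     */
    private boolean verifySignature(PublicKey publicKey, COSEAlgorithmIdentifier algorithm, byte[] signatureBytes, byte[] signedData) {
        try {
            Signature verifier = Signature.getInstance(algorithm.getName());
            verifier.initVerify(publicKey);
            verifier.update(signedData);
            return verifier.verify(signatureBytes);
        } catch (RuntimeException | InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            // Deliberately fail closed: an error during verification is not a valid signature.
            return false;
        }
    }

    /**
     * Builds the byte string the attestation signature covers: the raw authenticator data
     * followed by the SHA-256 digest of the collected client data bytes.
     *
     * @param registrationObject registration data providing both inputs
     * @return {@code authData || SHA-256(clientData)}
     */
    private byte[] getSignedData(RegistrationObject registrationObject) {
        MessageDigest sha256 = MessageDigestUtil.createSHA256();
        byte[] authenticatorData = deriveAuthenticatorDataFromAttestationObject(registrationObject.getAttestationObjectBytes());
        byte[] clientDataHash = sha256.digest(registrationObject.getCollectedClientDataBytes());
        return ByteBuffer.allocate(authenticatorData.length + clientDataHash.length)
                .put(authenticatorData)
                .put(clientDataHash)
                .array();
    }

    /**
     * Extracts the raw {@code authData} bytes from a CBOR-encoded attestation object, so that the
     * signed data is built from the bytes as received rather than from a re-serialised form.
     *
     * @param attestationObjectBytes CBOR-encoded attestation object
     * @return binary value of the {@code authData} entry
     * @throws UncheckedIOException if the bytes cannot be parsed
     */
    private byte[] deriveAuthenticatorDataFromAttestationObject(byte[] attestationObjectBytes) {
        try {
            // get("authData") returns null when the entry is missing, which surfaces as a
            // NullPointerException here rather than as a validation exception.
            return this.objectMapper.readTree(attestationObjectBytes).get("authData").binaryValue();
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
}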
