package com.webauthn4j.validator.attestation.statement.androidkey;

import com.webauthn4j.response.attestation.statement.AndroidKeyAttestationStatement;
import com.webauthn4j.response.attestation.statement.AttestationType;
import com.webauthn4j.util.MessageDigestUtil;
import com.webauthn4j.util.SignatureUtil;
import com.webauthn4j.validator.RegistrationObject;
import com.webauthn4j.validator.attestation.statement.AttestationStatementValidator;
import com.webauthn4j.validator.exception.BadAttestationStatementException;
import com.webauthn4j.validator.exception.BadSignatureException;
import com.webauthn4j.validator.exception.PublicKeyMismatchException;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

/* loaded from: input_file:com/webauthn4j/validator/attestation/statement/androidkey/AndroidKeyAttestationStatementValidator.class */
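/**
 * Validates an Android Key attestation statement presented during registration.
 *
 * <p>The checks performed by this class, in order:
 * <ol>
 *   <li>the statement carries a non-empty {@code x5c}, an {@code alg} and a {@code sig};</li>
 *   <li>{@code sig} verifies over {@code authenticatorData || SHA-256(clientData)} under the
 *       public key of the end-entity certificate in {@code x5c};</li>
 *   <li>that certificate's public key equals the credential public key in the attested
 *       credential data;</li>
 *   <li>the end-entity certificate is handed to {@link KeyDescriptionValidator} together
 *       with the client data hash.</li>
 * </ol>
 *
 * <p>NOTE(review): nothing in this class builds or verifies a chain from {@code x5c} to a
 * trust anchor, so a passing result here only shows that the statement is internally
 * consistent. Presumably a separate certificate-path trustworthiness check runs
 * elsewhere; confirm that it does before relying on the returned attestation type.
 */
public class AndroidKeyAttestationStatementValidator implements AttestationStatementValidator {
    private KeyDescriptionValidator keyDescriptionValidator = new KeyDescriptionValidator();
    // Forwarded unchanged to KeyDescriptionValidator#validate. Presumably restricts the
    // accepted authorization list to the TEE-enforced one (verify against that class).
    private boolean teeEnforcedOnly = true;

    /**
     * Runs the Android Key attestation checks against the given registration data.
     *
     * @param registrationObject registration data holding the attestation object, the raw
     *     authenticator data bytes and the raw collected client data bytes
     * @return {@link AttestationType#BASIC} when every check passes
     * @throws IllegalArgumentException if the attestation statement is not an
     *     {@link AndroidKeyAttestationStatement}
     * @throws BadAttestationStatementException if {@code x5c}, {@code alg}, {@code sig} or the
     *     attested credential data is missing
     * @throws BadSignatureException if {@code sig} does not verify
     * @throws PublicKeyMismatchException if the certificate key differs from the credential key
     */
    @Override
    public AttestationType validate(RegistrationObject registrationObject) {
        if (!supports(registrationObject)) {
            throw new IllegalArgumentException("Specified format is not supported by " + getClass().getName());
        }
        AndroidKeyAttestationStatement attestationStatement =
                (AndroidKeyAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
        if (attestationStatement.getX5c() == null || attestationStatement.getX5c().isEmpty()) {
            throw new BadAttestationStatementException("No attestation certificate is found'.");
        }
        // The statement is decoded from client-supplied data; a missing field must surface
        // as a validation failure rather than as a NullPointerException further down.
        if (attestationStatement.getAlg() == null) {
            throw new BadAttestationStatementException("alg is missing from the attestation statement.");
        }
        if (attestationStatement.getSig() == null) {
            throw new BadAttestationStatementException("sig is missing from the attestation statement.");
        }

        validateSignature(registrationObject);

        // Checked after the signature so a bad signature is still reported as such.
        if (registrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData() == null) {
            throw new BadAttestationStatementException("attestedCredentialData is missing from authenticatorData.");
        }
        PublicKey certificateKey = getPublicKey(attestationStatement);
        PublicKey credentialKey = registrationObject.getAttestationObject()
                .getAuthenticatorData()
                .getAttestedCredentialData()
                .getCredentialPublicKey()
                .getPublicKey();
        if (!certificateKey.equals(credentialKey)) {
            throw new PublicKeyMismatchException("The public key in the first certificate in x5c doesn't matches the credentialPublicKey in the attestedCredentialData in authenticatorData.");
        }

        byte[] clientDataHash = MessageDigestUtil.createSHA256().digest(registrationObject.getCollectedClientDataBytes());
        this.keyDescriptionValidator.validate(
                attestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate(),
                clientDataHash,
                this.teeEnforcedOnly);
        return AttestationType.BASIC;
    }

    /**
     * Tells whether this validator handles the attestation statement in the given object.
     *
     * @param registrationObject registration data whose attestation statement is inspected
     * @return {@code true} if the statement is an {@link AndroidKeyAttestationStatement};
     *     {@code false} otherwise, including when no statement is present
     */
    @Override
    public boolean supports(RegistrationObject registrationObject) {
        // instanceof is false for null, so an absent statement is reported as unsupported
        // instead of failing on getClass().
        return registrationObject.getAttestationObject().getAttestationStatement() instanceof AndroidKeyAttestationStatement;
    }

    /**
     * Verifies {@code sig} over the signed data with the end-entity certificate's key, using
     * the JCA algorithm named by the statement's {@code alg}.
     *
     * @throws BadSignatureException if verification fails, or the key or signature bytes
     *     are rejected by the JCA provider
     */
    private void validateSignature(RegistrationObject registrationObject) {
        AndroidKeyAttestationStatement attestationStatement =
                (AndroidKeyAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
        byte[] signedData = getSignedData(registrationObject);
        byte[] sig = attestationStatement.getSig();
        PublicKey publicKey = getPublicKey(attestationStatement);
        try {
            Signature verifier = SignatureUtil.createSignature(attestationStatement.getAlg().getJcaName());
            verifier.initVerify(publicKey);
            verifier.update(signedData);
            if (!verifier.verify(sig)) {
                throw new BadSignatureException("Bad signature");
            }
        } catch (InvalidKeyException | SignatureException e) {
            // Malformed signature bytes or an unusable key are reported like a failed check.
            throw new BadSignatureException("Bad signature", e);
        }
    }

    /**
     * Builds the byte string the signature covers: the raw authenticator data bytes followed
     * by the SHA-256 digest of the raw collected client data bytes.
     */
    private byte[] getSignedData(RegistrationObject registrationObject) {
        byte[] authenticatorDataBytes = registrationObject.getAuthenticatorDataBytes();
        MessageDigest sha256 = MessageDigestUtil.createSHA256();
        byte[] clientDataHash = sha256.digest(registrationObject.getCollectedClientDataBytes());
        return ByteBuffer.allocate(authenticatorDataBytes.length + clientDataHash.length)
                .put(authenticatorDataBytes)
                .put(clientDataHash)
                .array();
    }

    /** Returns the public key of the end-entity attestation certificate in {@code x5c}. */
    private PublicKey getPublicKey(AndroidKeyAttestationStatement androidKeyAttestationStatement) {
        return androidKeyAttestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate().getPublicKey();
    }
}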
