package com.webauthn4j.validator.attestation.statement.packed;

import com.webauthn4j.response.attestation.authenticator.AAGUID;
import com.webauthn4j.response.attestation.authenticator.CredentialPublicKey;
import com.webauthn4j.response.attestation.statement.AttestationType;
import com.webauthn4j.response.attestation.statement.COSEAlgorithmIdentifier;
import com.webauthn4j.response.attestation.statement.PackedAttestationStatement;
import com.webauthn4j.util.MessageDigestUtil;
import com.webauthn4j.util.SignatureUtil;
import com.webauthn4j.util.UUIDUtil;
import com.webauthn4j.util.exception.NotImplementedException;
import com.webauthn4j.validator.RegistrationObject;
import com.webauthn4j.validator.attestation.statement.AttestationStatementValidator;
import com.webauthn4j.validator.exception.BadAlgorithmException;
import com.webauthn4j.validator.exception.BadAttestationStatementException;
import com.webauthn4j.validator.exception.BadSignatureException;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Objects;

/* loaded from: input_file:com/webauthn4j/validator/attestation/statement/packed/PackedAttestationStatementValidator.class */
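/**
 * Validates WebAuthn attestation statements in the "packed" format.
 *
 * <p>Three variants are distinguished by the fields present in the statement:
 * <ul>
 *   <li>{@code x5c} present: the signature is checked against the end-entity attestation
 *       certificate and {@link AttestationType#BASIC} is returned;</li>
 *   <li>{@code ecdaaKeyId} present: not implemented, {@link NotImplementedException} is thrown;</li>
 *   <li>neither present: self attestation, the signature is checked against the credential
 *       public key and {@link AttestationType#SELF} is returned.</li>
 * </ul>
 *
 * <p>This class only checks the signature, the end-entity certificate's own {@code validate()}
 * and the AAGUID extension. Nothing in this class builds or checks a certificate chain against
 * a trust anchor, so a {@code BASIC} result must not be read as "chain trusted" on its own.
 */
public class PackedAttestationStatementValidator implements AttestationStatementValidator {
    /** OID of the id-fido-gen-ce-aaguid certificate extension. */
    private static final String ID_FIDO_GEN_CE_AAGUID = "1.3.6.1.4.1.45724.1.1.4";

    /**
     * Validates the packed attestation statement carried by {@code registrationObject}.
     *
     * @param registrationObject registration data holding the attestation object, the raw
     *                           authenticator data and the raw client data
     * @return the attestation type that was successfully validated
     * @throws IllegalArgumentException         if the statement is not a packed attestation statement
     * @throws BadSignatureException            if the signature does not verify
     * @throws BadAlgorithmException            if, for self attestation, {@code alg} is missing or
     *                                          differs from the credential public key algorithm
     * @throws BadAttestationStatementException if the certificate or its AAGUID extension is rejected
     * @throws NotImplementedException          if the statement uses ECDAA
     */
    @Override
    public AttestationType validate(RegistrationObject registrationObject) {
        if (!supports(registrationObject)) {
            throw new IllegalArgumentException("Specified format is not supported by " + getClass().getName());
        }
        PackedAttestationStatement statement =
                (PackedAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
        byte[] signature = statement.getSig();
        COSEAlgorithmIdentifier alg = statement.getAlg();
        byte[] signedData = getAttToBeSigned(registrationObject);

        // x5c takes precedence over ecdaaKeyId; with neither present the statement is self attestation.
        if (statement.getX5c() != null) {
            return validateX5c(registrationObject, statement, signature, alg, signedData);
        }
        if (statement.getEcdaaKeyId() != null) {
            return validateEcdaaKeyId();
        }
        return validateSelfAttestation(registrationObject, signature, alg, signedData);
    }

    /**
     * Validates the x5c (certificate based) variant.
     *
     * @param registrationObject registration data, used for the AAGUID in the authenticator data
     * @param statement          the packed attestation statement
     * @param signature          value of the statement's {@code sig} field
     * @param alg                value of the statement's {@code alg} field
     * @param signedData         bytes the signature is expected to cover
     * @return {@link AttestationType#BASIC} when all checks pass
     */
    private AttestationType validateX5c(RegistrationObject registrationObject, PackedAttestationStatement statement, byte[] signature, COSEAlgorithmIdentifier alg, byte[] signedData) {
        if (statement.getX5c() == null || statement.getX5c().isEmpty()) {
            throw new BadAttestationStatementException("No attestation certificate is found'.");
        }
        if (!verifySignature(statement.getX5c().getEndEntityAttestationCertificate().getCertificate().getPublicKey(), alg, signature, signedData)) {
            throw new BadSignatureException("Bad signature");
        }
        // Certificate-level requirements are delegated to the certificate wrapper's validate().
        statement.getX5c().getEndEntityAttestationCertificate().validate();

        // NOTE(review): X509Certificate.getExtensionValue returns the DER-encoded OCTET STRING that
        // wraps the extension, and the AAGUID extension content is itself an OCTET STRING. If
        // UUIDUtil.fromBytes expects the bare 16 AAGUID bytes, the DER headers have to be stripped
        // first; otherwise certificates carrying this extension would be rejected with "Bad aaguid".
        // Confirm against UUIDUtil.
        byte[] extensionValue = statement.getX5c().getEndEntityAttestationCertificate().getCertificate().getExtensionValue(ID_FIDO_GEN_CE_AAGUID);
        AAGUID certificateAaguid = extensionValue == null ? AAGUID.NULL : new AAGUID(UUIDUtil.fromBytes(extensionValue));
        AAGUID authenticatorAaguid = registrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData().getAaguid();

        // A certificate without the extension is accepted; when the extension is present it must
        // match the AAGUID reported in the authenticator data.
        if (extensionValue == null || Objects.equals(certificateAaguid, authenticatorAaguid)) {
            return AttestationType.BASIC;
        }
        throw new BadAttestationStatementException("Bad aaguid");
    }

    /**
     * ECDAA attestation is not supported.
     *
     * @throws NotImplementedException always
     */
    private AttestationType validateEcdaaKeyId() {
        throw new NotImplementedException();
    }

    /**
     * Validates the self attestation variant, where the credential key signs its own attestation.
     *
     * @param registrationObject registration data, used for the credential public key
     * @param signature          value of the statement's {@code sig} field
     * @param alg                value of the statement's {@code alg} field
     * @param signedData         bytes the signature is expected to cover
     * @return {@link AttestationType#SELF} when the algorithm matches and the signature verifies
     */
    private AttestationType validateSelfAttestation(RegistrationObject registrationObject, byte[] signature, COSEAlgorithmIdentifier alg, byte[] signedData) {
        CredentialPublicKey credentialPublicKey = registrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData().getCredentialPublicKey();
        // alg comes from the client-supplied statement; a missing value is reported as a
        // validation failure rather than surfacing as a NullPointerException.
        if (alg == null || !alg.equals(credentialPublicKey.getAlgorithm())) {
            throw new BadAlgorithmException("Algorithm doesn't match");
        }
        if (!verifySignature(credentialPublicKey.getPublicKey(), alg, signature, signedData)) {
            throw new BadSignatureException("Bad signature");
        }
        return AttestationType.SELF;
    }

    /**
     * Reports whether the attestation statement in {@code registrationObject} is a packed statement.
     *
     * @param registrationObject registration data to inspect
     * @return {@code true} if the statement is a {@link PackedAttestationStatement}; {@code false}
     *         otherwise, including when the statement is {@code null}
     */
    @Override
    public boolean supports(RegistrationObject registrationObject) {
        return registrationObject.getAttestationObject().getAttestationStatement() instanceof PackedAttestationStatement;
    }

    /**
     * Verifies {@code signature} over {@code signedData} with {@code publicKey}.
     *
     * @param publicKey  key to verify with
     * @param alg        COSE algorithm whose JCA name selects the signature implementation
     * @param signature  signature bytes to check
     * @param signedData data the signature is expected to cover
     * @return {@code true} only if verification succeeds; any failure yields {@code false}
     */
    private boolean verifySignature(PublicKey publicKey, COSEAlgorithmIdentifier alg, byte[] signature, byte[] signedData) {
        try {
            Signature verifier = SignatureUtil.createSignature(alg.getJcaName());
            verifier.initVerify(publicKey);
            verifier.update(signedData);
            return verifier.verify(signature);
        } catch (RuntimeException | InvalidKeyException | SignatureException e) {
            // Deliberately fail closed: a null alg or signature, a key that does not fit the
            // algorithm, or a malformed signature is treated as "does not verify". The catch is
            // broad, so programming errors in this path are also reported as a bad signature.
            return false;
        }
    }

    /**
     * Builds the byte string the attestation signature covers: the raw authenticator data followed
     * by the digest of the collected client data, using the digest from
     * {@code MessageDigestUtil.createSHA256()}.
     *
     * @param registrationObject source of the raw authenticator data and client data bytes
     * @return concatenation of authenticator data and client data hash
     */
    private byte[] getAttToBeSigned(RegistrationObject registrationObject) {
        MessageDigest sha256 = MessageDigestUtil.createSHA256();
        byte[] authenticatorDataBytes = registrationObject.getAuthenticatorDataBytes();
        byte[] clientDataHash = sha256.digest(registrationObject.getCollectedClientDataBytes());
        return ByteBuffer.allocate(authenticatorDataBytes.length + clientDataHash.length)
                .put(authenticatorDataBytes)
                .put(clientDataHash)
                .array();
    }
}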
