package com.webauthn4j.verifier.attestation.statement.androidkey;

import com.webauthn4j.data.attestation.statement.AndroidKeyAttestationStatement;
import com.webauthn4j.data.attestation.statement.AttestationType;
import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.util.SignatureUtil;
import com.webauthn4j.verifier.CoreRegistrationObject;
import com.webauthn4j.verifier.attestation.statement.AbstractStatementVerifier;
import com.webauthn4j.verifier.exception.BadAttestationStatementException;
import com.webauthn4j.verifier.exception.BadSignatureException;
import com.webauthn4j.verifier.exception.PublicKeyMismatchException;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:com/webauthn4j/verifier/attestation/statement/androidkey/AndroidKeyAttestationStatementVerifier.class */
/**
 * Verifies an {@link AndroidKeyAttestationStatement} carried in a registration object.
 *
 * <p>The checks run in a fixed order: format support, presence of the statement and of at
 * least one x5c certificate, the {@code sig} signature over
 * {@code authenticatorData || clientDataHash}, equality of the leaf certificate's public key
 * with the credential public key, and finally the key description check delegated to
 * {@link KeyDescriptionVerifier}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Nothing in this class validates the x5c chain up to a trust anchor. The signature check
 *       only shows that {@code sig} was produced with the key in the leaf certificate, which is
 *       itself supplied by the client. NOTE(review): chain/trust-anchor validation is presumably
 *       done by a separate verifier - confirm it is wired into the registration flow.</li>
 *   <li>The signature algorithm is taken from the attestation statement ({@code getAlg()}) and
 *       mapped by {@code getJcaName}, which is not defined in this class.</li>
 *   <li>{@code teeEnforcedOnly} is a plain mutable field (not {@code final}, not
 *       {@code volatile}); set it before the instance is shared between threads.</li>
 * </ul>
 */
public class AndroidKeyAttestationStatementVerifier extends AbstractStatementVerifier<AndroidKeyAttestationStatement> {

    /** Message used for every signature failure, whether the check returned false or threw. */
    private static final String BAD_SIGNATURE_MESSAGE = "`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.";

    private final KeyDescriptionVerifier keyDescriptionVerifier = new KeyDescriptionVerifier();

    /** Forwarded to {@link KeyDescriptionVerifier}; defaults to {@code true}. */
    private boolean teeEnforcedOnly = true;

    /**
     * Runs the Android Key attestation checks against the given registration object.
     *
     * @param coreRegistrationObject registration data holding the attestation object,
     *     authenticator data bytes and client data hash
     * @return {@link AttestationType#BASIC} whenever every check passes
     * @throws IllegalArgumentException if {@code supports(coreRegistrationObject)} is false
     * @throws BadAttestationStatementException if the statement is missing or x5c is empty
     * @throws BadSignatureException if {@code sig} does not verify
     * @throws PublicKeyMismatchException if the leaf certificate key differs from the
     *     credential public key
     */
    @Override
    @NotNull
    public AttestationType verify(@NotNull CoreRegistrationObject coreRegistrationObject) {
        AssertUtil.notNull(coreRegistrationObject, "registrationObject must not be null");
        if (!supports(coreRegistrationObject)) {
            throw new IllegalArgumentException(
                    String.format(
                            "Specified format '%s' is not supported by %s.",
                            coreRegistrationObject.getAttestationObject().getFormat(),
                            getClass().getName()));
        }

        AndroidKeyAttestationStatement statement =
                (AndroidKeyAttestationStatement) coreRegistrationObject.getAttestationObject().getAttestationStatement();
        verifyAttestationStatementNotNull(statement);
        if (statement.getX5c().isEmpty()) {
            throw new BadAttestationStatementException("No attestation certificate is found in android key attestation statement.");
        }

        // The signature is checked before the keys are compared, so a bad signature is
        // reported in preference to a key mismatch.
        verifySignature(coreRegistrationObject);

        // Binds the attested certificate to the credential being registered: the leaf key
        // must be the very key stored in attestedCredentialData.
        PublicKey certificateKey = getPublicKey(statement);
        PublicKey credentialKey = coreRegistrationObject
                .getAttestationObject()
                .getAuthenticatorData()
                .getAttestedCredentialData()
                .getCOSEKey()
                .getPublicKey();
        if (!certificateKey.equals(credentialKey)) {
            throw new PublicKeyMismatchException("The public key in the first certificate in x5c doesn't matches the credentialPublicKey in the attestedCredentialData in authenticatorData.");
        }

        // The key description check receives the leaf certificate, the client data hash and
        // the teeEnforcedOnly flag; what it enforces is defined in KeyDescriptionVerifier.
        this.keyDescriptionVerifier.verify(
                statement.getX5c().getEndEntityAttestationCertificate().getCertificate(),
                coreRegistrationObject.getClientDataHash(),
                this.teeEnforcedOnly);
        return AttestationType.BASIC;
    }

    /**
     * Rejects a missing attestation statement.
     *
     * @param androidKeyAttestationStatement statement extracted from the attestation object
     * @throws BadAttestationStatementException if the statement is {@code null}
     */
    void verifyAttestationStatementNotNull(AndroidKeyAttestationStatement androidKeyAttestationStatement) {
        if (androidKeyAttestationStatement != null) {
            return;
        }
        throw new BadAttestationStatementException("attestation statement is not found.");
    }

    /**
     * Checks {@code sig} over {@code authenticatorData || clientDataHash} with the leaf
     * certificate's public key.
     *
     * @param coreRegistrationObject registration data holding the statement and signed bytes
     * @throws BadSignatureException if verification returns false, or if the JCA reports an
     *     invalid key or a malformed signature (the cause is attached in that case)
     */
    private void verifySignature(@NotNull CoreRegistrationObject coreRegistrationObject) {
        AndroidKeyAttestationStatement statement =
                (AndroidKeyAttestationStatement) coreRegistrationObject.getAttestationObject().getAttestationStatement();
        byte[] message = getSignedData(coreRegistrationObject);
        byte[] signatureBytes = statement.getSig();
        PublicKey verificationKey = getPublicKey(statement);
        try {
            // The algorithm identifier comes from the statement itself.
            Signature verifier = SignatureUtil.createSignature(getJcaName(statement.getAlg()));
            verifier.initVerify(verificationKey);
            verifier.update(message);
            if (!verifier.verify(signatureBytes)) {
                throw new BadSignatureException(BAD_SIGNATURE_MESSAGE);
            }
        } catch (InvalidKeyException | SignatureException e) {
            throw new BadSignatureException(BAD_SIGNATURE_MESSAGE, e);
        }
    }

    /**
     * Builds the signed message: the authenticator data bytes followed by the client data hash.
     *
     * @param coreRegistrationObject source of both byte arrays
     * @return a new array holding the concatenation
     */
    @NotNull
    private byte[] getSignedData(@NotNull CoreRegistrationObject coreRegistrationObject) {
        byte[] authenticatorDataBytes = coreRegistrationObject.getAuthenticatorDataBytes();
        byte[] clientDataHash = coreRegistrationObject.getClientDataHash();
        ByteBuffer buffer = ByteBuffer.allocate(authenticatorDataBytes.length + clientDataHash.length);
        buffer.put(authenticatorDataBytes);
        buffer.put(clientDataHash);
        return buffer.array();
    }

    /**
     * Returns the public key of the end-entity attestation certificate in x5c.
     *
     * @param androidKeyAttestationStatement statement whose x5c holds the certificate
     * @return the leaf certificate's public key
     */
    @NotNull
    private PublicKey getPublicKey(@NotNull AndroidKeyAttestationStatement androidKeyAttestationStatement) {
        return androidKeyAttestationStatement
                .getX5c()
                .getEndEntityAttestationCertificate()
                .getCertificate()
                .getPublicKey();
    }

    /**
     * @return the flag currently passed to {@link KeyDescriptionVerifier}
     */
    public boolean isTeeEnforcedOnly() {
        return this.teeEnforcedOnly;
    }

    /**
     * Sets the flag passed to {@link KeyDescriptionVerifier} on each verification.
     *
     * <p>NOTE(review): judging by the name, {@code false} presumably accepts key properties
     * that are not TEE-enforced - confirm against KeyDescriptionVerifier before relaxing the
     * default of {@code true}.
     *
     * @param z new value of the flag
     */
    public void setTeeEnforcedOnly(boolean z) {
        this.teeEnforcedOnly = z;
    }
}
