package com.webauthn4j.verifier.attestation.statement.packed;

import com.webauthn4j.data.attestation.authenticator.AAGUID;
import com.webauthn4j.data.attestation.authenticator.COSEKey;
import com.webauthn4j.data.attestation.statement.AttestationType;
import com.webauthn4j.data.attestation.statement.COSEAlgorithmIdentifier;
import com.webauthn4j.data.attestation.statement.PackedAttestationStatement;
import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.util.SignatureUtil;
import com.webauthn4j.util.UUIDUtil;
import com.webauthn4j.verifier.CoreRegistrationObject;
import com.webauthn4j.verifier.attestation.statement.AbstractStatementVerifier;
import com.webauthn4j.verifier.exception.BadAlgorithmException;
import com.webauthn4j.verifier.exception.BadAttestationStatementException;
import com.webauthn4j.verifier.exception.BadSignatureException;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.Objects;
import org.apache.kerby.asn1.type.Asn1OctetString;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:com/webauthn4j/verifier/attestation/statement/packed/PackedAttestationStatementVerifier.class */
public class PackedAttestationStatementVerifier extends AbstractStatementVerifier<PackedAttestationStatement> {
    /** OID of the id-fido-gen-ce-aaguid certificate extension carrying the authenticator's AAGUID. */
    private static final String ID_FIDO_GEN_CE_AAGUID = "1.3.6.1.4.1.45724.1.1.4";

    /**
     * Verifies a "packed" attestation statement and reports the attestation type that was established.
     *
     * <p>Either path first checks that {@code sig} is a valid signature (with {@code alg}) over
     * {@code authenticatorData || clientDataHash}. With an {@code x5c} chain the end-entity certificate
     * is the signer and {@link AttestationType#BASIC} is returned; without one the credential's own
     * COSE key is the signer and {@link AttestationType#SELF} is returned.
     *
     * @param coreRegistrationObject registration data under verification
     * @return {@link AttestationType#BASIC} or {@link AttestationType#SELF}
     * @throws IllegalArgumentException if the attestation format is not one this verifier supports
     * @throws BadAttestationStatementException if the statement is missing, has an empty chain, or its
     *         certificate AAGUID disagrees with authenticatorData
     * @throws BadSignatureException if the signature does not verify
     * @throws BadAlgorithmException in the self-attestation path when {@code alg} differs from the key's algorithm
     */
    @Override
    @NotNull
    public AttestationType verify(@NotNull CoreRegistrationObject coreRegistrationObject) {
        AssertUtil.notNull(coreRegistrationObject, "registrationObject must not be null");
        if (!supports(coreRegistrationObject)) {
            throw new IllegalArgumentException("Specified format is not supported by " + getClass().getName());
        }
        PackedAttestationStatement statement =
                (PackedAttestationStatement) coreRegistrationObject.getAttestationObject().getAttestationStatement();
        verifyAttestationStatementNotNull(statement);

        byte[] signature = statement.getSig();
        COSEAlgorithmIdentifier algorithm = statement.getAlg();
        byte[] signedData = getAttToBeSigned(coreRegistrationObject);

        // Presence of x5c selects basic (certificate-backed) attestation; absence selects self attestation.
        if (statement.getX5c() == null) {
            return verifySelfAttestation(coreRegistrationObject, signature, algorithm, signedData);
        }
        return verifyX5c(coreRegistrationObject, statement, signature, algorithm, signedData);
    }

    /**
     * Rejects a missing attestation statement.
     *
     * @param packedAttestationStatement statement taken from the attestation object, possibly {@code null}
     * @throws BadAttestationStatementException if the statement is {@code null}
     */
    void verifyAttestationStatementNotNull(PackedAttestationStatement packedAttestationStatement) {
        if (packedAttestationStatement != null) {
            return;
        }
        throw new BadAttestationStatementException("attestation statement is not found.");
    }

    /**
     * Basic-attestation path: the end-entity certificate of {@code x5c} must have signed the data, the
     * certificate must pass its own validation, and any AAGUID it carries must match authenticatorData.
     *
     * <p>Check order is deliberate: signature first, then certificate validation, then the AAGUID
     * extension, matching the WebAuthn packed-attestation verification procedure.
     *
     * @param coreRegistrationObject registration data under verification
     * @param packedAttestationStatement statement whose {@code x5c} is non-null
     * @param signature the statement's {@code sig}
     * @param algorithm the statement's {@code alg}
     * @param signedData {@code authenticatorData || clientDataHash}
     * @return {@link AttestationType#BASIC}
     * @throws BadAttestationStatementException if the chain is empty or the certificate AAGUID mismatches
     * @throws BadSignatureException if the signature does not verify under the certificate's public key
     */
    @NotNull
    private AttestationType verifyX5c(@NotNull CoreRegistrationObject coreRegistrationObject, @NotNull PackedAttestationStatement packedAttestationStatement, @NotNull byte[] signature, @NotNull COSEAlgorithmIdentifier algorithm, @NotNull byte[] signedData) {
        var chain = packedAttestationStatement.getX5c();
        if (chain == null || chain.isEmpty()) {
            throw new BadAttestationStatementException("No attestation certificate is found in packed attestation statement.");
        }
        var endEntity = chain.getEndEntityAttestationCertificate();
        X509Certificate certificate = endEntity.getCertificate();

        boolean signatureValid = verifySignature(certificate.getPublicKey(), algorithm, signature, signedData);
        if (!signatureValid) {
            throw new BadSignatureException("`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.");
        }
        // Certificate-level requirements are enforced by the certificate object itself.
        endEntity.validate();

        AAGUID certificateAaguid = extractAAGUIDFromAttestationCertificate(certificate);
        AAGUID authenticatorDataAaguid = coreRegistrationObject.getAttestationObject()
                .getAuthenticatorData()
                .getAttestedCredentialData()
                .getAaguid();

        // A certificate without the extension (AAGUID.NULL sentinel, compared by identity) is accepted;
        // otherwise the two AAGUIDs must agree.
        boolean extensionAbsent = certificateAaguid == AAGUID.NULL;
        if (!extensionAbsent && !Objects.equals(certificateAaguid, authenticatorDataAaguid)) {
            throw new BadAttestationStatementException("AAGUID in attestation certificate doesn't match the AAGUID in authenticatorData.");
        }
        return AttestationType.BASIC;
    }

    /**
     * Reads the AAGUID from the id-fido-gen-ce-aaguid extension of an attestation certificate.
     *
     * <p>{@link X509Certificate#getExtensionValue} returns the DER OCTET STRING wrapper of the extension,
     * whose content is itself an OCTET STRING holding the AAGUID bytes; hence the two-stage decode.
     *
     * <p>Limits visible here: the extension's criticality is not inspected (the WebAuthn packed
     * certificate requirements say it must not be critical), and a malformed extension surfaces as
     * {@link UncheckedIOException} rather than a verification exception. Whether a value that is not
     * 16 bytes is rejected depends on {@code UUIDUtil.fromBytes} — TODO confirm.
     *
     * @param x509Certificate end-entity attestation certificate
     * @return the decoded AAGUID, or {@link AAGUID#NULL} when the extension is absent
     * @throws UncheckedIOException if the extension value is not well-formed ASN.1
     */
    @NotNull
    AAGUID extractAAGUIDFromAttestationCertificate(@NotNull X509Certificate x509Certificate) {
        byte[] derWrapped = x509Certificate.getExtensionValue(ID_FIDO_GEN_CE_AAGUID);
        if (derWrapped == null) {
            return AAGUID.NULL;
        }
        try {
            Asn1OctetString outer = new Asn1OctetString();
            outer.decode(derWrapped);
            Asn1OctetString inner = new Asn1OctetString();
            inner.decode(outer.getValue());
            byte[] aaguidBytes = inner.getValue();
            return new AAGUID(UUIDUtil.fromBytes(aaguidBytes));
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Self-attestation path: the credential's own COSE key must have signed the data, and the
     * statement's {@code alg} must equal that key's algorithm.
     *
     * @param coreRegistrationObject registration data under verification
     * @param signature the statement's {@code sig}
     * @param algorithm the statement's {@code alg}
     * @param signedData {@code authenticatorData || clientDataHash}
     * @return {@link AttestationType#SELF}
     * @throws BadAlgorithmException if {@code alg} differs from the credential key's algorithm
     * @throws BadSignatureException if the signature does not verify under the credential key
     */
    @NotNull
    private AttestationType verifySelfAttestation(@NotNull CoreRegistrationObject coreRegistrationObject, @NotNull byte[] signature, @NotNull COSEAlgorithmIdentifier algorithm, @NotNull byte[] signedData) {
        COSEKey credentialKey = coreRegistrationObject.getAttestationObject()
                .getAuthenticatorData()
                .getAttestedCredentialData()
                .getCOSEKey();
        // The algorithm check precedes the signature check so a mismatch is reported as such.
        if (!algorithm.equals(credentialKey.getAlgorithm())) {
            throw new BadAlgorithmException("`alg` in attestation statement doesn't match the algorithm of the coseKey in authenticatorData.");
        }
        if (!verifySignature(credentialKey.getPublicKey(), algorithm, signature, signedData)) {
            throw new BadSignatureException("`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.");
        }
        return AttestationType.SELF;
    }

    /**
     * Checks {@code signature} over {@code signedData} with the JCA algorithm mapped from {@code algorithm}.
     *
     * <p>Any {@link RuntimeException}, {@link InvalidKeyException} or {@link SignatureException} is
     * reported as {@code false}; callers therefore see such failures (including, presumably, an
     * unmappable {@code alg} in {@code getJcaName} — verify against the superclass) as a bad
     * signature rather than as a distinct error.
     *
     * @param publicKey key to verify against
     * @param algorithm COSE algorithm identifier selecting the JCA signature algorithm
     * @param signature raw signature bytes
     * @param signedData data the signature is expected to cover
     * @return {@code true} only if the signature verifies
     */
    private boolean verifySignature(@NotNull PublicKey publicKey, @NotNull COSEAlgorithmIdentifier algorithm, @NotNull byte[] signature, @NotNull byte[] signedData) {
        try {
            String jcaName = getJcaName(algorithm);
            Signature verifier = SignatureUtil.createSignature(jcaName);
            verifier.initVerify(publicKey);
            verifier.update(signedData);
            return verifier.verify(signature);
        } catch (RuntimeException | InvalidKeyException | SignatureException e) {
            return false;
        }
    }

    /**
     * Builds the signed message {@code authenticatorData || clientDataHash}.
     *
     * @param coreRegistrationObject source of the raw authenticator data and the client data hash
     * @return the concatenation, in that order
     */
    @NotNull
    private byte[] getAttToBeSigned(@NotNull CoreRegistrationObject coreRegistrationObject) {
        byte[] authenticatorData = coreRegistrationObject.getAuthenticatorDataBytes();
        byte[] clientDataHash = coreRegistrationObject.getClientDataHash();
        int totalLength = authenticatorData.length + clientDataHash.length;
        ByteBuffer buffer = ByteBuffer.allocate(totalLength);
        buffer.put(authenticatorData);
        buffer.put(clientDataHash);
        return buffer.array();
    }
}
