package com.webauthn4j.verifier;

import com.webauthn4j.authenticator.Authenticator;
import com.webauthn4j.credential.CoreCredentialRecord;
import com.webauthn4j.data.AuthenticationData;
import com.webauthn4j.data.AuthenticationParameters;
import com.webauthn4j.data.attestation.authenticator.AuthenticatorData;
import com.webauthn4j.data.client.ClientDataType;
import com.webauthn4j.data.client.CollectedClientData;
import com.webauthn4j.data.extension.authenticator.AuthenticationExtensionAuthenticatorOutput;
import com.webauthn4j.data.extension.authenticator.AuthenticationExtensionsAuthenticatorOutputs;
import com.webauthn4j.data.extension.client.AuthenticationExtensionClientOutput;
import com.webauthn4j.data.extension.client.AuthenticationExtensionsClientOutputs;
import com.webauthn4j.server.ServerProperty;
import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.verifier.exception.BadBackupEligibleFlagException;
import com.webauthn4j.verifier.exception.ConstraintViolationException;
import com.webauthn4j.verifier.exception.CrossOriginException;
import com.webauthn4j.verifier.exception.IllegalBackupStateException;
import com.webauthn4j.verifier.exception.InconsistentClientDataTypeException;
import com.webauthn4j.verifier.exception.NotAllowedCredentialIdException;
import com.webauthn4j.verifier.exception.UserNotPresentException;
import com.webauthn4j.verifier.exception.UserNotVerifiedException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:com/webauthn4j/verifier/AuthenticationDataVerifier.class */
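public class AuthenticationDataVerifier {
    private final ChallengeVerifier challengeVerifier;
    private final TokenBindingVerifier tokenBindingVerifier;
    private final RpIdHashVerifier rpIdHashVerifier;
    private final AssertionSignatureVerifier assertionSignatureVerifier;
    private final ClientExtensionVerifier clientExtensionVerifier;
    private final AuthenticatorExtensionVerifier authenticatorExtensionVerifier;
    // Exposed as a live (mutable) reference by getCustomAuthenticationVerifiers().
    private final List<CustomAuthenticationVerifier> customAuthenticationVerifiers;
    // Replaceable via setter; plain field writes, no synchronization.
    private OriginVerifier originVerifier;
    private CoreMaliciousCounterValueHandler maliciousCounterValueHandler;
    // Cross-origin client data is rejected unless this is switched on.
    private boolean crossOriginAllowed;

    /**
     * Creates a verifier with the default sub-verifiers and the given custom verifiers.
     *
     * @param customAuthenticationVerifiers additional verifiers run after the built-in checks;
     *                                      the list is stored by reference, not copied
     * @throws IllegalArgumentException if {@code customAuthenticationVerifiers} is {@code null}
     *                                  (as raised by {@link AssertUtil#notNull})
     */
    public AuthenticationDataVerifier(@NotNull List<CustomAuthenticationVerifier> customAuthenticationVerifiers) {
        this.challengeVerifier = new ChallengeVerifier();
        this.tokenBindingVerifier = new TokenBindingVerifier();
        this.rpIdHashVerifier = new RpIdHashVerifier();
        this.assertionSignatureVerifier = new AssertionSignatureVerifier();
        this.clientExtensionVerifier = new ClientExtensionVerifier();
        this.authenticatorExtensionVerifier = new AuthenticatorExtensionVerifier();
        this.originVerifier = new OriginVerifierImpl();
        this.maliciousCounterValueHandler = new DefaultCoreMaliciousCounterValueHandler();
        this.crossOriginAllowed = false;
        AssertUtil.notNull(customAuthenticationVerifiers, "customAuthenticationVerifiers must not be null");
        this.customAuthenticationVerifiers = customAuthenticationVerifiers;
    }

    /**
     * Creates a verifier with the default sub-verifiers and an empty, mutable list of
     * custom verifiers (callers may add to it through {@link #getCustomAuthenticationVerifiers()}).
     */
    public AuthenticationDataVerifier() {
        // Delegate so both constructors share one initialization path (the raw
        // "new ArrayList()" of the original is replaced by the typed form).
        this(new ArrayList<>());
    }

    /**
     * Verifies a WebAuthn authentication (assertion) response against the relying party's
     * expectations and, on success, updates the stored credential record.
     * <p>
     * Checks are performed in this order: credential id allow-list, authenticator data shape,
     * client data type, challenge, origin, cross-origin flag, token binding, rpId hash,
     * UP/UV flags, BE/BS flag consistency, extensions, assertion signature, signature counter,
     * then the custom verifiers. Any failing check throws and aborts the remaining checks.
     * <p>
     * Note: {@link #updateRecord} mutates the {@link Authenticator} (counter, backup state,
     * UV-initialized) <em>before</em> the custom verifiers run, so a custom verifier that
     * throws leaves the in-memory record already updated.
     *
     * @param authenticationData       the parsed authentication response
     * @param authenticationParameters server-side parameters (server property, stored
     *                                 authenticator, allow-list, UP/UV requirements)
     * @throws InconsistentClientDataTypeException if {@code clientData.type} is not {@code webauthn.get}
     * @throws NotAllowedCredentialIdException     if the credential id is not in the allow-list
     * @throws UserNotPresentException             if UP is required but the UP flag is clear
     * @throws UserNotVerifiedException            if UV is required but the UV flag is clear
     * @throws CrossOriginException                if cross-origin client data is seen while disallowed
     * @throws IllegalBackupStateException         if BS is set while BE is clear
     * @throws BadBackupEligibleFlagException      if the BE flag contradicts the stored record
     * @throws ConstraintViolationException        if attestedCredentialData is present
     */
    public void verify(@NotNull AuthenticationData authenticationData, @NotNull AuthenticationParameters authenticationParameters) {
        BeanAssertUtil.validate(authenticationData);
        AssertUtil.notNull(authenticationParameters, "authenticationParameters must not be null");
        AuthenticationExtensionsClientOutputs<AuthenticationExtensionClientOutput> clientExtensions = authenticationData.getClientExtensions();
        byte[] credentialId = authenticationData.getCredentialId();
        verifyCredentialId(credentialId, authenticationParameters.getAllowCredentials());
        byte[] collectedClientDataBytes = authenticationData.getCollectedClientDataBytes();
        byte[] authenticatorDataBytes = authenticationData.getAuthenticatorDataBytes();
        CollectedClientData collectedClientData = authenticationData.getCollectedClientData();
        AuthenticatorData<AuthenticationExtensionAuthenticatorOutput> authenticatorData = authenticationData.getAuthenticatorData();
        ServerProperty serverProperty = authenticationParameters.getServerProperty();
        BeanAssertUtil.validate(collectedClientData);
        BeanAssertUtil.validate(authenticatorData);
        verifyAuthenticatorData(authenticatorData);
        Authenticator authenticator = authenticationParameters.getAuthenticator();
        AuthenticationObject authenticationObject = new AuthenticationObject(credentialId, authenticatorData, authenticatorDataBytes, collectedClientData, collectedClientDataBytes, clientExtensions, serverProperty, authenticator);
        // A registration ("create") response must not be accepted as an assertion.
        if (!Objects.equals(collectedClientData.getType(), ClientDataType.WEBAUTHN_GET)) {
            throw new InconsistentClientDataTypeException("ClientData.type must be 'get' on authentication, but it isn't.");
        }
        this.challengeVerifier.verify(collectedClientData, serverProperty);
        this.originVerifier.verify(authenticationObject);
        verifyClientDataCrossOrigin(collectedClientData);
        this.tokenBindingVerifier.verify(collectedClientData.getTokenBinding(), serverProperty.getTokenBindingId());
        this.rpIdHashVerifier.verify(authenticatorData.getRpIdHash(), serverProperty);
        if (authenticationParameters.isUserPresenceRequired() && !authenticatorData.isFlagUP()) {
            throw new UserNotPresentException("Verifier is configured to check user present, but UP flag in authenticatorData is not set.");
        }
        if (authenticationParameters.isUserVerificationRequired() && !authenticatorData.isFlagUV()) {
            throw new UserNotVerifiedException("Verifier is configured to check user verified, but UV flag in authenticatorData is not set.");
        }
        verifyBEBSFlags(authenticatorData);
        verifyBEFlag(authenticator, authenticatorData);
        AuthenticationExtensionsAuthenticatorOutputs<AuthenticationExtensionAuthenticatorOutput> extensions = authenticatorData.getExtensions();
        this.clientExtensionVerifier.verify(clientExtensions);
        this.authenticatorExtensionVerifier.verify(extensions);
        // Signature is checked against the public key stored at registration time.
        this.assertionSignatureVerifier.verify(authenticationData, authenticator.getAttestedCredentialData().getCOSEKey());
        long signCount = authenticatorData.getSignCount();
        long counter = authenticator.getCounter();
        // A counter that did not increase (when either side is non-zero) is handed to the
        // malicious-counter handler; the WebAuthn spec treats this as a possible cloned
        // authenticator. Both values being zero means the authenticator does not count.
        if ((signCount > 0 || counter > 0) && signCount <= counter) {
            this.maliciousCounterValueHandler.maliciousCounterValueDetected(authenticationObject);
        }
        updateRecord(authenticator, authenticatorData);
        for (CustomAuthenticationVerifier customVerifier : this.customAuthenticationVerifiers) {
            customVerifier.verify(authenticationObject);
        }
    }

    /**
     * Checks that the authenticator's BE (backup eligible) flag agrees with the value
     * recorded at registration. Only applies when {@code authenticator} is a
     * {@link CoreCredentialRecord} whose {@code isBackupEligible()} is non-null; the
     * BE flag is defined as fixed for the lifetime of a credential.
     *
     * @param authenticator     the stored credential
     * @param authenticatorData the authenticator data from the current assertion
     * @throws BadBackupEligibleFlagException if the stored and current BE flags differ
     */
    static void verifyBEFlag(Authenticator authenticator, AuthenticatorData<AuthenticationExtensionAuthenticatorOutput> authenticatorData) {
        if (!(authenticator instanceof CoreCredentialRecord)) {
            return;
        }
        Boolean recordedBackupEligible = ((CoreCredentialRecord) authenticator).isBackupEligible();
        if (recordedBackupEligible == null) {
            // Nothing recorded at registration; there is no baseline to compare against.
            return;
        }
        boolean currentBackupEligible = authenticatorData.isFlagBE();
        if (recordedBackupEligible && !currentBackupEligible) {
            throw new BadBackupEligibleFlagException("Although credential record BE flag is set, current BE flag is not set");
        }
        if (!recordedBackupEligible && currentBackupEligible) {
            throw new BadBackupEligibleFlagException("Although credential record BE flag is not set, current BE flag is set");
        }
    }

    /**
     * Writes the assertion's state back into the stored credential: always the signature
     * counter; for a {@link CoreCredentialRecord} also the BS (backed up) flag, and the
     * UV-initialized flag unless it is already {@code true}.
     *
     * @param authenticator     the stored credential to mutate
     * @param authenticatorData the authenticator data from the current assertion
     */
    static void updateRecord(Authenticator authenticator, AuthenticatorData<AuthenticationExtensionAuthenticatorOutput> authenticatorData) {
        authenticator.setCounter(authenticatorData.getSignCount());
        if (!(authenticator instanceof CoreCredentialRecord)) {
            return;
        }
        CoreCredentialRecord record = (CoreCredentialRecord) authenticator;
        record.setBackedUp(authenticatorData.isFlagBS());
        // Once UV has been observed (true) it is never cleared; null or false may be overwritten.
        if (!Boolean.TRUE.equals(record.isUvInitialized())) {
            record.setUvInitialized(authenticatorData.isFlagUV());
        }
    }

    /**
     * Rejects a credential id that is not in the allow-list.
     * A {@code null} list disables the check; a non-null but empty list rejects every id.
     *
     * @param credentialId     the credential id from the assertion
     * @param allowCredentials the allow-list sent in the authentication options, or {@code null}
     * @throws NotAllowedCredentialIdException if the id is not contained in a non-null list
     */
    void verifyCredentialId(byte[] credentialId, @Nullable List<byte[]> allowCredentials) {
        if (allowCredentials == null) {
            return;
        }
        boolean listed = allowCredentials.stream().anyMatch(allowed -> Arrays.equals(allowed, credentialId));
        if (!listed) {
            throw new NotAllowedCredentialIdException("credentialId not listed in allowCredentials is used.");
        }
    }

    /**
     * Rejects client data whose {@code crossOrigin} member is {@code true} unless
     * {@link #setCrossOriginAllowed(boolean)} has enabled it. A {@code null} member passes.
     *
     * @param collectedClientData the parsed client data
     * @throws CrossOriginException if cross-origin is flagged and not allowed
     */
    void verifyClientDataCrossOrigin(CollectedClientData collectedClientData) {
        boolean crossOrigin = Objects.equals(true, collectedClientData.getCrossOrigin());
        if (crossOrigin && !this.crossOriginAllowed) {
            throw new CrossOriginException("Cross-origin request is prohibited. Relax AuthenticationDataVerifier config if necessary.");
        }
    }

    /**
     * Ensures the authenticator data carries no attested credential data, which only a
     * registration response should contain.
     *
     * @param authenticatorData the parsed authenticator data
     * @throws ConstraintViolationException if attested credential data is present
     */
    void verifyAuthenticatorData(@NotNull AuthenticatorData<AuthenticationExtensionAuthenticatorOutput> authenticatorData) {
        if (authenticatorData.getAttestedCredentialData() != null) {
            throw new ConstraintViolationException("attestedCredentialData must be null on authentication");
        }
    }

    /**
     * Checks internal consistency of the backup flags: BS (backed up) may only be set
     * when BE (backup eligible) is also set.
     *
     * @param authenticatorData the parsed authenticator data
     * @throws IllegalBackupStateException if BS is set while BE is clear
     */
    void verifyBEBSFlags(AuthenticatorData<AuthenticationExtensionAuthenticatorOutput> authenticatorData) {
        if (authenticatorData.isFlagBS() && !authenticatorData.isFlagBE()) {
            throw new IllegalBackupStateException("Backup state bit must not be set if backup eligibility bit is not set");
        }
    }

    /** @return the handler invoked when a non-increasing signature counter is seen; never {@code null} */
    @NotNull
    public CoreMaliciousCounterValueHandler getMaliciousCounterValueHandler() {
        return this.maliciousCounterValueHandler;
    }

    /**
     * @param coreMaliciousCounterValueHandler the replacement handler
     * @throws IllegalArgumentException if {@code null} (as raised by {@link AssertUtil#notNull})
     */
    public void setMaliciousCounterValueHandler(@NotNull CoreMaliciousCounterValueHandler coreMaliciousCounterValueHandler) {
        AssertUtil.notNull(coreMaliciousCounterValueHandler, "maliciousCounterValueHandler must not be null");
        this.maliciousCounterValueHandler = coreMaliciousCounterValueHandler;
    }

    /** @return the verifier applied to the client data origin */
    public OriginVerifier getOriginVerifier() {
        return this.originVerifier;
    }

    /**
     * Replaces the origin verifier. A {@code null} value is rejected here rather than
     * surfacing as a NullPointerException during {@link #verify}, matching
     * {@link #setMaliciousCounterValueHandler}.
     *
     * @param originVerifier the replacement verifier
     * @throws IllegalArgumentException if {@code null} (as raised by {@link AssertUtil#notNull})
     */
    public void setOriginVerifier(@NotNull OriginVerifier originVerifier) {
        AssertUtil.notNull(originVerifier, "originVerifier must not be null");
        this.originVerifier = originVerifier;
    }

    /**
     * @return the live list of custom verifiers (the same instance passed to the constructor,
     *         or the internal mutable list); modifications affect subsequent {@link #verify} calls
     */
    @NotNull
    public List<CustomAuthenticationVerifier> getCustomAuthenticationVerifiers() {
        return this.customAuthenticationVerifiers;
    }

    /** @return whether client data with {@code crossOrigin: true} is accepted */
    public boolean isCrossOriginAllowed() {
        return this.crossOriginAllowed;
    }

    /** @param crossOriginAllowed {@code true} to accept client data with {@code crossOrigin: true} */
    public void setCrossOriginAllowed(boolean crossOriginAllowed) {
        this.crossOriginAllowed = crossOriginAllowed;
    }
}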
