package com.webauthn4j.verifier.attestation.statement.androidkey;

import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.verifier.exception.BadAttestationStatementException;
import com.webauthn4j.verifier.exception.KeyDescriptionValidationException;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Objects;
import org.apache.kerby.asn1.parse.Asn1Container;
import org.apache.kerby.asn1.parse.Asn1ParseResult;
import org.apache.kerby.asn1.parse.Asn1Parser;
import org.apache.kerby.asn1.type.Asn1Integer;
import org.apache.kerby.asn1.type.Asn1OctetString;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/webauthn4j/verifier/attestation/statement/androidkey/KeyDescriptionVerifier.class */
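/**
 * Verifies the Android Key Attestation {@code KeyDescription} extension of an attestation
 * certificate: the embedded attestation challenge must equal the client data hash, the key must not
 * be usable by all applications, it must have been generated inside keymaster, and it must be
 * usable for signing.
 *
 * <p>Structural problems in the extension (missing fields, a primitive where a SEQUENCE is expected)
 * are reported as {@link BadAttestationStatementException}; failed checks as
 * {@link KeyDescriptionValidationException}. Instances hold no state besides the logger.
 */
public class KeyDescriptionVerifier {
    /** OID of the Android Key Attestation certificate extension that carries the KeyDescription. */
    public static final String ATTESTATION_EXTENSION_OID = "1.3.6.1.4.1.11129.2.1.17";
    /** Position of {@code attestationChallenge} within the KeyDescription SEQUENCE. */
    public static final int ATTESTATION_CHALLENGE_INDEX = 4;
    /** Position of the {@code softwareEnforced} AuthorizationList within the KeyDescription SEQUENCE. */
    public static final int SW_ENFORCED_INDEX = 6;
    /** Position of the {@code teeEnforced} AuthorizationList within the KeyDescription SEQUENCE. */
    public static final int TEE_ENFORCED_INDEX = 7;
    /** Keymaster tag: list of purposes the key may be used for. */
    public static final int KM_TAG_PURPOSE = 1;
    /** Keymaster tag: key is usable by every application (must be absent). */
    public static final int KM_TAG_ALL_APPLICATIONS = 600;
    /** Keymaster tag: key creation time (not checked here). */
    public static final int KM_TAG_CREATION_DATE_TIME = 701;
    /** Keymaster tag: where the key material came from. */
    public static final int KM_TAG_ORIGIN = 702;
    /** {@link #KM_TAG_ORIGIN} value meaning the key was generated inside keymaster. */
    public static final int KM_ORIGIN_GENERATED = 0;
    /** {@link #KM_TAG_PURPOSE} value meaning the key may produce signatures. */
    public static final int KM_PURPOSE_SIGN = 2;

    private final Logger logger = LoggerFactory.getLogger(KeyDescriptionVerifier.class);

    /**
     * Verifies the KeyDescription extension of {@code x509Certificate}.
     *
     * @param x509Certificate attestation certificate carrying the extension
     * @param clientDataHash  expected attestation challenge
     * @param teeEnforcedOnly when {@code true}, origin and purpose are accepted only from the
     *                        teeEnforced list; otherwise either list may satisfy them
     * @throws KeyDescriptionValidationException if the extension is absent or a check fails
     * @throws BadAttestationStatementException  if the extension is structurally malformed
     * @throws UncheckedIOException              if the ASN.1 content cannot be decoded
     */
    public void verify(@NotNull X509Certificate x509Certificate, @NotNull byte[] clientDataHash, boolean teeEnforcedOnly) {
        AssertUtil.notNull(x509Certificate, "x509Certificate must not be null");
        AssertUtil.notNull(clientDataHash, "clientDataHash must not be null");
        try {
            doVerify(extractKeyDescription(x509Certificate), clientDataHash, teeEnforcedOnly);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Reads and parses the KeyDescription SEQUENCE from the attestation extension.
     *
     * @param x509Certificate certificate to read the extension from
     * @return the parsed KeyDescription container
     * @throws KeyDescriptionValidationException if the certificate has no such extension
     * @throws BadAttestationStatementException  if the extension content is not a constructed value
     * @throws IOException                       if DER decoding fails
     */
    @NotNull
    Asn1Container extractKeyDescription(@NotNull X509Certificate x509Certificate) throws IOException {
        byte[] extensionValue = x509Certificate.getExtensionValue(ATTESTATION_EXTENSION_OID);
        if (extensionValue == null) {
            throw new KeyDescriptionValidationException("KeyDescription must not be null");
        }
        // getExtensionValue() returns the DER OCTET STRING wrapping the extension; unwrap it first.
        Asn1OctetString asn1OctetString = new Asn1OctetString();
        asn1OctetString.decode(extensionValue);
        Asn1ParseResult parsed = Asn1Parser.parse(ByteBuffer.wrap(asn1OctetString.getValue()));
        return asContainer(parsed, "KeyDescription");
    }

    /**
     * Runs the checks against an already parsed KeyDescription.
     *
     * @param keyDescription  parsed KeyDescription SEQUENCE
     * @param clientDataHash  expected attestation challenge
     * @param teeEnforcedOnly see {@link #verify(X509Certificate, byte[], boolean)}
     * @throws KeyDescriptionValidationException if a check fails
     * @throws BadAttestationStatementException  if a required field is missing or has the wrong form
     * @throws IOException                       if a nested value cannot be decoded
     */
    void doVerify(@NotNull Asn1Container keyDescription, @NotNull byte[] clientDataHash, boolean teeEnforcedOnly) throws IOException {
        byte[] attestationChallenge = childAt(keyDescription, ATTESTATION_CHALLENGE_INDEX, "attestationChallenge").readBodyBytes();
        if (!Arrays.equals(attestationChallenge, clientDataHash)) {
            throw new KeyDescriptionValidationException("Attestation challenge doesn't match.");
        }
        Asn1Container softwareEnforced = asContainer(childAt(keyDescription, SW_ENFORCED_INDEX, "softwareEnforced"), "softwareEnforced");
        Asn1Container teeEnforced = asContainer(childAt(keyDescription, TEE_ENFORCED_INDEX, "teeEnforced"), "teeEnforced");
        // allApplications must be absent from both lists: a key every app may use is not scoped to this RP.
        if (findAuthorizationListEntry(softwareEnforced, KM_TAG_ALL_APPLICATIONS) != null
                || findAuthorizationListEntry(teeEnforced, KM_TAG_ALL_APPLICATIONS) != null) {
            throw new KeyDescriptionValidationException("Key is not scoped properly.");
        }
        verifyAuthorizationList(teeEnforcedOnly, softwareEnforced, teeEnforced);
    }

    /**
     * Checks origin and purpose. The teeEnforced list is consulted first; the softwareEnforced list
     * is only a fallback when {@code teeEnforcedOnly} is {@code false}. Origin is checked before
     * purpose so the first failing property determines the exception.
     */
    private void verifyAuthorizationList(boolean teeEnforcedOnly, @NotNull Asn1Container softwareEnforced, @NotNull Asn1Container teeEnforced) throws IOException {
        boolean originOk = isKeyGeneratedInKeymaster(findAuthorizationListEntry(teeEnforced, KM_TAG_ORIGIN))
                || (!teeEnforcedOnly && isKeyGeneratedInKeymaster(findAuthorizationListEntry(softwareEnforced, KM_TAG_ORIGIN)));
        if (!originOk) {
            throw new KeyDescriptionValidationException("Key is not generated in keymaster.");
        }
        boolean purposeOk = containsValidPurpose(findAuthorizationListEntry(teeEnforced, KM_TAG_PURPOSE))
                || (!teeEnforcedOnly && containsValidPurpose(findAuthorizationListEntry(softwareEnforced, KM_TAG_PURPOSE)));
        if (!purposeOk) {
            throw new KeyDescriptionValidationException("Key purpose is invalid.");
        }
    }

    /**
     * @param origin value of the origin entry, or {@code null} if the list has none
     * @return {@code true} only if the value decodes to {@link #KM_ORIGIN_GENERATED}; any decoding
     *         failure is logged at debug level and treated as "not generated"
     */
    private boolean isKeyGeneratedInKeymaster(@Nullable Asn1ParseResult origin) {
        try {
            return Objects.equals(getIntegerFromAsn1(origin), BigInteger.valueOf(KM_ORIGIN_GENERATED));
        } catch (IOException | RuntimeException e) {
            logger.debug("Failed to retrieve origin.", e);
            return false;
        }
    }

    /**
     * @param purpose value of the purpose entry (a SET of integers), or {@code null} if absent
     * @return {@code true} if one of the members is {@link #KM_PURPOSE_SIGN}; a structurally bad
     *         value is logged at debug level and treated as invalid
     * @throws IOException if a member cannot be decoded
     */
    private boolean containsValidPurpose(@Nullable Asn1ParseResult purpose) throws IOException {
        if (purpose == null) {
            return false;
        }
        try {
            for (Asn1ParseResult candidate : asContainer(purpose, "purpose").getChildren()) {
                if (Objects.equals(getIntegerFromAsn1(candidate), BigInteger.valueOf(KM_PURPOSE_SIGN))) {
                    return true;
                }
            }
            return false;
        } catch (RuntimeException e) {
            logger.debug("Failed to retrieve purpose.", e);
            return false;
        }
    }

    /**
     * Decodes a primitive ASN.1 node as an INTEGER.
     *
     * @param asn1ParseResult node to decode, may be {@code null}
     * @return the integer value, or {@code null} for a {@code null} node
     * @throws BadAttestationStatementException if the node is not primitive
     * @throws IOException                      if decoding fails
     */
    @Nullable
    private BigInteger getIntegerFromAsn1(@Nullable Asn1ParseResult asn1ParseResult) throws IOException {
        if (asn1ParseResult == null) {
            return null;
        }
        if (!asn1ParseResult.isPrimitive()) {
            throw new BadAttestationStatementException(String.format("ASN1Integer is expected. Found %s instead.", asn1ParseResult.getClass().getName()));
        }
        Asn1Integer asn1Integer = new Asn1Integer();
        asn1Integer.decode(asn1ParseResult);
        return asn1Integer.getValue();
    }

    /**
     * Looks up an AuthorizationList entry by keymaster tag number. Each entry is a tagged wrapper
     * whose first child is the value.
     *
     * @param authorizationList the softwareEnforced or teeEnforced list
     * @param tagNo             keymaster tag to look for
     * @return the entry's value, or {@code null} if the tag is absent
     * @throws BadAttestationStatementException if a matching entry is not constructed or is empty
     */
    @Nullable
    private Asn1ParseResult findAuthorizationListEntry(@NotNull Asn1Container authorizationList, int tagNo) {
        for (Asn1ParseResult entry : authorizationList.getChildren()) {
            if (entry.tagNo() != tagNo) {
                continue;
            }
            Asn1Container wrapper = asContainer(entry, "AuthorizationList entry " + tagNo);
            if (wrapper.getChildren().isEmpty()) {
                throw new BadAttestationStatementException(String.format("AuthorizationList entry %d has no value.", tagNo));
            }
            return wrapper.getChildren().get(0);
        }
        return null;
    }

    /**
     * Returns the child at {@code index}, rejecting a KeyDescription that is too short instead of
     * letting an {@link IndexOutOfBoundsException} escape from attacker-controlled input.
     */
    private static Asn1ParseResult childAt(@NotNull Asn1Container container, int index, @NotNull String what) {
        if (index >= container.getChildren().size()) {
            throw new BadAttestationStatementException(String.format("KeyDescription is too short: %s (index %d) is missing.", what, index));
        }
        return container.getChildren().get(index);
    }

    /**
     * Casts a node to {@link Asn1Container}, reporting a structural error instead of a
     * {@link ClassCastException} when the node is primitive or absent.
     */
    private static Asn1Container asContainer(@Nullable Asn1ParseResult node, @NotNull String what) {
        if (!(node instanceof Asn1Container)) {
            String found = node == null ? "null" : node.getClass().getName();
            throw new BadAttestationStatementException(String.format("%s must be a constructed ASN.1 value. Found %s instead.", what, found));
        }
        return (Asn1Container) node;
    }
}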
