package com.webauthn4j.verifier.attestation.trustworthiness.certpath;

import com.webauthn4j.anchor.TrustAnchorRepository;
import com.webauthn4j.data.attestation.authenticator.AAGUID;
import com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement;
import com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement;
import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.util.CertificateUtil;
import com.webauthn4j.verifier.exception.CertificateException;
import com.webauthn4j.verifier.exception.TrustAnchorNotFoundException;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.time.Instant;
import java.util.Date;
import java.util.Objects;
import java.util.Set;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:com/webauthn4j/verifier/attestation/trustworthiness/certpath/DefaultCertPathTrustworthinessVerifier.class */
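/**
 * Verifies that an attestation certificate chain ({@code x5c}) chains to one of the
 * trust anchors supplied by a {@link TrustAnchorRepository}.
 *
 * <p>Trust anchors are looked up per attestation statement: by AAGUID for every
 * statement type except FIDO U2F, which carries no AAGUID and is therefore keyed by the
 * subject key identifier of its end-entity attestation certificate. The chain is then
 * run through a PKIX {@link CertPathValidator} against exactly those anchors.
 *
 * <p>Defaults: revocation checking is OFF, policy qualifiers are accepted, and a chain
 * that includes the trust anchor itself is allowed. Deployments that need CRL/OCSP
 * checks must opt in via {@link #setRevocationCheckEnabled(boolean)}.
 *
 * <p>This class is not thread-safe with respect to its setters; configure it fully
 * before sharing it across threads.
 */
public class DefaultCertPathTrustworthinessVerifier implements CertPathTrustworthinessVerifier {
    private final TrustAnchorRepository trustAnchorRepository;
    /** When true, an x5c that contains the trust anchor certificate itself is rejected. */
    private boolean fullChainProhibited = false;
    /** Passed through to {@link PKIXParameters#setRevocationEnabled(boolean)}. */
    private boolean revocationCheckEnabled = false;
    /** Passed through to {@link PKIXParameters#setPolicyQualifiersRejected(boolean)}. */
    private boolean policyQualifiersRejected = false;

    /**
     * @param trustAnchorRepository source of trust anchors, consulted on every {@link #verify} call
     * @throws RuntimeException if {@code trustAnchorRepository} is null (type determined by {@link AssertUtil#notNull})
     */
    public DefaultCertPathTrustworthinessVerifier(TrustAnchorRepository trustAnchorRepository) {
        // Fail fast here rather than with a NullPointerException inside verify().
        AssertUtil.notNull(trustAnchorRepository, "trustAnchorRepository must not be null");
        this.trustAnchorRepository = trustAnchorRepository;
    }

    /**
     * Verifies the attestation certificate chain of {@code certificateBaseAttestationStatement}
     * against the trust anchors registered for {@code aaguid} (or, for FIDO U2F, for the
     * end-entity certificate's subject key identifier).
     *
     * @param aaguid                             AAGUID of the authenticator being attested
     * @param certificateBaseAttestationStatement attestation statement carrying the x5c chain;
     *                                           assumed to have a non-null x5c (not checked here)
     * @param instant                            point in time at which validity is evaluated
     * @throws TrustAnchorNotFoundException if no trust anchor is registered for the lookup key
     * @throws CertificateException         if PKIX validation fails or the full-chain rule is violated
     */
    @Override // com.webauthn4j.verifier.attestation.trustworthiness.certpath.CertPathTrustworthinessVerifier
    public void verify(@NotNull AAGUID aaguid, @NotNull CertificateBaseAttestationStatement certificateBaseAttestationStatement, @NotNull Instant instant) {
        // Each argument is checked against its own value; the original checked `aaguid` three times,
        // so a null statement or timestamp slipped past the guard and failed later with an NPE.
        AssertUtil.notNull(aaguid, "aaguid must not be null");
        AssertUtil.notNull(certificateBaseAttestationStatement, "attestationStatement must not be null");
        AssertUtil.notNull(instant, "timestamp must not be null");

        CertPath certPath = certificateBaseAttestationStatement.getX5c().createCertPath();
        Set<TrustAnchor> trustAnchors = lookupTrustAnchors(aaguid, certificateBaseAttestationStatement);
        verifyCertPath(certPath, trustAnchors, instant);
    }

    /**
     * Selects the trust anchors applicable to this attestation statement.
     *
     * <p>FIDO U2F statements have no AAGUID, so they are keyed by the subject key identifier of
     * the (authenticator-supplied) attestation certificate. That identifier is attacker-controlled
     * input, but it only chooses which anchors are consulted; the chain is still cryptographically
     * validated against them. Behaviour of {@link CertificateUtil#extractSubjectKeyIdentifier}
     * when the certificate lacks an SKI extension is not visible here.
     */
    private Set<TrustAnchor> lookupTrustAnchors(AAGUID aaguid, CertificateBaseAttestationStatement attestationStatement) {
        if (attestationStatement instanceof FIDOU2FAttestationStatement) {
            FIDOU2FAttestationStatement u2fStatement = (FIDOU2FAttestationStatement) attestationStatement;
            byte[] subjectKeyIdentifier = CertificateUtil.extractSubjectKeyIdentifier(
                    u2fStatement.getX5c().getEndEntityAttestationCertificate().getCertificate());
            return this.trustAnchorRepository.find(subjectKeyIdentifier);
        }
        return this.trustAnchorRepository.find(aaguid);
    }

    /**
     * Runs PKIX path validation of {@code certPath} against {@code trustAnchors} and returns the
     * anchor the path chained to.
     *
     * @throws TrustAnchorNotFoundException if {@code trustAnchors} is empty
     * @throws CertificateException         if validation fails or the full-chain rule is violated
     */
    private TrustAnchor verifyCertPath(CertPath certPath, Set<TrustAnchor> trustAnchors, Instant instant) {
        if (trustAnchors.isEmpty()) {
            throw new TrustAnchorNotFoundException("TrustAnchors are not found");
        }

        // Shortcut: a single-certificate path that IS one of the configured anchors is accepted
        // as-is. PKIX never validates the anchor itself, so this matches validator semantics, but
        // note that it also bypasses the validity-date, revocation and fullChainProhibited checks
        // below. NOTE(review): with fullChainProhibited=true such a path would be rejected by the
        // validator branch yet is accepted here — confirm this asymmetry is intended.
        if (certPath.getCertificates().size() == 1) {
            Certificate soleCertificate = certPath.getCertificates().get(0);
            for (TrustAnchor candidate : trustAnchors) {
                // X509Certificate.equals compares the DER encoding, not object identity.
                if (candidate.getTrustedCert().equals(soleCertificate)) {
                    return candidate;
                }
            }
        }

        CertPathValidator validator = CertificateUtil.createCertPathValidator();
        PKIXParameters parameters = CertificateUtil.createPKIXParameters(trustAnchors);
        parameters.setPolicyQualifiersRejected(this.policyQualifiersRejected);
        parameters.setRevocationEnabled(this.revocationCheckEnabled);
        // PKIXParameters has no Instant overload; validity is evaluated at the supplied time.
        parameters.setDate(Date.from(instant));

        try {
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(certPath, parameters);
            TrustAnchor matchedAnchor = result.getTrustAnchor();

            // The WebAuthn spec expects x5c to exclude the root; enforce that when configured.
            if (this.fullChainProhibited && certPath.getCertificates().contains(matchedAnchor.getTrustedCert())) {
                throw new CertificateException("`certpath` must not contain full chain.");
            }

            // TrustAnchor does not override equals, so this is an identity match against the set
            // the parameters were built from; a miss indicates a programming error, not bad input.
            for (TrustAnchor candidate : trustAnchors) {
                if (Objects.equals(candidate, matchedAnchor)) {
                    return candidate;
                }
            }
            throw new IllegalStateException("Matching TrustAnchor is not found.");
        } catch (InvalidAlgorithmParameterException e) {
            throw new CertificateException("invalid algorithm parameter", e);
        } catch (CertPathValidatorException e) {
            throw new CertificateException("invalid cert path", e);
        }
    }

    /** @return whether an x5c containing the trust anchor certificate is rejected (default false) */
    public boolean isFullChainProhibited() {
        return this.fullChainProhibited;
    }

    /** @param fullChainProhibited true to reject an x5c that includes the trust anchor certificate */
    public void setFullChainProhibited(boolean fullChainProhibited) {
        this.fullChainProhibited = fullChainProhibited;
    }

    /** @return whether PKIX revocation checking is enabled (default false) */
    public boolean isRevocationCheckEnabled() {
        return this.revocationCheckEnabled;
    }

    /** @param revocationCheckEnabled true to enable PKIX revocation checking (CRL/OCSP per JDK configuration) */
    public void setRevocationCheckEnabled(boolean revocationCheckEnabled) {
        this.revocationCheckEnabled = revocationCheckEnabled;
    }

    /** @return whether certificates carrying policy qualifiers are rejected (default false) */
    public boolean isPolicyQualifiersRejected() {
        return this.policyQualifiersRejected;
    }

    /** @param policyQualifiersRejected true to make the PKIX validator reject policy qualifiers */
    public void setPolicyQualifiersRejected(boolean policyQualifiersRejected) {
        this.policyQualifiersRejected = policyQualifiersRejected;
    }
}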
