package com.yubico.webauthn;

import COSE.CoseException;
import com.fasterxml.jackson.databind.JsonNode;
import com.upokecenter.cbor.CBORObject;
import com.yubico.internal.util.CollectionUtil;
import com.yubico.internal.util.ExceptionUtil;
import com.yubico.webauthn.data.AttestationObject;
import com.yubico.webauthn.data.AttestationType;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.COSEAlgorithmIdentifier;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import lombok.Generated;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DEROctetString;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/webauthn-server-core-1.6.4.jar:com/yubico/webauthn/PackedAttestationStatementVerifier.class */
final class PackedAttestationStatementVerifier implements AttestationStatementVerifier, X5cAttestationStatementVerifier {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(PackedAttestationStatementVerifier.class);
    private final BouncyCastleCrypto crypto = new BouncyCastleCrypto();

    @Override // com.yubico.webauthn.AttestationStatementVerifier
    public AttestationType getAttestationType(AttestationObject attestationObject) {
        return attestationObject.getAttestationStatement().hasNonNull("x5c") ? AttestationType.BASIC : attestationObject.getAttestationStatement().hasNonNull("ecdaaKeyId") ? AttestationType.ECDAA : AttestationType.SELF_ATTESTATION;
    }

    @Override // com.yubico.webauthn.AttestationStatementVerifier
    public boolean verifyAttestationSignature(AttestationObject attestationObject, ByteArray byteArray) {
        JsonNode jsonNode = attestationObject.getAttestationStatement().get("sig");
        if (jsonNode == null || !jsonNode.isBinary()) {
            throw new IllegalArgumentException("attStmt.sig must be set to a binary value.");
        }
        return attestationObject.getAttestationStatement().has("x5c") ? verifyX5cSignature(attestationObject, byteArray) : attestationObject.getAttestationStatement().has("ecdaaKeyId") ? verifyEcdaaSignature(attestationObject, byteArray) : verifySelfAttestationSignature(attestationObject, byteArray);
    }

    private boolean verifyEcdaaSignature(AttestationObject attestationObject, ByteArray byteArray) {
        throw new UnsupportedOperationException("ECDAA signature verification is not (yet) implemented.");
    }

    private boolean verifySelfAttestationSignature(AttestationObject attestationObject, ByteArray byteArray) {
        try {
            PublicKey importCosePublicKey = WebAuthnCodecs.importCosePublicKey(attestationObject.getAuthenticatorData().getAttestedCredentialData().get().getCredentialPublicKey());
            Long valueOf = Long.valueOf(CBORObject.DecodeFromBytes(attestationObject.getAuthenticatorData().getAttestedCredentialData().get().getCredentialPublicKey().getBytes()).get(CBORObject.FromObject(3)).AsInt64());
            COSEAlgorithmIdentifier orElseThrow = COSEAlgorithmIdentifier.fromId(valueOf.longValue()).orElseThrow(() -> {
                return new IllegalArgumentException("Unsupported COSE algorithm identifier: " + valueOf);
            });
            Long valueOf2 = Long.valueOf(attestationObject.getAttestationStatement().get("alg").asLong());
            COSEAlgorithmIdentifier orElseThrow2 = COSEAlgorithmIdentifier.fromId(valueOf2.longValue()).orElseThrow(() -> {
                return new IllegalArgumentException("Unsupported COSE algorithm identifier: " + valueOf2);
            });
            if (!Objects.equals(orElseThrow, orElseThrow2)) {
                throw new IllegalArgumentException(String.format("Key algorithm and signature algorithm must be equal, was: Key: %s, Sig: %s", orElseThrow, orElseThrow2));
            }
            try {
                return this.crypto.verifySignature(importCosePublicKey, attestationObject.getAuthenticatorData().getBytes().concat(byteArray), new ByteArray(attestationObject.getAttestationStatement().get("sig").binaryValue()), orElseThrow);
            } catch (IOException e) {
                throw ExceptionUtil.wrapAndLog(log, ".binaryValue() of \"sig\" failed", e);
            }
        } catch (CoseException | IOException | InvalidKeySpecException e2) {
            throw ExceptionUtil.wrapAndLog(log, String.format("Failed to parse public key from attestation data %s", attestationObject.getAuthenticatorData().getAttestedCredentialData()), e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new RuntimeException(e3);
        }
    }

    private boolean verifyX5cSignature(AttestationObject attestationObject, ByteArray byteArray) {
        try {
            return ((Boolean) getX5cAttestationCertificate(attestationObject).map(x509Certificate -> {
                JsonNode jsonNode = attestationObject.getAttestationStatement().get("sig");
                if (jsonNode == null) {
                    throw new IllegalArgumentException("Packed attestation statement must have field \"sig\".");
                }
                if (!jsonNode.isBinary()) {
                    throw new IllegalArgumentException("Field \"sig\" in packed attestation statement must be a binary value.");
                }
                try {
                    ByteArray byteArray2 = new ByteArray(jsonNode.binaryValue());
                    JsonNode jsonNode2 = attestationObject.getAttestationStatement().get("alg");
                    if (jsonNode2 == null) {
                        throw new IllegalArgumentException("Packed attestation statement must have field \"alg\".");
                    }
                    ExceptionUtil.assure(jsonNode2.isIntegralNumber(), "Field \"alg\" in packed attestation statement must be a COSEAlgorithmIdentifier.", new Object[0]);
                    Long valueOf = Long.valueOf(jsonNode2.asLong());
                    COSEAlgorithmIdentifier orElseThrow = COSEAlgorithmIdentifier.fromId(valueOf.longValue()).orElseThrow(() -> {
                        return new IllegalArgumentException("Unsupported COSE algorithm identifier: " + valueOf);
                    });
                    ByteArray concat = attestationObject.getAuthenticatorData().getBytes().concat(byteArray);
                    String javaAlgorithmName = WebAuthnCodecs.getJavaAlgorithmName(orElseThrow);
                    try {
                        Signature signature = Signature.getInstance(javaAlgorithmName, this.crypto.getProvider());
                        try {
                            signature.initVerify(x509Certificate.getPublicKey());
                            try {
                                signature.update(concat.getBytes());
                                try {
                                    return Boolean.valueOf(signature.verify(byteArray2.getBytes()) && verifyX5cRequirements(x509Certificate, attestationObject.getAuthenticatorData().getAttestedCredentialData().get().getAaguid()));
                                } catch (SignatureException e) {
                                    throw ExceptionUtil.wrapAndLog(log, "Failed to verify signature: " + attestationObject, e);
                                }
                            } catch (SignatureException e2) {
                                throw ExceptionUtil.wrapAndLog(log, "Signature object in invalid state: " + signature, e2);
                            }
                        } catch (InvalidKeyException e3) {
                            throw ExceptionUtil.wrapAndLog(log, "Attestation key is invalid: " + x509Certificate, e3);
                        }
                    } catch (NoSuchAlgorithmException e4) {
                        throw ExceptionUtil.wrapAndLog(log, "Failed to get a Signature instance for " + javaAlgorithmName, e4);
                    }
                } catch (IOException e5) {
                    throw ExceptionUtil.wrapAndLog(log, "signatureNode.isBinary() was true but signatureNode.binaryValue() failed", e5);
                }
            }).orElseThrow(() -> {
                return new IllegalArgumentException("If \"x5c\" property is present in \"packed\" attestation format it must be an array containing at least one DER encoded X.509 cerficicate.");
            })).booleanValue();
        } catch (CertificateException e) {
            throw ExceptionUtil.wrapAndLog(log, String.format("Failed to parse X.509 certificate from attestation object: %s", attestationObject), e);
        }
    }

    private Optional<Object> getDnField(String str, X509Certificate x509Certificate) {
        try {
            return new LdapName(x509Certificate.getSubjectX500Principal().getName()).getRdns().stream().filter(rdn -> {
                return Objects.equals(rdn.getType(), str);
            }).findAny().map((v0) -> {
                return v0.getValue();
            });
        } catch (InvalidNameException e) {
            throw ExceptionUtil.wrapAndLog(log, "X500Principal name was not accepted as an LdapName: " + x509Certificate.getSubjectX500Principal().getName(), e);
        }
    }

    public boolean verifyX5cRequirements(X509Certificate x509Certificate, ByteArray byteArray) {
        if (x509Certificate.getVersion() != 3) {
            throw new IllegalArgumentException(String.format("Wrong attestation certificate X509 version: %s, expected: 3", Integer.valueOf(x509Certificate.getVersion())));
        }
        Set immutableSet = CollectionUtil.immutableSet(new HashSet(Arrays.asList(Locale.getISOCountries())));
        Optional<Object> dnField = getDnField("C", x509Certificate);
        Objects.requireNonNull(immutableSet);
        ExceptionUtil.assure(dnField.filter(immutableSet::contains).isPresent(), "Invalid attestation certificate country code: %s", getDnField("C", x509Certificate));
        ExceptionUtil.assure(getDnField("O", x509Certificate).filter(obj -> {
            return !((String) obj).isEmpty();
        }).isPresent(), "Organization (O) field of attestation certificate DN must be present.", new Object[0]);
        String str = "Authenticator Attestation";
        ExceptionUtil.assure(getDnField("OU", x509Certificate).filter(str::equals).isPresent(), "Organization Unit (OU) field of attestation certificate DN must be exactly \"%s\", was: %s", "Authenticator Attestation", getDnField("OU", x509Certificate));
        Optional.ofNullable(x509Certificate.getExtensionValue("1.3.6.1.4.1.45724.1.1.4")).map(bArr -> {
            try {
                return new ByteArray(((DEROctetString) ASN1Primitive.fromByteArray(((DEROctetString) ASN1Primitive.fromByteArray(bArr)).getOctets())).getOctets());
            } catch (IOException e) {
                throw new IllegalArgumentException("Failed to read id-fido-gen-ce-aaguid certificate extension value.");
            }
        }).ifPresent(byteArray2 -> {
            ExceptionUtil.assure(byteArray2.equals(byteArray), "X.509 extension %s (id-fido-gen-ce-aaguid) is present but does not match the authenticator AAGUID.", "1.3.6.1.4.1.45724.1.1.4");
            ExceptionUtil.assure(!x509Certificate.getCriticalExtensionOIDs().contains("1.3.6.1.4.1.45724.1.1.4"), "X.509 extension %s (id-fido-gen-ce-aaguid) must not be marked critical.", "1.3.6.1.4.1.45724.1.1.4");
        });
        ExceptionUtil.assure(x509Certificate.getBasicConstraints() == -1, "Attestation certificate must not be a CA certificate.", new Object[0]);
        return true;
    }
}
