package com.webauthn4j.validator;

import com.webauthn4j.authenticator.Authenticator;
import com.webauthn4j.data.AuthenticationData;
import com.webauthn4j.data.AuthenticationParameters;
import com.webauthn4j.data.attestation.authenticator.AuthenticatorData;
import com.webauthn4j.data.client.ClientDataType;
import com.webauthn4j.data.client.CollectedClientData;
import com.webauthn4j.data.extension.authenticator.AuthenticationExtensionAuthenticatorOutput;
import com.webauthn4j.data.extension.client.AuthenticationExtensionClientOutput;
import com.webauthn4j.data.extension.client.AuthenticationExtensionsClientOutputs;
import com.webauthn4j.server.ServerProperty;
import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.validator.exception.ConstraintViolationException;
import com.webauthn4j.validator.exception.InconsistentClientDataTypeException;
import com.webauthn4j.validator.exception.UserNotPresentException;
import com.webauthn4j.validator.exception.UserNotVerifiedException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;

/* loaded from: input_file:com/webauthn4j/validator/AuthenticationDataValidator.class */
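/**
 * Validates a WebAuthn authentication (assertion) response against the server-side
 * expectations held in {@link AuthenticationParameters}.
 *
 * <p>The built-in checks run in a fixed order (see {@link #validate}); caller-supplied
 * {@link CustomAuthenticationValidator}s run last, after the signature and the signature
 * counter have been processed.
 */
public class AuthenticationDataValidator {
    private final ChallengeValidator challengeValidator;
    private final OriginValidator originValidator;
    private final TokenBindingValidator tokenBindingValidator;
    private final RpIdHashValidator rpIdHashValidator;
    private final AssertionSignatureValidator assertionSignatureValidator;
    private final ExtensionValidator extensionValidator;
    // Held by reference: the list passed to the constructor and the list returned by
    // getCustomAuthenticationValidators() are this same object.
    private final List<CustomAuthenticationValidator> customAuthenticationValidators;
    private MaliciousCounterValueHandler maliciousCounterValueHandler;

    /**
     * Creates a validator that runs the given custom validators after the built-in checks.
     *
     * @param list custom validators to run at the end of {@link #validate}; must not be
     *             {@code null}. The list is stored by reference, not copied.
     */
    public AuthenticationDataValidator(List<CustomAuthenticationValidator> list) {
        // Fail at construction time. A null list would otherwise only surface as a
        // NullPointerException at the very end of validate(), after the signature has been
        // verified and the authenticator's counter may already have been advanced.
        AssertUtil.notNull(list, "customAuthenticationValidators must not be null");
        this.challengeValidator = new ChallengeValidator();
        this.originValidator = new OriginValidator();
        this.tokenBindingValidator = new TokenBindingValidator();
        this.rpIdHashValidator = new RpIdHashValidator();
        this.assertionSignatureValidator = new AssertionSignatureValidator();
        this.extensionValidator = new ExtensionValidator();
        this.maliciousCounterValueHandler = new DefaultMaliciousCounterValueHandler();
        this.customAuthenticationValidators = list;
    }

    /** Creates a validator with no custom validators registered. */
    public AuthenticationDataValidator() {
        this(new ArrayList<>());
    }

    /**
     * Runs every authentication check and returns normally only if all of them pass.
     *
     * <p>Order of checks: bean-level validation of the inputs, rejection of attested
     * credential data, client data type, challenge, origin, token binding, RP ID hash,
     * UP/UV flags, extensions, assertion signature, signature counter, custom validators.
     *
     * <p>Security-relevant points for callers:
     * <ul>
     *   <li>The UP and UV flags are enforced only when the corresponding
     *       {@code is...Required()} parameter is {@code true}. A deployment that relies on
     *       user verification must set that parameter; otherwise an assertion without UV
     *       is accepted.</li>
     *   <li>On a strictly increasing signature counter this method calls
     *       {@code authenticator.setCounter(signCount)} on the object supplied in the
     *       parameters. Nothing here persists that value, so storing it is presumably the
     *       caller's job. Because custom validators run after the update, persist it only
     *       once this method has returned normally.</li>
     *   <li>A non-increasing counter is delegated to the configured
     *       {@link MaliciousCounterValueHandler}. If that handler returns without throwing,
     *       validation continues and the assertion can still be accepted.</li>
     * </ul>
     *
     * @param authenticationData       the parsed assertion received from the client
     * @param authenticationParameters server property, stored authenticator and policy flags
     * @throws InconsistentClientDataTypeException if the client data type is not {@code GET}
     * @throws UserNotPresentException             if UP is required but the UP flag is unset
     * @throws UserNotVerifiedException            if UV is required but the UV flag is unset
     * @throws ConstraintViolationException        if attested credential data is present
     */
    public void validate(AuthenticationData authenticationData, AuthenticationParameters authenticationParameters) {
        BeanAssertUtil.validate(authenticationData);
        BeanAssertUtil.validate(authenticationParameters);
        byte[] collectedClientDataBytes = authenticationData.getCollectedClientDataBytes();
        byte[] authenticatorDataBytes = authenticationData.getAuthenticatorDataBytes();
        CollectedClientData collectedClientData = authenticationData.getCollectedClientData();
        AuthenticatorData<AuthenticationExtensionAuthenticatorOutput> authenticatorData = authenticationData.getAuthenticatorData();
        AuthenticationExtensionsClientOutputs<AuthenticationExtensionClientOutput> clientExtensions = authenticationData.getClientExtensions();
        ServerProperty serverProperty = authenticationParameters.getServerProperty();
        BeanAssertUtil.validate(collectedClientData);
        BeanAssertUtil.validate(authenticatorData);
        BeanAssertUtil.validate(serverProperty);
        validateAuthenticatorData(authenticatorData);

        // Snapshot of everything under validation; handed to the counter handler and to
        // the custom validators below.
        byte[] credentialId = authenticationData.getCredentialId();
        Authenticator authenticator = authenticationParameters.getAuthenticator();
        AuthenticationObject authenticationObject = new AuthenticationObject(credentialId, authenticatorData, authenticatorDataBytes, collectedClientData, collectedClientDataBytes, clientExtensions, serverProperty, authenticator);

        // Client data produced for a registration ceremony must not pass as an assertion.
        if (!Objects.equals(collectedClientData.getType(), ClientDataType.GET)) {
            throw new InconsistentClientDataTypeException("ClientData.type must be 'get' on authentication, but it isn't.");
        }

        // Bind the assertion to this server's challenge, origin, token binding and RP ID.
        this.challengeValidator.validate(collectedClientData, serverProperty);
        this.originValidator.validate(collectedClientData, serverProperty);
        this.tokenBindingValidator.validate(collectedClientData.getTokenBinding(), serverProperty.getTokenBindingId());
        this.rpIdHashValidator.validate(authenticatorData.getRpIdHash(), serverProperty);

        // Flags are checked only when policy asks for them (see the method Javadoc).
        if (authenticationParameters.isUserPresenceRequired() && !authenticatorData.isFlagUP()) {
            throw new UserNotPresentException("Validator is configured to check user present, but UP flag in authenticatorData is not set.");
        }
        if (authenticationParameters.isUserVerificationRequired() && !authenticatorData.isFlagUV()) {
            throw new UserNotVerifiedException("Validator is configured to check user verified, but UV flag in authenticatorData is not set.");
        }

        this.extensionValidator.validate(clientExtensions, authenticatorData.getExtensions(), authenticationParameters.getExpectedExtensionIds());

        // The signature is verified with the public key stored for the registered
        // authenticator, never with key material taken from the incoming assertion.
        this.assertionSignatureValidator.validate(authenticationData, authenticator.getAttestedCredentialData().getCOSEKey());

        // Signature counter: skipped when both the received and the stored value are zero.
        // Otherwise the received value must be strictly greater than the stored one; a
        // replayed or rolled-back value may indicate a cloned authenticator.
        long signCount = authenticatorData.getSignCount();
        long counter = authenticator.getCounter();
        if (signCount > 0 || counter > 0) {
            if (signCount > counter) {
                authenticator.setCounter(signCount);
            } else {
                this.maliciousCounterValueHandler.maliciousCounterValueDetected(authenticationObject);
            }
        }

        for (CustomAuthenticationValidator customValidator : this.customAuthenticationValidators) {
            customValidator.validate(authenticationObject);
        }
    }

    /**
     * Rejects authenticator data that carries attested credential data, which this
     * validator requires to be absent on authentication.
     *
     * @param authenticatorData authenticator data taken from the assertion
     * @throws ConstraintViolationException if attested credential data is present
     */
    void validateAuthenticatorData(AuthenticatorData<?> authenticatorData) {
        if (authenticatorData.getAttestedCredentialData() != null) {
            throw new ConstraintViolationException("attestedCredentialData must be null on authentication");
        }
    }

    /**
     * Returns the handler invoked when the signature counter does not increase.
     *
     * @return the current handler, never {@code null}
     */
    public MaliciousCounterValueHandler getMaliciousCounterValueHandler() {
        return this.maliciousCounterValueHandler;
    }

    /**
     * Replaces the handler invoked when the signature counter does not increase.
     *
     * <p>A handler that returns normally does not stop {@link #validate}; to reject such
     * assertions the handler has to throw.
     *
     * @param maliciousCounterValueHandler the new handler; must not be {@code null}
     */
    public void setMaliciousCounterValueHandler(MaliciousCounterValueHandler maliciousCounterValueHandler) {
        AssertUtil.notNull(maliciousCounterValueHandler, "maliciousCounterValueHandler must not be null");
        this.maliciousCounterValueHandler = maliciousCounterValueHandler;
    }

    /**
     * Returns the live internal list of custom validators; changes made through the
     * returned reference affect subsequent {@link #validate} calls.
     *
     * @return the custom validator list, never {@code null}
     */
    public List<CustomAuthenticationValidator> getCustomAuthenticationValidators() {
        return this.customAuthenticationValidators;
    }
}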
