package io.vertx.ext.auth.webauthn.impl.attestation;

import io.vertx.core.buffer.Buffer;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.impl.CertificateHelper;
import io.vertx.ext.auth.webauthn.impl.AuthenticatorData;
import java.io.ByteArrayInputStream;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;

/* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/attestation/PackedAttestation.class */
public class PackedAttestation implements Attestation {
    private static final Base64.Decoder b64dec = Base64.getUrlDecoder();
    private final MessageDigest sha256;
    private final CertificateFactory x509;
    private final Signature sig;

    public PackedAttestation() {
        try {
            this.sha256 = MessageDigest.getInstance("SHA-256");
            this.x509 = CertificateFactory.getInstance("X.509");
            this.sig = Signature.getInstance("SHA256withECDSA");
        } catch (NoSuchAlgorithmException | CertificateException e) {
            throw new AttestationException(e);
        }
    }

    @Override // io.vertx.ext.auth.webauthn.impl.attestation.Attestation
    public String fmt() {
        return "packed";
    }

    @Override // io.vertx.ext.auth.webauthn.impl.attestation.Attestation
    public void verify(JsonObject jsonObject, byte[] bArr, JsonObject jsonObject2, AuthenticatorData authenticatorData) throws AttestationException {
        boolean verify;
        try {
            byte[] bytes = Buffer.buffer().appendBytes(authenticatorData.getRaw()).appendBytes(hash(bArr)).getBytes();
            JsonObject jsonObject3 = jsonObject2.getJsonObject("attStmt");
            byte[] decode = b64dec.decode(jsonObject3.getString("sig"));
            if (jsonObject3.containsKey("x5c")) {
                JsonArray jsonArray = jsonObject3.getJsonArray("x5c");
                ArrayList arrayList = new ArrayList();
                for (int i = 0; i < jsonArray.size(); i++) {
                    arrayList.add((X509Certificate) this.x509.generateCertificate(new ByteArrayInputStream(b64dec.decode(jsonArray.getString(i)))));
                }
                CertificateHelper.checkValidity(arrayList);
                X509Certificate x509Certificate = (X509Certificate) arrayList.get(0);
                x509Certificate.checkValidity();
                int i2 = 0;
                for (String str : x509Certificate.getSubjectX500Principal().getName("RFC2253").split(",")) {
                    if (str.startsWith("OU=")) {
                        if (!str.equals("OU=Authenticator Attestation")) {
                            throw new AttestationException("Batch certificate OU MUST be set strictly to 'Authenticator Attestation'!");
                        }
                        i2++;
                    } else if (str.startsWith("CN=")) {
                        if (str.equals("CN=")) {
                            throw new AttestationException("Batch certificate CN MUST no be empty!");
                        }
                        i2++;
                    } else if (str.startsWith("O=")) {
                        if (str.equals("O=")) {
                            throw new AttestationException("Batch certificate O MUST no be empty!");
                        }
                        i2++;
                    } else if (!str.startsWith("C=")) {
                        continue;
                    } else {
                        if (str.length() != 4) {
                            throw new AttestationException("Batch certificate C MUST be set to two character ISO 3166 code!");
                        }
                        i2++;
                    }
                }
                if (i2 != 4) {
                    throw new AttestationException("Batch certificate does not contain the required subject info!");
                }
                if (x509Certificate.getBasicConstraints() != -1) {
                    throw new AttestationException("Batch certificate basic constraints CA MUST be false!");
                }
                if (x509Certificate.getVersion() != 3) {
                    throw new AttestationException("Batch certificate version MUST be 3(ASN1 2)!");
                }
                verify = verifySignature(decode, bytes, x509Certificate);
            } else {
                if (jsonObject3.containsKey("ecdaaKeyId")) {
                    throw new AttestationException("ECDAA IS NOT SUPPORTED YET!");
                }
                verify = authenticatorData.getCredentialJWK().verify(decode, bytes);
            }
            if (!verify) {
                throw new AttestationException("Failed to verify the signature!");
            }
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            throw new AttestationException(e);
        }
    }

    private byte[] hash(byte[] bArr) {
        byte[] digest;
        synchronized (this.sha256) {
            this.sha256.update(bArr);
            digest = this.sha256.digest();
        }
        return digest;
    }

    private boolean verifySignature(byte[] bArr, byte[] bArr2, X509Certificate x509Certificate) throws InvalidKeyException, SignatureException {
        boolean verify;
        synchronized (this.sig) {
            this.sig.initVerify(x509Certificate);
            this.sig.update(bArr2);
            verify = this.sig.verify(bArr);
        }
        return verify;
    }
}
