package io.vertx.ext.auth.webauthn.impl;

import com.fasterxml.jackson.core.JsonParser;
import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.impl.logging.Logger;
import io.vertx.core.impl.logging.LoggerFactory;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.PRNG;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.authentication.CredentialValidationException;
import io.vertx.ext.auth.authentication.Credentials;
import io.vertx.ext.auth.impl.UserImpl;
import io.vertx.ext.auth.webauthn.CredentialStore;
import io.vertx.ext.auth.webauthn.WebAuthn;
import io.vertx.ext.auth.webauthn.WebAuthnCredentials;
import io.vertx.ext.auth.webauthn.WebAuthnOptions;
import io.vertx.ext.auth.webauthn.impl.attestation.ASN1;
import io.vertx.ext.auth.webauthn.impl.attestation.Attestation;
import io.vertx.ext.auth.webauthn.impl.attestation.AttestationException;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.ServiceLoader;

/* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/WebAuthnImpl.class */
public class WebAuthnImpl implements WebAuthn {
    private static final Logger LOG = LoggerFactory.getLogger(WebAuthnImpl.class);
    private final MessageDigest sha256;
    private final PRNG random;
    private final WebAuthnOptions options;
    private final CredentialStore store;
    private final Base64.Encoder b64enc = Base64.getUrlEncoder().withoutPadding();
    private final Base64.Decoder b64dec = Base64.getUrlDecoder();
    private final Map<String, Attestation> attestations = new HashMap();

    public WebAuthnImpl(Vertx vertx, WebAuthnOptions webAuthnOptions, CredentialStore credentialStore) {
        this.random = new PRNG(vertx);
        this.options = webAuthnOptions;
        this.store = credentialStore;
        if (webAuthnOptions == null || credentialStore == null) {
            throw new IllegalArgumentException("options and store cannot be null!");
        }
        Iterator it = ServiceLoader.load(Attestation.class).iterator();
        while (it.hasNext()) {
            Attestation attestation = (Attestation) it.next();
            this.attestations.put(attestation.fmt(), attestation);
        }
        try {
            this.sha256 = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is not available", e);
        }
    }

    private String randomBase64URLBuffer(int i) {
        byte[] bArr = new byte[i];
        this.random.nextBytes(bArr);
        return this.b64enc.encodeToString(bArr);
    }

    @Override // io.vertx.ext.auth.webauthn.WebAuthn
    public WebAuthn createCredentialsOptions(JsonObject jsonObject, Handler<AsyncResult<JsonObject>> handler) {
        this.store.getUserCredentialsByName(jsonObject.getString("name"), asyncResult -> {
            JsonObject jsonObject2;
            if (asyncResult.failed()) {
                handler.handle(Future.failedFuture(asyncResult.cause()));
                return;
            }
            List list = (List) asyncResult.result();
            if (list != null && list.size() != 0) {
                handler.handle(Future.failedFuture("User exists!"));
                return;
            }
            String generateId = this.store.generateId();
            JsonArray jsonArray = new JsonArray();
            for (String str : this.options.getPubKeyCredParams()) {
                boolean z = -1;
                switch (str.hashCode()) {
                    case 81424:
                        if (str.equals("RS1")) {
                            z = 6;
                        }
                        switch (z) {
                            case ASN1.ANY /* 0 */:
                                jsonArray.add(new JsonObject().put("type", "public-key").put("alg", -7));
                                break;
                            case true:
                                jsonArray.add(new JsonObject().put("type", "public-key").put("alg", -35));
                                break;
                            case ASN1.INTEGER /* 2 */:
                                jsonArray.add(new JsonObject().put("type", "public-key").put("alg", -36));
                                break;
                            case ASN1.BIT_STRING /* 3 */:
                                jsonArray.add(new JsonObject().put("type", "public-key").put("alg", -257));
                                break;
                            case true:
                                jsonArray.add(new JsonObject().put("type", "public-key").put("alg", -258));
                                break;
                            case ASN1.NULL /* 5 */:
                                jsonArray.add(new JsonObject().put("type", "public-key").put("alg", -259));
                                break;
                            case ASN1.OBJECT_IDENTIFIER /* 6 */:
                                jsonArray.add(new JsonObject().put("type", "public-key").put("alg", -65535));
                                break;
                            default:
                                LOG.warn("Unsupported algorithm: " + str);
                                break;
                        }
                    case 66245349:
                        if (str.equals("ES256")) {
                            z = false;
                        }
                        switch (z) {
                        }
                        break;
                    case 66246401:
                        if (str.equals("ES384")) {
                            z = true;
                        }
                        switch (z) {
                        }
                        break;
                    case 66248104:
                        if (str.equals("ES512")) {
                            z = 2;
                        }
                        switch (z) {
                        }
                        break;
                    case 78251122:
                        if (str.equals("RS256")) {
                            z = 3;
                        }
                        switch (z) {
                        }
                        break;
                    case 78252174:
                        if (str.equals("RS384")) {
                            z = 4;
                        }
                        switch (z) {
                        }
                        break;
                    case 78253877:
                        if (str.equals("RS512")) {
                            z = 5;
                        }
                        switch (z) {
                        }
                        break;
                    default:
                        switch (z) {
                        }
                        break;
                }
            }
            JsonObject put = new JsonObject().put("id", generateId).put("name", jsonObject.getString("name")).put("displayName", jsonObject.getString("displayName"));
            if (jsonObject.getString("icon") != null) {
                put.put("icon", jsonObject.getString("icon"));
            }
            if (this.options.getAuthenticatorAttachment() == null) {
                String string = jsonObject.getString("type");
                boolean z2 = -1;
                switch (string.hashCode()) {
                    case 77831008:
                        if (string.equals("cross-platform")) {
                            z2 = false;
                            break;
                        }
                        break;
                    case 1874684019:
                        if (string.equals("platform")) {
                            z2 = true;
                            break;
                        }
                        break;
                }
                switch (z2) {
                    case ASN1.ANY /* 0 */:
                    case true:
                        jsonObject2 = new JsonObject().put("authenticatorAttachment", jsonObject.getString("type"));
                        if (this.options.getRequireResidentKey() != null) {
                            jsonObject2.put("requireResidentKey", this.options.getRequireResidentKey());
                        }
                        if (this.options.getUserVerification() != null) {
                            jsonObject2.put("userVerification", this.options.getUserVerification().toString());
                            break;
                        }
                        break;
                    default:
                        jsonObject2 = null;
                        break;
                }
            } else {
                jsonObject2 = this.options.getAuthenticatorSelection();
            }
            JsonObject put2 = new JsonObject().put("challenge", randomBase64URLBuffer(this.options.getChallengeLength())).put("rp", this.options.getRelayParty().toJson()).put("user", put).put("pubKeyCredParams", jsonArray);
            if (jsonObject2 != null) {
                put2.put("authenticatorSelection", jsonObject2);
            }
            if (this.options.getAttestation() != null) {
                put2.put("attestation", this.options.getAttestation().toString());
            }
            if (this.options.getTimeout() > 0) {
                put2.put("timeout", Integer.valueOf(this.options.getTimeout()));
            }
            handler.handle(Future.succeededFuture(put2));
        });
        return this;
    }

    @Override // io.vertx.ext.auth.webauthn.WebAuthn
    public WebAuthn getCredentialsOptions(String str, Handler<AsyncResult<JsonObject>> handler) {
        if (this.options.getRequireResidentKey() != null && this.options.getRequireResidentKey().booleanValue() && str == null) {
            handler.handle(Future.succeededFuture(new JsonObject().put("challenge", randomBase64URLBuffer(this.options.getChallengeLength()))));
            return this;
        }
        this.store.getUserCredentialsByName(str, asyncResult -> {
            if (asyncResult.failed()) {
                handler.handle(Future.failedFuture(asyncResult.cause()));
                return;
            }
            List list = (List) asyncResult.result();
            if (list == null) {
                handler.handle(Future.failedFuture("Invalid username/account disabled."));
                return;
            }
            JsonArray jsonArray = new JsonArray();
            JsonArray jsonArray2 = new JsonArray();
            Iterator<String> it = this.options.getTransports().iterator();
            while (it.hasNext()) {
                jsonArray2.add(it.next());
            }
            Iterator it2 = list.iterator();
            while (it2.hasNext()) {
                String string = ((JsonObject) it2.next()).getString("credID");
                if (string != null) {
                    jsonArray.add(new JsonObject().put("type", "public-key").put("id", string).put("transports", jsonArray2));
                }
            }
            handler.handle(Future.succeededFuture(new JsonObject().put("challenge", randomBase64URLBuffer(this.options.getChallengeLength())).put("allowCredentials", jsonArray)));
        });
        return this;
    }

    public void authenticate(JsonObject jsonObject, Handler<AsyncResult<User>> handler) {
        authenticate(new WebAuthnCredentials(jsonObject), handler);
    }

    public void authenticate(Credentials credentials, Handler<AsyncResult<User>> handler) {
        try {
            WebAuthnCredentials webAuthnCredentials = (WebAuthnCredentials) credentials;
            webAuthnCredentials.checkValid(null);
            JsonObject webauthn = webAuthnCredentials.getWebauthn();
            byte[] decode = this.b64dec.decode(webauthn.getJsonObject("response").getString("clientDataJSON"));
            JsonObject jsonObject = new JsonObject(Buffer.buffer(decode));
            if (!jsonObject.getString("challenge").equals(webAuthnCredentials.getChallenge())) {
                handler.handle(Future.failedFuture("Challenges don't match!"));
                return;
            }
            if (!jsonObject.getString("origin").equals(this.options.getOrigin())) {
                handler.handle(Future.failedFuture("Origins don't match!"));
                return;
            }
            String username = webAuthnCredentials.getUsername();
            String string = jsonObject.getString("type");
            boolean z = -1;
            switch (string.hashCode()) {
                case -417943176:
                    if (string.equals("webauthn.create")) {
                        z = false;
                        break;
                    }
                    break;
                case 766685274:
                    if (string.equals("webauthn.get")) {
                        z = true;
                        break;
                    }
                    break;
            }
            switch (z) {
                case ASN1.ANY /* 0 */:
                    if (username == null) {
                        handler.handle(Future.failedFuture("username can't be null!"));
                        return;
                    }
                    try {
                        JsonObject verifyWebAuthNCreate = verifyWebAuthNCreate(webauthn, decode, jsonObject);
                        JsonObject put = new JsonObject().put("credID", verifyWebAuthNCreate.getString("credID")).put("publicKey", verifyWebAuthNCreate.getString("publicKey")).put("counter", verifyWebAuthNCreate.getLong("counter", 0L));
                        this.store.updateUserCredential(verifyWebAuthNCreate.getString("credID"), new JsonObject().mergeIn(put).put("username", username), true, asyncResult -> {
                            if (asyncResult.failed()) {
                                handler.handle(Future.failedFuture(asyncResult.cause()));
                            } else {
                                handler.handle(Future.succeededFuture(new UserImpl(put)));
                            }
                        });
                        return;
                    } catch (IOException | RuntimeException e) {
                        handler.handle(Future.failedFuture(e));
                        return;
                    }
                case true:
                    Handler<AsyncResult<List<JsonObject>>> handler2 = asyncResult2 -> {
                        if (asyncResult2.failed()) {
                            handler.handle(Future.failedFuture(asyncResult2.cause()));
                            return;
                        }
                        List list = (List) asyncResult2.result();
                        if (list == null) {
                            list = Collections.emptyList();
                        }
                        Optional findFirst = list.stream().filter(jsonObject2 -> {
                            return webauthn.getString("id").equals(jsonObject2.getValue("credID"));
                        }).findFirst();
                        if (!findFirst.isPresent()) {
                            handler.handle(Future.failedFuture("Cannot find an authenticator with id: " + webauthn.getString("rawId")));
                            return;
                        }
                        try {
                            JsonObject jsonObject3 = (JsonObject) findFirst.get();
                            jsonObject3.put("counter", Long.valueOf(verifyWebAuthNGet(webauthn, decode, jsonObject, jsonObject3)));
                            this.store.updateUserCredential(webauthn.getString("rawId"), jsonObject3, false, asyncResult2 -> {
                                if (asyncResult2.failed()) {
                                    handler.handle(Future.failedFuture(asyncResult2.cause()));
                                } else {
                                    handler.handle(Future.succeededFuture(new UserImpl(jsonObject3)));
                                }
                            });
                        } catch (IOException | RuntimeException e2) {
                            handler.handle(Future.failedFuture(e2));
                        }
                    };
                    if (this.options.getRequireResidentKey() != null && this.options.getRequireResidentKey().booleanValue()) {
                        this.store.getUserCredentialsById(webauthn.getString("rawId"), handler2);
                        return;
                    } else if (username == null) {
                        handler.handle(Future.failedFuture("username can't be null!"));
                        return;
                    } else {
                        this.store.getUserCredentialsByName(username, handler2);
                        return;
                    }
                default:
                    handler.handle(Future.failedFuture("Can not determine type of response!"));
                    return;
            }
        } catch (ClassCastException | CredentialValidationException e2) {
            handler.handle(Future.failedFuture(e2));
        }
    }

    private JsonObject verifyWebAuthNCreate(JsonObject jsonObject, byte[] bArr, JsonObject jsonObject2) throws AttestationException, IOException {
        JsonParser cborParser = CBOR.cborParser(jsonObject.getJsonObject("response").getString("attestationObject"));
        Throwable th = null;
        try {
            JsonObject jsonObject3 = new JsonObject((Map) CBOR.parse(cborParser));
            AuthenticatorData authenticatorData = new AuthenticatorData(jsonObject3.getString("authData"));
            byte[] credentialPublicKey = authenticatorData.getCredentialPublicKey();
            String string = jsonObject3.getString("fmt");
            Attestation attestation = this.attestations.get(string);
            if (attestation == null) {
                throw new AttestationException("Unknown attestation fmt: " + string);
            }
            attestation.verify(jsonObject, bArr, jsonObject3, authenticatorData);
            JsonObject put = new JsonObject().put("fmt", string).put("publicKey", this.b64enc.encodeToString(credentialPublicKey)).put("counter", Long.valueOf(authenticatorData.getSignCounter())).put("credID", this.b64enc.encodeToString(authenticatorData.getCredentialId()));
            if (cborParser != null) {
                if (0 != 0) {
                    try {
                        cborParser.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    cborParser.close();
                }
            }
            return put;
        } catch (Throwable th3) {
            if (cborParser != null) {
                if (0 != 0) {
                    try {
                        cborParser.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    cborParser.close();
                }
            }
            throw th3;
        }
    }

    private long verifyWebAuthNGet(JsonObject jsonObject, byte[] bArr, JsonObject jsonObject2, JsonObject jsonObject3) throws IOException, AttestationException {
        JsonObject jsonObject4 = jsonObject.getJsonObject("response");
        byte[] decode = this.b64dec.decode(jsonObject4.getString("authenticatorData"));
        AuthenticatorData authenticatorData = new AuthenticatorData(decode);
        if (!authenticatorData.is(1)) {
            throw new RuntimeException("User was NOT present durring authentication!");
        }
        Buffer appendBytes = Buffer.buffer().appendBytes(decode).appendBytes(hash(bArr));
        JsonParser cborParser = CBOR.cborParser(jsonObject3.getString("publicKey"));
        Throwable th = null;
        try {
            if (!COSE.toJWK((Map) CBOR.parse(cborParser)).verify(this.b64dec.decode(jsonObject4.getString("signature")), appendBytes.getBytes())) {
                throw new AttestationException("Failed to verify the signature!");
            }
            if (authenticatorData.getSignCounter() <= jsonObject3.getLong("counter").longValue()) {
                throw new AttestationException("Authr counter did not increase!");
            }
            long signCounter = authenticatorData.getSignCounter();
            if (cborParser != null) {
                if (0 != 0) {
                    try {
                        cborParser.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    cborParser.close();
                }
            }
            return signCounter;
        } catch (Throwable th3) {
            if (cborParser != null) {
                if (0 != 0) {
                    try {
                        cborParser.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    cborParser.close();
                }
            }
            throw th3;
        }
    }

    private byte[] hash(byte[] bArr) {
        byte[] digest;
        synchronized (this.sha256) {
            this.sha256.update(bArr);
            digest = this.sha256.digest();
        }
        return digest;
    }
}
