package io.vertx.ext.auth.webauthn.impl.attestation;

import io.vertx.core.buffer.Buffer;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.impl.CertificateHelper;
import io.vertx.ext.auth.impl.jose.JWT;
import io.vertx.ext.auth.webauthn.impl.AuthenticatorData;
import java.io.ByteArrayInputStream;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/attestation/AndroidSafetynetAttestation.class */
public class AndroidSafetynetAttestation implements Attestation {
    private static final String ANDROID_SAFETYNET_ROOT = "MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPLv4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklqtTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzdC9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pazq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCBmTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IHV2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4GsJ0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavSot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxdAfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==";
    private final MessageDigest sha256;
    private final CertificateFactory x509;
    private final Signature sig;
    private static final Base64.Decoder ub64dec = Base64.getUrlDecoder();
    private static final Base64.Decoder b64dec = Base64.getDecoder();
    private static final X500Principal ATTEST_ANDROID_COM = new X500Principal("CN=attest.android.com, O=Google LLC, L=Mountain View, ST=California, C=US");

    public AndroidSafetynetAttestation() {
        try {
            this.sha256 = MessageDigest.getInstance("SHA-256");
            this.x509 = CertificateFactory.getInstance("X.509");
            this.sig = Signature.getInstance("SHA256withRSA");
        } catch (NoSuchAlgorithmException | CertificateException e) {
            throw new AttestationException(e);
        }
    }

    @Override // io.vertx.ext.auth.webauthn.impl.attestation.Attestation
    public String fmt() {
        return "android-safetynet";
    }

    @Override // io.vertx.ext.auth.webauthn.impl.attestation.Attestation
    public void verify(JsonObject jsonObject, byte[] bArr, JsonObject jsonObject2, AuthenticatorData authenticatorData) throws AttestationException {
        try {
            JsonObject parse = JWT.parse(ub64dec.decode(jsonObject2.getJsonObject("attStmt").getString("response")));
            if (!MessageDigest.isEqual(hash(Buffer.buffer().appendBytes(authenticatorData.getRaw()).appendBytes(hash(bArr)).getBytes()), b64dec.decode(parse.getJsonObject("payload").getString("nonce")))) {
                throw new AttestationException("JWS nonce does not contains expected nonce!");
            }
            if (!parse.getJsonObject("payload").getBoolean("ctsProfileMatch").booleanValue()) {
                throw new AttestationException("JWS ctsProfileMatch is false!");
            }
            JsonArray jsonArray = parse.getJsonObject("header").getJsonArray("x5c");
            if (jsonArray == null || jsonArray.size() == 0) {
                throw new AttestationException("Invalid certificate chain");
            }
            jsonArray.add(ANDROID_SAFETYNET_ROOT);
            ArrayList arrayList = new ArrayList();
            for (int i = 0; i < jsonArray.size(); i++) {
                arrayList.add((X509Certificate) this.x509.generateCertificate(new ByteArrayInputStream(b64dec.decode(jsonArray.getString(i)))));
            }
            if (!ATTEST_ANDROID_COM.equals(((X509Certificate) arrayList.get(0)).getSubjectX500Principal())) {
                throw new AttestationException("The common name is not set to 'attest.android.com'!");
            }
            CertificateHelper.checkValidity(arrayList);
            if (!verifySignature(ub64dec.decode(parse.getString("signature")), parse.getString("signatureBase").getBytes(), (X509Certificate) arrayList.get(0))) {
                throw new AttestationException("Failed to verify the signature!");
            }
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            throw new AttestationException(e);
        }
    }

    private byte[] hash(byte[] bArr) {
        byte[] digest;
        synchronized (this.sha256) {
            this.sha256.update(bArr);
            digest = this.sha256.digest();
        }
        return digest;
    }

    private boolean verifySignature(byte[] bArr, byte[] bArr2, X509Certificate x509Certificate) throws InvalidKeyException, SignatureException {
        boolean verify;
        synchronized (this.sig) {
            this.sig.initVerify(x509Certificate);
            this.sig.update(bArr2);
            verify = this.sig.verify(bArr);
        }
        return verify;
    }
}
