package io.vertx.ext.auth.webauthn.impl.attestation;

import com.fasterxml.jackson.core.JsonParser;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.webauthn.impl.AuthenticatorData;
import io.vertx.ext.auth.webauthn.impl.CBOR;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Map;

/* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/attestation/FidoU2fAttestation.class */
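/**
 * Verifies WebAuthn attestation statements in the {@code fido-u2f} format.
 *
 * <p>The check performed here is limited to: the User Present flag, the validity period of the
 * single attestation certificate, and the ECDSA/SHA-256 signature over the U2F registration
 * data. The certificate is <em>not</em> chained to a trust anchor, checked for revocation, or
 * checked for the curve of its key in this class.
 * NOTE(review): confirm that the caller (or a metadata service) establishes trust in the
 * attestation certificate; without that, a successful result only shows that the statement is
 * self-consistent, not that it comes from a genuine authenticator model.
 *
 * <p>Thread-safety: the shared {@link MessageDigest} and {@link Signature} instances are only
 * used inside {@code synchronized} blocks on the respective object.
 */
public class FidoU2fAttestation implements Attestation {
    /** Length in bytes required for each of the COSE "-2" (x) and "-3" (y) coordinates. */
    private static final int COORDINATE_LENGTH = 32;

    private static final Base64.Decoder b64dec = Base64.getUrlDecoder();
    private final MessageDigest sha256;
    private final CertificateFactory x509;
    private final Signature sig;

    /**
     * Creates the verifier and eagerly resolves the JCA primitives it needs.
     *
     * @throws AttestationException if SHA-256, X.509 or SHA256withECDSA is unavailable
     */
    public FidoU2fAttestation() {
        try {
            this.sha256 = MessageDigest.getInstance("SHA-256");
            this.x509 = CertificateFactory.getInstance("X.509");
            this.sig = Signature.getInstance("SHA256withECDSA");
        } catch (NoSuchAlgorithmException | CertificateException e) {
            throw new AttestationException(e);
        }
    }

    /** Returns the attestation statement format identifier handled by this class. */
    @Override
    public String fmt() {
        return "fido-u2f";
    }

    /**
     * Verifies a {@code fido-u2f} attestation statement.
     *
     * @param jsonObject not read by this implementation
     * @param bArr bytes whose SHA-256 hash is placed in the signed data (presumably the raw
     *     client data JSON; confirm against the caller)
     * @param jsonObject2 attestation object; must contain {@code attStmt} with {@code sig}
     *     and a one-element {@code x5c} array, both base64url encoded
     * @param authenticatorData parsed authenticator data supplying flags, RP ID hash,
     *     credential id and the COSE credential public key
     * @throws AttestationException if the statement is malformed, the certificate is outside
     *     its validity period, or the signature does not verify
     */
    @Override
    public void verify(JsonObject jsonObject, byte[] bArr, JsonObject jsonObject2, AuthenticatorData authenticatorData) {
        try {
            // Flag value 1 is tested as "user present" (see the error message below).
            if (!authenticatorData.is(1)) {
                throw new AttestationException("User was NOT present during authentication!");
            }

            // U2F registration data: 0x00 || rpIdHash || clientDataHash || credentialId || publicKey
            byte[] clientDataHash = hash(bArr);
            Buffer signedData = Buffer.buffer()
                .appendByte((byte) 0)
                .appendBytes(authenticatorData.getRpIdHash())
                .appendBytes(clientDataHash)
                .appendBytes(authenticatorData.getCredentialId())
                .appendBytes(COSEECDHAtoPKCS(authenticatorData.getCredentialPublicKey()));

            // Everything under attStmt is attacker-controlled: fail with AttestationException
            // instead of letting a missing field surface as a NullPointerException.
            JsonObject attStmt = jsonObject2.getJsonObject("attStmt");
            if (attStmt == null) {
                throw new AttestationException("Missing attStmt");
            }
            // WebAuthn requires exactly one certificate in x5c for fido-u2f; entries after
            // the first were previously ignored without notice.
            if (attStmt.getJsonArray("x5c") == null || attStmt.getJsonArray("x5c").size() != 1) {
                throw new AttestationException("attStmt.x5c must contain exactly one certificate");
            }

            byte[] certificateBytes = decodeBase64Url(attStmt.getJsonArray("x5c").getString(0), "attStmt.x5c[0]");
            X509Certificate attestationCert =
                (X509Certificate) this.x509.generateCertificate(new ByteArrayInputStream(certificateBytes));
            // Checks notBefore/notAfter only; no chain or revocation validation happens here.
            attestationCert.checkValidity();

            byte[] signature = decodeBase64Url(attStmt.getString("sig"), "attStmt.sig");
            if (!verifySignature(signature, signedData.getBytes(), attestationCert)) {
                throw new AttestationException("Failed to verify signature");
            }
        } catch (IOException | InvalidKeyException | SignatureException | CertificateException e) {
            throw new AttestationException(e);
        }
    }

    /** Returns the SHA-256 digest of {@code bArr}, serialising access to the shared digest. */
    private byte[] hash(byte[] bArr) {
        synchronized (this.sha256) {
            return this.sha256.digest(bArr);
        }
    }

    /**
     * Checks {@code signature} over {@code data} with the public key of {@code certificate},
     * serialising access to the shared {@link Signature} instance.
     */
    private boolean verifySignature(byte[] signature, byte[] data, X509Certificate certificate) throws InvalidKeyException, SignatureException {
        synchronized (this.sig) {
            this.sig.initVerify(certificate);
            this.sig.update(data);
            return this.sig.verify(signature);
        }
    }

    /**
     * Decodes a base64url value taken from untrusted input.
     *
     * @throws AttestationException if the value is absent or not valid base64url
     */
    private static byte[] decodeBase64Url(String encoded, String fieldName) {
        if (encoded == null) {
            throw new AttestationException("Missing " + fieldName);
        }
        try {
            return b64dec.decode(encoded);
        } catch (IllegalArgumentException e) {
            throw new AttestationException(e);
        }
    }

    /**
     * Reads one base64url-encoded coordinate from the parsed COSE key and enforces the
     * 32-byte size that the fido-u2f verification procedure requires.
     */
    private static byte[] coordinate(Map<?, ?> coseKey, String label) {
        Object encoded = coseKey.get(label);
        if (!(encoded instanceof String)) {
            throw new AttestationException("Credential public key is missing COSE parameter " + label);
        }
        byte[] value = decodeBase64Url((String) encoded, "COSE parameter " + label);
        if (value.length != COORDINATE_LENGTH) {
            throw new AttestationException(
                "COSE parameter " + label + " must be " + COORDINATE_LENGTH + " bytes, got " + value.length);
        }
        return value;
    }

    /**
     * Converts a CBOR-encoded COSE EC public key into the uncompressed point encoding
     * {@code 0x04 || x || y}.
     *
     * @throws IOException if the CBOR input cannot be parsed
     * @throws AttestationException if the key is not a map or a coordinate is missing,
     *     malformed or not 32 bytes long
     */
    private static byte[] COSEECDHAtoPKCS(byte[] bArr) throws IOException {
        // try-with-resources closes the parser on every path and keeps a close() failure
        // from masking the primary exception.
        try (JsonParser parser = CBOR.cborParser(bArr)) {
            Object decoded = CBOR.parse(parser);
            if (!(decoded instanceof Map)) {
                throw new AttestationException("Credential public key is not a COSE map");
            }
            Map<?, ?> coseKey = (Map<?, ?>) decoded;
            byte[] x = coordinate(coseKey, "-2");
            byte[] y = coordinate(coseKey, "-3");
            return Buffer.buffer().appendByte((byte) 4).appendBytes(x).appendBytes(y).getBytes();
        }
    }
}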
