package io.vertx.ext.auth.webauthn.impl.attestation;

import io.vertx.core.buffer.Buffer;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.impl.CertificateHelper;
import io.vertx.ext.auth.webauthn.PublicKeyCredential;
import io.vertx.ext.auth.webauthn.WebAuthnOptions;
import io.vertx.ext.auth.webauthn.impl.ASN1;
import io.vertx.ext.auth.webauthn.impl.AuthData;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaData;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaDataException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;

/* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/attestation/AppleAttestation.class */
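/**
 * Verifier for the WebAuthn {@code "apple"} attestation statement format.
 *
 * <p>The attestation statement carries an {@code x5c} certificate chain. The leaf certificate is
 * expected to hold a nonce inside the {@code 1.2.840.113635.100.8.2} extension, which this class
 * compares with {@code SHA-256(authData || SHA-256(bArr))}, and its public key must equal the
 * credential public key found in the authenticator data.
 */
public class AppleAttestation implements Attestation {

    /** OID of the certificate extension that carries the attestation nonce. */
    private static final String NONCE_EXTENSION_OID = "1.2.840.113635.100.8.2";

    /** Tag value the code expects for the outer extension wrapper (ASN.1 OCTET STRING). */
    private static final int ASN1_OCTET_STRING = 4;

    /** Tag value the code expects for the wrapped extension content (ASN.1 SEQUENCE, 0x30). */
    private static final int ASN1_SEQUENCE = 48;

    /**
     * Returns the attestation format identifier handled by this verifier.
     *
     * @return the literal {@code "apple"}
     */
    @Override
    public String fmt() {
        return "apple";
    }

    /**
     * Validates an {@code "apple"} attestation statement.
     *
     * <p>All inputs except {@code webAuthnOptions} and {@code metaData} originate from the
     * authenticator/client and must be treated as untrusted. Every failed check raises an
     * {@link AttestationException}; nothing is returned on success.
     *
     * @param webAuthnOptions supplies the root certificate registered for {@link #fmt()} and the
     *     root CRLs used during chain validation
     * @param metaData metadata service used for the final AAGUID / algorithm / chain check
     * @param bArr bytes that are hashed with SHA-256 before being appended to the authenticator
     *     data (presumably the raw client data JSON; confirm against the caller)
     * @param jsonObject attestation object; must contain an {@code attStmt} object with {@code x5c}
     * @param authData parsed authenticator data (raw bytes, credential key, AAGUID)
     * @throws AttestationException if the statement is missing, malformed or fails any check
     */
    @Override
    public void validate(WebAuthnOptions webAuthnOptions, MetaData metaData, byte[] bArr, JsonObject jsonObject, AuthData authData) throws AttestationException {
        try {
            byte[] clientDataHash = Attestation.hash("SHA-256", bArr);

            // attStmt comes from the client: a missing object must be rejected as an attestation
            // failure instead of surfacing as a NullPointerException.
            JsonObject attStmt = jsonObject.getJsonObject("attStmt");
            if (attStmt == null) {
                throw new AttestationException("No attestation statement");
            }
            if (!attStmt.containsKey("x5c")) {
                throw new AttestationException("No attestation x5c");
            }

            List<X509Certificate> certChain = Attestation.parseX5c(attStmt.getJsonArray("x5c"));
            if (certChain.isEmpty()) {
                throw new AttestationException("no certificates in x5c field");
            }

            // The configured root for this format is appended as the last element, so the chain
            // supplied by the client has to validate up to it.
            // NOTE(review): getRootCertificate may return null when no root is configured for
            // "apple"; how checkValidity treats a null entry is not visible here, confirm.
            certChain.add(webAuthnOptions.getRootCertificate(fmt()));
            // NOTE(review): the meaning of the boolean argument is defined by CertificateHelper.
            CertificateHelper.checkValidity(certChain, true, webAuthnOptions.getRootCrls());

            // Expected nonce: SHA-256(authenticatorData || clientDataHash).
            byte[] expectedNonce = Attestation.hash(
                "SHA-256",
                Buffer.buffer().appendBytes(authData.getRaw()).appendBytes(clientDataHash).getBytes());

            X509Certificate credCert = certChain.get(0);

            // getExtensionValue returns null when the certificate does not carry the extension;
            // fail explicitly instead of handing null to the ASN.1 parser.
            byte[] extensionValue = credCert.getExtensionValue(NONCE_EXTENSION_OID);
            if (extensionValue == null) {
                throw new AttestationException("Certificate is missing the " + NONCE_EXTENSION_OID + " extension");
            }

            ASN1.ASN wrapper = ASN1.parseASN1(extensionValue);
            if (wrapper.tag.type != ASN1_OCTET_STRING) {
                throw new AttestationException("1.2.840.113635.100.8.2 Extension is not an ASN.1 OCTET string!");
            }
            ASN1.ASN sequence = ASN1.parseASN1(wrapper.binary(0));
            if (sequence.tag.type != ASN1_SEQUENCE) {
                throw new AttestationException("1.2.840.113635.100.8.2 Extension is not an ASN.1 SEQUENCE!");
            }

            // NOTE(review): the nested navigation below assumes the structure
            // SEQUENCE -> [0] -> [0] -> bytes; what the ASN1 helper throws for a certificate whose
            // extension has a different shape is not visible here, confirm it fails closed.
            byte[] certNonce = sequence.object(0).object(0).binary(0);
            // MessageDigest.isEqual is used for the nonce comparison rather than Arrays.equals.
            if (!MessageDigest.isEqual(expectedNonce, certNonce)) {
                throw new AttestationException("Certificate 1.2.840.113635.100.8.2 extension does not match nonce");
            }

            // The attested certificate must certify exactly the key being registered.
            if (!credCert.getPublicKey().equals(authData.getCredentialJWK().getPublicKey())) {
                throw new AttestationException("credCert public key does not equal authData public key");
            }

            // getInteger yields null both for an absent key and for an explicit JSON null, which
            // avoids unboxing a null "alg" value.
            Integer alg = attStmt.getInteger("alg");
            metaData.verifyMetadata(
                authData.getAaguidString(),
                alg != null ? PublicKeyCredential.valueOf(alg.intValue()) : null,
                certChain);
        } catch (MetaDataException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            // Preserve the cause so the failing validation step can be diagnosed.
            throw new AttestationException(e);
        }
    }
}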
