package com.webauthn4j.appattest.verifier.attestation.statement.appleappattest;

import com.webauthn4j.appattest.data.attestation.statement.AppleAppAttestAttestationStatement;
import com.webauthn4j.appattest.verifier.DCRegistrationObject;
import com.webauthn4j.data.attestation.statement.AttestationType;
import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.util.ECUtil;
import com.webauthn4j.util.MessageDigestUtil;
import com.webauthn4j.verifier.CoreRegistrationObject;
import com.webauthn4j.verifier.attestation.statement.AbstractStatementVerifier;
import com.webauthn4j.verifier.exception.BadAttestationStatementException;
import com.webauthn4j.verifier.internal.asn1.ASN1Primitive;
import java.nio.ByteBuffer;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.util.Arrays;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:com/webauthn4j/appattest/verifier/attestation/statement/appleappattest/AppleAppAttestAttestationStatementVerifier.class */
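/**
 * Verifies the attestation statement of an Apple App Attest registration.
 *
 * <p>The checks performed by this class are limited to what is visible below:
 * <ul>
 *   <li>the attestation statement is present and carries a non-empty {@code x5c} certificate path;</li>
 *   <li>the nonce stored in the end-entity certificate extension
 *       {@value #APPLE_CRED_CERT_EXTENSION_OID} equals
 *       {@code SHA-256(authenticatorData || clientDataHash)};</li>
 *   <li>the key identifier supplied with the registration equals the SHA-256 digest of the
 *       end-entity certificate's EC public key in uncompressed form.</li>
 * </ul>
 *
 * <p>NOTE(review): nothing in this class validates the certificate chain against a trust anchor,
 * nor the authenticator data fields. Those checks are presumably done by other verifiers in the
 * registration pipeline; confirm before relying on the {@link AttestationType#BASIC} result alone.
 */
public class AppleAppAttestAttestationStatementVerifier extends AbstractStatementVerifier<AppleAppAttestAttestationStatement> {
    /** OID of the Apple certificate extension from which the attestation nonce is read. */
    public static final String APPLE_CRED_CERT_EXTENSION_OID = "1.2.840.113635.100.8.2";

    /**
     * Runs every attestation statement check and reports the attestation type.
     *
     * @param coreRegistrationObject the registration under verification; must be a {@link DCRegistrationObject}
     * @return {@link AttestationType#BASIC} when all checks pass
     * @throws IllegalArgumentException if the object is not a {@link DCRegistrationObject} or its format is unsupported
     * @throws BadAttestationStatementException if any attestation statement check fails
     */
    public AttestationType verify(@NotNull CoreRegistrationObject coreRegistrationObject) {
        AssertUtil.notNull(coreRegistrationObject, "registrationObject must not be null");
        if (!(coreRegistrationObject instanceof DCRegistrationObject)) {
            throw new IllegalArgumentException("registrationObject must be an instance of DCRegistrationObject.");
        }
        if (!supports(coreRegistrationObject)) {
            throw new IllegalArgumentException(String.format("Specified format '%s' is not supported by %s.", coreRegistrationObject.getAttestationObject().getFormat(), getClass().getName()));
        }
        AppleAppAttestAttestationStatement statement = (AppleAppAttestAttestationStatement) coreRegistrationObject.getAttestationObject().getAttestationStatement();
        // Order matters: the nonce and key checks dereference the certificate path,
        // so presence of the statement and of x5c is established first.
        validateAttestationStatementNotNull(statement);
        validateX5c(statement);
        validateNonce(coreRegistrationObject);
        validatePublicKey(coreRegistrationObject);
        return AttestationType.BASIC;
    }

    /**
     * Rejects a registration that carries no attestation statement.
     *
     * @param appleAppAttestAttestationStatement the statement to check, possibly {@code null}
     * @throws BadAttestationStatementException if the statement is {@code null}
     */
    void validateAttestationStatementNotNull(@Nullable AppleAppAttestAttestationStatement appleAppAttestAttestationStatement) {
        if (appleAppAttestAttestationStatement == null) {
            throw new BadAttestationStatementException("attestation statement is not found.");
        }
    }

    /**
     * Rejects an attestation statement without attestation certificates.
     *
     * @param appleAppAttestAttestationStatement the statement whose {@code x5c} is checked
     * @throws BadAttestationStatementException if {@code x5c} is absent or empty
     */
    void validateX5c(@NotNull AppleAppAttestAttestationStatement appleAppAttestAttestationStatement) {
        // Defensive: an absent certificate path is treated like an empty one so that a malformed
        // statement fails verification instead of raising a NullPointerException. Whether
        // getX5c() can actually return null is not visible from this class.
        if (appleAppAttestAttestationStatement.getX5c() == null
                || appleAppAttestAttestationStatement.getX5c().isEmpty()) {
            throw new BadAttestationStatementException("No attestation certificate is found in Apple App Attest attestation statement.");
        }
    }

    /**
     * Tells whether this verifier can handle the given registration object.
     *
     * @param coreRegistrationObject the registration object to test
     * @return {@code true} when the superclass accepts it and it is a {@link DCRegistrationObject}
     */
    public boolean supports(CoreRegistrationObject coreRegistrationObject) {
        return super.supports(coreRegistrationObject) && (coreRegistrationObject instanceof DCRegistrationObject);
    }

    /**
     * Checks that the nonce embedded in the end-entity certificate binds the certificate to this
     * registration, i.e. equals {@code SHA-256(authenticatorData || clientDataHash)}.
     *
     * @throws BadAttestationStatementException if the nonce is missing, unreadable or different
     */
    private void validateNonce(CoreRegistrationObject coreRegistrationObject) {
        X509Certificate endEntityCertificate = getAttestationStatement(coreRegistrationObject).getX5c().getEndEntityAttestationCertificate().getCertificate();
        byte[] certificateNonce = extractNonce(endEntityCertificate);
        byte[] clientDataHash = coreRegistrationObject.getClientDataHash();
        byte[] authenticatorDataBytes = coreRegistrationObject.getAuthenticatorDataBytes();
        byte[] composite = ByteBuffer.allocate(authenticatorDataBytes.length + clientDataHash.length)
                .put(authenticatorDataBytes)
                .put(clientDataHash)
                .array();
        byte[] expectedNonce = MessageDigestUtil.createSHA256().digest(composite);
        if (!Arrays.equals(certificateNonce, expectedNonce)) {
            throw new BadAttestationStatementException("App Attest nonce doesn't match.");
        }
    }

    /**
     * Checks that the key identifier supplied with the registration is the SHA-256 digest of the
     * end-entity certificate's public key in uncompressed EC point form.
     *
     * @throws BadAttestationStatementException if the certificate key is not an EC key or the
     *         digest differs from the key identifier
     */
    private void validatePublicKey(CoreRegistrationObject coreRegistrationObject) {
        X509Certificate endEntityCertificate = getAttestationStatement(coreRegistrationObject).getX5c().getEndEntityAttestationCertificate().getCertificate();
        // The certificate comes from the attestation being verified, so its key type is not
        // guaranteed. A non-EC key must surface as a verification failure rather than as a
        // ClassCastException from the cast below.
        if (!(endEntityCertificate.getPublicKey() instanceof ECPublicKey)) {
            throw new BadAttestationStatementException("attestation certificate public key is not an EC public key");
        }
        byte[] uncompressedPublicKey = ECUtil.createUncompressedPublicKey((ECPublicKey) endEntityCertificate.getPublicKey());
        byte[] publicKeyDigest = MessageDigestUtil.createSHA256().digest(uncompressedPublicKey);
        if (!Arrays.equals(publicKeyDigest, ((DCRegistrationObject) coreRegistrationObject).getKeyId())) {
            throw new BadAttestationStatementException("key identifier doesn't match SHA-256 of the publickey");
        }
    }

    /** Returns the attestation statement of the registration, typed for this verifier. */
    private AppleAppAttestAttestationStatement getAttestationStatement(CoreRegistrationObject coreRegistrationObject) {
        return coreRegistrationObject.getAttestationObject().getAttestationStatement();
    }

    /**
     * Reads the nonce from the certificate extension {@value #APPLE_CRED_CERT_EXTENSION_OID}.
     *
     * @param x509Certificate the end-entity attestation certificate
     * @return the value of the first child of the first child of the parsed extension structure
     * @throws BadAttestationStatementException if the extension is absent or cannot be parsed
     */
    byte[] extractNonce(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(APPLE_CRED_CERT_EXTENSION_OID);
        if (extensionValue == null) {
            throw new BadAttestationStatementException("Apple X.509 extension not found");
        }
        try {
            return ASN1Primitive.parse(extensionValue).getValueAsASN1Structure().get(0).get(0).getValue();
        } catch (RuntimeException e) {
            // Any parsing or navigation failure on attacker-supplied DER is reported as a bad
            // attestation statement, keeping the original exception as the cause.
            throw new BadAttestationStatementException("Failed to extract nonce from Apple App Attest attestation statement.", e);
        }
    }
}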
