package com.webauthn4j.verifier.attestation.statement.apple;

import com.webauthn4j.data.attestation.statement.AppleAnonymousAttestationStatement;
import com.webauthn4j.data.attestation.statement.AttestationType;
import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.util.MessageDigestUtil;
import com.webauthn4j.verifier.CoreRegistrationObject;
import com.webauthn4j.verifier.attestation.statement.AbstractStatementVerifier;
import com.webauthn4j.verifier.exception.BadAttestationStatementException;
import com.webauthn4j.verifier.exception.PublicKeyMismatchException;
import com.webauthn4j.verifier.internal.asn1.ASN1Primitive;
import com.webauthn4j.verifier.internal.asn1.ASN1Structure;
import java.nio.ByteBuffer;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:com/webauthn4j/verifier/attestation/statement/apple/AppleAnonymousAttestationStatementVerifier.class */
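/**
 * Verifies an Apple anonymous attestation statement.
 *
 * <p>Two bindings are checked on the end-entity certificate in {@code x5c}:
 * <ol>
 *   <li>the nonce carried in certificate extension {@code 1.2.840.113635.100.8.2} must equal
 *       {@code SHA-256(authenticatorData || clientDataHash)};</li>
 *   <li>the certificate's public key must equal the credential public key in the attested
 *       credential data.</li>
 * </ol>
 *
 * <p>Nothing in this class validates the {@code x5c} chain or anchors it to a trusted root. Both
 * checks only bind the registration to whatever certificate the client supplied, so they are
 * meaningful only when the certificate path is also validated against the relying party's trust
 * anchors. The {@link AttestationType#BASIC} result names the attestation type; it is not a
 * trust decision.
 */
public class AppleAnonymousAttestationStatementVerifier extends AbstractStatementVerifier<AppleAnonymousAttestationStatement> {

    /** OID of the certificate extension from which the attestation nonce is read. */
    private static final String APPLE_NONCE_EXTENSION_OID = "1.2.840.113635.100.8.2";

    /**
     * Runs the nonce and public-key checks for an Apple anonymous attestation.
     *
     * @param coreRegistrationObject registration data holding the attestation object,
     *     authenticator data bytes and client data hash
     * @return {@link AttestationType#BASIC} when every check passes
     * @throws IllegalArgumentException if the attestation format is not supported by this verifier
     * @throws BadAttestationStatementException if the statement, its {@code x5c}, the nonce
     *     extension or the attested credential data is missing, or the nonce does not match
     * @throws PublicKeyMismatchException if the certificate key differs from the credential key
     */
    @Override
    @NotNull
    public AttestationType verify(@NotNull CoreRegistrationObject coreRegistrationObject) {
        AssertUtil.notNull(coreRegistrationObject, "registrationObject must not be null");
        if (!supports(coreRegistrationObject)) {
            throw new IllegalArgumentException(String.format("Specified format '%s' is not supported by %s.", coreRegistrationObject.getAttestationObject().getFormat(), getClass().getName()));
        }
        AppleAnonymousAttestationStatement statement = (AppleAnonymousAttestationStatement) coreRegistrationObject.getAttestationObject().getAttestationStatement();
        // The null check must come first: verifyNonce re-reads the statement and dereferences it.
        verifyAttestationStatementNotNull(statement);
        verifyNonce(coreRegistrationObject);
        verifyPublicKey(coreRegistrationObject, statement);
        return AttestationType.BASIC;
    }

    /**
     * Rejects a registration that carries no attestation statement.
     *
     * @param appleAnonymousAttestationStatement statement taken from the attestation object
     * @throws BadAttestationStatementException if the statement is {@code null}
     */
    void verifyAttestationStatementNotNull(AppleAnonymousAttestationStatement appleAnonymousAttestationStatement) {
        if (appleAnonymousAttestationStatement == null) {
            throw new BadAttestationStatementException("attestation statement is not found.");
        }
    }

    /**
     * Compares the nonce embedded in the end-entity certificate with the nonce recomputed from
     * the registration data.
     *
     * @throws BadAttestationStatementException if {@code x5c} or the extension is missing, or
     *     the two nonces differ
     */
    private void verifyNonce(@NotNull CoreRegistrationObject coreRegistrationObject) {
        AppleAnonymousAttestationStatement statement = (AppleAnonymousAttestationStatement) coreRegistrationObject.getAttestationObject().getAttestationStatement();
        byte[] certificateNonce = extractNonce(endEntityCertificate(statement));
        byte[] expectedNonce = getNonce(coreRegistrationObject);
        // Neither operand appears to be a secret (certificate, authenticator data and client data
        // hash all arrive with the registration), so this is an integrity comparison and
        // Arrays.equals is sufficient here.
        if (!Arrays.equals(certificateNonce, expectedNonce)) {
            throw new BadAttestationStatementException("nonce doesn't match.");
        }
    }

    /**
     * Recomputes the expected nonce as {@code SHA-256(authenticatorData || clientDataHash)}.
     *
     * @return the digest of the raw authenticator data bytes followed by the client data hash
     */
    @NotNull
    private byte[] getNonce(@NotNull CoreRegistrationObject coreRegistrationObject) {
        byte[] authenticatorDataBytes = coreRegistrationObject.getAuthenticatorDataBytes();
        byte[] clientDataHash = coreRegistrationObject.getClientDataHash();
        // Concatenation order matters: authenticator data first, then the client data hash.
        ByteBuffer nonceInput = ByteBuffer.allocate(authenticatorDataBytes.length + clientDataHash.length);
        nonceInput.put(authenticatorDataBytes);
        nonceInput.put(clientDataHash);
        return MessageDigestUtil.createSHA256().digest(nonceInput.array());
    }

    /**
     * Checks that the end-entity certificate certifies the credential key being registered.
     *
     * @throws BadAttestationStatementException if {@code x5c} or the attested credential data is
     *     missing
     * @throws PublicKeyMismatchException if the two public keys are not equal
     */
    private void verifyPublicKey(@NotNull CoreRegistrationObject coreRegistrationObject, @NotNull AppleAnonymousAttestationStatement appleAnonymousAttestationStatement) {
        X509Certificate certificate = endEntityCertificate(appleAnonymousAttestationStatement);
        // Fail closed with a verification exception instead of a NullPointerException when the
        // authenticator data carries no attested credential data. Callers may already reject
        // that case earlier; this verifier does not rely on it.
        if (coreRegistrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData() == null) {
            throw new BadAttestationStatementException("attestedCredentialData is not found in authenticatorData.");
        }
        // Relies on the key implementation's equals(); a null credential key compares unequal
        // and is therefore rejected as a mismatch.
        boolean keysMatch = certificate.getPublicKey().equals(coreRegistrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData().getCOSEKey().getPublicKey());
        if (!keysMatch) {
            throw new PublicKeyMismatchException("The public key in the first certificate in x5c doesn't matches the credentialPublicKey in the attestedCredentialData in authenticatorData.");
        }
    }

    /**
     * Returns the end-entity certificate of the statement's {@code x5c}.
     *
     * <p>A missing {@code x5c} is reported as a verification failure rather than surfacing as a
     * NullPointerException, so the verifier fails closed even when it is handed a statement that
     * was not validated beforehand.
     *
     * @throws BadAttestationStatementException if the statement has no {@code x5c}
     */
    @NotNull
    private X509Certificate endEntityCertificate(@NotNull AppleAnonymousAttestationStatement statement) {
        if (statement.getX5c() == null) {
            throw new BadAttestationStatementException("x5c is not found in the attestation statement.");
        }
        return statement.getX5c().getEndEntityAttestationCertificate().getCertificate();
    }

    /**
     * Reads the nonce from the Apple extension of the given certificate.
     *
     * @param x509Certificate end-entity attestation certificate
     * @return the value of the innermost element reached by the walk below
     * @throws BadAttestationStatementException if the extension is absent or cannot be parsed
     */
    private byte[] extractNonce(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(APPLE_NONCE_EXTENSION_OID);
        if (extensionValue == null) {
            throw new BadAttestationStatementException("Apple X.509 extension not found");
        }
        try {
            // Walks to the first element of the first element of the parsed extension.
            // NOTE(review): presumably SEQUENCE -> tagged element -> OCTET STRING nonce; confirm
            // against how ASN1Primitive.parse handles the extension wrapper.
            ASN1Structure firstElement = (ASN1Structure) ASN1Primitive.parse(extensionValue).getValueAsASN1Structure().get(0);
            ASN1Primitive nonceElement = (ASN1Primitive) firstElement.get(0);
            return nonceElement.getValue();
        } catch (RuntimeException e) {
            // Any parse, index or cast failure on this client-supplied certificate is turned
            // into a verification failure, keeping the cause for diagnostics.
            throw new BadAttestationStatementException("Failed to extract nonce from Apple anonymous attestation statement.", e);
        }
    }
}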
