package com.webauthn4j.verifier.attestation.statement.androidkey;

import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.verifier.exception.BadAttestationStatementException;
import com.webauthn4j.verifier.exception.KeyDescriptionValidationException;
import com.webauthn4j.verifier.internal.asn1.ASN1;
import com.webauthn4j.verifier.internal.asn1.ASN1Primitive;
import com.webauthn4j.verifier.internal.asn1.ASN1Structure;
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Objects;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/webauthn4j/verifier/attestation/statement/androidkey/KeyDescriptionVerifier.class */
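public class KeyDescriptionVerifier {
    public static final String ATTESTATION_EXTENSION_OID = "1.3.6.1.4.1.11129.2.1.17";
    public static final int ATTESTATION_CHALLENGE_INDEX = 4;
    public static final int SW_ENFORCED_INDEX = 6;
    public static final int TEE_ENFORCED_INDEX = 7;
    public static final int KM_TAG_PURPOSE = 1;
    public static final int KM_TAG_ALL_APPLICATIONS = 600;
    public static final int KM_TAG_CREATION_DATE_TIME = 701;
    public static final int KM_TAG_ORIGIN = 702;
    public static final int KM_ORIGIN_GENERATED = 0;
    public static final int KM_PURPOSE_SIGN = 2;

    // ASN.1 universal tag number of INTEGER; used to recognise integer-valued authorization entries.
    private static final int ASN1_INTEGER_TAG_NUMBER = 2;

    private final Logger logger = LoggerFactory.getLogger(KeyDescriptionVerifier.class);

    /**
     * Verifies the Android Key attestation {@code KeyDescription} extension of an attestation certificate.
     * <p>
     * The extension content is attacker-controlled input (it travels inside the attestation statement), so
     * every structural access is checked and a malformed structure is reported as a
     * {@link BadAttestationStatementException} rather than leaking a {@code ClassCastException} or
     * {@code IndexOutOfBoundsException} to the caller.
     *
     * @param x509Certificate the attestation certificate carrying the KeyDescription extension
     * @param clientDataHash  hash of the client data; must equal the attestationChallenge in the extension
     * @param teeEnforcedOnly when {@code true}, origin and purpose are accepted only from the teeEnforced list
     * @throws KeyDescriptionValidationException if the extension is absent or its content fails verification
     * @throws BadAttestationStatementException  if the extension content is structurally malformed
     */
    public void verify(@NotNull X509Certificate x509Certificate, @NotNull byte[] clientDataHash, boolean teeEnforcedOnly) {
        AssertUtil.notNull(x509Certificate, "x509Certificate must not be null");
        AssertUtil.notNull(clientDataHash, "clientDataHash must not be null");
        doVerify(extractKeyDescription(x509Certificate), clientDataHash, teeEnforcedOnly);
    }

    /**
     * Extracts the KeyDescription SEQUENCE from the attestation extension of the certificate.
     * {@code getExtensionValue} yields the DER-encoded OCTET STRING wrapping the extension, so the
     * KeyDescription is the parsed content of that octet string.
     *
     * @param x509Certificate the attestation certificate
     * @return the KeyDescription structure
     * @throws KeyDescriptionValidationException if the certificate has no attestation extension
     */
    @NotNull
    ASN1Structure extractKeyDescription(@NotNull X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(ATTESTATION_EXTENSION_OID);
        if (extensionValue == null) {
            throw new KeyDescriptionValidationException("KeyDescription must not be null");
        }
        return ASN1Primitive.parse(extensionValue).getValueAsASN1Structure();
    }

    /**
     * Runs the verification steps against an already parsed KeyDescription.
     *
     * @param keyDescription  the parsed KeyDescription SEQUENCE
     * @param clientDataHash  expected value of the attestationChallenge field
     * @param teeEnforcedOnly whether only the teeEnforced authorization list may satisfy the checks
     * @throws KeyDescriptionValidationException if the challenge does not match, the key is not scoped to
     *                                           the application, or the authorization lists are unacceptable
     * @throws BadAttestationStatementException  if a required field is missing or has the wrong ASN.1 type
     */
    void doVerify(@NotNull ASN1Structure keyDescription, @NotNull byte[] clientDataHash, boolean teeEnforcedOnly) {
        // The challenge binds this attestation to the current ceremony.
        byte[] attestationChallenge = primitiveAt(keyDescription, ATTESTATION_CHALLENGE_INDEX, "attestationChallenge").getValue();
        if (!Arrays.equals(attestationChallenge, clientDataHash)) {
            throw new KeyDescriptionValidationException("Attestation challenge doesn't match.");
        }
        ASN1Structure softwareEnforced = structureAt(keyDescription, SW_ENFORCED_INDEX, "softwareEnforced");
        ASN1Structure teeEnforced = structureAt(keyDescription, TEE_ENFORCED_INDEX, "teeEnforced");
        // A key usable by all applications is not scoped to this relying party; neither list may carry the tag.
        if (findAuthorizationListEntry(softwareEnforced, KM_TAG_ALL_APPLICATIONS) != null
                || findAuthorizationListEntry(teeEnforced, KM_TAG_ALL_APPLICATIONS) != null) {
            throw new KeyDescriptionValidationException("Key is not scoped properly.");
        }
        verifyAuthorizationList(teeEnforcedOnly, softwareEnforced, teeEnforced);
    }

    /**
     * Checks key origin and purpose. The teeEnforced list is consulted first; the softwareEnforced list is
     * only accepted as a fallback when {@code teeEnforcedOnly} is {@code false}. Origin is checked before
     * purpose so the reported failure matches the first unmet requirement.
     */
    private void verifyAuthorizationList(boolean teeEnforcedOnly, @NotNull ASN1Structure softwareEnforced, @NotNull ASN1Structure teeEnforced) {
        boolean originAccepted = isKeyGeneratedInKeymaster(findAuthorizationListEntry(teeEnforced, KM_TAG_ORIGIN))
                || (!teeEnforcedOnly && isKeyGeneratedInKeymaster(findAuthorizationListEntry(softwareEnforced, KM_TAG_ORIGIN)));
        if (!originAccepted) {
            throw new KeyDescriptionValidationException("Key is not generated in keymaster.");
        }
        boolean purposeAccepted = containsValidPurpose(findAuthorizationListEntry(teeEnforced, KM_TAG_PURPOSE))
                || (!teeEnforcedOnly && containsValidPurpose(findAuthorizationListEntry(softwareEnforced, KM_TAG_PURPOSE)));
        if (!purposeAccepted) {
            throw new KeyDescriptionValidationException("Key purpose is invalid.");
        }
    }

    /**
     * Returns whether the origin entry says the key was generated inside keymaster
     * ({@link #KM_ORIGIN_GENERATED}). A missing or malformed entry counts as "not generated"; the failure is
     * logged at debug level and the caller turns it into a validation error.
     */
    private boolean isKeyGeneratedInKeymaster(@Nullable ASN1 originEntry) {
        try {
            return Objects.equals(getIntegerFromAsn1(originEntry), BigInteger.valueOf(KM_ORIGIN_GENERATED));
        } catch (RuntimeException e) {
            // Deliberate best-effort: a malformed origin is treated as unacceptable, not as a hard failure here.
            this.logger.debug("Failed to retrieve origin.", e);
            return false;
        }
    }

    /**
     * Returns whether the purpose entry (a SET of INTEGER) contains {@link #KM_PURPOSE_SIGN}.
     * A missing or malformed entry yields {@code false}.
     */
    private boolean containsValidPurpose(@Nullable ASN1 purposeEntry) {
        if (purposeEntry == null) {
            return false;
        }
        try {
            BigInteger signPurpose = BigInteger.valueOf(KM_PURPOSE_SIGN);
            Iterator<ASN1> purposes = ((ASN1Structure) purposeEntry).iterator();
            while (purposes.hasNext()) {
                // getIntegerFromAsn1 rejects non-INTEGER members; the catch below maps that to false.
                if (Objects.equals(getIntegerFromAsn1(purposes.next()), signPurpose)) {
                    return true;
                }
            }
            return false;
        } catch (RuntimeException e) {
            // Deliberate best-effort: a malformed purpose list is treated as unacceptable.
            this.logger.debug("Failed to retrieve purpose.", e);
            return false;
        }
    }

    /**
     * Reads an ASN.1 INTEGER value.
     *
     * @param asn1 the element, or {@code null}
     * @return the integer value, or {@code null} when {@code asn1} is {@code null}
     * @throws BadAttestationStatementException if the element is not a primitive INTEGER
     */
    @Nullable
    private BigInteger getIntegerFromAsn1(@Nullable ASN1 asn1) {
        if (asn1 == null) {
            return null;
        }
        // Exact-class check (not instanceof) is kept from the original implementation.
        if (asn1.getClass() == ASN1Primitive.class && asn1.getTag().getNumber() == ASN1_INTEGER_TAG_NUMBER) {
            return ((ASN1Primitive) asn1).getValueAsBigInteger();
        }
        throw new BadAttestationStatementException(String.format("ASN1Integer is expected. Found %s instead.", asn1.getClass().getName()));
    }

    /**
     * Finds the value of the authorization-list entry with the given tag number.
     * Each entry is a tagged structure whose tag number is the keymaster tag and whose single child is the value.
     *
     * @param authorizationList the softwareEnforced or teeEnforced list
     * @param tagNumber         the keymaster tag to look for
     * @return the entry value, or {@code null} if no entry carries the tag
     * @throws BadAttestationStatementException if an entry is not a structure or has no value
     */
    @Nullable
    private ASN1 findAuthorizationListEntry(@NotNull ASN1Structure authorizationList, int tagNumber) {
        Iterator<ASN1> entries = authorizationList.iterator();
        while (entries.hasNext()) {
            ASN1 entry = entries.next();
            if (!(entry instanceof ASN1Structure)) {
                throw new BadAttestationStatementException(String.format(
                        "AuthorizationList entry is expected to be a structure. Found %s instead.",
                        entry == null ? "null" : entry.getClass().getName()));
            }
            ASN1Structure taggedEntry = (ASN1Structure) entry;
            if (taggedEntry.getTag().getNumber() == tagNumber) {
                return childAt(taggedEntry, 0, "AuthorizationList entry value");
            }
        }
        return null;
    }

    /**
     * Returns the child at {@code index}, reporting a truncated structure as a bad attestation statement.
     * NOTE(review): assumes {@code ASN1Structure.get} throws {@code IndexOutOfBoundsException} for an
     * out-of-range index, as a list-backed structure does — confirm against the ASN1Structure implementation.
     */
    @NotNull
    private static ASN1 childAt(@NotNull ASN1Structure structure, int index, @NotNull String fieldName) {
        ASN1 child;
        try {
            child = structure.get(index);
        } catch (IndexOutOfBoundsException e) {
            throw new BadAttestationStatementException(String.format("%s (index %d) is missing.", fieldName, index));
        }
        if (child == null) {
            throw new BadAttestationStatementException(String.format("%s (index %d) is missing.", fieldName, index));
        }
        return child;
    }

    /** Returns the child at {@code index} as a primitive, or reports the type mismatch. */
    @NotNull
    private static ASN1Primitive primitiveAt(@NotNull ASN1Structure structure, int index, @NotNull String fieldName) {
        ASN1 child = childAt(structure, index, fieldName);
        if (!(child instanceof ASN1Primitive)) {
            throw new BadAttestationStatementException(String.format(
                    "%s is expected to be a primitive. Found %s instead.", fieldName, child.getClass().getName()));
        }
        return (ASN1Primitive) child;
    }

    /** Returns the child at {@code index} as a structure, or reports the type mismatch. */
    @NotNull
    private static ASN1Structure structureAt(@NotNull ASN1Structure structure, int index, @NotNull String fieldName) {
        ASN1 child = childAt(structure, index, fieldName);
        if (!(child instanceof ASN1Structure)) {
            throw new BadAttestationStatementException(String.format(
                    "%s is expected to be a structure. Found %s instead.", fieldName, child.getClass().getName()));
        }
        return (ASN1Structure) child;
    }
}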
