package com.webauthn4j.async.metadata;

import com.webauthn4j.converter.util.ObjectConverter;
import com.webauthn4j.metadata.CertPathCheckContext;
import com.webauthn4j.metadata.data.MetadataBLOB;
import com.webauthn4j.metadata.data.MetadataBLOBFactory;
import com.webauthn4j.metadata.exception.CertPathCheckException;
import com.webauthn4j.metadata.exception.MDSException;
import com.webauthn4j.util.CertificateUtil;
import com.webauthn4j.verifier.internal.asn1.ASN1;
import com.webauthn4j.verifier.internal.asn1.ASN1Primitive;
import com.webauthn4j.verifier.internal.asn1.ASN1Structure;
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.security.auth.x500.X500Principal;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:com/webauthn4j/async/metadata/FidoMDS3MetadataBLOBAsyncProvider.class */
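/**
 * Asynchronous provider of the FIDO MDS3 metadata BLOB.
 *
 * <p>{@link #doProvide()} fetches the BLOB from {@link #DEFAULT_BLOB_ENDPOINT} (or the endpoint given
 * to the constructor), requires {@link MetadataBLOB#isValidSignature()} to hold, and then validates the
 * signing certificate chain from the BLOB header against the configured trust anchors via a
 * {@link CertPathAsyncChecker}. The default checker performs PKIX path validation and, when
 * {@link #isRevocationCheckEnabled()} is true (the default), an asynchronous CRL check. Caching of the
 * result is the responsibility of the superclass.
 *
 * <p>Thread-safety: the setters are plain (non-volatile) writes; configure the provider before it is
 * shared between threads.
 */
public class FidoMDS3MetadataBLOBAsyncProvider extends CachingMetadataBLOBAsyncProvider {
    public static final String DEFAULT_BLOB_ENDPOINT = "https://mds.fidoalliance.org/";
    private final MetadataBLOBFactory metadataBLOBFactory;
    private final String blobEndpoint;
    private final HttpAsyncClient httpClient;
    /** Immutable snapshot of the caller-supplied anchors: the trust store must not change under us. */
    private final Set<TrustAnchor> trustAnchors;
    private boolean revocationCheckEnabled;
    private CertPathAsyncChecker certPathAsyncChecker;

    /**
     * Default chain checker: synchronous PKIX path validation (with the JDK's own revocation checking
     * disabled), followed by an asynchronous CRL check that fetches every distribution point of every
     * chain certificate through the supplied {@link HttpAsyncClient}.
     */
    private static class DefaultCertPathAsyncChecker implements CertPathAsyncChecker {
        private final HttpAsyncClient httpClient;

        public DefaultCertPathAsyncChecker(HttpAsyncClient httpClient) {
            this.httpClient = Objects.requireNonNull(httpClient, "httpClient");
        }

        /**
         * Validates {@code context.getCertPath()} against {@code context.getTrustAnchors()} and, if the
         * context asks for it, checks revocation through CRLs.
         *
         * @return a stage that completes normally when the chain is acceptable; CRL failures complete it
         *         exceptionally with a {@link CertPathCheckException}
         * @throws CertPathCheckException synchronously when PKIX path validation fails
         */
        @Override
        public CompletionStage<Void> check(CertPathCheckContext context) throws MDSException {
            CertPathValidator validator = CertificateUtil.createCertPathValidator();
            PKIXParameters params = CertificateUtil.createPKIXParameters(context.getTrustAnchors());
            // The JDK's revocation checking fetches CRLs synchronously; revocation is handled by
            // checkCRL() below using the async HTTP client instead.
            params.setRevocationEnabled(false);
            try {
                validator.validate(context.getCertPath(), params);
            } catch (InvalidAlgorithmParameterException e) {
                throw new CertPathCheckException("invalid algorithm parameter", e);
            } catch (CertPathValidatorException e) {
                throw new CertPathCheckException("invalid cert path", e);
            }
            if (!context.isRevocationCheckEnabled()) {
                return CompletableFuture.completedFuture(null);
            }
            return checkCRL(context);
        }

        /**
         * Checks every certificate of the (already PKIX-validated) path against the CRLs it advertises.
         * The trust anchor that issued the last path certificate is added to the set of acceptable CRL
         * issuers so that a CRL signed by the anchor can be verified.
         */
        private CompletionStage<Void> checkCRL(CertPathCheckContext context) {
            List<X509Certificate> chain = new ArrayList<>();
            context.getCertPath().getCertificates().forEach(certificate -> chain.add((X509Certificate) certificate));
            if (chain.isEmpty()) {
                // Fail closed: nothing to check would otherwise be reported as "not revoked".
                throw new CertPathCheckException("certificate chain is empty; revocation status cannot be determined");
            }
            X509Certificate last = chain.get(chain.size() - 1);
            TrustAnchor anchor = context.getTrustAnchors().stream()
                    // Anchors may be name/key-only (no certificate); skip those rather than NPE.
                    .filter(candidate -> candidate.getTrustedCert() != null
                            && Objects.equals(candidate.getTrustedCert().getSubjectX500Principal(), last.getIssuerX500Principal()))
                    .findFirst()
                    .orElseThrow(() -> new CertPathCheckException(
                            "no trust anchor certificate matches the issuer of the last chain certificate: " + last.getIssuerX500Principal()));
            List<X509Certificate> crlIssuerCandidates = new ArrayList<>(chain);
            crlIssuerCandidates.add(anchor.getTrustedCert());
            Stream<CompletionStage<Void>> perCertificate =
                    chain.stream().map(certificate -> checkRevocation(certificate, crlIssuerCandidates));
            return join(perCertificate).thenApply(ignored -> null);
        }

        /** Fetches every CRL listed in {@code certificate}'s distribution points and checks the certificate against each. */
        private CompletionStage<Void> checkRevocation(X509Certificate certificate, List<X509Certificate> crlIssuerCandidates) {
            Stream<CompletionStage<X509CRL>> fetches = extractCRLDistributionPoints(certificate).stream().map(this::fetchCRL);
            return join(fetches).thenApply(crls -> {
                crls.forEach(crl -> verifyAndCheck(crl, certificate, crlIssuerCandidates));
                return null;
            });
        }

        /**
         * Verifies the CRL signature with the key of the chain/anchor certificate whose subject matches the
         * CRL issuer, rejects stale CRLs, and fails if {@code certificate} is listed.
         *
         * @throws CertPathCheckException if the issuer is unknown, the signature does not verify, the CRL
         *                                is past its nextUpdate, or the certificate is revoked
         */
        private static void verifyAndCheck(X509CRL crl, X509Certificate certificate, List<X509Certificate> crlIssuerCandidates) {
            X509Certificate crlIssuer = findBySubject(crlIssuerCandidates, crl.getIssuerX500Principal());
            try {
                // Name matching alone is spoofable; the signature binds the CRL to a key in the validated chain.
                crl.verify(crlIssuer.getPublicKey());
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CRLException e) {
                throw new CertPathCheckException("crl validation failed", e);
            }
            if (crl.isRevoked(certificate)) {
                throw new CertPathCheckException("Certificate is revoked");
            }
            // A CRL past its nextUpdate may predate a revocation (RFC 5280 §5.1.2.5); accepting it would let a
            // replayed old CRL hide a revoked signing certificate.
            var nextUpdate = crl.getNextUpdate();
            if (nextUpdate != null && nextUpdate.getTime() < System.currentTimeMillis()) {
                throw new CertPathCheckException("CRL is stale: nextUpdate " + nextUpdate + " has passed");
            }
        }

        /** Returns the first candidate whose subject equals {@code subject}, failing closed when none does. */
        private static X509Certificate findBySubject(List<X509Certificate> candidates, X500Principal subject) {
            return candidates.stream()
                    .filter(candidate -> Objects.equals(candidate.getSubjectX500Principal(), subject))
                    .findFirst()
                    .orElseThrow(() -> new CertPathCheckException("CRL issuer is not part of the validated chain: " + subject));
        }

        /**
         * Collects all stages into one. The result stage completes exceptionally if any input does;
         * otherwise it yields the results in input order. {@code join()} cannot block here because
         * {@code allOf} has already completed.
         */
        private static <T> CompletionStage<Stream<T>> join(Stream<CompletionStage<T>> stages) {
            List<CompletableFuture<T>> futures = stages.map(CompletionStage::toCompletableFuture).collect(Collectors.toList());
            return CompletableFuture.allOf(futures.toArray(CompletableFuture[]::new))
                    .thenApply(ignored -> futures.stream().map(CompletableFuture::join));
        }

        /**
         * Fetches and parses one CRL. Only http/https distribution points are accepted; the CRL is
         * authenticated later by signature, so the transport is not relied upon for integrity.
         *
         * @throws CertPathCheckException for unsupported schemes, HTTP status >= 400, or unparsable CRLs
         * @throws UncheckedIOException for a malformed URL or an I/O failure while reading the body
         */
        private CompletionStage<X509CRL> fetchCRL(String distributionPoint) {
            URL url;
            try {
                url = new URL(distributionPoint);
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
            String protocol = url.getProtocol();
            if (!"http".equals(protocol) && !"https".equals(protocol)) {
                throw new CertPathCheckException("http or https is the only supported protocol to fetch CRL.");
            }
            return httpClient.fetch(distributionPoint).thenApply(response -> {
                if (response.getStatusCode() >= 400) {
                    throw new CertPathCheckException(String.format("Failed to fetch CRL. HTTP Status code: %d", response.getStatusCode()));
                }
                try (InputStream body = response.getBody()) {
                    return (X509CRL) CertificateUtil.createCertificateFactory().generateCRL(body);
                } catch (CRLException e) {
                    throw new CertPathCheckException(e);
                } catch (IOException e) {
                    throw new UncheckedIOException(e);
                }
            });
        }

        /**
         * Reads the CRL Distribution Points extension (OID 2.5.29.31) and returns the names it lists.
         *
         * <p>Assumes each DistributionPoint carries distributionPoint [0] with a fullName [0] GeneralNames
         * and takes every GeneralName as a string; non-URI names are rejected by fetchCRL's scheme check.
         *
         * @throws CertPathCheckException if the certificate has no CRL Distribution Points extension —
         *                                with revocation checking enabled its status cannot be determined,
         *                                so it is not accepted silently (fail closed)
         */
        private static List<String> extractCRLDistributionPoints(X509Certificate certificate) {
            byte[] extensionValue = certificate.getExtensionValue("2.5.29.31");
            if (extensionValue == null) {
                throw new CertPathCheckException(
                        "certificate has no CRL distribution point extension: " + certificate.getSubjectX500Principal());
            }
            ASN1Structure distributionPoints = ASN1Primitive.parse(extensionValue).getValueAsASN1Structure();
            List<String> names = new ArrayList<>();
            Iterator<?> distributionPointIterator = distributionPoints.iterator();
            while (distributionPointIterator.hasNext()) {
                ASN1 distributionPoint = (ASN1) distributionPointIterator.next();
                Iterator<?> nameIterator = distributionPoint.get(0).get(0).iterator();
                while (nameIterator.hasNext()) {
                    names.add(((ASN1) nameIterator.next()).getValueAsUtf8String());
                }
            }
            return Collections.unmodifiableList(names);
        }
    }

    /**
     * @param objectConverter converter used to parse the BLOB
     * @param blobEndpoint    URL the BLOB is fetched from; the BLOB is signed, so transport security is
     *                        defense in depth, but https is still the sensible choice
     * @param httpClient      client used for the BLOB and for CRL downloads
     * @param trustAnchors    anchors the BLOB signing chain must chain to; copied defensively
     */
    public FidoMDS3MetadataBLOBAsyncProvider(@NotNull ObjectConverter objectConverter, @NotNull String blobEndpoint,
                                             @NotNull HttpAsyncClient httpClient, @NotNull Set<TrustAnchor> trustAnchors) {
        this.metadataBLOBFactory = new MetadataBLOBFactory(Objects.requireNonNull(objectConverter, "objectConverter"));
        this.blobEndpoint = Objects.requireNonNull(blobEndpoint, "blobEndpoint");
        this.httpClient = Objects.requireNonNull(httpClient, "httpClient");
        this.trustAnchors = Set.copyOf(Objects.requireNonNull(trustAnchors, "trustAnchors"));
        // Revocation checking is on by default; callers must opt out explicitly.
        this.revocationCheckEnabled = true;
        this.certPathAsyncChecker = new DefaultCertPathAsyncChecker(httpClient);
    }

    /** Uses a {@link SimpleHttpAsyncClient}. */
    public FidoMDS3MetadataBLOBAsyncProvider(@NotNull ObjectConverter objectConverter, @NotNull String blobEndpoint,
                                             @NotNull Set<TrustAnchor> trustAnchors) {
        this(objectConverter, blobEndpoint, new SimpleHttpAsyncClient(), trustAnchors);
    }

    /** Uses a {@link SimpleHttpAsyncClient} and a single trust anchor built from {@code rootCertificate}. */
    public FidoMDS3MetadataBLOBAsyncProvider(@NotNull ObjectConverter objectConverter, @NotNull String blobEndpoint,
                                             @NotNull X509Certificate rootCertificate) {
        this(objectConverter, blobEndpoint, new SimpleHttpAsyncClient(), Collections.singleton(new TrustAnchor(rootCertificate, null)));
    }

    /** Uses {@link #DEFAULT_BLOB_ENDPOINT}. */
    public FidoMDS3MetadataBLOBAsyncProvider(@NotNull ObjectConverter objectConverter, @NotNull Set<TrustAnchor> trustAnchors) {
        this(objectConverter, DEFAULT_BLOB_ENDPOINT, trustAnchors);
    }

    /** Uses {@link #DEFAULT_BLOB_ENDPOINT} and a single trust anchor built from {@code rootCertificate}. */
    public FidoMDS3MetadataBLOBAsyncProvider(@NotNull ObjectConverter objectConverter, @NotNull X509Certificate rootCertificate) {
        this(objectConverter, DEFAULT_BLOB_ENDPOINT, Collections.singleton(new TrustAnchor(rootCertificate, null)));
    }

    /**
     * Downloads, parses and verifies the BLOB.
     *
     * <p>Both checks are required: {@code isValidSignature()} proves the BLOB was signed by the key it
     * carries, and the chain check proves that key is trusted. The stage completes exceptionally with an
     * {@link MDSException} (wrapped in the usual {@code CompletionException}) when either fails.
     */
    @Override
    @NotNull
    protected CompletionStage<MetadataBLOB> doProvide() {
        return httpClient.fetch(blobEndpoint)
                .thenApply(response -> {
                    // Without this, an error page would reach the parser and fail with a misleading parse error.
                    if (response.getStatusCode() >= 400) {
                        throw new MDSException(String.format("Failed to fetch MetadataBLOB. HTTP Status code: %d", response.getStatusCode()));
                    }
                    try (InputStream body = response.getBody()) {
                        return metadataBLOBFactory.parse(readAsString(body));
                    } catch (IOException e) {
                        throw new UncheckedIOException(e);
                    }
                })
                .thenCompose(metadataBLOB -> {
                    if (!metadataBLOB.isValidSignature()) {
                        throw new MDSException("MetadataBLOB signature is invalid");
                    }
                    return validateCertPath(metadataBLOB).thenApply(ignored -> metadataBLOB);
                });
    }

    /** Reads the whole stream as UTF-8 text (explicit charset; the platform default must not decide). */
    @NotNull
    private static String readAsString(InputStream inputStream) {
        try {
            return new String(inputStream.readAllBytes(), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Runs the configured {@link CertPathAsyncChecker} over the BLOB header's x5c chain.
     *
     * <p>Only failures thrown synchronously by {@code check} (the PKIX validation in the default checker)
     * are translated here; failures inside the returned stage (e.g. the CRL check) surface through that
     * stage as {@link CertPathCheckException}.
     */
    private CompletionStage<Void> validateCertPath(@NotNull MetadataBLOB metadataBLOB) {
        CertPathCheckContext context =
                new CertPathCheckContext(metadataBLOB.getHeader().getX5c(), trustAnchors, isRevocationCheckEnabled());
        try {
            return certPathAsyncChecker.check(context);
        } catch (CertPathCheckException e) {
            throw new MDSException("MetadataBLOB certificate chain validation failed", e);
        }
    }

    public boolean isRevocationCheckEnabled() {
        return revocationCheckEnabled;
    }

    /** Disabling this accepts a revoked BLOB signing certificate; only do so with a documented reason. */
    public void setRevocationCheckEnabled(boolean revocationCheckEnabled) {
        this.revocationCheckEnabled = revocationCheckEnabled;
    }

    public CertPathAsyncChecker getCertPathAsyncValidator() {
        return certPathAsyncChecker;
    }

    public void setCertPathAsyncValidator(CertPathAsyncChecker certPathAsyncChecker) {
        this.certPathAsyncChecker = Objects.requireNonNull(certPathAsyncChecker, "certPathAsyncChecker");
    }
}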
