package com.webauthn4j.metadata;

import com.webauthn4j.converter.util.ObjectConverter;
import com.webauthn4j.metadata.data.MetadataBLOB;
import com.webauthn4j.metadata.data.MetadataBLOBFactory;
import com.webauthn4j.metadata.exception.CertPathCheckException;
import com.webauthn4j.metadata.exception.MDSException;
import com.webauthn4j.util.CertificateUtil;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Objects;
import java.util.Set;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:com/webauthn4j/metadata/FidoMDS3MetadataBLOBProvider.class */
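/**
 * {@link CachingMetadataBLOBProvider} that downloads the FIDO MDS3 metadata BLOB from an HTTP
 * endpoint ({@link #DEFAULT_BLOB_ENDPOINT} unless another URL is given), rejects it unless its
 * signature verifies, and then validates the certificate chain carried in the BLOB header against
 * the configured trust anchors.
 *
 * <p>Thread-safety: {@code revocationCheckEnabled} and {@code certPathChecker} are plain mutable
 * fields with no synchronisation; configure the provider before sharing it between threads.
 */
public class FidoMDS3MetadataBLOBProvider extends CachingMetadataBLOBProvider {
    /** BLOB endpoint used by the constructors that take no explicit URL. */
    public static final String DEFAULT_BLOB_ENDPOINT = "https://mds.fidoalliance.org/";
    private final MetadataBLOBFactory metadataBLOBFactory;
    private final String blobEndpoint;
    private final HttpClient httpClient;
    // Roots the BLOB header's certificate chain must chain to; also read by DefaultCertPathChecker.
    private final Set<TrustAnchor> trustAnchors;
    // Defaults to true in the primary constructor: revocation is checked unless explicitly disabled.
    private boolean revocationCheckEnabled;
    private CertPathChecker certPathChecker;

    /**
     * Default chain validation: PKIX validation of the context's certificate path against the
     * enclosing provider's trust anchors, with a {@link PKIXRevocationChecker} (CRLs preferred)
     * added when {@link #isRevocationCheckEnabled()} is true.
     */
    private class DefaultCertPathChecker implements CertPathChecker {
        private DefaultCertPathChecker() {
        }

        /**
         * Validates {@code certPathCheckContext.getCertPath()}.
         *
         * <p>Trust anchors and the revocation flag are read from the enclosing provider at call
         * time, so a later {@link #setRevocationCheckEnabled(boolean)} takes effect on the next check.
         *
         * @param certPathCheckContext carries the certificate path to validate
         * @throws CertPathCheckException if the path does not validate or the PKIX parameters are
         *                                rejected by the validator
         */
        @Override
        public void check(CertPathCheckContext certPathCheckContext) throws MDSException {
            CertPathValidator validator = CertificateUtil.createCertPathValidator();
            PKIXParameters params = CertificateUtil.createPKIXParameters(FidoMDS3MetadataBLOBProvider.this.trustAnchors);
            // Read the flag once so the parameters and the checker decision cannot disagree.
            boolean checkRevocation = FidoMDS3MetadataBLOBProvider.this.revocationCheckEnabled;
            params.setRevocationEnabled(checkRevocation);
            if (checkRevocation) {
                // An explicitly added PKIXRevocationChecker replaces the validator's default
                // revocation mechanism; PREFER_CRLS makes it consult CRLs before OCSP.
                PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) validator.getRevocationChecker();
                revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
                params.addCertPathChecker(revocationChecker);
            }
            try {
                validator.validate(certPathCheckContext.getCertPath(), params);
            } catch (InvalidAlgorithmParameterException e) {
                throw new CertPathCheckException("invalid algorithm parameter", e);
            } catch (CertPathValidatorException e) {
                throw new CertPathCheckException("invalid cert path", e);
            }
        }
    }

    /**
     * Primary constructor; the other constructors delegate here.
     *
     * @param objectConverter converter handed to the {@link MetadataBLOBFactory} that parses the BLOB
     * @param str             URL of the metadata BLOB endpoint
     * @param httpClient      client used to fetch the BLOB
     * @param set             trust anchors the BLOB header's certificate chain must chain to
     * @throws NullPointerException if any argument is null
     */
    public FidoMDS3MetadataBLOBProvider(@NotNull ObjectConverter objectConverter, @NotNull String str, @NotNull HttpClient httpClient, @NotNull Set<TrustAnchor> set) {
        this.revocationCheckEnabled = true;
        this.certPathChecker = new DefaultCertPathChecker();
        this.metadataBLOBFactory = new MetadataBLOBFactory(Objects.requireNonNull(objectConverter, "objectConverter"));
        this.blobEndpoint = Objects.requireNonNull(str, "str");
        this.httpClient = Objects.requireNonNull(httpClient, "httpClient");
        this.trustAnchors = Objects.requireNonNull(set, "set");
    }

    /**
     * Uses a {@link SimpleHttpClient} to fetch the BLOB.
     *
     * @param objectConverter converter used to parse the BLOB
     * @param str             URL of the metadata BLOB endpoint
     * @param set             trust anchors for the BLOB header's certificate chain
     */
    public FidoMDS3MetadataBLOBProvider(@NotNull ObjectConverter objectConverter, @NotNull String str, @NotNull Set<TrustAnchor> set) {
        this(objectConverter, str, new SimpleHttpClient(), set);
    }

    /**
     * Uses a single root certificate as the only trust anchor.
     *
     * @param objectConverter converter used to parse the BLOB
     * @param str             URL of the metadata BLOB endpoint
     * @param x509Certificate root certificate the BLOB header's chain must chain to
     */
    public FidoMDS3MetadataBLOBProvider(@NotNull ObjectConverter objectConverter, @NotNull String str, @NotNull X509Certificate x509Certificate) {
        this(objectConverter, str, Collections.singleton(new TrustAnchor(x509Certificate, null)));
    }

    /**
     * Fetches from {@link #DEFAULT_BLOB_ENDPOINT}.
     *
     * @param objectConverter converter used to parse the BLOB
     * @param set             trust anchors for the BLOB header's certificate chain
     */
    public FidoMDS3MetadataBLOBProvider(@NotNull ObjectConverter objectConverter, @NotNull Set<TrustAnchor> set) {
        this(objectConverter, DEFAULT_BLOB_ENDPOINT, set);
    }

    /**
     * Fetches from {@link #DEFAULT_BLOB_ENDPOINT} with a single root certificate as trust anchor.
     *
     * @param objectConverter converter used to parse the BLOB
     * @param x509Certificate root certificate the BLOB header's chain must chain to
     */
    public FidoMDS3MetadataBLOBProvider(@NotNull ObjectConverter objectConverter, @NotNull X509Certificate x509Certificate) {
        this(objectConverter, Collections.singleton(new TrustAnchor(x509Certificate, null)));
    }

    /**
     * Fetches, parses and validates the BLOB.
     *
     * <p>Both checks must pass: the BLOB signature ({@code isValidSignature()}) and the header
     * certificate chain ({@link #validateCertPath(MetadataBLOB)}). The response body stream is
     * closed once it has been read.
     *
     * @return the validated BLOB
     * @throws MDSException if the response body cannot be read, the signature is invalid, or
     *                      certificate chain validation fails
     */
    @Override
    @NotNull
    protected MetadataBLOB doProvide() {
        // try-with-resources: the body stream was previously left open after readAllBytes().
        try (InputStream body = this.httpClient.fetch(this.blobEndpoint).getBody()) {
            MetadataBLOB parse = this.metadataBLOBFactory.parse(new String(body.readAllBytes(), StandardCharsets.UTF_8));
            if (!parse.isValidSignature()) {
                throw new MDSException("MetadataBLOB signature is invalid");
            }
            validateCertPath(parse);
            return parse;
        } catch (IOException e) {
            throw new MDSException("Failed to parse response as String", e);
        }
    }

    /**
     * Runs the configured {@link CertPathChecker} on the BLOB header's x5c chain.
     *
     * @param metadataBLOB parsed BLOB whose header chain is validated
     * @throws MDSException wrapping the {@link CertPathCheckException} when validation fails
     */
    private void validateCertPath(@NotNull MetadataBLOB metadataBLOB) {
        try {
            this.certPathChecker.check(new CertPathCheckContext(metadataBLOB.getHeader().getX5c(), this.trustAnchors, this.revocationCheckEnabled));
        } catch (CertPathCheckException e) {
            throw new MDSException("MetadataBLOB certificate chain validation failed", e);
        }
    }

    /**
     * @return whether revocation checking is requested for the BLOB header's certificate chain
     */
    public boolean isRevocationCheckEnabled() {
        return this.revocationCheckEnabled;
    }

    /**
     * Enables or disables revocation checking for the BLOB header's certificate chain.
     * With the default checker, disabling it means a revoked certificate in the chain is no
     * longer rejected; custom checkers receive the flag through the {@link CertPathCheckContext}.
     *
     * @param z true to check revocation (the default), false to skip it
     */
    public void setRevocationCheckEnabled(boolean z) {
        this.revocationCheckEnabled = z;
    }

    /**
     * @return the checker used for the BLOB header's certificate chain (a PKIX checker by default)
     */
    @NotNull
    public CertPathChecker getCertPathChecker() {
        return this.certPathChecker;
    }

    /**
     * Replaces the checker used for the BLOB header's certificate chain.
     *
     * @param certPathChecker checker to use
     * @throws NullPointerException if {@code certPathChecker} is null
     */
    public void setCertPathChecker(@NotNull CertPathChecker certPathChecker) {
        this.certPathChecker = Objects.requireNonNull(certPathChecker, "certPathChecker");
    }
}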
