package com.webauthn4j.test.authenticator.webauthn;

import com.webauthn4j.converter.AuthenticatorDataConverter;
import com.webauthn4j.converter.util.CborConverter;
import com.webauthn4j.converter.util.ObjectConverter;
import com.webauthn4j.data.PublicKeyCredentialDescriptor;
import com.webauthn4j.data.PublicKeyCredentialParameters;
import com.webauthn4j.data.PublicKeyCredentialRpEntity;
import com.webauthn4j.data.PublicKeyCredentialType;
import com.webauthn4j.data.attestation.AttestationObject;
import com.webauthn4j.data.attestation.authenticator.AAGUID;
import com.webauthn4j.data.attestation.authenticator.AttestedCredentialData;
import com.webauthn4j.data.attestation.authenticator.AuthenticatorData;
import com.webauthn4j.data.attestation.authenticator.COSEKey;
import com.webauthn4j.data.attestation.authenticator.EC2COSEKey;
import com.webauthn4j.data.attestation.authenticator.RSACOSEKey;
import com.webauthn4j.data.attestation.statement.AttestationStatement;
import com.webauthn4j.data.attestation.statement.COSEAlgorithmIdentifier;
import com.webauthn4j.data.extension.authenticator.AuthenticationExtensionAuthenticatorOutput;
import com.webauthn4j.data.extension.authenticator.AuthenticationExtensionsAuthenticatorOutputs;
import com.webauthn4j.data.extension.authenticator.RegistrationExtensionAuthenticatorOutput;
import com.webauthn4j.data.extension.client.AuthenticationExtensionsClientInputs;
import com.webauthn4j.data.extension.client.RegistrationExtensionClientInput;
import com.webauthn4j.test.CACertificatePath;
import com.webauthn4j.test.CipherUtil;
import com.webauthn4j.test.TestAttestationUtil;
import com.webauthn4j.test.TestDataUtil;
import com.webauthn4j.test.authenticator.u2f.FIDOU2FAuthenticator;
import com.webauthn4j.test.authenticator.webauthn.exception.ConstraintException;
import com.webauthn4j.test.authenticator.webauthn.exception.InvalidStateException;
import com.webauthn4j.test.authenticator.webauthn.exception.NotAllowedException;
import com.webauthn4j.test.authenticator.webauthn.exception.NotSupportedException;
import com.webauthn4j.test.authenticator.webauthn.exception.WebAuthnModelException;
import com.webauthn4j.test.client.AuthenticationEmulationOption;
import com.webauthn4j.test.client.RegistrationEmulationOption;
import com.webauthn4j.util.ECUtil;
import com.webauthn4j.util.MessageDigestUtil;
import com.webauthn4j.util.RSAUtil;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;

/* loaded from: input_file:com/webauthn4j/test/authenticator/webauthn/WebAuthnModelAuthenticator.class */
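/**
 * In-memory model of a WebAuthn authenticator used by the test suite.
 * <p>
 * It follows the authenticator operations of the WebAuthn model (makeCredential / getAssertion)
 * closely enough to drive relying-party code under test, but it has no user interface: user
 * presence and user verification are never actually performed, they are simply reported.
 * Subclasses supply the attestation statement format ({@link #createAttestationStatement}) and the
 * attestation certificate ({@link #createAttestationCertificate}).
 * <p>
 * Credential handling: resident credentials are kept in an in-memory map keyed by
 * (rpId, userHandle); non-resident credentials are not stored at all — their credential ID is the
 * CBOR-encoded credential source encrypted under a per-instance random key, and is unwrapped again
 * in {@link #lookup(byte[])}.
 * <p>
 * Not thread-safe: the credential store and the signature counter are unsynchronized.
 */
public abstract class WebAuthnModelAuthenticator implements WebAuthnAuthenticator {

    // Bits of the authenticator data "flags" byte.
    private static final byte FLAG_UP = 0x01;        // user present
    private static final byte FLAG_UV = 0x04;        // user verified
    private static final byte FLAG_AT = 0x40;        // attested credential data included
    private static final byte FLAG_ED = (byte) 0x80; // extension data included

    private static final int CREDENTIAL_ID_LENGTH = 32;
    private static final int CREDENTIAL_ENCRYPTION_KEY_LENGTH = 32;

    private static final List<COSEAlgorithmIdentifier> EC_ALGORITHMS = Arrays.asList(
            COSEAlgorithmIdentifier.ES256, COSEAlgorithmIdentifier.ES384, COSEAlgorithmIdentifier.ES512);
    private static final List<COSEAlgorithmIdentifier> RSA_ALGORITHMS = Arrays.asList(
            COSEAlgorithmIdentifier.RS256, COSEAlgorithmIdentifier.RS384, COSEAlgorithmIdentifier.RS512,
            COSEAlgorithmIdentifier.PS256, COSEAlgorithmIdentifier.PS384, COSEAlgorithmIdentifier.PS512);

    private static final SecureRandom secureRandom = new SecureRandom();

    protected final ObjectConverter objectConverter;
    private final CborConverter cborConverter;
    private final AAGUID aaguid;
    private final KeyPair attestationKeyPair;
    private final CACertificatePath caCertificatePath;
    private final PrivateKey attestationIssuerPrivateKey;
    // Resident credentials only; non-resident ones live inside their own credential ID.
    private final Map<CredentialMapKey, PublicKeyCredentialSource> credentialMap;
    private final boolean capableOfUserVerification;
    private final AuthenticatorDataConverter authenticatorDataConverter;
    // Random per instance and held only in memory: wraps non-resident credential sources into IDs.
    private final byte[] credentialEncryptionKey;
    private int counter;
    private boolean countUpEnabled;

    /**
     * Creates a model authenticator.
     *
     * @param aaguid                      AAGUID reported in attested credential data
     * @param attestationKeyPair          key pair used by subclasses to sign attestation statements
     * @param caCertificatePath           CA path exposed to subclasses building attestation certificates
     * @param attestationIssuerPrivateKey private key of the attestation issuer (first CA in the path)
     * @param counter                     initial signature counter value
     * @param capableOfUserVerification   whether the model reports itself as UV-capable
     * @param objectConverter             converter used for CBOR (credential wrapping, authenticator data)
     */
    public WebAuthnModelAuthenticator(AAGUID aaguid, KeyPair attestationKeyPair, CACertificatePath caCertificatePath, PrivateKey attestationIssuerPrivateKey, int counter, boolean capableOfUserVerification, ObjectConverter objectConverter) {
        this.countUpEnabled = true;
        this.aaguid = aaguid;
        this.attestationKeyPair = attestationKeyPair;
        this.caCertificatePath = caCertificatePath;
        this.attestationIssuerPrivateKey = attestationIssuerPrivateKey;
        this.credentialMap = new HashMap<>();
        this.counter = counter;
        this.capableOfUserVerification = capableOfUserVerification;
        this.objectConverter = objectConverter;
        this.cborConverter = objectConverter.getCborConverter();
        this.authenticatorDataConverter = new AuthenticatorDataConverter(objectConverter);
        this.credentialEncryptionKey = new byte[CREDENTIAL_ENCRYPTION_KEY_LENGTH];
        secureRandom.nextBytes(this.credentialEncryptionKey);
    }

    /**
     * Creates a model authenticator with the zero AAGUID, the 3-tier test attestation key material,
     * a counter starting at 0 and UV capability enabled.
     */
    public WebAuthnModelAuthenticator() {
        this(AAGUID.ZERO,
                new KeyPair(TestAttestationUtil.load3tierTestAuthenticatorAttestationPublicKey(), TestAttestationUtil.load3tierTestAuthenticatorAttestationPrivateKey()),
                TestAttestationUtil.load3tierTestCACertificatePath(),
                TestAttestationUtil.load3tierTestIntermediateCAPrivateKey(),
                0,
                true,
                new ObjectConverter());
    }

    /**
     * Resolves a credential ID to its credential source.
     * <p>
     * Resident credentials are matched by ID in the in-memory store. Any other ID is treated as a
     * wrapped credential: it is decrypted with this instance's {@code credentialEncryptionKey} and
     * CBOR-decoded. Any runtime failure while unwrapping is reported as "unknown credential" by
     * returning {@code null}; since the wrapping key is generated per instance, IDs issued by a
     * different instance are expected to end up here.
     *
     * @param credentialId the credential ID to resolve; {@code null} resolves to {@code null}
     * @return the credential source, or {@code null} if this authenticator does not know the ID
     */
    public PublicKeyCredentialSource lookup(byte[] credentialId) {
        if (credentialId == null) {
            return null;
        }
        if (isCapableOfStoringClientSideResidentCredential()) {
            for (PublicKeyCredentialSource stored : this.credentialMap.values()) {
                if (Arrays.equals(credentialId, stored.getId())) {
                    return stored;
                }
            }
        }
        try {
            byte[] plaintext = CipherUtil.decrypt(credentialId, this.credentialEncryptionKey);
            PublicKeyCredentialSource source = this.cborConverter.readValue(plaintext, PublicKeyCredentialSource.class);
            // The ID is not part of the wrapped payload; restore it from the input.
            source.setId(credentialId);
            return source;
        } catch (RuntimeException ignored) {
            // Not a credential wrapped by this instance (or not a wrapped credential at all).
            return null;
        }
    }

    /**
     * Performs the authenticatorMakeCredential operation.
     * <p>
     * The model grants user consent and user verification unconditionally (there is no UI), so a
     * credential in the exclude list that belongs to this authenticator and RP always results in
     * {@link InvalidStateException}. The returned authenticator data carries UP, UV and AT; ED is set
     * only if {@link #processRegistrationExtensions} produced any output.
     *
     * @param makeCredentialRequest       the request (RP, user, allowed algorithms, exclude list, requirements)
     * @param registrationEmulationOption options forwarded to {@link #createAttestationStatement}
     * @return a response holding the attestation object
     * @throws NotSupportedException  if no requested (type, alg) pair is supported
     * @throws InvalidStateException  if an excluded credential of this authenticator matches the RP
     * @throws ConstraintException    if resident-key or UV is required but not supported
     * @throws WebAuthnModelException wrapping any runtime failure during key generation or attestation
     */
    @Override
    public MakeCredentialResponse makeCredential(MakeCredentialRequest makeCredentialRequest, RegistrationEmulationOption registrationEmulationOption) {
        PublicKeyCredentialRpEntity rpEntity = makeCredentialRequest.getRpEntity();

        // Step 2: select the first requested (type, alg) combination this authenticator handles.
        PublicKeyCredentialParameters selectedParameters = makeCredentialRequest.getCredTypesAndPublicKeyAlgs().stream()
                .filter(this::isCapableOfHandling)
                .findFirst()
                .orElseThrow(() -> new NotSupportedException("Specified PublicKeyCredentialParameters are not supported"));

        // No UI in this model: consent and verification are always granted.
        final boolean userConsent = true;
        final boolean userVerification = true;

        // Step 3: refuse to create a second credential for one already held for this RP.
        // Excluded IDs go through lookup(), so both resident and wrapped IDs are recognised.
        List<PublicKeyCredentialDescriptor> excludeList = makeCredentialRequest.getExcludeCredentialDescriptorList();
        if (excludeList == null) {
            excludeList = Collections.emptyList();
        }
        for (PublicKeyCredentialDescriptor descriptor : excludeList) {
            PublicKeyCredentialSource existing = lookup(descriptor.getId());
            if (existing != null
                    && existing.getRpId().equals(rpEntity.getId())
                    && existing.getType().equals(descriptor.getType())) {
                if (userConsent) {
                    throw new InvalidStateException("");
                }
                throw new NotAllowedException("User consent is required");
            }
        }

        // Steps 4-6: capability and consent requirements.
        if (makeCredentialRequest.isRequireResidentKey() && !isCapableOfStoringClientSideResidentCredential()) {
            throw new ConstraintException("Authenticator isn't capable of storing client-side resident credential");
        }
        if (makeCredentialRequest.isRequireUserVerification() && !isCapableOfUserVerification()) {
            throw new ConstraintException("Authenticator isn't capable of user verification");
        }
        if (makeCredentialRequest.isRequireUserVerification() && !userVerification) {
            throw new NotAllowedException("User is not verified.");
        }
        if (makeCredentialRequest.isRequireUserPresence() && !userConsent) {
            throw new NotAllowedException("User doesn't resolve consent.");
        }

        COSEAlgorithmIdentifier alg = selectedParameters.getAlg();
        try {
            // Step 7: generate the credential key pair in COSE form.
            COSEKey credentialPublicKey;
            COSEKey credentialPrivateKey;
            COSEKey credentialKeyPair;
            if (EC_ALGORITHMS.contains(alg)) {
                KeyPair keyPair = ECUtil.createKeyPair();
                ECPublicKey ecPublicKey = (ECPublicKey) keyPair.getPublic();
                ECPrivateKey ecPrivateKey = (ECPrivateKey) keyPair.getPrivate();
                credentialPublicKey = TestDataUtil.createEC2COSEPublicKey(ecPublicKey);
                credentialPrivateKey = TestDataUtil.createEC2COSEPrivateKey(ecPublicKey, ecPrivateKey);
                credentialKeyPair = EC2COSEKey.create(keyPair, alg);
            } else if (RSA_ALGORITHMS.contains(alg)) {
                KeyPair keyPair = RSAUtil.createKeyPair();
                RSAPublicKey rsaPublicKey = (RSAPublicKey) keyPair.getPublic();
                RSAPrivateKey rsaPrivateKey = (RSAPrivateKey) keyPair.getPrivate();
                credentialPublicKey = RSACOSEKey.create(rsaPublicKey, alg);
                credentialPrivateKey = RSACOSEKey.create(rsaPrivateKey, alg);
                credentialKeyPair = RSACOSEKey.create(keyPair, alg);
            } else {
                // Unreachable while isCapableOfHandling admits only ES256/PS256; kept as a guard.
                throw new NotSupportedException("Specified alg are not supported");
            }

            byte[] userHandle = makeCredentialRequest.getUserEntity().getId();
            PublicKeyCredentialSource source = new PublicKeyCredentialSource();
            source.setType(PublicKeyCredentialType.PUBLIC_KEY);
            source.setPrivateKey(credentialPrivateKey);
            source.setRpId(rpEntity.getId());
            source.setUserHandle(userHandle);
            source.setOtherUI(null);

            byte[] credentialId;
            if (makeCredentialRequest.isRequireResidentKey()) {
                // Resident: random ID, source stored in memory. An existing entry for the same
                // (rpId, userHandle) is replaced.
                credentialId = new byte[CREDENTIAL_ID_LENGTH];
                secureRandom.nextBytes(credentialId);
                source.setId(credentialId);
                this.credentialMap.put(new CredentialMapKey(rpEntity.getId(), userHandle), source);
            } else {
                // Non-resident: nothing is stored; the ID is the wrapped credential source itself
                // and lookup() unwraps it with credentialEncryptionKey.
                credentialId = CipherUtil.encrypt(this.cborConverter.writeValueAsBytes(source), this.credentialEncryptionKey);
            }

            AuthenticationExtensionsAuthenticatorOutputs<RegistrationExtensionAuthenticatorOutput> extensionOutputs =
                    processRegistrationExtensions(makeCredentialRequest);

            countUp();
            byte[] rpIdHash = MessageDigestUtil.createSHA256().digest(rpEntity.getId().getBytes(StandardCharsets.UTF_8));
            byte flags = FLAG_AT;
            if (userConsent) {
                flags |= FLAG_UP;
            }
            if (userVerification) {
                flags |= FLAG_UV;
            }
            if (!extensionOutputs.getKeys().isEmpty()) {
                flags |= FLAG_ED;
            }
            AttestedCredentialData attestedCredentialData = new AttestedCredentialData(this.aaguid, credentialId, credentialPublicKey);
            AuthenticatorData<RegistrationExtensionAuthenticatorOutput> authenticatorData =
                    new AuthenticatorData<>(rpIdHash, flags, this.counter, attestedCredentialData, extensionOutputs);

            // The attestation signature covers authenticatorData || clientDataHash.
            byte[] signedData = getSignedData(this.authenticatorDataConverter.convert(authenticatorData), makeCredentialRequest.getHash());
            AttestationStatementRequest statementRequest = new AttestationStatementRequest(signedData, credentialKeyPair, makeCredentialRequest.getHash());
            AttestationStatement attestationStatement = createAttestationStatement(statementRequest, registrationEmulationOption);

            MakeCredentialResponse response = new MakeCredentialResponse();
            response.setAttestationObject(new AttestationObject(authenticatorData, attestationStatement));
            return response;
        } catch (RuntimeException e) {
            throw new WebAuthnModelException(e);
        }
    }

    /**
     * Builds the registration extension outputs.
     * <p>
     * No authenticator extension is implemented in this model: the client's requested extensions
     * are ignored and the output is always empty, so the ED flag is never set on registration.
     *
     * @param makeCredentialRequest the request whose extensions would be processed
     * @return empty registration extension outputs
     */
    private AuthenticationExtensionsAuthenticatorOutputs<RegistrationExtensionAuthenticatorOutput> processRegistrationExtensions(MakeCredentialRequest makeCredentialRequest) {
        return new AuthenticationExtensionsAuthenticatorOutputs.BuilderForRegistration().build();
    }

    /**
     * Performs makeCredential with default {@link RegistrationEmulationOption}s.
     *
     * @param makeCredentialRequest the request
     * @return the response holding the attestation object
     */
    public MakeCredentialResponse makeCredential(MakeCredentialRequest makeCredentialRequest) {
        return makeCredential(makeCredentialRequest, new RegistrationEmulationOption());
    }

    /**
     * Performs the authenticatorGetAssertion operation.
     * <p>
     * Candidates are the resident credentials when the allow list is empty or absent
     * (discoverable-credential flow), otherwise the allow-list entries that {@link #lookup(byte[])}
     * resolves. Of the candidates bound to the requested RP ID the first one is used; no credential
     * selection by the user is modelled. As a test double, the model reports exactly the UP/UV bits
     * the request requires without performing any user interaction — a real authenticator only sets
     * UV after verifying the user. No authentication extensions are produced.
     *
     * @param getAssertionRequest         the request (RP ID, client data hash, allow list, requirements)
     * @param authenticationEmulationOption emulation options (currently unused by this model)
     * @return the assertion: credential ID, authenticator data, signature and user handle
     * @throws NotAllowedException if no candidate credential belongs to the requested RP ID
     */
    @Override
    public GetAssertionResponse getAssertion(GetAssertionRequest getAssertionRequest, AuthenticationEmulationOption authenticationEmulationOption) {
        List<PublicKeyCredentialDescriptor> allowList = getAssertionRequest.getAllowCredentialDescriptorList();
        List<PublicKeyCredentialSource> candidates = new ArrayList<>();
        if (allowList == null || allowList.isEmpty()) {
            candidates.addAll(this.credentialMap.values());
        } else {
            for (PublicKeyCredentialDescriptor descriptor : allowList) {
                PublicKeyCredentialSource source = lookup(descriptor.getId());
                if (source != null) {
                    candidates.add(source);
                }
            }
        }

        String rpId = getAssertionRequest.getRpId();
        List<PublicKeyCredentialSource> matching = candidates.stream()
                .filter(source -> source.getRpId().equals(rpId))
                .collect(Collectors.toList());
        if (matching.isEmpty()) {
            throw new NotAllowedException("No matching authenticator found");
        }

        byte flags = 0;
        if (getAssertionRequest.isRequireUserVerification()) {
            flags |= FLAG_UV;
        }
        if (getAssertionRequest.isRequireUserPresence()) {
            flags |= FLAG_UP;
        }

        PublicKeyCredentialSource selected = matching.get(0);
        AuthenticationExtensionsAuthenticatorOutputs<AuthenticationExtensionAuthenticatorOutput> extensionOutputs =
                new AuthenticationExtensionsAuthenticatorOutputs<>();
        if (!extensionOutputs.getKeys().isEmpty()) {
            flags |= FLAG_ED;
        }

        countUp();
        byte[] rpIdHash = MessageDigestUtil.createSHA256().digest(rpId.getBytes(StandardCharsets.UTF_8));
        AuthenticatorData<AuthenticationExtensionAuthenticatorOutput> authenticatorData =
                new AuthenticatorData<>(rpIdHash, flags, this.counter, extensionOutputs);
        byte[] authenticatorDataBytes = this.authenticatorDataConverter.convert(authenticatorData);
        byte[] clientDataHash = getAssertionRequest.getHash();
        // The assertion signature covers authenticatorData || clientDataHash.
        byte[] signature = TestDataUtil.calculateSignature(selected.getPrivateKey(), getSignedData(authenticatorDataBytes, clientDataHash));

        GetAssertionResponse response = new GetAssertionResponse();
        response.setCredentialId(selected.getId());
        response.setAuthenticatorData(authenticatorDataBytes);
        response.setSignature(signature);
        response.setUserHandle(selected.getUserHandle());
        return response;
    }

    /**
     * Performs getAssertion with default {@link AuthenticationEmulationOption}s.
     *
     * @param getAssertionRequest the request
     * @return the assertion response
     */
    public GetAssertionResponse getAssertion(GetAssertionRequest getAssertionRequest) {
        return getAssertion(getAssertionRequest, new AuthenticationEmulationOption());
    }

    /** @return the UV capability configured at construction */
    @Override
    public boolean isCapableOfUserVerification() {
        return this.capableOfUserVerification;
    }

    /** @return always {@code true}; this model keeps resident credentials in memory */
    @Override
    public boolean isCapableOfStoringClientSideResidentCredential() {
        return true;
    }

    /**
     * Tells whether a requested credential type / algorithm pair is supported.
     * Only public-key credentials with ES256 or PS256 are accepted.
     *
     * @param parameters the requested pair
     * @return {@code true} if supported
     */
    private boolean isCapableOfHandling(PublicKeyCredentialParameters parameters) {
        if (!PublicKeyCredentialType.PUBLIC_KEY.equals(parameters.getType())) {
            return false;
        }
        COSEAlgorithmIdentifier alg = parameters.getAlg();
        return COSEAlgorithmIdentifier.ES256.equals(alg) || COSEAlgorithmIdentifier.PS256.equals(alg);
    }

    /** @return whether the signature counter advances on each operation */
    @Override
    public boolean isCountUpEnabled() {
        return this.countUpEnabled;
    }

    /**
     * Enables or disables advancing the signature counter. Disabling it lets tests emulate an
     * authenticator whose counter does not move, e.g. to exercise a relying party's counter checks.
     *
     * @param countUpEnabled {@code true} to increment the counter on each operation
     */
    public void setCountUpEnabled(boolean countUpEnabled) {
        this.countUpEnabled = countUpEnabled;
    }

    /**
     * Concatenates the data that WebAuthn signatures cover: {@code authenticatorData || clientDataHash}.
     *
     * @param authenticatorData serialized authenticator data
     * @param clientDataHash    hash of the client data
     * @return the concatenation
     */
    private byte[] getSignedData(byte[] authenticatorData, byte[] clientDataHash) {
        return ByteBuffer.allocate(authenticatorData.length + clientDataHash.length)
                .put(authenticatorData)
                .put(clientDataHash)
                .array();
    }

    /** Increments the signature counter unless counting is disabled. */
    private void countUp() {
        if (isCountUpEnabled()) {
            this.counter++;
        }
    }

    /**
     * Produces the attestation statement for a new credential; the format is chosen by the subclass.
     *
     * @param attestationStatementRequest signed data, credential key and client data hash
     * @param registrationEmulationOption emulation options controlling the statement
     * @return the attestation statement
     */
    public abstract AttestationStatement createAttestationStatement(AttestationStatementRequest attestationStatementRequest, RegistrationEmulationOption registrationEmulationOption);

    /**
     * Produces the attestation statement with default {@link RegistrationEmulationOption}s.
     *
     * @param attestationStatementRequest signed data, credential key and client data hash
     * @return the attestation statement
     */
    public AttestationStatement createAttestationStatement(AttestationStatementRequest attestationStatementRequest) {
        return createAttestationStatement(attestationStatementRequest, new RegistrationEmulationOption());
    }

    /**
     * Builds the (version 3) attestation certificate for a statement; supplied by the subclass.
     *
     * @param attestationStatementRequest the statement being attested
     * @param attestationOption           certificate options
     * @return the attestation certificate
     */
    abstract X509Certificate createAttestationCertificate(AttestationStatementRequest attestationStatementRequest, AttestationOption attestationOption);

    /**
     * Returns the attestation certificate for the requested X.509 version: a dummy certificate for
     * version 1, the subclass-built certificate for version 3.
     *
     * @param attestationStatementRequest the statement being attested
     * @param attestationOption           options, including the X.509 certificate version
     * @return the attestation certificate
     * @throws IllegalArgumentException for any version other than 1 or 3
     */
    public X509Certificate getAttestationCertificate(AttestationStatementRequest attestationStatementRequest, AttestationOption attestationOption) {
        switch (attestationOption.getX509CertificateVersion()) {
            case 1:
                return TestAttestationUtil.createV1DummyCertificate();
            case 3:
                return createAttestationCertificate(attestationStatementRequest, attestationOption);
            default:
                throw new IllegalArgumentException("Only version 1 or 3 are supported.");
        }
    }

    /** @return the attestation key pair given at construction */
    public KeyPair getAttestationKeyPair() {
        return this.attestationKeyPair;
    }

    /** @return the CA certificate path given at construction */
    public CACertificatePath getCACertificatePath() {
        return this.caCertificatePath;
    }

    /** @return the attestation issuer's private key given at construction */
    public PrivateKey getAttestationIssuerPrivateKey() {
        return this.attestationIssuerPrivateKey;
    }

    /**
     * Returns the first certificate of the CA path, treated as the attestation issuer.
     *
     * @return the issuer certificate
     * @throws IllegalStateException if the CA path is empty
     */
    public X509Certificate getAttestationIssuerCertificate() {
        if (this.caCertificatePath.isEmpty()) {
            throw new IllegalStateException("caCertificatePath is empty");
        }
        return this.caCertificatePath.get(0);
    }
}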
