package io.vertx.ext.auth.webauthn.impl.attestation;

import io.vertx.core.buffer.Buffer;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.impl.Codec;
import io.vertx.ext.auth.impl.asn.ASN1;
import io.vertx.ext.auth.webauthn.AttestationCertificates;
import io.vertx.ext.auth.webauthn.PublicKeyCredential;
import io.vertx.ext.auth.webauthn.WebAuthnOptions;
import io.vertx.ext.auth.webauthn.impl.AuthData;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaData;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaDataException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

/* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/attestation/AndroidKeyAttestation.class */
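/**
 * Verifies WebAuthn attestation statements of format {@code android-key}.
 *
 * <p>The attestation statement carries a signature over {@code authData || SHA-256(clientDataJSON)},
 * an algorithm identifier and an X.509 chain whose leaf is the attestation certificate. Besides
 * checking the signature, the leaf certificate must hold the credential public key and must carry
 * the Android Key attestation extension, whose challenge must equal the clientData hash and whose
 * authorization lists must not bind the key to "all applications".
 */
public class AndroidKeyAttestation implements Attestation {
    /** Default used when a metadata statement carries no {@code attestationRootCertificates}. */
    private static final JsonArray EMPTY = new JsonArray(Collections.emptyList());

    /** OID of the Android Key attestation extension (KeyDescription) in the leaf certificate. */
    private static final String ANDROID_KEY_ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.17";

    /** ASN.1 universal tag numbers expected while unwrapping the extension value. */
    private static final int ASN1_OCTET_STRING = 4;
    private static final int ASN1_SEQUENCE = 16;

    /** Positions inside the KeyDescription SEQUENCE read by this verifier. */
    private static final int KD_ATTESTATION_CHALLENGE = 4;
    private static final int KD_SOFTWARE_ENFORCED = 6;
    private static final int KD_TEE_ENFORCED = 7;

    /** Context tag of the {@code allApplications} entry inside an AuthorizationList. */
    private static final int TAG_ALL_APPLICATIONS = 600;

    @Override
    public String fmt() {
        return "android-key";
    }

    /**
     * Validates an {@code android-key} attestation statement.
     *
     * @param webAuthnOptions options holding the configured root certificate for this format
     * @param metaData        metadata service used to look up the authenticator statement by AAGUID
     * @param bArr            the raw clientDataJSON bytes; hashed with SHA-256 for the signature base
     * @param jsonObject      the decoded attestation object; {@code attStmt} is read from it
     * @param authData        the parsed authenticator data (raw bytes, AAGUID, credential key)
     * @return the algorithm and certificate chain of the accepted attestation
     * @throws AttestationException if any structural, cryptographic or policy check fails; checked
     *                              exceptions from the crypto and metadata layers are wrapped
     */
    @Override
    public AttestationCertificates validate(WebAuthnOptions webAuthnOptions, MetaData metaData, byte[] bArr, JsonObject jsonObject, AuthData authData) throws AttestationException {
        try {
            byte[] clientDataHash = Attestation.hash("SHA-256", bArr);
            // signature base per the WebAuthn spec: authenticatorData || clientDataHash
            byte[] signatureBase = Buffer.buffer()
                .appendBytes(authData.getRaw())
                .appendBytes(clientDataHash)
                .getBytes();

            // attStmt comes from the client; fail with a clear error rather than an NPE on missing fields
            JsonObject attStmt = jsonObject.getJsonObject("attStmt");
            if (attStmt == null) {
                throw new AttestationException("Attestation statement is missing!");
            }
            Integer algId = attStmt.getInteger("alg");
            if (algId == null) {
                throw new AttestationException("Attestation statement has no 'alg'!");
            }
            String encodedSignature = attStmt.getString("sig");
            if (encodedSignature == null) {
                throw new AttestationException("Attestation statement has no 'sig'!");
            }
            JsonArray x5c = attStmt.getJsonArray("x5c");
            if (x5c == null || x5c.isEmpty()) {
                throw new AttestationException("Invalid certificate chain");
            }

            PublicKeyCredential alg = PublicKeyCredential.valueOf(algId.intValue());
            byte[] signature = Codec.base64UrlDecode(encodedSignature);
            List<X509Certificate> chain = Attestation.parseX5c(x5c);
            if (chain.isEmpty()) {
                throw new AttestationException("Invalid certificate chain");
            }

            // the first certificate is the attestation (leaf) certificate
            X509Certificate leaf = chain.get(0);
            Attestation.verifySignature(alg, leaf, signature, signatureBase);

            JsonObject statement = metaData.verifyMetadata(authData.getAaguidString(), alg, chain);

            // the attested key must be the credential key, otherwise the attestation says nothing about it
            if (!leaf.getPublicKey().equals(authData.getCredentialJWK().publicKey())) {
                throw new AttestationException("Certificate public key does not match public key in authData!");
            }

            // getExtensionValue returns null when the extension is absent
            byte[] extensionValue = leaf.getExtensionValue(ANDROID_KEY_ATTESTATION_OID);
            if (extensionValue == null) {
                throw new AttestationException("Attestation Extension is missing!");
            }
            // the extension value is an OCTET STRING wrapping the DER-encoded KeyDescription SEQUENCE
            ASN1.ASN wrapper = ASN1.parseASN1(Buffer.buffer(extensionValue));
            if (!wrapper.is(ASN1_OCTET_STRING)) {
                throw new AttestationException("Attestation Extension is not an ASN.1 OCTECT string!");
            }
            ASN1.ASN keyDescription = ASN1.parseASN1(Buffer.buffer(wrapper.binary(0)));
            if (!keyDescription.is(ASN1_SEQUENCE)) {
                throw new AttestationException("Attestation Extension Value is not an ASN.1 SEQUENCE!");
            }

            // constant-time compare: the challenge baked into the certificate must be this ceremony's hash
            if (!MessageDigest.isEqual(clientDataHash, keyDescription.object(KD_ATTESTATION_CHALLENGE).binary(0))) {
                throw new AttestationException("Certificate attestation challenge is not set to the clientData hash!");
            }

            rejectAllApplications(keyDescription.object(KD_SOFTWARE_ENFORCED), "Software");
            rejectAllApplications(keyDescription.object(KD_TEE_ENFORCED), "TEE");

            // without metadata-provided roots, the chain must end in the locally configured root
            if (statement == null || statement.getJsonArray("attestationRootCertificates", EMPTY).isEmpty()) {
                verifyConfiguredRoot(webAuthnOptions, x5c);
            }

            // NOTE(review): a metadata statement is accepted when it declares "anonca"; confirm this is
            // the intended attestation type for android-key (FIDO MDS commonly lists it as basic_full).
            if (statement == null || MetaData.statementAttestationTypesContains(statement, MetaData.ATTESTATION_ANONCA)) {
                return new AttestationCertificates()
                    .setAlg(alg)
                    .setX5c(x5c);
            }
            throw new AttestationException("Metadata does not indicate support for anonca attestations");
        } catch (MetaDataException | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            throw new AttestationException(e);
        }
    }

    /**
     * Rejects an AuthorizationList that carries the {@code allApplications} entry (tag 600):
     * such a key may be used by any application, so it is not bound to the relying party.
     *
     * @param authorizationList the softwareEnforced or teeEnforced list from the KeyDescription
     * @param listName          prefix for the error message ("Software" or "TEE")
     * @throws AttestationException if the entry is present
     */
    private static void rejectAllApplications(ASN1.ASN authorizationList, String listName) throws AttestationException {
        for (Object entry : authorizationList.value) {
            if (entry instanceof ASN1.ASN && ((ASN1.ASN) entry).tag.number == TAG_ALL_APPLICATIONS) {
                throw new AttestationException(listName + " authorisation list contains 'allApplication' flag, which means that credential is not bound to the RP!");
            }
        }
    }

    /**
     * Checks that the last certificate of {@code x5c} is byte-for-byte the root configured for
     * this attestation format.
     *
     * @param webAuthnOptions options holding the configured root certificate
     * @param x5c             the base64url-encoded certificate chain from the attestation statement
     * @throws AttestationException if no root is configured or the chain's last certificate differs
     * @throws CertificateException if the configured root cannot be re-encoded
     */
    private void verifyConfiguredRoot(WebAuthnOptions webAuthnOptions, JsonArray x5c) throws AttestationException, CertificateException {
        X509Certificate root = webAuthnOptions.getRootCertificate(fmt());
        if (root == null) {
            throw new AttestationException("Root certificate is invalid!");
        }
        byte[] chainRoot = Codec.base64UrlDecode(x5c.getString(x5c.size() - 1));
        // compare the full DER encoding in constant time
        if (!MessageDigest.isEqual(root.getEncoded(), chainRoot)) {
            throw new AttestationException("Root certificate is invalid!");
        }
    }
}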
