package io.vertx.ext.auth.webauthn.impl;

import com.fasterxml.jackson.core.JsonParser;
import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.impl.logging.Logger;
import io.vertx.core.impl.logging.LoggerFactory;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.VertxContextPRNG;
import io.vertx.ext.auth.authentication.Credentials;
import io.vertx.ext.auth.impl.Codec;
import io.vertx.ext.auth.impl.cose.CWK;
import io.vertx.ext.auth.impl.jose.JWS;
import io.vertx.ext.auth.webauthn.Authenticator;
import io.vertx.ext.auth.webauthn.AuthenticatorTransport;
import io.vertx.ext.auth.webauthn.MetaDataService;
import io.vertx.ext.auth.webauthn.PublicKeyCredential;
import io.vertx.ext.auth.webauthn.UserVerification;
import io.vertx.ext.auth.webauthn.WebAuthn;
import io.vertx.ext.auth.webauthn.WebAuthnCredentials;
import io.vertx.ext.auth.webauthn.WebAuthnOptions;
import io.vertx.ext.auth.webauthn.impl.attestation.Attestation;
import io.vertx.ext.auth.webauthn.impl.attestation.AttestationException;
import io.vertx.ext.auth.webauthn.impl.attestation.TPMAttestation;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaData;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaDataServiceImpl;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.ServiceLoader;
import java.util.UUID;
import java.util.function.Function;

/* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/WebAuthnImpl.class */
public class WebAuthnImpl implements WebAuthn {
    private static final Logger LOG = LoggerFactory.getLogger(WebAuthn.class);
    private final VertxContextPRNG random;
    private final WebAuthnOptions options;
    private final MetaDataServiceImpl mds;
    private final Map<String, Attestation> attestations = new HashMap();
    private Function<Authenticator, Future<List<Authenticator>>> fetcher = authenticator -> {
        return Future.failedFuture("Fetcher function not available");
    };
    private Function<Authenticator, Future<Void>> updater = authenticator -> {
        return Future.failedFuture("Updater function not available");
    };

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.vertx.ext.auth.webauthn.impl.WebAuthnImpl$1, reason: invalid class name */
    /* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/WebAuthnImpl$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$vertx$ext$auth$webauthn$UserVerification = new int[UserVerification.values().length];

        static {
            try {
                $SwitchMap$io$vertx$ext$auth$webauthn$UserVerification[UserVerification.REQUIRED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$vertx$ext$auth$webauthn$UserVerification[UserVerification.PREFERRED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$io$vertx$ext$auth$webauthn$UserVerification[UserVerification.DISCOURAGED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    public WebAuthnImpl(Vertx vertx, WebAuthnOptions webAuthnOptions) {
        this.random = VertxContextPRNG.current(vertx);
        this.options = webAuthnOptions;
        if (webAuthnOptions == null) {
            throw new IllegalArgumentException("options cannot be null!");
        }
        if (webAuthnOptions.getRelyingParty() == null) {
            throw new IllegalArgumentException("options.relyingParty cannot be null!");
        }
        if (webAuthnOptions.getRelyingParty().getName() == null) {
            throw new IllegalArgumentException("options.relyingParty.name cannot be null!");
        }
        this.mds = new MetaDataServiceImpl(vertx, webAuthnOptions);
        Iterator it = ServiceLoader.load(Attestation.class).iterator();
        while (it.hasNext()) {
            Attestation attestation = (Attestation) it.next();
            this.attestations.put(attestation.fmt(), attestation);
        }
    }

    private String randomBase64URLBuffer(int i) {
        byte[] bArr = new byte[i];
        this.random.nextBytes(bArr);
        return Codec.base64UrlEncode(bArr);
    }

    private void putOpt(JsonObject jsonObject, String str, Object obj) {
        if (obj != null) {
            if (obj instanceof Enum) {
                jsonObject.put(str, obj.toString());
                return;
            }
            if ((obj instanceof JsonObject) && ((JsonObject) obj).isEmpty()) {
                return;
            }
            if ((obj instanceof JsonArray) && ((JsonArray) obj).isEmpty()) {
                return;
            }
            jsonObject.put(str, obj);
        }
    }

    private void addOpt(JsonArray jsonArray, Object obj) {
        if (obj != null) {
            if (obj instanceof Enum) {
                jsonArray.add(obj.toString());
                return;
            }
            if ((obj instanceof JsonObject) && ((JsonObject) obj).isEmpty()) {
                return;
            }
            if ((obj instanceof JsonArray) && ((JsonArray) obj).isEmpty()) {
                return;
            }
            jsonArray.add(obj);
        }
    }

    private static String uUIDtoBase64Url(UUID uuid) {
        Buffer buffer = Buffer.buffer(16);
        buffer.setLong(0, uuid.getMostSignificantBits());
        buffer.setLong(8, uuid.getLeastSignificantBits());
        return Codec.base64UrlEncode(buffer.getBytes());
    }

    @Override // io.vertx.ext.auth.webauthn.WebAuthn
    public WebAuthn authenticatorFetcher(Function<Authenticator, Future<List<Authenticator>>> function) {
        if (function == null) {
            throw new IllegalArgumentException("Function cannot be null");
        }
        this.fetcher = function;
        return this;
    }

    @Override // io.vertx.ext.auth.webauthn.WebAuthn
    public WebAuthn authenticatorUpdater(Function<Authenticator, Future<Void>> function) {
        if (function == null) {
            throw new IllegalArgumentException("Function cannot be null");
        }
        this.updater = function;
        return this;
    }

    @Override // io.vertx.ext.auth.webauthn.WebAuthn
    public Future<JsonObject> createCredentialsOptions(JsonObject jsonObject) {
        return this.fetcher.apply(new Authenticator().setUserName(jsonObject.getString("name"))).map(list -> {
            JsonObject put = new JsonObject().put("rp", new JsonObject()).put("user", new JsonObject()).put("challenge", randomBase64URLBuffer(this.options.getChallengeLength())).put("pubKeyCredParams", new JsonArray()).put("authenticatorSelection", new JsonObject());
            putOpt(put.getJsonObject("rp"), "id", this.options.getRelyingParty().getId());
            putOpt(put.getJsonObject("rp"), "name", this.options.getRelyingParty().getName());
            putOpt(put.getJsonObject("rp"), "icon", this.options.getRelyingParty().getIcon());
            putOpt(put.getJsonObject("user"), "id", uUIDtoBase64Url(UUID.randomUUID()));
            putOpt(put.getJsonObject("user"), "name", jsonObject.getString("name"));
            putOpt(put.getJsonObject("user"), "displayName", jsonObject.getString("displayName"));
            putOpt(put.getJsonObject("user"), "icon", jsonObject.getString("icon"));
            Iterator<PublicKeyCredential> it = this.options.getPubKeyCredParams().iterator();
            while (it.hasNext()) {
                addOpt(put.getJsonArray("pubKeyCredParams"), new JsonObject().put("alg", Integer.valueOf(it.next().coseId())).put("type", "public-key"));
            }
            putOpt(put, "timeout", this.options.getTimeout());
            if (!list.isEmpty()) {
                JsonArray jsonArray = new JsonArray();
                Iterator<AuthenticatorTransport> it2 = this.options.getTransports().iterator();
                while (it2.hasNext()) {
                    addOpt(jsonArray, it2.next().toString());
                }
                JsonArray jsonArray2 = new JsonArray();
                Iterator it3 = list.iterator();
                while (it3.hasNext()) {
                    Authenticator authenticator = (Authenticator) it3.next();
                    JsonObject put2 = new JsonObject().put("type", authenticator.getType()).put("id", authenticator.getCredID());
                    putOpt(put2, "transports", jsonArray);
                    addOpt(jsonArray2, put2);
                }
                putOpt(put, "excludeCredentials", jsonArray2);
            }
            putOpt(put.getJsonObject("authenticatorSelection"), "requireResidentKey", Boolean.valueOf(this.options.getRequireResidentKey()));
            putOpt(put.getJsonObject("authenticatorSelection"), "authenticatorAttachment", this.options.getAuthenticatorAttachment());
            putOpt(put.getJsonObject("authenticatorSelection"), "userVerification", this.options.getUserVerification());
            putOpt(put, "attestation", this.options.getAttestation());
            putOpt(put, "extensions", this.options.getExtensions());
            return put;
        });
    }

    @Override // io.vertx.ext.auth.webauthn.WebAuthn
    public Future<JsonObject> getCredentialsOptions(String str) {
        JsonObject put = new JsonObject().put("challenge", randomBase64URLBuffer(this.options.getChallengeLength()));
        putOpt(put, "timeout", this.options.getTimeout());
        putOpt(put, "rpId", this.options.getRelyingParty().getId());
        putOpt(put, "userVerification", this.options.getUserVerification());
        putOpt(put, "extensions", this.options.getExtensions());
        return (this.options.getRequireResidentKey() && str == null) ? Future.succeededFuture(put) : this.fetcher.apply(new Authenticator().setUserName(str)).compose(list -> {
            return list.isEmpty() ? Future.failedFuture("No authenticators registered for user: " + str) : Future.succeededFuture(list);
        }).map(list2 -> {
            JsonArray jsonArray = new JsonArray();
            JsonArray jsonArray2 = new JsonArray();
            if (this.options.getTransports() != null) {
                Iterator<AuthenticatorTransport> it = this.options.getTransports().iterator();
                while (it.hasNext()) {
                    jsonArray2.add(it.next().toString());
                }
            }
            Iterator it2 = list2.iterator();
            while (it2.hasNext()) {
                String credID = ((Authenticator) it2.next()).getCredID();
                if (credID != null) {
                    JsonObject put2 = new JsonObject().put("type", "public-key").put("id", credID);
                    putOpt(put2, "transports", jsonArray2);
                    jsonArray.add(put2);
                }
            }
            putOpt(put, "allowCredentials", jsonArray);
            return put;
        });
    }

    public void authenticate(JsonObject jsonObject, Handler<AsyncResult<User>> handler) {
        authenticate(new WebAuthnCredentials(jsonObject), handler);
    }

    public void authenticate(Credentials credentials, Handler<AsyncResult<User>> handler) {
        WebAuthnCredentials webAuthnCredentials;
        JsonObject webauthn;
        byte[] base64UrlDecode;
        JsonObject jsonObject;
        try {
            webAuthnCredentials = (WebAuthnCredentials) credentials;
            webAuthnCredentials.checkValid(null);
            webauthn = webAuthnCredentials.getWebauthn();
            base64UrlDecode = Codec.base64UrlDecode(webauthn.getJsonObject("response").getString("clientDataJSON"));
            jsonObject = new JsonObject(Buffer.buffer(base64UrlDecode));
        } catch (RuntimeException e) {
            handler.handle(Future.failedFuture(e));
        }
        if (!webAuthnCredentials.getChallenge().equals(jsonObject.getString("challenge"))) {
            handler.handle(Future.failedFuture("Challenges don't match!"));
            return;
        }
        if (webAuthnCredentials.getOrigin() != null && !webAuthnCredentials.getOrigin().equals(jsonObject.getString("origin"))) {
            handler.handle(Future.failedFuture("Origins don't match!"));
            return;
        }
        if (jsonObject.containsKey("tokenBinding")) {
            JsonObject jsonObject2 = jsonObject.getJsonObject("tokenBinding");
            if (jsonObject2 == null) {
                handler.handle(Future.failedFuture("Invalid clientDataJSON.tokenBinding"));
                return;
            }
            String string = jsonObject2.getString("status");
            boolean z = -1;
            switch (string.hashCode()) {
                case -318277445:
                    if (string.equals("present")) {
                        z = false;
                        break;
                    }
                    break;
                case -19802962:
                    if (string.equals("supported")) {
                        z = true;
                        break;
                    }
                    break;
                case 967783988:
                    if (string.equals("not-supported")) {
                        z = 2;
                        break;
                    }
                    break;
            }
            switch (z) {
                case TPMAttestation.TPM_ALG_ERROR /* 0 */:
                case true:
                case MetaData.ALG_SIGN_SECP256R1_ECDSA_SHA256_DER /* 2 */:
                    break;
                default:
                    handler.handle(Future.failedFuture("Invalid clientDataJSON.tokenBinding.status"));
                    return;
            }
        }
        String username = webAuthnCredentials.getUsername();
        if (!jsonObject.containsKey("type")) {
            handler.handle(Future.failedFuture("Missing type on client data"));
            return;
        }
        String string2 = jsonObject.getString("type");
        boolean z2 = -1;
        switch (string2.hashCode()) {
            case -417943176:
                if (string2.equals("webauthn.create")) {
                    z2 = false;
                    break;
                }
                break;
            case 766685274:
                if (string2.equals("webauthn.get")) {
                    z2 = true;
                    break;
                }
                break;
        }
        switch (z2) {
            case TPMAttestation.TPM_ALG_ERROR /* 0 */:
                if (username == null) {
                    handler.handle(Future.failedFuture("username can't be null!"));
                    return;
                }
                try {
                    Authenticator verifyWebAuthNCreate = verifyWebAuthNCreate(webAuthnCredentials, base64UrlDecode);
                    verifyWebAuthNCreate.setUserName(username);
                    this.updater.apply(verifyWebAuthNCreate).onFailure(th -> {
                        handler.handle(Future.failedFuture(th));
                    }).onSuccess(r5 -> {
                        handler.handle(Future.succeededFuture(User.create(verifyWebAuthNCreate.toJson())));
                    });
                    return;
                } catch (AttestationException | IOException | RuntimeException | NoSuchAlgorithmException e2) {
                    handler.handle(Future.failedFuture(e2));
                    return;
                }
            case true:
                Authenticator authenticator = new Authenticator();
                if (this.options.getRequireResidentKey()) {
                    authenticator.setCredID(webauthn.getString("id"));
                } else {
                    if (username == null) {
                        handler.handle(Future.failedFuture("username can't be null!"));
                        return;
                    }
                    authenticator.setUserName(username);
                }
                this.fetcher.apply(authenticator).onFailure(th2 -> {
                    handler.handle(Future.failedFuture(th2));
                }).onSuccess(list -> {
                    if (list == null) {
                        list = Collections.emptyList();
                    }
                    for (Authenticator authenticator2 : list) {
                        if (webauthn.getString("id").equals(authenticator2.getCredID())) {
                            try {
                                authenticator2.setCounter(verifyWebAuthNGet(webAuthnCredentials, base64UrlDecode, authenticator2.toJson()));
                                this.updater.apply(authenticator2).onFailure(th3 -> {
                                    handler.handle(Future.failedFuture(th3));
                                }).onSuccess(r52 -> {
                                    handler.handle(Future.succeededFuture(User.create(authenticator2.toJson())));
                                });
                                return;
                            } catch (AttestationException | IOException | RuntimeException | NoSuchAlgorithmException e3) {
                                handler.handle(Future.failedFuture(e3));
                                return;
                            }
                        }
                    }
                    handler.handle(Future.failedFuture("Cannot find authenticator with id: " + webauthn.getString("id")));
                });
                return;
            default:
                handler.handle(Future.failedFuture("Can not determine type of response!"));
                return;
        }
        handler.handle(Future.failedFuture(e));
    }

    private Authenticator verifyWebAuthNCreate(WebAuthnCredentials webAuthnCredentials, byte[] bArr) throws AttestationException, IOException, NoSuchAlgorithmException {
        JsonObject jsonObject = webAuthnCredentials.getWebauthn().getJsonObject("response");
        if (!jsonObject.containsKey("attestationObject")) {
            throw new AttestationException("Missing response.attestationObject");
        }
        JsonParser cborParser = CBOR.cborParser(jsonObject.getString("attestationObject"));
        Throwable th = null;
        try {
            JsonObject jsonObject2 = new JsonObject((Map) CBOR.parse(cborParser));
            AuthData authData = new AuthData(Codec.base64UrlDecode(jsonObject2.getString("authData")));
            if (webAuthnCredentials.getDomain() != null && !MessageDigest.isEqual(authData.getRpIdHash(), Attestation.hash("SHA-256", webAuthnCredentials.getDomain().getBytes(StandardCharsets.UTF_8)))) {
                throw new AttestationException("WebAuthn rpIdHash invalid (the domain does not match the AuthData)");
            }
            switch (AnonymousClass1.$SwitchMap$io$vertx$ext$auth$webauthn$UserVerification[this.options.getUserVerification().ordinal()]) {
                case 1:
                    if (!authData.is(4) && !authData.is(1)) {
                        throw new AttestationException("User was either not verified or present during credentials creation");
                    }
                    break;
                case MetaData.ALG_SIGN_SECP256R1_ECDSA_SHA256_DER /* 2 */:
                    if (!authData.is(4) && !authData.is(1)) {
                        LOG.warn("User was either not verified or present during credentials creation");
                        break;
                    }
                    break;
                case MetaData.ALG_SIGN_RSASSA_PSS_SHA256_RAW /* 3 */:
                    if (authData.is(4) || authData.is(1)) {
                        LOG.info("User was either verified or present during credentials creation");
                        break;
                    }
                    break;
            }
            String string = jsonObject2.getString("fmt");
            Attestation attestation = this.attestations.get(string);
            if (attestation == null) {
                throw new AttestationException("Unknown attestation fmt: " + string);
            }
            if (!authData.is(64)) {
                throw new AttestationException("WebAuthn response does not contain attestation data!");
            }
            Authenticator attestationCertificates = new Authenticator().setFmt(string).setAaguid(authData.getAaguidString()).setPublicKey(Codec.base64UrlEncode(authData.getCredentialPublicKey())).setCounter(authData.getSignCounter()).setCredID(Codec.base64UrlEncode(authData.getCredentialId())).setAttestationCertificates(attestation.validate(this.options, this.mds.metadata(), bArr, jsonObject2, authData));
            if (cborParser != null) {
                if (0 != 0) {
                    try {
                        cborParser.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    cborParser.close();
                }
            }
            return attestationCertificates;
        } catch (Throwable th3) {
            if (cborParser != null) {
                if (0 != 0) {
                    try {
                        cborParser.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    cborParser.close();
                }
            }
            throw th3;
        }
    }

    private long verifyWebAuthNGet(WebAuthnCredentials webAuthnCredentials, byte[] bArr, JsonObject jsonObject) throws IOException, AttestationException, NoSuchAlgorithmException {
        JsonObject jsonObject2 = webAuthnCredentials.getWebauthn().getJsonObject("response");
        byte[] base64UrlDecode = Codec.base64UrlDecode(jsonObject2.getString("authenticatorData"));
        AuthData authData = new AuthData(base64UrlDecode);
        if (webAuthnCredentials.getDomain() != null && !MessageDigest.isEqual(authData.getRpIdHash(), Attestation.hash("SHA-256", webAuthnCredentials.getDomain().getBytes(StandardCharsets.UTF_8)))) {
            throw new AttestationException("WebAuthn rpIdHash invalid (the domain does not match the AuthData)");
        }
        switch (AnonymousClass1.$SwitchMap$io$vertx$ext$auth$webauthn$UserVerification[this.options.getUserVerification().ordinal()]) {
            case 1:
                if (!authData.is(4) || !authData.is(1)) {
                    throw new AttestationException("User was either not verified or not present during credentials creation");
                }
                break;
            case MetaData.ALG_SIGN_SECP256R1_ECDSA_SHA256_DER /* 2 */:
                if (!authData.is(4) && !authData.is(1)) {
                    LOG.warn("User was either not verified or present during credentials creation");
                    break;
                }
                break;
            case MetaData.ALG_SIGN_RSASSA_PSS_SHA256_RAW /* 3 */:
                if (authData.is(4) || authData.is(1)) {
                    LOG.info("User was either verified or present during credentials creation");
                    break;
                }
                break;
        }
        Buffer appendBytes = Buffer.buffer().appendBytes(base64UrlDecode).appendBytes(Attestation.hash("SHA-256", bArr));
        JsonParser cborParser = CBOR.cborParser(jsonObject.getString("publicKey"));
        Throwable th = null;
        try {
            if (!new JWS(CWK.toJWK(new JsonObject((Map) CBOR.parse(cborParser)))).verify(Codec.base64UrlDecode(jsonObject2.getString("signature")), appendBytes.getBytes())) {
                LOG.warn("Failed to verify signature for key: " + jsonObject.getString("publicKey"));
                throw new AttestationException("Failed to verify the signature!");
            }
            if ((authData.getSignCounter() != 0 || jsonObject.getLong("counter").longValue() != 0) && authData.getSignCounter() != 0 && authData.getSignCounter() <= jsonObject.getLong("counter", 0L).longValue()) {
                throw new AttestationException("Authenticator counter did not increase!");
            }
            long signCounter = authData.getSignCounter();
            if (cborParser != null) {
                if (0 != 0) {
                    try {
                        cborParser.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    cborParser.close();
                }
            }
            return signCounter;
        } catch (Throwable th3) {
            if (cborParser != null) {
                if (0 != 0) {
                    try {
                        cborParser.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    cborParser.close();
                }
            }
            throw th3;
        }
    }

    @Override // io.vertx.ext.auth.webauthn.WebAuthn
    public MetaDataService metaDataService() {
        return this.mds;
    }
}
