package io.vertx.ext.auth.webauthn.impl.attestation;

import io.vertx.core.buffer.Buffer;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.impl.CertificateHelper;
import io.vertx.ext.auth.impl.Codec;
import io.vertx.ext.auth.impl.asn.ASN1;
import io.vertx.ext.auth.impl.jose.JWS;
import io.vertx.ext.auth.webauthn.AttestationCertificates;
import io.vertx.ext.auth.webauthn.PublicKeyCredential;
import io.vertx.ext.auth.webauthn.WebAuthnOptions;
import io.vertx.ext.auth.webauthn.impl.AuthData;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaData;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaDataException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/attestation/PackedAttestation.class */
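public class PackedAttestation implements Attestation {

    /** OID of the id-fido-gen-ce-aaguid certificate extension that binds an attestation certificate to an AAGUID. */
    private static final String ID_FIDO_GEN_CE_AAGUID_OID = "1.3.6.1.4.1.45724.1.1.4";

    /** ASN.1 universal tag number of OCTET STRING; the AAGUID extension value is an OCTET STRING wrapped in an OCTET STRING. */
    private static final int ASN1_OCTET_STRING = 4;

    /**
     * Two-letter ISO 3166 country codes known to the JVM. The attestation certificate's
     * subject C attribute must be one of these. The data is static, so a single shared copy
     * is enough; it is never mutated after class initialisation.
     */
    private static final Set<String> ISO3166 = new HashSet<>(Arrays.asList(Locale.getISOCountries()));

    public PackedAttestation() {
        // no per-instance state
    }

    @Override
    public String fmt() {
        return "packed";
    }

    /**
     * Validates a "packed" attestation statement.
     *
     * <p>The statement's {@code sig} must be a valid signature over
     * {@code authenticatorData || SHA-256(clientDataJSON)}. Which key verifies it depends on
     * the statement shape:
     * <ul>
     *   <li>{@code x5c} present: the first certificate is the attestation certificate; its
     *       subject/extension requirements are enforced, metadata (when available) must allow
     *       {@code basic_full}, and the certificate's public key verifies {@code sig} with the
     *       declared {@code alg};</li>
     *   <li>{@code ecdaaKeyId} present: always rejected (ECDAA is not implemented);</li>
     *   <li>neither: self attestation; metadata (when available) must allow
     *       {@code basic_surrogate} and the credential's own public key verifies {@code sig}.</li>
     * </ul>
     *
     * @param webAuthnOptions configuration (unused by this format)
     * @param metaData        metadata service used to validate the AAGUID / certificate chain and attestation types
     * @param bArr            the raw clientDataJSON bytes; hashed with SHA-256 into the signed data
     * @param jsonObject      the decoded attestation object; {@code attStmt} is read from it
     * @param authData        the parsed authenticator data (raw bytes, AAGUID, credential public key)
     * @return the declared algorithm plus the {@code x5c} array (null when absent)
     * @throws AttestationException when the statement is malformed, a certificate requirement fails,
     *                              metadata disallows the attestation type, or the signature does not verify
     */
    @Override
    public AttestationCertificates validate(WebAuthnOptions webAuthnOptions, MetaData metaData, byte[] bArr, JsonObject jsonObject, AuthData authData) throws AttestationException {
        try {
            JsonObject attStmt = jsonObject.getJsonObject("attStmt");
            if (attStmt == null) {
                throw new AttestationException("attStmt is missing");
            }
            // Fail with an AttestationException rather than a NullPointerException when the
            // (attacker-controlled) statement omits mandatory members.
            String encodedSig = attStmt.getString("sig");
            if (encodedSig == null) {
                throw new AttestationException("attStmt.sig is missing");
            }
            Integer coseAlg = attStmt.getInteger("alg");
            if (coseAlg == null) {
                throw new AttestationException("attStmt.alg is missing");
            }
            byte[] signature = Codec.base64UrlDecode(encodedSig);
            PublicKeyCredential alg = PublicKeyCredential.valueOf(coseAlg.intValue());

            // Every flavour signs the same data: authenticatorData || SHA-256(clientDataJSON).
            byte[] clientDataHash = Attestation.hash("SHA-256", bArr);
            byte[] signedData = signedData(authData, clientDataHash);

            if (attStmt.containsKey("x5c")) {
                List<X509Certificate> x5c = Attestation.parseX5c(attStmt.getJsonArray("x5c"));
                if (x5c.size() == 0) {
                    throw new AttestationException("no certificates in x5c field");
                }
                // The first certificate is the attestation (batch) certificate.
                X509Certificate attestationCert = x5c.get(0);
                checkAttestationCertificateSubject(CertificateHelper.getCertInfo(attestationCert));
                checkAaguidExtension(attestationCert, authData);

                JsonObject statement = metaData.verifyMetadata(authData.getAaguidString(), alg, x5c);
                if (statement != null && !MetaData.statementAttestationTypesContains(statement, MetaData.ATTESTATION_BASIC_FULL)) {
                    throw new AttestationException("Metadata does not indicate support for basic_full attestations");
                }
                // Only verify the signature once the certificate and metadata checks have passed.
                Attestation.verifySignature(alg, attestationCert, signature, signedData);
            } else if (attStmt.containsKey("ecdaaKeyId")) {
                // ECDAA is not implemented: both outcomes reject, the message only explains why.
                JsonObject statement = metaData.verifyMetadata(authData.getAaguidString(), alg, null);
                if (statement == null || MetaData.statementAttestationTypesContains(statement, MetaData.ATTESTATION_ECDAA)) {
                    throw new AttestationException("ECDAA IS NOT SUPPORTED YET!");
                }
                throw new AttestationException("Metadata does not indicate support for ecdaa attestations");
            } else {
                // Self attestation: the credential's own key signed the data.
                JsonObject statement = metaData.verifyMetadata(authData.getAaguidString(), alg, null);
                if (statement != null && !MetaData.statementAttestationTypesContains(statement, MetaData.ATTESTATION_BASIC_SURROGATE)) {
                    throw new AttestationException("Metadata does not indicate support for basic_surrogate attestations");
                }
                // NOTE(review): no algorithm is passed here, so verification appears to use the
                // credential JWK's own algorithm; the declared attStmt.alg is not cross-checked
                // against it, although the packed format requires the two to match.
                // TODO: confirm whether the JWK exposes its algorithm and add that comparison.
                if (!new JWS(authData.getCredentialJWK()).verify(signature, signedData)) {
                    throw new AttestationException("Failed to verify the signature!");
                }
            }

            return new AttestationCertificates()
                .setAlg(alg)
                .setX5c(attStmt.containsKey("x5c") ? attStmt.getJsonArray("x5c") : null);
        } catch (MetaDataException | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            // Preserve the cause so the underlying crypto/metadata failure is not lost.
            throw new AttestationException(e);
        }
    }

    /**
     * Builds the byte string the attestation signature covers: the raw authenticator data
     * followed by the SHA-256 hash of clientDataJSON.
     */
    private static byte[] signedData(AuthData authData, byte[] clientDataHash) {
        return Buffer.buffer()
            .appendBytes(authData.getRaw())
            .appendBytes(clientDataHash)
            .getBytes();
    }

    /**
     * Enforces the attestation-certificate requirements of the packed format on the parsed
     * certificate info: X.509 v3, subject C a two-letter ISO 3166 code, non-empty O and CN,
     * OU exactly "Authenticator Attestation", and Basic Constraints CA = false
     * (reported as -1 by {@code getBasicConstraints()}).
     *
     * @throws AttestationException on the first requirement that fails
     */
    private static void checkAttestationCertificateSubject(CertificateHelper.CertInfo certInfo) throws AttestationException {
        if (certInfo.version() != 3) {
            throw new AttestationException("Batch certificate version MUST be 3(ASN1 2)");
        }
        if (!certInfo.subjectHas("C") || !ISO3166.contains(certInfo.subject("C"))) {
            throw new AttestationException("Batch certificate C MUST be set to two character ISO 3166 code");
        }
        if (!certInfo.subjectHas("O")) {
            // Message previously reported the wrong attribute (CN) for this check.
            throw new AttestationException("Batch certificate O MUST not be empty");
        }
        if (!"Authenticator Attestation".equals(certInfo.subject("OU"))) {
            throw new AttestationException("Batch certificate OU MUST be set strictly to 'Authenticator Attestation'");
        }
        if (!certInfo.subjectHas("CN")) {
            throw new AttestationException("Batch certificate CN MUST not be empty");
        }
        if (certInfo.basicConstraintsCA() != -1) {
            throw new AttestationException("Batch certificate basic constraints CA MUST be -1");
        }
    }

    /**
     * If the certificate carries the id-fido-gen-ce-aaguid extension, its value must be an
     * OCTET STRING (the extension wrapper) containing an OCTET STRING whose content equals
     * the AAGUID from the authenticator data. Absence of the extension is allowed.
     * The comparison is constant-time.
     *
     * @throws AttestationException when the extension is malformed or the AAGUID differs
     */
    private static void checkAaguidExtension(X509Certificate attestationCert, AuthData authData) throws AttestationException {
        byte[] extensionValue = attestationCert.getExtensionValue(ID_FIDO_GEN_CE_AAGUID_OID);
        if (extensionValue == null) {
            return;
        }
        ASN1.ASN wrapper = ASN1.parseASN1(extensionValue);
        if (!wrapper.is(ASN1_OCTET_STRING)) {
            throw new AttestationException("1.3.6.1.4.1.45724.1.1.4 Extension is not an ASN.1 OCTET string!");
        }
        ASN1.ASN inner = ASN1.parseASN1(wrapper.binary(0));
        if (!inner.is(ASN1_OCTET_STRING)) {
            throw new AttestationException("1.3.6.1.4.1.45724.1.1.4 Extension is not an ASN.1 OCTET string!");
        }
        if (!MessageDigest.isEqual(inner.binary(0), authData.getAaguid())) {
            throw new AttestationException("Certificate id-fido-gen-ce-aaguid extension does not match authData");
        }
    }
}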
