package com.yubico.webauthn;

import COSE.CoseException;
import com.fasterxml.jackson.databind.JsonNode;
import com.yubico.internal.util.ExceptionUtil;
import com.yubico.webauthn.data.AttestationObject;
import com.yubico.webauthn.data.AttestationType;
import com.yubico.webauthn.data.ByteArray;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.spec.InvalidKeySpecException;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yubico/webauthn/FidoU2fAttestationStatementVerifier.class */
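/**
 * Verifier for attestation statements in the {@code fido-u2f} format.
 *
 * <p>The class enforces that the attestation certificate taken from the statement's {@code x5c}
 * property carries an ECDSA P-256 public key, classifies the attestation as self or basic
 * attestation, and checks the attestation signature. Nothing in this class validates a
 * certificate chain or consults a trust store, so a successful result here says only that the
 * signature matches the certificate presented in the statement.
 */
final class FidoU2fAttestationStatementVerifier implements AttestationStatementVerifier, X5cAttestationStatementVerifier {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(FidoU2fAttestationStatementVerifier.class);

    /** Rejection message used whenever the attestation certificate key is not ECDSA P-256. */
    private static final String P256_REQUIRED_MESSAGE = "Attestation certificate for fido-u2f must have an ECDSA P-256 public key.";

    /**
     * Tells whether the certificate's public key is an EC key on the P-256 curve.
     *
     * <p>The {@code instanceof} guard makes a key that reports the "EC" algorithm but is not an
     * {@link ECPublicKey} fail this check (and therefore be rejected by the caller) instead of
     * surfacing as a {@link ClassCastException}.
     */
    private static boolean hasEcP256PublicKey(X509Certificate certificate) {
        PublicKey key = certificate.getPublicKey();
        return "EC".equals(key.getAlgorithm())
                && key instanceof ECPublicKey
                && Crypto.isP256(((ECPublicKey) key).getParams());
    }

    /**
     * Extracts the attestation certificate and enforces the fido-u2f key requirement.
     *
     * @param attestationObject the attestation object holding the {@code x5c} property
     * @return the attestation certificate, guaranteed to carry an ECDSA P-256 public key
     * @throws CertificateException if the certificate cannot be parsed
     * @throws IllegalArgumentException if no certificate is present or its key is not ECDSA P-256
     */
    private X509Certificate getAttestationCertificate(AttestationObject attestationObject) throws CertificateException {
        return getX5cAttestationCertificate(attestationObject).map(certificate -> {
            if (hasEcP256PublicKey(certificate)) {
                return certificate;
            }
            throw new IllegalArgumentException(P256_REQUIRED_MESSAGE);
        }).orElseThrow(() -> new IllegalArgumentException("fido-u2f attestation statement must have an \"x5c\" property set to an array of at least one DER encoded X.509 certificate."));
    }

    /**
     * Tells whether the certificate's signature verifies under its own public key.
     *
     * <p>Any failure during verification is deliberately treated as "not self-signed": the result
     * is used only to classify the attestation type, never to accept a signature.
     */
    private static boolean validSelfSignature(X509Certificate x509Certificate) {
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            return true;
        } catch (Exception ignored) {
            // Best-effort probe: a certificate that does not verify is simply not self-signed.
            return false;
        }
    }

    /**
     * Converts the COSE-encoded credential public key to its raw EC encoding.
     *
     * <p>The attested credential data is read with {@code get()}, so callers are expected to have
     * established that it is present.
     *
     * @throws RuntimeException if the credential key is not an EC key or cannot be decoded
     */
    private static ByteArray getRawUserPublicKey(AttestationObject attestationObject) throws IOException, CoseException {
        ByteArray credentialPublicKey = attestationObject.getAuthenticatorData().getAttestedCredentialData().get().getCredentialPublicKey();
        try {
            PublicKey importedKey = WebAuthnCodecs.importCosePublicKey(credentialPublicKey);
            try {
                return WebAuthnCodecs.ecPublicKeyToRaw((ECPublicKey) importedKey);
            } catch (ClassCastException e) {
                // Keep the cause so the failing cast stays visible in the stack trace.
                throw new RuntimeException("U2F supports only EC keys, was: " + importedKey, e);
            }
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw ExceptionUtil.wrapAndLog(log, "Failed to decode public key: " + credentialPublicKey, e);
        }
    }

    /**
     * Classifies the attestation as self attestation or basic attestation.
     *
     * <p>Self attestation is reported only when the attestation certificate is self-signed and
     * its public key equals the credential public key; every other case is reported as basic.
     * This is a classification only and does not establish trust in the certificate.
     *
     * @throws IllegalArgumentException if the attestation certificate is missing or not ECDSA P-256
     */
    @Override
    public AttestationType getAttestationType(AttestationObject attestationObject) throws CoseException, IOException, CertificateException {
        X509Certificate attestationCertificate = getAttestationCertificate(attestationObject);
        PublicKey certificateKey = attestationCertificate.getPublicKey();

        boolean selfAttested = certificateKey instanceof ECPublicKey
                && validSelfSignature(attestationCertificate)
                && getRawUserPublicKey(attestationObject).equals(WebAuthnCodecs.ecPublicKeyToRaw((ECPublicKey) certificateKey));

        return selfAttested ? AttestationType.SELF_ATTESTATION : AttestationType.BASIC;
    }

    /**
     * Verifies the {@code sig} property of the attestation statement against the attestation
     * certificate.
     *
     * @param attestationObject the attestation object to verify
     * @param byteArray the value passed to {@code U2fRawRegisterResponse.verifySignature} together
     *     with the RP ID hash (presumably the client data hash; confirm against the interface)
     * @return the result of {@code U2fRawRegisterResponse.verifySignature}
     * @throws IllegalArgumentException if the certificate, the {@code sig} property or the attested
     *     credential data is missing or malformed
     * @throws RuntimeException if the credential public key or the signature bytes cannot be read
     */
    @Override
    public boolean verifyAttestationSignature(AttestationObject attestationObject, ByteArray byteArray) {
        final X509Certificate attestationCertificate;
        try {
            // Also enforces the ECDSA P-256 requirement, so no second check is needed below.
            attestationCertificate = getAttestationCertificate(attestationObject);
        } catch (CertificateException e) {
            throw new IllegalArgumentException(String.format("Failed to parse X.509 certificate from attestation object: %s", attestationObject), e);
        }

        return attestationObject.getAuthenticatorData().getAttestedCredentialData().map(attestedCredentialData -> {
            JsonNode signatureNode = attestationObject.getAttestationStatement().get("sig");
            if (signatureNode == null) {
                throw new IllegalArgumentException("fido-u2f attestation statement must have a \"sig\" property set to a DER encoded signature.");
            }
            if (!signatureNode.isBinary()) {
                throw new IllegalArgumentException("\"sig\" property of fido-u2f attestation statement must be a CBOR byte array value.");
            }

            // The two failure modes are handled separately so that a key-parsing error is not
            // reported as a failure to read the signature bytes.
            final ByteArray userPublicKey;
            try {
                userPublicKey = getRawUserPublicKey(attestationObject);
            } catch (IOException | CoseException e) {
                RuntimeException failure = new RuntimeException(String.format("Failed to parse public key from attestation data %s", attestedCredentialData), e);
                log.error(failure.getMessage(), failure);
                throw failure;
            }

            final ByteArray signature;
            try {
                signature = new ByteArray(signatureNode.binaryValue());
            } catch (IOException e) {
                RuntimeException failure = new RuntimeException("signature.isBinary() was true but signature.binaryValue() failed", e);
                log.error(failure.getMessage(), failure);
                throw failure;
            }

            return Boolean.valueOf(new U2fRawRegisterResponse(userPublicKey, attestedCredentialData.getCredentialId(), attestationCertificate, signature).verifySignature(attestationObject.getAuthenticatorData().getRpIdHash(), byteArray));
        }).orElseThrow(() -> new IllegalArgumentException("Attestation object for credential creation must have attestation data."));
    }
}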
