package io.vertx.ext.auth.webauthn.impl.attestation;

import io.vertx.core.buffer.Buffer;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.impl.CertificateHelper;
import io.vertx.ext.auth.impl.jose.JWT;
import io.vertx.ext.auth.webauthn.PublicKeyCredential;
import io.vertx.ext.auth.webauthn.impl.AuthData;
import java.io.ByteArrayInputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/attestation/AndroidSafetynetAttestation.class */
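/**
 * Validates WebAuthn attestation statements in the {@code android-safetynet} format.
 *
 * <p>The statement carries a JWS in {@code attStmt.response}. {@link #validate} accepts it only
 * if every one of the following holds: the payload nonce matches the hash computed over the
 * authenticator data and the supplied bytes, {@code ctsProfileMatch} is true, the leaf
 * certificate of the {@code x5c} chain has the common name {@code attest.android.com}, the chain
 * extended with the pinned root passes {@code CertificateHelper.checkValidity}, and the JWS
 * signature verifies against the leaf certificate.
 *
 * <p>Everything read from the statement is attacker-supplied until the signature and chain
 * checks have passed, so missing or malformed fields are reported as
 * {@link AttestationException} instead of escaping as {@code NullPointerException},
 * {@code IllegalArgumentException} or {@code ClassCastException}.
 *
 * <p>NOTE(review): the statement's {@code ver} field and the payload's {@code timestampMs} are
 * not examined by this class.
 */
public class AndroidSafetynetAttestation implements Attestation {
    private static final Base64.Decoder b64dec = Base64.getDecoder();

    // Pinned trust anchor, Base64 of a DER certificate. The encoded subject is
    // "GlobalSign Root CA - R2" and the encoded validity runs 2006-12-15 to 2021-12-15.
    // NOTE(review): if CertificateHelper.checkValidity enforces the validity period of every
    // element of the chain, validation fails after that date - confirm and refresh the anchor.
    private static final String ANDROID_SAFETYNET_ROOT = "MIIDvDCCAqSgAwIBAgINAgPk9GHsmdnVeWbKejANBgkqhkiG9w0BAQUFADBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0wNjEyMTUwODAwMDBaFw0yMTEyMTUwODAwMDBaMEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIyMRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAps8kDr4ubyiZRULEqz4hVJsL03+EcPoSs8u/h1/Gf4bTsjBc1v2t8Xvc5fhglgmSEPXQU977e35ziKxSiHtKpspJpl6op4xaEbx6guu+jOmzrJYlB5dKmSoHL7Qed7+KD7UCfBuWuMW5Oiy81hK561l94tAGhl9eSWq1OV6INOy8eAwImIRsqM1LtKB9DHlN8LgtyyHK1WxbfeGgKYSh+dOUScskYpEgvN0L1dnM+eonCitzkcadG6zIy+jgoPQvkItN+7A2G/YZeoXgbfJhE4hcn+CTClGXilrOr6vV96oJqmC93Nlf33KpYBNeAAHJSvo/pOoHAyECjoLKA8KbjwIDAQABo4GcMIGZMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSb4gdXZxwewGoG3lm0mi3f3BmGLjAfBgNVHSMEGDAWgBSb4gdXZxwewGoG3lm0mi3f3BmGLjA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLmdsb2JhbHNpZ24ubmV0L3Jvb3QtcjIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQANeX81Z1YqDIs4EaLjG0qPOxIzaJI/y4kiRj3a+y3KOx74clIkLuMgi/9/5iv/n+1LyhGU9g7174slbzJOPbSpp1eT19ST2mYbdgTLx/hm3tTLoHIY/w4ZbnQYwfnPwAG4RefnEFYPQJmpD+Wh8BJwBgtm2drTale/T6NBwmwnEFunfaMfMX3g6IBrx7VKnxIkJh/3p190WveLKgl9n7i5SWce/4woPimEn9WfEQWRvp6wKhaCKFjuCMuulEZusoOUJ4LfJnXxcuQTgIrSnwI7KfSSjsd42w3lX1fbgJp7vPmLM6OBRvAXuYRKTFqMAWbb7OaGIEE+cbxY6PDepnva";

    private final CertificateFactory x509;

    /**
     * Creates the validator and obtains the X.509 certificate factory it parses chains with.
     *
     * @throws AttestationException if no X.509 {@link CertificateFactory} is available
     */
    public AndroidSafetynetAttestation() {
        try {
            this.x509 = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new AttestationException(e);
        }
    }

    /**
     * Returns the attestation format identifier handled by this class.
     *
     * @return the literal {@code "android-safetynet"}
     */
    @Override
    public String fmt() {
        return "android-safetynet";
    }

    /**
     * Validates an {@code android-safetynet} attestation statement.
     *
     * @param jsonObject not read by this implementation
     * @param bArr bytes whose SHA-256 digest is appended to the authenticator data when the
     *     expected nonce is computed (presumably the client data JSON - confirm against caller)
     * @param jsonObject2 attestation object; must contain {@code attStmt.response}
     * @param authData parsed authenticator data; its raw bytes feed the expected nonce
     * @throws AttestationException if any field is missing or malformed, or any check fails
     */
    @Override
    public void validate(JsonObject jsonObject, byte[] bArr, JsonObject jsonObject2, AuthData authData) throws AttestationException {
        try {
            final JsonObject attStmt = required(jsonObject2.getJsonObject("attStmt"), "attStmt");
            final JsonObject token = JWT.parse(required(attStmt.getBinary("response"), "attStmt response"));
            final JsonObject payload = required(token.getJsonObject("payload"), "JWS payload");

            // The nonce binds the SafetyNet response to this ceremony:
            // SHA-256(authData || SHA-256(bArr)), compared in constant time.
            final byte[] expectedNonce = Attestation.hash(
                "SHA-256",
                Buffer.buffer().appendBytes(authData.getRaw()).appendBytes(Attestation.hash("SHA-256", bArr)).getBytes());
            final byte[] presentedNonce = b64dec.decode(required(payload.getString("nonce"), "JWS payload nonce"));
            if (!MessageDigest.isEqual(expectedNonce, presentedNonce)) {
                throw new AttestationException("JWS nonce does not contains expected nonce!");
            }

            // An absent flag is treated like an explicit false instead of unboxing null.
            if (!Boolean.TRUE.equals(payload.getBoolean("ctsProfileMatch"))) {
                throw new AttestationException("JWS ctsProfileMatch is false!");
            }

            final JsonObject header = required(token.getJsonObject("header"), "JWS header");
            final JsonArray x5c = header.getJsonArray("x5c");
            if (x5c == null || x5c.size() == 0) {
                throw new AttestationException("Invalid certificate chain");
            }

            final List<X509Certificate> chain = new ArrayList<>(x5c.size() + 1);
            for (int i = 0; i < x5c.size(); i++) {
                final byte[] der = b64dec.decode(required(x5c.getString(i), "x5c entry"));
                chain.add((X509Certificate) this.x509.generateCertificate(new ByteArrayInputStream(der)));
            }

            final X509Certificate leaf = chain.get(0);
            if (!"attest.android.com".equals(CertificateHelper.getCertInfo(leaf).subject("CN"))) {
                throw new AttestationException("The common name is not set to 'attest.android.com'!");
            }

            // The chain from the token is only trusted once it links to the pinned root.
            chain.add(Attestation.parseX5c(this.x509, b64dec.decode(ANDROID_SAFETYNET_ROOT)));
            CertificateHelper.checkValidity(chain);

            // "alg" comes from the untrusted header; valueOf limits it to the algorithms that
            // PublicKeyCredential declares, and an unknown name is rejected below.
            final String alg = required(header.getString("alg"), "JWS header alg");
            Attestation.verifySignature(PublicKeyCredential.valueOf(alg), leaf, token.getBinary("signature"), token.getBinary("signatureBase"));
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException | IllegalArgumentException | ClassCastException e) {
            // IllegalArgumentException: malformed Base64 or an unknown "alg" name.
            // ClassCastException: a JSON field of an unexpected type.
            throw new AttestationException(e);
        }
    }

    /** Returns {@code value}, or fails the attestation when the named field is absent. */
    private static <T> T required(T value, String name) {
        if (value == null) {
            throw new AttestationException("Missing " + name + " in android-safetynet attestation");
        }
        return value;
    }
}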
