package io.vertx.ext.auth.webauthn.impl.attestation;

import io.vertx.core.buffer.Buffer;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.impl.CertificateHelper;
import io.vertx.ext.auth.impl.asn.ASN1;
import io.vertx.ext.auth.webauthn.AttestationCertificates;
import io.vertx.ext.auth.webauthn.PublicKeyCredential;
import io.vertx.ext.auth.webauthn.WebAuthnOptions;
import io.vertx.ext.auth.webauthn.impl.AuthData;
import io.vertx.ext.auth.webauthn.impl.attestation.tpm.CertInfo;
import io.vertx.ext.auth.webauthn.impl.attestation.tpm.PubArea;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaData;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaDataException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

/* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/attestation/TPMAttestation.class */
public class TPMAttestation implements Attestation {
    public static final int TPM_ALG_ERROR = 0;
    public static final int TPM_ALG_RSA = 1;
    public static final int TPM_ALG_SHA = 4;
    public static final int TPM_ALG_SHA1 = 4;
    public static final int TPM_ALG_HMAC = 5;
    public static final int TPM_ALG_AES = 6;
    public static final int TPM_ALG_MGF1 = 7;
    public static final int TPM_ALG_KEYEDHASH = 8;
    public static final int TPM_ALG_XOR = 10;
    public static final int TPM_ALG_SHA256 = 11;
    public static final int TPM_ALG_SHA384 = 12;
    public static final int TPM_ALG_SHA512 = 13;
    public static final int TPM_ALG_NULL = 16;
    public static final int TPM_ALG_SM3_256 = 18;
    public static final int TPM_ALG_SM4 = 19;
    public static final int TPM_ALG_RSASSA = 20;
    public static final int TPM_ALG_RSAES = 21;
    public static final int TPM_ALG_RSAPSS = 22;
    public static final int TPM_ALG_OAEP = 23;
    public static final int TPM_ALG_ECDSA = 24;
    public static final int TPM_ALG_ECDH = 25;
    public static final int TPM_ALG_ECDAA = 26;
    public static final int TPM_ALG_SM2 = 27;
    public static final int TPM_ALG_ECSCHNORR = 28;
    public static final int TPM_ALG_ECMQV = 29;
    public static final int TPM_ALG_KDF1_SP800_56A = 32;
    public static final int TPM_ALG_KDF2 = 33;
    public static final int TPM_ALG_KDF1_SP800_108 = 34;
    public static final int TPM_ALG_ECC = 35;
    public static final int TPM_ALG_SYMCIPHER = 37;
    public static final int TPM_ALG_CAMELLIA = 38;
    public static final int TPM_ALG_CTR = 64;
    public static final int TPM_ALG_OFB = 65;
    public static final int TPM_ALG_CBC = 66;
    public static final int TPM_ALG_CFB = 67;
    public static final int TPM_ALG_ECB = 68;
    public static final int TPM_ST_ATTEST_CERTIFY = 32791;
    private static final List<String> TPM_MANUFACTURERS = Arrays.asList("id:414D4400", "id:41544D4C", "id:4252434D", "id:49424d00", "id:49465800", "id:494E5443", "id:4C454E00", "id:4E534D20", "id:4E545A00", "id:4E544300", "id:51434F4D", "id:534D5343", "id:53544D20", "id:534D534E", "id:534E5300", "id:54584E00", "id:57454300", "id:524F4343", "id:FFFFF1D0");

    @Override // io.vertx.ext.auth.webauthn.impl.attestation.Attestation
    public String fmt() {
        return "tpm";
    }

    @Override // io.vertx.ext.auth.webauthn.impl.attestation.Attestation
    public AttestationCertificates validate(WebAuthnOptions webAuthnOptions, MetaData metaData, byte[] bArr, JsonObject jsonObject, AuthData authData) throws AttestationException {
        String str;
        String str2;
        try {
            byte[] hash = Attestation.hash("SHA-256", bArr);
            JsonObject jsonObject2 = jsonObject.getJsonObject("attStmt");
            if (!jsonObject2.getString("ver").equals("2.0")) {
                throw new AttestationException("expected TPM version 2.0");
            }
            PubArea pubArea = new PubArea(jsonObject2.getBinary("pubArea"));
            JsonObject credentialPublicKeyJson = authData.getCredentialPublicKeyJson();
            if (pubArea.getType() == 1) {
                byte[] binary = credentialPublicKeyJson.getBinary("-1");
                byte[] binary2 = credentialPublicKeyJson.getBinary("-2");
                long exponent = pubArea.getExponent();
                if (exponent == 0) {
                    exponent = 65537;
                }
                if (exponent != binary2[0] + (binary2[1] << 8) + (binary2[2] << 16)) {
                    throw new AttestationException("Unexpected public key exp");
                }
                if (!MessageDigest.isEqual(pubArea.getUnique(), binary)) {
                    throw new AttestationException("PubArea unique is not same as credentialPublicKey");
                }
            } else {
                if (pubArea.getType() != 35) {
                    throw new AttestationException("Unsupported pubArea.type" + pubArea.getType());
                }
                byte[] binary3 = credentialPublicKeyJson.getBinary("-1");
                byte[] binary4 = credentialPublicKeyJson.getBinary("-2");
                byte[] binary5 = credentialPublicKeyJson.getBinary("-3");
                if (pubArea.getCurveID() != binary3[0] + (binary3[1] << 8)) {
                    throw new AttestationException("Unexpected public key crv");
                }
                if (!MessageDigest.isEqual(pubArea.getUnique(), Buffer.buffer().appendBytes(binary4).appendBytes(binary5).getBytes())) {
                    throw new AttestationException("PubArea unique is not same as public key x and y");
                }
            }
            CertInfo certInfo = new CertInfo(jsonObject2.getBinary("certInfo"));
            if (certInfo.getMagic() != CertInfo.TPM_GENERATED) {
                throw new AttestationException("certInfo had bad magic number");
            }
            if (certInfo.getType() != 32791) {
                throw new AttestationException("Wrong type. expected 'TPM_ST_ATTEST_CERTIFY'");
            }
            switch (certInfo.getNameAlg()) {
                case 4:
                    str = "SHA1";
                    break;
                case 5:
                case 6:
                case TPM_ALG_MGF1 /* 7 */:
                case TPM_ALG_KEYEDHASH /* 8 */:
                case 9:
                case 10:
                default:
                    throw new AttestationException("Unsupported algorithm: " + pubArea.getNameAlg());
                case 11:
                    str = "SHA-256";
                    break;
                case 12:
                    str = "SHA-384";
                    break;
                case 13:
                    str = "SHA-512";
                    break;
            }
            if (!MessageDigest.isEqual(certInfo.getAttestedName(), Buffer.buffer().appendByte(certInfo.getAttestedName()[0]).appendByte(certInfo.getAttestedName()[1]).appendBytes(Attestation.hash(str, jsonObject2.getBinary("pubArea"))).getBytes())) {
                throw new AttestationException("Attested name comparison failed");
            }
            byte[] bytes = Buffer.buffer().appendBytes(authData.getRaw()).appendBytes(hash).getBytes();
            switch (jsonObject2.getInteger("alg").intValue()) {
                case -65535:
                    str2 = "SHA1";
                    break;
                case -259:
                case -39:
                case -36:
                    str2 = "SHA-512";
                    break;
                case -258:
                case -38:
                case -35:
                    str2 = "SHA-384";
                    break;
                case -257:
                case -47:
                case -37:
                case -7:
                    str2 = "SHA-256";
                    break;
                default:
                    throw new AttestationException("Unsupported algorithm: " + jsonObject2.getInteger("alg"));
            }
            if (!MessageDigest.isEqual(certInfo.getExtraData(), Attestation.hash(str2, bytes))) {
                throw new AttestationException("CertInfo extra data did not equal hashed attestation");
            }
            List<X509Certificate> parseX5c = Attestation.parseX5c(jsonObject2.getJsonArray("x5c"));
            if (parseX5c.size() == 0) {
                throw new AttestationException("no certificates in x5c field");
            }
            X509Certificate x509Certificate = parseX5c.get(0);
            CertificateHelper.CertInfo certInfo2 = CertificateHelper.getCertInfo(x509Certificate);
            if (certInfo2.version() != 3) {
                throw new AttestationException("Batch certificate version MUST be 3(ASN1 2)");
            }
            if (certInfo2.basicConstraintsCA() != -1) {
                throw new AttestationException("Batch certificate basic constraints CA MUST be -1");
            }
            if (!certInfo2.isEmpty()) {
                throw new AttestationException("Certificate subject was not empty");
            }
            x509Certificate.checkValidity();
            ASN1.ASN parseASN1 = ASN1.parseASN1(x509Certificate.getExtensionValue("2.5.29.17"));
            if (parseASN1.tag.type != 4) {
                throw new AttestationException("2.5.29.17 Extension is not an ASN.1 OCTET_STRING");
            }
            ASN1.ASN parseASN12 = ASN1.parseASN1(parseASN1.binary(0));
            if (parseASN12.tag.type != 48) {
                throw new AttestationException("2.5.29.17 Extension OCTET_STRING is not an ASN.1 SEQUENCE");
            }
            ASN1.ASN object = parseASN12.object(0, 164).object(0, 48).object(0, 49);
            for (int i = 0; i < object.length(); i++) {
                ASN1.ASN object2 = object.object(i);
                ASN1.ASN object3 = object2.object(0, 6);
                ASN1.ASN object4 = object2.object(1, 12);
                if (MessageDigest.isEqual(object3.binary(0), new byte[]{103, -127, 5, 2, 1}) && !TPM_MANUFACTURERS.contains(new String(object4.binary(0)))) {
                    throw new AttestationException("Unkown Manufacturer id");
                }
            }
            ASN1.ASN parseASN13 = ASN1.parseASN1(x509Certificate.getExtensionValue("2.5.29.37"));
            if (parseASN13.tag.type != 4) {
                throw new AttestationException("2.5.29.37 Extension is not an ASN.1 OCTET_STRING");
            }
            ASN1.ASN parseASN14 = ASN1.parseASN1(parseASN13.binary(0));
            if (parseASN14.tag.type != 48) {
                throw new AttestationException("2.5.29.37 Extension OCTET_STRING is not an ASN.1 SEQUENCE");
            }
            boolean z = false;
            int i2 = 0;
            while (true) {
                if (i2 < parseASN14.length()) {
                    if (MessageDigest.isEqual(parseASN14.object(i2, 6).binary(0), new byte[]{103, -127, 5, 8, 3})) {
                        z = true;
                    } else {
                        i2++;
                    }
                }
            }
            if (!z) {
                throw new AttestationException("2.5.29.37 Extension SEQUENCE does not contain OBJECT_IDENTIFIER 2.23.133.8.3");
            }
            byte[] extensionValue = x509Certificate.getExtensionValue("1.3.6.1.4.1.45724.1.1.4");
            if (extensionValue != null) {
                ASN1.ASN parseASN15 = ASN1.parseASN1(extensionValue);
                if (parseASN15.tag.type != 4) {
                    throw new AttestationException("1.3.6.1.4.1.45724.1.1.4 Extension is not an ASN.1 OCTECT string!");
                }
                ASN1.ASN parseASN16 = ASN1.parseASN1(parseASN15.binary(0));
                if (parseASN16.tag.type != 4) {
                    throw new AttestationException("1.3.6.1.4.1.45724.1.1.4 Extension is not an ASN.1 OCTECT string!");
                }
                if (!MessageDigest.isEqual(parseASN16.binary(0), authData.getAaguid())) {
                    throw new AttestationException("Certificate id-fido-gen-ce-aaguid extension does not match authData");
                }
            }
            metaData.verifyMetadata(authData.getAaguidString(), PublicKeyCredential.valueOf(jsonObject2.getInteger("alg").intValue()), parseX5c, false);
            Attestation.verifySignature(PublicKeyCredential.valueOf(jsonObject2.getInteger("alg").intValue()), x509Certificate, jsonObject2.getBinary("sig"), jsonObject2.getBinary("certInfo"));
            return new AttestationCertificates().setAlg(PublicKeyCredential.valueOf(jsonObject2.getInteger("alg").intValue())).setX5c(jsonObject2.getJsonArray("x5c"));
        } catch (MetaDataException | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            throw new AttestationException(e);
        }
    }
}
