package io.vertx.ext.auth.webauthn.impl.attestation;

import io.vertx.core.buffer.Buffer;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.impl.CertificateHelper;
import io.vertx.ext.auth.impl.Codec;
import io.vertx.ext.auth.impl.jose.JWS;
import io.vertx.ext.auth.impl.jose.JWT;
import io.vertx.ext.auth.webauthn.AttestationCertificates;
import io.vertx.ext.auth.webauthn.PublicKeyCredential;
import io.vertx.ext.auth.webauthn.WebAuthnOptions;
import io.vertx.ext.auth.webauthn.impl.AuthData;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaData;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaDataException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/attestation/AndroidSafetynetAttestation.class */
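/**
 * Validator for WebAuthn attestation statements in the {@code android-safetynet} format.
 *
 * <p>The attestation statement carries a JWS in {@code attStmt.response}. Everything inside the
 * statement and the JWS comes from the client and is treated as untrusted until the signature
 * check at the end of {@link #validate} has passed.
 */
public class AndroidSafetynetAttestation implements Attestation {

    /** Maximum accepted age of the JWS {@code timestampMs}, in milliseconds. */
    private static final long MAX_RESPONSE_AGE_MS = 60000L;

    /** Subject CN the first certificate of the {@code x5c} chain must carry. */
    private static final String EXPECTED_LEAF_CN = "attest.android.com";

    /**
     * Returns the attestation format identifier handled by this validator.
     *
     * @return the literal {@code "android-safetynet"}
     */
    @Override // io.vertx.ext.auth.webauthn.impl.attestation.Attestation
    public String fmt() {
        return "android-safetynet";
    }

    /**
     * Validates an {@code android-safetynet} attestation statement.
     *
     * <p>Checks performed, in order:
     * <ol>
     *   <li>{@code attStmt.ver} is present and non-empty;</li>
     *   <li>the JWS payload {@code nonce} equals
     *       {@code SHA-256(authData.getRaw() || SHA-256(bArr))}, compared with
     *       {@link MessageDigest#isEqual};</li>
     *   <li>the payload {@code ctsProfileMatch} is {@code true};</li>
     *   <li>the payload {@code timestampMs} is not in the future and not older than
     *       {@link #MAX_RESPONSE_AGE_MS};</li>
     *   <li>the header {@code x5c} chain is non-empty and its first certificate has subject CN
     *       {@code attest.android.com};</li>
     *   <li>the chain passes {@code metaData.verifyMetadata} against the root certificate
     *       configured for this format;</li>
     *   <li>the JWS signature verifies against the first certificate of the chain.</li>
     * </ol>
     *
     * <p>Steps 2-4 read the payload before its signature has been checked; this is only safe
     * because the method never returns normally unless step 7 also succeeds. Keep the signature
     * check on every success path when editing this method.
     *
     * <p>Missing {@code attStmt}, {@code response}, JWS {@code header}/{@code payload},
     * {@code nonce}, {@code ctsProfileMatch} or {@code alg} are rejected with an
     * {@link AttestationException} instead of surfacing as a {@link NullPointerException}.
     *
     * @param webAuthnOptions options supplying the root certificate for this format
     * @param metaData        metadata service used to verify the certificate chain
     * @param bArr            bytes hashed into the expected nonce (presumably the client data
     *                        JSON; confirm against the caller)
     * @param jsonObject      the attestation object; its {@code attStmt} member is read
     * @param authData        parsed authenticator data; its raw bytes and AAGUID are used
     * @return the signature algorithm and the {@code x5c} array, whose entries have been replaced
     *         in place by their base64-decoded bytes
     * @throws AttestationException if any check fails or a required member is missing
     */
    @Override // io.vertx.ext.auth.webauthn.impl.attestation.Attestation
    public AttestationCertificates validate(WebAuthnOptions webAuthnOptions, MetaData metaData, byte[] bArr, JsonObject jsonObject, AuthData authData) throws AttestationException {
        try {
            JsonObject attStmt = jsonObject.getJsonObject("attStmt");
            if (attStmt == null) {
                throw new AttestationException("Missing attStmt");
            }
            String version = attStmt.getString("ver");
            if (version == null || version.length() == 0) {
                throw new AttestationException("Missing {ver} in attStmt");
            }

            String response = attStmt.getString("response");
            if (response == null) {
                throw new AttestationException("Missing {response} in attStmt");
            }
            JsonObject jws = JWT.parse(Codec.base64UrlDecode(response));
            JsonObject payload = jws == null ? null : jws.getJsonObject("payload");
            JsonObject header = jws == null ? null : jws.getJsonObject("header");
            if (payload == null || header == null) {
                throw new AttestationException("Malformed JWS in attStmt response");
            }

            // The nonce binds this SafetyNet response to the current ceremony.
            String nonce = payload.getString("nonce");
            if (nonce == null) {
                throw new AttestationException("Missing {nonce} in JWS payload");
            }
            byte[] expectedNonce = Attestation.hash("SHA-256", Buffer.buffer().appendBytes(authData.getRaw()).appendBytes(Attestation.hash("SHA-256", bArr)).getBytes());
            if (!MessageDigest.isEqual(expectedNonce, Codec.base64Decode(nonce))) {
                throw new AttestationException("JWS nonce does not contains expected nonce!");
            }

            // An absent flag is treated the same as an explicit false.
            if (!Boolean.TRUE.equals(payload.getBoolean("ctsProfileMatch"))) {
                throw new AttestationException("JWS ctsProfileMatch is false!");
            }

            // Freshness window: no future timestamps, and at most MAX_RESPONSE_AGE_MS old.
            // The future check runs first, so the addition below cannot overflow for any
            // value that reaches it.
            long timestampMs = payload.getLong("timestampMs", 0L).longValue();
            long now = System.currentTimeMillis();
            if (timestampMs > now || timestampMs + MAX_RESPONSE_AGE_MS < now) {
                throw new AttestationException("timestampMs is invalid!");
            }

            JsonArray x5c = header.getJsonArray("x5c");
            if (x5c == null || x5c.size() == 0) {
                throw new AttestationException("Invalid certificate chain");
            }
            List<X509Certificate> certChain = new ArrayList<>(x5c.size());
            for (int i = 0; i < x5c.size(); i++) {
                byte[] der = Codec.base64Decode(x5c.getString(i));
                certChain.add(JWS.parseX5c(der));
                // The returned x5c carries the decoded bytes rather than the base64 text.
                x5c.set(i, der);
            }
            X509Certificate leaf = certChain.get(0);

            if (!EXPECTED_LEAF_CN.equals(CertificateHelper.getCertInfo(leaf).subject("CN"))) {
                throw new AttestationException("The common name is not set to 'attest.android.com'!");
            }

            // "alg" is read from the client-supplied JWS header; valueOf() is the only filter on
            // it here. NOTE(review): confirm PublicKeyCredential rejects unsupported names.
            String algName = header.getString("alg");
            if (algName == null) {
                throw new AttestationException("Missing {alg} in JWS header");
            }
            PublicKeyCredential alg = PublicKeyCredential.valueOf(algName);

            metaData.verifyMetadata(authData.getAaguidString(), alg, certChain, webAuthnOptions.getRootCertificate(fmt()));
            // Last gate: authenticates the header and payload that were inspected above.
            Attestation.verifySignature(alg, leaf, Codec.base64UrlDecode(jws.getString("signature")), jws.getString("signatureBase").getBytes(StandardCharsets.UTF_8));
            return new AttestationCertificates().setAlg(alg).setX5c(x5c);
        } catch (MetaDataException | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            throw new AttestationException(e);
        }
    }
}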
