package com.webauthn4j.validator.attestation.statement.u2f;

import com.webauthn4j.data.attestation.AttestationObject;
import com.webauthn4j.data.attestation.authenticator.EC2COSEKey;
import com.webauthn4j.data.attestation.statement.AttestationType;
import com.webauthn4j.data.attestation.statement.FIDOU2FAttestationStatement;
import com.webauthn4j.util.ECUtil;
import com.webauthn4j.util.MessageDigestUtil;
import com.webauthn4j.validator.RegistrationObject;
import com.webauthn4j.validator.attestation.statement.AbstractStatementValidator;
import com.webauthn4j.validator.exception.BadAttestationStatementException;
import com.webauthn4j.validator.exception.BadSignatureException;
import com.webauthn4j.validator.exception.CertificateException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.ECPublicKey;
import org.keycloak.crypto.JavaAlgorithm;

/* loaded from: input_file:BOOT-INF/lib/webauthn4j-core-0.9.14.RELEASE.jar:com/webauthn4j/validator/attestation/statement/u2f/FIDOU2FAttestationStatementValidator.class */
public class FIDOU2FAttestationStatementValidator extends AbstractStatementValidator<FIDOU2FAttestationStatement> {
    @Override // com.webauthn4j.validator.attestation.statement.AttestationStatementValidator
    public AttestationType validate(RegistrationObject registrationObject) {
        if (!supports(registrationObject)) {
            throw new IllegalArgumentException("Specified format is not supported by " + getClass().getName());
        }
        validateAttestationStatement((FIDOU2FAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement());
        validateSignature(registrationObject);
        return AttestationType.BASIC;
    }

    void validateAttestationStatement(FIDOU2FAttestationStatement fIDOU2FAttestationStatement) {
        if (fIDOU2FAttestationStatement.getX5c().size() != 1) {
            throw new BadAttestationStatementException("FIDO-U2F attestation statement must have only one certificate.");
        }
        validatePublicKey(fIDOU2FAttestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate().getPublicKey());
    }

    void validatePublicKey(PublicKey publicKey) {
        if (!publicKey.getAlgorithm().equals("EC")) {
            throw new CertificateException("FIDO-U2F attestation statement supports ECDSA only.");
        }
        if (!((ECPublicKey) publicKey).getParams().equals(ECUtil.P_256_SPEC)) {
            throw new CertificateException("FIDO-U2F attestation statement supports secp256r1 curve only.");
        }
    }

    private void validateSignature(RegistrationObject registrationObject) {
        FIDOU2FAttestationStatement fIDOU2FAttestationStatement = (FIDOU2FAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
        byte[] signedData = getSignedData(registrationObject);
        byte[] sig = fIDOU2FAttestationStatement.getSig();
        PublicKey publicKey = getPublicKey(fIDOU2FAttestationStatement);
        try {
            Signature signature = Signature.getInstance(JavaAlgorithm.ES256);
            signature.initVerify(publicKey);
            signature.update(signedData);
            if (signature.verify(sig)) {
            } else {
                throw new BadSignatureException("`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.");
            }
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new BadSignatureException("`sig` in attestation statement is not valid signature over the concatenation of authenticatorData and clientDataHash.");
        }
    }

    private byte[] getSignedData(RegistrationObject registrationObject) {
        String rpId = registrationObject.getServerProperty().getRpId();
        MessageDigest createSHA256 = MessageDigestUtil.createSHA256();
        AttestationObject attestationObject = registrationObject.getAttestationObject();
        EC2COSEKey eC2COSEKey = (EC2COSEKey) attestationObject.getAuthenticatorData().getAttestedCredentialData().getCOSEKey();
        byte[] bytes = rpId.getBytes(StandardCharsets.UTF_8);
        byte[] collectedClientDataBytes = registrationObject.getCollectedClientDataBytes();
        byte[] digest = createSHA256.digest(bytes);
        byte[] digest2 = createSHA256.digest(collectedClientDataBytes);
        byte[] credentialId = attestationObject.getAuthenticatorData().getAttestedCredentialData().getCredentialId();
        byte[] publicKeyBytes = getPublicKeyBytes(eC2COSEKey);
        ByteBuffer allocate = ByteBuffer.allocate(65 + credentialId.length + 65);
        allocate.put((byte) 0);
        allocate.put(digest);
        allocate.put(digest2);
        allocate.put(credentialId);
        allocate.put(publicKeyBytes);
        return allocate.array();
    }

    private byte[] getPublicKeyBytes(EC2COSEKey eC2COSEKey) {
        byte[] x = eC2COSEKey.getX();
        byte[] y = eC2COSEKey.getY();
        return ByteBuffer.allocate(1 + x.length + y.length).put((byte) 4).put(x).put(y).array();
    }

    private PublicKey getPublicKey(FIDOU2FAttestationStatement fIDOU2FAttestationStatement) {
        return fIDOU2FAttestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate().getPublicKey();
    }
}
