package com.webauthn4j.validator.attestation.statement.tpm;

import com.webauthn4j.data.attestation.authenticator.AAGUID;
import com.webauthn4j.data.attestation.authenticator.AuthenticatorData;
import com.webauthn4j.data.attestation.statement.AttestationType;
import com.webauthn4j.data.attestation.statement.COSEAlgorithmIdentifier;
import com.webauthn4j.data.attestation.statement.ECCUnique;
import com.webauthn4j.data.attestation.statement.RSAUnique;
import com.webauthn4j.data.attestation.statement.SignatureAlgorithm;
import com.webauthn4j.data.attestation.statement.TPMAttestationStatement;
import com.webauthn4j.data.attestation.statement.TPMGenerated;
import com.webauthn4j.data.attestation.statement.TPMIAlgHash;
import com.webauthn4j.data.attestation.statement.TPMIAlgPublic;
import com.webauthn4j.data.attestation.statement.TPMISTAttest;
import com.webauthn4j.data.attestation.statement.TPMSAttest;
import com.webauthn4j.data.attestation.statement.TPMSCertifyInfo;
import com.webauthn4j.data.attestation.statement.TPMSECCParms;
import com.webauthn4j.data.attestation.statement.TPMSRSAParms;
import com.webauthn4j.data.attestation.statement.TPMTPublic;
import com.webauthn4j.data.attestation.statement.TPMUPublicId;
import com.webauthn4j.data.extension.authenticator.RegistrationExtensionAuthenticatorOutput;
import com.webauthn4j.data.x500.X500Name;
import com.webauthn4j.util.MessageDigestUtil;
import com.webauthn4j.util.SignatureUtil;
import com.webauthn4j.util.UnsignedNumberUtil;
import com.webauthn4j.util.exception.NotImplementedException;
import com.webauthn4j.validator.RegistrationObject;
import com.webauthn4j.validator.attestation.statement.AbstractStatementValidator;
import com.webauthn4j.validator.exception.BadAttestationStatementException;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import org.apache.kerby.asn1.type.Asn1Utf8String;
import org.apache.kerby.asn1.util.HexUtil;

/* loaded from: input_file:BOOT-INF/lib/webauthn4j-core-0.12.0.RELEASE.jar:com/webauthn4j/validator/attestation/statement/tpm/TPMAttestationStatementValidator.class */
public class TPMAttestationStatementValidator extends AbstractStatementValidator<TPMAttestationStatement> {
    private static final String ID_FIDO_GEN_CE_AAGUID = "1.3.6.1.4.1.45724.1.1.4";
    private TPMDevicePropertyValidator tpmDevicePropertyValidator = new NullTPMDevicePropertyValidator();

    @Override // com.webauthn4j.validator.attestation.statement.AttestationStatementValidator
    public AttestationType validate(RegistrationObject registrationObject) {
        if (!supports(registrationObject)) {
            throw new IllegalArgumentException("Specified format is not supported by " + getClass().getName());
        }
        TPMAttestationStatement tPMAttestationStatement = (TPMAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();
        if (!tPMAttestationStatement.getVer().equals("2.0")) {
            throw new BadAttestationStatementException("TPM version is not supported.");
        }
        TPMSAttest certInfo = tPMAttestationStatement.getCertInfo();
        TPMTPublic pubArea = tPMAttestationStatement.getPubArea();
        AuthenticatorData<RegistrationExtensionAuthenticatorOutput<?>> authenticatorData = registrationObject.getAttestationObject().getAuthenticatorData();
        validatePublicKeyEquality(pubArea, authenticatorData);
        byte[] attToBeSigned = getAttToBeSigned(registrationObject);
        if (certInfo.getMagic() != TPMGenerated.TPM_GENERATED_VALUE) {
            throw new BadAttestationStatementException("magic must be TPM_GENERATED_VALUE");
        }
        if (certInfo.getType() != TPMISTAttest.TPM_ST_ATTEST_CERTIFY) {
            throw new BadAttestationStatementException("type must be TPM_ST_ATTEST_CERTIFY");
        }
        if (!Arrays.equals(certInfo.getExtraData(), MessageDigestUtil.createMessageDigest(getMessageDigestJcaName(tPMAttestationStatement.getAlg())).digest(attToBeSigned))) {
            throw new BadAttestationStatementException("extraData must be equals to the hash of attToBeSigned");
        }
        TPMSCertifyInfo tPMSCertifyInfo = (TPMSCertifyInfo) certInfo.getAttested();
        if (!Arrays.equals(MessageDigestUtil.createMessageDigest(getAlgJcaName(tPMSCertifyInfo.getName().getHashAlg())).digest(pubArea.getBytes()), tPMSCertifyInfo.getName().getDigest())) {
            throw new BadAttestationStatementException("hash of `attested` doesn't match with name field of certifyInfo");
        }
        if (tPMAttestationStatement.getX5c() != null) {
            validateX5c(tPMAttestationStatement, certInfo, authenticatorData);
            return AttestationType.ATT_CA;
        }
        if (tPMAttestationStatement.getEcdaaKeyId() != null) {
            throw new NotImplementedException();
        }
        throw new BadAttestationStatementException("`x5c` or `ecdaaKeyId` must be present.");
    }

    private String getMessageDigestJcaName(COSEAlgorithmIdentifier cOSEAlgorithmIdentifier) {
        try {
            return SignatureAlgorithm.create(cOSEAlgorithmIdentifier).getMessageDigestJcaName();
        } catch (IllegalArgumentException e) {
            throw new BadAttestationStatementException("alg is not signature algorithm", e);
        }
    }

    private void validateX5c(TPMAttestationStatement tPMAttestationStatement, TPMSAttest tPMSAttest, AuthenticatorData<RegistrationExtensionAuthenticatorOutput<?>> authenticatorData) {
        X509Certificate certificate = tPMAttestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate();
        Signature createSignature = SignatureUtil.createSignature(getJcaName(tPMAttestationStatement.getAlg()));
        try {
            createSignature.initVerify(certificate.getPublicKey());
            createSignature.update(tPMSAttest.getBytes());
            if (!createSignature.verify(tPMAttestationStatement.getSig())) {
                throw new BadAttestationStatementException("hash of certInfo doesn't match with sig.");
            }
            validateAikCert(certificate);
            byte[] extensionValue = certificate.getExtensionValue(ID_FIDO_GEN_CE_AAGUID);
            if (extensionValue != null && !Objects.equals(new AAGUID(extensionValue), authenticatorData.getAttestedCredentialData().getAaguid())) {
                throw new BadAttestationStatementException("AAGUID in aikCert doesn't match with that in authenticatorData");
            }
        } catch (InvalidKeyException | SignatureException e) {
            throw new BadAttestationStatementException("Failed to validate the signature.", e);
        }
    }

    String getAlgJcaName(TPMIAlgHash tPMIAlgHash) {
        String str;
        switch (tPMIAlgHash) {
            case TPM_ALG_SHA1:
                str = "SHA-1";
                break;
            case TPM_ALG_SHA256:
                str = "SHA-256";
                break;
            case TPM_ALG_SHA384:
                str = "SHA-384";
                break;
            case TPM_ALG_SHA512:
                str = "SHA-512";
                break;
            default:
                throw new BadAttestationStatementException("nameAlg '" + tPMIAlgHash.name() + "' is not supported.");
        }
        return str;
    }

    public TPMDevicePropertyValidator getTpmDevicePropertyValidator() {
        return this.tpmDevicePropertyValidator;
    }

    public void setTpmDevicePropertyValidator(TPMDevicePropertyValidator tPMDevicePropertyValidator) {
        this.tpmDevicePropertyValidator = tPMDevicePropertyValidator;
    }

    private void validatePublicKeyEquality(TPMTPublic tPMTPublic, AuthenticatorData<RegistrationExtensionAuthenticatorOutput<?>> authenticatorData) {
        PublicKey publicKey = authenticatorData.getAttestedCredentialData().getCOSEKey().getPublicKey();
        TPMUPublicId unique = tPMTPublic.getUnique();
        if (tPMTPublic.getType() == TPMIAlgPublic.TPM_ALG_RSA && (unique instanceof RSAUnique)) {
            RSAPublicKey rSAPublicKey = (RSAPublicKey) publicKey;
            RSAUnique rSAUnique = (RSAUnique) unique;
            long unsignedInt = UnsignedNumberUtil.getUnsignedInt(((TPMSRSAParms) tPMTPublic.getParameters()).getExponent());
            if (unsignedInt == 0) {
                unsignedInt = 65537;
            }
            if (rSAPublicKey.getModulus().equals(new BigInteger(1, rSAUnique.getN())) && rSAPublicKey.getPublicExponent().equals(BigInteger.valueOf(unsignedInt))) {
                return;
            }
        } else if (tPMTPublic.getType() == TPMIAlgPublic.TPM_ALG_ECDSA && (unique instanceof ECCUnique)) {
            ECPublicKey eCPublicKey = (ECPublicKey) publicKey;
            ECCUnique eCCUnique = (ECCUnique) unique;
            if (eCPublicKey.getParams().getCurve().equals(((TPMSECCParms) tPMTPublic.getParameters()).getCurveId().getEllipticCurve()) && eCPublicKey.getW().getAffineX().equals(new BigInteger(1, eCCUnique.getX())) && eCPublicKey.getW().getAffineY().equals(new BigInteger(1, eCCUnique.getY()))) {
                return;
            }
        }
        throw new BadAttestationStatementException("publicKey in authData and publicKey in unique pubArea doesn't match");
    }

    void validateAikCert(X509Certificate x509Certificate) {
        try {
            if (!Objects.equals(Integer.valueOf(x509Certificate.getVersion()), 3)) {
                throw new BadAttestationStatementException("x5c must be version 3.");
            }
            if (!x509Certificate.getSubjectDN().getName().isEmpty()) {
                throw new BadAttestationStatementException("x5c subject field MUST be set to empty");
            }
            validateSubjectAlternativeName(x509Certificate);
            if (x509Certificate.getExtendedKeyUsage() == null || !x509Certificate.getExtendedKeyUsage().contains("2.23.133.8.3")) {
                throw new BadAttestationStatementException("Attestation certificate doesn't contain tcg-kp-AIKCertificate (2.23.133.8.3) OID");
            }
            if (x509Certificate.getBasicConstraints() != -1) {
                throw new BadAttestationStatementException("The Basic Constraints extension of attestation certificate must have the CA component set to false");
            }
        } catch (CertificateParsingException e) {
            throw new BadAttestationStatementException("Failed to parse attestation certificate", e);
        }
    }

    private void validateSubjectAlternativeName(X509Certificate x509Certificate) throws CertificateParsingException {
        try {
            for (List<?> list : x509Certificate.getSubjectAlternativeNames()) {
                if (list.get(0).equals(4)) {
                    this.tpmDevicePropertyValidator.validate(parseTPMDeviceProperty(new X500Name((String) list.get(1))));
                    return;
                }
            }
            throw new BadAttestationStatementException("The Subject Alternative Name extension of attestation certificate does not contain a TPM device property");
        } catch (IOException | RuntimeException e) {
            throw new BadAttestationStatementException("The Subject Alternative Name extension of attestation certificate does not contain a TPM device property", e);
        }
    }

    TPMDeviceProperty parseTPMDeviceProperty(X500Name x500Name) throws IOException {
        Map map = (Map) x500Name.stream().flatMap(attributes -> {
            return attributes.entrySet().stream();
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
        return new TPMDeviceProperty(decodeAttr((String) map.get("2.23.133.2.1")), decodeAttr((String) map.get("2.23.133.2.2")), decodeAttr((String) map.get("2.23.133.2.3")));
    }

    private String decodeAttr(String str) throws IOException {
        String str2 = null;
        if (str != null) {
            byte[] hex2bytes = HexUtil.hex2bytes(str.substring(1));
            Asn1Utf8String asn1Utf8String = new Asn1Utf8String();
            asn1Utf8String.decode(hex2bytes);
            str2 = asn1Utf8String.getValue();
        }
        return str2;
    }

    private byte[] getAttToBeSigned(RegistrationObject registrationObject) {
        MessageDigest createSHA256 = MessageDigestUtil.createSHA256();
        byte[] authenticatorDataBytes = registrationObject.getAuthenticatorDataBytes();
        byte[] digest = createSHA256.digest(registrationObject.getCollectedClientDataBytes());
        return ByteBuffer.allocate(authenticatorDataBytes.length + digest.length).put(authenticatorDataBytes).put(digest).array();
    }
}
