package com.yubico.fido.metadata;

import com.fasterxml.jackson.core.Base64Variants;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.yubico.fido.metadata.FidoMetadataDownloaderException;
import com.yubico.internal.util.BinaryUtil;
import com.yubico.internal.util.CertificateParser;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.exception.Base64UrlException;
import com.yubico.webauthn.data.exception.HexException;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.security.DigestException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Scanner;
import java.util.Set;
import java.util.UUID;
import java.util.function.Consumer;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import lombok.Generated;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yubico/fido/metadata/FidoMetadataDownloader.class */
public final class FidoMetadataDownloader {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(FidoMetadataDownloader.class);

    @NonNull
    private final Set<String> expectedLegalHeaders;
    private final X509Certificate trustRootCertificate;
    private final URL trustRootUrl;
    private final Set<ByteArray> trustRootSha256;
    private final File trustRootCacheFile;
    private final Supplier<Optional<ByteArray>> trustRootCacheSupplier;
    private final Consumer<ByteArray> trustRootCacheConsumer;
    private final String blobJwt;
    private final URL blobUrl;
    private final File blobCacheFile;
    private final Supplier<Optional<ByteArray>> blobCacheSupplier;
    private final Consumer<ByteArray> blobCacheConsumer;
    private final CertStore certStore;

    @NonNull
    private final Clock clock;
    private final KeyStore httpsTrustStore;
    private final boolean verifyDownloadsOnly;

    /* loaded from: input_file:com/yubico/fido/metadata/FidoMetadataDownloader$FidoMetadataDownloaderBuilder.class */
    public static class FidoMetadataDownloaderBuilder {

        @NonNull
        private final Set<String> expectedLegalHeaders;
        private final X509Certificate trustRootCertificate;
        private final URL trustRootUrl;
        private final Set<ByteArray> trustRootSha256;
        private final File trustRootCacheFile;
        private final Supplier<Optional<ByteArray>> trustRootCacheSupplier;
        private final Consumer<ByteArray> trustRootCacheConsumer;
        private final String blobJwt;
        private final URL blobUrl;
        private final File blobCacheFile;
        private final Supplier<Optional<ByteArray>> blobCacheSupplier;
        private final Consumer<ByteArray> blobCacheConsumer;
        private CertStore certStore = null;

        @NonNull
        private Clock clock = Clock.systemUTC();
        private KeyStore httpsTrustStore = null;
        private boolean verifyDownloadsOnly = false;

        /* loaded from: input_file:com/yubico/fido/metadata/FidoMetadataDownloader$FidoMetadataDownloaderBuilder$Step1.class */
        public static class Step1 {
            public Step2 expectLegalHeader(@NonNull String... strArr) {
                if (strArr == null) {
                    throw new NullPointerException("expectedLegalHeaders is marked non-null but is null");
                }
                return new Step2((Set) Stream.of((Object[]) strArr).collect(Collectors.toSet()));
            }

            @Generated
            private Step1() {
            }
        }

        /* loaded from: input_file:com/yubico/fido/metadata/FidoMetadataDownloader$FidoMetadataDownloaderBuilder$Step2.class */
        public static class Step2 {

            @NonNull
            private final Set<String> expectedLegalHeaders;

            public Step3 useDefaultTrustRoot() {
                try {
                    return downloadTrustRoot(new URL("https://secure.globalsign.com/cacert/root-r3.crt"), Collections.singleton(ByteArray.fromHex("cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b")));
                } catch (HexException e) {
                    throw new RuntimeException("Bad hard-coded trust root certificate hash. Please file a bug report.", e);
                } catch (MalformedURLException e2) {
                    throw new RuntimeException("Bad hard-coded trust root certificate URL. Please file a bug report.", e2);
                }
            }

            public Step3 downloadTrustRoot(@NonNull URL url, @NonNull Set<ByteArray> set) {
                if (url == null) {
                    throw new NullPointerException("url is marked non-null but is null");
                }
                if (set == null) {
                    throw new NullPointerException("acceptedCertSha256 is marked non-null but is null");
                }
                if ("https".equals(url.getProtocol())) {
                    return new Step3(this, null, url, set);
                }
                throw new IllegalArgumentException("Trust certificate download URL must be a HTTPS URL.");
            }

            public Step4 useTrustRoot(@NonNull X509Certificate x509Certificate) {
                if (x509Certificate == null) {
                    throw new NullPointerException("trustRootCertificate is marked non-null but is null");
                }
                return new Step4(new Step3(this, x509Certificate, null, null), null, null, null);
            }

            @Generated
            private Step2(@NonNull Set<String> set) {
                if (set == null) {
                    throw new NullPointerException("expectedLegalHeaders is marked non-null but is null");
                }
                this.expectedLegalHeaders = set;
            }
        }

        /* loaded from: input_file:com/yubico/fido/metadata/FidoMetadataDownloader$FidoMetadataDownloaderBuilder$Step3.class */
        public static class Step3 {

            @NonNull
            private final Step2 step2;
            private final X509Certificate trustRootCertificate;
            private final URL trustRootUrl;
            private final Set<ByteArray> trustRootSha256;

            public Step4 useTrustRootCacheFile(@NonNull File file) {
                if (file == null) {
                    throw new NullPointerException("cacheFile is marked non-null but is null");
                }
                return new Step4(this, file, null, null);
            }

            public Step4 useTrustRootCache(@NonNull Supplier<Optional<ByteArray>> supplier, @NonNull Consumer<ByteArray> consumer) {
                if (supplier == null) {
                    throw new NullPointerException("getCachedTrustRootCert is marked non-null but is null");
                }
                if (consumer == null) {
                    throw new NullPointerException("writeCachedTrustRootCert is marked non-null but is null");
                }
                return new Step4(this, null, supplier, consumer);
            }

            @Generated
            private Step3(@NonNull Step2 step2, X509Certificate x509Certificate, URL url, Set<ByteArray> set) {
                if (step2 == null) {
                    throw new NullPointerException("step2 is marked non-null but is null");
                }
                this.step2 = step2;
                this.trustRootCertificate = x509Certificate;
                this.trustRootUrl = url;
                this.trustRootSha256 = set;
            }
        }

        /* loaded from: input_file:com/yubico/fido/metadata/FidoMetadataDownloader$FidoMetadataDownloaderBuilder$Step4.class */
        public static class Step4 {

            @NonNull
            private final Step3 step3;
            private final File trustRootCacheFile;
            private final Supplier<Optional<ByteArray>> trustRootCacheSupplier;
            private final Consumer<ByteArray> trustRootCacheConsumer;

            public Step5 useDefaultBlob() {
                try {
                    return downloadBlob(new URL("https://mds.fidoalliance.org/"));
                } catch (MalformedURLException e) {
                    throw new RuntimeException("Bad hard-coded trust root certificate URL. Please file a bug report.", e);
                }
            }

            public Step5 downloadBlob(@NonNull URL url) {
                if (url == null) {
                    throw new NullPointerException("url is marked non-null but is null");
                }
                return new Step5(this, null, url);
            }

            public FidoMetadataDownloaderBuilder useBlob(@NonNull String str) {
                if (str == null) {
                    throw new NullPointerException("blobJwt is marked non-null but is null");
                }
                return FidoMetadataDownloaderBuilder.finishRequiredSteps(new Step5(this, str, null), null, null, null);
            }

            @Generated
            private Step4(@NonNull Step3 step3, File file, Supplier<Optional<ByteArray>> supplier, Consumer<ByteArray> consumer) {
                if (step3 == null) {
                    throw new NullPointerException("step3 is marked non-null but is null");
                }
                this.step3 = step3;
                this.trustRootCacheFile = file;
                this.trustRootCacheSupplier = supplier;
                this.trustRootCacheConsumer = consumer;
            }
        }

        /* loaded from: input_file:com/yubico/fido/metadata/FidoMetadataDownloader$FidoMetadataDownloaderBuilder$Step5.class */
        public static class Step5 {

            @NonNull
            private final Step4 step4;
            private final String blobJwt;
            private final URL blobUrl;

            public FidoMetadataDownloaderBuilder useBlobCacheFile(@NonNull File file) {
                if (file == null) {
                    throw new NullPointerException("cacheFile is marked non-null but is null");
                }
                return FidoMetadataDownloaderBuilder.finishRequiredSteps(this, file, null, null);
            }

            public FidoMetadataDownloaderBuilder useBlobCache(@NonNull Supplier<Optional<ByteArray>> supplier, @NonNull Consumer<ByteArray> consumer) {
                if (supplier == null) {
                    throw new NullPointerException("getCachedBlob is marked non-null but is null");
                }
                if (consumer == null) {
                    throw new NullPointerException("writeCachedBlob is marked non-null but is null");
                }
                return FidoMetadataDownloaderBuilder.finishRequiredSteps(this, null, supplier, consumer);
            }

            @Generated
            private Step5(@NonNull Step4 step4, String str, URL url) {
                if (step4 == null) {
                    throw new NullPointerException("step4 is marked non-null but is null");
                }
                this.step4 = step4;
                this.blobJwt = str;
                this.blobUrl = url;
            }
        }

        public FidoMetadataDownloader build() {
            return new FidoMetadataDownloader(this.expectedLegalHeaders, this.trustRootCertificate, this.trustRootUrl, this.trustRootSha256, this.trustRootCacheFile, this.trustRootCacheSupplier, this.trustRootCacheConsumer, this.blobJwt, this.blobUrl, this.blobCacheFile, this.blobCacheSupplier, this.blobCacheConsumer, this.certStore, this.clock, this.httpsTrustStore, this.verifyDownloadsOnly);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public static FidoMetadataDownloaderBuilder finishRequiredSteps(Step5 step5, File file, Supplier<Optional<ByteArray>> supplier, Consumer<ByteArray> consumer) {
            return new FidoMetadataDownloaderBuilder(step5.step4.step3.step2.expectedLegalHeaders, step5.step4.step3.trustRootCertificate, step5.step4.step3.trustRootUrl, step5.step4.step3.trustRootSha256, step5.step4.trustRootCacheFile, step5.step4.trustRootCacheSupplier, step5.step4.trustRootCacheConsumer, step5.blobJwt, step5.blobUrl, file, supplier, consumer);
        }

        public FidoMetadataDownloaderBuilder clock(@NonNull Clock clock) {
            if (clock == null) {
                throw new NullPointerException("clock is marked non-null but is null");
            }
            this.clock = clock;
            return this;
        }

        public FidoMetadataDownloaderBuilder useCrls(@NonNull Collection<CRL> collection) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
            if (collection == null) {
                throw new NullPointerException("crls is marked non-null but is null");
            }
            return useCrls(CertStore.getInstance("Collection", new CollectionCertStoreParameters(collection)));
        }

        public FidoMetadataDownloaderBuilder useCrls(CertStore certStore) {
            this.certStore = certStore;
            return this;
        }

        public FidoMetadataDownloaderBuilder trustHttpsCerts(@NonNull X509Certificate... x509CertificateArr) {
            if (x509CertificateArr == null) {
                throw new NullPointerException("certificates is marked non-null but is null");
            }
            try {
                KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                keyStore.load(null);
                for (X509Certificate x509Certificate : x509CertificateArr) {
                    try {
                        keyStore.setCertificateEntry(UUID.randomUUID().toString(), x509Certificate);
                    } catch (KeyStoreException e) {
                        throw new RuntimeException("Failed to import HTTPS cert into KeyStore. This should not be possible, please file a bug report.", e);
                    }
                }
                this.httpsTrustStore = keyStore;
                return this;
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e2) {
                throw new RuntimeException("Failed to instantiate or initialize KeyStore. This should not be possible, please file a bug report.", e2);
            }
        }

        public FidoMetadataDownloaderBuilder verifyDownloadsOnly(boolean z) {
            this.verifyDownloadsOnly = z;
            return this;
        }

        @Generated
        private FidoMetadataDownloaderBuilder(@NonNull Set<String> set, X509Certificate x509Certificate, URL url, Set<ByteArray> set2, File file, Supplier<Optional<ByteArray>> supplier, Consumer<ByteArray> consumer, String str, URL url2, File file2, Supplier<Optional<ByteArray>> supplier2, Consumer<ByteArray> consumer2) {
            if (set == null) {
                throw new NullPointerException("expectedLegalHeaders is marked non-null but is null");
            }
            this.expectedLegalHeaders = set;
            this.trustRootCertificate = x509Certificate;
            this.trustRootUrl = url;
            this.trustRootSha256 = set2;
            this.trustRootCacheFile = file;
            this.trustRootCacheSupplier = supplier;
            this.trustRootCacheConsumer = consumer;
            this.blobJwt = str;
            this.blobUrl = url2;
            this.blobCacheFile = file2;
            this.blobCacheSupplier = supplier2;
            this.blobCacheConsumer = consumer2;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yubico/fido/metadata/FidoMetadataDownloader$ParseResult.class */
    public static final class ParseResult {
        private final MetadataBLOB blob;
        private final ByteArray jwtHeader;
        private final ByteArray jwtPayload;
        private final ByteArray jwtSignature;

        @Generated
        public ParseResult(MetadataBLOB metadataBLOB, ByteArray byteArray, ByteArray byteArray2, ByteArray byteArray3) {
            this.blob = metadataBLOB;
            this.jwtHeader = byteArray;
            this.jwtPayload = byteArray2;
            this.jwtSignature = byteArray3;
        }

        @Generated
        public MetadataBLOB getBlob() {
            return this.blob;
        }

        @Generated
        public ByteArray getJwtHeader() {
            return this.jwtHeader;
        }

        @Generated
        public ByteArray getJwtPayload() {
            return this.jwtPayload;
        }

        @Generated
        public ByteArray getJwtSignature() {
            return this.jwtSignature;
        }

        @Generated
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof ParseResult)) {
                return false;
            }
            ParseResult parseResult = (ParseResult) obj;
            MetadataBLOB blob = getBlob();
            MetadataBLOB blob2 = parseResult.getBlob();
            if (blob == null) {
                if (blob2 != null) {
                    return false;
                }
            } else if (!blob.equals(blob2)) {
                return false;
            }
            ByteArray jwtHeader = getJwtHeader();
            ByteArray jwtHeader2 = parseResult.getJwtHeader();
            if (jwtHeader == null) {
                if (jwtHeader2 != null) {
                    return false;
                }
            } else if (!jwtHeader.equals(jwtHeader2)) {
                return false;
            }
            ByteArray jwtPayload = getJwtPayload();
            ByteArray jwtPayload2 = parseResult.getJwtPayload();
            if (jwtPayload == null) {
                if (jwtPayload2 != null) {
                    return false;
                }
            } else if (!jwtPayload.equals(jwtPayload2)) {
                return false;
            }
            ByteArray jwtSignature = getJwtSignature();
            ByteArray jwtSignature2 = parseResult.getJwtSignature();
            return jwtSignature == null ? jwtSignature2 == null : jwtSignature.equals(jwtSignature2);
        }

        @Generated
        public int hashCode() {
            MetadataBLOB blob = getBlob();
            int hashCode = (1 * 59) + (blob == null ? 43 : blob.hashCode());
            ByteArray jwtHeader = getJwtHeader();
            int hashCode2 = (hashCode * 59) + (jwtHeader == null ? 43 : jwtHeader.hashCode());
            ByteArray jwtPayload = getJwtPayload();
            int hashCode3 = (hashCode2 * 59) + (jwtPayload == null ? 43 : jwtPayload.hashCode());
            ByteArray jwtSignature = getJwtSignature();
            return (hashCode3 * 59) + (jwtSignature == null ? 43 : jwtSignature.hashCode());
        }

        @Generated
        public String toString() {
            return "FidoMetadataDownloader.ParseResult(blob=" + getBlob() + ", jwtHeader=" + getJwtHeader() + ", jwtPayload=" + getJwtPayload() + ", jwtSignature=" + getJwtSignature() + ")";
        }
    }

    public static FidoMetadataDownloaderBuilder.Step1 builder() {
        return new FidoMetadataDownloaderBuilder.Step1();
    }

    /* JADX WARN: Type inference failed for: r0v22, types: [java.time.ZonedDateTime] */
    public MetadataBLOB loadCachedBlob() throws CertPathValidatorException, InvalidAlgorithmParameterException, Base64UrlException, CertificateException, IOException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnexpectedLegalHeader, DigestException, FidoMetadataDownloaderException {
        X509Certificate retrieveTrustRootCert = retrieveTrustRootCert();
        Optional<MetadataBLOB> loadExplicitBlobOnly = loadExplicitBlobOnly(retrieveTrustRootCert);
        if (loadExplicitBlobOnly.isPresent()) {
            log.debug("Explicit BLOB is set - disregarding cache and download.");
            return loadExplicitBlobOnly.get();
        }
        Optional<MetadataBLOB> loadCachedBlobOnly = loadCachedBlobOnly(retrieveTrustRootCert);
        if (loadCachedBlobOnly.isPresent()) {
            log.debug("Cached BLOB exists, checking expiry date...");
            if (loadCachedBlobOnly.get().getPayload().getNextUpdate().atStartOfDay().atZone(this.clock.getZone()).isAfter(this.clock.instant().atZone(this.clock.getZone()))) {
                log.debug("Cached BLOB has not yet expired - using cached BLOB.");
                return loadCachedBlobOnly.get();
            }
            log.debug("Cached BLOB has expired.");
        } else {
            log.debug("Cached BLOB does not exist or is invalid.");
        }
        return refreshBlobInternal(retrieveTrustRootCert, loadCachedBlobOnly).get();
    }

    public MetadataBLOB refreshBlob() throws CertPathValidatorException, InvalidAlgorithmParameterException, Base64UrlException, CertificateException, IOException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnexpectedLegalHeader, DigestException, FidoMetadataDownloaderException {
        X509Certificate retrieveTrustRootCert = retrieveTrustRootCert();
        Optional<MetadataBLOB> loadExplicitBlobOnly = loadExplicitBlobOnly(retrieveTrustRootCert);
        if (loadExplicitBlobOnly.isPresent()) {
            log.debug("Explicit BLOB is set - disregarding cache and download.");
            return loadExplicitBlobOnly.get();
        }
        Optional<MetadataBLOB> loadCachedBlobOnly = loadCachedBlobOnly(retrieveTrustRootCert);
        if (loadCachedBlobOnly.isPresent()) {
            log.debug("Cached BLOB exists, proceeding to compare against fresh BLOB...");
        } else {
            log.debug("Cached BLOB does not exist or is invalid.");
        }
        return refreshBlobInternal(retrieveTrustRootCert, loadCachedBlobOnly).get();
    }

    private Optional<MetadataBLOB> refreshBlobInternal(@NonNull X509Certificate x509Certificate, @NonNull Optional<MetadataBLOB> optional) throws CertPathValidatorException, InvalidAlgorithmParameterException, Base64UrlException, CertificateException, IOException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnexpectedLegalHeader, FidoMetadataDownloaderException {
        if (x509Certificate == null) {
            throw new NullPointerException("trustRoot is marked non-null but is null");
        }
        if (optional == null) {
            throw new NullPointerException("cached is marked non-null but is null");
        }
        try {
            log.debug("Attempting to download new BLOB...");
            ByteArray download = download(this.blobUrl);
            MetadataBLOB parseAndVerifyBlob = parseAndVerifyBlob(download, x509Certificate);
            log.debug("New BLOB downloaded.");
            if (optional.isPresent()) {
                log.debug("Cached BLOB exists - checking if new BLOB has a higher \"no\"...");
                if (parseAndVerifyBlob.getPayload().getNo() <= optional.get().getPayload().getNo()) {
                    log.debug("New BLOB does not have a higher \"no\" - using cached BLOB instead.");
                    return optional;
                }
                log.debug("New BLOB has a higher \"no\" - proceeding with new BLOB.");
            }
            log.debug("Checking legalHeader in new BLOB...");
            if (!this.expectedLegalHeaders.contains(parseAndVerifyBlob.getPayload().getLegalHeader())) {
                throw new UnexpectedLegalHeader(optional.orElse(null), parseAndVerifyBlob);
            }
            log.debug("Writing new BLOB to cache...");
            if (this.blobCacheFile != null) {
                FileOutputStream fileOutputStream = new FileOutputStream(this.blobCacheFile);
                try {
                    fileOutputStream.write(download.getBytes());
                    fileOutputStream.close();
                } finally {
                }
            }
            if (this.blobCacheConsumer != null) {
                this.blobCacheConsumer.accept(download);
            }
            return Optional.of(parseAndVerifyBlob);
        } catch (FidoMetadataDownloaderException e) {
            if (e.getReason() != FidoMetadataDownloaderException.Reason.BAD_SIGNATURE || !optional.isPresent()) {
                throw e;
            }
            log.warn("New BLOB has bad signature - falling back to cached BLOB.");
            return optional;
        } catch (Exception e2) {
            if (!optional.isPresent()) {
                throw e2;
            }
            log.warn("Failed to download new BLOB - falling back to cached BLOB.", e2);
            return optional;
        }
    }

    private X509Certificate retrieveTrustRootCert() throws CertificateException, DigestException, IOException, NoSuchAlgorithmException {
        ByteArray verifyHash;
        if (this.trustRootCertificate != null) {
            return this.trustRootCertificate;
        }
        Optional<ByteArray> readCacheFile = this.trustRootCacheFile != null ? readCacheFile(this.trustRootCacheFile) : this.trustRootCacheSupplier.get();
        X509Certificate x509Certificate = null;
        if (readCacheFile.isPresent() && (verifyHash = verifyHash(readCacheFile.get(), this.trustRootSha256)) != null) {
            try {
                X509Certificate parseDer = CertificateParser.parseDer(verifyHash.getBytes());
                parseDer.checkValidity(Date.from(this.clock.instant()));
                x509Certificate = parseDer;
            } catch (CertificateException e) {
            }
        }
        if (x509Certificate == null) {
            ByteArray verifyHash2 = verifyHash(download(this.trustRootUrl), this.trustRootSha256);
            if (verifyHash2 == null) {
                throw new DigestException("Downloaded trust root certificate matches none of the acceptable hashes.");
            }
            x509Certificate = CertificateParser.parseDer(verifyHash2.getBytes());
            x509Certificate.checkValidity(Date.from(this.clock.instant()));
            if (this.trustRootCacheFile != null) {
                FileOutputStream fileOutputStream = new FileOutputStream(this.trustRootCacheFile);
                try {
                    fileOutputStream.write(verifyHash2.getBytes());
                    fileOutputStream.close();
                } catch (Throwable th) {
                    try {
                        fileOutputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            }
            if (this.trustRootCacheConsumer != null) {
                this.trustRootCacheConsumer.accept(verifyHash2);
            }
        }
        return x509Certificate;
    }

    private Optional<MetadataBLOB> loadExplicitBlobOnly(X509Certificate x509Certificate) throws Base64UrlException, CertPathValidatorException, CertificateException, IOException, InvalidAlgorithmParameterException, InvalidKeyException, NoSuchAlgorithmException, SignatureException, FidoMetadataDownloaderException {
        return this.blobJwt != null ? Optional.of(parseAndMaybeVerifyBlob(new ByteArray(this.blobJwt.getBytes(StandardCharsets.UTF_8)), x509Certificate)) : Optional.empty();
    }

    private Optional<MetadataBLOB> loadCachedBlobOnly(X509Certificate x509Certificate) {
        Optional<ByteArray> optional;
        if (this.blobCacheFile != null) {
            log.debug("Attempting to read BLOB from cache file...");
            try {
                optional = readCacheFile(this.blobCacheFile);
            } catch (IOException e) {
                return Optional.empty();
            }
        } else {
            log.debug("Attempting to read BLOB from cache Supplier...");
            optional = this.blobCacheSupplier.get();
        }
        return optional.map(byteArray -> {
            try {
                return parseAndMaybeVerifyBlob(byteArray, x509Certificate);
            } catch (Exception e2) {
                log.warn("Failed to read or parse cached BLOB.", e2);
                return null;
            }
        });
    }

    private Optional<ByteArray> readCacheFile(File file) throws IOException {
        if (!file.exists() || !file.canRead() || !file.isFile()) {
            return Optional.empty();
        }
        try {
            FileInputStream fileInputStream = new FileInputStream(file);
            try {
                Optional<ByteArray> of = Optional.of(readAll(fileInputStream));
                fileInputStream.close();
                return of;
            } finally {
            }
        } catch (FileNotFoundException e) {
            throw new RuntimeException("This exception should be impossible, please file a bug report.", e);
        }
    }

    private ByteArray download(URL url) throws IOException {
        URLConnection openConnection = url.openConnection();
        if (openConnection instanceof HttpsURLConnection) {
            HttpsURLConnection httpsURLConnection = (HttpsURLConnection) openConnection;
            if (this.httpsTrustStore != null) {
                try {
                    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                    trustManagerFactory.init(this.httpsTrustStore);
                    SSLContext sSLContext = SSLContext.getInstance("TLS");
                    sSLContext.init(null, trustManagerFactory.getTrustManagers(), null);
                    httpsURLConnection.setSSLSocketFactory(sSLContext.getSocketFactory());
                } catch (KeyManagementException | KeyStoreException | NoSuchAlgorithmException e) {
                    throw new RuntimeException("Failed to initialize HTTPS trust store. This should be impossible, please file a bug report.", e);
                }
            }
            httpsURLConnection.setRequestMethod("GET");
        }
        return readAll(openConnection.getInputStream());
    }

    private MetadataBLOB parseAndVerifyBlob(ByteArray byteArray, X509Certificate x509Certificate) throws CertPathValidatorException, InvalidAlgorithmParameterException, CertificateException, IOException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, Base64UrlException, FidoMetadataDownloaderException {
        return verifyBlob(parseBlob(byteArray), x509Certificate);
    }

    private MetadataBLOB parseAndMaybeVerifyBlob(ByteArray byteArray, X509Certificate x509Certificate) throws CertPathValidatorException, InvalidAlgorithmParameterException, CertificateException, IOException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, Base64UrlException, FidoMetadataDownloaderException {
        return this.verifyDownloadsOnly ? parseBlob(byteArray).blob : verifyBlob(parseBlob(byteArray), x509Certificate);
    }

    private MetadataBLOB verifyBlob(ParseResult parseResult, X509Certificate x509Certificate) throws IOException, CertificateException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, CertPathValidatorException, InvalidAlgorithmParameterException, FidoMetadataDownloaderException {
        List<X509Certificate> singletonList;
        Signature signature;
        MetadataBLOBHeader header = parseResult.blob.getHeader();
        if (header.getX5u().isPresent()) {
            URL url = header.getX5u().get();
            if (this.blobUrl != null && (!url.getHost().equals(this.blobUrl.getHost()) || !url.getProtocol().equals(this.blobUrl.getProtocol()) || url.getPort() != this.blobUrl.getPort())) {
                throw new IllegalArgumentException(String.format("x5u in BLOB header must have same origin as the URL the BLOB was downloaded from. Expected origin of: %s ; found: %s", this.blobUrl, url));
            }
            ArrayList arrayList = new ArrayList();
            for (String str : new String(download(url).getBytes(), StandardCharsets.UTF_8).trim().split("\\n+-----END CERTIFICATE-----\\n+-----BEGIN CERTIFICATE-----\\n+")) {
                arrayList.add(CertificateParser.parsePem(str));
            }
            singletonList = arrayList;
        } else {
            singletonList = header.getX5c().isPresent() ? header.getX5c().get() : Collections.singletonList(x509Certificate);
        }
        X509Certificate x509Certificate2 = singletonList.get(0);
        String alg = header.getAlg();
        boolean z = -1;
        switch (alg.hashCode()) {
            case 66245349:
                if (alg.equals("ES256")) {
                    z = true;
                    break;
                }
                break;
            case 78251122:
                if (alg.equals("RS256")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                signature = Signature.getInstance("SHA256withRSA");
                break;
            case true:
                signature = Signature.getInstance("SHA256withECDSA");
                break;
            default:
                throw new UnsupportedOperationException("Unimplemented JWT verification algorithm: " + header.getAlg());
        }
        signature.initVerify(x509Certificate2.getPublicKey());
        signature.update((parseResult.jwtHeader.getBase64Url() + "." + parseResult.jwtPayload.getBase64Url()).getBytes(StandardCharsets.UTF_8));
        if (!signature.verify(parseResult.jwtSignature.getBytes())) {
            throw new FidoMetadataDownloaderException(FidoMetadataDownloaderException.Reason.BAD_SIGNATURE);
        }
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
        CertPath generateCertPath = certificateFactory.generateCertPath(singletonList);
        PKIXParameters pKIXParameters = new PKIXParameters((Set<TrustAnchor>) Collections.singleton(new TrustAnchor(x509Certificate, null)));
        if (this.certStore != null) {
            pKIXParameters.addCertStore(this.certStore);
        }
        pKIXParameters.setDate(Date.from(this.clock.instant()));
        certPathValidator.validate(generateCertPath, pKIXParameters);
        return parseResult.blob;
    }

    private static ParseResult parseBlob(ByteArray byteArray) throws IOException, Base64UrlException {
        Scanner useDelimiter = new Scanner(new ByteArrayInputStream(byteArray.getBytes())).useDelimiter("\\.");
        ByteArray fromBase64Url = ByteArray.fromBase64Url(useDelimiter.next());
        ByteArray fromBase64Url2 = ByteArray.fromBase64Url(useDelimiter.next());
        return new ParseResult(new MetadataBLOB((MetadataBLOBHeader) com.yubico.internal.util.JacksonCodecs.json().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true).setBase64Variant(Base64Variants.MIME_NO_LINEFEEDS).readValue(fromBase64Url.getBytes(), MetadataBLOBHeader.class), (MetadataBLOBPayload) JacksonCodecs.jsonWithDefaultEnums().readValue(fromBase64Url2.getBytes(), MetadataBLOBPayload.class)), fromBase64Url, fromBase64Url2, ByteArray.fromBase64Url(useDelimiter.next()));
    }

    private static ByteArray readAll(InputStream inputStream) throws IOException {
        return new ByteArray(BinaryUtil.readAll(inputStream));
    }

    private static ByteArray verifyHash(ByteArray byteArray, Set<ByteArray> set) throws NoSuchAlgorithmException {
        ByteArray byteArray2 = new ByteArray(MessageDigest.getInstance("SHA-256").digest(byteArray.getBytes()));
        Stream<ByteArray> stream = set.stream();
        Objects.requireNonNull(byteArray2);
        if (stream.anyMatch((v1) -> {
            return r1.equals(v1);
        })) {
            return byteArray;
        }
        return null;
    }

    @Generated
    private FidoMetadataDownloader(@NonNull Set<String> set, X509Certificate x509Certificate, URL url, Set<ByteArray> set2, File file, Supplier<Optional<ByteArray>> supplier, Consumer<ByteArray> consumer, String str, URL url2, File file2, Supplier<Optional<ByteArray>> supplier2, Consumer<ByteArray> consumer2, CertStore certStore, @NonNull Clock clock, KeyStore keyStore, boolean z) {
        if (set == null) {
            throw new NullPointerException("expectedLegalHeaders is marked non-null but is null");
        }
        if (clock == null) {
            throw new NullPointerException("clock is marked non-null but is null");
        }
        this.expectedLegalHeaders = set;
        this.trustRootCertificate = x509Certificate;
        this.trustRootUrl = url;
        this.trustRootSha256 = set2;
        this.trustRootCacheFile = file;
        this.trustRootCacheSupplier = supplier;
        this.trustRootCacheConsumer = consumer;
        this.blobJwt = str;
        this.blobUrl = url2;
        this.blobCacheFile = file2;
        this.blobCacheSupplier = supplier2;
        this.blobCacheConsumer = consumer2;
        this.certStore = certStore;
        this.clock = clock;
        this.httpsTrustStore = keyStore;
        this.verifyDownloadsOnly = z;
    }
}
