package com.yubico.webauthn;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.JsonNodeFactory;
import com.yubico.internal.util.CertificateParser;
import com.yubico.internal.util.ExceptionUtil;
import com.yubico.internal.util.JacksonCodecs;
import com.yubico.webauthn.data.AttestationObject;
import com.yubico.webauthn.data.AttestationType;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.exception.Base64UrlException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.SSLException;
import lombok.Generated;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yubico/webauthn/AndroidSafetynetAttestationStatementVerifier.class */
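/**
 * Verifies attestation statements in the {@code android-safetynet} format.
 *
 * <p>The statement's {@code response} property carries a JWS in compact serialization. This class
 * parses it, verifies the JWS signature with the public key of the first certificate in the JWS
 * header's {@code x5c} array, checks that this certificate is valid for the hostname
 * {@code attest.android.com}, and checks the payload's {@code nonce} and {@code ctsProfileMatch}.
 *
 * <p>Security note: every input handled here (the JWS, its {@code alg} and {@code x5c} headers, the
 * payload) is supplied by the remote party. This class does NOT validate the {@code x5c} chain
 * against a trust anchor; it only checks the leaf certificate's hostname.
 * NOTE(review): chain validation is presumably performed by the caller using
 * {@link #getX5cArray(AttestationObject)} - confirm before relying on a {@code true} result alone.
 */
class AndroidSafetynetAttestationStatementVerifier implements AttestationStatementVerifier, X5cAttestationStatementVerifier {
    @Generated
    private static final Logger log = LoggerFactory.getLogger(AndroidSafetynetAttestationStatementVerifier.class);
    private static final DefaultHostnameVerifier HOSTNAME_VERIFIER = new DefaultHostnameVerifier();

    private final BouncyCastleCrypto crypto = new BouncyCastleCrypto();

    /**
     * Parsed view of a JWS in compact serialization ({@code header.payload.signature}).
     *
     * <p>Parsing does not verify anything: all fields are unauthenticated until the signature has
     * been checked against a trusted key.
     */
    public static final class JsonWebSignatureCustom {
        /** Decoded JWS header; always a JSON object. */
        public final JsonNode header;
        /** Decoded JWS payload; always a JSON object. */
        public final JsonNode payload;
        /** UTF-8 bytes of {@code <header part>.<payload part>}, i.e. the signature input. */
        public final ByteArray signedBytes;
        /** Decoded signature bytes (third part of the JWS). */
        public final ByteArray signature;
        /** Certificates from the header's {@code x5c} array, in header order; unmodifiable and non-empty. */
        public final List<X509Certificate> x5c;
        /** Value of the header's {@code alg} property (a JWS algorithm name). */
        public final String algorithm;

        /**
         * Parses a JWS in compact serialization.
         *
         * @param str the JWS, three Base64Url parts separated by {@code '.'}
         * @throws IllegalArgumentException if the JWS does not have exactly three parts, if the
         *     header or payload is not a JSON object, or if {@code alg} or {@code x5c} is missing
         *     or malformed
         */
        JsonWebSignatureCustom(String str) {
            // Limit -1 keeps trailing empty parts, so "a.b." counts as three parts (with an empty
            // signature) and "a.b.c." as four; anything other than exactly three is malformed.
            final String[] parts = str.split("\\.", -1);
            if (parts.length != 3) {
                throw new IllegalArgumentException(
                        "JWS must consist of exactly 3 dot-separated parts, had " + parts.length + ": " + str);
            }
            final ObjectMapper json = JacksonCodecs.json();
            try {
                final ByteArray headerBytes = ByteArray.fromBase64Url(parts[0]);
                final ByteArray payloadBytes = ByteArray.fromBase64Url(parts[1]);
                this.header = requireObject(json.readTree(headerBytes.getBytes()), "header");
                this.payload = requireObject(json.readTree(payloadBytes.getBytes()), "payload");
                // The signature covers the encoded parts exactly as received, not a re-encoding.
                this.signedBytes = new ByteArray((parts[0] + "." + parts[1]).getBytes(StandardCharsets.UTF_8));
                this.signature = ByteArray.fromBase64Url(parts[2]);
                // Wrapped so that holders of this object cannot swap the certificate that the
                // signature check later reads from index 0.
                this.x5c = Collections.unmodifiableList(getX5c(this.header));
                this.algorithm = requireAlgorithm(this.header);
            } catch (Base64UrlException | IOException e) {
                throw ExceptionUtil.wrapAndLog(AndroidSafetynetAttestationStatementVerifier.log, "Failed to parse JWS: " + str, e);
            } catch (CertificateException e2) {
                throw ExceptionUtil.wrapAndLog(AndroidSafetynetAttestationStatementVerifier.log, "Failed to parse attestation certificates in JWS header: " + str, e2);
            }
        }

        /** Returns {@code node} if it is a JSON object, otherwise rejects the JWS. */
        private static JsonNode requireObject(JsonNode node, String partName) {
            if (node == null || !node.isObject()) {
                throw new IllegalArgumentException("JWS " + partName + " must be a JSON object, was: " + node);
            }
            return node;
        }

        /** Returns the textual {@code alg} header value, rejecting a missing or non-string one. */
        private static String requireAlgorithm(JsonNode header) {
            final JsonNode alg = header.get("alg");
            if (alg == null || !alg.isTextual()) {
                throw new IllegalArgumentException("Property \"alg\" of JWS header must be a string, was: " + alg);
            }
            return alg.textValue();
        }

        /**
         * Parses the certificates listed in the header's {@code x5c} array.
         *
         * @return the parsed certificates in header order; never empty
         * @throws IllegalArgumentException if {@code x5c} is missing, not an array, empty, or holds
         *     a non-string element
         */
        private static List<X509Certificate> getX5c(JsonNode header) throws IOException, CertificateException {
            final JsonNode x5cNode = header.get("x5c");
            if (x5cNode == null || !x5cNode.isArray() || x5cNode.size() == 0) {
                throw new IllegalArgumentException(
                        "Property \"x5c\" of JWS header must be a non-empty array, was: " + x5cNode);
            }
            final List<X509Certificate> certificates = new ArrayList<>(x5cNode.size());
            for (JsonNode certNode : x5cNode) {
                if (!certNode.isTextual()) {
                    throw new IllegalArgumentException(
                            "Elements of JWS header property \"x5c\" must be strings, was: " + certNode);
                }
                certificates.add(CertificateParser.parseDer(certNode.binaryValue()));
            }
            return certificates;
        }

        @Generated
        public JsonNode getHeader() {
            return this.header;
        }

        @Generated
        public JsonNode getPayload() {
            return this.payload;
        }

        @Generated
        public ByteArray getSignedBytes() {
            return this.signedBytes;
        }

        @Generated
        public ByteArray getSignature() {
            return this.signature;
        }

        @Generated
        public List<X509Certificate> getX5c() {
            return this.x5c;
        }

        @Generated
        public String getAlgorithm() {
            return this.algorithm;
        }

        @Override
        @Generated
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof JsonWebSignatureCustom)) {
                return false;
            }
            final JsonWebSignatureCustom other = (JsonWebSignatureCustom) obj;
            return Objects.equals(getHeader(), other.getHeader())
                    && Objects.equals(getPayload(), other.getPayload())
                    && Objects.equals(getSignedBytes(), other.getSignedBytes())
                    && Objects.equals(getSignature(), other.getSignature())
                    && Objects.equals(getX5c(), other.getX5c())
                    && Objects.equals(getAlgorithm(), other.getAlgorithm());
        }

        @Override
        @Generated
        public int hashCode() {
            // Same multiplier (59) and null placeholder (43) as before, so hash values are unchanged.
            int result = 1;
            final Object[] fields = {
                getHeader(), getPayload(), getSignedBytes(), getSignature(), getX5c(), getAlgorithm()
            };
            for (Object field : fields) {
                result = (result * 59) + (field == null ? 43 : field.hashCode());
            }
            return result;
        }

        @Override
        @Generated
        public String toString() {
            return "AndroidSafetynetAttestationStatementVerifier.JsonWebSignatureCustom(header=" + getHeader() + ", payload=" + getPayload() + ", signedBytes=" + getSignedBytes() + ", signature=" + getSignature() + ", x5c=" + getX5c() + ", algorithm=" + getAlgorithm() + ")";
        }
    }

    /** Always reports {@link AttestationType#BASIC}; the attestation object is not inspected. */
    @Override // com.yubico.webauthn.AttestationStatementVerifier
    public AttestationType getAttestationType(AttestationObject attestationObject) {
        return AttestationType.BASIC;
    }

    /**
     * Returns the JWS header's {@code x5c} certificates as a JSON array of binary nodes.
     *
     * <p>The certificates are returned as received; nothing about them has been verified here.
     *
     * @throws IllegalArgumentException if the {@code response} property or the JWS inside it is
     *     malformed
     */
    @Override // com.yubico.webauthn.X5cAttestationStatementVerifier
    public JsonNode getX5cArray(AttestationObject attestationObject) {
        final JsonNodeFactory nodes = JsonNodeFactory.instance;
        final ArrayNode certificates = nodes.arrayNode();
        // The JWS constructor has already rejected a missing, empty or non-string x5c array, so
        // each element here is a text node.
        for (JsonNode certNode : parseJws(attestationObject).getHeader().get("x5c")) {
            certificates.add(nodes.binaryNode(ByteArray.fromBase64(certNode.textValue()).getBytes()));
        }
        return certificates;
    }

    /**
     * Verifies the SafetyNet JWS carried in the attestation statement.
     *
     * <p>Checks, in order: {@code ver} is a string; the JWS signature verifies and the signing
     * certificate is valid for {@code attest.android.com}; the payload's {@code nonce} equals the
     * hash of the authenticator data concatenated with {@code byteArray}; {@code ctsProfileMatch}
     * is {@code true}.
     *
     * @param byteArray bytes appended to the authenticator data before hashing
     *     (NOTE(review): presumably the client data hash - confirm against the caller)
     * @return {@code false} if the JWS signature does not verify, {@code true} if all checks pass
     * @throws IllegalArgumentException if the statement or the JWS is malformed; the nonce,
     *     ctsProfileMatch and hostname checks fail through {@code ExceptionUtil.assure}, whose
     *     exception type is not visible in this file
     */
    @Override // com.yubico.webauthn.AttestationStatementVerifier
    public boolean verifyAttestationSignature(AttestationObject attestationObject, ByteArray byteArray) {
        final JsonNode ver = attestationObject.getAttestationStatement().get("ver");
        if (ver == null || !ver.isTextual()) {
            throw new IllegalArgumentException("Property \"ver\" of android-safetynet attestation statement must be a string, was: " + ver);
        }
        final JsonWebSignatureCustom jws = parseJws(attestationObject);
        if (!verifySignature(jws)) {
            return false;
        }
        // Payload fields are trusted only from here on, after the signature check has passed.
        final JsonNode payload = jws.getPayload();

        final JsonNode nonceNode = payload.get("nonce");
        if (nonceNode == null || !nonceNode.isTextual()) {
            throw new IllegalArgumentException("Property \"nonce\" of SafetyNet response payload must be a string, was: " + nonceNode);
        }
        final ByteArray expectedNonce = this.crypto.hash(attestationObject.getAuthenticatorData().getBytes().concat(byteArray));
        final ByteArray actualNonce = ByteArray.fromBase64(nonceNode.textValue());
        ExceptionUtil.assure(expectedNonce.equals(actualNonce), "Nonce does not equal authenticator data + client data. Expected nonce: %s, was nonce: %s", new Object[]{expectedNonce.getBase64Url(), actualNonce.getBase64Url()});

        // A missing property is treated like any other non-true value instead of dereferencing null.
        final JsonNode ctsProfileMatch = payload.get("ctsProfileMatch");
        ExceptionUtil.assure(ctsProfileMatch != null && ctsProfileMatch.booleanValue(), "Expected ctsProfileMatch to be true, was: %s", new Object[]{ctsProfileMatch});
        return true;
    }

    /** Decodes the statement's {@code response} bytes as UTF-8 and parses them as a compact JWS. */
    private static JsonWebSignatureCustom parseJws(AttestationObject attestationObject) {
        return new JsonWebSignatureCustom(new String(getResponseBytes(attestationObject).getBytes(), StandardCharsets.UTF_8));
    }

    /**
     * Extracts the binary {@code response} property of the attestation statement.
     *
     * @throws IllegalArgumentException if the property is missing or not a binary value
     */
    private static ByteArray getResponseBytes(AttestationObject attestationObject) {
        final JsonNode response = attestationObject.getAttestationStatement().get("response");
        if (response == null || !response.isBinary()) {
            throw new IllegalArgumentException("Property \"response\" of android-safetynet attestation statement must be a binary value, was: " + response);
        }
        try {
            return new ByteArray(response.binaryValue());
        } catch (IOException e) {
            throw ExceptionUtil.wrapAndLog(log, "response.isBinary() was true but response.binaryValue failed: " + response, e);
        }
    }

    /**
     * Verifies the JWS signature with the first {@code x5c} certificate and checks that this
     * certificate is valid for {@code attest.android.com}.
     *
     * <p>Both the algorithm name and the certificate come from the unauthenticated JWS header.
     * NOTE(review): which algorithm names {@code WebAuthnCodecs.jwsAlgorithmNameToJavaAlgorithmName}
     * accepts is not visible here - confirm it is a strict allow-list.
     *
     * @return whether the signature is valid for the signed bytes
     */
    private boolean verifySignature(JsonWebSignatureCustom jsonWebSignatureCustom) {
        final X509Certificate leaf = jsonWebSignatureCustom.getX5c().get(0);
        final String javaAlgorithm = WebAuthnCodecs.jwsAlgorithmNameToJavaAlgorithmName(jsonWebSignatureCustom.getAlgorithm());

        final Signature verifier;
        try {
            verifier = Signature.getInstance(javaAlgorithm, this.crypto.getProvider());
        } catch (NoSuchAlgorithmException e) {
            throw ExceptionUtil.wrapAndLog(log, "Failed to get a Signature instance for " + javaAlgorithm, e);
        }
        try {
            verifier.initVerify(leaf.getPublicKey());
        } catch (InvalidKeyException e) {
            throw ExceptionUtil.wrapAndLog(log, "Attestation key is invalid: " + leaf, e);
        }
        try {
            verifier.update(jsonWebSignatureCustom.getSignedBytes().getBytes());
        } catch (SignatureException e) {
            throw ExceptionUtil.wrapAndLog(log, "Signature object in invalid state: " + verifier, e);
        }
        ExceptionUtil.assure(verifyHostname(leaf), "Certificate isn't issued for the hostname attest.android.com: %s", new Object[]{leaf});
        try {
            return verifier.verify(jsonWebSignatureCustom.getSignature().getBytes());
        } catch (SignatureException e) {
            throw ExceptionUtil.wrapAndLog(log, "Failed to verify signature of JWS: " + jsonWebSignatureCustom, e);
        }
    }

    /** Returns whether the certificate passes hostname verification for {@code attest.android.com}. */
    private static boolean verifyHostname(X509Certificate x509Certificate) {
        try {
            HOSTNAME_VERIFIER.verify("attest.android.com", x509Certificate);
            return true;
        } catch (SSLException e) {
            // A mismatch is an expected outcome reported through the return value; keep the
            // reason available for troubleshooting instead of dropping it.
            log.debug("Hostname verification for attest.android.com failed", e);
            return false;
        }
    }
}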
