package com.yubico.webauthn;

import com.yubico.internal.util.ExceptionUtil;
import com.yubico.webauthn.data.AttestationObject;
import com.yubico.webauthn.data.AttestationType;
import com.yubico.webauthn.data.ByteArray;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yubico/webauthn/AppleAttestationStatementVerifier.class */
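/**
 * Verifier for the WebAuthn "apple" (Apple anonymous) attestation statement format.
 *
 * <p>The checks performed here bind the attestation certificate to this specific registration:
 * the certificate must carry a nonce extension derived from the authenticator data and the client
 * data hash, and its subject public key must equal the credential public key.
 *
 * <p>NOTE(review): nothing in this class validates the certificate chain or a trust anchor. The
 * binding checks are only meaningful if the x5c trust path is validated elsewhere - confirm
 * against the caller before relying on a {@code true} result as proof of provenance.
 */
final class AppleAttestationStatementVerifier implements AttestationStatementVerifier, X5cAttestationStatementVerifier {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(AppleAttestationStatementVerifier.class);

    /** OID of the certificate extension that carries the attestation nonce. */
    private static final String NONCE_EXTENSION_OID = "1.2.840.113635.100.8.2";

    /**
     * Reports the attestation type for this format.
     *
     * @param attestationObject the attestation object; not inspected
     * @return always {@link AttestationType#ANONYMIZATION_CA}
     */
    @Override // com.yubico.webauthn.AttestationStatementVerifier
    public AttestationType getAttestationType(AttestationObject attestationObject) {
        return AttestationType.ANONYMIZATION_CA;
    }

    /**
     * Checks that the attestation certificate is bound to this registration ceremony.
     *
     * <p>Two conditions must hold: the nonce extension of the certificate equals the DER-wrapped
     * SHA-256 of {@code authenticatorData || byteArray}, and the certificate's subject public key
     * equals the credential public key from the attested credential data. Despite the method name,
     * no signature is verified here.
     *
     * @param attestationObject the attestation object under verification
     * @param byteArray the bytes appended to the authenticator data before hashing
     *     (presumably the client data hash - confirm against the caller)
     * @return {@code true} when both checks pass; every failure is reported by exception
     * @throws IllegalArgumentException if no attestation certificate is present, the nonce
     *     extension is missing or does not match, or the public keys differ
     */
    @Override // com.yubico.webauthn.AttestationStatementVerifier
    public boolean verifyAttestationSignature(AttestationObject attestationObject, ByteArray byteArray) {
        try {
            return getX5cAttestationCertificate(attestationObject).map(attestationCertificate -> {
                ByteArray nonceToHash = attestationObject.getAuthenticatorData().getBytes().concat(byteArray);
                ByteArray nonce = Crypto.sha256(nonceToHash);

                byte[] nonceExtension = attestationCertificate.getExtensionValue(NONCE_EXTENSION_OID);
                if (nonceExtension == null) {
                    throw new IllegalArgumentException(
                            "Apple anonymous attestation certificate must contain extension OID: " + NONCE_EXTENSION_OID);
                }

                // getExtensionValue returns the DER OCTET STRING that wraps the extension value, so
                // the expected bytes are built with the full DER framing and compared as a whole:
                //   04 26       OCTET STRING, 38 bytes
                //     30 24     SEQUENCE, 36 bytes
                //       A1 22   [1] constructed, 34 bytes
                //         04 20 OCTET STRING, 32 bytes (the SHA-256 nonce)
                // An exact match also rejects any extension with extra or differently framed content.
                byte[] derPrefix = {0x04, 0x26, 0x30, 0x24, (byte) 0xA1, 0x22, 0x04, 0x20};
                ByteArray expectedExtensionValue = new ByteArray(derPrefix).concat(nonce);
                if (!expectedExtensionValue.equals(new ByteArray(nonceExtension))) {
                    throw new IllegalArgumentException(String.format(
                            "Apple anonymous attestation certificate extension %s must equal nonceToHash. Expected: %s, was: %s",
                            NONCE_EXTENSION_OID, expectedExtensionValue, new ByteArray(nonceExtension)));
                }

                // Only the key import is guarded. Keeping the comparison outside the try lets a
                // key mismatch surface as its own IllegalArgumentException instead of being caught
                // and re-labelled as "Failed to import credential public key".
                final PublicKey credentialPublicKey;
                try {
                    credentialPublicKey = WebAuthnCodecs.importCosePublicKey(
                            attestationObject.getAuthenticatorData().getAttestedCredentialData().get().getCredentialPublicKey());
                } catch (Exception e) {
                    throw ExceptionUtil.wrapAndLog(log, "Failed to import credential public key", e);
                }

                PublicKey certPublicKey = attestationCertificate.getPublicKey();
                if (!credentialPublicKey.equals(certPublicKey)) {
                    throw new IllegalArgumentException(String.format(
                            "Apple anonymous attestation certificate subject public key must equal credential public key. Expected: %s, was: %s",
                            credentialPublicKey, certPublicKey));
                }
                return true;
            }).orElseThrow(() -> new IllegalArgumentException(
                    "Failed to parse attestation certificate from \"apple\" attestation statement."));
        } catch (CertificateException e) {
            throw ExceptionUtil.wrapAndLog(log, String.format("Failed to parse X.509 certificate from attestation object: %s", attestationObject), e);
        }
    }
}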
