package org.gluu.oxauth.fido2.service.verifier;

import com.fasterxml.jackson.databind.JsonNode;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Arrays;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.gluu.oxauth.fido2.ctap.AttestationConveyancePreference;
import org.gluu.oxauth.fido2.ctap.UserVerification;
import org.gluu.oxauth.fido2.exception.Fido2RPRuntimeException;
import org.gluu.oxauth.fido2.model.auth.AuthData;
import org.gluu.oxauth.fido2.service.Base64Service;
import org.gluu.oxauth.fido2.service.DataMapperService;
import org.gluu.oxauth.fido2.service.processors.AttestationFormatProcessor;
import org.gluu.oxauth.model.util.SecurityProviderUtility;
import org.slf4j.Logger;

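@ApplicationScoped
/**
 * Shared verification steps used by the FIDO2/WebAuthn attestation and assertion flows.
 *
 * Every check in this bean signals failure by throwing {@link Fido2RPRuntimeException}; a normal
 * return means the check passed. Collaborators ({@code log}, {@code base64Service},
 * {@code dataMapperService}, {@code supportedAttestationFormats}) are CDI-injected, so the bean is
 * only usable inside the container.
 *
 * Fixes relative to the previous revision (all visible in the old code):
 * <ul>
 *   <li>{@code verifyUserVerified} tested {@code (flags & 4) == 1}, which can never be true, so it
 *       always threw.</li>
 *   <li>{@code verifyPreferredUserPresent}/{@code verifyDiscouragedUserPresent} rejected the
 *       UP+UV case and accepted "neither bit set"; {@code verifyRequiredUserPresent} accepted
 *       UP-only. They now follow WebAuthn §7.2 steps 16/17: UP is always required, UV is required
 *       only for {@code required}.</li>
 *   <li>PS384/PS512 used a 32-byte PSS salt; RFC 8230 §2 mandates salt length == hash length
 *       (48/64), so compliant signatures failed to verify.</li>
 *   <li>{@code verifyClientJSON} looked up {@code tokenBinding.status.status} instead of
 *       {@code tokenBinding.status}, rejecting every clientDataJSON that carried tokenBinding.</li>
 *   <li>{@code verifyClientJSONType} silently passed when {@code type} was absent.</li>
 *   <li>{@code convertCOSEtoPublicKey} now checks that the EC2 coordinates exist and are 32 bytes
 *       (WebAuthn §8.6 fido-u2f verification procedure).</li>
 * </ul>
 */
public class CommonVerifiers {

    // authData flag bits (WebAuthn §6.1); every flag check below looks at flags[0].
    private static final int FLAG_USER_PRESENT = 1;
    private static final int FLAG_USER_VERIFIED = 4;
    private static final int FLAG_ATTESTED_CREDENTIAL_DATA_INCLUDED = 64;
    private static final int FLAG_EXTENSION_DATA_INCLUDED = 128;

    // fido-u2f attestation only allows P-256 keys: publicKeyU2F = 0x04 || x || y, 32-byte coordinates.
    private static final int P256_COORDINATE_LENGTH = 32;
    private static final byte UNCOMPRESSED_POINT_PREFIX = 0x04;

    // COSE EC2 key labels (RFC 8152 §13.1.1) as they appear after the CBOR tree is read as JSON.
    private static final String COSE_EC2_X = "-2";
    private static final String COSE_EC2_Y = "-3";

    @Inject
    private Logger log;

    @Inject
    private Base64Service base64Service;

    @Inject
    private DataMapperService dataMapperService;

    @Inject
    private Instance<AttestationFormatProcessor> supportedAttestationFormats;

    /**
     * Verifies a fido-u2f attestation signature (WebAuthn §8.6).
     *
     * The signed data is {@code 0x00 || rpIdHash || clientDataHash || credentialId || publicKeyU2F},
     * where publicKeyU2F is the uncompressed P-256 point derived from the COSE key in authData.
     *
     * @param authData parsed authenticator data (rpIdHash, credId, COSE public key are read)
     * @param clientDataHash SHA-256 of clientDataJSON
     * @param signature base64 encoded signature from the attestation statement
     * @param certificate attestation certificate whose public key verifies the signature
     * @param alg COSE algorithm identifier selecting the signature scheme
     * @throws Fido2RPRuntimeException if the key cannot be parsed or the signature does not verify
     */
    public void verifyU2FAttestationSignature(AuthData authData, byte[] clientDataHash, String signature, Certificate certificate, int alg) {
        byte[] reserved = {0};
        byte[] publicKeyU2F = convertCOSEtoPublicKey(authData.getCOSEPublicKey());
        byte[] signatureBase = concat(reserved, authData.getRpIdHash(), clientDataHash, authData.getCredId(), publicKeyU2F);
        byte[] signatureBytes = decodeBase64(signature);
        logSignature(signatureBytes, signatureBase);
        verifySignature(signatureBytes, signatureBase, certificate, alg);
    }

    /**
     * Verifies a packed attestation signature over {@code rpIdHash || flags || counter || clientDataHash}.
     *
     * NOTE(review): this base omits attested credential data and extensions, so it only matches
     * what the authenticator signed when authData carries neither; the public overload that takes
     * the raw authData bytes is the general form. Confirm which one callers use for packed.
     *
     * @throws Fido2RPRuntimeException if the signature does not verify
     */
    void verifyPackedAttestationSignature(AuthData authData, byte[] clientDataHash, String signature, Certificate certificate, int alg) {
        byte[] signatureBase = concat(authData.getRpIdHash(), authData.getFlags(), authData.getCounters(), clientDataHash);
        byte[] signatureBytes = decodeBase64(signature);
        logSignature(signatureBytes, signatureBase);
        verifySignature(signatureBytes, signatureBase, certificate, alg);
    }

    /**
     * Verifies a packed attestation signature over {@code authData || clientDataHash} (WebAuthn §8.2).
     *
     * @param authDataBytes raw authenticator data exactly as received
     * @param clientDataHash SHA-256 of clientDataJSON
     * @param signature base64 encoded signature
     * @param publicKey key that must verify the signature (attestation cert key or, for
     *        self attestation, the credential public key)
     * @param alg COSE algorithm identifier
     * @throws Fido2RPRuntimeException if the signature does not verify
     */
    public void verifyPackedAttestationSignature(byte[] authDataBytes, byte[] clientDataHash, String signature, PublicKey publicKey, int alg) {
        byte[] signatureBase = concat(authDataBytes, clientDataHash);
        byte[] signatureBytes = decodeBase64(signature);
        logSignature(signatureBytes, signatureBase);
        verifySignature(signatureBytes, signatureBase, publicKey, alg);
    }

    /** Certificate form of {@link #verifyPackedAttestationSignature(byte[], byte[], String, PublicKey, int)}. */
    public void verifyPackedAttestationSignature(byte[] authDataBytes, byte[] clientDataHash, String signature, Certificate certificate, int alg) {
        verifyPackedAttestationSignature(authDataBytes, clientDataHash, signature, certificate.getPublicKey(), alg);
    }

    /**
     * Verifies an assertion signature over {@code rpIdHash || flags || counter || clientDataHash}
     * (WebAuthn §7.2 step 20) with the stored credential public key.
     *
     * The signature is base64url encoded here (assertion responses), unlike the attestation
     * helpers which decode plain base64.
     *
     * NOTE(review): extension data (ED flag) is not appended to the base; if an authenticator
     * returns extensions the signature will not verify. Confirm whether callers ever allow ED.
     *
     * @throws Fido2RPRuntimeException if the signature does not verify
     */
    public void verifyAssertionSignature(AuthData authData, byte[] clientDataHash, String signature, PublicKey publicKey, int alg) {
        log.debug("Client data hash HEX {}", Hex.encodeHexString(clientDataHash));
        byte[] signatureBase = concat(authData.getRpIdHash(), authData.getFlags(), authData.getCounters(), clientDataHash);
        byte[] signatureBytes = base64Service.urlDecode(signature.getBytes(StandardCharsets.UTF_8));
        logSignature(signatureBytes, signatureBase);
        verifySignature(signatureBytes, signatureBase, publicKey, alg);
    }

    /**
     * Requires the User Present (UP) flag.
     *
     * @return always {@code true}; failure is signalled by the exception
     * @throws Fido2RPRuntimeException if UP is not set
     */
    public boolean verifyUserPresent(AuthData authData) {
        if (!isUserPresent(authData.getFlags()[0])) {
            throw new Fido2RPRuntimeException("User not present");
        }
        return true;
    }

    /**
     * Requires the User Verified (UV) flag.
     *
     * Bug fix: the previous condition {@code (flags & 4) == 1} could never hold, so this method
     * always threw.
     *
     * @return always {@code true}; failure is signalled by the exception
     * @throws Fido2RPRuntimeException if UV is not set
     */
    public boolean verifyUserVerified(AuthData authData) {
        if (!hasUserVerified(authData.getFlags()[0])) {
            throw new Fido2RPRuntimeException("User not verified");
        }
        return true;
    }

    /**
     * Checks that authData.rpIdHash equals SHA-256 of the expected RP ID (WebAuthn §7.2 step 15).
     *
     * The comparison is constant-time out of habit; the RP ID is not secret, so this is hygiene
     * rather than a timing defence.
     *
     * @param authData parsed authenticator data
     * @param domain the RP ID the response must be bound to
     * @throws Fido2RPRuntimeException if the hashes differ
     */
    public void verifyRpIdHash(AuthData authData, String domain) {
        byte[] rpIdHash = authData.getRpIdHash();
        byte[] expected = DigestUtils.getSha256Digest().digest(domain.getBytes(StandardCharsets.UTF_8));
        log.debug("rpIDHash from Domain    HEX {}", Hex.encodeHexString(expected));
        log.debug("rpIDHash from Assertion HEX {}", Hex.encodeHexString(rpIdHash));
        if (!MessageDigest.isEqual(rpIdHash, expected)) {
            log.warn("hash from domain doesn't match hash from assertion HEX ");
            throw new Fido2RPRuntimeException("Hashes don't match");
        }
    }

    /**
     * Signature-counter check (WebAuthn §7.2 step 21): the new counter must be strictly greater
     * than the stored one, except that 0/0 is accepted because it means the authenticator does not
     * implement a counter. A non-increasing counter is the spec's clone-detection signal.
     *
     * @param oldCounter counter stored with the credential
     * @param newCounter counter from the current authenticator data
     * @throws Fido2RPRuntimeException if the counter did not increase
     */
    public void verifyCounter(int oldCounter, int newCounter) {
        log.info("old counter {} new counter {} ", oldCounter, newCounter);
        boolean counterNotImplemented = oldCounter == 0 && newCounter == 0;
        if (!counterNotImplemented && newCounter <= oldCounter) {
            throw new Fido2RPRuntimeException("Counter did not increase");
        }
    }

    /**
     * Converts a COSE EC2 key to the uncompressed point {@code 0x04 || x || y} required by the
     * fido-u2f signature base. Per WebAuthn §8.6 both coordinates must be present and 32 bytes.
     *
     * @throws Fido2RPRuntimeException if the CBOR cannot be parsed or the key is not a valid P-256 point
     */
    private byte[] convertCOSEtoPublicKey(byte[] cosePublicKey) {
        try {
            JsonNode coseKey = dataMapperService.cborReadTree(cosePublicKey);
            byte[] x = coseCoordinate(coseKey, COSE_EC2_X);
            byte[] y = coseCoordinate(coseKey, COSE_EC2_Y);
            byte[] keyBytes = concat(new byte[] {UNCOMPRESSED_POINT_PREFIX}, x, y);
            log.debug("KeyBytes HEX {}", Hex.encodeHexString(keyBytes));
            return keyBytes;
        } catch (IOException | IllegalArgumentException e) {
            log.error("Can't parse public key", e);
            throw new Fido2RPRuntimeException("Can't parse public key");
        }
    }

    /** Reads one EC2 coordinate from the COSE key tree and enforces the P-256 length. */
    private byte[] coseCoordinate(JsonNode coseKey, String label) {
        JsonNode node = coseKey == null ? null : coseKey.get(label);
        if (node == null || node.isNull()) {
            throw new Fido2RPRuntimeException("Can't parse public key");
        }
        // binary CBOR nodes render as base64 text through asText(); decode back to raw bytes
        byte[] coordinate = base64Service.decode(node.asText());
        if (coordinate.length != P256_COORDINATE_LENGTH) {
            throw new Fido2RPRuntimeException("Can't parse public key");
        }
        return coordinate;
    }

    /**
     * Verifies {@code signature} over {@code signatureBase} with the certificate's public key.
     *
     * @throws Fido2RPRuntimeException if the algorithm is unsupported or verification fails
     */
    public void verifySignature(byte[] signature, byte[] signatureBase, Certificate certificate, int alg) {
        verifySignature(signature, signatureBase, certificate.getPublicKey(), alg);
    }

    private void verifySignature(byte[] signature, byte[] signatureBase, PublicKey publicKey, int alg) {
        try {
            Signature checker = getSignatureChecker(alg);
            checker.initVerify(publicKey);
            checker.update(signatureBase);
            if (!checker.verify(signature)) {
                throw new Fido2RPRuntimeException("Unable to verify signature");
            }
        } catch (IllegalArgumentException | InvalidKeyException | SignatureException e) {
            // IllegalArgumentException covers malformed encodings surfaced by the provider
            log.error("Can't verify the signature ", e);
            throw new Fido2RPRuntimeException("Can't verify the signature");
        }
    }

    /**
     * Maps a COSE algorithm identifier to a JCA {@link Signature} verifier.
     *
     * RS1 (-65535, SHA-1) is kept only because some attestation statements (e.g. TPM) still use
     * it; callers must not accept it for assertions. PSS salt lengths follow RFC 8230 §2
     * (salt length == hash length).
     *
     * @throws Fido2RPRuntimeException for an unknown identifier or a provider error
     */
    private Signature getSignatureChecker(int alg) {
        BouncyCastleProvider provider = SecurityProviderUtility.getInstance();
        try {
            switch (alg) {
                case -65535: // RS1, legacy
                    return Signature.getInstance("SHA1withRSA", (Provider) provider);
                case -259: // RS512
                    return Signature.getInstance("SHA512withRSA", (Provider) provider);
                case -258: // RS384
                    return Signature.getInstance("SHA384withRSA", (Provider) provider);
                case -257: // RS256 — resolved through the default provider, as before
                    return Signature.getInstance("SHA256withRSA");
                case -39: // PS512
                    return pssSignatureChecker(provider, "SHA-512", "SHA512withRSA/PSS", 64);
                case -38: // PS384
                    return pssSignatureChecker(provider, "SHA-384", "SHA384withRSA/PSS", 48);
                case -37: // PS256
                    return pssSignatureChecker(provider, "SHA-256", "SHA256withRSA/PSS", 32);
                case -36: // ES512
                    return Signature.getInstance("SHA512withECDSA", (Provider) provider);
                case -35: // ES384
                    return Signature.getInstance("SHA384withECDSA", (Provider) provider);
                case -7: // ES256
                    return Signature.getInstance("SHA256withECDSA", (Provider) provider);
                default:
                    throw new Fido2RPRuntimeException("Unknown mapping");
            }
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
            log.error("Problem with crypto", e);
            throw new Fido2RPRuntimeException("Problem with crypto");
        }
    }

    /** Builds an RSASSA-PSS verifier with MGF1 over the same hash and the given salt length. */
    private static Signature pssSignatureChecker(Provider provider, String hash, String jcaName, int saltLength)
            throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
        Signature signature = Signature.getInstance(jcaName, provider);
        signature.setParameter(new PSSParameterSpec(hash, "MGF1", new MGF1ParameterSpec(hash), saltLength, PSSParameterSpec.TRAILER_FIELD_BC));
        return signature;
    }

    /**
     * Digest matching an RSA COSE algorithm; only RS1 and RS256 are mapped.
     *
     * @throws Fido2RPRuntimeException for any other identifier
     */
    public MessageDigest getDigest(int alg) {
        switch (alg) {
            case -65535:
                return DigestUtils.getSha1Digest();
            case -257:
                return DigestUtils.getSha256Digest();
            default:
                throw new Fido2RPRuntimeException("Unknown mapping ");
        }
    }

    /** Requires a non-null {@code username} in an options request. */
    public void verifyOptions(JsonNode options) {
        if (!options.hasNonNull("username")) {
            throw new Fido2RPRuntimeException("Invalid parameters");
        }
    }

    /** Requires non-null {@code response} and {@code type} in a credential payload. */
    public void verifyBasicPayload(JsonNode payload) {
        if (!payload.hasNonNull("response") || !payload.hasNonNull("type")) {
            throw new Fido2RPRuntimeException("Invalid parameters");
        }
    }

    /**
     * Requires {@code fieldName} to be a textual field that decodes as base64url.
     *
     * @return the (still encoded) field value
     * @throws Fido2RPRuntimeException if the field is missing, not a string, or not base64url
     */
    public String verifyBase64UrlString(JsonNode node, String fieldName) {
        String value = verifyThatString(node, fieldName);
        try {
            base64Service.urlDecode(value);
        } catch (IllegalArgumentException e) {
            throw new Fido2RPRuntimeException("Invalid \"" + fieldName + "\"");
        }
        return value;
    }

    /**
     * Requires a textual node and returns its text. The two error messages distinguish an object
     * node (reports its first field name) from any other non-text node.
     */
    protected String verifyThatString(JsonNode node) {
        if (node.isTextual()) {
            return node.asText();
        }
        if (node.fieldNames().hasNext()) {
            throw new Fido2RPRuntimeException("Invalid field " + node.fieldNames().next());
        }
        throw new Fido2RPRuntimeException("Field hasn't sub fields");
    }

    /**
     * Requires {@code parent.fieldName} to be present, non-null and textual.
     *
     * @return the field text
     */
    public String verifyThatString(JsonNode parent, String fieldName) {
        JsonNode field = parent.get(fieldName);
        if (field == null || field.isNull()) {
            throw new Fido2RPRuntimeException("Invalid \"" + fieldName + "\"");
        }
        return verifyThatString(field);
    }

    /** Like {@link #verifyThatString(JsonNode)} but also rejects the empty string. */
    public String verifyThatNonEmptyString(JsonNode node) {
        String value = verifyThatString(node);
        if (StringUtils.isEmpty(value)) {
            throw new Fido2RPRuntimeException("Invalid field " + node);
        }
        return value;
    }

    /**
     * Requires a non-null, non-empty binary node (the encoded authData).
     *
     * @return the node's text form (base64 for binary nodes)
     */
    public String verifyAuthData(JsonNode node) {
        if (node == null || node.isNull()) {
            throw new Fido2RPRuntimeException("Empty auth data");
        }
        String encoded = verifyThatBinary(node);
        if (encoded.isEmpty()) {
            throw new Fido2RPRuntimeException("Invalid field " + node);
        }
        return encoded;
    }

    /** Requires a non-null attestation statement node and returns it unchanged. */
    public JsonNode verifyAuthStatement(JsonNode node) {
        if (node == null || node.isNull()) {
            throw new Fido2RPRuntimeException("Empty auth statement");
        }
        return node;
    }

    /** Requires a binary node; returns its text form (base64). */
    public String verifyThatBinary(JsonNode node) {
        if (!node.isBinary()) {
            throw new Fido2RPRuntimeException("Invalid field " + node);
        }
        return node.asText();
    }

    /**
     * Rejects a negative counter. Counters are unsigned 32-bit on the wire; a negative value here
     * means the decoder overflowed the signed int.
     */
    public void verifyCounter(int counter) {
        if (counter < 0) {
            throw new Fido2RPRuntimeException("Invalid field : counter");
        }
    }

    /** @return whether the AT (attested credential data included) flag is set in {@code flags[0]} */
    public boolean verifyAtFlag(byte[] flags) {
        return (flags[0] & FLAG_ATTESTED_CREDENTIAL_DATA_INCLUDED) != 0;
    }

    /**
     * Requires the attested credential data buffer to be present exactly when the AT flag says so.
     *
     * @param attestedDataIncluded value of the AT flag
     * @param buffer the attested credential data bytes (possibly empty)
     */
    public void verifyAttestationBuffer(boolean attestedDataIncluded, byte[] buffer) {
        boolean mismatch = attestedDataIncluded ? buffer.length == 0 : buffer.length > 0;
        if (mismatch) {
            throw new Fido2RPRuntimeException("Invalid attestation data buffer");
        }
    }

    /** Requires that nothing remains after authData has been fully consumed. */
    public void verifyNoLeftovers(byte[] remaining) {
        if (remaining.length > 0) {
            throw new Fido2RPRuntimeException("Invalid attestation data buffer: leftovers");
        }
    }

    /**
     * Requires the attestation statement's {@code alg} to equal the algorithm of the credential
     * public key (WebAuthn §8.2 step 2). A non-numeric value is reported as "Wrong algorithm"
     * instead of leaking a {@link NumberFormatException}.
     *
     * @return the parsed algorithm identifier
     */
    public int verifyAlgorithm(JsonNode algNode, int expectedAlg) {
        if (algNode == null || algNode.isNull()) {
            throw new Fido2RPRuntimeException("Wrong algorithm");
        }
        int alg;
        try {
            alg = Integer.parseInt(algNode.asText());
        } catch (NumberFormatException e) {
            throw new Fido2RPRuntimeException("Wrong algorithm");
        }
        if (alg != expectedAlg) {
            throw new Fido2RPRuntimeException("Wrong algorithm");
        }
        return alg;
    }

    /**
     * Requires a non-empty binary node whose text form is valid base64.
     *
     * @return the (still encoded) text
     */
    public String verifyBase64String(JsonNode node) {
        if (node == null || node.isNull()) {
            throw new Fido2RPRuntimeException("Invalid data");
        }
        String encoded = verifyThatBinary(node);
        if (encoded.isEmpty()) {
            throw new Fido2RPRuntimeException("Invalid data");
        }
        try {
            base64Service.decode(encoded.getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) {
            throw new Fido2RPRuntimeException("Invalid data");
        }
        return encoded;
    }

    /**
     * Self (surrogate) attestation: same signature base as packed, verified with the credential
     * public key instead of an attestation certificate.
     */
    public void verifyPackedSurrogateAttestationSignature(byte[] authDataBytes, byte[] clientDataHash, String signature, PublicKey publicKey, int alg) {
        verifyPackedAttestationSignature(authDataBytes, clientDataHash, signature, publicKey, alg);
    }

    /**
     * Requires {@code parent.fieldName} to name an attestation format that has a registered
     * {@link AttestationFormatProcessor}.
     *
     * @return the format name
     */
    public String verifyFmt(JsonNode parent, String fieldName) {
        String fmt = verifyThatString(parent, fieldName);
        boolean supported = supportedAttestationFormats.stream()
                .anyMatch(processor -> processor.getAttestationFormat().getFmt().equals(fmt));
        if (!supported) {
            throw new Fido2RPRuntimeException("Unsupported attestation format " + fmt);
        }
        return fmt;
    }

    /** Requires an all-zero AAGUID (mandatory for fido-u2f attestation, WebAuthn §8.6). */
    public void verifyAAGUIDZeroed(AuthData authData) {
        for (byte b : authData.getAaguid()) {
            if (b != 0) {
                throw new Fido2RPRuntimeException("Invalid AAGUID");
            }
        }
    }

    /** Requires the TPM attestation statement version to be "2.0" (WebAuthn §8.3). */
    public void verifyTPMVersion(JsonNode versionNode) {
        if (versionNode == null || !"2.0".equals(versionNode.asText())) {
            throw new Fido2RPRuntimeException("Invalid TPM Attestation version");
        }
    }

    /**
     * Reads the requested attestation conveyance, defaulting to {@code direct} when absent. An
     * unknown value is reported as a {@link Fido2RPRuntimeException} rather than the enum's
     * {@link IllegalArgumentException}.
     */
    public AttestationConveyancePreference verifyAttestationConveyanceType(JsonNode options) {
        if (!options.has("attestation")) {
            return AttestationConveyancePreference.direct;
        }
        String requested = verifyThatString(options.get("attestation"));
        try {
            return AttestationConveyancePreference.valueOf(requested);
        } catch (IllegalArgumentException e) {
            throw new Fido2RPRuntimeException("Invalid attestation conveyance " + requested);
        }
    }

    /** Requires clientData.type == "webauthn.get" (assertion). */
    public void verifyClientJSONTypeIsGet(JsonNode clientData) {
        verifyClientJSONType(clientData, "webauthn.get");
    }

    /**
     * Requires clientData.type to be present and equal to {@code expectedType} (WebAuthn §7.1
     * step 7 / §7.2 step 11). Previously an absent {@code type} passed silently.
     */
    void verifyClientJSONType(JsonNode clientData, String expectedType) {
        if (!clientData.hasNonNull("type") || !expectedType.equals(clientData.get("type").asText())) {
            throw new Fido2RPRuntimeException("Invalid client json parameters");
        }
    }

    /** Requires clientData.type == "webauthn.create" (registration). */
    public void verifyClientJSONTypeIsCreate(JsonNode clientData) {
        verifyClientJSONType(clientData, "webauthn.create");
    }

    /**
     * Structural checks on clientDataJSON: challenge/origin/type present, challenge is base64url,
     * tokenBinding (if any) has a textual status and optional textual id, origin is non-empty.
     *
     * This method does not compare {@code challenge} or {@code origin} against the values the
     * RP issued/expects; that must be done by the caller.
     *
     * Bug fix: tokenBinding.status and tokenBinding.id were looked up one level too deep
     * ({@code status.status}), so any clientData with tokenBinding was rejected.
     */
    public void verifyClientJSON(JsonNode clientData) {
        if (!clientData.hasNonNull("challenge") || !clientData.hasNonNull("origin") || !clientData.hasNonNull("type")) {
            throw new Fido2RPRuntimeException("Invalid client json parameters");
        }
        verifyBase64UrlString(clientData, "challenge");
        if (clientData.hasNonNull("tokenBinding")) {
            JsonNode tokenBinding = clientData.get("tokenBinding");
            verifyThatString(tokenBinding, "status");
            if (tokenBinding.hasNonNull("id")) {
                verifyThatString(tokenBinding, "id");
            }
        }
        if (verifyThatString(clientData.get("origin")).isEmpty()) {
            throw new Fido2RPRuntimeException("Invalid client json parameters");
        }
    }

    /**
     * Requires the node to name a {@link UserVerification} constant.
     *
     * @return the canonical enum name
     */
    public String verifyUserVerification(JsonNode node) {
        try {
            return UserVerification.valueOf(node.asText()).name();
        } catch (Exception e) {
            // also covers a null node (NPE) — reported as a bad parameter, as before
            throw new Fido2RPRuntimeException("Wrong user verification parameter " + e.getMessage());
        }
    }

    /**
     * Verifies an attestation signature over {@code attestationBuffer || clientDataHash}, where
     * the buffer is whatever the caller stored in {@code authData.getAttestationBuffer()}.
     */
    public void verifyAttestationSignature(AuthData authData, byte[] clientDataHash, String signature, Certificate certificate, int alg) {
        byte[] signatureBase = concat(authData.getAttestationBuffer(), clientDataHash);
        byte[] signatureBytes = decodeBase64(signature);
        logSignature(signatureBytes, signatureBase);
        verifySignature(signatureBytes, signatureBase, certificate, alg);
    }

    /**
     * Requires credential type "public-key".
     *
     * @return the type string
     */
    public String verifyAssertionType(JsonNode node) {
        String type = verifyThatString(node);
        if (!"public-key".equals(type)) {
            throw new Fido2RPRuntimeException("Invalid type");
        }
        return type;
    }

    /**
     * userVerification = required: UP must be set and UV must be set (WebAuthn §7.2 steps 16-17).
     * The previous check accepted UP-only responses, which does not satisfy "required".
     */
    public void verifyRequiredUserPresent(AuthData authData) {
        byte flags = logFlags("required", authData);
        if (!isUserPresent(flags)) {
            throw new Fido2RPRuntimeException("User required not present");
        }
        if (!hasUserVerified(flags)) {
            throw new Fido2RPRuntimeException("User not verified");
        }
    }

    /**
     * userVerification = preferred: UP must be set; UV is accepted but not required. The previous
     * check threw precisely when both UP and UV were set and passed when neither was.
     */
    public void verifyPreferredUserPresent(AuthData authData) {
        byte flags = logFlags("preferred", authData);
        if (!isUserPresent(flags)) {
            throw new Fido2RPRuntimeException("User required not present");
        }
    }

    /**
     * userVerification = discouraged: UP must still be set; the RP merely prefers no UV, and the
     * spec does not reject a response that performed it anyway. The previous check rejected
     * UP+UV, locking out authenticators that always verify the user.
     */
    public void verifyDiscouragedUserPresent(AuthData authData) {
        byte flags = logFlags("discouraged", authData);
        if (!isUserPresent(flags)) {
            throw new Fido2RPRuntimeException("User required not present");
        }
    }

    /** Logs the flags byte for the given UV policy and returns it. */
    private byte logFlags(String policy, AuthData authData) {
        byte[] flags = authData.getFlags();
        log.debug("{} user present {}", policy, Hex.encodeHexString(flags));
        return flags[0];
    }

    private boolean hasUserVerified(byte flags) {
        boolean verified = (flags & FLAG_USER_VERIFIED) != 0;
        log.debug("UV = {}", verified);
        return verified;
    }

    private boolean isUserPresent(byte flags) {
        boolean present = (flags & FLAG_USER_PRESENT) != 0;
        log.debug("UP = {}", present);
        return present;
    }

    /** Requires the metadata fields aaguid, assertionScheme, attestationTypes and description. */
    public void verifyThatMetadataIsValid(JsonNode metadata) {
        boolean complete = metadata.hasNonNull("aaguid")
                && metadata.hasNonNull("assertionScheme")
                && metadata.hasNonNull("attestationTypes")
                && metadata.hasNonNull("description");
        if (!complete) {
            throw new Fido2RPRuntimeException("Invalid parameters in metadata");
        }
    }

    /** Decodes a plain-base64 signature string (attestation statements). */
    private byte[] decodeBase64(String encoded) {
        return base64Service.decode(encoded.getBytes(StandardCharsets.UTF_8));
    }

    /** Debug trace of the signature and the data it is checked against; neither value is secret. */
    private void logSignature(byte[] signature, byte[] signatureBase) {
        log.debug("Signature {}", Hex.encodeHexString(signature));
        log.debug("Signature Base {}", Hex.encodeHexString(signatureBase));
        log.debug("Signature BaseLen {}", signatureBase.length);
    }

    /** Concatenates byte arrays in order into a new array. */
    private static byte[] concat(byte[]... parts) {
        int total = 0;
        for (byte[] part : parts) {
            total += part.length;
        }
        ByteBuffer buffer = ByteBuffer.allocate(total);
        for (byte[] part : parts) {
            buffer.put(part);
        }
        return buffer.array();
    }
}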
