package org.gluu.oxauth.fido2.service.processors.impl;

import com.fasterxml.jackson.databind.JsonNode;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.apache.commons.codec.digest.DigestUtils;
import org.gluu.oxauth.fido2.certification.CertificationKeyStoreUtils;
import org.gluu.oxauth.fido2.cryptoutils.CoseService;
import org.gluu.oxauth.fido2.cryptoutils.CryptoUtils;
import org.gluu.oxauth.fido2.ctap.AttestationFormat;
import org.gluu.oxauth.fido2.exception.Fido2RPRuntimeException;
import org.gluu.oxauth.fido2.model.auth.AuthData;
import org.gluu.oxauth.fido2.model.auth.CredAndCounterData;
import org.gluu.oxauth.fido2.model.entry.Fido2RegistrationData;
import org.gluu.oxauth.fido2.service.Base64Service;
import org.gluu.oxauth.fido2.service.CertificateValidator;
import org.gluu.oxauth.fido2.service.DataMapperService;
import org.gluu.oxauth.fido2.service.processors.AttestationFormatProcessor;
import org.gluu.oxauth.fido2.service.verifier.CommonVerifiers;
import org.slf4j.Logger;
import tss.tpm.TPMS_ATTEST;
import tss.tpm.TPMS_CERTIFY_INFO;
import tss.tpm.TPMT_PUBLIC;
import tss.tpm.TPM_ALG_ID;
import tss.tpm.TPM_GENERATED;

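@ApplicationScoped
/**
 * Verifies WebAuthn attestation statements of format {@code tpm}.
 *
 * <p>The statement is expected to carry {@code x5c} (AIK certificate followed by its chain),
 * {@code pubArea} (TPMT_PUBLIC of the created key), {@code certInfo} (TPMS_ATTEST signed by the
 * AIK) and {@code sig}. Processing checks, in order: the certificate chain against the trust
 * anchors known for the authenticator, the optional id-fido-gen-ce-aaguid extension of the AIK
 * certificate, the AIK signature over {@code certInfo}, the TPM_GENERATED magic, that
 * {@code certInfo.attested.name} is the Name of {@code pubArea}, that {@code certInfo.extraData}
 * is the hash of attToBeSigned, and that the key in {@code pubArea} is the COSE key from
 * authenticatorData. Every failed check is reported as a {@link Fido2RPRuntimeException}.
 */
public class TPMProcessor implements AttestationFormatProcessor {

    /** Dotted-decimal OID of the id-fido-gen-ce-aaguid certificate extension (WebAuthn §8.2.1 / §8.3). */
    private static final String FIDO_AAGUID_EXTENSION_OID = "1.3.6.1.4.1.45724.1.1.4";

    /** DER tag of an ASN.1 OCTET STRING; getExtensionValue() returns its DER encoding. */
    private static final int DER_OCTET_STRING_TAG = 0x04;

    @Inject
    private Logger log;

    @Inject
    private CryptoUtils cryptoUtils;

    @Inject
    private CommonVerifiers commonVerifiers;

    @Inject
    private CertificationKeyStoreUtils utils;

    @Inject
    private CertificateValidator certificateValidator;

    @Inject
    private DataMapperService dataMapperService;

    @Inject
    private CoseService coseService;

    @Inject
    private Base64Service base64Service;

    @Override
    public AttestationFormat getAttestationFormat() {
        return AttestationFormat.tpm;
    }

    /**
     * Validates a {@code tpm} attestation statement.
     *
     * @param jsonNode the attestation statement ({@code x5c}, {@code pubArea}, {@code certInfo}, {@code sig})
     * @param authData parsed authenticatorData (COSE public key, AAGUID, raw buffer, key type)
     * @param fido2RegistrationData registration record; not read by this processor
     * @param bArr second half of attToBeSigned, appended to the authenticatorData before hashing
     *             (presumably the clientDataHash — confirm against the caller)
     * @param credAndCounterData credential output; not written by this processor
     * @throws Fido2RPRuntimeException if any field is missing or any verification step fails
     */
    @Override
    public void process(JsonNode jsonNode, AuthData authData, Fido2RegistrationData fido2RegistrationData, byte[] bArr, CredAndCounterData credAndCounterData) {
        try {
            // COSE key from authenticatorData: label "3" is the algorithm, label "-1" the first
            // key-type-specific parameter (the modulus n for RSA keys).
            JsonNode cosePublicKey = this.dataMapperService.cborReadTree(authData.getCOSEPublicKey());
            int coseAlg = requireField(cosePublicKey, "3").asInt();
            byte[] coseKeyParam = this.base64Service.decode(requireField(cosePublicKey, "-1").asText());

            // attToBeSigned = authenticatorData || bArr, hashed with the credential's own algorithm.
            byte[] hashedBuffer = getHashedBuffer(coseAlg, authData.getAttestationBuffer(), bArr);

            Iterator<JsonNode> x5c = requireField(jsonNode, "x5c").elements();
            if (!x5c.hasNext()) {
                throw new Fido2RPRuntimeException("Problem with TPM attestation. Unsupported ");
            }
            // The first x5c entry is the AIK certificate; the remaining entries are its chain.
            List<String> aikCertificateEncoded = new ArrayList<>();
            aikCertificateEncoded.add(x5c.next().asText());
            List<String> chainEncoded = new ArrayList<>();
            while (x5c.hasNext()) {
                chainEncoded.add(x5c.next().asText());
            }
            List<X509Certificate> chain = this.cryptoUtils.getCertificates(chainEncoded);
            X509Certificate aikCertificate = this.cryptoUtils.getCertificates(aikCertificateEncoded).get(0);
            // The chain must validate against the trust anchors registered for this authenticator;
            // the returned certificate is the one the AIK certificate must be signed by.
            X509Certificate aikIssuer = this.certificateValidator.verifyAttestationCertificates(chain, this.utils.getCertificates(authData));

            verifyTPMCertificateExtenstion(aikCertificate, authData);
            verifyAIKCertificate(aikCertificate, aikIssuer);

            // sig must be a valid signature over the raw certInfo bytes under the AIK's public key.
            String sigBase64 = this.commonVerifiers.verifyBase64String(requireField(jsonNode, "sig"));
            byte[] certInfo = this.base64Service.decode(requireField(jsonNode, "certInfo").asText());
            this.commonVerifiers.verifySignature(this.base64Service.decode(sigBase64.getBytes(StandardCharsets.UTF_8)), certInfo, aikCertificate, authData.getKeyType());

            byte[] pubArea = this.base64Service.decode(requireField(jsonNode, "pubArea").asText());
            TPMT_PUBLIC tpmtPublic = TPMT_PUBLIC.fromTpm(pubArea);
            TPMS_ATTEST tpmsAttest = TPMS_ATTEST.fromTpm(certInfo);
            verifyMagicInTpms(tpmsAttest);
            // NOTE(review): WebAuthn §8.3 also requires certInfo.type == TPM_ST_ATTEST_CERTIFY;
            // that field is not checked by this processor.
            verifyTPMSCertificateName(tpmtPublic, tpmsAttest, pubArea);
            verifyTPMSExtraData(hashedBuffer, tpmsAttest.extraData);
            verifyThatKeysAreSame(tpmtPublic, coseKeyParam);
        } catch (IOException e) {
            // Fido2RPRuntimeException is only ever built with a message here, so keep the cause in the log.
            this.log.warn("Problem with TPM attestation", e);
            throw new Fido2RPRuntimeException("Problem with TPM attestation");
        }
    }

    /**
     * Returns the named child of {@code node}, rejecting absent and JSON-null values so that a
     * malformed statement is reported as an attestation failure rather than a NullPointerException.
     *
     * @throws Fido2RPRuntimeException if {@code node} is null or the field is missing or null
     */
    private static JsonNode requireField(JsonNode node, String fieldName) {
        JsonNode value = node == null ? null : node.get(fieldName);
        if (value == null || value.isNull()) {
            throw new Fido2RPRuntimeException("Problem with TPM attestation. Missing " + fieldName);
        }
        return value;
    }

    /**
     * Checks that the key material in {@code pubArea.unique} equals the COSE key parameter taken
     * from authenticatorData, i.e. that the TPM certified the credential key and not another one.
     *
     * <p>{@code unique.toTpm()} is a TPM2B: a 2-byte size prefix followed by the bytes, so the
     * prefix is dropped before comparing.
     * NOTE(review): COSE label "-1" is the modulus for RSA keys but the curve id for EC2 keys, so
     * this equality can only hold for RSA TPM keys — confirm whether ECC keys are expected here.
     *
     * @throws Fido2RPRuntimeException if the two byte strings differ
     */
    private void verifyThatKeysAreSame(TPMT_PUBLIC tpmt_public, byte[] bArr) {
        byte[] unique = tpmt_public.unique.toTpm();
        if (unique == null || unique.length < 2) {
            throw new Fido2RPRuntimeException("Problem with TPM attestation.");
        }
        if (!Arrays.equals(Arrays.copyOfRange(unique, 2, unique.length), bArr)) {
            throw new Fido2RPRuntimeException("Problem with TPM attestation.");
        }
    }

    /**
     * Checks that {@code certInfo.extraData} equals the hash of attToBeSigned, binding the TPM
     * attestation to this registration ceremony.
     *
     * @param bArr hash computed by {@link #getHashedBuffer(int, byte[], byte[])}
     * @param bArr2 extraData field of the TPMS_ATTEST
     * @throws Fido2RPRuntimeException if they differ
     */
    private void verifyTPMSExtraData(byte[] bArr, byte[] bArr2) {
        if (!Arrays.equals(bArr, bArr2)) {
            throw new Fido2RPRuntimeException("Problem with TPM attestation.");
        }
    }

    /**
     * Checks that {@code certInfo.attested.name} is the TPM Name of {@code pubArea}.
     *
     * <p>A Name is {@code nameAlg (2 bytes) || H_nameAlg(pubArea)}, so the digest has to be computed
     * with the algorithm pubArea declares in {@code nameAlg}; only SHA1 and SHA256 are supported.
     *
     * @param bArr the raw pubArea bytes that were parsed into {@code tpmt_public}
     * @throws Fido2RPRuntimeException on an unsupported nameAlg or a mismatching Name
     */
    private void verifyTPMSCertificateName(TPMT_PUBLIC tpmt_public, TPMS_ATTEST tpms_attest, byte[] bArr) {
        byte[] expectedDigest;
        switch (tpmt_public.nameAlg.asEnum()) {
            case SHA1:
                expectedDigest = DigestUtils.getSha1Digest().digest(bArr);
                break;
            case SHA256:
                expectedDigest = DigestUtils.getSha256Digest().digest(bArr);
                break;
            default:
                throw new Fido2RPRuntimeException("Problem with TPM attestation");
        }
        TPMS_CERTIFY_INFO certifyInfo = tpms_attest.attested;
        byte[] name = certifyInfo.name;
        // The 2-byte nameAlg prefix of the Name is skipped; everything after it must be the digest.
        if (name == null || name.length <= 2 || !Arrays.equals(Arrays.copyOfRange(name, 2, name.length), expectedDigest)) {
            throw new Fido2RPRuntimeException("Problem with TPM attestation.");
        }
    }

    /**
     * Checks the TPMS_ATTEST magic, which a TPM sets to TPM_GENERATED_VALUE on every structure it
     * signs so that externally built structures cannot be passed off as attestations.
     *
     * @throws Fido2RPRuntimeException if the magic differs
     */
    private void verifyMagicInTpms(TPMS_ATTEST tpms_attest) {
        if (tpms_attest.magic.toInt() != TPM_GENERATED.VALUE.toInt()) {
            throw new Fido2RPRuntimeException("Problem with TPM attestation");
        }
    }

    /**
     * Hashes {@code bArr || bArr2} with the digest that {@link CommonVerifiers#getDigest(int)}
     * associates with COSE algorithm {@code i}.
     *
     * @param i COSE algorithm identifier of the credential key
     * @param bArr first part of the data to hash (authenticatorData)
     * @param bArr2 second part of the data to hash
     * @return the digest bytes
     */
    private byte[] getHashedBuffer(int i, byte[] bArr, byte[] bArr2) {
        byte[] toBeHashed = ByteBuffer.allocate(bArr.length + bArr2.length).put(bArr).put(bArr2).array();
        return this.commonVerifiers.getDigest(i).digest(toBeHashed);
    }

    /**
     * If the AIK certificate carries the id-fido-gen-ce-aaguid extension, checks that its value
     * matches the AAGUID in authenticatorData (WebAuthn §8.3). The extension is optional, so a
     * certificate without it passes.
     *
     * <p>{@code getExtensionValue} needs the dotted-decimal OID and returns the DER-encoded
     * OCTET STRING of extnValue; for this extension extnValue is itself an OCTET STRING holding the
     * 16 raw AAGUID bytes, so two layers are unwrapped before comparing.
     *
     * @throws Fido2RPRuntimeException if the extension is malformed or the AAGUIDs differ
     */
    private void verifyTPMCertificateExtenstion(X509Certificate x509Certificate, AuthData authData) {
        byte[] extensionValue = x509Certificate.getExtensionValue(FIDO_AAGUID_EXTENSION_OID);
        if (extensionValue == null || extensionValue.length == 0) {
            return;
        }
        byte[] certificateAaguid = unwrapOctetString(unwrapOctetString(extensionValue));
        if (!aaguidMatches(authData.getAaguid(), certificateAaguid)) {
            throw new Fido2RPRuntimeException("Problem with TPM attestation");
        }
    }

    /**
     * Strips one DER OCTET STRING wrapper (tag 0x04, short- or long-form definite length) and
     * returns its content. The length must account for exactly the remaining bytes.
     *
     * @throws Fido2RPRuntimeException if {@code der} is not a single well-formed OCTET STRING
     */
    private static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || (der[0] & 0xFF) != DER_OCTET_STRING_TAG) {
            throw new Fido2RPRuntimeException("Problem with TPM attestation");
        }
        int first = der[1] & 0xFF;
        int length;
        int headerLength;
        if (first < 0x80) {
            length = first;
            headerLength = 2;
        } else {
            int lengthBytes = first & 0x7F;
            if (lengthBytes == 0 || lengthBytes > 4 || der.length < 2 + lengthBytes) {
                throw new Fido2RPRuntimeException("Problem with TPM attestation");
            }
            length = 0;
            for (int i = 0; i < lengthBytes; i++) {
                length = (length << 8) | (der[2 + i] & 0xFF);
            }
            headerLength = 2 + lengthBytes;
        }
        // A negative length means the 4-byte long form overflowed int; reject it with the mismatches.
        if (length < 0 || headerLength + length != der.length) {
            throw new Fido2RPRuntimeException("Problem with TPM attestation");
        }
        return Arrays.copyOfRange(der, headerLength, headerLength + length);
    }

    /**
     * Compares the AAGUID from authenticatorData with the 16 raw bytes taken from the certificate.
     *
     * <p>NOTE(review): the representation returned by {@code AuthData.getAaguid()} is not visible
     * here. A {@code byte[]} is compared directly; a {@code String} is compared as case-insensitive
     * hex with any '-' separators removed; anything else is treated as a mismatch. Confirm against
     * AuthData.
     */
    private static boolean aaguidMatches(Object declaredAaguid, byte[] certificateAaguid) {
        if (declaredAaguid instanceof byte[]) {
            return Arrays.equals((byte[]) declaredAaguid, certificateAaguid);
        }
        if (declaredAaguid instanceof String) {
            String declaredHex = ((String) declaredAaguid).replace("-", "");
            return declaredHex.equalsIgnoreCase(toHex(certificateAaguid));
        }
        return false;
    }

    /** Lower-case hex encoding of {@code bytes}, two characters per byte. */
    private static String toHex(byte[] bytes) {
        StringBuilder hex = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            hex.append(Character.forDigit((b >> 4) & 0xF, 16)).append(Character.forDigit(b & 0xF, 16));
        }
        return hex.toString();
    }

    /**
     * Checks that the AIK certificate is signed by the key of {@code x509Certificate2}, the
     * certificate that the validated chain ended at.
     *
     * @throws Fido2RPRuntimeException if signature verification fails for any reason; the cause is logged
     */
    private void verifyAIKCertificate(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        try {
            x509Certificate.verify(x509Certificate2.getPublicKey());
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            // Trailing throwable argument makes SLF4J log the stack trace alongside the message.
            this.log.warn("Problem with AIK certificate {}", e.getMessage(), e);
            throw new Fido2RPRuntimeException("Problem with TPM attestation");
        }
    }
}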
