package org.gluu.oxauth.fido2.service.verifier;

import com.fasterxml.jackson.databind.JsonNode;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
import java.util.Arrays;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;
import org.gluu.oxauth.fido2.ctap.AttestationConveyancePreference;
import org.gluu.oxauth.fido2.ctap.AuthenticatorAttachment;
import org.gluu.oxauth.fido2.ctap.TokenBindingSupport;
import org.gluu.oxauth.fido2.ctap.UserVerification;
import org.gluu.oxauth.fido2.exception.Fido2RPRuntimeException;
import org.gluu.oxauth.fido2.model.auth.AuthData;
import org.gluu.oxauth.fido2.model.auth.CredAndCounterData;
import org.gluu.oxauth.fido2.service.Base64Service;
import org.gluu.oxauth.fido2.service.DataMapperService;
import org.gluu.oxauth.fido2.service.processors.AttestationFormatProcessor;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.service.net.NetworkService;
import org.gluu.util.StringHelper;
import org.slf4j.Logger;

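/**
 * Shared validation helpers for the FIDO2 / WebAuthn registration and authentication flows.
 *
 * <p>Checks signal failure by throwing {@link Fido2RPRuntimeException}. Most methods take
 * {@link JsonNode} values parsed from request data and should be treated as handling
 * untrusted input.
 */
@ApplicationScoped
/* loaded from: input_file:org/gluu/oxauth/fido2/service/verifier/CommonVerifiers.class */
public class CommonVerifiers {

    private static final Charset UTF_8 = Charset.forName("UTF-8");

    /** Timeout returned by {@link #verifyTimeout(JsonNode)} when the request carries none. */
    private static final int DEFAULT_TIMEOUT = 90;

    @Inject
    private Logger log;

    @Inject
    private NetworkService networkService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private Base64Service base64Service;

    @Inject
    private DataMapperService dataMapperService;

    @Inject
    private Instance<AttestationFormatProcessor> supportedAttestationFormats;

    /**
     * Checks that the RP ID hash carried in the authenticator data equals SHA-256 of the
     * expected RP ID.
     *
     * @param authData parsed authenticator data
     * @param str expected RP ID (domain), hashed as UTF-8
     * @throws Fido2RPRuntimeException if the two hashes differ
     */
    public void verifyRpIdHash(AuthData authData, String str) {
        byte[] rpIdHash = authData.getRpIdHash();
        // A Charset overload cannot fail with UnsupportedEncodingException, so no catch is needed.
        byte[] digest = DigestUtils.getSha256Digest().digest(str.getBytes(UTF_8));
        this.log.debug("rpIDHash from Domain    HEX {}", Hex.encodeHexString(digest));
        this.log.debug("rpIDHash from Assertion HEX {}", Hex.encodeHexString(rpIdHash));
        if (!Arrays.equals(rpIdHash, digest)) {
            this.log.warn("hash from domain doesn't match hash from assertion HEX");
            throw new Fido2RPRuntimeException("Hashes don't match");
        }
    }

    /**
     * Resolves the RP domain: the host of {@code documentDomain} when the node carries one,
     * otherwise the host of the configured issuer.
     *
     * @param jsonNode request parameters
     * @return the host returned by {@code NetworkService.getHost}
     */
    public String verifyRpDomain(JsonNode jsonNode) {
        // NOTE(review): despite the name, nothing is verified here. If jsonNode is
        // client-supplied, the RP ID later fed to verifyRpIdHash is caller-controlled;
        // confirm that callers check documentDomain against the deployment's expected
        // origin(s) before trusting it.
        String source = jsonNode.hasNonNull("documentDomain")
                ? jsonNode.get("documentDomain").asText()
                : this.appConfiguration.getIssuer();
        return this.networkService.getHost(source);
    }

    /**
     * Checks that the signature counter moved forward.
     *
     * <p>Two zero counters are accepted (WebAuthn uses that for authenticators without a
     * counter); in every other case the new value must be strictly greater than the stored
     * one, since a counter that stalls or goes backwards may indicate a cloned authenticator.
     *
     * @param i previously stored counter
     * @param i2 counter reported by the current assertion
     * @throws Fido2RPRuntimeException if the counter did not increase
     */
    public void verifyCounter(int i, int i2) {
        this.log.debug("old counter {} new counter {} ", i, i2);
        boolean counterUnsupported = i == 0 && i2 == 0;
        if (!counterUnsupported && i2 <= i) {
            throw new Fido2RPRuntimeException("Counter did not increase");
        }
    }

    /**
     * Rejects a negative counter value.
     *
     * @param i counter to check
     * @throws Fido2RPRuntimeException if {@code i} is negative
     */
    public void verifyCounter(int i) {
        if (i < 0) {
            throw new Fido2RPRuntimeException("Invalid field : counter");
        }
    }

    /**
     * Requires {@code username}, {@code displayName} and {@code attestation} to be present
     * and non-null.
     *
     * @throws Fido2RPRuntimeException if any of them is missing
     */
    public void verifyAttestationOptions(JsonNode jsonNode) {
        if (!hasAllNonNull(jsonNode, "username", "displayName", "attestation")) {
            throw new Fido2RPRuntimeException("Invalid parameters");
        }
    }

    /**
     * Requires {@code username} to be present and non-null.
     *
     * @throws Fido2RPRuntimeException if it is missing
     */
    public void verifyAssertionOptions(JsonNode jsonNode) {
        if (!hasAllNonNull(jsonNode, "username")) {
            throw new Fido2RPRuntimeException("Invalid parameters");
        }
    }

    /**
     * Requires {@code response}, {@code type} and {@code id} to be present and non-null.
     *
     * @throws Fido2RPRuntimeException if any of them is missing
     */
    public void verifyBasicPayload(JsonNode jsonNode) {
        if (!hasAllNonNull(jsonNode, "response", "type", "id")) {
            throw new Fido2RPRuntimeException("Invalid parameters");
        }
    }

    /**
     * Reads field {@code str} as a string and checks that it decodes as base64url.
     *
     * @return the original (still encoded) field value
     * @throws Fido2RPRuntimeException if the field is missing, not textual, or not decodable
     */
    public String verifyBase64UrlString(JsonNode jsonNode, String str) {
        String encoded = verifyThatFieldString(jsonNode, str);
        try {
            // Decoded only to validate; the result is discarded.
            this.base64Service.urlDecode(encoded);
        } catch (IllegalArgumentException e) {
            throw new Fido2RPRuntimeException("Invalid \"" + str + "\"");
        }
        return encoded;
    }

    /**
     * Checks that a binary node holds non-empty, decodable base64 text.
     *
     * @return the node's text form
     * @throws Fido2RPRuntimeException if the node is null, not binary, empty or not decodable
     */
    public String verifyBase64String(JsonNode jsonNode) {
        if (jsonNode == null || jsonNode.isNull()) {
            throw new Fido2RPRuntimeException("Invalid data");
        }
        String encoded = verifyThatBinary(jsonNode);
        if (encoded.isEmpty()) {
            throw new Fido2RPRuntimeException("Invalid data");
        }
        try {
            // Decoded only to validate; the result is discarded.
            this.base64Service.decode(encoded.getBytes("UTF-8"));
            return encoded;
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            throw new Fido2RPRuntimeException("Invalid data");
        }
    }

    /**
     * Returns the text of a textual node.
     *
     * @param jsonNode node expected to be textual
     * @param str field name, used only in error messages
     * @throws Fido2RPRuntimeException if the node is not textual
     */
    protected String verifyThatString(JsonNode jsonNode, String str) {
        if (jsonNode.isTextual()) {
            return jsonNode.asText();
        }
        if (jsonNode.fieldNames().hasNext()) {
            throw new Fido2RPRuntimeException("Invalid field " + ((String) jsonNode.fieldNames().next()) + ". There is no filed " + str);
        }
        throw new Fido2RPRuntimeException("Field hasn't sub field " + str);
    }

    /**
     * Reads field {@code str} of {@code jsonNode} as a string.
     *
     * @throws Fido2RPRuntimeException if the field is missing, null or not textual
     */
    public String verifyThatFieldString(JsonNode jsonNode, String str) {
        JsonNode field = jsonNode.get(str);
        if (field == null || field.isNull()) {
            throw new Fido2RPRuntimeException("Invalid \"" + str + "\"");
        }
        return verifyThatString(field, str);
    }

    /**
     * Reads field {@code str} of {@code jsonNode} as a non-empty string.
     *
     * @throws Fido2RPRuntimeException if the field is missing, null, not textual or empty
     */
    public String verifyThatNonEmptyString(JsonNode jsonNode, String str) {
        JsonNode field = jsonNode.get(str);
        if (field == null || field.isNull()) {
            throw new Fido2RPRuntimeException("Invalid \"" + str + "\"");
        }
        String value = verifyThatString(field, str);
        if (StringUtils.isEmpty(value)) {
            // NOTE(review): the message embeds the whole parent node. Whether exception
            // messages reach API responses is not visible here; if they do, this echoes
            // request content back and may be worth reducing to the field name.
            throw new Fido2RPRuntimeException("Invalid field " + jsonNode);
        }
        return value;
    }

    /**
     * Returns the text form of a binary node.
     *
     * @throws Fido2RPRuntimeException if the node is not binary
     */
    public String verifyThatBinary(JsonNode jsonNode) {
        if (!jsonNode.isBinary()) {
            throw new Fido2RPRuntimeException("Invalid field " + jsonNode);
        }
        return jsonNode.asText();
    }

    /**
     * Checks that the authenticator data node is a non-empty binary node.
     *
     * @return the node's text form
     * @throws Fido2RPRuntimeException if the node is null, not binary or empty
     */
    public String verifyAuthData(JsonNode jsonNode) {
        if (jsonNode == null || jsonNode.isNull()) {
            throw new Fido2RPRuntimeException("Empty auth data");
        }
        String authData = verifyThatBinary(jsonNode);
        if (authData.isEmpty()) {
            throw new Fido2RPRuntimeException("Invalid field " + jsonNode);
        }
        return authData;
    }

    /**
     * Checks that the attestation statement node is present.
     *
     * @return the same node
     * @throws Fido2RPRuntimeException if the node is null
     */
    public JsonNode verifyAuthStatement(JsonNode jsonNode) {
        if (jsonNode == null || jsonNode.isNull()) {
            throw new Fido2RPRuntimeException("Empty auth statement");
        }
        return jsonNode;
    }

    /**
     * Checks that the algorithm identifier in {@code jsonNode} equals the expected one.
     *
     * @param jsonNode node holding the algorithm identifier
     * @param i expected algorithm identifier
     * @return the parsed identifier
     * @throws Fido2RPRuntimeException if the node is null, not an integer, or differs from {@code i}
     */
    public int verifyAlgorithm(JsonNode jsonNode, int i) {
        if (jsonNode == null || jsonNode.isNull()) {
            throw new Fido2RPRuntimeException("Wrong algorithm");
        }
        int algorithm;
        try {
            algorithm = Integer.parseInt(jsonNode.asText());
        } catch (NumberFormatException e) {
            // Non-numeric input is a validation failure, not an unexpected runtime error.
            throw new Fido2RPRuntimeException("Wrong algorithm", e);
        }
        if (algorithm != i) {
            throw new Fido2RPRuntimeException("Wrong algorithm");
        }
        return algorithm;
    }

    /**
     * Reads field {@code str} and checks that it names an attestation format for which a
     * processor is registered.
     *
     * @return the attestation format identifier
     * @throws Fido2RPRuntimeException if the field is invalid or the format is unsupported
     */
    public String verifyFmt(JsonNode jsonNode, String str) {
        String fmt = verifyThatFieldString(jsonNode, str);
        boolean supported = this.supportedAttestationFormats.stream()
                .anyMatch(processor -> processor.getAttestationFormat().getFmt().equals(fmt));
        if (!supported) {
            throw new Fido2RPRuntimeException("Unsupported attestation format " + fmt);
        }
        return fmt;
    }

    /**
     * Checks that every byte of the AAGUID is zero.
     *
     * @throws Fido2RPRuntimeException if any byte is non-zero
     */
    public void verifyAAGUIDZeroed(AuthData authData) {
        for (byte b : authData.getAaguid()) {
            if (b != 0) {
                throw new Fido2RPRuntimeException("Invalid AAGUID");
            }
        }
    }

    /**
     * Requires the client data {@code type} to be {@code webauthn.get}.
     *
     * @throws Fido2RPRuntimeException if the type is missing or different
     */
    public void verifyClientJSONTypeIsGet(JsonNode jsonNode) {
        verifyClientJSONType(jsonNode, "webauthn.get");
    }

    /**
     * Requires the client data {@code type} to equal {@code str}.
     *
     * <p>The check fails closed: a missing or null {@code type} is rejected as well, so that
     * client data from one ceremony cannot pass the type check of the other simply by
     * omitting the field.
     *
     * @throws Fido2RPRuntimeException if the type is missing or different
     */
    void verifyClientJSONType(JsonNode jsonNode, String str) {
        if (!jsonNode.hasNonNull("type") || !str.equals(jsonNode.get("type").asText())) {
            throw new Fido2RPRuntimeException("Invalid client json parameters");
        }
    }

    /**
     * Requires the client data {@code type} to be {@code webauthn.create}.
     *
     * @throws Fido2RPRuntimeException if the type is missing or different
     */
    public void verifyClientJSONTypeIsCreate(JsonNode jsonNode) {
        verifyClientJSONType(jsonNode, "webauthn.create");
    }

    /**
     * Decodes and parses {@code clientDataJSON} from the response node and validates its
     * structure: {@code challenge}, {@code origin} and {@code type} must be present, the
     * challenge must be base64url, an optional {@code tokenBinding} must carry a known
     * {@code status}, and {@code origin} must be a non-empty string.
     *
     * <p>Only the shape is checked here; the challenge value, origin value and type value are
     * not compared against expected values by this method.
     *
     * @param jsonNode response node carrying {@code clientDataJSON}
     * @return the parsed client data
     * @throws Fido2RPRuntimeException if the client data is missing, undecodable or malformed
     */
    public JsonNode verifyClientJSON(JsonNode jsonNode) {
        if (!jsonNode.hasNonNull("clientDataJSON")) {
            throw new Fido2RPRuntimeException("Client data JSON is missing");
        }
        JsonNode clientData;
        try {
            byte[] decoded = this.base64Service.urlDecode(jsonNode.get("clientDataJSON").asText());
            clientData = this.dataMapperService.readTree(new String(decoded, UTF_8));
        } catch (IOException | IllegalArgumentException e) {
            // Malformed base64url is reported the same way as malformed JSON instead of
            // escaping as a raw IllegalArgumentException.
            throw new Fido2RPRuntimeException("Can't parse message", e);
        }
        if (clientData == null) {
            throw new Fido2RPRuntimeException("Client data JSON is empty");
        }
        if (!hasAllNonNull(clientData, "challenge", "origin", "type")) {
            throw new Fido2RPRuntimeException("Invalid client json parameters");
        }
        verifyBase64UrlString(clientData, "challenge");
        if (clientData.hasNonNull("tokenBinding")) {
            JsonNode tokenBinding = clientData.get("tokenBinding");
            if (!tokenBinding.hasNonNull("status")) {
                throw new Fido2RPRuntimeException("Invalid tokenBinding entry. it should contaiss status");
            }
            verifyTokenBindingSupport(verifyThatFieldString(tokenBinding, "status"));
            if (tokenBinding.hasNonNull("id")) {
                verifyThatFieldString(tokenBinding, "id");
            }
        }
        if (verifyThatFieldString(clientData, "origin").isEmpty()) {
            throw new Fido2RPRuntimeException("Client data origin parameter should be string");
        }
        return clientData;
    }

    /**
     * Requires the TPM attestation version to be {@code 2.0}.
     *
     * @throws Fido2RPRuntimeException for any other value
     */
    public void verifyTPMVersion(JsonNode jsonNode) {
        if (!"2.0".equals(jsonNode.asText())) {
            throw new Fido2RPRuntimeException("Invalid TPM Attestation version");
        }
    }

    /**
     * Reads the requested attestation conveyance preference.
     *
     * @return the parsed preference, or {@code direct} when the field is absent
     * @throws Fido2RPRuntimeException if the field is present but null, not textual, or not a
     *     known preference name
     */
    public AttestationConveyancePreference verifyAttestationConveyanceType(JsonNode jsonNode) {
        if (!jsonNode.has("attestation")) {
            return AttestationConveyancePreference.direct;
        }
        String requested = verifyThatFieldString(jsonNode, "attestation");
        AttestationConveyancePreference preference;
        try {
            preference = AttestationConveyancePreference.valueOf(requested);
        } catch (IllegalArgumentException e) {
            // An unknown name is a validation failure, not an unexpected runtime error.
            throw new Fido2RPRuntimeException("Wrong attestation conveyance parameter " + requested, e);
        }
        return preference != null ? preference : AttestationConveyancePreference.direct;
    }

    /**
     * Maps a token binding status string to {@link TokenBindingSupport}.
     *
     * @return the matching value, or {@code null} when {@code str} is {@code null}
     * @throws Fido2RPRuntimeException if the status is not recognised
     */
    public TokenBindingSupport verifyTokenBindingSupport(String str) {
        if (str == null) {
            return null;
        }
        TokenBindingSupport support;
        try {
            support = TokenBindingSupport.fromStatusValue(str);
        } catch (Exception e) {
            throw new Fido2RPRuntimeException("Wrong token binding status parameter " + e.getMessage(), e);
        }
        // Checked outside the try so this exception is not caught and wrapped a second time.
        if (support == null) {
            throw new Fido2RPRuntimeException("Wrong token binding status parameter " + str);
        }
        return support;
    }

    /**
     * Maps the node's text to {@link AuthenticatorAttachment}.
     *
     * @return the matching value, or {@code null} when {@code jsonNode} is {@code null}
     * @throws Fido2RPRuntimeException if the value is not recognised
     */
    public AuthenticatorAttachment verifyAuthenticatorAttachment(JsonNode jsonNode) {
        if (jsonNode == null) {
            return null;
        }
        AuthenticatorAttachment attachment;
        try {
            attachment = AuthenticatorAttachment.fromAttachmentValue(jsonNode.asText());
        } catch (Exception e) {
            throw new Fido2RPRuntimeException("Wrong authenticator attachment parameter " + e.getMessage(), e);
        }
        // Checked outside the try so this exception is not caught and wrapped a second time.
        if (attachment == null) {
            throw new Fido2RPRuntimeException("Wrong authenticator attachment parameter " + jsonNode);
        }
        return attachment;
    }

    /**
     * Maps the node's text to {@link UserVerification}.
     *
     * @return the matching value, or {@code null} when {@code jsonNode} is {@code null}
     * @throws Fido2RPRuntimeException if the value is not recognised
     */
    public UserVerification verifyUserVerification(JsonNode jsonNode) {
        if (jsonNode == null) {
            return null;
        }
        UserVerification userVerification;
        try {
            userVerification = UserVerification.valueOf(jsonNode.asText());
        } catch (Exception e) {
            throw new Fido2RPRuntimeException("Wrong user verification parameter " + e.getMessage(), e);
        }
        // Checked outside the try so this exception is not caught and wrapped a second time.
        if (userVerification == null) {
            throw new Fido2RPRuntimeException("Wrong user verification parameter " + jsonNode);
        }
        return userVerification;
    }

    /**
     * Reads {@code userVerification} from the request parameters.
     *
     * @return the requested value, or {@code preferred} when the field is absent or null
     * @throws Fido2RPRuntimeException if the value is not recognised
     */
    public UserVerification prepareUserVerification(JsonNode jsonNode) {
        if (!jsonNode.hasNonNull("userVerification")) {
            return UserVerification.preferred;
        }
        return verifyUserVerification(jsonNode.get("userVerification"));
    }

    /**
     * Reads the resident-key requirement as a boolean.
     *
     * @return the node's boolean value, or {@code null} when {@code jsonNode} is {@code null}
     */
    public Boolean verifyRequireResidentKey(JsonNode jsonNode) {
        if (jsonNode == null) {
            return null;
        }
        // JsonNode.asBoolean() does not throw; a node that cannot be converted yields false,
        // so a malformed value is silently treated as "not required".
        return Boolean.valueOf(jsonNode.asBoolean());
    }

    /**
     * Requires field {@code str} to be the string {@code public-key}.
     *
     * @return the field value
     * @throws Fido2RPRuntimeException if the field is invalid or has another value
     */
    public String verifyAssertionType(JsonNode jsonNode, String str) {
        String type = verifyThatFieldString(jsonNode, str);
        if (!"public-key".equals(type)) {
            throw new Fido2RPRuntimeException("Invalid type");
        }
        return type;
    }

    /**
     * Checks that the response {@code id} is a non-empty base64url string.
     *
     * @param credAndCounterData credential data from the attestation; currently not read
     * @param jsonNode response node carrying {@code id}
     * @return the (still encoded) credential id from the response
     * @throws Fido2RPRuntimeException if {@code id} is missing, not base64url, or empty
     */
    public String verifyCredentialId(CredAndCounterData credAndCounterData, JsonNode jsonNode) {
        // NOTE(review): the error text speaks of a mismatch with the attestationObject, but
        // credAndCounterData is never consulted, so the response id is not compared with the
        // credential id from the attestation. Confirm whether that comparison happens
        // elsewhere or should be added here.
        String credentialId = verifyBase64UrlString(jsonNode, "id");
        if (StringHelper.isEmpty(credentialId)) {
            throw new Fido2RPRuntimeException("Credential id attestationObject and response id mismatch");
        }
        return credentialId;
    }

    /**
     * Returns the client data challenge re-encoded as unpadded base64url, so that it has one
     * canonical form regardless of how the client padded it.
     *
     * @throws Fido2RPRuntimeException if the challenge is missing or cannot be decoded
     */
    public String getChallenge(JsonNode jsonNode) {
        try {
            byte[] challenge = this.base64Service.urlDecode(jsonNode.get("challenge").asText());
            return this.base64Service.urlEncodeToStringWithoutPadding(challenge);
        } catch (Exception e) {
            throw new Fido2RPRuntimeException("Can't get challenge from clientData", e);
        }
    }

    /**
     * Reads {@code timeout} from the request parameters.
     *
     * @return the requested timeout, or 90 when the field is absent, null or not numeric
     */
    public int verifyTimeout(JsonNode jsonNode) {
        // NOTE(review): the value is returned without a lower or upper bound; confirm that
        // callers clamp it if the node is client-supplied.
        if (jsonNode.hasNonNull("timeout")) {
            return jsonNode.get("timeout").asInt(DEFAULT_TIMEOUT);
        }
        return DEFAULT_TIMEOUT;
    }

    /**
     * Requires a metadata entry to carry {@code aaguid}, {@code assertionScheme},
     * {@code attestationTypes} and {@code description}.
     *
     * @throws Fido2RPRuntimeException if any of them is missing or null
     */
    public void verifyThatMetadataIsValid(JsonNode jsonNode) {
        if (!hasAllNonNull(jsonNode, "aaguid", "assertionScheme", "attestationTypes", "description")) {
            throw new Fido2RPRuntimeException("Invalid parameters in metadata");
        }
    }

    /** Returns true when every named field is present on the node with a non-null value. */
    private static boolean hasAllNonNull(JsonNode node, String... fieldNames) {
        for (String fieldName : fieldNames) {
            if (!node.hasNonNull(fieldName)) {
                return false;
            }
        }
        return true;
    }
}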
