package org.gluu.oxauth.fido2.service.processor.attestation;

import com.fasterxml.jackson.databind.JsonNode;
import java.nio.ByteBuffer;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.codec.digest.DigestUtils;
import org.gluu.oxauth.fido2.ctap.AttestationFormat;
import org.gluu.oxauth.fido2.exception.Fido2RPRuntimeException;
import org.gluu.oxauth.fido2.google.safetynet.AttestationStatement;
import org.gluu.oxauth.fido2.google.safetynet.OfflineVerify;
import org.gluu.oxauth.fido2.model.auth.AuthData;
import org.gluu.oxauth.fido2.model.auth.CredAndCounterData;
import org.gluu.oxauth.fido2.model.entry.Fido2RegistrationData;
import org.gluu.oxauth.fido2.service.Base64Service;
import org.gluu.oxauth.fido2.service.mds.AttestationCertificateService;
import org.gluu.oxauth.fido2.service.processors.AttestationFormatProcessor;
import org.gluu.oxauth.fido2.service.verifier.CommonVerifiers;
import org.slf4j.Logger;

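/**
 * Attestation processor for the {@code android_safetynet} attestation format.
 *
 * <p>{@link #process} hands the SafetyNet response to {@link OfflineVerify#parseAndVerify}
 * together with a trust manager obtained from {@link AttestationCertificateService}, then
 * checks the statement's nonce, its {@code ctsProfileMatch} flag and its timestamp before
 * copying the credential id and public key into the result object.
 *
 * <p>NOTE(review): Google has deprecated the SafetyNet Attestation API in favour of Play
 * Integrity; confirm whether this format should still be accepted by the deployment's
 * attestation policy.
 */
@ApplicationScoped
public class AndroidSafetyNetAttestationProcessor implements AttestationFormatProcessor {

    /** Single message used for every rejection so the check that failed is not disclosed. */
    private static final String INVALID_ATTESTATION = "Invalid safety net attestation";

    @Inject
    private Logger log;

    @Inject
    private CommonVerifiers commonVerifiers;

    @Inject
    private AttestationCertificateService attestationCertificateService;

    @Inject
    private Base64Service base64Service;

    /**
     * Returns the attestation format handled by this processor.
     *
     * @return {@link AttestationFormat#android_safetynet}
     */
    @Override
    public AttestationFormat getAttestationFormat() {
        return AttestationFormat.android_safetynet;
    }

    /**
     * Validates an Android SafetyNet attestation statement and fills in the credential data.
     *
     * <p>The statement is rejected when it has no {@code response} field, when
     * {@code OfflineVerify.parseAndVerify} returns {@code null}, when the nonce differs from
     * SHA-256 over the decoded authenticator data followed by {@code bArr}, when
     * {@code ctsProfileMatch} is false, or when the timestamp lies in the future or is more
     * than one minute old.
     *
     * @param jsonNode attestation statement; must carry a non-empty {@code ver} and a
     *     {@code response} field holding the Base64-encoded SafetyNet response
     * @param authData parsed authenticator data of the registration
     * @param fido2RegistrationData registration entry; not used by this processor
     * @param bArr bytes appended to the authenticator data before hashing (presumably the
     *     client data hash; confirm against the caller)
     * @param credAndCounterData receives the attestation type, credential id and public key
     * @throws Fido2RPRuntimeException if any check fails or any step throws
     */
    @Override
    public void process(JsonNode jsonNode, AuthData authData, Fido2RegistrationData fido2RegistrationData, byte[] bArr, CredAndCounterData credAndCounterData) {
        this.commonVerifiers.verifyThatNonEmptyString(jsonNode, "ver");

        // A missing field would otherwise surface as a bare NullPointerException.
        JsonNode responseNode = jsonNode.get("response");
        if (responseNode == null || responseNode.asText().isEmpty()) {
            throw new Fido2RPRuntimeException(INVALID_ATTESTATION);
        }
        String encodedResponse = responseNode.asText();

        try {
            // Decode once, with an explicit charset, so a malformed value is reported as an
            // attestation failure instead of escaping from the logging statement.
            String safetyNetResponse = new String(this.base64Service.decode(encodedResponse), java.nio.charset.StandardCharsets.UTF_8);
            if (this.log.isDebugEnabled()) {
                // The full attestation statement is written to the log here; keep debug
                // logging off where log files are broadly readable.
                this.log.debug("Android safetynet payload {} {}", Hex.encodeHexString(authData.getAaguid()), safetyNetResponse);
            }

            // NOTE(review): signature, certificate-chain and hostname validation are assumed
            // to happen inside OfflineVerify.parseAndVerify; confirm there.
            AttestationStatement statement = OfflineVerify.parseAndVerify(safetyNetResponse, this.attestationCertificateService.populateTrustManager(authData, null));
            if (statement == null) {
                throw new Fido2RPRuntimeException(INVALID_ATTESTATION);
            }

            // The nonce binds the statement to this ceremony: SHA-256(authData || bArr).
            byte[] authDataDecoded = authData.getAuthDataDecoded();
            byte[] signedData = ByteBuffer.allocate(authDataDecoded.length + bArr.length).put(authDataDecoded).put(bArr).array();
            byte[] expectedNonce = DigestUtils.getSha256Digest().digest(signedData);
            if (!Arrays.equals(expectedNonce, statement.getNonce())) {
                throw new Fido2RPRuntimeException(INVALID_ATTESTATION);
            }

            if (!statement.isCtsProfileMatch()) {
                throw new Fido2RPRuntimeException(INVALID_ATTESTATION);
            }

            // Freshness window: not in the future and at most one minute old. One clock
            // reading serves both bounds so they cannot drift apart.
            Instant now = Instant.now();
            Instant issuedAt = Instant.ofEpochMilli(statement.getTimestampMs());
            if (issuedAt.isAfter(now) || issuedAt.isBefore(now.minus(1L, ChronoUnit.MINUTES))) {
                throw new Fido2RPRuntimeException(INVALID_ATTESTATION);
            }

            credAndCounterData.setAttestationType(getAttestationFormat().getFmt());
            credAndCounterData.setCredId(this.base64Service.urlEncodeToString(authData.getCredId()));
            credAndCounterData.setUncompressedEcPoint(this.base64Service.urlEncodeToString(authData.getCosePublicKey()));
        } catch (Exception e) {
            // The rethrown exception carries only the message, so record the stack trace here.
            this.log.warn("Android SafetyNet attestation verification failed", e);
            // NOTE(review): the cause's message is appended to the exception text; confirm
            // that callers do not return it verbatim to the remote client.
            throw new Fido2RPRuntimeException(INVALID_ATTESTATION + " " + e.getMessage());
        }
    }
}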
