package org.gluu.oxauth.service.fido.u2f;

import com.google.common.io.ByteArrayDataOutput;
import com.google.common.io.ByteStreams;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.commons.io.IOUtils;
import org.gluu.oxauth.crypto.cert.CertificateParser;
import org.gluu.oxauth.crypto.signature.SHA256withECDSASignatureVerification;
import org.gluu.oxauth.model.exception.SignatureException;
import org.gluu.oxauth.model.fido.u2f.DeviceRegistration;
import org.gluu.oxauth.model.fido.u2f.exception.BadInputException;
import org.gluu.oxauth.model.fido.u2f.message.RawRegisterResponse;
import org.gluu.oxauth.model.fido.u2f.protocol.ClientData;
import org.gluu.oxauth.model.util.Base64Util;
import org.gluu.util.io.ByteDataInputStream;
import org.slf4j.Logger;

/**
 * Parses raw FIDO U2F registration responses, verifies their attestation
 * signature and turns them into {@link DeviceRegistration} records.
 *
 * <p>Security note: every value handled here comes out of the encoded
 * registration response itself. A successful {@link #checkSignature} shows that
 * the response is internally consistent with the certificate it carries; this
 * class does not decide whether that certificate is trusted.
 */
@Stateless
@Named
/* loaded from: input_file:org/gluu/oxauth/service/fido/u2f/RawRegistrationService.class */
public class RawRegistrationService {

    /** Value the first byte of a raw registration response must have. */
    public static final byte REGISTRATION_RESERVED_BYTE_VALUE = 5;

    /** Leading byte of the byte string covered by the attestation signature. */
    public static final byte REGISTRATION_SIGNED_RESERVED_BYTE_VALUE = 0;

    /** Counter value stored for a freshly created device registration. */
    public static final long INITIAL_DEVICE_COUNTER_VALUE = -1;

    public static final String REGISTER_FINISH_TYPE = "navigator.id.finishEnrollment";
    public static final String REGISTER_CANCEL_TYPE = "navigator.id.cancelEnrollment";

    // NOTE(review): the reference is final but the array contents are not; any code
    // holding this public array can overwrite its elements. Treat it as read-only.
    public static final String[] SUPPORTED_REGISTER_TYPES = {REGISTER_FINISH_TYPE, REGISTER_CANCEL_TYPE};

    @Inject
    private Logger log;

    @Inject
    @Named("sha256withECDSASignatureVerification")
    private SHA256withECDSASignatureVerification signatureVerification;

    /**
     * Decodes a base64url-encoded raw registration response and splits it into its fields.
     *
     * <p>Layout as read below: one reserved byte (must equal
     * {@link #REGISTRATION_RESERVED_BYTE_VALUE}), 65 bytes, one unsigned length byte
     * followed by that many bytes, a DER-encoded attestation certificate, and finally
     * everything that is left in the stream. Presumably these map to user public key,
     * key handle, certificate and signature in that order; confirm against the
     * {@link RawRegisterResponse} constructor.
     *
     * <p>The base64url decoding runs before the {@code try} block, so whatever
     * {@code Base64Util.base64urldecode} throws on malformed input reaches the caller
     * unchanged rather than as a {@link BadInputException}.
     *
     * @param str base64url-encoded raw registration response
     * @return the parsed response; nothing in it has been cryptographically verified yet
     * @throws BadInputException if the reserved byte is wrong, the stream cannot be read,
     *         or the attestation certificate cannot be parsed
     */
    public RawRegisterResponse parseRawRegisterResponse(String str) throws BadInputException {
        ByteDataInputStream in = new ByteDataInputStream(Base64Util.base64urldecode(str));
        try {
            byte reserved = in.readSigned();
            if (reserved != REGISTRATION_RESERVED_BYTE_VALUE) {
                throw new BadInputException("Incorrect value of reserved byte. Expected: 5. Was: " + (int) reserved);
            }
            // Constructor arguments are evaluated left to right, which is what walks
            // the stream in wire order; do not reorder them.
            return new RawRegisterResponse(
                    in.read(65),
                    in.read(in.readUnsigned()),
                    CertificateParser.parseDer((InputStream) in),
                    in.readAll());
        } catch (IOException e) {
            throw new BadInputException("Failed to parse RAW register response", e);
        } catch (CertificateException e) {
            throw new BadInputException("Malformed attestation certificate", e);
        } finally {
            // Close on every exit path; close failures are deliberately ignored.
            IOUtils.closeQuietly(in);
        }
    }

    /**
     * Verifies the attestation signature of a parsed registration response.
     *
     * <p>The signed data is rebuilt by {@link #packBytesToSign} from the hash of
     * {@code str}, the hash of the raw client data, the key handle and the user public
     * key, then checked against the signature using the attestation certificate taken
     * from the same response.
     *
     * <p>NOTE(review): this method neither validates the attestation certificate
     * (chain, expiry, vendor trust) nor inspects the client data contents (type,
     * challenge, origin). Confirm that callers perform those checks before a device is
     * stored.
     *
     * @param str value whose hash leads the signed data; presumably the application id,
     *        to be confirmed against callers
     * @param clientData client data whose raw form is hashed into the signed data
     * @param rawRegisterResponse parsed response supplying certificate, key handle,
     *        user public key and signature
     * @throws BadInputException if signature verification fails
     */
    public void checkSignature(String str, ClientData clientData, RawRegisterResponse rawRegisterResponse) throws BadInputException {
        try {
            signatureVerification.checkSignature(
                    rawRegisterResponse.getAttestationCertificate(),
                    packBytesToSign(
                            signatureVerification.hash(str),
                            signatureVerification.hash(clientData.getRawClientData()),
                            rawRegisterResponse.getKeyHandle(),
                            rawRegisterResponse.getUserPublicKey()),
                    rawRegisterResponse.getSignature());
        } catch (SignatureException e) {
            throw new BadInputException("Failed to checkSignature", e);
        }
    }

    /**
     * Concatenates the signed-data fields: the reserved byte
     * {@link #REGISTRATION_SIGNED_RESERVED_BYTE_VALUE} followed by the four arrays in
     * argument order.
     */
    private byte[] packBytesToSign(byte[] applicationHash, byte[] clientDataHash, byte[] keyHandle, byte[] userPublicKey) {
        ByteArrayDataOutput signedData = ByteStreams.newDataOutput();
        signedData.write(REGISTRATION_SIGNED_RESERVED_BYTE_VALUE);
        signedData.write(applicationHash);
        signedData.write(clientDataHash);
        signedData.write(keyHandle);
        signedData.write(userPublicKey);
        return signedData.toByteArray();
    }

    /**
     * Builds a device registration from a parsed response, storing key handle and
     * user public key base64url-encoded and starting the counter at
     * {@link #INITIAL_DEVICE_COUNTER_VALUE}.
     *
     * <p>No verification happens here; the response is expected to have passed
     * {@link #checkSignature} already (not enforced by this method).
     *
     * @param str first argument handed to the {@link DeviceRegistration} constructor;
     *        its meaning is not visible here, confirm against callers
     * @param rawRegisterResponse parsed registration response
     * @return the new device registration
     * @throws BadInputException declared for callers; this body has no explicit throw
     */
    public DeviceRegistration createDevice(String str, RawRegisterResponse rawRegisterResponse) throws BadInputException {
        String encodedKeyHandle = Base64Util.base64urlencode(rawRegisterResponse.getKeyHandle());
        String encodedPublicKey = Base64Util.base64urlencode(rawRegisterResponse.getUserPublicKey());
        return new DeviceRegistration(
                str,
                encodedKeyHandle,
                encodedPublicKey,
                rawRegisterResponse.getAttestationCertificate(),
                INITIAL_DEVICE_COUNTER_VALUE);
    }
}
