package org.gluu.oxauth.fido2.service.mds;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.text.ParseException;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;
import javax.inject.Inject;
import org.apache.commons.codec.digest.DigestUtils;
import org.gluu.oxauth.fido2.cryptoutils.CryptoUtils;
import org.gluu.oxauth.fido2.exception.Fido2RPRuntimeException;
import org.gluu.oxauth.fido2.service.Base64Service;
import org.gluu.oxauth.fido2.service.CertificateValidator;
import org.gluu.oxauth.fido2.service.DataMapperService;
import org.slf4j.Logger;
import org.xdi.oxauth.model.configuration.AppConfiguration;
import org.xdi.oxauth.model.configuration.Fido2Configuration;
import org.xdi.service.cdi.event.ApplicationInitialized;
import org.xdi.util.Pair;
import org.xdi.util.StringHelper;

@ApplicationScoped
/* loaded from: input_file:org/gluu/oxauth/fido2/service/mds/MdsTocService.class */
public class MdsTocService {

    @Inject
    private Logger log;

    @Inject
    private DataMapperService dataMapperService;

    @Inject
    private CertificateValidator certificateValidator;

    @Inject
    private CryptoUtils cryptoUtils;

    @Inject
    private Base64Service base64Service;

    @Inject
    private AppConfiguration appConfiguration;
    private Map<String, JsonNode> tocEntries;
    private MessageDigest digester;

    @PostConstruct
    public void create() {
        this.tocEntries = Collections.synchronizedMap(new HashMap());
    }

    public void init(@Observes @ApplicationInitialized(ApplicationScoped.class) Object obj) {
        this.tocEntries.putAll(parseTOCs());
    }

    private Map<String, JsonNode> parseTOCs() {
        Fido2Configuration fido2Configuration = this.appConfiguration.getFido2Configuration();
        if (fido2Configuration == null) {
            this.log.warn("Fido2 configuration not exists");
            return new HashMap();
        }
        String mdsCertsFolder = fido2Configuration.getMdsCertsFolder();
        String mdsTocsFolder = fido2Configuration.getMdsTocsFolder();
        if (StringHelper.isEmpty(mdsCertsFolder) || StringHelper.isEmpty(mdsTocsFolder)) {
            this.log.warn("Fido2 MDS properties should be set");
            return new HashMap();
        }
        this.log.info("Populating TOC entries from {}", mdsTocsFolder);
        Path path = FileSystems.getDefault().getPath(mdsTocsFolder, new String[0]);
        DirectoryStream<Path> directoryStream = null;
        ArrayList arrayList = new ArrayList();
        try {
            try {
                directoryStream = Files.newDirectoryStream(path);
                for (Path path2 : directoryStream) {
                    try {
                        Pair<LocalDate, Map<String, JsonNode>> parseTOC = parseTOC(mdsCertsFolder, path2);
                        this.log.info("Get TOC {} entries with nextUpdate date {}", Integer.valueOf(((Map) parseTOC.getSecond()).size()), parseTOC.getFirst());
                        arrayList.add(parseTOC.getSecond());
                    } catch (IOException e) {
                        this.log.warn("Can't access or open path: {}", path2, e);
                    } catch (ParseException e2) {
                        this.log.warn("Can't parse path: {}", path2, e2);
                    }
                }
                if (directoryStream != null) {
                    try {
                        directoryStream.close();
                    } catch (IOException e3) {
                        this.log.warn("Something wrong with directory stream");
                    }
                }
            } catch (Throwable th) {
                if (directoryStream != null) {
                    try {
                        directoryStream.close();
                    } catch (IOException e4) {
                        this.log.warn("Something wrong with directory stream");
                    }
                }
                throw th;
            }
        } catch (Exception e5) {
            this.log.warn("Something wrong with path", e5);
            if (directoryStream != null) {
                try {
                    directoryStream.close();
                } catch (IOException e6) {
                    this.log.warn("Something wrong with directory stream");
                }
            }
        }
        return mergeAndResolveDuplicateEntries(arrayList);
    }

    private Map<String, JsonNode> parseTOC(String str, String str2) {
        try {
            return (Map) parseTOC(str, FileSystems.getDefault().getPath(str2, new String[0])).getSecond();
        } catch (IOException e) {
            throw new Fido2RPRuntimeException("Unable to read TOC at " + str2, e);
        } catch (ParseException e2) {
            throw new Fido2RPRuntimeException("Unable to parse TOC at " + str2, e2);
        }
    }

    private Pair<LocalDate, Map<String, JsonNode>> parseTOC(String str, Path path) throws IOException, ParseException {
        BufferedReader bufferedReader = null;
        try {
            bufferedReader = Files.newBufferedReader(path);
            JWSObject parse = JWSObject.parse(bufferedReader.readLine());
            List<String> list = (List) parse.getHeader().getX509CertChain().stream().map(base64 -> {
                return this.base64Service.encodeToString(base64.decode());
            }).collect(Collectors.toList());
            JWSAlgorithm algorithm = parse.getHeader().getAlgorithm();
            try {
                if (!parse.verify(resolveVerifier(algorithm, str, list))) {
                    this.log.warn("Unable to verify JWS object using algorithm {} for file {}", algorithm, path);
                    Pair<LocalDate, Map<String, JsonNode>> pair = new Pair<>((Object) null, Collections.emptyMap());
                    if (bufferedReader != null) {
                        try {
                            bufferedReader.close();
                        } catch (IOException e) {
                            this.log.warn("Unable to close reader {}", path);
                        }
                    }
                    return pair;
                }
                this.digester = resolveDigester(algorithm);
                JsonNode readTree = this.dataMapperService.readTree(parse.getPayload().toString());
                this.log.info("Legal header {}", readTree.get("legalHeader"));
                ArrayNode arrayNode = readTree.get("entries");
                this.log.info("Property 'no' value: {}. Number of entries: {}", Integer.valueOf(readTree.get("no").asInt()), Integer.valueOf(arrayNode.size()));
                Iterator elements = arrayNode.elements();
                HashMap hashMap = new HashMap();
                while (elements.hasNext()) {
                    JsonNode jsonNode = (JsonNode) elements.next();
                    if (jsonNode.hasNonNull("aaguid")) {
                        String asText = jsonNode.get("aaguid").asText();
                        this.log.info("Added TOC entry {} from {} with status {}", new Object[]{asText, path, jsonNode.get("statusReports").findValue("status")});
                        hashMap.put(asText, jsonNode);
                    }
                }
                Pair<LocalDate, Map<String, JsonNode>> pair2 = new Pair<>(LocalDate.parse(readTree.get("nextUpdate").asText()), hashMap);
                if (bufferedReader != null) {
                    try {
                        bufferedReader.close();
                    } catch (IOException e2) {
                        this.log.warn("Unable to close reader {}", path);
                    }
                }
                return pair2;
            } catch (Fido2RPRuntimeException e3) {
                this.log.warn("Unable to verify JWS object using algorithm {} for file {} {}", new Object[]{algorithm, path, e3});
                Pair<LocalDate, Map<String, JsonNode>> pair3 = new Pair<>((Object) null, Collections.emptyMap());
                if (bufferedReader != null) {
                    try {
                        bufferedReader.close();
                    } catch (IOException e4) {
                        this.log.warn("Unable to close reader {}", path);
                    }
                }
                return pair3;
            } catch (JOSEException e5) {
                this.log.warn("Unable to verify JWS object using algorithm {} for file {} {} ", new Object[]{algorithm, path, e5});
                Pair<LocalDate, Map<String, JsonNode>> pair4 = new Pair<>((Object) null, Collections.emptyMap());
                if (bufferedReader != null) {
                    try {
                        bufferedReader.close();
                    } catch (IOException e6) {
                        this.log.warn("Unable to close reader {}", path);
                    }
                }
                return pair4;
            }
        } catch (Throwable th) {
            if (bufferedReader != null) {
                try {
                    bufferedReader.close();
                } catch (IOException e7) {
                    this.log.warn("Unable to close reader {}", path);
                }
            }
            throw th;
        }
    }

    private JWSVerifier resolveVerifier(JWSAlgorithm jWSAlgorithm, String str, List<String> list) {
        List<X509Certificate> certificates = this.cryptoUtils.getCertificates(list);
        ArrayList arrayList = new ArrayList();
        DirectoryStream<Path> directoryStream = null;
        try {
            try {
                Path path = FileSystems.getDefault().getPath(str, new String[0]);
                directoryStream = Files.newDirectoryStream(path);
                Iterator<Path> it = directoryStream.iterator();
                while (it.hasNext()) {
                    try {
                        arrayList.add(this.cryptoUtils.getCertificate(Files.newInputStream(it.next(), new OpenOption[0])));
                    } catch (IOException e) {
                        throw new Fido2RPRuntimeException("Unable to read the root cert " + path, e);
                    }
                }
                if (directoryStream != null) {
                    try {
                        directoryStream.close();
                    } catch (IOException e2) {
                        this.log.warn("Something wrong with directory stream");
                    }
                }
            } catch (Throwable th) {
                if (directoryStream != null) {
                    try {
                        directoryStream.close();
                    } catch (IOException e3) {
                        this.log.warn("Something wrong with directory stream");
                    }
                }
                throw th;
            }
        } catch (Exception e4) {
            this.log.warn("Something wrong with path", e4);
            if (directoryStream != null) {
                try {
                    directoryStream.close();
                } catch (IOException e5) {
                    this.log.warn("Something wrong with directory stream");
                }
            }
        }
        X509Certificate verifyAttestationCertificates = this.certificateValidator.verifyAttestationCertificates(certificates, arrayList);
        if (!JWSAlgorithm.ES256.equals(jWSAlgorithm)) {
            throw new Fido2RPRuntimeException("Don't know what to do with " + jWSAlgorithm);
        }
        try {
            return new ECDSAVerifier((ECPublicKey) verifyAttestationCertificates.getPublicKey());
        } catch (JOSEException e6) {
            throw new Fido2RPRuntimeException("Unable to create verifier for algorithm " + jWSAlgorithm, (Throwable) e6);
        }
    }

    private MessageDigest resolveDigester(JWSAlgorithm jWSAlgorithm) {
        if (JWSAlgorithm.ES256.equals(jWSAlgorithm)) {
            return DigestUtils.getSha256Digest();
        }
        throw new Fido2RPRuntimeException("Don't know what to do with " + jWSAlgorithm);
    }

    private Map<String, JsonNode> mergeAndResolveDuplicateEntries(List<Map<String, JsonNode>> list) {
        HashMap hashMap = new HashMap();
        Map[] mapArr = new Map[list.size()];
        list.toArray(mapArr);
        hashMap.putAll((Map) Stream.of((Object[]) mapArr).flatMap(map -> {
            return map.entrySet().stream();
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }, (jsonNode, jsonNode2) -> {
            this.log.warn("Duplicate values {} {}", jsonNode, jsonNode2);
            JsonNode jsonNode = getDate(jsonNode).isAfter(getDate(jsonNode2)) ? jsonNode : jsonNode2;
            this.log.warn("Selected value {} ", jsonNode);
            return jsonNode;
        })));
        return hashMap;
    }

    private LocalDate getDate(JsonNode jsonNode) {
        JsonNode jsonNode2 = jsonNode.get("timeOfLastStatusChange");
        return jsonNode2 != null ? LocalDate.parse(jsonNode2.asText(), DateTimeFormatter.ISO_DATE) : LocalDate.now();
    }

    public JsonNode getAuthenticatorsMetadata(String str) {
        return this.tocEntries.get(str);
    }

    public MessageDigest getDigester() {
        return this.digester;
    }
}
