package io.vertx.ext.auth.webauthn.impl.attestation;

import io.vertx.core.buffer.Buffer;
import io.vertx.core.json.DecodeException;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.impl.CertificateHelper;
import io.vertx.ext.auth.impl.Codec;
import io.vertx.ext.auth.webauthn.AttestationCertificates;
import io.vertx.ext.auth.webauthn.PublicKeyCredential;
import io.vertx.ext.auth.webauthn.WebAuthnOptions;
import io.vertx.ext.auth.webauthn.impl.AuthData;
import io.vertx.ext.auth.webauthn.impl.CBOR;
import io.vertx.ext.auth.webauthn.impl.metadata.MetaData;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;

/* loaded from: input_file:io/vertx/ext/auth/webauthn/impl/attestation/FidoU2fAttestation.class */
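/**
 * Verifier for attestation statements in the "fido-u2f" format.
 *
 * <p>The verifier rebuilds the byte string the authenticator signed and checks the
 * signature in {@code attStmt.sig} against the public key of the first certificate
 * in {@code attStmt.x5c}, using ES256.
 *
 * <p>Review notes:
 * <ul>
 *   <li>The {@code metaData} argument is not consulted by this class.</li>
 *   <li>Only the CRL-based {@link CertificateHelper#checkValidity} call is visible here;
 *       whether the chain is anchored to a trusted root is not determinable from this
 *       file and should be confirmed against the caller.</li>
 *   <li>NOTE(review): the WebAuthn specification asks for exactly one certificate in
 *       {@code x5c} for this format; this class only rejects an empty list.</li>
 * </ul>
 */
public class FidoU2fAttestation implements Attestation {

    /** Byte length of one affine coordinate of a P-256 public key. */
    private static final int P256_COORDINATE_LENGTH = 32;

    /**
     * Returns the attestation statement format identifier handled by this class.
     *
     * @return the constant {@code "fido-u2f"}
     */
    @Override
    public String fmt() {
        return "fido-u2f";
    }

    /**
     * Validates a fido-u2f attestation statement.
     *
     * <p>Signed data layout: {@code 0x00 || rpIdHash || SHA-256(bArr) || credentialId || publicKey},
     * where {@code publicKey} is the credential key as an uncompressed EC point.
     *
     * @param webAuthnOptions supplies the CRLs passed to the certificate validity check
     * @param metaData not used by this implementation
     * @param bArr bytes hashed with SHA-256 into the signed data (presumably the raw client
     *     data JSON; confirm against the caller)
     * @param jsonObject decoded attestation object; must contain {@code attStmt} with
     *     {@code x5c} and {@code sig}
     * @param authData parsed authenticator data
     * @return the algorithm (ES256) and the {@code x5c} array taken from the statement
     * @throws AttestationException if the AAGUID is not all zeroes, a required field is
     *     missing, or certificate / signature verification fails
     * @throws DecodeException (unchecked) if the credential public key is not a usable COSE key
     */
    @Override
    public AttestationCertificates validate(WebAuthnOptions webAuthnOptions, MetaData metaData, byte[] bArr, JsonObject jsonObject, AuthData authData) throws AttestationException {
        try {
            // This format is only accepted with the all-zero AAGUID.
            if (!"00000000-0000-0000-0000-000000000000".equals(authData.getAaguidString())) {
                throw new AttestationException("AAGUID is not 00000000-0000-0000-0000-000000000000!");
            }

            byte[] clientDataHash = Attestation.hash("SHA-256", bArr);
            Buffer signedData = Buffer.buffer()
                .appendByte((byte) 0) // reserved byte
                .appendBytes(authData.getRpIdHash())
                .appendBytes(clientDataHash)
                .appendBytes(authData.getCredentialId())
                .appendBytes(COSEECDHAtoPKCS(authData.getCredentialPublicKey()));

            // The attestation object comes from the client: reject missing fields with an
            // AttestationException instead of letting a NullPointerException escape.
            JsonObject attStmt = jsonObject.getJsonObject("attStmt");
            if (attStmt == null) {
                throw new AttestationException("no attStmt in attestation object");
            }
            if (attStmt.getJsonArray("x5c") == null) {
                throw new AttestationException("no certificates in x5c field");
            }
            List<X509Certificate> certChain = Attestation.parseX5c(attStmt.getJsonArray("x5c"));
            if (certChain.isEmpty()) {
                throw new AttestationException("no certificates in x5c field");
            }
            String signature = attStmt.getString("sig");
            if (signature == null) {
                throw new AttestationException("no sig in attStmt");
            }

            CertificateHelper.checkValidity(certChain, webAuthnOptions.getRootCrls());
            // The leaf (first) certificate carries the attestation public key.
            Attestation.verifySignature(PublicKeyCredential.ES256, certChain.get(0), Codec.base64UrlDecode(signature), signedData.getBytes());

            return new AttestationCertificates()
                .setAlg(PublicKeyCredential.ES256)
                .setX5c(attStmt.getJsonArray("x5c"));
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            throw new AttestationException(e);
        }
    }

    /**
     * Converts a CBOR-encoded COSE EC2 public key into an uncompressed EC point
     * ({@code 0x04 || x || y}).
     *
     * <p>The decoder is closed on every path, including when decoding fails.
     *
     * @param bArr CBOR bytes of the credential public key
     * @return 65 bytes: the {@code 0x04} marker followed by the x and y coordinates
     * @throws DecodeException if the bytes are not a CBOR map, a coordinate is missing,
     *     or a coordinate is not 32 bytes long
     */
    private static byte[] COSEECDHAtoPKCS(byte[] bArr) {
        try (CBOR cbor = new CBOR(bArr)) {
            Object decoded = cbor.read();
            if (!(decoded instanceof JsonObject)) {
                throw new DecodeException("COSE key is not a CBOR map");
            }
            JsonObject coseKey = (JsonObject) decoded;
            // COSE EC2 key labels: -2 is the x coordinate, -3 is the y coordinate.
            byte[] x = decodeCoordinate(coseKey, "-2");
            byte[] y = decodeCoordinate(coseKey, "-3");
            return Buffer.buffer()
                .appendByte((byte) 4) // uncompressed point marker
                .appendBytes(x)
                .appendBytes(y)
                .getBytes();
        } catch (IOException e) {
            throw new DecodeException("Invalid CBOR message", e);
        }
    }

    /**
     * Reads one base64url-encoded coordinate from a decoded COSE key and checks its length.
     * A fixed length keeps the concatenated signed data unambiguous.
     */
    private static byte[] decodeCoordinate(JsonObject coseKey, String label) {
        String encoded = coseKey.getString(label);
        if (encoded == null) {
            throw new DecodeException("COSE key is missing coordinate " + label);
        }
        byte[] coordinate = Codec.base64UrlDecode(encoded);
        if (coordinate.length != P256_COORDINATE_LENGTH) {
            throw new DecodeException("COSE key coordinate " + label + " is not " + P256_COORDINATE_LENGTH + " bytes");
        }
        return coordinate;
    }
}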
