package pro.javacard.fido2.common;

import com.fasterxml.jackson.databind.node.ObjectNode;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:pro/javacard/fido2/common/AttestationVerifier.class */
public class AttestationVerifier {
    private static final Logger logger = LoggerFactory.getLogger(AttestationVerifier.class);

    static boolean valid(byte[] bArr, byte[] bArr2, X509Certificate x509Certificate) throws GeneralSecurityException {
        return valid(bArr, bArr2, x509Certificate.getPublicKey());
    }

    static boolean valid(byte[] bArr, byte[] bArr2, PublicKey publicKey) throws GeneralSecurityException {
        logger.debug("Signature: {}", Hex.toHexString(bArr));
        Signature signature = Signature.getInstance("SHA256withECDSA");
        signature.initVerify(publicKey);
        signature.update(bArr2);
        if (!signature.verify(bArr)) {
            throw new GeneralSecurityException("Attestation verification failed");
        }
        logger.info("Attestation signature verified");
        return true;
    }

    public static void dumpAttestation(MakeCredentialCommand makeCredentialCommand, ObjectNode objectNode) {
        try {
            if (objectNode.get("fmt").asText().equals("fido-u2f")) {
                X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(objectNode.get("attStmt").get("x5c").get(0).binaryValue()));
                logger.info("Attestation: " + x509Certificate.getSubjectX500Principal() + " by " + x509Certificate.getIssuerX500Principal());
                valid(objectNode.get("attStmt").get("sig").binaryValue(), attestation_dtbs(makeCredentialCommand, objectNode), x509Certificate);
            } else if (objectNode.get("fmt").asText().equals("packed")) {
                if (objectNode.get("attStmt").has("x5c")) {
                    X509Certificate x509Certificate2 = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(objectNode.get("attStmt").get("x5c").get(0).binaryValue()));
                    logger.info("Attestation: " + x509Certificate2.getSubjectX500Principal() + " by " + x509Certificate2.getIssuerX500Principal());
                    valid(objectNode.get("attStmt").get("sig").binaryValue(), attestation_dtbs(makeCredentialCommand, objectNode), x509Certificate2);
                } else {
                    logger.info("self-attestation");
                    valid(objectNode.get("attStmt").get("sig").binaryValue(), attestation_dtbs(makeCredentialCommand, objectNode), AuthenticatorData.fromBytes(objectNode.get("authData").binaryValue()).getAttestation().getPublicKey());
                }
            }
        } catch (IOException | GeneralSecurityException e) {
            logger.error("Failed to parse/verify attestation: " + e.getMessage(), e);
        }
    }

    static byte[] attestation_dtbs(MakeCredentialCommand makeCredentialCommand, ObjectNode objectNode) {
        try {
            if (!objectNode.get("fmt").asText().equals("fido-u2f")) {
                if (!objectNode.get("fmt").asText().equals("packed")) {
                    throw new IllegalStateException("Unsupported attestation format: " + objectNode.get("fmt").asText());
                }
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                byteArrayOutputStream.write(objectNode.get("authData").binaryValue());
                byteArrayOutputStream.write(makeCredentialCommand.clientDataHash);
                return byteArrayOutputStream.toByteArray();
            }
            AuthenticatorData fromBytes = AuthenticatorData.fromBytes(objectNode.get("authData").binaryValue());
            ByteArrayOutputStream byteArrayOutputStream2 = new ByteArrayOutputStream();
            byteArrayOutputStream2.write(0);
            byteArrayOutputStream2.write(fromBytes.rpIdHash);
            byteArrayOutputStream2.write(makeCredentialCommand.clientDataHash);
            byteArrayOutputStream2.write(fromBytes.getAttestation().getCredentialID());
            byteArrayOutputStream2.write(P256.pubkey2uncompressed((ECPublicKey) fromBytes.getAttestation().getPublicKey()));
            return byteArrayOutputStream2.toByteArray();
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
}
