package com.webauthn4j.metadata;

import com.webauthn4j.converter.util.JsonConverter;
import com.webauthn4j.converter.util.ObjectConverter;
import com.webauthn4j.data.attestation.authenticator.AAGUID;
import com.webauthn4j.data.jws.JWS;
import com.webauthn4j.data.jws.JWSFactory;
import com.webauthn4j.metadata.data.MetadataItem;
import com.webauthn4j.metadata.data.MetadataItemImpl;
import com.webauthn4j.metadata.data.statement.MetadataStatement;
import com.webauthn4j.metadata.data.toc.MetadataTOCPayload;
import com.webauthn4j.metadata.data.toc.MetadataTOCPayloadEntry;
import com.webauthn4j.metadata.exception.MDSException;
import com.webauthn4j.metadata.validator.MetadataStatementValidator;
import com.webauthn4j.util.Base64UrlUtil;
import com.webauthn4j.util.CertificateUtil;
import com.webauthn4j.util.MessageDigestUtil;
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.InvalidAlgorithmParameterException;
import java.security.MessageDigest;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/webauthn4j/metadata/FidoMdsMetadataItemsProvider.class */
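/**
 * {@link MetadataItemsProvider} that downloads authenticator metadata from the FIDO Metadata
 * Service (MDS) and caches it keyed by {@link AAGUID}.
 *
 * <p>Trust model as implemented here: the metadata TOC is a JWS whose signature is checked and
 * whose {@code x5c} chain is PKIX-validated (revocation checking enabled) against the configured
 * root certificate; every metadata statement referenced by the TOC is accepted only if the
 * SHA-256 hash of the downloaded content matches the hash carried in the signed TOC entry.
 * An optional MDS access token is appended to every request URL as a {@code token} query
 * parameter, so request URLs should be treated as sensitive when logged.
 *
 * <p>This class is not synchronized: concurrent callers of {@link #provide()} may trigger
 * concurrent refreshes.
 */
public class FidoMdsMetadataItemsProvider implements MetadataItemsProvider {
    private static final String DEFAULT_FIDO_METADATA_SERVICE_ENDPOINT = "https://mds2.fidoalliance.org/";
    private static final String EMBEDDED_ROOT_CERTIFICATE_RESOURCE = "metadata/certs/FIDOMetadataService.cer";
    private static final Logger logger = LoggerFactory.getLogger(FidoMdsMetadataItemsProvider.class);

    // Cache state. All three fields are written together at the end of a successful refresh(),
    // so nextUpdate/lastRefresh are non-null whenever cachedMetadataItemMap is.
    Map<AAGUID, Set<MetadataItem>> cachedMetadataItemMap;
    OffsetDateTime nextUpdate;
    OffsetDateTime lastRefresh;

    private final JsonConverter jsonConverter;
    private final JWSFactory jwsFactory;
    private final String token;
    private final HttpClient httpClient;
    private final TrustAnchor trustAnchor;
    private final MetadataStatementValidator metadataStatementValidator;
    private String fidoMetadataServiceEndpoint = DEFAULT_FIDO_METADATA_SERVICE_ENDPOINT;

    /**
     * Creates a provider with an explicit root certificate.
     *
     * @param objectConverter converter used for JSON and JWS handling
     * @param token           MDS access token appended to request URLs, or {@code null} for none
     * @param httpClient      client used to fetch the TOC and the metadata statements
     * @param rootCertificate root certificate the TOC signing chain must validate against
     * @throws NullPointerException if {@code objectConverter}, {@code httpClient} or
     *                              {@code rootCertificate} is {@code null}
     */
    public FidoMdsMetadataItemsProvider(ObjectConverter objectConverter, String token, HttpClient httpClient, X509Certificate rootCertificate) {
        Objects.requireNonNull(objectConverter, "objectConverter");
        this.jsonConverter = objectConverter.getJsonConverter();
        this.jwsFactory = new JWSFactory(objectConverter);
        this.token = token;
        this.httpClient = Objects.requireNonNull(httpClient, "httpClient");
        // TrustAnchor rejects a null certificate itself; no name constraints are applied.
        this.trustAnchor = new TrustAnchor(rootCertificate, null);
        this.metadataStatementValidator = new MetadataStatementValidator();
    }

    /**
     * Creates a provider whose root certificate is read from a DER/PEM file on disk.
     *
     * @param objectConverter converter used for JSON and JWS handling
     * @param token           MDS access token, or {@code null} for none
     * @param httpClient      client used to fetch the TOC and the metadata statements
     * @param rootCertificatePath path of the root certificate file
     * @throws UncheckedIOException if the file cannot be read
     */
    public FidoMdsMetadataItemsProvider(ObjectConverter objectConverter, String token, HttpClient httpClient, Path rootCertificatePath) {
        this(objectConverter, token, httpClient, loadRootCertificateFromPath(rootCertificatePath));
    }

    /**
     * Creates a provider using the FIDO MDS root certificate bundled with this library.
     *
     * @param objectConverter converter used for JSON and JWS handling
     * @param token           MDS access token, or {@code null} for none
     * @param httpClient      client used to fetch the TOC and the metadata statements
     */
    public FidoMdsMetadataItemsProvider(ObjectConverter objectConverter, String token, HttpClient httpClient) {
        this(objectConverter, token, httpClient, loadEmbeddedFidoMdsRootCertificate());
    }

    /**
     * Creates a provider using a {@link SimpleHttpClient} and the bundled root certificate.
     *
     * @param objectConverter converter used for JSON and JWS handling
     * @param token           MDS access token, or {@code null} for none
     */
    public FidoMdsMetadataItemsProvider(ObjectConverter objectConverter, String token) {
        this(objectConverter, token, new SimpleHttpClient(), loadEmbeddedFidoMdsRootCertificate());
    }

    /** Token-less variant of the explicit-root-certificate constructor. */
    public FidoMdsMetadataItemsProvider(ObjectConverter objectConverter, HttpClient httpClient, X509Certificate rootCertificate) {
        this(objectConverter, (String) null, httpClient, rootCertificate);
    }

    /** Token-less variant of the certificate-file constructor. */
    public FidoMdsMetadataItemsProvider(ObjectConverter objectConverter, HttpClient httpClient, Path rootCertificatePath) {
        this(objectConverter, (String) null, httpClient, rootCertificatePath);
    }

    /** Token-less variant using the bundled root certificate. */
    public FidoMdsMetadataItemsProvider(ObjectConverter objectConverter, HttpClient httpClient) {
        this(objectConverter, (String) null, httpClient);
    }

    /** Token-less variant using a {@link SimpleHttpClient} and the bundled root certificate. */
    public FidoMdsMetadataItemsProvider(ObjectConverter objectConverter) {
        this(objectConverter, (String) null);
    }

    /**
     * Reads an X.509 certificate from a file.
     *
     * @param path certificate file
     * @return the parsed certificate
     * @throws UncheckedIOException if the file cannot be opened or closed
     */
    private static X509Certificate loadRootCertificateFromPath(Path path) {
        // try-with-resources so the file handle is released even when parsing fails.
        try (InputStream in = Files.newInputStream(path)) {
            return CertificateUtil.generateX509Certificate(in);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Loads the FIDO MDS root certificate shipped as a classpath resource.
     *
     * @return the bundled root certificate
     * @throws IllegalStateException if the resource is missing from the classpath
     * @throws UncheckedIOException  if the resource stream cannot be closed
     */
    private static X509Certificate loadEmbeddedFidoMdsRootCertificate() {
        try (InputStream in = FidoMdsMetadataItemsProvider.class.getClassLoader().getResourceAsStream(EMBEDDED_ROOT_CERTIFICATE_RESOURCE)) {
            if (in == null) {
                // Fail with a clear message instead of an opaque failure deep inside certificate parsing.
                throw new IllegalStateException("Embedded FIDO MDS root certificate not found on classpath: " + EMBEDDED_ROOT_CERTIFICATE_RESOURCE);
            }
            return CertificateUtil.generateX509Certificate(in);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Appends the MDS access token to a URL as a {@code token} query parameter.
     *
     * @param url   request URL; must not be {@code null}
     * @param token access token, or {@code null} to return {@code url} unchanged
     * @return {@code url} with {@code token=<token>} added to (or appended to) its query string
     * @throws IllegalArgumentException if {@code url} is {@code null} or not a valid URI
     */
    static String appendToken(String url, String token) {
        if (url == null) {
            throw new IllegalArgumentException("url must not be null.");
        }
        if (token == null) {
            return url;
        }
        try {
            URI uri = new URI(url);
            String existingQuery = uri.getQuery();
            String tokenParam = "token=" + token;
            String newQuery = existingQuery == null ? tokenParam : existingQuery + "&" + tokenParam;
            // The multi-argument URI constructor quotes characters that are illegal in a query
            // component, so a token containing such characters still round-trips intact.
            return new URI(uri.getScheme(), uri.getAuthority(), uri.getPath(), newQuery, uri.getFragment()).toString();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(String.format("Provided url %s is illegal.", url), e);
        }
    }

    /**
     * Returns the cached metadata, refreshing it from the MDS first when {@link #needsRefresh()}
     * says so.
     *
     * @return an unmodifiable view of the metadata items keyed by AAGUID
     * @throws MDSException if a refresh is needed and the TOC fails signature, certificate-path or
     *                      parsing checks
     */
    @Override // com.webauthn4j.metadata.MetadataItemsProvider
    public Map<AAGUID, Set<MetadataItem>> provide() {
        if (needsRefresh()) {
            refresh();
        }
        return this.cachedMetadataItemMap;
    }

    /** @return the MDS endpoint the TOC is fetched from */
    public String getFidoMetadataServiceEndpoint() {
        return this.fidoMetadataServiceEndpoint;
    }

    /**
     * Overrides the MDS endpoint the TOC is fetched from. Takes effect at the next refresh.
     *
     * @param fidoMetadataServiceEndpoint endpoint URL
     */
    public void setFidoMetadataServiceEndpoint(String fidoMetadataServiceEndpoint) {
        this.fidoMetadataServiceEndpoint = fidoMetadataServiceEndpoint;
    }

    /**
     * Fetches and validates the TOC, then fetches every referenced metadata statement and
     * rebuilds the cache. Entries whose statement cannot be fetched or fails its hash check are
     * logged and dropped; the rest of the refresh proceeds.
     *
     * @throws MDSException if the TOC itself fails validation
     */
    private void refresh() {
        MetadataTOCPayload tocPayload = fetchMetadataTOCPayload(false);
        Map<AAGUID, Set<MetadataItem>> itemMap = tocPayload.getEntries().parallelStream()
                .map(this::fetchMetadataItemOrNull)
                .filter(Objects::nonNull)
                .collect(Collectors.groupingBy(MetadataItem::getAaguid,
                        Collectors.collectingAndThen(Collectors.toSet(), Collections::unmodifiableSet)));
        OffsetDateTime newNextUpdate = tocPayload.getNextUpdate().atStartOfDay().atOffset(ZoneOffset.UTC);
        // Publish all cache fields only after everything above succeeded, so a failure leaves the
        // previous cache and its timestamps intact and needsRefresh() never sees a half-updated state.
        this.cachedMetadataItemMap = Collections.unmodifiableMap(itemMap);
        this.nextUpdate = newNextUpdate;
        this.lastRefresh = OffsetDateTime.now(ZoneOffset.UTC);
    }

    /**
     * Fetches a single metadata item, converting any runtime failure (network error, hash
     * mismatch, invalid statement) into a logged warning and a {@code null} result so that one
     * bad entry does not abort the whole refresh.
     *
     * @param entry TOC entry to resolve
     * @return the metadata item, or {@code null} if it could not be fetched or validated
     */
    private MetadataItem fetchMetadataItemOrNull(MetadataTOCPayloadEntry entry) {
        try {
            return fetchFidoMdsMetadataItem(entry);
        } catch (RuntimeException e) {
            logger.warn("Failed to fetch MetadataItem for MetadataTOCPayloadEntry", e);
            return null;
        }
    }

    /**
     * Decides whether the cache must be (re)built.
     *
     * @return {@code true} if nothing is cached yet, or the TOC's {@code nextUpdate} has passed and
     *         the last refresh is more than an hour old
     */
    boolean needsRefresh() {
        if (this.cachedMetadataItemMap == null) {
            return true;
        }
        OffsetDateTime now = OffsetDateTime.now(ZoneOffset.UTC);
        // Re-fetch once nextUpdate has passed, but at most once per hour, so a TOC that is
        // overdue on the server side does not turn every provide() call into a network round trip.
        return this.nextUpdate.isBefore(now) && this.lastRefresh.isBefore(now.minusHours(1L));
    }

    /**
     * Downloads the TOC JWS from the configured endpoint and validates it.
     *
     * @param skipCertPathValidation when {@code true}, only the JWS signature is verified and the
     *                               {@code x5c} chain is NOT validated against the trust anchor;
     *                               the TOC is then not anchored to the configured root
     * @return the TOC payload
     * @throws MDSException if the signature is invalid or (unless skipped) the certificate path
     *                      does not validate
     */
    MetadataTOCPayload fetchMetadataTOCPayload(boolean skipCertPathValidation) {
        String tocJws = this.httpClient.fetch(appendToken(this.fidoMetadataServiceEndpoint, this.token));
        JWS<MetadataTOCPayload> jws = this.jwsFactory.parse(tocJws, MetadataTOCPayload.class);
        if (!jws.isValidSignature()) {
            throw new MDSException("invalid signature");
        }
        if (!skipCertPathValidation) {
            validateCertPath(jws);
        }
        return (MetadataTOCPayload) jws.getPayload();
    }

    /**
     * Builds a {@link MetadataItem} for one TOC entry, fetching its metadata statement and
     * checking it against the hash recorded in the entry.
     *
     * @param entry TOC entry
     * @return the assembled metadata item
     * @throws MDSException if the statement's hash does not match the entry
     */
    private MetadataItem fetchFidoMdsMetadataItem(MetadataTOCPayloadEntry entry) {
        MetadataStatement statement = fetchMetadataStatement(entry.getUrl().toString(), Base64UrlUtil.decode(entry.getHash()));
        return new MetadataItemImpl(
                entry.getAaid(),
                new AAGUID(entry.getAaguid()),
                entry.getAttestationCertificateKeyIdentifiers(),
                entry.getHash(),
                entry.getStatusReports(),
                entry.getTimeOfLastStatusChange(),
                statement);
    }

    /**
     * PKIX-validates the TOC's {@code x5c} certificate chain against the configured trust anchor,
     * with revocation checking enabled.
     *
     * @param jws the parsed TOC JWS
     * @throws MDSException if the path does not validate or the validator rejects the parameters
     */
    private void validateCertPath(JWS<MetadataTOCPayload> jws) {
        Set<TrustAnchor> trustAnchors = Collections.singleton(this.trustAnchor);
        CertPath certPath = jws.getHeader().getX5c().createCertPath();
        CertPathValidator certPathValidator = CertificateUtil.createCertPathValidator();
        PKIXParameters pkixParameters = CertificateUtil.createPKIXParameters(trustAnchors);
        // Revocation checking stays in its default hard-fail mode (SOFT_FAIL is not set);
        // CRLs are preferred over OCSP.
        PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();
        revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
        pkixParameters.addCertPathChecker(revocationChecker);
        try {
            certPathValidator.validate(certPath, pkixParameters);
        } catch (InvalidAlgorithmParameterException e) {
            throw new MDSException("invalid algorithm parameter", e);
        } catch (CertPathValidatorException e) {
            throw new MDSException("invalid cert path", e);
        }
    }

    /**
     * Downloads a base64url-encoded metadata statement, checks its hash against the value from
     * the signed TOC, then decodes, parses and validates it.
     *
     * @param url          statement URL from the TOC entry
     * @param expectedHash SHA-256 hash from the TOC entry (already base64url-decoded)
     * @return the parsed and validated metadata statement
     * @throws MDSException if the hash of the downloaded content does not match
     *                      {@code expectedHash}
     */
    MetadataStatement fetchMetadataStatement(String url, byte[] expectedHash) {
        String encodedStatement = this.httpClient.fetch(appendToken(url, this.token));
        // The hash is taken over the content exactly as served (the base64url text), before
        // decoding. It is the only thing binding this download to the signed TOC, so a mismatch
        // is rejected before any parsing happens.
        byte[] actualHash = MessageDigestUtil.createSHA256().digest(encodedStatement.getBytes(StandardCharsets.UTF_8));
        if (!MessageDigest.isEqual(actualHash, expectedHash)) {
            throw new MDSException("Hash of metadataStatement doesn't match");
        }
        // Explicit UTF-8: the original relied on the platform default charset, which can corrupt
        // non-ASCII text in the statement on platforms with a different default.
        String json = new String(Base64UrlUtil.decode(encodedStatement), StandardCharsets.UTF_8);
        MetadataStatement metadataStatement = (MetadataStatement) this.jsonConverter.readValue(json, MetadataStatement.class);
        this.metadataStatementValidator.validate(metadataStatement);
        return metadataStatement;
    }
}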
