package com.webauthn4j.metadata;

import com.webauthn4j.converter.util.ObjectConverter;
import com.webauthn4j.metadata.data.MetadataBLOB;
import com.webauthn4j.metadata.data.MetadataBLOBFactory;
import com.webauthn4j.metadata.exception.MDSException;
import com.webauthn4j.util.CertificateUtil;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

/* loaded from: input_file:com/webauthn4j/metadata/FidoMDS3MetadataBLOBProvider.class */
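/**
 * {@link CachingMetadataBLOBProvider} that downloads the FIDO MDS3 metadata BLOB from an HTTP endpoint
 * and accepts it only if (1) its signature verifies and (2) the certificate chain carried in the BLOB
 * header ({@code x5c}) validates against the configured trust anchors.
 * <p>
 * Trust decisions hinge entirely on {@code trustAnchors}: the signature check alone only proves the BLOB
 * was signed by whatever key is in the header, so the chain validation is what ties that key back to the
 * FIDO Alliance root the operator chose to trust. Revocation checking is on by default and is fail-closed
 * (no {@code SOFT_FAIL}): if revocation status cannot be obtained, the BLOB is rejected.
 * <p>
 * Thread-safety: {@link #setRevocationCheckEnabled(boolean)} mutates a plain field; configure it before
 * the provider is shared between threads.
 */
public class FidoMDS3MetadataBLOBProvider extends CachingMetadataBLOBProvider {
    private static final String DEFAULT_BLOB_ENDPOINT = "https://mds.fidoalliance.org/";
    private final MetadataBLOBFactory metadataBLOBFactory;
    private final String blobEndpoint;
    private final HttpClient httpClient;
    /** Immutable snapshot of the caller-supplied anchors; see constructor note. */
    private final Set<TrustAnchor> trustAnchors;
    private boolean revocationCheckEnabled;

    /**
     * Primary constructor.
     *
     * @param objectConverter converter used to parse the downloaded BLOB
     * @param str             URL of the metadata BLOB endpoint
     * @param httpClient      client used to fetch the endpoint
     * @param set             trust anchors the BLOB's {@code x5c} chain must validate against
     * @throws NullPointerException     if any argument is {@code null}; previously a {@code null} endpoint
     *                                  or anchor set only surfaced on the first {@link #doProvide()} call
     * @throws IllegalArgumentException if {@code set} is empty — no chain could ever validate against it
     *                                  (the JDK's {@code PKIXParameters(Set)} rejects an empty anchor set),
     *                                  so fail at configuration time rather than at the first fetch
     */
    public FidoMDS3MetadataBLOBProvider(ObjectConverter objectConverter, String str, HttpClient httpClient, Set<TrustAnchor> set) {
        this.revocationCheckEnabled = true;
        this.metadataBLOBFactory = new MetadataBLOBFactory(Objects.requireNonNull(objectConverter, "objectConverter must not be null"));
        this.blobEndpoint = Objects.requireNonNull(str, "blobEndpoint must not be null");
        this.httpClient = Objects.requireNonNull(httpClient, "httpClient must not be null");
        Objects.requireNonNull(set, "trustAnchors must not be null");
        if (set.isEmpty()) {
            throw new IllegalArgumentException("trustAnchors must not be empty");
        }
        // Defensive copy: the anchors decide which signer is accepted, so a mutable set still held by the
        // caller must not be able to widen (or empty) that decision after construction.
        this.trustAnchors = Collections.unmodifiableSet(new HashSet<>(set));
    }

    /** As the primary constructor, using a {@link SimpleHttpClient}. */
    public FidoMDS3MetadataBLOBProvider(ObjectConverter objectConverter, String str, Set<TrustAnchor> set) {
        this(objectConverter, str, new SimpleHttpClient(), set);
    }

    /** As the primary constructor, trusting a single root certificate (no name constraints). */
    public FidoMDS3MetadataBLOBProvider(ObjectConverter objectConverter, String str, X509Certificate x509Certificate) {
        this(objectConverter, str, new SimpleHttpClient(), Collections.singleton(new TrustAnchor(x509Certificate, null)));
    }

    /** Fetches from the default FIDO Alliance endpoint with the given trust anchors. */
    public FidoMDS3MetadataBLOBProvider(ObjectConverter objectConverter, Set<TrustAnchor> set) {
        this(objectConverter, DEFAULT_BLOB_ENDPOINT, set);
    }

    /** Fetches from the default FIDO Alliance endpoint, trusting a single root certificate. */
    public FidoMDS3MetadataBLOBProvider(ObjectConverter objectConverter, X509Certificate x509Certificate) {
        this(objectConverter, DEFAULT_BLOB_ENDPOINT, (Set<TrustAnchor>) Collections.singleton(new TrustAnchor(x509Certificate, null)));
    }

    /**
     * Downloads and verifies the BLOB. Both checks must pass, in this order: signature first (cheap,
     * rejects garbage early), then chain validation of the header's {@code x5c} against the trust anchors.
     *
     * @return the verified BLOB
     * @throws MDSException if the signature is invalid or the certificate chain does not validate
     */
    @Override // com.webauthn4j.metadata.CachingMetadataBLOBProvider
    protected MetadataBLOB doProvide() {
        MetadataBLOB blob = this.metadataBLOBFactory.parse(this.httpClient.fetch(this.blobEndpoint));
        if (!blob.isValidSignature()) {
            throw new MDSException("MetadataBLOB signature is invalid");
        }
        // A valid signature only says "signed by the key in the header"; this step anchors that key.
        validateCertPath(blob);
        return blob;
    }

    /**
     * PKIX-validates the BLOB header's certificate chain against {@link #trustAnchors}.
     * <p>
     * When revocation checking is enabled a {@link PKIXRevocationChecker} preferring CRLs is installed.
     * No {@code SOFT_FAIL} option is set, so an unreachable CRL/OCSP source causes validation to fail
     * rather than be silently skipped. (Once a {@code PKIXRevocationChecker} is added, the JDK ignores
     * the parameters' {@code revocationEnabled} flag; it is still set for clarity in the disabled case.)
     *
     * @param metadataBLOB the parsed BLOB whose {@code x5c} header is to be validated
     * @throws MDSException wrapping the underlying validator exception on any failure
     */
    private void validateCertPath(MetadataBLOB metadataBLOB) {
        CertPath certPath = metadataBLOB.getHeader().getX5c();
        CertPathValidator validator = CertificateUtil.createCertPathValidator();
        PKIXParameters pkixParameters = CertificateUtil.createPKIXParameters(this.trustAnchors);
        pkixParameters.setRevocationEnabled(this.revocationCheckEnabled);
        if (this.revocationCheckEnabled) {
            PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) validator.getRevocationChecker();
            revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
            pkixParameters.addCertPathChecker(revocationChecker);
        }
        try {
            validator.validate(certPath, pkixParameters);
        } catch (InvalidAlgorithmParameterException e) {
            throw new MDSException("invalid algorithm parameter", e);
        } catch (CertPathValidatorException e) {
            throw new MDSException("invalid cert path", e);
        }
    }

    /** @return whether CRL/OCSP revocation checking is applied to the {@code x5c} chain (default {@code true}) */
    public boolean isRevocationCheckEnabled() {
        return this.revocationCheckEnabled;
    }

    /**
     * Enables or disables revocation checking. Disabling it means a revoked MDS signing certificate
     * would still be accepted; only do so deliberately (e.g. air-gapped environments with no CRL access).
     *
     * @param z {@code true} to check revocation, {@code false} to skip it
     */
    public void setRevocationCheckEnabled(boolean z) {
        this.revocationCheckEnabled = z;
    }
}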
