package com.webauthn4j.metadata.legacy;

import com.webauthn4j.converter.util.ObjectConverter;
import com.webauthn4j.data.AuthenticatorAttestationType;
import com.webauthn4j.data.attestation.authenticator.AAGUID;
import com.webauthn4j.data.attestation.statement.CertificateBaseAttestationStatement;
import com.webauthn4j.metadata.exception.BadStatusException;
import com.webauthn4j.metadata.legacy.data.MetadataItem;
import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.validator.CustomRegistrationValidator;
import com.webauthn4j.validator.RegistrationObject;
import com.webauthn4j.validator.exception.BadAttestationStatementException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

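/**
 * Registration-time check of an authenticator against FIDO Metadata Service (MDS) data.
 *
 * <p>For the AAGUID carried in the attested credential data, the metadata items returned by the
 * configured {@link MetadataItemsResolver} are used for two checks:
 * <ol>
 *   <li>an authenticator whose metadata declares only surrogate (self) attestation must not
 *       present an {@code x5c} certificate path;</li>
 *   <li>no status report of any resolved item may carry a status outside the accepted list
 *       (see {@link #doAdditionalValidationForFidoMdsMetadataItem(MetadataItem)}).</li>
 * </ol>
 *
 * <p><b>Caveat:</b> when the resolver returns no items for an AAGUID, both checks are vacuous and
 * {@link #validate(RegistrationObject)} returns normally. This class therefore does not, by
 * itself, reject authenticators that are unknown to the metadata source; a deployment that
 * requires an allow-list has to enforce it elsewhere.
 *
 * <p>The class is marked {@code @Deprecated}; its replacement is not visible in this file.
 */
@Deprecated
/* loaded from: input_file:com/webauthn4j/metadata/legacy/FidoMdsMetadataValidator.class */
public class FidoMdsMetadataValidator implements CustomRegistrationValidator {
    private final MetadataItemsResolver metadataItemsResolver;

    /**
     * Creates a validator backed by the given resolver.
     *
     * @param metadataItemsResolver source of metadata items per AAGUID; must not be null
     */
    public FidoMdsMetadataValidator(MetadataItemsResolver metadataItemsResolver) {
        // Fail at construction time instead of with a NullPointerException on the first validate().
        AssertUtil.notNull(metadataItemsResolver, "metadataItemsResolver must not be null");
        this.metadataItemsResolver = metadataItemsResolver;
    }

    /**
     * Creates a validator that resolves metadata through a {@link FidoMdsMetadataItemsProvider}.
     *
     * @param objectConverter converter handed to the provider
     * @param str             metadata service endpoint; passed to the provider as-is, no
     *                        scheme or host validation happens in this class
     * @param x509Certificate certificate handed to the provider; presumably the trust anchor
     *                        used to verify the metadata service response (confirm against
     *                        {@link FidoMdsMetadataItemsProvider})
     */
    public FidoMdsMetadataValidator(ObjectConverter objectConverter, String str, X509Certificate x509Certificate) {
        FidoMdsMetadataItemsProvider provider = new FidoMdsMetadataItemsProvider(objectConverter, x509Certificate);
        provider.setFidoMetadataServiceEndpoint(str);
        this.metadataItemsResolver = new MetadataItemsResolverImpl(provider);
    }

    /**
     * Same as {@link #FidoMdsMetadataValidator(ObjectConverter, String, X509Certificate)} with a
     * default-constructed {@link ObjectConverter}.
     *
     * @param str             metadata service endpoint
     * @param x509Certificate certificate handed to the provider
     */
    public FidoMdsMetadataValidator(String str, X509Certificate x509Certificate) {
        this(new ObjectConverter(), str, x509Certificate);
    }

    /**
     * Validates the registration against the metadata resolved for its AAGUID.
     *
     * <p>Returns normally when no metadata item is resolved for the AAGUID (see the class-level
     * caveat).
     *
     * @param registrationObject registration under validation; its authenticator data and
     *                           attested credential data must be present
     * @throws BadAttestationStatementException if every attestation type declared in the resolved
     *                                          metadata is {@code BASIC_SURROGATE} and the
     *                                          attestation statement nevertheless carries
     *                                          {@code x5c}
     * @throws BadStatusException               if a status report of a resolved item has a status
     *                                          that is not on the accepted list
     */
    @Override
    public void validate(RegistrationObject registrationObject) {
        AssertUtil.notNull(registrationObject.getAttestationObject().getAuthenticatorData(), "authenticatorData must not be null");
        AssertUtil.notNull(registrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData(), "attestedCredentialData must not be null");
        AAGUID aaguid = registrationObject.getAttestationObject().getAuthenticatorData().getAttestedCredentialData().getAaguid();

        // Held as Object: the accessor's declared return type is not visible in this file, and
        // the instanceof below is what narrows it to a certificate-based statement.
        Object attestationStatement = registrationObject.getAttestationObject().getAttestationStatement();
        boolean carriesX5c = attestationStatement instanceof CertificateBaseAttestationStatement
                && ((CertificateBaseAttestationStatement) attestationStatement).getX5c() != null;

        Set<MetadataItem> metadataItems = this.metadataItemsResolver.resolve(aaguid);

        // Attestation types declared across all metadata items resolved for this AAGUID.
        List<AuthenticatorAttestationType> declaredTypes = metadataItems.stream()
                .flatMap(metadataItem -> metadataItem.getMetadataStatement().getAttestationTypes().stream())
                .collect(Collectors.toList());

        // The isEmpty() guard matters: allMatch() is true on an empty stream, which would turn
        // "no metadata" into "surrogate only" and reject certificate-based attestation.
        boolean surrogateOnly = !declaredTypes.isEmpty()
                && declaredTypes.stream().allMatch(AuthenticatorAttestationType.BASIC_SURROGATE::equals);

        if (surrogateOnly && carriesX5c) {
            throw new BadAttestationStatementException("Although AAGUID is registered for surrogate attestation in metadata, x5c contains certificates.");
        }

        for (MetadataItem metadataItem : metadataItems) {
            doAdditionalValidationForFidoMdsMetadataItem(metadataItem);
        }
    }

    /**
     * Rejects the authenticator if any status report of the item is not on the accepted list.
     *
     * <p>Every report returned by {@code getStatusReports()} is examined, not only the most
     * recent one, so a single compromise or revocation report is enough to reject. Statuses that
     * are not listed explicitly fall into {@code default} and are rejected as well (fail closed).
     * Note that {@code NOT_FIDO_CERTIFIED} and {@code SELF_ASSERTION_SUBMITTED} are accepted.
     *
     * @param metadataItem metadata item whose status reports are checked
     * @throws BadStatusException on the first status report with a non-accepted status
     */
    private void doAdditionalValidationForFidoMdsMetadataItem(MetadataItem metadataItem) {
        metadataItem.getStatusReports().forEach(statusReport -> {
            switch (statusReport.getStatus()) {
                case FIDO_CERTIFIED:
                case FIDO_CERTIFIED_L1:
                case FIDO_CERTIFIED_L1_PLUS:
                case FIDO_CERTIFIED_L2:
                case FIDO_CERTIFIED_L2_PLUS:
                case FIDO_CERTIFIED_L3:
                case FIDO_CERTIFIED_L3_PLUS:
                case UPDATE_AVAILABLE:
                case NOT_FIDO_CERTIFIED:
                case SELF_ASSERTION_SUBMITTED:
                    // Accepted status: leaves the lambda for this report only; the remaining
                    // reports are still checked.
                    return;
                // The labels below are listed for readability; they share the default branch.
                case ATTESTATION_KEY_COMPROMISE:
                case USER_VERIFICATION_BYPASS:
                case USER_KEY_REMOTE_COMPROMISE:
                case USER_KEY_PHYSICAL_COMPROMISE:
                case REVOKED:
                default:
                    throw new BadStatusException(String.format("FIDO Metadata Service reported `%s` for this authenticator.", statusReport.getStatus()));
            }
        });
    }
}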
