package com.webauthn4j.metadata;

import com.webauthn4j.metadata.data.FidoMdsMetadataItem;
import com.webauthn4j.metadata.data.MetadataItem;
import com.webauthn4j.metadata.data.statement.AttestationType;
import com.webauthn4j.response.attestation.authenticator.AAGUID;
import com.webauthn4j.response.attestation.statement.CertificateBaseAttestationStatement;
import com.webauthn4j.util.WIP;
import com.webauthn4j.validator.attestation.trustworthiness.certpath.CertPathTrustworthinessValidatorBase;
import com.webauthn4j.validator.exception.BadAttestationStatementException;
import com.webauthn4j.validator.exception.CertificateException;
import java.security.cert.TrustAnchor;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

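/**
 * Certificate-path trustworthiness validator that takes both its trust anchors and its
 * authenticator status information from the metadata items resolved for an AAGUID.
 *
 * <p>Before delegating to the base class, {@link #validate} applies two metadata-driven checks:
 * a surrogate (self) attestation consistency check, and a status-report check for items that
 * are {@link FidoMdsMetadataItem}s.
 *
 * <p>The class is annotated {@code @WIP}.
 *
 * <p>NOTE(review): {@link #validate} and {@link #resolveTrustAnchors} each query the resolver
 * separately. If the base class calls {@code resolveTrustAnchors} from {@code validate}
 * (presumably; not visible here) and the resolver's data can change between calls, the status
 * check and the trust anchors may come from different metadata snapshots. Confirm against the
 * resolver implementation.
 *
 * @param <T> concrete metadata item type supplied by the resolver
 */
@WIP
/* loaded from: input_file:com/webauthn4j/metadata/MetadataItemsCertPathTrustworthinessValidator.class */
public class MetadataItemsCertPathTrustworthinessValidator<T extends MetadataItem> extends CertPathTrustworthinessValidatorBase {
    // Assigned once in the constructor; final so the trust source cannot be swapped afterwards.
    private final MetadataItemsResolver<T> metadataItemsResolver;

    /**
     * Creates a validator backed by the given resolver.
     *
     * @param metadataItemsResolver source of metadata items, looked up by AAGUID
     */
    public MetadataItemsCertPathTrustworthinessValidator(MetadataItemsResolver<T> metadataItemsResolver) {
        this.metadataItemsResolver = metadataItemsResolver;
    }

    /**
     * Validates an attestation statement against the metadata registered for the AAGUID, then
     * delegates to the base class validation.
     *
     * <p>NOTE(review): when the resolver returns no items for the AAGUID, neither check below
     * rejects anything. The outcome then rests entirely on {@code super.validate}; confirm that
     * it fails closed for an unknown AAGUID.
     *
     * @param aaguid AAGUID used to look up metadata items
     * @param certificateBaseAttestationStatement attestation statement under validation
     * @throws BadAttestationStatementException if every declared attestation type is
     *     {@code ATTESTATION_BASIC_SURROGATE} but the statement carries an x5c
     * @throws CertificateException (the webauthn4j type, not {@code java.security.cert}) if a
     *     FIDO MDS status report carries a status outside the accepted list
     */
    public void validate(AAGUID aaguid, CertificateBaseAttestationStatement certificateBaseAttestationStatement) {
        Set<T> metadataItems = this.metadataItemsResolver.resolve(aaguid);

        // Attestation types declared across every metadata item resolved for this AAGUID.
        List<AttestationType> attestationTypes = metadataItems.stream()
                .flatMap(metadataItem -> metadataItem.getMetadataStatement().getAttestationTypes().stream())
                .collect(Collectors.toList());

        // Surrogate-only means at least one type is declared and all of them are surrogate.
        // An empty list is deliberately NOT treated as surrogate-only.
        boolean surrogateOnly = !attestationTypes.isEmpty()
                && attestationTypes.stream()
                        .allMatch(attestationType -> attestationType.equals(AttestationType.ATTESTATION_BASIC_SURROGATE));

        // A surrogate-only authenticator has no attestation certificate chain to present, so a
        // statement that carries one contradicts the metadata and is rejected.
        if (surrogateOnly && certificateBaseAttestationStatement.getX5c() != null) {
            throw new BadAttestationStatementException("Although aaguid is for surrogate attestation, x5c contains certificates");
        }

        // Status reports exist only on FIDO MDS items; other item types skip this check.
        for (T metadataItem : metadataItems) {
            if (metadataItem instanceof FidoMdsMetadataItem) {
                doAdditionalValidationForFidoMdsMetadataItem((FidoMdsMetadataItem) metadataItem);
            }
        }

        super.validate(aaguid, certificateBaseAttestationStatement);
    }

    /**
     * Rejects a FIDO MDS metadata item if any of its status reports carries a status outside
     * the accepted list.
     *
     * <p>Every status report on the item is inspected, not only the most recent one, so a
     * single compromise or revocation entry anywhere in the list causes rejection. Statuses
     * that are not listed in the switch fall through to {@code default} and are rejected too,
     * which keeps the check fail-closed when new status values are introduced.
     *
     * <p>NOTE(review): {@code NOT_FIDO_CERTIFIED}, {@code SELF_ASSERTION_SUBMITTED} and
     * {@code UPDATE_AVAILABLE} are accepted here. Confirm that this matches the relying
     * party's policy.
     *
     * @param fidoMdsMetadataItem item whose status reports are checked
     * @throws CertificateException if a status report carries a rejected status
     */
    private void doAdditionalValidationForFidoMdsMetadataItem(FidoMdsMetadataItem fidoMdsMetadataItem) {
        fidoMdsMetadataItem.getStatusReports().forEach(statusReport -> {
            switch (statusReport.getStatus()) {
                case FIDO_CERTIFIED:
                case FIDO_CERTIFIED_L1:
                case FIDO_CERTIFIED_L1_PLUS:
                case FIDO_CERTIFIED_L2:
                case FIDO_CERTIFIED_L2_PLUS:
                case FIDO_CERTIFIED_L3:
                case FIDO_CERTIFIED_L3_PLUS:
                case UPDATE_AVAILABLE:
                case NOT_FIDO_CERTIFIED:
                case SELF_ASSERTION_SUBMITTED:
                    // Accepted status: this only ends the lambda for the current report;
                    // the remaining reports are still examined.
                    return;
                case ATTESTATION_KEY_COMPROMISE:
                case USER_VERIFICATION_BYPASS:
                case USER_KEY_REMOTE_COMPROMISE:
                case USER_KEY_PHYSICAL_COMPROMISE:
                case REVOKED:
                default:
                    // The message says "error response", but the value reported is the
                    // authenticator status taken from the metadata item.
                    throw new CertificateException(String.format("error response from fidoMdsMetadataItem service: %s", statusReport.getStatus()));
            }
        });
    }

    /**
     * Builds the trust anchor set for an AAGUID from the attestation root certificates of
     * every metadata item the resolver returns for it.
     *
     * @param aaguid AAGUID used to look up metadata items
     * @return one {@link TrustAnchor} per attestation root certificate, without name
     *     constraints; empty when the resolver returns no items or no root certificates
     */
    protected Set<TrustAnchor> resolveTrustAnchors(AAGUID aaguid) {
        return this.metadataItemsResolver.resolve(aaguid).stream()
                .flatMap(metadataItem -> metadataItem.getMetadataStatement().getAttestationRootCertificates().stream())
                // null: no name constraints are attached to the anchor
                .map(x509Certificate -> new TrustAnchor(x509Certificate, null))
                .collect(Collectors.toSet());
    }
}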
