package com.yubico.fido.metadata;

import com.yubico.internal.util.CertificateParser;
import com.yubico.internal.util.OptionalUtil;
import com.yubico.webauthn.RegistrationResult;
import com.yubico.webauthn.attestation.AttestationTrustSource;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.exception.Base64UrlException;
import java.io.IOException;
import java.security.DigestException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import lombok.Generated;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:com/yubico/fido/metadata/FidoMetadataService.class
 */
/* loaded from: input_file:webauthn-server-attestation-2.4.0.jar:com/yubico/fido/metadata/FidoMetadataService.class */
/**
 * Attestation trust source backed by the entries of a FIDO Metadata Service BLOB payload.
 *
 * <p>At construction the payload entries are passed through a "prefilter" and then indexed by
 * attestation certificate key identifier and by AAGUID. Lookups select candidate entries from
 * those indexes and pass each candidate through a second, per-authenticator "filter".
 *
 * <p>Security-relevant behaviour visible in this class:
 *
 * <ul>
 *   <li>The builder defaults are {@link Filters#notRevoked()} (prefilter) and {@link
 *       Filters#noAttestationKeyCompromise()} (filter). The builder setters replace a default
 *       rather than adding to it.
 *   <li>{@link #findTrustRoots} turns certificate revocation checking off and accepts every
 *       policy node, so within this class the only revocation or compromise signals applied are
 *       the ones the two predicates take from the metadata status reports.
 *   <li>Nothing in this class verifies the BLOB itself; it consumes an already parsed payload.
 *       NOTE(review): presumably the BLOB signature is checked where the {@code MetadataBLOB} is
 *       obtained; confirm against the caller.
 * </ul>
 *
 * <p>This listing is decompiler output. Lambda parameter names such as {@code v0}, {@code v1},
 * {@code r1} and {@code l}, the raw types and the extra casts are decompiler artefacts; two of
 * them make the code as printed incorrect and are marked where they occur.
 */
public final class FidoMetadataService implements AttestationTrustSource {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(FidoMetadataService.class);
    // Prefiltered entries keyed by the attestation certificate key identifiers they list.
    private final HashMap<String, HashSet<MetadataBLOBPayloadEntry>> prefilteredEntriesByCertificateKeyIdentifier;
    // Prefiltered entries keyed by non-zero AAGUID.
    private final HashMap<AAGUID, HashSet<MetadataBLOBPayloadEntry>> prefilteredEntriesByAaguid;
    // Prefiltered entries that ended up in neither index above.
    private final HashSet<MetadataBLOBPayloadEntry> prefilteredUnindexedEntries;
    // Applied per lookup to every candidate entry together with the presented certificate chain.
    private final Predicate<Filters.AuthenticatorToBeFiltered> filter;
    // May be null (the builder default); handed unchanged to the trust roots result.
    private final CertStore certStore;

    /* JADX WARN: Classes with same name are omitted:
      input_file:com/yubico/fido/metadata/FidoMetadataService$FidoMetadataServiceBuilder.class
     */
    /* loaded from: input_file:webauthn-server-attestation-2.4.0.jar:com/yubico/fido/metadata/FidoMetadataService$FidoMetadataServiceBuilder.class */
    /**
     * Builder for {@link FidoMetadataService}. Obtained through {@link Step1}, which forces the
     * caller to supply the metadata BLOB before any optional setting.
     */
    public static class FidoMetadataServiceBuilder {

        @NonNull
        private final MetadataBLOBPayload blob;
        private Predicate<MetadataBLOBPayloadEntry> prefilter;
        private Predicate<Filters.AuthenticatorToBeFiltered> filter;
        private CertStore certStore;

        /* JADX WARN: Classes with same name are omitted:
          input_file:com/yubico/fido/metadata/FidoMetadataService$FidoMetadataServiceBuilder$Step1.class
         */
        /* loaded from: input_file:webauthn-server-attestation-2.4.0.jar:com/yubico/fido/metadata/FidoMetadataService$FidoMetadataServiceBuilder$Step1.class */
        /** First builder step: choose the metadata BLOB the service is built from. */
        public static class Step1 {
            /**
             * Uses the payload of the given BLOB.
             *
             * @param metadataBLOB the BLOB whose payload is used; only {@code getPayload()} is
             *     read here
             * @return a builder carrying the default prefilter and filter
             * @throws NullPointerException if {@code metadataBLOB} is null
             */
            public FidoMetadataServiceBuilder useBlob(@NonNull MetadataBLOB metadataBLOB) {
                if (metadataBLOB == null) {
                    throw new NullPointerException("blob is marked non-null but is null");
                }
                return useBlob(metadataBLOB.getPayload());
            }

            /**
             * Uses the given BLOB payload directly.
             *
             * @param metadataBLOBPayload the payload whose entries will be indexed
             * @return a builder carrying the default prefilter and filter
             * @throws NullPointerException if {@code metadataBLOBPayload} is null
             */
            public FidoMetadataServiceBuilder useBlob(@NonNull MetadataBLOBPayload metadataBLOBPayload) {
                if (metadataBLOBPayload == null) {
                    throw new NullPointerException("blobPayload is marked non-null but is null");
                }
                return new FidoMetadataServiceBuilder(metadataBLOBPayload);
            }
        }

        /**
         * Sets the predicate applied once, at construction, to every payload entry.
         *
         * <p>This replaces the default {@link Filters#notRevoked()} instead of adding to it. A
         * caller that still wants revoked entries excluded has to include that predicate itself,
         * for example through {@link Filters#allOf}.
         *
         * @param predicate the new prefilter
         * @return this builder
         * @throws NullPointerException if {@code predicate} is null
         */
        public FidoMetadataServiceBuilder prefilter(@NonNull Predicate<MetadataBLOBPayloadEntry> predicate) {
            if (predicate == null) {
                throw new NullPointerException("prefilter is marked non-null but is null");
            }
            this.prefilter = predicate;
            return this;
        }

        /**
         * Sets the predicate applied on each lookup to every candidate entry.
         *
         * <p>This replaces the default {@link Filters#noAttestationKeyCompromise()} instead of
         * adding to it. A caller that still wants compromised attestation keys rejected has to
         * include that predicate itself, for example through {@link Filters#allOf}.
         *
         * @param predicate the new filter
         * @return this builder
         * @throws NullPointerException if {@code predicate} is null
         */
        public FidoMetadataServiceBuilder filter(@NonNull Predicate<Filters.AuthenticatorToBeFiltered> predicate) {
            if (predicate == null) {
                throw new NullPointerException("filter is marked non-null but is null");
            }
            this.filter = predicate;
            return this;
        }

        /**
         * Sets the certificate store passed on with the trust roots.
         *
         * @param certStore the store to pass on
         * @return this builder
         * @throws NullPointerException if {@code certStore} is null
         */
        public FidoMetadataServiceBuilder certStore(@NonNull CertStore certStore) {
            if (certStore == null) {
                throw new NullPointerException("certStore is marked non-null but is null");
            }
            this.certStore = certStore;
            return this;
        }

        /**
         * Builds the service from the collected settings.
         *
         * <p>The body only invokes the private constructor, which declares no checked
         * exceptions, so the checked exceptions listed here are not raised by the code visible
         * in this listing.
         *
         * @return the configured service
         */
        public FidoMetadataService build() throws CertPathValidatorException, InvalidAlgorithmParameterException, Base64UrlException, DigestException, FidoMetadataDownloaderException, CertificateException, UnexpectedLegalHeader, IOException, NoSuchAlgorithmException, SignatureException, InvalidKeyException {
            return new FidoMetadataService(this.blob, this.prefilter, this.filter, this.certStore);
        }

        /**
         * Creates the builder with its defaults: revoked entries are prefiltered out, entries
         * with a matching attestation key compromise are filtered out, and no certificate store
         * is set.
         */
        @Generated
        private FidoMetadataServiceBuilder(@NonNull MetadataBLOBPayload metadataBLOBPayload) {
            this.prefilter = Filters.notRevoked();
            this.filter = Filters.noAttestationKeyCompromise();
            this.certStore = null;
            if (metadataBLOBPayload == null) {
                throw new NullPointerException("blob is marked non-null but is null");
            }
            this.blob = metadataBLOBPayload;
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:com/yubico/fido/metadata/FidoMetadataService$Filters.class
     */
    /* loaded from: input_file:webauthn-server-attestation-2.4.0.jar:com/yubico/fido/metadata/FidoMetadataService$Filters.class */
    /** Ready-made predicates for the builder's {@code prefilter} and {@code filter} settings. */
    public static class Filters {

        /* JADX WARN: Classes with same name are omitted:
          input_file:com/yubico/fido/metadata/FidoMetadataService$Filters$AuthenticatorToBeFiltered.class
         */
        /* loaded from: input_file:webauthn-server-attestation-2.4.0.jar:com/yubico/fido/metadata/FidoMetadataService$Filters$AuthenticatorToBeFiltered.class */
        /**
         * What the runtime filter is given for each candidate: the presented attestation
         * certificate chain, the candidate metadata entry and, when known, the AAGUID.
         */
        public static final class AuthenticatorToBeFiltered {

            @NonNull
            private final List<X509Certificate> attestationCertificateChain;

            @NonNull
            private final MetadataBLOBPayloadEntry metadataEntry;
            // Null when no AAGUID was supplied or found; exposed as an Optional.
            private final AAGUID aaguid;

            /** Returns the AAGUID, or an empty Optional when none is known. */
            public Optional<AAGUID> getAaguid() {
                return Optional.ofNullable(this.aaguid);
            }

            /** Returns the chain exactly as it was given to the constructor (no copy is made). */
            @NonNull
            @Generated
            public List<X509Certificate> getAttestationCertificateChain() {
                return this.attestationCertificateChain;
            }

            /** Returns the candidate metadata entry. */
            @NonNull
            @Generated
            public MetadataBLOBPayloadEntry getMetadataEntry() {
                return this.metadataEntry;
            }

            /** Generated equality over the certificate chain, the metadata entry and the AAGUID. */
            @Generated
            public boolean equals(Object obj) {
                if (obj == this) {
                    return true;
                }
                if (!(obj instanceof AuthenticatorToBeFiltered)) {
                    return false;
                }
                AuthenticatorToBeFiltered authenticatorToBeFiltered = (AuthenticatorToBeFiltered) obj;
                List<X509Certificate> attestationCertificateChain = getAttestationCertificateChain();
                List<X509Certificate> attestationCertificateChain2 = authenticatorToBeFiltered.getAttestationCertificateChain();
                if (attestationCertificateChain == null) {
                    if (attestationCertificateChain2 != null) {
                        return false;
                    }
                } else if (!attestationCertificateChain.equals(attestationCertificateChain2)) {
                    return false;
                }
                MetadataBLOBPayloadEntry metadataEntry = getMetadataEntry();
                MetadataBLOBPayloadEntry metadataEntry2 = authenticatorToBeFiltered.getMetadataEntry();
                if (metadataEntry == null) {
                    if (metadataEntry2 != null) {
                        return false;
                    }
                } else if (!metadataEntry.equals(metadataEntry2)) {
                    return false;
                }
                // getAaguid() wraps the field with Optional.ofNullable, so it is never null and
                // the null branch below is not reachable.
                Optional<AAGUID> aaguid = getAaguid();
                Optional<AAGUID> aaguid2 = authenticatorToBeFiltered.getAaguid();
                return aaguid == null ? aaguid2 == null : aaguid.equals(aaguid2);
            }

            /** Generated hash over the same three values that {@link #equals} compares. */
            @Generated
            public int hashCode() {
                List<X509Certificate> attestationCertificateChain = getAttestationCertificateChain();
                int hashCode = (1 * 59) + (attestationCertificateChain == null ? 43 : attestationCertificateChain.hashCode());
                MetadataBLOBPayloadEntry metadataEntry = getMetadataEntry();
                int hashCode2 = (hashCode * 59) + (metadataEntry == null ? 43 : metadataEntry.hashCode());
                Optional<AAGUID> aaguid = getAaguid();
                return (hashCode2 * 59) + (aaguid == null ? 43 : aaguid.hashCode());
            }

            /** Generated string form listing the chain, the metadata entry and the AAGUID. */
            @Generated
            public String toString() {
                return "FidoMetadataService.Filters.AuthenticatorToBeFiltered(attestationCertificateChain=" + getAttestationCertificateChain() + ", metadataEntry=" + getMetadataEntry() + ", aaguid=" + getAaguid() + ")";
            }

            /**
             * Stores the three values. The list reference is kept as given, so later changes to
             * a mutable list made by the caller are visible through the getter.
             *
             * @throws NullPointerException if the chain or the metadata entry is null
             */
            @Generated
            private AuthenticatorToBeFiltered(@NonNull List<X509Certificate> list, @NonNull MetadataBLOBPayloadEntry metadataBLOBPayloadEntry, AAGUID aaguid) {
                if (list == null) {
                    throw new NullPointerException("attestationCertificateChain is marked non-null but is null");
                }
                if (metadataBLOBPayloadEntry == null) {
                    throw new NullPointerException("metadataEntry is marked non-null but is null");
                }
                this.attestationCertificateChain = list;
                this.metadataEntry = metadataBLOBPayloadEntry;
                this.aaguid = aaguid;
            }
        }

        /**
         * Combines predicates so that a value is accepted only when every one of them accepts
         * it.
         *
         * <p>Called with no predicates, the result accepts everything, because {@code allMatch}
         * on an empty stream is true.
         *
         * @param predicateArr the predicates to combine
         * @return the combined predicate
         */
        @SafeVarargs
        public static <T> Predicate<T> allOf(Predicate<T>... predicateArr) {
            return obj -> {
                // NOTE(review): the (Object[]) cast looks like a decompiler artefact; with it
                // the inner lambda parameter is typed Object and predicate.test would not
                // compile as printed.
                return Stream.of((Object[]) predicateArr).allMatch(predicate -> {
                    return predicate.test(obj);
                });
            };
        }

        /**
         * Accepts a metadata entry only when none of its status reports has status {@code
         * REVOKED}. Every status report of the entry is inspected, not just one of them.
         *
         * @return the predicate; the builder uses it as the default prefilter
         */
        public static Predicate<MetadataBLOBPayloadEntry> notRevoked() {
            return metadataBLOBPayloadEntry -> {
                return metadataBLOBPayloadEntry.getStatusReports().stream().noneMatch(statusReport -> {
                    return AuthenticatorStatus.REVOKED.equals(statusReport.getStatus());
                });
            };
        }

        /**
         * Rejects an authenticator whose metadata entry reports an attestation key compromise
         * that applies to the presented chain.
         *
         * <p>For each status report with status {@code ATTESTATION_KEY_COMPROMISE}:
         *
         * <ul>
         *   <li>a report without a certificate rejects the authenticator whatever the chain
         *       contains, which is the fail-closed choice;
         *   <li>a report with a certificate rejects the authenticator when any certificate in
         *       the chain has the same encoded public key.
         * </ul>
         *
         * <p>The comparison is on public key bytes rather than on whole certificates, so a
         * different certificate issued for the same key is still rejected.
         *
         * @return the predicate; the builder uses it as the default filter
         */
        public static Predicate<AuthenticatorToBeFiltered> noAttestationKeyCompromise() {
            return authenticatorToBeFiltered -> {
                return authenticatorToBeFiltered.getMetadataEntry().getStatusReports().stream().filter(statusReport -> {
                    return AuthenticatorStatus.ATTESTATION_KEY_COMPROMISE.equals(statusReport.getStatus());
                }).noneMatch(statusReport2 -> {
                    return !statusReport2.getCertificate().isPresent() || authenticatorToBeFiltered.getAttestationCertificateChain().stream().anyMatch(x509Certificate -> {
                        return Arrays.equals(statusReport2.getCertificate().get().getPublicKey().getEncoded(), x509Certificate.getPublicKey().getEncoded());
                    });
                });
            };
        }
    }

    /**
     * Filters and indexes the payload entries.
     *
     * <p>Entries first pass {@link #ignoreInvalidUpdateAvailableAuthenticatorVersion} and then
     * the caller's prefilter. The survivors are indexed by certificate key identifier and by
     * AAGUID; those that land in neither index are kept in the unindexed set.
     *
     * @param metadataBLOBPayload the payload whose entries are indexed
     * @param predicate the prefilter, applied once here
     * @param predicate2 the runtime filter, stored and applied on lookups
     * @param certStore optional certificate store; may be null
     * @throws NullPointerException if the payload or either predicate is null
     */
    private FidoMetadataService(@NonNull MetadataBLOBPayload metadataBLOBPayload, @NonNull Predicate<MetadataBLOBPayloadEntry> predicate, @NonNull Predicate<Filters.AuthenticatorToBeFiltered> predicate2, CertStore certStore) {
        if (metadataBLOBPayload == null) {
            throw new NullPointerException("blob is marked non-null but is null");
        }
        if (predicate == null) {
            throw new NullPointerException("prefilter is marked non-null but is null");
        }
        if (predicate2 == null) {
            throw new NullPointerException("filter is marked non-null but is null");
        }
        List list = (List) metadataBLOBPayload.getEntries().stream().filter(FidoMetadataService::ignoreInvalidUpdateAvailableAuthenticatorVersion).filter(predicate).collect(Collectors.toList());
        this.prefilteredEntriesByCertificateKeyIdentifier = buildCkiMap(list);
        this.prefilteredEntriesByAaguid = buildAaguidMap(list);
        // Start from every prefiltered entry, then remove whatever either index already holds.
        this.prefilteredUnindexedEntries = new HashSet<>(list);
        Iterator<HashSet<MetadataBLOBPayloadEntry>> it = this.prefilteredEntriesByAaguid.values().iterator();
        while (it.hasNext()) {
            this.prefilteredUnindexedEntries.removeAll(it.next());
        }
        Iterator<HashSet<MetadataBLOBPayloadEntry>> it2 = this.prefilteredEntriesByCertificateKeyIdentifier.values().iterator();
        while (it2.hasNext()) {
            this.prefilteredUnindexedEntries.removeAll(it2.next());
        }
        this.filter = predicate2;
        this.certStore = certStore;
    }

    /**
     * Decides whether an entry is kept, based on its {@code UPDATE_AVAILABLE} status reports
     * and the authenticator version in its metadata statement.
     *
     * <p>An entry without a metadata statement is kept ({@code orElse(true)}). Otherwise it is
     * kept only when no {@code UPDATE_AVAILABLE} report satisfies the version comparison in the
     * innermost lambda; a report without an authenticator version never satisfies it.
     *
     * <p>NOTE(review): the decompiler gave both version lambdas the parameter name {@code l},
     * so the comparison as printed reads {@code l > l}, which can never be true and would not
     * compile because of the shadowing. Presumably the original compares the status report's
     * authenticator version with the metadata statement's; verify the operands and their order
     * against the upstream source before relying on this listing.
     *
     * @param metadataBLOBPayloadEntry the entry to examine
     * @return true when the entry should be kept
     */
    private static boolean ignoreInvalidUpdateAvailableAuthenticatorVersion(MetadataBLOBPayloadEntry metadataBLOBPayloadEntry) {
        return ((Boolean) metadataBLOBPayloadEntry.getMetadataStatement().map((v0) -> {
            return v0.getAuthenticatorVersion();
        }).map(l -> {
            return Boolean.valueOf(metadataBLOBPayloadEntry.getStatusReports().stream().filter(statusReport -> {
                return AuthenticatorStatus.UPDATE_AVAILABLE.equals(statusReport.getStatus());
            }).noneMatch(statusReport2 -> {
                return ((Boolean) statusReport2.getAuthenticatorVersion().map(l -> {
                    return Boolean.valueOf(l.longValue() > l.longValue());
                }).orElse(false)).booleanValue();
            }));
        }).orElse(true)).booleanValue();
    }

    /**
     * Indexes entries by attestation certificate key identifier.
     *
     * <p>An entry is filed under every key identifier listed on the entry itself and under
     * every key identifier listed in its metadata statement, when it has one.
     *
     * @param list the prefiltered entries
     * @return a map from key identifier to the entries listing it
     * @throws NullPointerException if {@code list} is null
     */
    private static HashMap<String, HashSet<MetadataBLOBPayloadEntry>> buildCkiMap(@NonNull List<MetadataBLOBPayloadEntry> list) {
        if (list == null) {
            throw new NullPointerException("entries is marked non-null but is null");
        }
        return (HashMap) list.stream().collect(HashMap::new, (hashMap, metadataBLOBPayloadEntry) -> {
            // Key identifiers listed on the payload entry.
            Iterator<String> it = metadataBLOBPayloadEntry.getAttestationCertificateKeyIdentifiers().iterator();
            while (it.hasNext()) {
                ((HashSet) hashMap.computeIfAbsent(it.next(), str -> {
                    return new HashSet();
                })).add(metadataBLOBPayloadEntry);
            }
            // Key identifiers listed in the metadata statement; none if there is no statement.
            Iterator it2 = ((Set) metadataBLOBPayloadEntry.getMetadataStatement().map((v0) -> {
                return v0.getAttestationCertificateKeyIdentifiers();
            }).orElseGet(Collections::emptySet)).iterator();
            while (it2.hasNext()) {
                ((HashSet) hashMap.computeIfAbsent((String) it2.next(), str2 -> {
                    return new HashSet();
                })).add(metadataBLOBPayloadEntry);
            }
        }, (hashMap2, hashMap3) -> {
            // Combiner: folds one partial map into another by uniting the sets under equal keys.
            for (Map.Entry entry : hashMap3.entrySet()) {
                hashMap2.merge((String) entry.getKey(), (HashSet) entry.getValue(), (hashSet, hashSet2) -> {
                    hashSet.addAll(hashSet2);
                    return hashSet;
                });
            }
        });
    }

    /**
     * Indexes entries by AAGUID.
     *
     * <p>An entry is filed under the AAGUID on the entry itself and under the AAGUID in its
     * metadata statement. An AAGUID for which {@code isZero()} is true is never used as a key.
     *
     * @param list the prefiltered entries
     * @return a map from AAGUID to the entries carrying it
     * @throws NullPointerException if {@code list} is null
     */
    private static HashMap<AAGUID, HashSet<MetadataBLOBPayloadEntry>> buildAaguidMap(@NonNull List<MetadataBLOBPayloadEntry> list) {
        if (list == null) {
            throw new NullPointerException("entries is marked non-null but is null");
        }
        return (HashMap) list.stream().collect(HashMap::new, (hashMap, metadataBLOBPayloadEntry) -> {
            // Files the current entry under the given AAGUID.
            // NOTE(review): the nested lambda reuses the name aaguid; decompiler artefact.
            Consumer<? super AAGUID> consumer = aaguid -> {
                ((HashSet) hashMap.computeIfAbsent(aaguid, aaguid -> {
                    return new HashSet();
                })).add(metadataBLOBPayloadEntry);
            };
            metadataBLOBPayloadEntry.getAaguid().filter(aaguid2 -> {
                return !aaguid2.isZero();
            }).ifPresent(consumer);
            metadataBLOBPayloadEntry.getMetadataStatement().flatMap((v0) -> {
                return v0.getAaguid();
            }).filter(aaguid3 -> {
                return !aaguid3.isZero();
            }).ifPresent(consumer);
        }, (hashMap2, hashMap3) -> {
            // Combiner: folds one partial map into another by uniting the sets under equal keys.
            for (Map.Entry entry : hashMap3.entrySet()) {
                hashMap2.merge((AAGUID) entry.getKey(), (HashSet) entry.getValue(), (hashSet, hashSet2) -> {
                    hashSet.addAll(hashSet2);
                    return hashSet;
                });
            }
        });
    }

    /** Starts the builder; the returned step requires a metadata BLOB before anything else. */
    public static FidoMetadataServiceBuilder.Step1 builder() {
        return new FidoMetadataServiceBuilder.Step1();
    }

    /**
     * Finds the metadata entries that match a certificate chain and/or an AAGUID and that pass
     * the runtime filter.
     *
     * <p>Candidates are the union of the entries indexed under the effective AAGUID and the
     * entries indexed under the subject key identifier of any certificate in the chain. The
     * effective AAGUID is the supplied one when it is present and non-zero; otherwise it is
     * read from the FIDO AAGUID extension of the first certificate in the chain, if there is
     * one.
     *
     * <p>This method only selects metadata entries. It does not validate the certificate
     * chain, and it does not consult the unindexed entries.
     *
     * @param list the attestation certificate chain; may be empty
     * @param optional the AAGUID, if known
     * @return the matching entries that pass the filter; possibly empty
     * @throws NullPointerException if either argument is null
     */
    public Set<MetadataBLOBPayloadEntry> findEntries(@NonNull List<X509Certificate> list, @NonNull Optional<AAGUID> optional) {
        if (list == null) {
            throw new NullPointerException("attestationCertificateChain is marked non-null but is null");
        }
        if (optional == null) {
            throw new NullPointerException("aaguid is marked non-null but is null");
        }
        // Hex subject key identifier of every certificate in the chain. Going by the error
        // message this is a SHA-1 digest; it serves as a lookup key into the index below.
        Set set = (Set) list.stream().map(x509Certificate -> {
            try {
                return new ByteArray(CertificateParser.computeSubjectKeyIdentifier(x509Certificate)).getHex();
            } catch (NoSuchAlgorithmException e) {
                throw new RuntimeException("SHA-1 hash algorithm is not available in JCA context.", e);
            }
        }).collect(Collectors.toSet());
        // An all-zero AAGUID counts as absent, in which case the certificate extension is tried.
        Optional orElseOptional = OptionalUtil.orElseOptional(optional.filter(aaguid -> {
            return !aaguid.isZero();
        }), () -> {
            log.debug("findEntries: attempting to look up AAGUID from certificate");
            return list.isEmpty() ? Optional.empty() : CertificateParser.parseFidoAaguidExtension((X509Certificate) list.get(0)).map(ByteArray::new).map(AAGUID::new);
        });
        log.debug("findEntries(certSubjectKeyIdentifiers = {}, aaguid = {}, nonzeroAaguid= {})", new Object[]{set, optional, orElseOptional});
        HashMap<AAGUID, HashSet<MetadataBLOBPayloadEntry>> hashMap = this.prefilteredEntriesByAaguid;
        Objects.requireNonNull(hashMap);
        // NOTE(review): r1 is not declared anywhere in this listing. Given the requireNonNull
        // just above, it presumably stands for hashMap (a bound method reference to its get);
        // confirm against the upstream source.
        Set<MetadataBLOBPayloadEntry> set2 = (Set) Stream.concat((Stream) orElseOptional.map((v1) -> {
            return r1.get(v1);
        }).map((v0) -> {
            return v0.stream();
        }).orElseGet(Stream::empty), set.stream().flatMap(str -> {
            return (Stream) Optional.ofNullable(this.prefilteredEntriesByCertificateKeyIdentifier.get(str)).map((v0) -> {
                return v0.stream();
            }).orElseGet(Stream::empty);
        })).filter(metadataBLOBPayloadEntry -> {
            // The runtime filter sees the full chain, the candidate entry and the effective
            // AAGUID (null when none was found).
            return this.filter.test(new Filters.AuthenticatorToBeFiltered(list, metadataBLOBPayloadEntry, (AAGUID) orElseOptional.orElse(null)));
        }).collect(Collectors.toSet());
        log.debug("findEntries(certSubjectKeyIdentifiers = {}, aaguid = {}) => {} matches", new Object[]{set, optional, Integer.valueOf(set2.size())});
        return set2;
    }

    /**
     * Finds entries for a certificate chain alone; the AAGUID is taken from the first
     * certificate's extension when it has one.
     *
     * @throws NullPointerException if {@code list} is null
     */
    public Set<MetadataBLOBPayloadEntry> findEntries(@NonNull List<X509Certificate> list) {
        if (list == null) {
            throw new NullPointerException("attestationCertificateChain is marked non-null but is null");
        }
        return findEntries(list, Optional.empty());
    }

    /**
     * Finds entries for a certificate chain and a known AAGUID.
     *
     * @throws NullPointerException if either argument is null
     */
    public Set<MetadataBLOBPayloadEntry> findEntries(@NonNull List<X509Certificate> list, @NonNull AAGUID aaguid) {
        if (list == null) {
            throw new NullPointerException("attestationCertificateChain is marked non-null but is null");
        }
        if (aaguid == null) {
            throw new NullPointerException("aaguid is marked non-null but is null");
        }
        return findEntries(list, Optional.of(aaguid));
    }

    /**
     * Finds entries for a completed registration, using its attestation trust path and AAGUID.
     * Returns an empty set when the registration result has no attestation trust path.
     *
     * @throws NullPointerException if {@code registrationResult} is null
     */
    public Set<MetadataBLOBPayloadEntry> findEntries(@NonNull RegistrationResult registrationResult) {
        if (registrationResult == null) {
            throw new NullPointerException("registrationResult is marked non-null but is null");
        }
        return (Set) registrationResult.getAttestationTrustPath().map(list -> {
            return findEntries((List<X509Certificate>) list, new AAGUID(registrationResult.getAaguid()));
        }).orElseGet(Collections::emptySet);
    }

    /**
     * Finds entries by AAGUID alone, with an empty certificate chain.
     *
     * @throws NullPointerException if {@code aaguid} is null
     */
    public Set<MetadataBLOBPayloadEntry> findEntries(@NonNull AAGUID aaguid) {
        if (aaguid == null) {
            throw new NullPointerException("aaguid is marked non-null but is null");
        }
        return findEntries(Collections.emptyList(), aaguid);
    }

    /**
     * Returns every prefiltered entry, indexed or not, that the given predicate accepts.
     *
     * <p>Only the argument predicate is applied here. The runtime filter configured on the
     * builder is not, so by default this overload does not apply the attestation key
     * compromise check that the chain-based lookups apply.
     *
     * @param predicate the predicate selecting entries
     * @return the accepted entries
     * @throws NullPointerException if {@code predicate} is null
     */
    public Set<MetadataBLOBPayloadEntry> findEntries(@NonNull Predicate<MetadataBLOBPayloadEntry> predicate) {
        if (predicate == null) {
            throw new NullPointerException("filter is marked non-null but is null");
        }
        return (Set) Stream.concat(Stream.concat(this.prefilteredEntriesByAaguid.values().stream().flatMap((v0) -> {
            return v0.stream();
        }), this.prefilteredEntriesByCertificateKeyIdentifier.values().stream().flatMap((v0) -> {
            return v0.stream();
        })), this.prefilteredUnindexedEntries.stream()).filter(predicate).collect(Collectors.toSet());
    }

    /**
     * Returns the attestation root certificates of every metadata entry that matches the chain
     * and AAGUID, together with the configured certificate store.
     *
     * <p>The result is built with revocation checking disabled and with a policy tree
     * validator that accepts every node. Within this class, revocation and key compromise are
     * therefore expressed only through the prefilter and filter; a deployment that replaced
     * the defaults of either one has no other such check coming from here.
     *
     * @param list the attestation certificate chain
     * @param optional the AAGUID bytes, if known
     * @return the trust roots result for the matching entries
     */
    @Override // com.yubico.webauthn.attestation.AttestationTrustSource
    public AttestationTrustSource.TrustRootsResult findTrustRoots(List<X509Certificate> list, Optional<ByteArray> optional) {
        return AttestationTrustSource.TrustRootsResult.builder().trustRoots((Set) findEntries(list, optional.map(AAGUID::new)).stream().map((v0) -> {
            return v0.getMetadataStatement();
        }).flatMap(OptionalUtil::stream).flatMap(metadataStatement -> {
            return metadataStatement.getAttestationRootCertificates().stream();
        }).collect(Collectors.toSet())).certStore(this.certStore).enableRevocationChecking(false).policyTreeValidator(policyNode -> {
            return true;
        }).build();
    }
}
