package org.wso2.carbon.identity.client.attestation.mgt.validators;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.cbor.CBORFactory;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.ClientAttestationMetaData;
import org.wso2.carbon.identity.client.attestation.mgt.exceptions.ClientAttestationMgtException;
import org.wso2.carbon.identity.client.attestation.mgt.internal.ClientAttestationMgtDataHolder;
import org.wso2.carbon.identity.client.attestation.mgt.model.ClientAttestationContext;
import org.wso2.carbon.identity.client.attestation.mgt.utils.Constants;

/* loaded from: input_file:org/wso2/carbon/identity/client/attestation/mgt/validators/AppleAttestationValidator.class */
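/**
 * Validates an Apple attestation object for an iOS client.
 *
 * <p>The attestation object is a base64-encoded CBOR map. Two checks are performed on it:
 * <ul>
 *   <li>the {@code x5c} chain inside the attestation statement must validate (PKIX) against the
 *       configured Apple attestation root certificate, and</li>
 *   <li>the first 32 bytes of {@code authData} (the RP ID hash) must equal SHA-256 of the
 *       application's configured Apple App ID.</li>
 * </ul>
 * Only those two properties are verified here; any other attestation fields are not inspected by
 * this class (NOTE(review): confirm whether further checks are expected to happen elsewhere).
 *
 * <p>Format problems in client-supplied data are reported through the
 * {@link ClientAttestationContext} (attested = false plus a failure message); server-side
 * configuration problems surface as {@link ClientAttestationMgtException}.
 */
public class AppleAttestationValidator implements ClientAttestationValidator {

    private static final Log LOG = LogFactory.getLog(AppleAttestationValidator.class);
    private static final String IOS = "IOS";
    /** Length of the RP ID hash that prefixes authData; it is a SHA-256 digest. */
    private static final int RP_ID_HASH_LENGTH = 32;
    /** Number of x5c entries used for path validation: the leaf followed by its issuer. */
    private static final int REQUIRED_X5C_ENTRIES = 2;
    private static final long MILLIS_PER_DAY = 86400000L;
    /** Remaining lifetime (in days) of the root certificate below which a warning is logged. */
    private static final long EXPIRY_WARNING_DAYS = 90L;
    // ObjectMapper is thread-safe once configured, so a shared instance avoids rebuilding it per call.
    private static final ObjectMapper CBOR_MAPPER = new ObjectMapper(new CBORFactory());
    private static final TypeReference<Map<String, Object>> ATTESTATION_OBJECT_TYPE =
            new TypeReference<Map<String, Object>>() { };

    private final String applicationResourceId;
    private final String tenantDomain;
    private final ClientAttestationMetaData clientAttestationMetaData;

    /**
     * Creates a validator bound to one application.
     *
     * @param str                       application resource id, used in failure messages
     * @param str2                      tenant domain, used in failure messages
     * @param clientAttestationMetaData metadata supplying the configured Apple App ID; may be null,
     *                                  in which case authData validation fails with "App Id is not configured"
     */
    public AppleAttestationValidator(String str, String str2, ClientAttestationMetaData clientAttestationMetaData) {
        this.applicationResourceId = str;
        this.tenantDomain = str2;
        this.clientAttestationMetaData = clientAttestationMetaData;
    }

    /**
     * Decodes the attestation object and marks the context attested only when both the attestation
     * statement and the authData checks pass.
     *
     * @param str                      base64-encoded CBOR attestation object supplied by the client
     * @param clientAttestationContext receives the outcome (attested flag and failure message)
     * @throws ClientAttestationMgtException if the object cannot be decoded, or a server-side
     *                                       configuration/algorithm problem prevents validation
     */
    @Override // org.wso2.carbon.identity.client.attestation.mgt.validators.ClientAttestationValidator
    public void validateAttestation(String str, ClientAttestationContext clientAttestationContext) throws ClientAttestationMgtException {
        Map<String, Object> attestationObject;
        try {
            // Both decode steps run on untrusted input: bad base64 throws IllegalArgumentException,
            // bad CBOR throws IOException. Keep the cause so the malformed object can be diagnosed.
            byte[] cbor = Base64.getDecoder().decode(StringUtils.isEmpty(str) ? "" : str);
            attestationObject = CBOR_MAPPER.readValue(cbor, ATTESTATION_OBJECT_TYPE);
        } catch (IllegalArgumentException | IOException e) {
            throw new ClientAttestationMgtException("Unable to validate attestation, cause Attestation object is not in expected statement : "
                    + this.applicationResourceId + " tenant domain : " + this.tenantDomain, e);
        }
        if (attestationObject == null) {
            // Empty input or a CBOR "null" decodes to null rather than failing; treat it as malformed.
            reject(clientAttestationContext, "Attestation statement validation failed. Attestation statement is not in expected format.");
            return;
        }
        if (verifyAppleAttestationStatement(attestationObject, clientAttestationContext)
                && verifyAppleAuthData(attestationObject, clientAttestationContext)) {
            clientAttestationContext.setAttested(true);
        }
    }

    /**
     * Validates the x5c certificate chain of the attestation statement against the configured Apple
     * attestation root certificate using PKIX path validation.
     *
     * <p>Only the first two x5c entries are used (leaf, then its issuer), matching the original
     * behaviour; any further entries are ignored (NOTE(review): confirm this matches the expected
     * x5c layout). Revocation checking is driven by the data holder flag; when it is enabled the
     * PKIX validator needs a source of revocation data (CRL/OCSP) or path validation fails —
     * confirm the deployment provides one.
     *
     * @param map                      decoded attestation object
     * @param clientAttestationContext receives the failure reason when validation does not pass
     * @return true if the chain validates; false (with context updated) otherwise
     * @throws ClientAttestationMgtException if the root certificate is not configured or the
     *                                       X.509/PKIX providers are unavailable
     */
    private boolean verifyAppleAttestationStatement(Map<String, Object> map, ClientAttestationContext clientAttestationContext) throws ClientAttestationMgtException {
        Object attStmt = map.get(Constants.ATT_STMT);
        if (!(attStmt instanceof Map)) {
            return reject(clientAttestationContext, "Attestation statement validation failed. Attestation statement is not in expected format.");
        }
        Object x5c = ((Map<?, ?>) attStmt).get(Constants.X5C);
        // Accept any List (not just ArrayList); require enough entries to build the leaf/issuer path.
        if (!(x5c instanceof List) || ((List<?>) x5c).size() < REQUIRED_X5C_ENTRIES) {
            return reject(clientAttestationContext, "Attestation statement validation failed. X5C is not in expected format.");
        }
        List<?> certChain = (List<?>) x5c;

        X509Certificate rootCertificate = ClientAttestationMgtDataHolder.getInstance().getAppleAttestationRootCertificate();
        if (rootCertificate == null) {
            throw new ClientAttestationMgtException("Unable to validate attestation, apple attestation root certificate is not found. ");
        }
        if (isCertificateExpiringSoon(rootCertificate)) {
            LOG.warn("Provided apple attestation root certificate is going to expire soon. Please add the latest certificate.");
        }

        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance(Constants.X_509_CERTIFICATE_TYPE);
            List<X509Certificate> pathCertificates = new ArrayList<>(REQUIRED_X5C_ENTRIES);
            for (int i = 0; i < REQUIRED_X5C_ENTRIES; i++) {
                Object entry = certChain.get(i);
                if (!(entry instanceof byte[])) {
                    return reject(clientAttestationContext, "Attestation statement validation failed. X5C is not in expected format.");
                }
                try {
                    pathCertificates.add((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream((byte[]) entry)));
                } catch (CertificateException e) {
                    // A certificate the client sent that does not parse is a client-side failure, not a server error.
                    return reject(clientAttestationContext, "Attestation statement validation failed. X5C is not in expected format.");
                }
            }
            CertPath certPath = certificateFactory.generateCertPath(pathCertificates);
            Set<TrustAnchor> trustAnchors = Collections.singleton(new TrustAnchor(rootCertificate, null));
            PKIXParameters pkixParameters = new PKIXParameters(trustAnchors);
            pkixParameters.setRevocationEnabled(ClientAttestationMgtDataHolder.getInstance().isAppleAttestationRevocationCheckEnabled());
            try {
                CertPathValidator.getInstance(Constants.PKIX).validate(certPath, pkixParameters);
                return true;
            } catch (CertPathValidatorException e) {
                return reject(clientAttestationContext, "Attestation statement validation failed. Certificate path validation failed for application : "
                        + this.applicationResourceId + " tenant domain : " + this.tenantDomain);
            }
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertificateException e) {
            // Reached only for provider/configuration problems (factory lookup, path generation, PKIX parameters).
            throw new ClientAttestationMgtException("Unable to validate attestation, due to exception while validating attestation statement ", e);
        }
    }

    /**
     * Checks that the RP ID hash at the start of authData equals SHA-256 of the configured Apple App ID.
     *
     * @param map                      decoded attestation object
     * @param clientAttestationContext receives the failure reason when validation does not pass
     * @return true if the hash matches; false (with context updated) otherwise
     * @throws ClientAttestationMgtException if SHA-256 is not available
     */
    private boolean verifyAppleAuthData(Map<String, Object> map, ClientAttestationContext clientAttestationContext) throws ClientAttestationMgtException {
        Object authData = map.get(Constants.AUTH_DATA);
        // Arrays.copyOfRange would silently zero-pad a short array, so require the full hash length up front.
        if (!(authData instanceof byte[]) || ((byte[]) authData).length < RP_ID_HASH_LENGTH) {
            return reject(clientAttestationContext, "Attestation Auth data validation failed. Auth data is not in expected format.");
        }
        String appleAppId = this.clientAttestationMetaData == null ? null : this.clientAttestationMetaData.getAppleAppId();
        if (StringUtils.isEmpty(appleAppId)) {
            return reject(clientAttestationContext, "Attestation Auth data validation failed. App Id is not configured for application: "
                    + this.applicationResourceId + " tenant: " + this.tenantDomain);
        }
        byte[] rpIdHash = Arrays.copyOfRange((byte[]) authData, 0, RP_ID_HASH_LENGTH);
        // Constant-time comparison so timing does not reveal how much of the hash matched.
        if (MessageDigest.isEqual(getSHA256Hash(appleAppId), rpIdHash)) {
            return true;
        }
        return reject(clientAttestationContext, "Attestation Auth data validation failed. Replying party Id is not matched with app ID for application: "
                + this.applicationResourceId + " tenant: " + this.tenantDomain);
    }

    /**
     * Records a validation failure on the context.
     *
     * @param clientAttestationContext context to update
     * @param message                  failure message to store
     * @return always false, so callers can {@code return reject(...)}
     */
    private static boolean reject(ClientAttestationContext clientAttestationContext, String message) {
        clientAttestationContext.setAttested(false);
        clientAttestationContext.setValidationFailureMessage(message);
        return false;
    }

    /**
     * Computes SHA-256 over the UTF-8 encoding of the given string.
     *
     * @param str input text
     * @return 32-byte digest
     * @throws ClientAttestationMgtException if the SHA-256 provider is unavailable
     */
    private byte[] getSHA256Hash(String str) throws ClientAttestationMgtException {
        try {
            return MessageDigest.getInstance(Constants.SHA_256).digest(str.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new ClientAttestationMgtException("Unable to validate attestation, cause SHA-256 algorithm is not available.", e);
        }
    }

    /**
     * Returns true when the certificate's notAfter is within {@link #EXPIRY_WARNING_DAYS} of now
     * (an already-expired certificate also returns true, since the remaining days are negative).
     *
     * @param x509Certificate certificate to check
     * @return whether the expiry warning should be raised
     */
    private boolean isCertificateExpiringSoon(X509Certificate x509Certificate) {
        long remainingMillis = x509Certificate.getNotAfter().getTime() - new Date().getTime();
        return remainingMillis / MILLIS_PER_DAY <= EXPIRY_WARNING_DAYS;
    }

    /**
     * @return the platform identifier this validator handles ({@value #IOS})
     */
    @Override // org.wso2.carbon.identity.client.attestation.mgt.validators.ClientAttestationValidator
    public String getAttestationValidationType() {
        return IOS;
    }
}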
