package net.shibboleth.idp.plugin.authn.webauthn.storage.impl;

import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.Base64Variants;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.dataformat.cbor.CBORFactory;
import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
import com.upokecenter.cbor.CBORObject;
import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECPoint;
import java.util.BitSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.NotThreadSafe;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.codec.Base64Support;
import net.shibboleth.shared.codec.EncodingException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.slf4j.Logger;
import org.testng.Assert;

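@NotThreadSafe
/**
 * Test double for a WebAuthn authenticator.
 *
 * <p>{@link #createAuthenticatorAttestationResponse} mints a fresh ES256 (P-256) key pair, wraps it
 * in a "none"-format attestation object and returns the registration response in the same
 * {@code com.yubico.webauthn.data.PublicKeyCredential} shape a relying party receives from a
 * browser. The private key of every credential created this way is remembered so that
 * {@link #createAuthenticatorAssertionResponse} can later sign assertions for it.
 *
 * <p>{@link #setProduceBadAssertionSignatures(boolean)} is a negative-test hook: when enabled,
 * assertions are signed with a throwaway key so the relying party's signature check must fail.
 *
 * <p>Not thread-safe: the credential registry is a plain {@link HashMap} with no synchronization.
 */
public class MockAuthenticator {

    /** JCA signature algorithm used for assertion signatures; the JCA spelling of COSE ES256. */
    private static final String JCA_ALGO = "SHA256withECDSA";

    /** COSE algorithm identifier written into the credential public key (-7 = ES256). */
    private static final int KEY_ALGO = -7;

    /** Relying party ID whose SHA-256 forms the first 32 bytes of every authenticator data. */
    @Nonnull
    @NotEmpty
    private final String rpId;

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(MockAuthenticator.class);

    /** Attestation statement format; "none" carries an empty attestation statement. */
    @Nonnull
    @NotEmpty
    private final String fmt = "none";

    /** Serializes the attestation object (a CBOR map). */
    @Nonnull
    private final ObjectMapper cborMapper = new ObjectMapper(new CBORFactory()).setBase64Variant(Base64Variants.MODIFIED_FOR_URL);

    /** Serializes client data and the outer credential envelope to JSON with base64url binaries. */
    @Nonnull
    private final ObjectMapper jsonMapper = JsonMapper.builder().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true).serializationInclusion(JsonInclude.Include.NON_ABSENT).defaultBase64Variant(Base64Variants.MODIFIED_FOR_URL).addModule(new Jdk8Module()).addModule(new JavaTimeModule()).build();

    /** Credentials created so far, keyed by the base64url encoding of the credential ID. */
    @Nonnull
    private final Map<String, PublicKeyCredential<Attestation, AuthenticatonExtensionsClientOutputs>> createdCredentialsMaps = new HashMap<>();

    /** When true, {@link #sign} uses a throwaway key so the resulting assertion signature is invalid. */
    private boolean produceBadAssertionSignatures = false;

    /**
     * Serialized form of an {@code AuthenticatorAssertionResponse}; every field is emitted as a
     * base64url string by {@link #jsonMapper}.
     */
    @JsonIgnoreProperties(ignoreUnknown = true)
    public final class Assertion {
        private final byte[] authenticatorData;
        private final byte[] signature;
        private final byte[] userHandle;
        private final byte[] clientDataJSON;

        public Assertion(@JsonProperty("clientDataJSON") byte[] bArr, @JsonProperty("authenticatorData") byte[] bArr2, @JsonProperty("signature") byte[] bArr3, @JsonProperty("userHandle") byte[] bArr4) {
            this.clientDataJSON = bArr;
            this.authenticatorData = bArr2;
            this.signature = bArr3;
            this.userHandle = bArr4;
        }

        @JsonProperty("authenticatorData")
        public final byte[] getAuthenticatorData() {
            return this.authenticatorData;
        }

        @JsonProperty("signature")
        public final byte[] getSignature() {
            return this.signature;
        }

        @JsonProperty("userHandle")
        public final byte[] getUserHandle() {
            return this.userHandle;
        }

        @JsonProperty("clientDataJSON")
        public byte[] getClientDataJSON() {
            return this.clientDataJSON;
        }
    }

    /**
     * Serialized form of an {@code AuthenticatorAttestationResponse}. Only {@code clientDataJSON}
     * and {@code attestationObject} are serialized; the private key and user handle are
     * {@link JsonIgnore}d and kept in memory for later assertions.
     */
    @JsonIgnoreProperties(ignoreUnknown = true)
    public class Attestation {
        private final byte[] userHandle;
        private final PrivateKey privateKey;
        private final byte[] attestationObjectCose;
        private final byte[] clientDataJSON;

        public Attestation(@JsonProperty("clientDataJSON") byte[] bArr, PrivateKey privateKey, @JsonProperty("attestationObject") byte[] bArr2, byte[] bArr3) {
            this.clientDataJSON = bArr;
            this.privateKey = privateKey;
            this.attestationObjectCose = bArr2;
            this.userHandle = bArr3;
        }

        @JsonIgnore
        public byte[] getUserHandle() {
            return this.userHandle;
        }

        @JsonIgnore
        public PrivateKey getPrivateKey() {
            return this.privateKey;
        }

        @JsonProperty("attestationObject")
        public byte[] getAttestationObjectCose() {
            return this.attestationObjectCose;
        }

        @JsonProperty("clientDataJSON")
        public byte[] getClientDataJSON() {
            return this.clientDataJSON;
        }
    }

    /** Client extension outputs; this mock never produces any, so the ID set is always empty. */
    public final class AuthenticatonExtensionsClientOutputs {
        public AuthenticatonExtensionsClientOutputs() {
        }

        @JsonProperty("extensionIds")
        public Set<String> getExtensionIds() {
            return new HashSet<>();
        }
    }

    /** A generated key pair together with its COSE_Key map representation. */
    public final class CombinedKey {

        @Nonnull
        private final CBORObject keyMap;

        @Nonnull
        private final PrivateKey privateKey;

        @Nonnull
        private final PublicKey publicKey;

        protected CombinedKey(@Nonnull CBORObject cBORObject, @Nonnull PrivateKey privateKey, @Nonnull PublicKey publicKey) {
            this.keyMap = cBORObject;
            this.privateKey = privateKey;
            this.publicKey = publicKey;
        }

        /** @return the COSE_Key map as built by {@link #generateECDSA_256_P256_Key()} */
        @Nonnull
        public final CBORObject getKeyMap() {
            return this.keyMap;
        }

        @Nonnull
        public final PrivateKey getPrivateKey() {
            return this.privateKey;
        }

        @Nonnull
        public final PublicKey getPublicKey() {
            return this.publicKey;
        }
    }

    /**
     * Outer credential envelope, serialized to the JSON a browser would post:
     * {@code rawId}, {@code id} (base64url of {@code rawId}), {@code response}, {@code type}
     * and {@code clientExtensionResults}.
     *
     * @param <T> response type ({@link Attestation} or {@link Assertion})
     * @param <R> client extension outputs type
     */
    @JsonIgnoreProperties(ignoreUnknown = true)
    public final class PublicKeyCredential<T, R> {
        private final byte[] id;
        private final T response;
        private final R clientExtensions;

        public PublicKeyCredential(byte[] bArr, T t, R r) {
            this.id = bArr;
            this.response = t;
            this.clientExtensions = r;
        }

        @JsonProperty("rawId")
        public byte[] getRawId() {
            return this.id;
        }

        /**
         * @return base64url form of the credential ID
         * @throws EncodingException if encoding fails
         */
        @JsonProperty("id")
        public String getId() throws EncodingException {
            return Base64Support.encodeURLSafe(this.id);
        }

        @JsonProperty("response")
        public T getResponse() {
            return this.response;
        }

        @JsonProperty("type")
        public String getType() {
            return "public-key";
        }

        @JsonProperty("clientExtensionResults")
        public R getClientExtensions() {
            return this.clientExtensions;
        }
    }

    /**
     * Constructor.
     *
     * @param str relying party ID the authenticator is scoped to
     * @throws Exception if the ID is null or empty
     */
    public MockAuthenticator(@Nonnull @NotEmpty String str) throws Exception {
        this.rpId = Constraint.isNotEmpty(str, "relyingPartyId can not be null");
    }

    /**
     * Enables or disables the negative-test hook that signs assertions with a throwaway key.
     *
     * @param z true to produce invalid assertion signatures
     */
    public void setProduceBadAssertionSignatures(boolean z) {
        this.produceBadAssertionSignatures = z;
    }

    /** Forgets every credential created so far. */
    public void reset() {
        this.createdCredentialsMaps.clear();
    }

    /**
     * Creates a registration (attestation) response for a brand-new credential and remembers it
     * for later assertions.
     *
     * @param str unused; retained for signature compatibility
     * @param map client data fields, serialized to JSON as {@code clientDataJSON}
     * @param bArr user handle to remember for this credential (not part of the attestation)
     * @return the parsed registration response
     * @throws Exception on key generation, serialization or parsing failure
     */
    public com.yubico.webauthn.data.PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> createAuthenticatorAttestationResponse(@Nonnull @NotEmpty String str, Map<String, String> map, byte[] bArr) throws Exception {
        final CombinedKey key = generateECDSA_256_P256_Key();
        assert key != null;
        // NOTE(review): a fresh random AAGUID per credential; real authenticators use one
        // AAGUID per model, so RP-side AAGUID allow-listing cannot be exercised with this mock.
        final String aaguidHex = generateRandomIdentifierHex(32);
        final byte[] credentialId = generateRandomIdentifierBytes(32);
        // clientDataJSON is always UTF-8; sign() hashes the UTF-8 encoding, so the bytes handed
        // to the RP must use the same charset rather than the platform default.
        final byte[] clientDataJson = this.jsonMapper.writeValueAsString(map).getBytes(StandardCharsets.UTF_8);
        final Attestation attestation = new Attestation(clientDataJson, key.getPrivateKey(),
                createAttestationObject(key, aaguidHex, credentialId), bArr);
        final PublicKeyCredential<Attestation, AuthenticatonExtensionsClientOutputs> credential =
                new PublicKeyCredential<>(credentialId, attestation, new AuthenticatonExtensionsClientOutputs());
        final com.yubico.webauthn.data.PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> parsed =
                com.yubico.webauthn.data.PublicKeyCredential.parseRegistrationResponseJson(this.jsonMapper.writeValueAsString(credential));
        this.createdCredentialsMaps.put(Base64Support.encodeURLSafe(credentialId), credential);
        return parsed;
    }

    /**
     * Creates an authentication (assertion) response for a credential previously returned by
     * {@link #createAuthenticatorAttestationResponse}.
     *
     * @param bArr raw credential ID of a credential this instance created
     * @param map client data fields, serialized to JSON as {@code clientDataJSON}
     * @return the parsed assertion response
     * @throws IllegalArgumentException if the credential ID is unknown
     * @throws Exception on signing, serialization or parsing failure
     */
    public com.yubico.webauthn.data.PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs> createAuthenticatorAssertionResponse(@Nonnull byte[] bArr, Map<String, String> map) throws Exception {
        final PublicKeyCredential<Attestation, AuthenticatonExtensionsClientOutputs> registered =
                this.createdCredentialsMaps.get(Base64Support.encodeURLSafe(bArr));
        if (registered == null) {
            throw new IllegalArgumentException("Invalid credentiaId, public key attestation not found");
        }
        final String clientDataJson = this.jsonMapper.writeValueAsString(map);
        final byte[] authData = createAuthDataForAssertion(bArr);
        final Attestation attestation = registered.getResponse();
        // Same charset as the hash computed inside sign(): the RP re-hashes exactly these bytes.
        final Assertion assertion = new Assertion(clientDataJson.getBytes(StandardCharsets.UTF_8), authData,
                sign(authData, clientDataJson, attestation.getPrivateKey()), attestation.getUserHandle());
        return com.yubico.webauthn.data.PublicKeyCredential.parseAssertionResponseJson(
                this.jsonMapper.writeValueAsString(new PublicKeyCredential<>(bArr, assertion, new AuthenticatonExtensionsClientOutputs())));
    }

    /**
     * Produces the WebAuthn assertion signature over {@code authenticatorData || SHA-256(clientDataJSON)}.
     *
     * @param authData the authenticator data being asserted
     * @param clientDataJson the client data JSON string (hashed as UTF-8)
     * @param privateKey the credential's private key
     * @return DER-encoded ECDSA signature
     * @throws Exception on hashing or signing failure
     */
    private byte[] sign(@Nonnull final byte[] authData, @Nonnull final String clientDataJson, @Nonnull final PrivateKey privateKey) throws Exception {
        final byte[] toBeSigned = concat(authData, sha256(clientDataJson));
        final Signature signer = Signature.getInstance(JCA_ALGO);
        if (this.produceBadAssertionSignatures) {
            // Negative-test hook: a key the RP has never seen, so verification must fail.
            signer.initSign(generateECDSA_256_P256_Key().getPrivateKey());
        } else {
            signer.initSign(privateKey);
        }
        signer.update(toBeSigned);
        return signer.sign();
    }

    /**
     * Builds the CBOR attestation object {@code {authData, fmt, attStmt}} for the "none" format.
     *
     * @param key the credential key pair
     * @param aaguidHex 32 hex characters forming the AAGUID
     * @param credentialId raw credential ID
     * @return CBOR-encoded attestation object
     * @throws Exception on hashing or serialization failure
     */
    private byte[] createAttestationObject(@Nonnull final CombinedKey key, @Nonnull final String aaguidHex, @Nonnull final byte[] credentialId) throws Exception {
        final Map<String, Object> attestationObject = new HashMap<>();
        attestationObject.put("authData", createAuthData(key, aaguidHex, credentialId));
        attestationObject.put("fmt", this.fmt);
        // "none" format: the attestation statement is an empty map.
        attestationObject.put("attStmt", new HashMap<>());
        return this.cborMapper.writeValueAsBytes(attestationObject);
    }

    /**
     * Builds authenticator data without attested credential data (assertion form).
     *
     * @param bArr raw credential ID (currently unused in this form, passed through for parity)
     * @return authenticator data bytes
     * @throws Exception on hashing failure
     */
    private byte[] createAuthDataForAssertion(@Nonnull byte[] bArr) throws Exception {
        return createAuthData(null, null, bArr);
    }

    /**
     * Builds authenticator data: {@code rpIdHash(32) || flags(1) || signCount(4) [|| attestedCredentialData]}.
     *
     * @param key credential key; when non-null, attested credential data is appended and AT is set
     * @param aaguidHex AAGUID hex, required when {@code key} is non-null
     * @param credentialId raw credential ID
     * @return authenticator data bytes
     * @throws Exception on hashing or encoding failure
     */
    private byte[] createAuthData(@Nullable final CombinedKey key, @Nullable final String aaguidHex, @Nonnull final byte[] credentialId) throws Exception {
        final byte[] rpIdHash = createRpIdHash();
        final boolean attested = key != null;
        // UP and UV are always asserted; AT only when attested credential data follows; ED never.
        final byte[] flags = createFlags(true, true, attested, false);
        // NOTE(review): the counter is a constant 1 for registration and every assertion. RPs that
        // do clone detection expect a strictly increasing counter across assertions — confirm the
        // callers' stored counter makes this pass, or make the counter per-credential and increment it.
        final byte[] signCount = createSignCount(1);
        final byte[] authData = attested
                ? concat(rpIdHash, flags, signCount, createAttestedCredentialData(key, aaguidHex, credentialId))
                : concat(rpIdHash, flags, signCount);
        this.log.debug("Created Authenticator Data for RP, '{}' RPHash '{}', SignCounter '{}', flags '{}'",
                this.rpId, Hex.encodeHexString(rpIdHash), Hex.encodeHexString(signCount), Hex.encodeHexString(flags));
        return authData;
    }

    /**
     * Encodes the one-byte authenticator data flags.
     *
     * <p>Always returns exactly one byte. (The previous {@code BitSet.toByteArray()} form returned
     * an empty array when no flag was set, which would silently corrupt the authenticator data layout.)
     *
     * @param up user present (bit 0)
     * @param uv user verified (bit 2)
     * @param at attested credential data included (bit 6)
     * @param ed extension data included (bit 7)
     * @return single-byte flags array
     */
    private byte[] createFlags(final boolean up, final boolean uv, final boolean at, final boolean ed) {
        int flags = 0;
        if (up) {
            flags |= 0x01;
        }
        if (uv) {
            flags |= 0x04;
        }
        if (at) {
            flags |= 0x40;
        }
        if (ed) {
            flags |= 0x80;
        }
        return new byte[] {(byte) flags};
    }

    /**
     * Builds attested credential data: {@code aaguid(16) || credIdLen(2) || credId || COSE_Key}.
     *
     * @param key credential key whose COSE map is embedded
     * @param aaguidHex 32 hex characters forming the AAGUID
     * @param credentialId raw credential ID
     * @return attested credential data bytes
     * @throws Exception on decoding or encoding failure
     */
    private byte[] createAttestedCredentialData(@Nonnull final CombinedKey key, @Nonnull final String aaguidHex, @Nonnull final byte[] credentialId) throws Exception {
        return concat(createAaguid(aaguidHex), createCredentialId(credentialId), key.getKeyMap().EncodeToBytes());
    }

    /**
     * Decodes a 32-character hex string into the 16-byte AAGUID.
     *
     * @param str 32 hex characters
     * @return 16 AAGUID bytes
     * @throws DecoderException if the string is not valid hex
     */
    private byte[] createAaguid(@Nonnull final String str) throws DecoderException {
        Assert.assertEquals(str.length(), 32);
        final byte[] aaguid = Hex.decodeHex(str.toCharArray());
        Assert.assertEquals(aaguid.length, 16);
        return aaguid;
    }

    /**
     * Encodes the signature counter as a 4-byte big-endian integer.
     *
     * @param i counter value
     * @return 4 bytes
     */
    private byte[] createSignCount(final int i) {
        return ByteBuffer.allocate(4).putInt(i).array();
    }

    /**
     * Prefixes the credential ID with its 2-byte big-endian length.
     *
     * @param bArr raw credential ID
     * @return {@code credIdLen(2) || credId}
     * @throws IllegalArgumentException if the ID does not fit in 16 bits (previously truncated silently)
     */
    private byte[] createCredentialId(@Nonnull final byte[] bArr) {
        final int length = bArr.length;
        if (length > 0xFFFF) {
            throw new IllegalArgumentException("credential ID too long for a 16-bit length prefix: " + length);
        }
        return ByteBuffer.allocate(2 + length).putShort((short) length).put(bArr).array();
    }

    /**
     * @return SHA-256 of the UTF-8 relying party ID
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable
     */
    private byte[] createRpIdHash() throws NoSuchAlgorithmException {
        return sha256(this.rpId);
    }

    /**
     * @param str text to hash as UTF-8
     * @return SHA-256 digest
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable
     */
    private byte[] sha256(@Nonnull final String str) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(str.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Concatenates the given arrays in order.
     *
     * @param parts arrays to join
     * @return a new array holding every part back to back
     */
    @Nonnull
    private static byte[] concat(@Nonnull final byte[]... parts) {
        int total = 0;
        for (final byte[] part : parts) {
            total += part.length;
        }
        final ByteBuffer buf = ByteBuffer.allocate(total);
        for (final byte[] part : parts) {
            buf.put(part);
        }
        return buf.array();
    }

    /**
     * Generates {@code num} random lowercase hex characters.
     *
     * <p>Hex-encodes {@code ceil(num/2)} random bytes and trims; unlike
     * {@code Integer.toHexString(nextInt())} this keeps leading zeros, so every digit is uniform.
     *
     * @param num number of hex characters wanted
     * @return random hex string of exactly {@code num} characters
     */
    @Nonnull
    static String generateRandomIdentifierHex(@Nonnull final Integer num) {
        final int length = num.intValue();
        final byte[] random = new byte[(length + 1) / 2];
        new SecureRandom().nextBytes(random);
        return Hex.encodeHexString(random).substring(0, length);
    }

    /**
     * Generates {@code num} cryptographically random bytes.
     *
     * @param num number of bytes wanted
     * @return the random bytes
     * @throws Exception retained for signature compatibility; not thrown by this implementation
     */
    @Nonnull
    public static byte[] generateRandomIdentifierBytes(@Nonnull final Integer num) throws Exception {
        final byte[] random = new byte[num.intValue()];
        new SecureRandom().nextBytes(random);
        return random;
    }

    /**
     * Generates a P-256 key pair and its COSE_Key map (kty EC2, crv P-256, alg ES256).
     *
     * @return key pair plus COSE map
     * @throws NoSuchAlgorithmException if EC key generation is unavailable
     * @throws InvalidAlgorithmParameterException if secp256r1 is unsupported
     */
    private CombinedKey generateECDSA_256_P256_Key() throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
        final KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
        generator.initialize(new ECGenParameterSpec("secp256r1"));
        final KeyPair pair = generator.genKeyPair();
        final PublicKey publicKey = pair.getPublic();
        final PrivateKey privateKey = pair.getPrivate();
        assert publicKey != null;
        assert privateKey != null;
        final ECPoint w = ((ECPublicKey) publicKey).getW();
        // COSE_Key labels: 1 kty, 3 alg, -1 crv, -2 x, -3 y, -4 d. Insertion order is kept
        // because it is the order the map is encoded in.
        final CBORObject coseKey = CBORObject.NewMap();
        coseKey.Add(CBORObject.FromObject(1), CBORObject.FromObject(2)); // kty = EC2
        coseKey.Add(CBORObject.FromObject(-1), CBORObject.FromObject(1)); // crv = P-256
        coseKey.Add(CBORObject.FromObject(-2), CBORObject.FromObject(ArrayFromBigNum(w.getAffineX(), 256)));
        coseKey.Add(CBORObject.FromObject(-3), CBORObject.FromObject(ArrayFromBigNum(w.getAffineY(), 256)));
        // NOTE(review): label -4 is the private scalar d. It ends up inside the attested credential
        // data sent to the RP, which a real authenticator never does. Harmless for a test double with
        // throwaway keys, but confirm it is intentional before this map is reused anywhere else.
        coseKey.Add(CBORObject.FromObject(-4), CBORObject.FromObject(ArrayFromBigNum(((ECPrivateKey) privateKey).getS(), 256)));
        coseKey.Add(CBORObject.FromObject(3), CBORObject.FromObject(KEY_ALGO)); // alg = ES256
        return new CombinedKey(coseKey, privateKey, publicKey);
    }

    /**
     * Renders a non-negative big integer as a fixed-width big-endian array.
     *
     * <p>Drops leading bytes (the two's-complement sign byte) when the value is wider than the
     * target, and left-pads with zeros when it is narrower.
     *
     * @param bigInteger value to encode
     * @param i width in bits
     * @return {@code ceil(i/8)} bytes, big-endian
     */
    private byte[] ArrayFromBigNum(@Nonnull final BigInteger bigInteger, final int i) {
        final byte[] out = new byte[(i + 7) / 8];
        final byte[] raw = bigInteger.toByteArray();
        if (out.length == raw.length) {
            return raw;
        }
        if (raw.length > out.length) {
            System.arraycopy(raw, raw.length - out.length, out, 0, out.length);
        } else {
            System.arraycopy(raw, 0, out, out.length - raw.length, raw.length);
        }
        return out;
    }
}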
