package com.yubico.yubikit.fido.client;

import com.yubico.yubikit.core.application.CommandException;
import com.yubico.yubikit.core.application.CommandState;
import com.yubico.yubikit.core.fido.CtapException;
import com.yubico.yubikit.fido.Cbor;
import com.yubico.yubikit.fido.client.ClientError;
import com.yubico.yubikit.fido.ctap.ClientPin;
import com.yubico.yubikit.fido.ctap.CredentialManagement;
import com.yubico.yubikit.fido.ctap.Ctap2Session;
import com.yubico.yubikit.fido.ctap.PinUvAuthProtocolV1;
import com.yubico.yubikit.fido.webauthn.AuthenticatorAssertionResponse;
import com.yubico.yubikit.fido.webauthn.AuthenticatorAttestationResponse;
import com.yubico.yubikit.fido.webauthn.AuthenticatorSelectionCriteria;
import com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions;
import com.yubico.yubikit.fido.webauthn.PublicKeyCredentialDescriptor;
import com.yubico.yubikit.fido.webauthn.PublicKeyCredentialParameters;
import com.yubico.yubikit.fido.webauthn.PublicKeyCredentialRequestOptions;
import com.yubico.yubikit.fido.webauthn.UserVerificationRequirement;
import java.io.Closeable;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.annotation.Nullable;

/* loaded from: classes2.dex */
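/**
 * WebAuthn-style client layered on a single {@link Ctap2Session}.
 *
 * <p>At construction it reads the authenticator's option map to learn whether a PIN and built-in
 * user verification are supported and configured. It then translates WebAuthn creation and
 * request options into CTAP2 {@code makeCredential} / {@code getAssertions} calls.
 *
 * <p>This listing is decompiler output, so parameter names such as {@code bArr} and {@code cArr}
 * are generated; the Javadoc on each method states what the code does with them.
 *
 * <p>PIN handling: PINs arrive as {@code char[]} and are never copied into a {@code String} in
 * this class. This class does not clear the arrays it is given, so callers should overwrite them
 * once the call returns.
 */
public class BasicWebAuthnClient implements Closeable {
    private static final String KEY_ATTESTATION_STATEMENT = "attStmt";
    private static final String KEY_AUTHENTICATOR_DATA = "authData";
    private static final String KEY_FORMAT = "fmt";
    private static final String KEY_USER_ID = "id";
    private static final String OPTION_CLIENT_PIN = "clientPin";
    private static final String OPTION_CREDENTIAL_MANAGEMENT = "credentialMgmtPreview";
    private static final String OPTION_RESIDENT_KEY = "rk";
    private static final String OPTION_USER_VERIFICATION = "uv";
    // Null unless the authenticator reports the clientPin option AND lists PIN/UV auth protocol 1.
    // Every use must go through requireClientPin() so a missing protocol is reported as ClientError.
    private final ClientPin clientPin;
    private boolean credentialManagementSupported;
    private final Ctap2Session ctap;
    // Flipped to true by setPin() after the authenticator accepts a new PIN.
    private boolean pinConfigured;
    private final boolean pinSupported;
    private boolean uvConfigured;
    private final boolean uvSupported;

    /*
     * Decompiler rendering of the compiler-generated lookup table behind a switch over
     * UserVerificationRequirement (originally the synthetic class BasicWebAuthnClient$1, with
     * package-private access). PREFERRED maps to 1, REQUIRED to 2; every other constant stays 0.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$yubico$yubikit$fido$webauthn$UserVerificationRequirement;

        static {
            int[] iArr = new int[UserVerificationRequirement.values().length];
            $SwitchMap$com$yubico$yubikit$fido$webauthn$UserVerificationRequirement = iArr;
            try {
                iArr[UserVerificationRequirement.PREFERRED.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
                // Generated guard: a constant missing at run time simply keeps the default 0.
            }
            try {
                $SwitchMap$com$yubico$yubikit$fido$webauthn$UserVerificationRequirement[UserVerificationRequirement.REQUIRED.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
                // Generated guard, as above.
            }
        }
    }

    /**
     * Reads the authenticator info from {@code ctap2Session} and records its PIN, user
     * verification and credential management capabilities.
     *
     * @param ctap2Session open CTAP2 session; {@link #close()} closes it
     * @throws IOException as thrown by {@code getInfo()}
     * @throws CommandException as thrown by {@code getInfo()}
     */
    public BasicWebAuthnClient(Ctap2Session ctap2Session) throws IOException, CommandException {
        this.ctap = ctap2Session;
        Ctap2Session.InfoData info = ctap2Session.getInfo();
        Map<String, ?> options = info.getOptions();

        // A present "clientPin" entry means PIN support; its value says whether a PIN is set.
        Boolean clientPinOption = (Boolean) options.get(OPTION_CLIENT_PIN);
        this.pinSupported = clientPinOption != null;
        // Only PIN/UV auth protocol 1 is implemented here, so an authenticator that advertises
        // PIN support without protocol 1 leaves clientPin null.
        this.clientPin = (this.pinSupported && info.getPinUvAuthProtocols().contains(1))
                ? new ClientPin(ctap2Session, new PinUvAuthProtocolV1())
                : null;
        this.pinConfigured = this.pinSupported && clientPinOption.booleanValue();

        // Same convention for "uv": present means supported, true means configured.
        Boolean uvOption = (Boolean) options.get(OPTION_USER_VERIFICATION);
        this.uvSupported = uvOption != null;
        this.uvConfigured = this.uvSupported && uvOption.booleanValue();

        this.credentialManagementSupported = Boolean.TRUE.equals(options.get(OPTION_CREDENTIAL_MANAGEMENT));
    }

    /**
     * Converts credential descriptors to the map form passed to the CTAP session.
     *
     * @param list descriptors, may be null
     * @return one map per descriptor, or null when {@code list} is null or empty
     */
    @Nullable
    private static List<Map<String, ?>> getCredentialList(@Nullable List<PublicKeyCredentialDescriptor> list) {
        if (list == null || list.isEmpty()) {
            return null;
        }
        List<Map<String, ?>> descriptors = new ArrayList<>(list.size());
        for (PublicKeyCredentialDescriptor descriptor : list) {
            descriptors.add(descriptor.toMap());
        }
        return descriptors;
    }

    /**
     * Decides whether the CTAP {@code uv} option must be set for a request.
     *
     * @param userVerificationRequirement the relying party's requirement
     * @param z true when the caller supplied a PIN
     * @return true when the {@code uv} option should be sent
     * @throws ClientError when a PIN was supplied but none is configured, or when verification is
     *     wanted but cannot be satisfied; {@code PinRequiredClientError} is thrown when a PIN is
     *     configured and the caller has to supply it
     */
    private boolean getCtapUv(UserVerificationRequirement userVerificationRequirement, boolean z) throws ClientError {
        if (z) {
            // With a PIN the callers send a PIN-derived auth parameter instead of the uv option.
            if (this.pinConfigured) {
                return false;
            }
            throw new ClientError(ClientError.Code.BAD_REQUEST, "PIN provided but not configured");
        }
        int mapped = AnonymousClass1.$SwitchMap$com$yubico$yubikit$fido$webauthn$UserVerificationRequirement[userVerificationRequirement.ordinal()];
        boolean verificationWanted;
        if (mapped == 2) {
            // REQUIRED: always insist on verification.
            verificationWanted = true;
        } else if (mapped == 1) {
            // PREFERRED: insist only if the authenticator has some means of verification.
            verificationWanted = this.pinSupported || this.uvSupported;
        } else {
            verificationWanted = false;
        }
        if (!verificationWanted) {
            return false;
        }
        if (this.uvConfigured) {
            return true;
        }
        if (this.pinConfigured) {
            throw new PinRequiredClientError();
        }
        throw new ClientError(ClientError.Code.BAD_REQUEST, "User verification not configured/supported");
    }

    /**
     * Returns the PIN helper, or fails with a {@link ClientError} when the constructor could not
     * create one. Without this guard a device that reports a PIN but not PIN/UV auth protocol 1
     * would cause a {@code NullPointerException} in every PIN operation.
     */
    private ClientPin requireClientPin() throws ClientError {
        if (this.clientPin == null) {
            throw new ClientError(ClientError.Code.CONFIGURATION_UNSUPPORTED, "PIN/UV auth protocol 1 is not supported on this device");
        }
        return this.clientPin;
    }

    /**
     * Computes the SHA-256 digest of {@code bArr}.
     *
     * <p>The decompiler widened this method from package-private to public.
     *
     * @param bArr bytes to hash
     * @return the 32-byte digest
     * @throws RuntimeException if the platform has no SHA-256 implementation
     */
    public static byte[] hash(byte[] bArr) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(bArr);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Replaces the configured PIN.
     *
     * @param cArr current PIN; not cleared by this method
     * @param cArr2 new PIN; not cleared by this method
     * @throws ClientError if PINs are unsupported, none is configured, PIN/UV auth protocol 1 is
     *     unavailable, or the authenticator rejects the change
     */
    public void changePin(char[] cArr, char[] cArr2) throws IOException, CommandException, ClientError {
        if (!this.pinSupported) {
            throw new ClientError(ClientError.Code.BAD_REQUEST, "PIN is not supported on this device");
        }
        if (!this.pinConfigured) {
            throw new ClientError(ClientError.Code.BAD_REQUEST, "No PIN currently configured on this device");
        }
        ClientPin pin = requireClientPin();
        try {
            pin.changePin(cArr, cArr2);
        } catch (CtapException e) {
            throw ClientError.wrapCtapException(e);
        }
    }

    /** Closes the underlying CTAP2 session. */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        this.ctap.close();
    }

    /**
     * Requests an assertion from the authenticator.
     *
     * @param bArr client data bytes; their SHA-256 digest is what the authenticator receives, and
     *     the bytes themselves are returned in the response
     * @param publicKeyCredentialRequestOptions relying party request options; extensions must be
     *     null
     * @param cArr PIN, or null to rely on the {@code uv} option; not cleared by this method
     * @param commandState passed through to the CTAP call, may be null
     * @return the single assertion produced
     * @throws MultipleAssertionsAvailable whenever the authenticator returns a number of
     *     assertions other than one (the check is {@code size() != 1}, so zero also lands here)
     * @throws ClientError for unsupported extensions, unsatisfiable user verification, a missing
     *     PIN/UV auth protocol 1, or a CTAP error while obtaining the PIN token
     */
    public AuthenticatorAssertionResponse getAssertion(byte[] bArr, PublicKeyCredentialRequestOptions publicKeyCredentialRequestOptions, @Nullable char[] cArr, @Nullable CommandState commandState) throws MultipleAssertionsAvailable, IOException, CommandException, ClientError {
        Map<String, Boolean> ctapOptions = new HashMap<>();
        if (getCtapUv(publicKeyCredentialRequestOptions.getUserVerification(), cArr != null)) {
            ctapOptions.put(OPTION_USER_VERIFICATION, true);
        }
        if (publicKeyCredentialRequestOptions.getExtensions() != null) {
            throw new ClientError(ClientError.Code.CONFIGURATION_UNSUPPORTED, "Extensions not supported");
        }
        byte[] clientDataHash = hash(bArr);
        byte[] pinUvAuthParam = null;
        int pinUvAuthProtocol = 0;
        if (cArr != null) {
            ClientPin pin = requireClientPin();
            try {
                // The auth parameter binds the PIN token to this request's client data hash.
                // NOTE(review): the token is a temporary here; whether ClientPin wipes it is not
                // visible in this file.
                pinUvAuthParam = pin.getPinUvAuth().authenticate(pin.getPinToken(cArr), clientDataHash);
                pinUvAuthProtocol = pin.getPinUvAuth().getVersion();
            } catch (CtapException e) {
                throw ClientError.wrapCtapException(e);
            }
        }
        // NOTE(review): unlike makeCredential, this CTAP call sits outside the CtapException
        // handler, so authenticator errors propagate as thrown by Ctap2Session and are not
        // converted to ClientError.
        List<Ctap2Session.AssertionData> assertions = this.ctap.getAssertions(
                publicKeyCredentialRequestOptions.getRpId(),
                clientDataHash,
                getCredentialList(publicKeyCredentialRequestOptions.getAllowCredentials()),
                null,
                ctapOptions.isEmpty() ? null : ctapOptions,
                pinUvAuthParam,
                pinUvAuthProtocol,
                commandState);
        if (assertions.size() != 1) {
            throw new MultipleAssertionsAvailable(bArr, assertions);
        }
        Ctap2Session.AssertionData assertionData = assertions.get(0);

        byte[] credentialId;
        Map<String, ?> credential = assertionData.getCredential();
        if (credential != null) {
            credentialId = PublicKeyCredentialDescriptor.fromMap(credential).getId();
        } else {
            // Fallback when the response names no credential: attribute the assertion to the
            // first allow-list entry. That attribution is only sound when the allow list holds
            // exactly one descriptor; the size is not checked here.
            List<PublicKeyCredentialDescriptor> allowList = Objects.requireNonNull(
                    publicKeyCredentialRequestOptions.getAllowCredentials(),
                    "authenticator omitted the credential and no allow list was supplied");
            credentialId = allowList.get(0).getId();
        }

        Map<String, ?> user = assertionData.getUser();
        byte[] userHandle = user != null ? Objects.requireNonNull((byte[]) user.get(KEY_USER_ID)) : null;
        return new AuthenticatorAssertionResponse(assertionData.getAuthencticatorData(), bArr, assertionData.getSignature(), userHandle, credentialId);
    }

    /**
     * Opens a credential manager authorised with a PIN token.
     *
     * @param cArr PIN; not cleared by this method
     * @throws ClientError if the authenticator does not report {@code credentialMgmtPreview}, no
     *     PIN is configured, PIN/UV auth protocol 1 is unavailable, or the PIN token cannot be
     *     obtained
     */
    public CredentialManager getCredentialManager(char[] cArr) throws IOException, CommandException, ClientError {
        if (!this.credentialManagementSupported) {
            throw new ClientError(ClientError.Code.CONFIGURATION_UNSUPPORTED, "Credential management is not supported on this device");
        }
        if (!this.pinConfigured) {
            throw new ClientError(ClientError.Code.BAD_REQUEST, "No PIN currently configured on this device");
        }
        ClientPin pin = requireClientPin();
        try {
            // The PIN token is handed to CredentialManagement; presumably it is kept for the
            // manager's lifetime, which is not visible in this file.
            return new CredentialManager(new CredentialManagement(this.ctap, pin.getPinUvAuth(), pin.getPinToken(cArr)));
        } catch (CtapException e) {
            throw ClientError.wrapCtapException(e);
        }
    }

    /** Returns whether a PIN is currently configured, including one set through {@link #setPin}. */
    public boolean isPinConfigured() {
        return this.pinConfigured;
    }

    /** Returns whether the authenticator reported the {@code clientPin} option at all. */
    public boolean isPinSupported() {
        return this.pinSupported;
    }

    /**
     * Creates a credential on the authenticator.
     *
     * @param bArr client data bytes; their SHA-256 digest is what the authenticator receives, and
     *     the bytes themselves are returned in the response
     * @param publicKeyCredentialCreationOptions relying party creation options; extensions must be
     *     null
     * @param cArr PIN, or null; not cleared by this method
     * @param commandState passed through to the CTAP call, may be null
     * @return the client data together with the CBOR-encoded map of {@code fmt}, {@code authData}
     *     and {@code attStmt}
     * @throws ClientError for unsupported extensions, unsatisfiable user verification, a missing
     *     PIN/UV auth protocol 1, or any CTAP error; {@code PinRequiredClientError} is thrown when
     *     a PIN is configured but neither a PIN nor the {@code uv} option is in play
     */
    public AuthenticatorAttestationResponse makeCredential(byte[] bArr, PublicKeyCredentialCreationOptions publicKeyCredentialCreationOptions, @Nullable char[] cArr, @Nullable CommandState commandState) throws IOException, CommandException, ClientError {
        Map<String, ?> rp = publicKeyCredentialCreationOptions.getRp().toMap();
        Map<String, ?> user = publicKeyCredentialCreationOptions.getUser().toMap();
        List<Map<String, ?>> pubKeyCredParams = new ArrayList<>();
        for (PublicKeyCredentialParameters parameters : publicKeyCredentialCreationOptions.getPubKeyCredParams()) {
            pubKeyCredParams.add(parameters.toMap());
        }

        boolean pinProvided = cArr != null;
        Map<String, Boolean> ctapOptions = new HashMap<>();
        // Without selection criteria the user verification requirement defaults to PREFERRED.
        UserVerificationRequirement uvRequirement = UserVerificationRequirement.PREFERRED;
        AuthenticatorSelectionCriteria authenticatorSelection = publicKeyCredentialCreationOptions.getAuthenticatorSelection();
        if (authenticatorSelection != null) {
            if (authenticatorSelection.isRequireResidentKey()) {
                ctapOptions.put(OPTION_RESIDENT_KEY, true);
            }
            uvRequirement = authenticatorSelection.getUserVerification();
        }
        if (getCtapUv(uvRequirement, pinProvided)) {
            ctapOptions.put(OPTION_USER_VERIFICATION, true);
        }
        if (publicKeyCredentialCreationOptions.getExtensions() != null) {
            throw new ClientError(ClientError.Code.CONFIGURATION_UNSUPPORTED, "Extensions not supported");
        }
        byte[] clientDataHash = hash(bArr);

        byte[] pinUvAuthParam = null;
        int pinUvAuthProtocol = 0;
        ClientPin pin = pinProvided ? requireClientPin() : null;
        try {
            if (pin != null) {
                // The auth parameter binds the PIN token to this request's client data hash.
                pinUvAuthParam = pin.getPinUvAuth().authenticate(pin.getPinToken(cArr), clientDataHash);
                pinUvAuthProtocol = pin.getPinUvAuth().getVersion();
            } else if (this.pinConfigured && !ctapOptions.containsKey(OPTION_USER_VERIFICATION)) {
                // A PIN-protected authenticator is never asked to create a credential with
                // neither a PIN nor built-in user verification.
                throw new PinRequiredClientError();
            }
            List<Map<String, ?>> excludeList = getCredentialList(publicKeyCredentialCreationOptions.getExcludeCredentials());
            Ctap2Session.CredentialData credentialData = this.ctap.makeCredential(
                    clientDataHash,
                    rp,
                    user,
                    pubKeyCredParams,
                    excludeList,
                    null,
                    ctapOptions.isEmpty() ? null : ctapOptions,
                    pinUvAuthParam,
                    pinUvAuthProtocol,
                    commandState);
            Map<String, Object> attestationObject = new HashMap<>();
            attestationObject.put(KEY_FORMAT, credentialData.getFormat());
            attestationObject.put(KEY_AUTHENTICATOR_DATA, credentialData.getAuthencticatorData());
            attestationObject.put(KEY_ATTESTATION_STATEMENT, credentialData.getAttestationStatement());
            return new AuthenticatorAttestationResponse(bArr, Cbor.encode(attestationObject));
        } catch (CtapException e) {
            throw ClientError.wrapCtapException(e);
        }
    }

    /**
     * Sets the first PIN on an authenticator that has none.
     *
     * @param cArr new PIN; not cleared by this method
     * @throws ClientError if PINs are unsupported, a PIN already exists, PIN/UV auth protocol 1 is
     *     unavailable, or the authenticator rejects the PIN
     */
    public void setPin(char[] cArr) throws IOException, CommandException, ClientError {
        if (!this.pinSupported) {
            throw new ClientError(ClientError.Code.BAD_REQUEST, "PIN is not supported on this device");
        }
        if (this.pinConfigured) {
            throw new ClientError(ClientError.Code.BAD_REQUEST, "A PIN is already configured on this device");
        }
        ClientPin pin = requireClientPin();
        try {
            pin.setPin(cArr);
            // Recorded only after the authenticator accepted the PIN.
            this.pinConfigured = true;
        } catch (CtapException e) {
            throw ClientError.wrapCtapException(e);
        }
    }
}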
