package com.yubico.webauthn;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.upokecenter.cbor.CBORObject;
import com.yubico.internal.util.BinaryUtil;
import com.yubico.internal.util.ByteInputStream;
import com.yubico.internal.util.CertificateParser;
import com.yubico.internal.util.ExceptionUtil;
import com.yubico.webauthn.data.AttestationObject;
import com.yubico.webauthn.data.AttestationType;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.COSEAlgorithmIdentifier;
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier.class */
public final class TpmAttestationStatementVerifier implements AttestationStatementVerifier, X5cAttestationStatementVerifier {
    private static final String TPM_VER = "2.0";
    static final int TPM_ALG_NULL = 16;
    private static final String OID_TCG_AT_TPM_MANUFACTURER = "2.23.133.2.1";
    private static final String OID_TCG_AT_TPM_MODEL = "2.23.133.2.2";
    private static final String OID_TCG_AT_TPM_VERSION = "2.23.133.2.3";

    @Generated
    private static final Logger log = LoggerFactory.getLogger(TpmAttestationStatementVerifier.class);
    static final ByteArray TPM_GENERATED_VALUE = ByteArray.fromBase64("/1RDRw==");
    static final ByteArray TPM_ST_ATTEST_CERTIFY = ByteArray.fromBase64("gBc=");

    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$Attributes.class */
    static final class Attributes {
        static final int SIGN_ENCRYPT = 262144;
        private static final int SHALL_BE_ZERO = -462071;

        Attributes() {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$Parameters.class */
    public interface Parameters {
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$Tpm2bPublicKeyRsa.class */
    public static final class Tpm2bPublicKeyRsa implements Unique {
        private final ByteArray bytes;

        /* JADX INFO: Access modifiers changed from: private */
        public static Tpm2bPublicKeyRsa parse(ByteInputStream byteInputStream) throws IOException {
            return new Tpm2bPublicKeyRsa(new ByteArray(byteInputStream.read(byteInputStream.readUnsignedShort())));
        }

        @Generated
        public Tpm2bPublicKeyRsa(ByteArray byteArray) {
            this.bytes = byteArray;
        }

        @Generated
        public ByteArray getBytes() {
            return this.bytes;
        }

        @Generated
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof Tpm2bPublicKeyRsa)) {
                return false;
            }
            ByteArray bytes = getBytes();
            ByteArray bytes2 = ((Tpm2bPublicKeyRsa) obj).getBytes();
            return bytes == null ? bytes2 == null : bytes.equals(bytes2);
        }

        @Generated
        public int hashCode() {
            ByteArray bytes = getBytes();
            return (1 * 59) + (bytes == null ? 43 : bytes.hashCode());
        }

        @Generated
        public String toString() {
            return "TpmAttestationStatementVerifier.Tpm2bPublicKeyRsa(bytes=" + getBytes() + ")";
        }
    }

    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$TpmAlgAsym.class */
    static final class TpmAlgAsym {
        static final int RSA = 1;
        static final int ECC = 35;

        TpmAlgAsym() {
        }
    }

    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$TpmAlgHash.class */
    static class TpmAlgHash {
        static final int SHA1 = 4;
        static final int SHA256 = 11;
        static final int SHA384 = 12;
        static final int SHA512 = 13;

        TpmAlgHash() {
        }
    }

    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$TpmEccCurve.class */
    private static class TpmEccCurve {
        private static final int NONE = 0;
        private static final int NIST_P256 = 3;
        private static final int NIST_P384 = 4;
        private static final int NIST_P521 = 5;

        private TpmEccCurve() {
        }
    }

    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$TpmRsaScheme.class */
    static final class TpmRsaScheme {
        static final int RSASSA = 20;

        TpmRsaScheme() {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$TpmsAttest.class */
    public static final class TpmsAttest {
        private final ByteArray rawBytes;
        private final ByteArray extraData;
        private final ByteArray attestedName;

        /* JADX INFO: Access modifiers changed from: private */
        public static TpmsAttest parse(byte[] bArr) throws IOException {
            ByteInputStream byteInputStream = new ByteInputStream(bArr);
            try {
                ByteArray byteArray = new ByteArray(byteInputStream.read(4));
                ExceptionUtil.assertTrue(byteArray.equals(TpmAttestationStatementVerifier.TPM_GENERATED_VALUE), "magic field is invalid: %s", new Object[]{byteArray});
                ByteArray byteArray2 = new ByteArray(byteInputStream.read(2));
                ExceptionUtil.assertTrue(byteArray2.equals(TpmAttestationStatementVerifier.TPM_ST_ATTEST_CERTIFY), "type field is invalid: %s", new Object[]{byteArray2});
                byteInputStream.skipBytes(byteInputStream.readUnsignedShort());
                ByteArray byteArray3 = new ByteArray(byteInputStream.read(byteInputStream.readUnsignedShort()));
                byteInputStream.skipBytes(17);
                byteInputStream.skipBytes(8);
                TpmsAttest tpmsAttest = new TpmsAttest(new ByteArray(bArr), byteArray3, new ByteArray(byteInputStream.read(byteInputStream.readUnsignedShort())));
                byteInputStream.close();
                return tpmsAttest;
            } catch (Throwable th) {
                try {
                    byteInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }

        @Generated
        public TpmsAttest(ByteArray byteArray, ByteArray byteArray2, ByteArray byteArray3) {
            this.rawBytes = byteArray;
            this.extraData = byteArray2;
            this.attestedName = byteArray3;
        }

        @Generated
        public ByteArray getRawBytes() {
            return this.rawBytes;
        }

        @Generated
        public ByteArray getExtraData() {
            return this.extraData;
        }

        @Generated
        public ByteArray getAttestedName() {
            return this.attestedName;
        }

        @Generated
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof TpmsAttest)) {
                return false;
            }
            TpmsAttest tpmsAttest = (TpmsAttest) obj;
            ByteArray rawBytes = getRawBytes();
            ByteArray rawBytes2 = tpmsAttest.getRawBytes();
            if (rawBytes == null) {
                if (rawBytes2 != null) {
                    return false;
                }
            } else if (!rawBytes.equals(rawBytes2)) {
                return false;
            }
            ByteArray extraData = getExtraData();
            ByteArray extraData2 = tpmsAttest.getExtraData();
            if (extraData == null) {
                if (extraData2 != null) {
                    return false;
                }
            } else if (!extraData.equals(extraData2)) {
                return false;
            }
            ByteArray attestedName = getAttestedName();
            ByteArray attestedName2 = tpmsAttest.getAttestedName();
            return attestedName == null ? attestedName2 == null : attestedName.equals(attestedName2);
        }

        @Generated
        public int hashCode() {
            ByteArray rawBytes = getRawBytes();
            int hashCode = (1 * 59) + (rawBytes == null ? 43 : rawBytes.hashCode());
            ByteArray extraData = getExtraData();
            int hashCode2 = (hashCode * 59) + (extraData == null ? 43 : extraData.hashCode());
            ByteArray attestedName = getAttestedName();
            return (hashCode2 * 59) + (attestedName == null ? 43 : attestedName.hashCode());
        }

        @Generated
        public String toString() {
            return "TpmAttestationStatementVerifier.TpmsAttest(rawBytes=" + getRawBytes() + ", extraData=" + getExtraData() + ", attestedName=" + getAttestedName() + ")";
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$TpmsEccParms.class */
    public static final class TpmsEccParms implements Parameters {
        private final int curve_id;

        /* JADX INFO: Access modifiers changed from: private */
        public static TpmsEccParms parse(ByteInputStream byteInputStream) throws IOException {
            int readUnsignedShort = byteInputStream.readUnsignedShort();
            int readUnsignedShort2 = byteInputStream.readUnsignedShort();
            ExceptionUtil.assertTrue(readUnsignedShort == TpmAttestationStatementVerifier.TPM_ALG_NULL, "ECC key is expected to have \"symmetric\" set to TPM_ALG_NULL, was: 0x%04x", new Object[]{Integer.valueOf(readUnsignedShort)});
            ExceptionUtil.assertTrue(readUnsignedShort2 == TpmAttestationStatementVerifier.TPM_ALG_NULL, "ECC key is expected to have \"scheme\" set to TPM_ALG_NULL, was: 0x%04x", new Object[]{Integer.valueOf(readUnsignedShort2)});
            int readUnsignedShort3 = byteInputStream.readUnsignedShort();
            byteInputStream.skipBytes(2);
            return new TpmsEccParms(readUnsignedShort3);
        }

        @Generated
        public TpmsEccParms(int i) {
            this.curve_id = i;
        }

        @Generated
        public int getCurve_id() {
            return this.curve_id;
        }

        @Generated
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            return (obj instanceof TpmsEccParms) && getCurve_id() == ((TpmsEccParms) obj).getCurve_id();
        }

        @Generated
        public int hashCode() {
            return (1 * 59) + getCurve_id();
        }

        @Generated
        public String toString() {
            return "TpmAttestationStatementVerifier.TpmsEccParms(curve_id=" + getCurve_id() + ")";
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$TpmsEccPoint.class */
    public static final class TpmsEccPoint implements Unique {
        private final ByteArray x;
        private final ByteArray y;

        /* JADX INFO: Access modifiers changed from: private */
        public static TpmsEccPoint parse(ByteInputStream byteInputStream) throws IOException {
            return new TpmsEccPoint(new ByteArray(byteInputStream.read(byteInputStream.readUnsignedShort())), new ByteArray(byteInputStream.read(byteInputStream.readUnsignedShort())));
        }

        @Generated
        public TpmsEccPoint(ByteArray byteArray, ByteArray byteArray2) {
            this.x = byteArray;
            this.y = byteArray2;
        }

        @Generated
        public ByteArray getX() {
            return this.x;
        }

        @Generated
        public ByteArray getY() {
            return this.y;
        }

        @Generated
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof TpmsEccPoint)) {
                return false;
            }
            TpmsEccPoint tpmsEccPoint = (TpmsEccPoint) obj;
            ByteArray x = getX();
            ByteArray x2 = tpmsEccPoint.getX();
            if (x == null) {
                if (x2 != null) {
                    return false;
                }
            } else if (!x.equals(x2)) {
                return false;
            }
            ByteArray y = getY();
            ByteArray y2 = tpmsEccPoint.getY();
            return y == null ? y2 == null : y.equals(y2);
        }

        @Generated
        public int hashCode() {
            ByteArray x = getX();
            int hashCode = (1 * 59) + (x == null ? 43 : x.hashCode());
            ByteArray y = getY();
            return (hashCode * 59) + (y == null ? 43 : y.hashCode());
        }

        @Generated
        public String toString() {
            return "TpmAttestationStatementVerifier.TpmsEccPoint(x=" + getX() + ", y=" + getY() + ")";
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$TpmsRsaParms.class */
    public static final class TpmsRsaParms implements Parameters {
        private final long exponent;

        /* JADX INFO: Access modifiers changed from: private */
        public static TpmsRsaParms parse(ByteInputStream byteInputStream) throws IOException {
            int readUnsignedShort = byteInputStream.readUnsignedShort();
            ExceptionUtil.assertTrue(readUnsignedShort == TpmAttestationStatementVerifier.TPM_ALG_NULL, "RSA key is expected to have \"symmetric\" set to TPM_ALG_NULL, was: 0x%04x", new Object[]{Integer.valueOf(readUnsignedShort)});
            int readUnsignedShort2 = byteInputStream.readUnsignedShort();
            ExceptionUtil.assertTrue(readUnsignedShort2 == 20 || readUnsignedShort2 == TpmAttestationStatementVerifier.TPM_ALG_NULL, "RSA key is expected to have \"scheme\" set to TPM_ALG_RSASSA or TPM_ALG_NULL, was: 0x%04x", new Object[]{Integer.valueOf(readUnsignedShort2)});
            byteInputStream.skipBytes(2);
            int readInt = byteInputStream.readInt();
            ExceptionUtil.assertTrue(readInt >= 0, "Exponent is too large and wrapped around to negative: %d", new Object[]{Integer.valueOf(readInt)});
            if (readInt == 0) {
                readInt = 65537;
            }
            return new TpmsRsaParms(readInt);
        }

        @Generated
        public TpmsRsaParms(long j) {
            this.exponent = j;
        }

        @Generated
        public long getExponent() {
            return this.exponent;
        }

        @Generated
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            return (obj instanceof TpmsRsaParms) && getExponent() == ((TpmsRsaParms) obj).getExponent();
        }

        @Generated
        public int hashCode() {
            long exponent = getExponent();
            return (1 * 59) + ((int) ((exponent >>> 32) ^ exponent));
        }

        @Generated
        public String toString() {
            return "TpmAttestationStatementVerifier.TpmsRsaParms(exponent=" + getExponent() + ")";
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$TpmtPublic.class */
    public static final class TpmtPublic {
        private final int signAlg;
        private final int nameAlg;
        private final Parameters parameters;
        private final Unique unique;
        private final ByteArray rawBytes;

        /* JADX INFO: Access modifiers changed from: private */
        public static TpmtPublic parse(byte[] bArr) throws IOException {
            Parameters parse;
            Unique parse2;
            ByteInputStream byteInputStream = new ByteInputStream(bArr);
            try {
                int readUnsignedShort = byteInputStream.readUnsignedShort();
                int readUnsignedShort2 = byteInputStream.readUnsignedShort();
                int readInt = byteInputStream.readInt();
                ExceptionUtil.assertTrue((readInt & (-462071)) == 0, "Attributes contains 1 bits in reserved position(s): 0x%08x", new Object[]{Integer.valueOf(readInt)});
                byteInputStream.skipBytes(byteInputStream.readUnsignedShort());
                ExceptionUtil.assertTrue((readInt & 262144) == 262144, "Public key is expected to have the SIGN_ENCRYPT attribute set, attributes were: 0x%08x", new Object[]{Integer.valueOf(readInt)});
                if (readUnsignedShort == 1) {
                    parse = TpmsRsaParms.parse(byteInputStream);
                    parse2 = Tpm2bPublicKeyRsa.parse(byteInputStream);
                } else {
                    if (readUnsignedShort != 35) {
                        throw new UnsupportedOperationException("Signing algorithm not implemented: " + readUnsignedShort);
                    }
                    parse = TpmsEccParms.parse(byteInputStream);
                    parse2 = TpmsEccPoint.parse(byteInputStream);
                }
                ExceptionUtil.assertTrue(byteInputStream.available() == 0, "%d remaining bytes in TPMT_PUBLIC buffer", new Object[]{Integer.valueOf(byteInputStream.available())});
                TpmtPublic tpmtPublic = new TpmtPublic(readUnsignedShort, readUnsignedShort2, parse, parse2, new ByteArray(bArr));
                byteInputStream.close();
                return tpmtPublic;
            } catch (Throwable th) {
                try {
                    byteInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public ByteArray name() {
            ByteArray sha1;
            switch (this.nameAlg) {
                case 4:
                    try {
                        sha1 = Crypto.sha1(this.rawBytes);
                        break;
                    } catch (NoSuchAlgorithmException e) {
                        throw new RuntimeException("Failed to hash TPMU_ATTEST name.", e);
                    }
                case 5:
                case 6:
                case 7:
                case 8:
                case 9:
                case 10:
                default:
                    throw new IllegalArgumentException("Unknown hash algorithm identifier: " + this.nameAlg);
                case 11:
                    sha1 = Crypto.sha256(this.rawBytes);
                    break;
                case 12:
                    sha1 = Crypto.sha384(this.rawBytes);
                    break;
                case 13:
                    sha1 = Crypto.sha512(this.rawBytes);
                    break;
            }
            return new ByteArray(BinaryUtil.encodeUint16(this.nameAlg)).concat(sha1);
        }

        @Generated
        public TpmtPublic(int i, int i2, Parameters parameters, Unique unique, ByteArray byteArray) {
            this.signAlg = i;
            this.nameAlg = i2;
            this.parameters = parameters;
            this.unique = unique;
            this.rawBytes = byteArray;
        }

        @Generated
        public int getSignAlg() {
            return this.signAlg;
        }

        @Generated
        public int getNameAlg() {
            return this.nameAlg;
        }

        @Generated
        public Parameters getParameters() {
            return this.parameters;
        }

        @Generated
        public Unique getUnique() {
            return this.unique;
        }

        @Generated
        public ByteArray getRawBytes() {
            return this.rawBytes;
        }

        @Generated
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof TpmtPublic)) {
                return false;
            }
            TpmtPublic tpmtPublic = (TpmtPublic) obj;
            if (getSignAlg() != tpmtPublic.getSignAlg() || getNameAlg() != tpmtPublic.getNameAlg()) {
                return false;
            }
            Parameters parameters = getParameters();
            Parameters parameters2 = tpmtPublic.getParameters();
            if (parameters == null) {
                if (parameters2 != null) {
                    return false;
                }
            } else if (!parameters.equals(parameters2)) {
                return false;
            }
            Unique unique = getUnique();
            Unique unique2 = tpmtPublic.getUnique();
            if (unique == null) {
                if (unique2 != null) {
                    return false;
                }
            } else if (!unique.equals(unique2)) {
                return false;
            }
            ByteArray rawBytes = getRawBytes();
            ByteArray rawBytes2 = tpmtPublic.getRawBytes();
            return rawBytes == null ? rawBytes2 == null : rawBytes.equals(rawBytes2);
        }

        @Generated
        public int hashCode() {
            int signAlg = (((1 * 59) + getSignAlg()) * 59) + getNameAlg();
            Parameters parameters = getParameters();
            int hashCode = (signAlg * 59) + (parameters == null ? 43 : parameters.hashCode());
            Unique unique = getUnique();
            int hashCode2 = (hashCode * 59) + (unique == null ? 43 : unique.hashCode());
            ByteArray rawBytes = getRawBytes();
            return (hashCode2 * 59) + (rawBytes == null ? 43 : rawBytes.hashCode());
        }

        @Generated
        public String toString() {
            return "TpmAttestationStatementVerifier.TpmtPublic(signAlg=" + getSignAlg() + ", nameAlg=" + getNameAlg() + ", parameters=" + getParameters() + ", unique=" + getUnique() + ", rawBytes=" + getRawBytes() + ")";
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yubico/webauthn/TpmAttestationStatementVerifier$Unique.class */
    public interface Unique {
    }

    @Override // com.yubico.webauthn.AttestationStatementVerifier
    public AttestationType getAttestationType(AttestationObject attestationObject) {
        return AttestationType.ATTESTATION_CA;
    }

    @Override // com.yubico.webauthn.AttestationStatementVerifier
    public boolean verifyAttestationSignature(AttestationObject attestationObject, ByteArray byteArray) {
        ObjectNode attestationStatement = attestationObject.getAttestationStatement();
        JsonNode jsonNode = attestationStatement.get("ver");
        ExceptionUtil.assertTrue(jsonNode != null && jsonNode.isTextual() && jsonNode.textValue().equals(TPM_VER), "attStmt.ver must equal \"%s\", was: %s", new Object[]{TPM_VER, jsonNode});
        JsonNode jsonNode2 = attestationStatement.get("alg");
        ExceptionUtil.assertTrue(jsonNode2 != null && jsonNode2.canConvertToLong(), "attStmt.alg must be set to an integer value, was: %s", new Object[]{jsonNode2});
        COSEAlgorithmIdentifier orElseThrow = COSEAlgorithmIdentifier.fromId(jsonNode2.longValue()).orElseThrow(() -> {
            return new IllegalArgumentException("Unknown COSE algorithm identifier: " + jsonNode2);
        });
        JsonNode jsonNode3 = attestationStatement.get("x5c");
        ExceptionUtil.assertTrue(jsonNode3 != null && jsonNode3.isArray(), "attStmt.x5c must be set to an array value, was: %s", new Object[]{jsonNode3});
        try {
            X509Certificate x509Certificate = getAttestationTrustPath(attestationObject).orElseThrow(() -> {
                return new IllegalArgumentException("Failed to parse \"x5c\" attestation certificate chain in \"tpm\" attestation statement.");
            }).get(0);
            JsonNode jsonNode4 = attestationStatement.get("sig");
            ExceptionUtil.assertTrue(jsonNode4 != null && jsonNode4.isBinary(), "attStmt.sig must be set to a binary value, was: %s", new Object[]{jsonNode4});
            try {
                ByteArray byteArray2 = new ByteArray(jsonNode4.binaryValue());
                JsonNode jsonNode5 = attestationStatement.get("certInfo");
                ExceptionUtil.assertTrue(jsonNode5 != null && jsonNode5.isBinary(), "attStmt.certInfo must be set to a binary value, was: %s", new Object[]{jsonNode5});
                JsonNode jsonNode6 = attestationStatement.get("pubArea");
                ExceptionUtil.assertTrue(jsonNode6 != null && jsonNode6.isBinary(), "attStmt.pubArea must be set to a binary value, was: %s", new Object[]{jsonNode6});
                try {
                    TpmtPublic parse = TpmtPublic.parse(jsonNode6.binaryValue());
                    try {
                        TpmsAttest parse2 = TpmsAttest.parse(jsonNode5.binaryValue());
                        try {
                            verifyPublicKeysMatch(attestationObject, parse);
                            try {
                                validateCertInfo(orElseThrow, x509Certificate, byteArray2, parse, parse2, attestationObject.getAuthenticatorData().getBytes().concat(byteArray), attestationObject);
                                return true;
                            } catch (CertificateParsingException e) {
                                throw new RuntimeException("Failed to verify TPM attestation.", e);
                            }
                        } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e2) {
                            throw new RuntimeException("Failed to verify that public key in TPM attestation matches public key in authData.", e2);
                        }
                    } catch (IOException e3) {
                        throw new RuntimeException("Failed to parse TPMS_ATTEST data structure.", e3);
                    }
                } catch (IOException e4) {
                    throw new RuntimeException("Failed to parse TPMT_PUBLIC data structure.", e4);
                }
            } catch (IOException e5) {
                throw new RuntimeException(e5);
            }
        } catch (CertificateException e6) {
            throw new RuntimeException(e6);
        }
    }

    private void validateCertInfo(COSEAlgorithmIdentifier cOSEAlgorithmIdentifier, X509Certificate x509Certificate, ByteArray byteArray, TpmtPublic tpmtPublic, TpmsAttest tpmsAttest, ByteArray byteArray2, AttestationObject attestationObject) throws CertificateParsingException {
        ByteArray sha1;
        switch (cOSEAlgorithmIdentifier) {
            case ES256:
            case RS256:
                sha1 = Crypto.sha256(byteArray2);
                break;
            case ES384:
            case RS384:
                sha1 = Crypto.sha384(byteArray2);
                break;
            case ES512:
            case RS512:
                sha1 = Crypto.sha512(byteArray2);
                break;
            case RS1:
                try {
                    sha1 = Crypto.sha1(byteArray2);
                    break;
                } catch (NoSuchAlgorithmException e) {
                    throw new RuntimeException("Failed to hash attToBeSigned to verify TPM attestation.", e);
                }
            default:
                throw new UnsupportedOperationException("Signing algorithm not implemented: " + cOSEAlgorithmIdentifier);
        }
        ExceptionUtil.assertTrue(tpmsAttest.extraData.equals(sha1), "Incorrect certInfo.extraData.", new Object[0]);
        ExceptionUtil.assertTrue(tpmsAttest.attestedName.equals(tpmtPublic.name()), "Incorrect certInfo.attestedName.", new Object[0]);
        ExceptionUtil.assertTrue(Crypto.verifySignature(x509Certificate, tpmsAttest.getRawBytes(), byteArray, cOSEAlgorithmIdentifier), "Incorrect TPM attestation signature.", new Object[0]);
        verifyX5cRequirements(x509Certificate, attestationObject.getAuthenticatorData().getAttestedCredentialData().get().getAaguid());
    }

    private void verifyPublicKeysMatch(AttestationObject attestationObject, TpmtPublic tpmtPublic) throws IOException, InvalidKeySpecException, NoSuchAlgorithmException {
        COSEAlgorithmIdentifier cOSEAlgorithmIdentifier;
        PublicKey importCosePublicKey = WebAuthnCodecs.importCosePublicKey(attestationObject.getAuthenticatorData().getAttestedCredentialData().get().getCredentialPublicKey());
        switch (tpmtPublic.signAlg) {
            case 1:
                ExceptionUtil.assertTrue(Arrays.equals(importCosePublicKey.getEncoded(), KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger(1, ((Tpm2bPublicKeyRsa) tpmtPublic.unique).bytes.getBytes()), BigInteger.valueOf(((TpmsRsaParms) tpmtPublic.parameters).exponent))).getEncoded()), "Signed public key in TPM attestation is not identical to credential public key in authData.", new Object[0]);
                return;
            case 35:
                TpmsEccParms tpmsEccParms = (TpmsEccParms) tpmtPublic.parameters;
                TpmsEccPoint tpmsEccPoint = (TpmsEccPoint) tpmtPublic.unique;
                COSEAlgorithmIdentifier cOSEAlgorithmIdentifier2 = COSEAlgorithmIdentifier.fromPublicKey(attestationObject.getAuthenticatorData().getAttestedCredentialData().get().getCredentialPublicKey()).get();
                CBORObject DecodeFromBytes = CBORObject.DecodeFromBytes(attestationObject.getAuthenticatorData().getAttestedCredentialData().get().getCredentialPublicKey().getBytes());
                switch (tpmsEccParms.curve_id) {
                    case 3:
                        cOSEAlgorithmIdentifier = COSEAlgorithmIdentifier.ES256;
                        break;
                    case 4:
                        cOSEAlgorithmIdentifier = COSEAlgorithmIdentifier.ES384;
                        break;
                    case 5:
                        cOSEAlgorithmIdentifier = COSEAlgorithmIdentifier.ES512;
                        break;
                    default:
                        throw new UnsupportedOperationException("Unsupported elliptic curve: " + tpmsEccParms.curve_id);
                }
                ExceptionUtil.assertTrue(cOSEAlgorithmIdentifier2.equals(cOSEAlgorithmIdentifier), "Signed public key in TPM attestation is not identical to credential public key in authData; elliptic curve differs: %s != %s", new Object[]{cOSEAlgorithmIdentifier, cOSEAlgorithmIdentifier2});
                byte[] GetByteString = DecodeFromBytes.get(CBORObject.FromObject(-2)).GetByteString();
                byte[] GetByteString2 = DecodeFromBytes.get(CBORObject.FromObject(-3)).GetByteString();
                ExceptionUtil.assertTrue(new BigInteger(1, tpmsEccPoint.x.getBytes()).equals(new BigInteger(1, GetByteString)), "Signed public key in TPM attestation is not identical to credential public key in authData; EC X coordinate differs: %s != %s", new Object[]{tpmsEccPoint.x, new ByteArray(GetByteString)});
                ExceptionUtil.assertTrue(new BigInteger(1, tpmsEccPoint.y.getBytes()).equals(new BigInteger(1, GetByteString2)), "Signed public key in TPM attestation is not identical to credential public key in authData; EC Y coordinate differs: %s != %s", new Object[]{tpmsEccPoint.y, new ByteArray(GetByteString2)});
                return;
            default:
                throw new UnsupportedOperationException("Unsupported algorithm for credential public key: " + tpmtPublic.signAlg);
        }
    }

    private void verifyX5cRequirements(X509Certificate x509Certificate, ByteArray byteArray) throws CertificateParsingException {
        ExceptionUtil.assertTrue(x509Certificate.getVersion() == 3, "Invalid TPM attestation certificate: Version MUST be 3, but was: %s", new Object[]{Integer.valueOf(x509Certificate.getVersion())});
        ExceptionUtil.assertTrue(x509Certificate.getSubjectX500Principal().getName().isEmpty(), "Invalid TPM attestation certificate: subject MUST be empty, but was: %s", new Object[]{x509Certificate.getSubjectX500Principal()});
        boolean z = false;
        boolean z2 = false;
        boolean z3 = false;
        for (List<?> list : x509Certificate.getSubjectAlternativeNames()) {
            if (((Integer) list.get(0)).intValue() == 4) {
                if (list.get(1) instanceof String) {
                    try {
                        Iterator it = new LdapName((String) list.get(1)).getRdns().iterator();
                        while (it.hasNext()) {
                            javax.naming.directory.Attributes attributes = ((Rdn) it.next()).toAttributes();
                            z = z || attributes.get(OID_TCG_AT_TPM_MANUFACTURER) != null;
                            z2 = z2 || attributes.get(OID_TCG_AT_TPM_MODEL) != null;
                            z3 = z3 || attributes.get(OID_TCG_AT_TPM_VERSION) != null;
                        }
                    } catch (InvalidNameException e) {
                        throw new RuntimeException("Failed to decode subject alternative name in TPM attestation cert", e);
                    }
                } else {
                    log.debug("Unknown type of SubjectAlternativeNames entry: {}", list.get(1));
                }
            }
        }
        boolean z4 = z && z2 && z3;
        Object[] objArr = new Object[3];
        objArr[0] = z ? "" : " Missing TPM manufacturer.";
        objArr[1] = z2 ? "" : " Missing TPM model.";
        objArr[2] = z3 ? "" : " Missing TPM version.";
        ExceptionUtil.assertTrue(z4, "Invalid TPM attestation certificate: The Subject Alternative Name extension MUST be set as defined in [TPMv2-EK-Profile] section 3.2.9.%s%s%s", objArr);
        ExceptionUtil.assertTrue(x509Certificate.getExtendedKeyUsage() != null && x509Certificate.getExtendedKeyUsage().contains("2.23.133.8.3"), "Invalid TPM attestation certificate: extended key usage extension MUST contain the OID 2.23.133.8.3, but was: %s", new Object[]{x509Certificate.getExtendedKeyUsage()});
        ExceptionUtil.assertTrue(x509Certificate.getBasicConstraints() == -1, "Invalid TPM attestation certificate: MUST NOT be a CA certificate, but was.", new Object[0]);
        CertificateParser.parseFidoAaguidExtension(x509Certificate).ifPresent(bArr -> {
            ExceptionUtil.assertTrue(Arrays.equals(byteArray.getBytes(), bArr), "Invalid TPM attestation certificate: X.509 extension \"id-fido-gen-ce-aaguid\" is present but does not match the authenticator AAGUID.", new Object[0]);
        });
    }
}
