package duo.labs.webauthn;

import android.content.Context;
import android.content.DialogInterface;
import android.hardware.biometrics.BiometricPrompt;
import android.os.CancellationSignal;
import android.util.Pair;
import citrix.android.util.Log;
import com.google.common.primitives.SignedBytes;
import duo.labs.webauthn.exceptions.ConstraintError;
import duo.labs.webauthn.exceptions.InvalidStateError;
import duo.labs.webauthn.exceptions.NotAllowedError;
import duo.labs.webauthn.exceptions.NotSupportedError;
import duo.labs.webauthn.exceptions.UnknownError;
import duo.labs.webauthn.exceptions.VirgilException;
import duo.labs.webauthn.exceptions.WebAuthnException;
import duo.labs.webauthn.models.AttestationObject;
import duo.labs.webauthn.models.AuthenticatorGetAssertionOptions;
import duo.labs.webauthn.models.AuthenticatorGetAssertionResult;
import duo.labs.webauthn.models.AuthenticatorMakeCredentialOptions;
import duo.labs.webauthn.models.NoneAttestationObject;
import duo.labs.webauthn.models.PublicKeyCredentialDescriptor;
import duo.labs.webauthn.models.PublicKeyCredentialSource;
import duo.labs.webauthn.util.BiometricGetAssertionCallback;
import duo.labs.webauthn.util.BiometricMakeCredentialCallback;
import duo.labs.webauthn.util.CredentialSafe;
import duo.labs.webauthn.util.CredentialSelector;
import duo.labs.webauthn.util.WebAuthnCryptography;
import java.nio.ByteBuffer;
import java.security.Signature;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.Exchanger;

/* loaded from: classes4.dex */
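/**
 * Software WebAuthn authenticator: creates credentials through {@link CredentialSafe} and
 * signs assertions with them, optionally gated by an Android {@link BiometricPrompt}.
 *
 * <p>Threading: the biometric code paths in {@link #getAssertion} and {@link #makeCredential}
 * block on an {@link Exchanger} while the prompt callbacks are dispatched on the main executor.
 * Calling them from the main thread would therefore block the thread the callbacks need; call
 * them from a background thread. The wait has no timeout.
 */
public class Authenticator {
    // Decompiler artefact of the original class's `assert` support; kept so the class layout is unchanged.
    static final /* synthetic */ boolean $assertionsDisabled = false;
    public static final int AUTHENTICATOR_DATA_LENGTH = 141;
    // COSE algorithm identifier -7 is ES256 (ECDSA with SHA-256).
    private static final Pair<String, Long> ES256_COSE = new Pair<>(PublicKeyCredentialSource.type, -7L);
    public static final int SHA_LENGTH = 32;
    private static final String TAG = "WebauthnAuthenticator";

    // Authenticator-data flag bits (WebAuthn "flags" byte).
    private static final int FLAG_USER_PRESENT = 0x01;
    private static final int FLAG_USER_VERIFIED = 0x04;
    private static final int FLAG_ATTESTED_CREDENTIAL_DATA = 0x40;
    // rpIdHash (32) + flags (1) + signature counter (4).
    private static final int AUTHENTICATOR_DATA_HEADER_LENGTH = SHA_LENGTH + 1 + 4;
    // AAGUID (16, left as zeroes) + credential id length prefix (2).
    private static final int AAGUID_LENGTH = 16;
    private static final int CREDENTIAL_ID_LENGTH_PREFIX = 2;

    CredentialSafe credentialSafe;
    WebAuthnCryptography cryptoProvider;

    /**
     * Builds the credential store and the crypto provider bound to it.
     *
     * @param context Android context handed to {@link CredentialSafe}
     * @param z       forwarded to {@link CredentialSafe}; its meaning is not visible in this file
     * @param z2      forwarded to {@link CredentialSafe}; its meaning is not visible in this file
     * @throws VirgilException if the credential store cannot be created
     */
    public Authenticator(Context context, boolean z, boolean z2) throws VirgilException {
        this.credentialSafe = new CredentialSafe(context, z, z2);
        this.cryptoProvider = new WebAuthnCryptography(this.credentialSafe);
    }

    /**
     * Signs {@code authenticatorData || clientDataHash} with the credential's private key and
     * returns an attestation object built from the authenticator data alone.
     *
     * <p>NOTE(review): the signature bytes are discarded and a {@link NoneAttestationObject} is
     * returned, so the relying party receives no attestation statement it could verify. The
     * signing call is kept because it exercises the supplied {@link Signature} (presumably the
     * one unlocked by the biometric prompt) - confirm before removing it.
     */
    private AttestationObject constructAttestationObject(byte[] authenticatorData, byte[] clientDataHash, String keyPairAlias, Signature signature) throws VirgilException {
        ByteBuffer toSign = ByteBuffer.allocate(authenticatorData.length + clientDataHash.length);
        toSign.put(authenticatorData);
        toSign.put(clientDataHash);
        this.cryptoProvider.performSignature(this.credentialSafe.getKeyPairByAlias(keyPairAlias).getPrivate(), toSign.array(), signature);
        return new NoneAttestationObject(authenticatorData);
    }

    /**
     * Serialises the attested credential data: 16 zero bytes where the AAGUID goes, a 16-bit
     * credential id length, the credential id, and the COSE-encoded public key.
     */
    private byte[] constructAttestedCredentialData(PublicKeyCredentialSource credentialSource) throws VirgilException {
        byte[] cosePublicKey = CredentialSafe.coseEncodePublicKey(this.credentialSafe.getKeyPairByAlias(credentialSource.keyPairAlias).getPublic());
        ByteBuffer buffer = ByteBuffer.allocate(AAGUID_LENGTH + CREDENTIAL_ID_LENGTH_PREFIX + credentialSource.id.length + cosePublicKey.length);
        // Skip the AAGUID field; a freshly allocated buffer is zero-filled.
        buffer.position(AAGUID_LENGTH);
        buffer.putShort((short) credentialSource.id.length);
        buffer.put(credentialSource.id);
        buffer.put(cosePublicKey);
        return buffer.array();
    }

    /**
     * Serialises authenticator data: rpIdHash, flags byte, signature counter and, when present,
     * the attested credential data.
     *
     * <p>NOTE(review): the user-present bit is set unconditionally and the user-verified bit
     * mirrors {@code credentialSafe.supportsUserVerification()}, not whether a biometric prompt
     * was completed for this particular call. {@link #getAssertion} reaches this method without a
     * prompt when neither the options nor the key require verification, so relying parties should
     * not read these bits as proof of a per-ceremony gesture until that is confirmed.
     *
     * @throws VirgilException if {@code rpIdHash} is not {@link #SHA_LENGTH} bytes long
     */
    private byte[] constructAuthenticatorData(byte[] rpIdHash, byte[] attestedCredentialData, int signCount) throws VirgilException {
        if (rpIdHash.length != SHA_LENGTH) {
            throw new VirgilException("rpIdHash must be a 32-byte SHA-256 hash");
        }
        int flags = FLAG_USER_PRESENT;
        if (this.credentialSafe.supportsUserVerification()) {
            flags |= FLAG_USER_VERIFIED;
        }
        if (attestedCredentialData != null) {
            flags |= FLAG_ATTESTED_CREDENTIAL_DATA;
        }
        int attestedLength = attestedCredentialData == null ? 0 : attestedCredentialData.length;
        ByteBuffer buffer = ByteBuffer.allocate(AUTHENTICATOR_DATA_HEADER_LENGTH + attestedLength);
        buffer.put(rpIdHash);
        buffer.put((byte) flags);
        buffer.putInt(signCount);
        if (attestedCredentialData != null) {
            buffer.put(attestedCredentialData);
        }
        return buffer.array();
    }

    /**
     * Produces an assertion for the relying party named in the options.
     *
     * <p>Candidate credentials are those stored for {@code rpId}, narrowed to the allow list when
     * one is supplied. A single candidate is used directly; several are passed to
     * {@code credentialSelector}. If neither the options nor the key require user verification the
     * assertion is signed immediately, otherwise a biometric prompt is shown and this call blocks
     * until its callback delivers a result.
     *
     * @param context            needed only when user verification is required
     * @param cancellationSignal optional; a fresh one is created when {@code null}
     * @param str                title shown on the biometric prompt
     * @throws UnknownError     if the options are not well-formed
     * @throws NotAllowedError  if no credential matches or biometric authentication fails
     * @throws VirgilException  if no credential is selected, a context is missing, or the wait
     *                          for the prompt is interrupted
     */
    public AuthenticatorGetAssertionResult getAssertion(AuthenticatorGetAssertionOptions authenticatorGetAssertionOptions, CredentialSelector credentialSelector, Context context, CancellationSignal cancellationSignal, String str) throws WebAuthnException, VirgilException {
        if (!authenticatorGetAssertionOptions.areWellFormed()) {
            Log.w(TAG, "GetAssertion Options are not syntactically well-formed.");
            throw new UnknownError();
        }

        List<PublicKeyCredentialSource> candidates = this.credentialSafe.getKeysForEntity(authenticatorGetAssertionOptions.rpId);
        // Guard against a null lookup result before filtering, so it ends in NotAllowedError below
        // instead of a NullPointerException.
        if (candidates != null && authenticatorGetAssertionOptions.allowCredentialDescriptorList != null && authenticatorGetAssertionOptions.allowCredentialDescriptorList.size() > 0) {
            // byte[] has identity equality; wrapping in ByteBuffer gives content-based equals/hashCode.
            HashSet<ByteBuffer> allowedIds = new HashSet<>();
            for (PublicKeyCredentialDescriptor descriptor : authenticatorGetAssertionOptions.allowCredentialDescriptorList) {
                allowedIds.add(ByteBuffer.wrap(descriptor.id));
            }
            List<PublicKeyCredentialSource> permitted = new ArrayList<>();
            for (PublicKeyCredentialSource candidate : candidates) {
                if (allowedIds.contains(ByteBuffer.wrap(candidate.id))) {
                    permitted.add(candidate);
                }
            }
            candidates = permitted;
        }
        if (candidates == null || candidates.size() == 0) {
            Log.i(TAG, "No credentials for this RpId exist");
            throw new NotAllowedError();
        }

        PublicKeyCredentialSource selected;
        if (candidates.size() == 1) {
            selected = candidates.get(0);
        } else {
            selected = credentialSelector.selectFrom(candidates);
            if (selected == null) {
                throw new VirgilException("User did not select credential");
            }
        }

        boolean keyRequiresVerification = this.credentialSafe.keyRequiresVerification(selected.keyPairAlias);
        if (!authenticatorGetAssertionOptions.requireUserVerification && !keyRequiresVerification) {
            // No prompt on this path: the assertion is produced without any user interaction.
            return getInternalAssertion(authenticatorGetAssertionOptions, selected);
        }
        if (context == null) {
            throw new VirgilException("User Verification requires passing a context to getAssertion");
        }

        Exchanger<AuthenticatorGetAssertionResult> exchanger = new Exchanger<>();
        final BiometricGetAssertionCallback biometricGetAssertionCallback = new BiometricGetAssertionCallback(this, authenticatorGetAssertionOptions, selected, exchanger);
        BiometricPrompt prompt = new BiometricPrompt.Builder(context).setTitle(str).setDescription("Username: " + selected.userDisplayName).setNegativeButton("Cancel", citrix.android.content.Context.getMainExecutor(context), new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialogInterface, int i) {
                biometricGetAssertionCallback.onAuthenticationCancelled();
            }
        }).build();
        // Binding the Signature to the prompt means the key operation is tied to this authentication.
        BiometricPrompt.CryptoObject cryptoObject = new BiometricPrompt.CryptoObject(WebAuthnCryptography.generateSignatureObject(this.credentialSafe.getKeyPairByAlias(selected.keyPairAlias).getPrivate()));
        CancellationSignal signal = cancellationSignal != null ? cancellationSignal : new CancellationSignal();
        prompt.authenticate(cryptoObject, signal, citrix.android.content.Context.getMainExecutor(context), biometricGetAssertionCallback);

        try {
            // Blocks until the callback hands over its result; null is treated as failure.
            AuthenticatorGetAssertionResult result = exchanger.exchange(null);
            if (result != null) {
                return result;
            }
            Log.w(TAG, "Biometric Authentication failed.");
            throw new NotAllowedError();
        } catch (InterruptedException e) {
            // Restore the interrupt flag so callers further up can still observe the interruption.
            Thread.currentThread().interrupt();
            Log.w(TAG, "Could not retrieve attestationObject from BiometricPrompt", e);
            throw new VirgilException("Could not retrieve attestationObject from BiometricPrompt", e);
        }
    }

    /**
     * Convenience overload without a context or cancellation signal; it fails with
     * {@link VirgilException} if the selected credential turns out to need user verification.
     */
    public AuthenticatorGetAssertionResult getAssertion(AuthenticatorGetAssertionOptions authenticatorGetAssertionOptions, CredentialSelector credentialSelector, String str) throws WebAuthnException, VirgilException {
        return getAssertion(authenticatorGetAssertionOptions, credentialSelector, null, null, str);
    }

    /** Signs an assertion without a caller-supplied {@link Signature} object. */
    public AuthenticatorGetAssertionResult getInternalAssertion(AuthenticatorGetAssertionOptions authenticatorGetAssertionOptions, PublicKeyCredentialSource publicKeyCredentialSource) throws WebAuthnException, VirgilException {
        return getInternalAssertion(authenticatorGetAssertionOptions, publicKeyCredentialSource, null);
    }

    /**
     * Builds authenticator data for the credential, signs {@code authenticatorData || clientDataHash}
     * and returns the assertion result.
     *
     * <p>The credential's use counter is incremented before signing, so a failed signature still
     * consumes a counter value. This method performs no user-verification check of its own; it is
     * public, so any caller holding a {@link PublicKeyCredentialSource} can request a signature.
     *
     * @param signature signature object to use, or {@code null}; passed through to the crypto provider
     * @throws UnknownError if anything fails while building or signing the assertion
     */
    public AuthenticatorGetAssertionResult getInternalAssertion(AuthenticatorGetAssertionOptions authenticatorGetAssertionOptions, PublicKeyCredentialSource publicKeyCredentialSource, Signature signature) throws WebAuthnException, VirgilException {
        try {
            byte[] rpIdHash = WebAuthnCryptography.sha256(authenticatorGetAssertionOptions.rpId);
            int signCount = this.credentialSafe.incrementCredentialUseCounter(publicKeyCredentialSource);
            byte[] authenticatorData = constructAuthenticatorData(rpIdHash, null, signCount);

            ByteBuffer toSign = ByteBuffer.allocate(authenticatorData.length + authenticatorGetAssertionOptions.clientDataHash.length);
            toSign.put(authenticatorData);
            toSign.put(authenticatorGetAssertionOptions.clientDataHash);

            byte[] signatureBytes = this.cryptoProvider.performSignature(this.credentialSafe.getKeyPairByAlias(publicKeyCredentialSource.keyPairAlias).getPrivate(), toSign.array(), signature);
            Log.d(TAG, "Performed signature using credential keyPairAlias: " + publicKeyCredentialSource.keyPairAlias);
            return new AuthenticatorGetAssertionResult(publicKeyCredentialSource.id, authenticatorData, signatureBytes, publicKeyCredentialSource.userHandle);
        } catch (Exception e) {
            // Every failure is collapsed into UnknownError; the detail is only in the log.
            Log.w(TAG, "Exception occurred while generating assertion", e);
            throw new UnknownError();
        }
    }

    /**
     * Convenience overload for stores without user verification.
     *
     * @throws VirgilException if the credential store supports user verification, because the
     *                         biometric prompt needs a context
     */
    public AttestationObject makeCredential(AuthenticatorMakeCredentialOptions authenticatorMakeCredentialOptions) throws WebAuthnException, VirgilException {
        if (this.credentialSafe.supportsUserVerification()) {
            throw new VirgilException("User Verification requires passing a context to makeCredential");
        }
        return makeCredential(authenticatorMakeCredentialOptions, null, null, null);
    }

    /**
     * Creates a new ES256 credential for the relying party and user in the options and returns its
     * attestation object.
     *
     * <p>The exclude list is evaluated up front but only acted on after the credential has been
     * generated and, where applicable, the biometric prompt has completed (presumably so the
     * outcome does not reveal an existing credential before the user has interacted - confirm).
     * A credential generated during a call that ends in failure is deleted again, so no unused
     * key is left behind in the store.
     *
     * @param context            needed when the credential store supports user verification
     * @param cancellationSignal optional; a fresh one is created when {@code null}
     * @param str                title shown on the biometric prompt
     * @throws UnknownError       if the options are not well-formed or credential creation fails
     * @throws NotSupportedError  if ES256 is not among the requested algorithms
     * @throws ConstraintError    if user verification is required but unavailable
     * @throws NotAllowedError    if biometric authentication fails
     * @throws InvalidStateError  if an excluded credential already exists for this relying party
     */
    public AttestationObject makeCredential(AuthenticatorMakeCredentialOptions authenticatorMakeCredentialOptions, Context context, CancellationSignal cancellationSignal, String str) throws WebAuthnException, VirgilException {
        if (!authenticatorMakeCredentialOptions.areWellFormed()) {
            Log.w(TAG, "Credential Options are not syntactically well-formed.");
            throw new UnknownError();
        }
        if (!authenticatorMakeCredentialOptions.credTypesAndPubKeyAlgs.contains(ES256_COSE)) {
            Log.w(TAG, "only ES256 is supported");
            throw new NotSupportedError();
        }

        boolean excluded = false;
        if (authenticatorMakeCredentialOptions.excludeCredentialDescriptorList != null) {
            for (PublicKeyCredentialDescriptor descriptor : authenticatorMakeCredentialOptions.excludeCredentialDescriptorList) {
                PublicKeyCredentialSource existing = this.credentialSafe.getCredentialSourceById(descriptor.id);
                if (existing != null && existing.rpId.equals(authenticatorMakeCredentialOptions.rpEntity.id) && PublicKeyCredentialSource.type.equals(descriptor.type)) {
                    excluded = true;
                }
            }
        }
        if (authenticatorMakeCredentialOptions.requireUserVerification && !this.credentialSafe.supportsUserVerification()) {
            Log.w(TAG, "user verification required but not available");
            throw new ConstraintError();
        }

        PublicKeyCredentialSource credentialSource = null;
        boolean succeeded = false;
        try {
            credentialSource = this.credentialSafe.generateCredential(authenticatorMakeCredentialOptions.rpEntity.id, authenticatorMakeCredentialOptions.userEntity.id, authenticatorMakeCredentialOptions.userEntity.name);
            AttestationObject attestation;
            if (!this.credentialSafe.supportsUserVerification()) {
                attestation = makeInternalCredential(authenticatorMakeCredentialOptions, credentialSource);
            } else {
                if (context == null) {
                    throw new VirgilException("User Verification requires passing a context to makeCredential");
                }
                Exchanger<AttestationObject> exchanger = new Exchanger<>();
                final BiometricMakeCredentialCallback biometricMakeCredentialCallback = new BiometricMakeCredentialCallback(this, authenticatorMakeCredentialOptions, credentialSource, exchanger);
                BiometricPrompt prompt = new BiometricPrompt.Builder(context).setTitle(str).setDescription("Username: " + authenticatorMakeCredentialOptions.userEntity.name).setNegativeButton("Cancel", citrix.android.content.Context.getMainExecutor(context), new DialogInterface.OnClickListener() {
                    @Override
                    public void onClick(DialogInterface dialogInterface, int i) {
                        biometricMakeCredentialCallback.onAuthenticationCancelled();
                    }
                }).build();
                BiometricPrompt.CryptoObject cryptoObject = new BiometricPrompt.CryptoObject(WebAuthnCryptography.generateSignatureObject(this.credentialSafe.getKeyPairByAlias(credentialSource.keyPairAlias).getPrivate()));
                CancellationSignal signal = cancellationSignal != null ? cancellationSignal : new CancellationSignal();
                prompt.authenticate(cryptoObject, signal, citrix.android.content.Context.getMainExecutor(context), biometricMakeCredentialCallback);
                try {
                    // Blocks until the callback hands over its result; null is treated as failure.
                    attestation = exchanger.exchange(null);
                } catch (InterruptedException e) {
                    // Restore the interrupt flag and keep the cause attached for the log below.
                    Thread.currentThread().interrupt();
                    throw new VirgilException("Could not retrieve attestationObject from BiometricPrompt: " + e.toString(), e);
                }
                if (attestation == null) {
                    Log.w(TAG, "Biometric authentication failed.");
                    throw new NotAllowedError();
                }
            }
            if (excluded) {
                Log.w(TAG, "Credential is excluded by excludeCredentialDescriptorList");
                throw new InvalidStateError();
            }
            succeeded = true;
            return attestation;
        } catch (VirgilException e2) {
            Log.w(TAG, "couldn't generate credential", e2);
            throw new UnknownError();
        } finally {
            // Covers every failure path (missing context, interruption, signing error, rejected
            // prompt, exclusion) so a credential the caller never receives does not stay stored.
            if (!succeeded && credentialSource != null) {
                discardCredential(credentialSource);
            }
        }
    }

    /** Best-effort removal of a credential created by a registration that did not complete. */
    private void discardCredential(PublicKeyCredentialSource credentialSource) {
        try {
            this.credentialSafe.deleteCredential(credentialSource);
        } catch (Exception e) {
            // Must not mask the exception that caused the registration to fail.
            Log.w(TAG, "Could not delete credential after failed registration", e);
        }
    }

    /** Builds the attestation object without a caller-supplied {@link Signature} object. */
    public AttestationObject makeInternalCredential(AuthenticatorMakeCredentialOptions authenticatorMakeCredentialOptions, PublicKeyCredentialSource publicKeyCredentialSource) throws VirgilException, WebAuthnException {
        return makeInternalCredential(authenticatorMakeCredentialOptions, publicKeyCredentialSource, null);
    }

    /**
     * Builds authenticator data (signature counter 0, attested credential data included) for a
     * newly generated credential and wraps it in an attestation object.
     *
     * @param signature signature object to use, or {@code null}; passed through to the crypto provider
     */
    public AttestationObject makeInternalCredential(AuthenticatorMakeCredentialOptions authenticatorMakeCredentialOptions, PublicKeyCredentialSource publicKeyCredentialSource, Signature signature) throws VirgilException, WebAuthnException {
        byte[] rpIdHash = WebAuthnCryptography.sha256(authenticatorMakeCredentialOptions.rpEntity.id);
        byte[] attestedCredentialData = constructAttestedCredentialData(publicKeyCredentialSource);
        byte[] authenticatorData = constructAuthenticatorData(rpIdHash, attestedCredentialData, 0);
        return constructAttestationObject(authenticatorData, authenticatorMakeCredentialOptions.clientDataHash, publicKeyCredentialSource.keyPairAlias, signature);
    }
}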
