package com.yubico.core;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.io.Closeables;
import com.upokecenter.cbor.CBORObject;
import com.yubico.data.AssertionRequestWrapper;
import com.yubico.data.AssertionResponse;
import com.yubico.data.CredentialRegistration;
import com.yubico.data.RegistrationRequest;
import com.yubico.data.RegistrationResponse;
import com.yubico.data.U2fRegistrationResponse;
import com.yubico.data.U2fRegistrationResult;
import com.yubico.internal.util.CertificateParser;
import com.yubico.internal.util.ExceptionUtil;
import com.yubico.internal.util.JacksonCodecs;
import com.yubico.util.Either;
import com.yubico.webauthn.AssertionResult;
import com.yubico.webauthn.FinishAssertionOptions;
import com.yubico.webauthn.FinishRegistrationOptions;
import com.yubico.webauthn.RegisteredCredential;
import com.yubico.webauthn.RegistrationResult;
import com.yubico.webauthn.RelyingParty;
import com.yubico.webauthn.StartAssertionOptions;
import com.yubico.webauthn.StartRegistrationOptions;
import com.yubico.webauthn.U2fVerifier;
import com.yubico.webauthn.attestation.Attestation;
import com.yubico.webauthn.attestation.AttestationResolver;
import com.yubico.webauthn.attestation.MetadataObject;
import com.yubico.webauthn.attestation.MetadataService;
import com.yubico.webauthn.attestation.StandardMetadataService;
import com.yubico.webauthn.attestation.TrustResolver;
import com.yubico.webauthn.attestation.resolver.CompositeAttestationResolver;
import com.yubico.webauthn.attestation.resolver.CompositeTrustResolver;
import com.yubico.webauthn.attestation.resolver.SimpleAttestationResolver;
import com.yubico.webauthn.attestation.resolver.SimpleTrustResolverWithEquality;
import com.yubico.webauthn.data.AttestationConveyancePreference;
import com.yubico.webauthn.data.AuthenticatorData;
import com.yubico.webauthn.data.AuthenticatorSelectionCriteria;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.COSEAlgorithmIdentifier;
import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
import com.yubico.webauthn.data.RelyingPartyIdentity;
import com.yubico.webauthn.data.UserIdentity;
import com.yubico.webauthn.exception.AssertionFailedException;
import com.yubico.webauthn.exception.RegistrationFailedException;
import com.yubico.webauthn.extension.appid.AppId;
import com.yubico.webauthn.extension.appid.InvalidAppIdException;
import java.io.IOException;
import java.io.InputStream;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yubico/core/WebAuthnServer.class */
public class WebAuthnServer {
    private static final Logger logger = LoggerFactory.getLogger(WebAuthnServer.class);
    private static final SecureRandom random = new SecureRandom();
    private static final String PREVIEW_METADATA_PATH = "/preview-metadata.json";
    private Cache<ByteArray, AssertionRequestWrapper> assertRequestStorage;
    private Cache<ByteArray, RegistrationRequest> registerRequestStorage;
    private RegistrationStorage userStorage;
    private SessionManager sessions;
    private TrustResolver trustResolver;
    private MetadataService metadataService;
    private final Clock clock;
    private final ObjectMapper jsonMapper;
    private final RelyingParty rp;

    /* loaded from: input_file:com/yubico/core/WebAuthnServer$AttestationCertInfo.class */
    public static final class AttestationCertInfo {
        private final ByteArray der;
        private final String text;

        public AttestationCertInfo(ByteArray byteArray) {
            this.der = byteArray;
            X509Certificate x509Certificate = null;
            try {
                x509Certificate = CertificateParser.parseDer(byteArray.getBytes());
            } catch (CertificateException e) {
                WebAuthnServer.logger.error("Failed to parse attestation certificate");
            }
            if (x509Certificate == null) {
                this.text = null;
            } else {
                this.text = x509Certificate.toString();
            }
        }

        public ByteArray getDer() {
            return this.der;
        }

        public String getText() {
            return this.text;
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof AttestationCertInfo)) {
                return false;
            }
            AttestationCertInfo attestationCertInfo = (AttestationCertInfo) obj;
            ByteArray der = getDer();
            ByteArray der2 = attestationCertInfo.getDer();
            if (der == null) {
                if (der2 != null) {
                    return false;
                }
            } else if (!der.equals(der2)) {
                return false;
            }
            String text = getText();
            String text2 = attestationCertInfo.getText();
            return text == null ? text2 == null : text.equals(text2);
        }

        public int hashCode() {
            ByteArray der = getDer();
            int hashCode = (1 * 59) + (der == null ? 43 : der.hashCode());
            String text = getText();
            return (hashCode * 59) + (text == null ? 43 : text.hashCode());
        }

        public String toString() {
            return "WebAuthnServer.AttestationCertInfo(der=" + getDer() + ", text=" + getText() + ")";
        }
    }

    /* loaded from: input_file:com/yubico/core/WebAuthnServer$AuthDataSerializer.class */
    private static class AuthDataSerializer extends JsonSerializer<AuthenticatorData> {
        private AuthDataSerializer() {
        }

        public void serialize(AuthenticatorData authenticatorData, JsonGenerator jsonGenerator, SerializerProvider serializerProvider) throws IOException {
            jsonGenerator.writeStartObject();
            jsonGenerator.writeStringField("rpIdHash", authenticatorData.getRpIdHash().getHex());
            jsonGenerator.writeObjectField("flags", authenticatorData.getFlags());
            jsonGenerator.writeNumberField("signatureCounter", authenticatorData.getSignatureCounter());
            authenticatorData.getAttestedCredentialData().ifPresent(attestedCredentialData -> {
                try {
                    jsonGenerator.writeObjectFieldStart("attestedCredentialData");
                    jsonGenerator.writeStringField("aaguid", attestedCredentialData.getAaguid().getHex());
                    jsonGenerator.writeStringField("credentialId", attestedCredentialData.getCredentialId().getHex());
                    jsonGenerator.writeStringField("publicKey", attestedCredentialData.getCredentialPublicKey().getHex());
                    jsonGenerator.writeEndObject();
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            });
            jsonGenerator.writeObjectField("extensions", authenticatorData.getExtensions());
            jsonGenerator.writeEndObject();
        }
    }

    /* loaded from: input_file:com/yubico/core/WebAuthnServer$DeregisterCredentialResult.class */
    public static final class DeregisterCredentialResult {
        private final boolean success = true;
        private final CredentialRegistration droppedRegistration;
        private final boolean accountDeleted;

        public DeregisterCredentialResult(CredentialRegistration credentialRegistration, boolean z) {
            this.droppedRegistration = credentialRegistration;
            this.accountDeleted = z;
        }

        public boolean isSuccess() {
            Objects.requireNonNull(this);
            return true;
        }

        public CredentialRegistration getDroppedRegistration() {
            return this.droppedRegistration;
        }

        public boolean isAccountDeleted() {
            return this.accountDeleted;
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof DeregisterCredentialResult)) {
                return false;
            }
            DeregisterCredentialResult deregisterCredentialResult = (DeregisterCredentialResult) obj;
            if (isSuccess() != deregisterCredentialResult.isSuccess() || isAccountDeleted() != deregisterCredentialResult.isAccountDeleted()) {
                return false;
            }
            CredentialRegistration droppedRegistration = getDroppedRegistration();
            CredentialRegistration droppedRegistration2 = deregisterCredentialResult.getDroppedRegistration();
            return droppedRegistration == null ? droppedRegistration2 == null : droppedRegistration.equals(droppedRegistration2);
        }

        public int hashCode() {
            int i = (((1 * 59) + (isSuccess() ? 79 : 97)) * 59) + (isAccountDeleted() ? 79 : 97);
            CredentialRegistration droppedRegistration = getDroppedRegistration();
            return (i * 59) + (droppedRegistration == null ? 43 : droppedRegistration.hashCode());
        }

        public String toString() {
            return "WebAuthnServer.DeregisterCredentialResult(success=" + isSuccess() + ", droppedRegistration=" + getDroppedRegistration() + ", accountDeleted=" + isAccountDeleted() + ")";
        }
    }

    /* loaded from: input_file:com/yubico/core/WebAuthnServer$SuccessfulAuthenticationResult.class */
    public static final class SuccessfulAuthenticationResult {
        private final boolean success = true;
        private final AssertionRequestWrapper request;
        private final AssertionResponse response;
        private final Collection<CredentialRegistration> registrations;

        @JsonSerialize(using = AuthDataSerializer.class)
        private final AuthenticatorData authData;
        private final String username;
        private final ByteArray sessionToken;
        private final List<String> warnings;

        public SuccessfulAuthenticationResult(AssertionRequestWrapper assertionRequestWrapper, AssertionResponse assertionResponse, Collection<CredentialRegistration> collection, String str, ByteArray byteArray, List<String> list) {
            this(assertionRequestWrapper, assertionResponse, collection, assertionResponse.getCredential().getResponse().getParsedAuthenticatorData(), str, byteArray, list);
        }

        public boolean isSuccess() {
            Objects.requireNonNull(this);
            return true;
        }

        public AssertionRequestWrapper getRequest() {
            return this.request;
        }

        public AssertionResponse getResponse() {
            return this.response;
        }

        public Collection<CredentialRegistration> getRegistrations() {
            return this.registrations;
        }

        public AuthenticatorData getAuthData() {
            return this.authData;
        }

        public String getUsername() {
            return this.username;
        }

        public ByteArray getSessionToken() {
            return this.sessionToken;
        }

        public List<String> getWarnings() {
            return this.warnings;
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof SuccessfulAuthenticationResult)) {
                return false;
            }
            SuccessfulAuthenticationResult successfulAuthenticationResult = (SuccessfulAuthenticationResult) obj;
            if (isSuccess() != successfulAuthenticationResult.isSuccess()) {
                return false;
            }
            AssertionRequestWrapper request = getRequest();
            AssertionRequestWrapper request2 = successfulAuthenticationResult.getRequest();
            if (request == null) {
                if (request2 != null) {
                    return false;
                }
            } else if (!request.equals(request2)) {
                return false;
            }
            AssertionResponse response = getResponse();
            AssertionResponse response2 = successfulAuthenticationResult.getResponse();
            if (response == null) {
                if (response2 != null) {
                    return false;
                }
            } else if (!response.equals(response2)) {
                return false;
            }
            Collection<CredentialRegistration> registrations = getRegistrations();
            Collection<CredentialRegistration> registrations2 = successfulAuthenticationResult.getRegistrations();
            if (registrations == null) {
                if (registrations2 != null) {
                    return false;
                }
            } else if (!registrations.equals(registrations2)) {
                return false;
            }
            AuthenticatorData authData = getAuthData();
            AuthenticatorData authData2 = successfulAuthenticationResult.getAuthData();
            if (authData == null) {
                if (authData2 != null) {
                    return false;
                }
            } else if (!authData.equals(authData2)) {
                return false;
            }
            String username = getUsername();
            String username2 = successfulAuthenticationResult.getUsername();
            if (username == null) {
                if (username2 != null) {
                    return false;
                }
            } else if (!username.equals(username2)) {
                return false;
            }
            ByteArray sessionToken = getSessionToken();
            ByteArray sessionToken2 = successfulAuthenticationResult.getSessionToken();
            if (sessionToken == null) {
                if (sessionToken2 != null) {
                    return false;
                }
            } else if (!sessionToken.equals(sessionToken2)) {
                return false;
            }
            List<String> warnings = getWarnings();
            List<String> warnings2 = successfulAuthenticationResult.getWarnings();
            return warnings == null ? warnings2 == null : warnings.equals(warnings2);
        }

        public int hashCode() {
            int i = (1 * 59) + (isSuccess() ? 79 : 97);
            AssertionRequestWrapper request = getRequest();
            int hashCode = (i * 59) + (request == null ? 43 : request.hashCode());
            AssertionResponse response = getResponse();
            int hashCode2 = (hashCode * 59) + (response == null ? 43 : response.hashCode());
            Collection<CredentialRegistration> registrations = getRegistrations();
            int hashCode3 = (hashCode2 * 59) + (registrations == null ? 43 : registrations.hashCode());
            AuthenticatorData authData = getAuthData();
            int hashCode4 = (hashCode3 * 59) + (authData == null ? 43 : authData.hashCode());
            String username = getUsername();
            int hashCode5 = (hashCode4 * 59) + (username == null ? 43 : username.hashCode());
            ByteArray sessionToken = getSessionToken();
            int hashCode6 = (hashCode5 * 59) + (sessionToken == null ? 43 : sessionToken.hashCode());
            List<String> warnings = getWarnings();
            return (hashCode6 * 59) + (warnings == null ? 43 : warnings.hashCode());
        }

        public String toString() {
            return "WebAuthnServer.SuccessfulAuthenticationResult(success=" + isSuccess() + ", request=" + getRequest() + ", response=" + getResponse() + ", registrations=" + getRegistrations() + ", authData=" + getAuthData() + ", username=" + getUsername() + ", sessionToken=" + getSessionToken() + ", warnings=" + getWarnings() + ")";
        }

        public SuccessfulAuthenticationResult(AssertionRequestWrapper assertionRequestWrapper, AssertionResponse assertionResponse, Collection<CredentialRegistration> collection, AuthenticatorData authenticatorData, String str, ByteArray byteArray, List<String> list) {
            this.success = true;
            this.request = assertionRequestWrapper;
            this.response = assertionResponse;
            this.registrations = collection;
            this.authData = authenticatorData;
            this.username = str;
            this.sessionToken = byteArray;
            this.warnings = list;
        }
    }

    /* loaded from: input_file:com/yubico/core/WebAuthnServer$SuccessfulRegistrationResult.class */
    public static final class SuccessfulRegistrationResult {
        private final boolean success = true;
        private final RegistrationRequest request;
        private final RegistrationResponse response;
        private final CredentialRegistration registration;
        private final boolean attestationTrusted;
        private final Optional<AttestationCertInfo> attestationCert;

        @JsonSerialize(using = AuthDataSerializer.class)
        private final AuthenticatorData authData;
        private final String username;
        private final ByteArray sessionToken;

        public SuccessfulRegistrationResult(RegistrationRequest registrationRequest, RegistrationResponse registrationResponse, CredentialRegistration credentialRegistration, boolean z, ByteArray byteArray) {
            this.request = registrationRequest;
            this.response = registrationResponse;
            this.registration = credentialRegistration;
            this.attestationTrusted = z;
            this.attestationCert = Optional.ofNullable(registrationResponse.getCredential().getResponse().getAttestation().getAttestationStatement().get("x5c")).map(jsonNode -> {
                return jsonNode.get(0);
            }).flatMap(jsonNode2 -> {
                try {
                    return Optional.of(new ByteArray(jsonNode2.binaryValue()));
                } catch (IOException e) {
                    WebAuthnServer.logger.error("Failed to get binary value from x5c element: {}", jsonNode2, e);
                    return Optional.empty();
                }
            }).map(AttestationCertInfo::new);
            this.authData = registrationResponse.getCredential().getResponse().getParsedAuthenticatorData();
            this.username = registrationRequest.getUsername();
            this.sessionToken = byteArray;
        }

        public boolean isSuccess() {
            Objects.requireNonNull(this);
            return true;
        }

        public RegistrationRequest getRequest() {
            return this.request;
        }

        public RegistrationResponse getResponse() {
            return this.response;
        }

        public CredentialRegistration getRegistration() {
            return this.registration;
        }

        public boolean isAttestationTrusted() {
            return this.attestationTrusted;
        }

        public Optional<AttestationCertInfo> getAttestationCert() {
            return this.attestationCert;
        }

        public AuthenticatorData getAuthData() {
            return this.authData;
        }

        public String getUsername() {
            return this.username;
        }

        public ByteArray getSessionToken() {
            return this.sessionToken;
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof SuccessfulRegistrationResult)) {
                return false;
            }
            SuccessfulRegistrationResult successfulRegistrationResult = (SuccessfulRegistrationResult) obj;
            if (isSuccess() != successfulRegistrationResult.isSuccess() || isAttestationTrusted() != successfulRegistrationResult.isAttestationTrusted()) {
                return false;
            }
            RegistrationRequest request = getRequest();
            RegistrationRequest request2 = successfulRegistrationResult.getRequest();
            if (request == null) {
                if (request2 != null) {
                    return false;
                }
            } else if (!request.equals(request2)) {
                return false;
            }
            RegistrationResponse response = getResponse();
            RegistrationResponse response2 = successfulRegistrationResult.getResponse();
            if (response == null) {
                if (response2 != null) {
                    return false;
                }
            } else if (!response.equals(response2)) {
                return false;
            }
            CredentialRegistration registration = getRegistration();
            CredentialRegistration registration2 = successfulRegistrationResult.getRegistration();
            if (registration == null) {
                if (registration2 != null) {
                    return false;
                }
            } else if (!registration.equals(registration2)) {
                return false;
            }
            Optional<AttestationCertInfo> attestationCert = getAttestationCert();
            Optional<AttestationCertInfo> attestationCert2 = successfulRegistrationResult.getAttestationCert();
            if (attestationCert == null) {
                if (attestationCert2 != null) {
                    return false;
                }
            } else if (!attestationCert.equals(attestationCert2)) {
                return false;
            }
            AuthenticatorData authData = getAuthData();
            AuthenticatorData authData2 = successfulRegistrationResult.getAuthData();
            if (authData == null) {
                if (authData2 != null) {
                    return false;
                }
            } else if (!authData.equals(authData2)) {
                return false;
            }
            String username = getUsername();
            String username2 = successfulRegistrationResult.getUsername();
            if (username == null) {
                if (username2 != null) {
                    return false;
                }
            } else if (!username.equals(username2)) {
                return false;
            }
            ByteArray sessionToken = getSessionToken();
            ByteArray sessionToken2 = successfulRegistrationResult.getSessionToken();
            return sessionToken == null ? sessionToken2 == null : sessionToken.equals(sessionToken2);
        }

        public int hashCode() {
            int i = (((1 * 59) + (isSuccess() ? 79 : 97)) * 59) + (isAttestationTrusted() ? 79 : 97);
            RegistrationRequest request = getRequest();
            int hashCode = (i * 59) + (request == null ? 43 : request.hashCode());
            RegistrationResponse response = getResponse();
            int hashCode2 = (hashCode * 59) + (response == null ? 43 : response.hashCode());
            CredentialRegistration registration = getRegistration();
            int hashCode3 = (hashCode2 * 59) + (registration == null ? 43 : registration.hashCode());
            Optional<AttestationCertInfo> attestationCert = getAttestationCert();
            int hashCode4 = (hashCode3 * 59) + (attestationCert == null ? 43 : attestationCert.hashCode());
            AuthenticatorData authData = getAuthData();
            int hashCode5 = (hashCode4 * 59) + (authData == null ? 43 : authData.hashCode());
            String username = getUsername();
            int hashCode6 = (hashCode5 * 59) + (username == null ? 43 : username.hashCode());
            ByteArray sessionToken = getSessionToken();
            return (hashCode6 * 59) + (sessionToken == null ? 43 : sessionToken.hashCode());
        }

        public String toString() {
            return "WebAuthnServer.SuccessfulRegistrationResult(success=" + isSuccess() + ", request=" + getRequest() + ", response=" + getResponse() + ", registration=" + getRegistration() + ", attestationTrusted=" + isAttestationTrusted() + ", attestationCert=" + getAttestationCert() + ", authData=" + getAuthData() + ", username=" + getUsername() + ", sessionToken=" + getSessionToken() + ")";
        }
    }

    /* loaded from: input_file:com/yubico/core/WebAuthnServer$SuccessfulU2fRegistrationResult.class */
    public final class SuccessfulU2fRegistrationResult {
        private final boolean success = true;
        private final RegistrationRequest request;
        private final U2fRegistrationResponse response;
        private final CredentialRegistration registration;
        private final boolean attestationTrusted;
        private final Optional<AttestationCertInfo> attestationCert;
        private final String username;
        private final ByteArray sessionToken;

        public SuccessfulU2fRegistrationResult(RegistrationRequest registrationRequest, U2fRegistrationResponse u2fRegistrationResponse, CredentialRegistration credentialRegistration, boolean z, Optional<AttestationCertInfo> optional, String str, ByteArray byteArray) {
            this.request = registrationRequest;
            this.response = u2fRegistrationResponse;
            this.registration = credentialRegistration;
            this.attestationTrusted = z;
            this.attestationCert = optional;
            this.username = str;
            this.sessionToken = byteArray;
        }

        public boolean isSuccess() {
            Objects.requireNonNull(this);
            return true;
        }

        public RegistrationRequest getRequest() {
            return this.request;
        }

        public U2fRegistrationResponse getResponse() {
            return this.response;
        }

        public CredentialRegistration getRegistration() {
            return this.registration;
        }

        public boolean isAttestationTrusted() {
            return this.attestationTrusted;
        }

        public Optional<AttestationCertInfo> getAttestationCert() {
            return this.attestationCert;
        }

        public String getUsername() {
            return this.username;
        }

        public ByteArray getSessionToken() {
            return this.sessionToken;
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof SuccessfulU2fRegistrationResult)) {
                return false;
            }
            SuccessfulU2fRegistrationResult successfulU2fRegistrationResult = (SuccessfulU2fRegistrationResult) obj;
            if (isSuccess() != successfulU2fRegistrationResult.isSuccess() || isAttestationTrusted() != successfulU2fRegistrationResult.isAttestationTrusted()) {
                return false;
            }
            RegistrationRequest request = getRequest();
            RegistrationRequest request2 = successfulU2fRegistrationResult.getRequest();
            if (request == null) {
                if (request2 != null) {
                    return false;
                }
            } else if (!request.equals(request2)) {
                return false;
            }
            U2fRegistrationResponse response = getResponse();
            U2fRegistrationResponse response2 = successfulU2fRegistrationResult.getResponse();
            if (response == null) {
                if (response2 != null) {
                    return false;
                }
            } else if (!response.equals(response2)) {
                return false;
            }
            CredentialRegistration registration = getRegistration();
            CredentialRegistration registration2 = successfulU2fRegistrationResult.getRegistration();
            if (registration == null) {
                if (registration2 != null) {
                    return false;
                }
            } else if (!registration.equals(registration2)) {
                return false;
            }
            Optional<AttestationCertInfo> attestationCert = getAttestationCert();
            Optional<AttestationCertInfo> attestationCert2 = successfulU2fRegistrationResult.getAttestationCert();
            if (attestationCert == null) {
                if (attestationCert2 != null) {
                    return false;
                }
            } else if (!attestationCert.equals(attestationCert2)) {
                return false;
            }
            String username = getUsername();
            String username2 = successfulU2fRegistrationResult.getUsername();
            if (username == null) {
                if (username2 != null) {
                    return false;
                }
            } else if (!username.equals(username2)) {
                return false;
            }
            ByteArray sessionToken = getSessionToken();
            ByteArray sessionToken2 = successfulU2fRegistrationResult.getSessionToken();
            return sessionToken == null ? sessionToken2 == null : sessionToken.equals(sessionToken2);
        }

        public int hashCode() {
            int i = (((1 * 59) + (isSuccess() ? 79 : 97)) * 59) + (isAttestationTrusted() ? 79 : 97);
            RegistrationRequest request = getRequest();
            int hashCode = (i * 59) + (request == null ? 43 : request.hashCode());
            U2fRegistrationResponse response = getResponse();
            int hashCode2 = (hashCode * 59) + (response == null ? 43 : response.hashCode());
            CredentialRegistration registration = getRegistration();
            int hashCode3 = (hashCode2 * 59) + (registration == null ? 43 : registration.hashCode());
            Optional<AttestationCertInfo> attestationCert = getAttestationCert();
            int hashCode4 = (hashCode3 * 59) + (attestationCert == null ? 43 : attestationCert.hashCode());
            String username = getUsername();
            int hashCode5 = (hashCode4 * 59) + (username == null ? 43 : username.hashCode());
            ByteArray sessionToken = getSessionToken();
            return (hashCode5 * 59) + (sessionToken == null ? 43 : sessionToken.hashCode());
        }

        public String toString() {
            return "WebAuthnServer.SuccessfulU2fRegistrationResult(success=" + isSuccess() + ", request=" + getRequest() + ", response=" + getResponse() + ", registration=" + getRegistration() + ", attestationTrusted=" + isAttestationTrusted() + ", attestationCert=" + getAttestationCert() + ", username=" + getUsername() + ", sessionToken=" + getSessionToken() + ")";
        }
    }

    public WebAuthnServer(RegistrationStorage registrationStorage, Cache<ByteArray, RegistrationRequest> cache, Cache<ByteArray, AssertionRequestWrapper> cache2, RelyingPartyIdentity relyingPartyIdentity, Set<String> set, Optional<AppId> optional) throws InvalidAppIdException, CertificateException {
        this.sessions = new DefaultSessionManager();
        this.trustResolver = new CompositeTrustResolver(Arrays.asList(StandardMetadataService.createDefaultTrustResolver(), createExtraTrustResolver()));
        this.metadataService = new StandardMetadataService(new CompositeAttestationResolver(Arrays.asList(StandardMetadataService.createDefaultAttestationResolver(this.trustResolver), createExtraMetadataResolver(this.trustResolver))));
        this.clock = Clock.systemDefaultZone();
        this.jsonMapper = JacksonCodecs.json();
        this.userStorage = registrationStorage;
        this.registerRequestStorage = cache;
        this.assertRequestStorage = cache2;
        this.rp = RelyingParty.builder().identity(relyingPartyIdentity).credentialRepository(this.userStorage).origins(set).attestationConveyancePreference(Optional.of(AttestationConveyancePreference.DIRECT)).metadataService(Optional.of(this.metadataService)).allowOriginPort(false).allowOriginSubdomain(false).allowUnrequestedExtensions(true).allowUntrustedAttestation(true).validateSignatureCounter(true).appId(optional).build();
    }

    public WebAuthnServer(RelyingParty relyingParty) throws CertificateException {
        this.sessions = new DefaultSessionManager();
        this.trustResolver = new CompositeTrustResolver(Arrays.asList(StandardMetadataService.createDefaultTrustResolver(), createExtraTrustResolver()));
        this.metadataService = new StandardMetadataService(new CompositeAttestationResolver(Arrays.asList(StandardMetadataService.createDefaultAttestationResolver(this.trustResolver), createExtraMetadataResolver(this.trustResolver))));
        this.clock = Clock.systemDefaultZone();
        this.jsonMapper = JacksonCodecs.json();
        this.rp = relyingParty;
    }

    public WebAuthnServer(RegistrationStorage registrationStorage, Cache<ByteArray, RegistrationRequest> cache, Cache<ByteArray, AssertionRequestWrapper> cache2, RelyingParty relyingParty, SessionManager sessionManager) throws CertificateException {
        this.sessions = new DefaultSessionManager();
        this.trustResolver = new CompositeTrustResolver(Arrays.asList(StandardMetadataService.createDefaultTrustResolver(), createExtraTrustResolver()));
        this.metadataService = new StandardMetadataService(new CompositeAttestationResolver(Arrays.asList(StandardMetadataService.createDefaultAttestationResolver(this.trustResolver), createExtraMetadataResolver(this.trustResolver))));
        this.clock = Clock.systemDefaultZone();
        this.jsonMapper = JacksonCodecs.json();
        this.userStorage = registrationStorage;
        this.registerRequestStorage = cache;
        this.assertRequestStorage = cache2;
        this.rp = relyingParty;
        this.sessions = sessionManager;
    }

    private static ByteArray generateRandom(int i) {
        byte[] bArr = new byte[i];
        random.nextBytes(bArr);
        return new ByteArray(bArr);
    }

    private static MetadataObject readPreviewMetadata() {
        InputStream resourceAsStream = WebAuthnServer.class.getResourceAsStream(PREVIEW_METADATA_PATH);
        try {
            try {
                MetadataObject metadataObject = (MetadataObject) JacksonCodecs.json().readValue(resourceAsStream, MetadataObject.class);
                Closeables.closeQuietly(resourceAsStream);
                return metadataObject;
            } catch (IOException e) {
                throw ExceptionUtil.wrapAndLog(logger, "Failed to read metadata from /preview-metadata.json", e);
            }
        } catch (Throwable th) {
            Closeables.closeQuietly(resourceAsStream);
            throw th;
        }
    }

    private static TrustResolver createExtraTrustResolver() {
        try {
            return new SimpleTrustResolverWithEquality(readPreviewMetadata().getParsedTrustedCertificates());
        } catch (CertificateException e) {
            throw ExceptionUtil.wrapAndLog(logger, "Failed to read trusted certificate(s)", e);
        }
    }

    private static AttestationResolver createExtraMetadataResolver(TrustResolver trustResolver) {
        try {
            return new SimpleAttestationResolver(Collections.singleton(readPreviewMetadata()), trustResolver);
        } catch (CertificateException e) {
            throw ExceptionUtil.wrapAndLog(logger, "Failed to read trusted certificate(s)", e);
        }
    }

    private static <K, V> Cache<K, V> newCache() {
        return CacheBuilder.newBuilder().maximumSize(100L).expireAfterAccess(10L, TimeUnit.MINUTES).build();
    }

    public Either<String, RegistrationRequest> startRegistration(@NonNull String str, Optional<String> optional, Optional<String> optional2, boolean z, Optional<ByteArray> optional3) throws ExecutionException {
        if (str == null) {
            throw new NullPointerException("username is marked non-null but is null");
        }
        logger.trace("startRegistration username: {}, credentialNickname: {}", str, optional2);
        Optional<U> map = this.userStorage.getRegistrationsByUsername(str).stream().findAny().map((v0) -> {
            return v0.getUserIdentity();
        });
        if (!((Boolean) map.map(userIdentity -> {
            return Boolean.valueOf(this.sessions.isSessionForUser(userIdentity.getId(), (Optional<ByteArray>) optional3));
        }).orElse(true)).booleanValue()) {
            return Either.left("The username \"" + str + "\" is already registered.");
        }
        UserIdentity userIdentity2 = (UserIdentity) map.orElseGet(() -> {
            return UserIdentity.builder().name(str).displayName((String) optional.get()).id(generateRandom(32)).build();
        });
        RegistrationRequest registrationRequest = new RegistrationRequest(str, optional2, generateRandom(32), this.rp.startRegistration(StartRegistrationOptions.builder().user(userIdentity2).authenticatorSelection(AuthenticatorSelectionCriteria.builder().requireResidentKey(z).build()).build()), Optional.of(this.sessions.createSession(userIdentity2.getId())));
        this.registerRequestStorage.put(registrationRequest.getRequestId(), registrationRequest);
        return Either.right(registrationRequest);
    }

    public Either<List<String>, SuccessfulRegistrationResult> finishRegistration(String str) {
        logger.trace("finishRegistration responseJson: {}", str);
        try {
            RegistrationResponse registrationResponse = (RegistrationResponse) this.jsonMapper.readValue(str, RegistrationResponse.class);
            RegistrationRequest registrationRequest = (RegistrationRequest) this.registerRequestStorage.getIfPresent(registrationResponse.getRequestId());
            this.registerRequestStorage.invalidate(registrationResponse.getRequestId());
            if (registrationRequest == null) {
                logger.debug("fail finishRegistration responseJson: {}", str);
                return Either.left(Arrays.asList("Registration failed!", "No such registration in progress."));
            }
            try {
                RegistrationResult finishRegistration = this.rp.finishRegistration(FinishRegistrationOptions.builder().request(registrationRequest.getPublicKeyCredentialCreationOptions()).response(registrationResponse.getCredential()).build());
                if (this.userStorage.userExists(registrationRequest.getUsername())) {
                    boolean z = false;
                    boolean booleanValue = ((Boolean) registrationRequest.getSessionToken().map(byteArray -> {
                        return Boolean.valueOf(this.sessions.isSessionForUser(registrationRequest.getPublicKeyCredentialCreationOptions().getUser().getId(), byteArray));
                    }).orElse(false)).booleanValue();
                    logger.debug("Session token: {}", registrationRequest.getSessionToken());
                    logger.debug("Valid session: {}", Boolean.valueOf(booleanValue));
                    if (booleanValue) {
                        z = true;
                        logger.info("Session token accepted for user {}", registrationRequest.getPublicKeyCredentialCreationOptions().getUser().getId());
                    }
                    logger.debug("permissionGranted: {}", Boolean.valueOf(z));
                    if (!z) {
                        throw new RegistrationFailedException(new IllegalArgumentException(String.format("User %s already exists", registrationRequest.getUsername())));
                    }
                }
                return Either.right(new SuccessfulRegistrationResult(registrationRequest, registrationResponse, addRegistration(registrationRequest.getPublicKeyCredentialCreationOptions().getUser(), registrationRequest.getCredentialNickname(), registrationResponse, finishRegistration), finishRegistration.isAttestationTrusted(), this.sessions.createSession(registrationRequest.getPublicKeyCredentialCreationOptions().getUser().getId())));
            } catch (Exception e) {
                logger.error("fail finishRegistration responseJson: {}", str, e);
                return Either.left(Arrays.asList("Registration failed unexpectedly; this is likely a bug.", e.getMessage()));
            } catch (RegistrationFailedException e2) {
                logger.debug("fail finishRegistration responseJson: {}", str, e2);
                return Either.left(Arrays.asList("Registration failed!", e2.getMessage()));
            }
        } catch (IOException e3) {
            logger.error("JSON error in finishRegistration; responseJson: {}", str, e3);
            return Either.left(Arrays.asList("Registration failed!", "Failed to decode response object.", e3.getMessage()));
        }
    }

    public Either<List<String>, SuccessfulU2fRegistrationResult> finishU2fRegistration(String str) throws ExecutionException {
        logger.trace("finishU2fRegistration responseJson: {}", str);
        try {
            U2fRegistrationResponse u2fRegistrationResponse = (U2fRegistrationResponse) this.jsonMapper.readValue(str, U2fRegistrationResponse.class);
            RegistrationRequest registrationRequest = (RegistrationRequest) this.registerRequestStorage.getIfPresent(u2fRegistrationResponse.getRequestId());
            this.registerRequestStorage.invalidate(u2fRegistrationResponse.getRequestId());
            if (registrationRequest == null) {
                logger.debug("fail finishU2fRegistration responseJson: {}", str);
                return Either.left(Arrays.asList("Registration failed!", "No such registration in progress."));
            }
            try {
                ExceptionUtil.assure(U2fVerifier.verify((AppId) this.rp.getAppId().get(), registrationRequest, u2fRegistrationResponse), "Failed to verify signature.", new Object[0]);
                X509Certificate x509Certificate = null;
                try {
                    x509Certificate = CertificateParser.parseDer(u2fRegistrationResponse.getCredential().getU2fResponse().getAttestationCertAndSignature().getBytes());
                } catch (CertificateException e) {
                    logger.error("Failed to parse attestation certificate: {}", u2fRegistrationResponse.getCredential().getU2fResponse().getAttestationCertAndSignature(), e);
                }
                Optional<Attestation> empty = Optional.empty();
                if (x509Certificate != null) {
                    try {
                        empty = Optional.of(this.metadataService.getAttestation(Collections.singletonList(x509Certificate)));
                    } catch (CertificateEncodingException e2) {
                        logger.error("Failed to resolve attestation", e2);
                    }
                }
                U2fRegistrationResult build = U2fRegistrationResult.builder().keyId(PublicKeyCredentialDescriptor.builder().id(u2fRegistrationResponse.getCredential().getU2fResponse().getKeyHandle()).build()).attestationTrusted(((Boolean) empty.map((v0) -> {
                    return v0.isTrusted();
                }).orElse(false)).booleanValue()).publicKeyCose(rawEcdaKeyToCose(u2fRegistrationResponse.getCredential().getU2fResponse().getPublicKey())).attestationMetadata(empty).build();
                return Either.right(new SuccessfulU2fRegistrationResult(registrationRequest, u2fRegistrationResponse, addRegistration(registrationRequest.getPublicKeyCredentialCreationOptions().getUser(), registrationRequest.getCredentialNickname(), 0L, build), build.isAttestationTrusted(), Optional.of(new AttestationCertInfo(u2fRegistrationResponse.getCredential().getU2fResponse().getAttestationCertAndSignature())), registrationRequest.getUsername(), this.sessions.createSession(registrationRequest.getPublicKeyCredentialCreationOptions().getUser().getId())));
            } catch (Exception e3) {
                logger.debug("Failed to verify U2F signature.", e3);
                return Either.left(Arrays.asList("Failed to verify signature.", e3.getMessage()));
            }
        } catch (IOException e4) {
            logger.error("JSON error in finishU2fRegistration; responseJson: {}", str, e4);
            return Either.left(Arrays.asList("Registration failed!", "Failed to decode response object.", e4.getMessage()));
        }
    }

    public Either<List<String>, AssertionRequestWrapper> startAuthentication(Optional<String> optional) {
        logger.trace("startAuthentication username: {}", optional);
        if (optional.isPresent() && !this.userStorage.userExists(optional.get())) {
            return Either.left(Collections.singletonList("The username \"" + optional.get() + "\" is not registered."));
        }
        AssertionRequestWrapper assertionRequestWrapper = new AssertionRequestWrapper(generateRandom(32), this.rp.startAssertion(StartAssertionOptions.builder().username(optional).build()));
        this.assertRequestStorage.put(assertionRequestWrapper.getRequestId(), assertionRequestWrapper);
        return Either.right(assertionRequestWrapper);
    }

    public Either<List<String>, SuccessfulAuthenticationResult> finishAuthentication(String str) {
        logger.trace("finishAuthentication responseJson: {}", str);
        try {
            AssertionResponse assertionResponse = (AssertionResponse) this.jsonMapper.readValue(str, AssertionResponse.class);
            AssertionRequestWrapper assertionRequestWrapper = (AssertionRequestWrapper) this.assertRequestStorage.getIfPresent(assertionResponse.getRequestId());
            this.assertRequestStorage.invalidate(assertionResponse.getRequestId());
            if (assertionRequestWrapper == null) {
                return Either.left(Arrays.asList("Assertion failed!", "No such assertion in progress."));
            }
            try {
                AssertionResult finishAssertion = this.rp.finishAssertion(FinishAssertionOptions.builder().request(assertionRequestWrapper.getRequest()).response(assertionResponse.getCredential()).build());
                if (!finishAssertion.isSuccess()) {
                    return Either.left(Collections.singletonList("Assertion failed: Invalid assertion."));
                }
                try {
                    this.userStorage.updateSignatureCount(finishAssertion);
                } catch (Exception e) {
                    logger.error("Failed to update signature count for user \"{}\", credential \"{}\"", new Object[]{finishAssertion.getUsername(), assertionResponse.getCredential().getId(), e});
                }
                return Either.right(new SuccessfulAuthenticationResult(assertionRequestWrapper, assertionResponse, this.userStorage.getRegistrationsByUsername(finishAssertion.getUsername()), finishAssertion.getUsername(), this.sessions.createSession(finishAssertion.getUserHandle()), finishAssertion.getWarnings()));
            } catch (Exception e2) {
                logger.error("Assertion failed", e2);
                return Either.left(Arrays.asList("Assertion failed unexpectedly; this is likely a bug.", e2.getMessage()));
            } catch (AssertionFailedException e3) {
                logger.debug("Assertion failed", e3);
                return Either.left(Arrays.asList("Assertion failed!", e3.getMessage()));
            }
        } catch (IOException e4) {
            logger.debug("Failed to decode response object", e4);
            return Either.left(Arrays.asList("Assertion failed!", "Failed to decode response object.", e4.getMessage()));
        }
    }

    public Either<List<String>, DeregisterCredentialResult> deregisterCredential(@NonNull ByteArray byteArray, ByteArray byteArray2) {
        if (byteArray == null) {
            throw new NullPointerException("sessionToken is marked non-null but is null");
        }
        logger.trace("deregisterCredential session: {}, credentialId: {}", byteArray, byteArray2);
        if (byteArray2 == null || byteArray2.getBytes().length == 0) {
            return Either.left(Collections.singletonList("Credential ID must not be empty."));
        }
        Optional<ByteArray> session = this.sessions.getSession(byteArray);
        if (!session.isPresent()) {
            return Either.left(Collections.singletonList("Invalid session"));
        }
        Optional usernameForUserHandle = this.userStorage.getUsernameForUserHandle(session.get());
        if (!usernameForUserHandle.isPresent()) {
            return Either.left(Collections.singletonList("Invalid user handle"));
        }
        Optional<CredentialRegistration> registrationByUsernameAndCredentialId = this.userStorage.getRegistrationByUsernameAndCredentialId((String) usernameForUserHandle.get(), byteArray2);
        if (!registrationByUsernameAndCredentialId.isPresent()) {
            return Either.left(Collections.singletonList("Credential ID not registered:" + byteArray2));
        }
        this.userStorage.removeRegistrationByUsername((String) usernameForUserHandle.get(), registrationByUsernameAndCredentialId.get());
        return Either.right(new DeregisterCredentialResult(registrationByUsernameAndCredentialId.get(), !this.userStorage.userExists((String) usernameForUserHandle.get())));
    }

    public <T> Either<List<String>, T> deleteAccount(String str, Supplier<T> supplier) {
        logger.trace("deleteAccount username: {}", str);
        return (str == null || str.isEmpty()) ? Either.left(Collections.singletonList("Username must not be empty.")) : this.userStorage.removeAllRegistrations(str) ? Either.right(supplier.get()) : Either.left(Collections.singletonList("Username not registered:" + str));
    }

    private CredentialRegistration addRegistration(UserIdentity userIdentity, Optional<String> optional, RegistrationResponse registrationResponse, RegistrationResult registrationResult) {
        return addRegistration(userIdentity, optional, registrationResponse.getCredential().getResponse().getAttestation().getAuthenticatorData().getSignatureCounter(), RegisteredCredential.builder().credentialId(registrationResult.getKeyId().getId()).userHandle(userIdentity.getId()).publicKeyCose(registrationResult.getPublicKeyCose()).signatureCount(registrationResponse.getCredential().getResponse().getParsedAuthenticatorData().getSignatureCounter()).build(), registrationResult.getAttestationMetadata());
    }

    private CredentialRegistration addRegistration(UserIdentity userIdentity, Optional<String> optional, long j, U2fRegistrationResult u2fRegistrationResult) {
        return addRegistration(userIdentity, optional, j, RegisteredCredential.builder().credentialId(u2fRegistrationResult.getKeyId().getId()).userHandle(userIdentity.getId()).publicKeyCose(u2fRegistrationResult.getPublicKeyCose()).signatureCount(j).build(), u2fRegistrationResult.getAttestationMetadata());
    }

    private CredentialRegistration addRegistration(UserIdentity userIdentity, Optional<String> optional, long j, RegisteredCredential registeredCredential, Optional<Attestation> optional2) {
        CredentialRegistration build = CredentialRegistration.builder().userIdentity(userIdentity).credentialNickname(optional).registrationTime(this.clock.instant()).credential(registeredCredential).signatureCount(j).attestationMetadata(optional2).build();
        logger.debug("Adding registration: user: {}, nickname: {}, credential: {}", new Object[]{userIdentity, optional, registeredCredential});
        this.userStorage.addRegistrationByUsername(userIdentity.getName(), build);
        return build;
    }

    static ByteArray rawEcdaKeyToCose(ByteArray byteArray) {
        byte[] bytes = byteArray.getBytes();
        if (bytes.length != 64 && (bytes.length != 65 || bytes[0] != 4)) {
            throw new IllegalArgumentException(String.format("Raw key must be 64 bytes long or be 65 bytes long and start with 0x04, was %d bytes starting with %02x", Integer.valueOf(bytes.length), Byte.valueOf(bytes[0])));
        }
        int i = bytes.length == 64 ? 0 : 1;
        HashMap hashMap = new HashMap();
        hashMap.put(1L, 2L);
        hashMap.put(3L, Long.valueOf(COSEAlgorithmIdentifier.ES256.getId()));
        hashMap.put(-1L, 1L);
        hashMap.put(-2L, Arrays.copyOfRange(bytes, i, i + 32));
        hashMap.put(-3L, Arrays.copyOfRange(bytes, i + 32, i + 64));
        return new ByteArray(CBORObject.FromObject(hashMap).EncodeToBytes());
    }

    public void setAssertRequestStorage(Cache<ByteArray, AssertionRequestWrapper> cache) {
        this.assertRequestStorage = cache;
    }

    public void setRegisterRequestStorage(Cache<ByteArray, RegistrationRequest> cache) {
        this.registerRequestStorage = cache;
    }

    public void setUserStorage(RegistrationStorage registrationStorage) {
        this.userStorage = registrationStorage;
    }

    public void setSessions(SessionManager sessionManager) {
        this.sessions = sessionManager;
    }

    public void setTrustResolver(TrustResolver trustResolver) {
        this.trustResolver = trustResolver;
    }

    public void setMetadataService(MetadataService metadataService) {
        this.metadataService = metadataService;
    }
}
