package com.yubico.webauthn.attestation.resolver;

import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.Multimap;
import com.yubico.internal.util.CertificateParser;
import com.yubico.internal.util.JacksonCodecs;
import com.yubico.webauthn.attestation.MetadataObject;
import com.yubico.webauthn.attestation.TrustResolver;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

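/* loaded from: input_file:com/yubico/webauthn/attestation/resolver/SimpleTrustResolver.class */
/**
 * A {@link TrustResolver} backed by a fixed, in-memory set of trusted certificates.
 *
 * <p>Trusted certificates are indexed by subject name. Resolution walks the presented
 * chain (attestation certificate first, then the supplied intermediates) and returns the
 * first trusted certificate whose public key verifies the signature of a chain element.
 *
 * <p>Only signatures are checked here: validity periods, basic constraints, key usage,
 * revocation status and name chaining between adjacent chain elements are NOT evaluated
 * by this class. Callers that require full path validation must perform it separately.
 *
 * <p>The trust set is populated in the constructor and never modified afterwards.
 */
public final class SimpleTrustResolver implements TrustResolver {
    private static final Logger logger = LoggerFactory.getLogger(SimpleTrustResolver.class);

    /**
     * Trusted certificates keyed by subject. {@link X500Principal} is used as the key
     * (rather than its string form) so that lookups compare canonical DN encodings
     * instead of implementation-specific string renderings.
     */
    private final Multimap<X500Principal, X509Certificate> trustedCerts = ArrayListMultimap.create();

    /**
     * Creates a resolver trusting exactly the given certificates.
     *
     * @param iterable the certificates to treat as trust anchors; must not be {@code null}
     */
    public SimpleTrustResolver(Iterable<X509Certificate> iterable) {
        for (X509Certificate cert : iterable) {
            this.trustedCerts.put(cert.getSubjectX500Principal(), cert);
        }
    }

    /**
     * Builds a resolver from the PEM-encoded trusted certificates of the given metadata objects.
     *
     * @param iterable metadata objects whose {@code getTrustedCertificates()} entries are parsed
     * @return a resolver trusting the union of all certificates found
     * @throws CertificateException if any PEM entry cannot be parsed
     */
    public static SimpleTrustResolver fromMetadata(Iterable<MetadataObject> iterable) throws CertificateException {
        // A set de-duplicates certificates listed by more than one metadata object.
        Set<X509Certificate> certs = new HashSet<>();
        for (MetadataObject metadata : iterable) {
            for (String pem : metadata.getTrustedCertificates()) {
                certs.add(CertificateParser.parsePem(pem));
            }
        }
        return new SimpleTrustResolver(certs);
    }

    /**
     * Builds a resolver from a single metadata object given as JSON.
     *
     * @param str JSON text describing one {@link MetadataObject}
     * @return a resolver trusting the certificates listed in that metadata object
     * @throws IOException if the JSON cannot be read or bound
     * @throws CertificateException if a listed certificate cannot be parsed
     */
    public static SimpleTrustResolver fromMetadataJson(String str) throws IOException, CertificateException {
        return fromMetadata(Collections.singleton((MetadataObject) JacksonCodecs.json().readValue(str, MetadataObject.class)));
    }

    /**
     * Finds a trusted certificate that signed some element of the presented chain.
     *
     * <p>The chain is walked from {@code x509Certificate} through {@code list} in order.
     * For each element, the trusted certificates with a matching subject are tried as
     * signers; the first one whose key verifies the element's signature is returned.
     * Before moving to the next element, the previous element must verify against the
     * next element's key, otherwise the chain is considered broken and nothing is returned.
     *
     * @param x509Certificate the leaf (attestation) certificate
     * @param list intermediate certificates, in order from the leaf upwards; {@code null}
     *     is treated as an empty chain
     * @return the trust anchor that signed a chain element, or empty if none was found
     *     or the chain does not link up
     * @throws RuntimeException if signature verification fails for a reason other than
     *     a mismatched signature (unsupported algorithm, bad key, certificate error)
     */
    @Override // com.yubico.webauthn.attestation.TrustResolver
    public Optional<X509Certificate> resolveTrustAnchor(X509Certificate x509Certificate, List<X509Certificate> list) {
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(x509Certificate);
        if (list != null) {
            chain.addAll(list);
        }

        X509Certificate previous = null;
        for (X509Certificate current : chain) {
            if (previous != null) {
                logger.trace("No trusted certificate has signed certificate [{}] - trying next element in certificate chain.", previous);
                if (!isSignedBy(previous, current)) {
                    logger.debug("Certificate chain broken - certificate [{}] was not signed by certificate [{}]", previous, current);
                    return Optional.empty();
                }
            }
            Optional<X509Certificate> anchor = findTrustedSigner(current);
            if (anchor.isPresent()) {
                return anchor;
            }
            previous = current;
        }
        logger.debug("No trusted certificate has signed certificate chain {}", chain);
        return Optional.empty();
    }

    /**
     * Checks whether {@code child}'s signature verifies under {@code parent}'s public key.
     *
     * @return {@code true} if the signature verifies, {@code false} on a signature mismatch
     * @throws RuntimeException on any other verification failure
     */
    private static boolean isSignedBy(X509Certificate child, X509Certificate parent) {
        try {
            child.verify(parent.getPublicKey());
            return true;
        } catch (SignatureException e) {
            return false;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | CertificateException e) {
            logger.error("Failed to verify that certificate [{}] was signed by [{}]", child, parent, e);
            throw new RuntimeException("Resolve failed", e);
        }
    }

    /**
     * Looks up the trusted certificates whose subject matches {@code cert}'s issuer and
     * returns the first one whose key verifies {@code cert}'s signature.
     *
     * @return the matching trust anchor, or empty if no trusted certificate signed {@code cert}
     * @throws RuntimeException on a verification failure other than a signature mismatch
     */
    private Optional<X509Certificate> findTrustedSigner(X509Certificate cert) {
        for (X509Certificate candidate : this.trustedCerts.get(cert.getIssuerX500Principal())) {
            try {
                cert.verify(candidate.getPublicKey());
                logger.debug("Found signature from trusted certificate [{}]", candidate);
                return Optional.of(candidate);
            } catch (SignatureException ignored) {
                // Several trusted certificates may share this subject name (e.g. key
                // rollover); a mismatch here just means this candidate is not the signer.
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | CertificateException e) {
                logger.error("Resolve failed", e);
                throw new RuntimeException("Resolve failed", e);
            }
        }
        return Optional.empty();
    }
}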
