package org.minidns.dnssec;

import java.io.IOException;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.minidns.AbstractDnsClient;
import org.minidns.DnsCache;
import org.minidns.dnsmessage.DnsMessage;
import org.minidns.dnsmessage.Question;
import org.minidns.dnsname.DnsName;
import org.minidns.dnsqueryresult.DnsQueryResult;
import org.minidns.dnssec.DnssecUnverifiedReason;
import org.minidns.dnssec.DnssecValidationFailedException;
import org.minidns.iterative.ReliableDnsClient;
import org.minidns.record.DLV;
import org.minidns.record.DNSKEY;
import org.minidns.record.DS;
import org.minidns.record.Data;
import org.minidns.record.DelegatingDnssecRR;
import org.minidns.record.NSEC;
import org.minidns.record.NSEC3;
import org.minidns.record.RRSIG;
import org.minidns.record.Record;

/* loaded from: classes4.dex */
/**
 * DNS client that performs DNSSEC validation locally on every response.
 *
 * <p>Outgoing questions are sent with the EDNS "DNSSEC OK" flag and the
 * "checking disabled" bit set (see {@link #newQuestion}), and responses lacking
 * either flag are rejected (see {@link #isResponseAcceptable}). Each response is
 * then checked by {@code performVerification}: signatures are verified and the
 * signing keys are traced to a configured secure entry point (SEP). Problems are
 * reported either as {@link DnssecUnverifiedReason}s (the result is then not
 * "authentic") or, for hard failures, as {@link DnssecValidationFailedException}.
 *
 * <p>This listing is decompiler output (JADX): the nested classes {@code a} and
 * {@code b} and locals such as {@code z9} carry obfuscated names, and a few
 * statements do not compile as shown. Those places are marked NOTE(review).
 */
public class DnssecClient extends ReliableDnsClient {
    // Lookaside-validation zone, or null when DLV is disabled (the initial state).
    private DnsName dlv;
    // Trust anchors: zone name -> key bytes, compared with DNSKEY.keyEquals in
    // verifySecureEntryPoint. A ConcurrentHashMap, assigned in the constructor.
    private final Map<DnsName, byte[]> knownSeps;
    // When true (the constructor default), RRSIG records are removed from the
    // message sections handed back to the caller.
    private boolean stripSignatureRecords;
    // Hard-coded key material registered as the SEP for DnsName.ROOT in the constructor.
    // NOTE(review): which root KSK this value encodes cannot be told from this file;
    // verify it against the currently published root trust anchor. If it does not match
    // the root DNSKEY returned by the network, verifySecureEntryPoint reports
    // ConflictsWithSep. It is stored via BigInteger.toByteArray(), a two's-complement
    // encoding; confirm the bytes round-trip to what keyEquals expects.
    private static final BigInteger rootEntryKey = new BigInteger("1628686155461064465348252249725010996177649738666492500572664444461532807739744536029771810659241049343994038053541290419968870563183856865780916376571550372513476957870843322273120879361960335192976656756972171258658400305760429696147778001233984421619267530978084631948434496468785021389956803104620471232008587410372348519229650742022804219634190734272506220018657920136902014393834092648785514548876370028925405557661759399901378816916683122474038734912535425670533237815676134840739565610963796427401855723026687073600445461090736240030247906095053875491225879656640052743394090544036297390104110989318819106653199917493");
    // Zone used by enableLookasideValidation().
    // NOTE(review): DLV was moved to Historic status (RFC 8749) and the ISC registry has
    // been retired, so enabling it adds lookups against a zone that is no longer a
    // maintained trust source; prefer leaving DLV disabled.
    private static final DnsName DEFAULT_DLV = DnsName.from("dlv.isc.org");

    /**
     * Synthetic lookup table indexed by {@code Record.TYPE.ordinal()}:
     * NSEC maps to 1, NSEC3 maps to 2, every other type keeps the array default 0.
     * Read by {@code verifyNsec} in place of a switch over the enum.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes4.dex */
    public static /* synthetic */ class a {

        /* renamed from: a, reason: collision with root package name */
        static final /* synthetic */ int[] f41558a;

        static {
            int[] iArr = new int[Record.TYPE.values().length];
            f41558a = iArr;
            try {
                iArr[Record.TYPE.NSEC.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
                // Deliberately ignored: a missing enum constant leaves its entry at 0.
            }
            try {
                f41558a[Record.TYPE.NSEC3.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
                // Deliberately ignored: a missing enum constant leaves its entry at 0.
            }
        }
    }

    /**
     * Mutable result of {@code verifySignatures}.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes4.dex */
    public static class b {

        // Set to true once an RRSIG covering DNSKEY whose signer equals the question
        // name has been processed, i.e. the answer contains a key set that needs a SEP.
        /* renamed from: a, reason: collision with root package name */
        boolean f41559a;

        // Set to true when one of those DNSKEYs has the same key tag as the RRSIG
        // (the "self-signed" case referred to by the log message in verifyAnswer).
        /* renamed from: b, reason: collision with root package name */
        boolean f41560b;

        // Reasons collected while verifying; empty means nothing was objected to.
        /* renamed from: c, reason: collision with root package name */
        Set<DnssecUnverifiedReason> f41561c;

        private b() {
            this.f41559a = false;
            this.f41560b = false;
            this.f41561c = new HashSet();
        }

        // Synthetic accessor constructor; the argument is unused.
        /* synthetic */ b(a aVar) {
            this();
        }
    }

    /**
     * Creates a client backed by {@code AbstractDnsClient.DEFAULT_CACHE}.
     */
    public DnssecClient() {
        this(AbstractDnsClient.DEFAULT_CACHE);
    }

    /**
     * Creates a client with the given cache, signature stripping enabled, DLV
     * disabled, and the built-in root key registered as the only secure entry point.
     *
     * @param dnsCache cache passed to the superclass
     */
    public DnssecClient(DnsCache dnsCache) {
        super(dnsCache);
        this.knownSeps = new ConcurrentHashMap();
        this.stripSignatureRecords = true;
        addSecureEntryPoint(DnsName.ROOT, rootEntryKey.toByteArray());
    }

    /**
     * Tells whether {@code str2} names the same domain as {@code str} or one of its
     * ancestors, comparing dot-separated labels from the right.
     *
     * <p>An empty {@code str2} (the root) is an ancestor of everything. The label
     * comparison is a case-sensitive {@code String.equals}.
     * NOTE(review): the only caller passes the {@code ace} fields of two DnsName
     * objects; this presumably relies on those being case-normalised - confirm.
     *
     * @param str  the candidate child name
     * @param str2 the candidate parent name
     * @return true if {@code str2} equals or is an ancestor of {@code str}
     */
    private static boolean isParentOrSelf(String str, String str2) {
        if (str.equals(str2) || str2.isEmpty()) {
            return true;
        }
        String[] split = str.split("\\.");
        String[] split2 = str2.split("\\.");
        // A name with more labels cannot be an ancestor.
        if (split2.length > split.length) {
            return false;
        }
        // Walk both names from the rightmost label towards the left.
        for (int i9 = 1; i9 <= split2.length; i9++) {
            if (!split2[split2.length - i9].equals(split[split.length - i9])) {
                return false;
            }
        }
        return true;
    }

    /**
     * Validates a raw query result and wraps it in a {@link DnssecQueryResult}.
     *
     * <p>The AD ("authentic data") flag of the rebuilt message is this client's own
     * verdict: it is set exactly when verification produced no unverified reasons,
     * whatever the server sent. All RRSIG records from the three sections are
     * collected into the result; they are removed from the rebuilt message only when
     * {@code stripSignatureRecords} is true.
     *
     * @param dnsQueryResult the result to validate, may be null
     * @return the validated result, or null when {@code dnsQueryResult} is null
     * @throws IOException if a follow-up query fails or validation fails hard
     */
    private DnssecQueryResult performVerification(DnsQueryResult dnsQueryResult) throws IOException {
        if (dnsQueryResult == null) {
            return null;
        }
        DnsMessage dnsMessage = dnsQueryResult.response;
        DnsMessage.Builder asBuilder = dnsMessage.asBuilder();
        Set<DnssecUnverifiedReason> verify = verify(dnsMessage);
        asBuilder.setAuthenticData(verify.isEmpty());
        List<Record<? extends Data>> list = dnsMessage.answerSection;
        List<Record<? extends Data>> list2 = dnsMessage.authoritySection;
        List<Record<? extends Data>> list3 = dnsMessage.additionalSection;
        // Keep the signatures available to the caller even if they are stripped below.
        HashSet hashSet = new HashSet();
        Record.filter(hashSet, RRSIG.class, list);
        Record.filter(hashSet, RRSIG.class, list2);
        Record.filter(hashSet, RRSIG.class, list3);
        if (this.stripSignatureRecords) {
            asBuilder.setAnswers(stripSignatureRecords(list));
            asBuilder.setNameserverRecords(stripSignatureRecords(list2));
            asBuilder.setAdditionalResourceRecords(stripSignatureRecords(list3));
        }
        return new DnssecQueryResult(asBuilder.build(), dnsQueryResult, hashSet, verify);
    }

    /**
     * Returns the records of {@code list} whose type is not RRSIG.
     *
     * @param list the section to filter
     * @return {@code list} itself when it is empty, otherwise a new list
     */
    private static List<Record<? extends Data>> stripSignatureRecords(List<Record<? extends Data>> list) {
        if (list.isEmpty()) {
            return list;
        }
        ArrayList arrayList = new ArrayList(list.size());
        for (Record<? extends Data> record : list) {
            if (record.type != Record.TYPE.RRSIG) {
                arrayList.add(record);
            }
        }
        return arrayList;
    }

    /**
     * Dispatches to answer verification when the answer section is non-empty and to
     * NSEC/NSEC3 (negative response) verification otherwise.
     *
     * @return the reasons the message could not be verified; empty if it verified
     */
    private Set<DnssecUnverifiedReason> verify(DnsMessage dnsMessage) throws IOException {
        return !dnsMessage.answerSection.isEmpty() ? verifyAnswer(dnsMessage) : verifyNsec(dnsMessage);
    }

    /**
     * Verifies the answer section of a positive response against its first question.
     *
     * <p>{@code copyAnswers} is a working copy: {@code verifySignatures} removes every
     * record it accounted for, so whatever remains afterwards is unsigned. DNSKEY
     * records left in the copy are checked against the secure entry points and then
     * removed as well.
     *
     * @return the unverified reasons; empty if the answer verified
     * @throws DnssecValidationFailedException if only part of the answer is signed
     * @throws IOException if a follow-up query fails
     */
    /* JADX WARN: Multi-variable type inference failed */
    private Set<DnssecUnverifiedReason> verifyAnswer(DnsMessage dnsMessage) throws IOException {
        // z9: at least one DNSKEY matched a secure entry point without objections.
        boolean z9 = false;
        Question question = dnsMessage.questions.get(0);
        List<Record<? extends Data>> list = dnsMessage.answerSection;
        List<Record<? extends Data>> copyAnswers = dnsMessage.copyAnswers();
        b verifySignatures = verifySignatures(question, list, copyAnswers);
        Set<DnssecUnverifiedReason> set = verifySignatures.f41561c;
        if (!set.isEmpty()) {
            return set;
        }
        // Reasons from SEP checks; only reported if no DNSKEY turns out to be trusted.
        HashSet hashSet = new HashSet();
        Iterator<Record<? extends Data>> it = copyAnswers.iterator();
        while (it.hasNext()) {
            // NOTE(review): decompiler artefact - `E` is not declared in this scope and
            // `!= 0` presumably stands for a null check; this does not compile as shown.
            Record<E> ifPossibleAs = it.next().ifPossibleAs(DNSKEY.class);
            if (ifPossibleAs != 0) {
                Set<DnssecUnverifiedReason> verifySecureEntryPoint = verifySecureEntryPoint(ifPossibleAs);
                if (verifySecureEntryPoint.isEmpty()) {
                    z9 = true;
                } else {
                    hashSet.addAll(verifySecureEntryPoint);
                }
                if (!verifySignatures.f41560b) {
                    AbstractDnsClient.LOGGER.finer("SEP key is not self-signed.");
                }
                it.remove();
            }
        }
        // A self-signed key set with no trusted key: surface why the SEP checks failed.
        if (verifySignatures.f41560b && !z9) {
            set.addAll(hashSet);
        }
        // A key set that needs a SEP signature but has none.
        if (verifySignatures.f41559a && !verifySignatures.f41560b) {
            set.add(new DnssecUnverifiedReason.NoSecureEntryPointReason(question.name));
        }
        if (!copyAnswers.isEmpty()) {
            // Some records are covered and some are not: treated as a hard failure
            // rather than an "unverified" result.
            if (copyAnswers.size() != list.size()) {
                throw new DnssecValidationFailedException(question, "Only some records are signed!");
            }
            set.add(new DnssecUnverifiedReason.NoSignaturesReason(question));
        }
        return set;
    }

    /**
     * Verifies a response with an empty answer section using the authority section.
     *
     * <p>The zone is taken from the first SOA record in the authority section. NSEC
     * and NSEC3 records are checked through the obfuscated helpers
     * {@code org.minidns.dnssec.a.h} and {@code a.i}, then the signatures over the
     * authority section are verified.
     *
     * <p>NOTE(review): if the authority section carries no NSEC/NSEC3 record at all,
     * nothing in this method checks a denial-of-existence proof and the outcome rests
     * on the signature check alone - confirm that this is intended.
     *
     * @return the unverified reasons; empty if the response verified
     * @throws DnssecValidationFailedException if there is no SOA, if NSEC records are
     *         present but none verifies, or if only part of the section is signed
     * @throws IOException if a follow-up query fails
     */
    private Set<DnssecUnverifiedReason> verifyNsec(DnsMessage dnsMessage) throws IOException {
        DnsName dnsName;
        DnssecUnverifiedReason h9;
        HashSet hashSet = new HashSet();
        // z9: an NSEC/NSEC3 record was examined (see the NOTE inside the loop below).
        boolean z9 = false;
        Question question = dnsMessage.questions.get(0);
        List<Record<? extends Data>> list = dnsMessage.authoritySection;
        // Locate the first SOA record; its owner name is used as the zone.
        Iterator<Record<? extends Data>> it = list.iterator();
        while (true) {
            if (!it.hasNext()) {
                dnsName = null;
                break;
            }
            Record<? extends Data> next = it.next();
            if (next.type == Record.TYPE.SOA) {
                dnsName = next.name;
                break;
            }
        }
        if (dnsName == null) {
            throw new DnssecValidationFailedException.AuthorityDoesNotContainSoa(dnsMessage);
        }
        // z10: at least one NSEC/NSEC3 record verified without an objection.
        boolean z10 = false;
        for (Record<? extends Data> record : list) {
            // 1 = NSEC, 2 = NSEC3, 0 = anything else (see nested class a).
            int i9 = a.f41558a[record.type.ordinal()];
            if (i9 == 1) {
                h9 = org.minidns.dnssec.a.h(record.as(NSEC.class), question);
            } else if (i9 == 2) {
                h9 = org.minidns.dnssec.a.i(dnsName, record.as(NSEC3.class), question);
            }
            // NOTE(review): as decompiled, h9 is read here without being assigned when the
            // record is neither NSEC nor NSEC3, which does not compile. The original
            // presumably skipped such records - confirm against the upstream source
            // before relying on the flag logic below.
            if (h9 != null) {
                hashSet.add(h9);
            } else {
                z10 = true;
            }
            z9 = true;
        }
        if (z9 && !z10) {
            throw new DnssecValidationFailedException(question, "Invalid NSEC!");
        }
        // Working copy: verifySignatures removes every record it accounted for.
        List<Record<? extends Data>> copyAuthority = dnsMessage.copyAuthority();
        b verifySignatures = verifySignatures(question, list, copyAuthority);
        if (z10 && verifySignatures.f41561c.isEmpty()) {
            // One valid proof plus clean signatures outweighs objections raised by the
            // other NSEC/NSEC3 records.
            hashSet.clear();
        } else {
            hashSet.addAll(verifySignatures.f41561c);
        }
        // Either everything was accounted for, or nothing was; a mix is a hard failure.
        if (copyAuthority.isEmpty() || copyAuthority.size() == list.size()) {
            return hashSet;
        }
        throw new DnssecValidationFailedException(question, "Only some resource records from the authority section are signed!");
    }

    /**
     * Checks whether a DNSKEY can be traced to a trust anchor.
     *
     * <p>Order of checks: a configured SEP for the owner name (byte comparison via
     * {@code keyEquals}); otherwise, for non-root names, a DS record fetched with a
     * validated {@code queryDnssec} call; otherwise, when DLV is configured and the
     * DLV zone is not below the owner name, a DLV record. The DS/DLV record found is
     * then checked against the key by the obfuscated helper
     * {@code org.minidns.dnssec.a.g}.
     *
     * @param record the DNSKEY record to check
     * @return the unverified reasons; empty if the key is anchored
     * @throws IOException if a follow-up query fails
     */
    private Set<DnssecUnverifiedReason> verifySecureEntryPoint(Record<DNSKEY> record) throws IOException {
        DelegatingDnssecRR delegatingDnssecRR;
        DnsName dnsName;
        DNSKEY dnskey = record.payloadData;
        // hashSet: reasons accumulated here; hashSet2: reasons of the query that
        // supplied the matching DS/DLV record.
        HashSet hashSet = new HashSet();
        Set<DnssecUnverifiedReason> hashSet2 = new HashSet<>();
        // NOTE(review): containsKey followed by get is not atomic on the concurrent map;
        // a concurrent removeSecureEntryPoint/clearSecureEntryPoints call could make
        // get() return null here. How keyEquals treats null is not visible - confirm.
        if (this.knownSeps.containsKey(record.name)) {
            if (dnskey.keyEquals(this.knownSeps.get(record.name))) {
                return hashSet;
            }
            // A SEP is configured for this name but the served key differs.
            hashSet.add(new DnssecUnverifiedReason.ConflictsWithSep(record));
            return hashSet;
        }
        // The root has no parent to ask for a DS record.
        if (record.name.isRootLabel()) {
            hashSet.add(new DnssecUnverifiedReason.NoRootSecureEntryPointReason());
            return hashSet;
        }
        // The DS lookup is itself validated, so its own reasons carry over.
        DnssecQueryResult queryDnssec = queryDnssec(record.name, Record.TYPE.DS);
        hashSet.addAll(queryDnssec.getUnverifiedReasons());
        Iterator it = queryDnssec.dnsQueryResult.response.filterAnswerSectionBy(DS.class).iterator();
        // Take the first DS record whose key tag equals the key's tag.
        // NOTE(review): key tags are a 16-bit checksum and not unique; only the first
        // match is tried, so a colliding DS record would fail the check below instead of
        // falling through to the next candidate.
        while (true) {
            if (!it.hasNext()) {
                delegatingDnssecRR = null;
                break;
            }
            delegatingDnssecRR = (DS) ((Record) it.next()).payloadData;
            if (dnskey.getKeyTag() == delegatingDnssecRR.keyTag) {
                hashSet2 = queryDnssec.getUnverifiedReasons();
                break;
            }
        }
        if (delegatingDnssecRR == null) {
            AbstractDnsClient.LOGGER.fine("There is no DS record for " + ((Object) record.name) + ", server gives empty result");
        }
        // Lookaside fallback; runs only when DLV has been configured explicitly.
        if (delegatingDnssecRR == null && (dnsName = this.dlv) != null && !dnsName.isChildOf(record.name)) {
            DnssecQueryResult queryDnssec2 = queryDnssec(DnsName.from(record.name, this.dlv), Record.TYPE.DLV);
            hashSet.addAll(queryDnssec2.getUnverifiedReasons());
            Iterator it2 = queryDnssec2.dnsQueryResult.response.filterAnswerSectionBy(DLV.class).iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                Record record2 = (Record) it2.next();
                if (record.payloadData.getKeyTag() == ((DLV) record2.payloadData).keyTag) {
                    AbstractDnsClient.LOGGER.fine("Found DLV for " + ((Object) record.name) + ", awesome.");
                    delegatingDnssecRR = (DelegatingDnssecRR) record2.payloadData;
                    hashSet2 = queryDnssec2.getUnverifiedReasons();
                    break;
                }
            }
        }
        if (delegatingDnssecRR == null) {
            // No delegation record: report the lookup problems if there were any,
            // otherwise state that no trust anchor exists for this name.
            if (!hashSet.isEmpty()) {
                return hashSet;
            }
            hashSet.add(new DnssecUnverifiedReason.NoTrustAnchorReason(record.name));
            return hashSet;
        }
        DnssecUnverifiedReason g9 = org.minidns.dnssec.a.g(record, delegatingDnssecRR);
        if (g9 == null) {
            // The key matches the DS/DLV record; the result is as trustworthy as the
            // query that delivered that record.
            return hashSet2;
        }
        hashSet.add(g9);
        return hashSet;
    }

    /**
     * Verifies the RRSIG records found in {@code list} against the records in
     * {@code collection}, and removes from {@code list} everything accounted for.
     *
     * <p>Signatures are first split by validity period using the local clock
     * ({@code new Date()}), with no tolerance for clock skew: a wrong device clock
     * therefore yields {@code NoActiveSignaturesReason}. Covered records are removed
     * from {@code list} only when the signer is the owner name or one of its
     * ancestors; records signed by an unrelated name stay in {@code list}, so the
     * callers treat them as unsigned.
     *
     * @param question   the question being answered
     * @param collection the section to look up covered records in (not modified)
     * @param list       working copy of that section; modified in place
     * @return flags and unverified reasons
     * @throws IOException if a follow-up query fails or a signing key is unknown
     */
    /* JADX WARN: Multi-variable type inference failed */
    private b verifySignatures(Question question, Collection<Record<? extends Data>> collection, List<Record<? extends Data>> list) throws IOException {
        Date date = new Date();
        // linkedList: signatures outside their validity period; arrayList: usable ones.
        LinkedList linkedList = new LinkedList();
        b bVar = new b(null);
        ArrayList<Record> arrayList = new ArrayList(list.size());
        Iterator<Record<? extends Data>> it = list.iterator();
        while (it.hasNext()) {
            // NOTE(review): decompiler artefact - `E` is not declared in this scope and
            // `!= 0` presumably stands for a null check; this does not compile as shown.
            Record<E> ifPossibleAs = it.next().ifPossibleAs(RRSIG.class);
            if (ifPossibleAs != 0) {
                RRSIG rrsig = (RRSIG) ifPossibleAs.payloadData;
                // Expired, or not yet valid.
                if (rrsig.signatureExpiration.compareTo(date) < 0 || rrsig.signatureInception.compareTo(date) > 0) {
                    linkedList.add(rrsig);
                } else {
                    arrayList.add(ifPossibleAs);
                }
            }
        }
        if (arrayList.isEmpty()) {
            if (linkedList.isEmpty()) {
                bVar.f41561c.add(new DnssecUnverifiedReason.NoSignaturesReason(question));
            } else {
                bVar.f41561c.add(new DnssecUnverifiedReason.NoActiveSignaturesReason(question, linkedList));
            }
            return bVar;
        }
        for (Record record : arrayList) {
            RRSIG rrsig2 = (RRSIG) record.payloadData;
            // The RRset this signature covers: same owner name, type == typeCovered.
            ArrayList arrayList2 = new ArrayList(collection.size());
            for (Record<? extends Data> record2 : collection) {
                if (record2.type == rrsig2.typeCovered && record2.name.equals(record.name)) {
                    arrayList2.add(record2);
                }
            }
            bVar.f41561c.addAll(verifySignedRecords(question, rrsig2, arrayList2));
            if (question.name.equals(rrsig2.signerName) && rrsig2.typeCovered == Record.TYPE.DNSKEY) {
                // The DNSKEYs are taken out of arrayList2 so that removeAll below leaves
                // them in `list`; verifyAnswer then checks them against the SEPs.
                Iterator<Record<? extends Data>> it2 = arrayList2.iterator();
                while (it2.hasNext()) {
                    DNSKEY dnskey = (DNSKEY) it2.next().ifPossibleAs(DNSKEY.class).payloadData;
                    it2.remove();
                    if (dnskey.getKeyTag() == rrsig2.keyTag) {
                        bVar.f41560b = true;
                    }
                }
                bVar.f41559a = true;
            }
            if (isParentOrSelf(record.name.ace, rrsig2.signerName.ace)) {
                list.removeAll(arrayList2);
            } else {
                AbstractDnsClient.LOGGER.finer("Records at " + ((Object) record.name) + " are cross-signed with a key from " + ((Object) rrsig2.signerName));
            }
            // The signature record itself is always accounted for.
            list.remove(record);
        }
        return bVar;
    }

    /**
     * Verifies one RRSIG over the RRset it covers, locating the signing key first.
     *
     * <p>For a signature over DNSKEY the key is taken from the covered records
     * themselves. Otherwise the signer's DNSKEY set is fetched with a validated
     * {@code queryDnssec} call, except for a DS question signed by the queried name
     * itself, which is reported as having no trust anchor. The key is chosen by key
     * tag, first match only. The cryptographic check is done by the obfuscated helper
     * {@code org.minidns.dnssec.a.f}.
     *
     * @param question the question being answered
     * @param rrsig    the signature to verify
     * @param list     the records covered by the signature
     * @return the unverified reasons; empty if the signature verified
     * @throws DnssecValidationFailedException if no key with the signature's key tag is found
     * @throws IOException if a follow-up query fails
     */
    private Set<DnssecUnverifiedReason> verifySignedRecords(Question question, RRSIG rrsig, List<Record<? extends Data>> list) throws IOException {
        HashSet hashSet = new HashSet();
        Record.TYPE type = rrsig.typeCovered;
        Record.TYPE type2 = Record.TYPE.DNSKEY;
        DNSKEY dnskey = null;
        if (type == type2) {
            // Signature over a key set: look for the signing key inside that set.
            Iterator it = Record.filter(DNSKEY.class, list).iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Record record = (Record) it.next();
                if (((DNSKEY) record.payloadData).getKeyTag() == rrsig.keyTag) {
                    dnskey = (DNSKEY) record.payloadData;
                    break;
                }
            }
        } else if (question.type != Record.TYPE.DS || !rrsig.signerName.equals(question.name)) {
            // Fetch and validate the signer's keys; this is what walks the chain of trust.
            DnssecQueryResult queryDnssec = queryDnssec(rrsig.signerName, type2);
            hashSet.addAll(queryDnssec.getUnverifiedReasons());
            Iterator it2 = queryDnssec.dnsQueryResult.response.filterAnswerSectionBy(DNSKEY.class).iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                Record record2 = (Record) it2.next();
                if (((DNSKEY) record2.payloadData).getKeyTag() == rrsig.keyTag) {
                    dnskey = (DNSKEY) record2.payloadData;
                    break;
                }
            }
        } else {
            // A DS answer signed by the very name it is about is not followed further.
            hashSet.add(new DnssecUnverifiedReason.NoTrustAnchorReason(question.name));
            return hashSet;
        }
        if (dnskey != null) {
            DnssecUnverifiedReason f9 = org.minidns.dnssec.a.f(list, rrsig, dnskey);
            if (f9 != null) {
                hashSet.add(f9);
            }
            return hashSet;
        }
        throw new DnssecValidationFailedException(question, list.size() + " " + rrsig.typeCovered + " record(s) are signed using an unknown key.");
    }

    /**
     * Registers (or replaces) the trust anchor for a zone.
     *
     * <p>Anything stored here is trusted without further checks, so this must only
     * be fed from a trusted configuration source. The array is stored by reference,
     * not copied: later changes to {@code bArr} by the caller change the anchor.
     *
     * @param dnsName the zone the key belongs to
     * @param bArr    the key bytes, compared against DNSKEY records via keyEquals
     */
    public void addSecureEntryPoint(DnsName dnsName, byte[] bArr) {
        this.knownSeps.put(dnsName, bArr);
    }

    /**
     * Removes every trust anchor, including the root key added by the constructor.
     * Afterwards a root DNSKEY yields {@code NoRootSecureEntryPointReason}.
     */
    public void clearSecureEntryPoints() {
        this.knownSeps.clear();
    }

    /**
     * Sets the zone used for lookaside validation.
     *
     * @param dnsName the DLV zone, or null to disable lookaside validation
     */
    public void configureLookasideValidation(DnsName dnsName) {
        this.dlv = dnsName;
    }

    /**
     * Disables lookaside validation (the state after construction).
     */
    public void disableLookasideValidation() {
        configureLookasideValidation(null);
    }

    /**
     * Enables lookaside validation against {@code DEFAULT_DLV} (dlv.isc.org).
     * NOTE(review): DLV has Historic status (RFC 8749); see the note on DEFAULT_DLV.
     */
    public void enableLookasideValidation() {
        configureLookasideValidation(DEFAULT_DLV);
    }

    /**
     * Rejects responses that do not echo the DO flag or do not have the CD bit set,
     * returning the rejection message; otherwise defers to the superclass.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.minidns.iterative.ReliableDnsClient
    public String isResponseAcceptable(DnsMessage dnsMessage) {
        return !dnsMessage.isDnssecOk() ? "DNSSEC OK (DO) flag not set in response" : !dnsMessage.checkingDisabled ? "CHECKING DISABLED (CD) flag not set in response" : super.isResponseAcceptable(dnsMessage);
    }

    /**
     * @return whether RRSIG records are removed from returned messages
     */
    public boolean isStripSignatureRecords() {
        return this.stripSignatureRecords;
    }

    /**
     * Prepares an outgoing question: EDNS with the data source's UDP payload size and
     * the DO flag, plus the CD bit, so that signatures are delivered and this client
     * does the checking itself.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.minidns.iterative.ReliableDnsClient, org.minidns.AbstractDnsClient
    public DnsMessage.Builder newQuestion(DnsMessage.Builder builder) {
        builder.getEdnsBuilder().setUdpPayloadSize(this.dataSource.getUdpPayloadSize()).setDnssecOk();
        builder.setCheckingDisabled(true);
        return super.newQuestion(builder);
    }

    /**
     * Runs a validated query and returns the underlying result only if it is
     * authentic; any unverified result is refused (fail closed).
     *
     * <p>NOTE(review): the IOException thrown here has no message and does not carry
     * the unverified reasons, so callers and logs cannot tell a validation failure
     * from a transport error; use {@link #queryDnssec(Question)} when the reasons are
     * needed. Also, {@code performVerification} returns null for a null result, which
     * would surface here as a NullPointerException - confirm whether the superclass
     * query can return null.
     *
     * @throws IOException if the query fails or the result is not authentic
     */
    @Override // org.minidns.AbstractDnsClient
    public DnsQueryResult query(Question question) throws IOException {
        DnssecQueryResult queryDnssec = queryDnssec(question);
        if (queryDnssec.isAuthenticData()) {
            return queryDnssec.dnsQueryResult;
        }
        throw new IOException();
    }

    /**
     * Convenience overload: validated query for {@code charSequence} with the given
     * type in class IN.
     */
    public DnssecQueryResult queryDnssec(CharSequence charSequence, Record.TYPE type) throws IOException {
        return queryDnssec(new Question(charSequence, type, Record.CLASS.IN));
    }

    /**
     * Runs the superclass query and validates its result. Unlike
     * {@link #query(Question)}, an unverified result is returned to the caller, who
     * must check {@code isAuthenticData()} / {@code getUnverifiedReasons()} before
     * trusting the records.
     */
    public DnssecQueryResult queryDnssec(Question question) throws IOException {
        return performVerification(super.query(question));
    }

    /**
     * Removes the trust anchor registered for {@code dnsName}, if any.
     */
    public void removeSecureEntryPoint(DnsName dnsName) {
        this.knownSeps.remove(dnsName);
    }

    /**
     * @param z9 true to remove RRSIG records from returned messages
     */
    public void setStripSignatureRecords(boolean z9) {
        this.stripSignatureRecords = z9;
    }
}
