package org.xbill.DNS.dnssec;

import com.alibaba.fastjson.asm.Opcodes;
import com.bytedance.framwork.core.sdklib.LogStoreManager;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import lombok.Generated;
import org.slf4j.Marker;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.NSEC3Record;
import org.xbill.DNS.Name;
import org.xbill.DNS.NameTooLongException;
import org.xbill.DNS.Record;
import org.xbill.DNS.TextParseException;
import org.xbill.DNS.j7;

/* compiled from: NSEC3ValUtils.java */
/* loaded from: classes6.dex */
final class h {

    @Generated
    private static final org.slf4j.a b = org.slf4j.b.i(h.class);
    private static final Name c = Name.fromConstantString(Marker.ANY_MARKER);
    private static final int d = 65536;
    private final TreeMap<Integer, Integer> a;

    /* JADX INFO: Access modifiers changed from: private */
    /* compiled from: NSEC3ValUtils.java */
    /* loaded from: classes6.dex */
    public static final class b {
        private final Name a;
        private final NSEC3Record b;
        private NSEC3Record c;
        private SecurityStatus d;

        private b(Name name, NSEC3Record nSEC3Record) {
            this.d = SecurityStatus.UNCHECKED;
            this.a = name;
            this.b = nSEC3Record;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public h() {
        TreeMap<Integer, Integer> treeMap = new TreeMap<>();
        this.a = treeMap;
        treeMap.put(1024, Integer.valueOf(Opcodes.FCMPG));
        treeMap.put(2048, Integer.valueOf(LogStoreManager.WEED_OUT_ROWS_SINGLE_TIME));
        treeMap.put(4096, 2500);
    }

    private Name b(Name name) {
        try {
            return Name.concatenate(c, name);
        } catch (NameTooLongException unused) {
            return null;
        }
    }

    private b c(Name name, Name name2, List<SRRset> list) {
        while (true) {
            if (name.labels() < name2.labels()) {
                return null;
            }
            NSEC3Record e = e(name, name2, list);
            if (e != null) {
                return new b(name, e);
            }
            name = new Name(name, 1);
        }
    }

    private NSEC3Record d(Name name, Name name2, List<SRRset> list) {
        NSEC3Record nSEC3Record;
        for (SRRset sRRset : list) {
            try {
                nSEC3Record = (NSEC3Record) sRRset.first();
            } catch (NoSuchAlgorithmException e) {
                b.debug("Unrecognized NSEC3 in set: {}", sRRset, e);
            }
            if (h(nSEC3Record, name2, nSEC3Record.hashName(name))) {
                return nSEC3Record;
            }
        }
        return null;
    }

    private NSEC3Record e(Name name, Name name2, List<SRRset> list) {
        NSEC3Record nSEC3Record;
        h5.b bVar = new h5.b("0123456789ABCDEFGHIJKLMNOPQRSTUV=", false, false);
        for (SRRset sRRset : list) {
            try {
                nSEC3Record = (NSEC3Record) sRRset.first();
            } catch (NoSuchAlgorithmException | TextParseException e) {
                b.debug("Unrecognized NSEC3 in set: {}", sRRset, e);
            }
            if (new Name(bVar.d(nSEC3Record.hashName(name)), name2).equals(nSEC3Record.getName())) {
                return nSEC3Record;
            }
        }
        return null;
    }

    private Name g(Name name, Name name2) {
        int labels = (name.labels() - name2.labels()) - 1;
        return labels > 0 ? new Name(name, labels) : name;
    }

    private boolean h(NSEC3Record nSEC3Record, Name name, byte[] bArr) {
        if (!new Name(nSEC3Record.getName(), 1).equals(name)) {
            return false;
        }
        byte[] b2 = new h5.b("0123456789ABCDEFGHIJKLMNOPQRSTUV=", false, false).b(nSEC3Record.getName().getLabelString(0));
        byte[] next = nSEC3Record.getNext();
        if (org.xbill.DNS.dnssec.a.a(b2, bArr) >= 0 || org.xbill.DNS.dnssec.a.a(bArr, next) >= 0) {
            return org.xbill.DNS.dnssec.a.a(next, b2) <= 0 && (org.xbill.DNS.dnssec.a.a(bArr, b2) > 0 || org.xbill.DNS.dnssec.a.a(bArr, next) < 0);
        }
        return true;
    }

    /* JADX WARN: Multi-variable type inference failed */
    private b i(Name name, Name name2, List<SRRset> list) {
        b c2 = c(name, name2, list);
        if (c2 == null) {
            b.debug("Could not find a candidate for the closest encloser");
            b bVar = new b(Name.empty, null);
            bVar.d = SecurityStatus.BOGUS;
            return bVar;
        }
        if (c2.a.equals(name)) {
            b.debug("Proved that qname existed!");
            c2.d = SecurityStatus.BOGUS;
            return c2;
        }
        if (c2.b.hasType(2) && !c2.b.hasType(6)) {
            if (!c2.b.hasType(43)) {
                c2.d = SecurityStatus.INSECURE;
                return c2;
            }
            b.debug("Closest encloser was a delegation!");
            c2.d = SecurityStatus.BOGUS;
            return c2;
        }
        if (c2.b.hasType(39)) {
            b.debug("Closest encloser was a DNAME!");
            c2.d = SecurityStatus.BOGUS;
            return c2;
        }
        c2.c = d(g(name, c2.a), name2, list);
        if (c2.c != null) {
            c2.d = SecurityStatus.SECURE;
            return c2;
        }
        b.debug("Could not find proof that the closest encloser was the closest encloser");
        c2.d = SecurityStatus.BOGUS;
        return c2;
    }

    private boolean o(int i) {
        return i == 1;
    }

    private boolean p(SRRset sRRset, KeyCache keyCache) {
        int bitLength;
        try {
            Iterator<Record> it = keyCache.c(sRRset.getSignerName(), sRRset.getDClass()).rrs().iterator();
            while (it.hasNext()) {
                DNSKEYRecord dNSKEYRecord = (DNSKEYRecord) it.next();
                switch (dNSKEYRecord.getAlgorithm()) {
                    case 3:
                    case 6:
                        bitLength = ((DSAPublicKey) dNSKEYRecord.getPublicKey()).getParams().getP().bitLength();
                        break;
                    case 4:
                    case 9:
                    case 11:
                    default:
                        return false;
                    case 5:
                    case 7:
                    case 8:
                    case 10:
                        bitLength = ((RSAPublicKey) dNSKEYRecord.getPublicKey()).getModulus().bitLength();
                        break;
                    case 12:
                        bitLength = 512;
                        break;
                    case 13:
                    case 14:
                        bitLength = ((ECPublicKey) dNSKEYRecord.getPublicKey()).getParams().getCurve().getField().getFieldSize();
                        break;
                    case 15:
                        bitLength = 256;
                        break;
                    case 16:
                        bitLength = 456;
                        break;
                }
                Integer floorKey = this.a.floorKey(Integer.valueOf(bitLength));
                if (floorKey == null) {
                    floorKey = this.a.firstKey();
                }
                if (((NSEC3Record) sRRset.first()).getIterations() > this.a.get(floorKey).intValue()) {
                    return false;
                }
            }
            return true;
        } catch (DNSSEC.DNSSECException e) {
            b.error("Could not get public key from NSEC3 record", (Throwable) e);
            return false;
        }
    }

    public boolean a(List<SRRset> list, KeyCache keyCache) {
        HashMap hashMap = new HashMap();
        Iterator<SRRset> it = list.iterator();
        while (it.hasNext()) {
            Iterator<Record> it2 = it.next().rrs().iterator();
            while (it2.hasNext()) {
                NSEC3Record nSEC3Record = (NSEC3Record) it2.next();
                Name name = new Name(nSEC3Record.getName(), 1);
                NSEC3Record nSEC3Record2 = (NSEC3Record) hashMap.get(name);
                if (nSEC3Record2 == null) {
                    hashMap.put(name, nSEC3Record);
                } else {
                    if (nSEC3Record.getHashAlgorithm() != nSEC3Record2.getHashAlgorithm() || nSEC3Record.getIterations() != nSEC3Record2.getIterations()) {
                        return true;
                    }
                    if ((nSEC3Record.getSalt() == null) ^ (nSEC3Record2.getSalt() == null)) {
                        return true;
                    }
                    if (nSEC3Record.getSalt() != null && org.xbill.DNS.dnssec.a.a(nSEC3Record.getSalt(), nSEC3Record2.getSalt()) != 0) {
                        return true;
                    }
                }
            }
        }
        Iterator<SRRset> it3 = list.iterator();
        while (it3.hasNext()) {
            if (p(it3.next(), keyCache)) {
                return false;
            }
        }
        return true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void f(Properties properties) {
        boolean z = true;
        for (Map.Entry entry : properties.entrySet()) {
            String obj = entry.getKey().toString();
            if (obj.startsWith("dnsjava.dnssec.nsec3.iterations")) {
                int parseInt = Integer.parseInt(obj.substring(obj.lastIndexOf(".") + 1));
                int parseInt2 = Integer.parseInt(entry.getValue().toString());
                if (parseInt2 > 65536) {
                    throw new IllegalArgumentException("Iteration count too high.");
                }
                if (z) {
                    this.a.clear();
                    z = false;
                }
                this.a.put(Integer.valueOf(parseInt), Integer.valueOf(parseInt2));
            }
        }
    }

    public SecurityStatus j(List<SRRset> list, Name name, Name name2) {
        if (list == null || list.isEmpty()) {
            return SecurityStatus.BOGUS;
        }
        b i = i(name, name2, list);
        SecurityStatus securityStatus = i.d;
        SecurityStatus securityStatus2 = SecurityStatus.SECURE;
        if (securityStatus != securityStatus2) {
            b.debug("Failed to prove a closest encloser");
            return i.d;
        }
        if (d(b(i.a), name2, list) == null) {
            b.debug("Could not prove that the applicable wildcard did not exist");
            return SecurityStatus.BOGUS;
        }
        if ((i.c.getFlags() & 1) != 1) {
            return securityStatus2;
        }
        b.debug("NSEC3 nameerror proof: nc has optout");
        return SecurityStatus.INSECURE;
    }

    public SecurityStatus k(List<SRRset> list, Name name, Name name2) {
        if (list == null || list.isEmpty()) {
            return SecurityStatus.BOGUS;
        }
        NSEC3Record e = e(name, name2, list);
        if (e != null) {
            return (e.hasType(6) || e.hasType(43)) ? SecurityStatus.BOGUS : !e.hasType(2) ? SecurityStatus.INDETERMINATE : SecurityStatus.SECURE;
        }
        b i = i(name, name2, list);
        if (i.d == SecurityStatus.SECURE && (i.c.getFlags() & 1) == 1) {
            return SecurityStatus.INSECURE;
        }
        return SecurityStatus.BOGUS;
    }

    public d l(List<SRRset> list, Name name, int i, Name name2) {
        if (list == null || list.isEmpty()) {
            return new d(SecurityStatus.BOGUS, 12, R.get("failed.nsec3.none", new Object[0]));
        }
        NSEC3Record e = e(name, name2, list);
        if (e != null) {
            if (e.hasType(i)) {
                b.debug("Matching NSEC3 proved that type existed!");
                return new d(SecurityStatus.BOGUS, 6, R.get("failed.nsec3.type_exists", new Object[0]));
            }
            if (e.hasType(5)) {
                b.debug("Matching NSEC3 proved that a CNAME existed!");
                return new d(SecurityStatus.BOGUS, 6, R.get("failed.nsec3.cname_exists", new Object[0]));
            }
            if (i == 43 && e.hasType(6) && !Name.root.equals(name)) {
                b.debug("Apex NSEC3 abused for no DS proof, bogus");
                return new d(SecurityStatus.BOGUS, 6, R.get("failed.nsec3.apex_abuse", new Object[0]));
            }
            if (i == 43 || !e.hasType(2) || e.hasType(6)) {
                return new d(SecurityStatus.SECURE, -1, null);
            }
            if (e.hasType(43)) {
                b.debug("Matching NSEC3 is a delegation, bogus");
                return new d(SecurityStatus.BOGUS, 6, R.get("failed.nsec3.delegation", new Object[0]));
            }
            b.debug("Matching NSEC3 is insecure delegation");
            return new d(SecurityStatus.INSECURE, -1, null);
        }
        b i2 = i(name, name2, list);
        SecurityStatus securityStatus = i2.d;
        SecurityStatus securityStatus2 = SecurityStatus.BOGUS;
        if (securityStatus == securityStatus2) {
            b.debug("Did not match qname, nor found a proven closest encloser");
            return new d(securityStatus2, 6, R.get("failed.nsec3.qname_ce", new Object[0]));
        }
        SecurityStatus securityStatus3 = i2.d;
        SecurityStatus securityStatus4 = SecurityStatus.INSECURE;
        if (securityStatus3 == securityStatus4 && i != 43) {
            b.debug("Closest NSEC3 is insecure delegation");
            return new d(securityStatus4, -1, null);
        }
        NSEC3Record e2 = e(b(i2.a), name2, list);
        if (e2 == null) {
            if (i2.c == null) {
                b.debug("No next closer NSEC3");
                return new d(securityStatus2, 12, R.get("failed.nsec3.no_next", new Object[0]));
            }
            if ((i2.c.getFlags() & 1) != 0) {
                return new d(securityStatus4, -1, null);
            }
            if (i != 43) {
                b.debug("Covering NSEC3 was not opt-out in an opt-out DS NOERROR/NODATA case");
                return new d(securityStatus2, 6, R.get("failed.nsec3.not_optout", new Object[0]));
            }
            b.debug("Could not find matching NSEC3, nor matching wildcard, and qtype is not DS -- no more options");
            return new d(securityStatus2, 12, R.get("failed.nsec3.not_found", new Object[0]));
        }
        if (e2.hasType(i)) {
            b.debug("Matching wildcard has qtype {}", j7.e(i));
            return new d(securityStatus2, 6, R.get("failed.nsec3.type_exists_wc", new Object[0]));
        }
        if (e2.hasType(5)) {
            b.debug("Matching wildcard has a CNAME, bogus");
            return new d(securityStatus2, 6, R.get("failed.nsec3.cname_exists_wc", new Object[0]));
        }
        if (i == 43 && name.labels() != 1 && e2.hasType(6)) {
            b.debug("Matching wildcard for no DS proof has a SOA, bogus");
            return new d(securityStatus2, 6, R.get("failed.nsec3.wc_soa", new Object[0]));
        }
        if (i != 43 && e2.hasType(2) && !e2.hasType(6)) {
            b.debug("Matching wildcard is a delegation, bogus");
            return new d(securityStatus2, 6, R.get("failed.nsec3.delegation_wc", new Object[0]));
        }
        if (i2.c == null || (i2.c.getFlags() & 1) != 1) {
            return new d(SecurityStatus.SECURE, -1, null);
        }
        b.debug("Matching wildcard is in opt-out range, insecure");
        return new d(securityStatus4, -1, null);
    }

    /* JADX WARN: Multi-variable type inference failed */
    public SecurityStatus m(List<SRRset> list, Name name, Name name2, Name name3) {
        if (list == null || list.isEmpty() || name == null || name3 == null) {
            return SecurityStatus.BOGUS;
        }
        b bVar = new b(new Name(name3, 1), null);
        bVar.c = d(g(name, bVar.a), name2, list);
        if (bVar.c != null) {
            return (bVar.c.getFlags() & 1) == 1 ? SecurityStatus.INSECURE : SecurityStatus.SECURE;
        }
        b.debug("did not find a covering NSEC3 that covered the next closer name to {} from {} (derived from wildcard {})", name, bVar.a, name3);
        return SecurityStatus.BOGUS;
    }

    public void n(List<SRRset> list) {
        ListIterator<SRRset> listIterator = list.listIterator();
        while (listIterator.hasNext()) {
            if (!o(((NSEC3Record) listIterator.next().first()).getHashAlgorithm())) {
                listIterator.remove();
            }
        }
    }
}
