package org.minidns.dnssec;

import com.fasterxml.jackson.core.util.MinimalPrettyPrinter;
import java.io.IOException;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.minidns.AbstractDnsClient;
import org.minidns.DnsCache;
import org.minidns.dnsmessage.DnsMessage;
import org.minidns.dnsmessage.Question;
import org.minidns.dnsname.DnsName;
import org.minidns.dnssec.UnverifiedReason;
import org.minidns.iterative.ReliableDnsClient;
import org.minidns.record.DLV;
import org.minidns.record.DNSKEY;
import org.minidns.record.DS;
import org.minidns.record.Data;
import org.minidns.record.DelegatingDnssecRR;
import org.minidns.record.RRSIG;
import org.minidns.record.Record;

/* loaded from: classes4.dex */
/**
 * DNS client that validates responses with DNSSEC on top of {@link ReliableDnsClient}.
 *
 * <p>Validation problems are collected as {@link UnverifiedReason} entries and attached to the
 * returned {@code DnssecMessage}; only inconsistent data (missing or unknown keys, partially
 * signed sections, invalid NSEC) raises {@code DnssecValidationFailedException}. A response with
 * a non-empty reason set is therefore still returned, so callers must inspect the reasons before
 * treating the data as authenticated.
 *
 * <p>This is JADX decompiler output: identifiers are obfuscated single letters, generics are
 * partly lost ({@code Record<E>}, {@code a != 0} standing in for a null check), and a few
 * statements noted below are decompilation artifacts that would not compile or that change
 * behaviour. Field meanings given here are read off how this class uses them; anything beyond
 * that is marked as an assumption.
 */
public class DnssecClient extends ReliableDnsClient {
    // Key material registered in the constructor as the trusted key for DnsName.a.
    // NOTE(review): presumably the root zone's secure entry point; a hard-coded anchor does not
    // follow key rollovers, so compare it with the currently published root key before relying on it.
    private static final BigInteger m = new BigInteger("1628686155461064465348252249725010996177649738666492500572664444461532807739744536029771810659241049343994038053541290419968870563183856865780916376571550372513476957870843322273120879361960335192976656756972171258658400305760429696147778001233984421619267530978084631948434496468785021389956803104620471232008587410372348519229650742022804219634190734272506220018657920136902014393834092648785514548876370028925405557661759399901378816916683122474038734912535425670533237815676134840739565610963796427401855723026687073600445461090736240030247906095053875491225879656640052743394090544036297390104110989318819106653199917493");
    // DNS name of a lookaside (DLV) registry. Not referenced anywhere else in this class as shown.
    // NOTE(review): DLV was moved to historic status by RFC 8749; treat any DLV path as legacy.
    private static final DnsName n = DnsName.a("dlv.isc.org");
    // Verifier used for RRSIG, DS/DLV and NSEC/NSEC3 checks.
    private Verifier o;
    // Trust anchors: zone name -> key bytes. A DNSKEY whose owner name is in this map is accepted
    // or rejected purely by comparison with the stored bytes (see a(Question, Record<DNSKEY>)).
    private final Map<DnsName, byte[]> p;
    // When true, RRSIG records are filtered out of the sections of the message handed back.
    private boolean q;
    // Zone consulted for DLV records when no DS record matches. No visible code in this class
    // assigns it, so as shown it stays null and the DLV branch is never taken.
    private DnsName r;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.minidns.dnssec.DnssecClient$1, reason: invalid class name */
    /* loaded from: classes4.dex */
    // Compiler-generated switch map: NSEC -> 1, NSEC3 -> 2, every other record type -> 0.
    // Read by d(DnsMessage) to dispatch on the record type.
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] a = new int[Record.TYPE.values().length];

        static {
            try {
                a[Record.TYPE.NSEC.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                a[Record.TYPE.NSEC3.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes4.dex */
    // Outcome of verifying the signatures of one message section.
    public class VerifySignaturesResult {
        // Set when a DNSKEY RRset was covered by an RRSIG whose signer name equals the question name.
        boolean a;
        // Set when one of the DNSKEYs in that RRset has the same g() value as the RRSIG's j field
        // (presumably the key tag); c(DnsMessage) reads this as "the SEP key is self-signed".
        boolean b;
        // Reasons why records could not be verified; empty means no problem was recorded.
        Set<UnverifiedReason> c;

        private VerifySignaturesResult() {
            this.a = false;
            this.b = false;
            this.c = new HashSet();
        }

        /* synthetic */ VerifySignaturesResult(DnssecClient dnssecClient, AnonymousClass1 anonymousClass1) {
            this();
        }
    }

    /** Creates a client using the cache held in {@code AbstractDnsClient.a}. */
    public DnssecClient() {
        this(AbstractDnsClient.a);
    }

    /**
     * Creates a client with the given cache, a fresh verifier and RRSIG stripping enabled, and
     * registers the built-in key {@code m} as trust anchor for {@code DnsName.a}.
     *
     * @param dnsCache cache passed to the superclass
     */
    public DnssecClient(DnsCache dnsCache) {
        super(dnsCache);
        this.o = new Verifier();
        this.p = new ConcurrentHashMap();
        this.q = true;
        a(DnsName.a, m.toByteArray());
    }

    /**
     * Returns the records of {@code list} whose type is not RRSIG.
     *
     * @param list records of one message section
     * @return {@code list} itself when it is empty, otherwise a new list without RRSIG records
     */
    private static List<Record<? extends Data>> a(List<Record<? extends Data>> list) {
        if (list.isEmpty()) {
            return list;
        }
        ArrayList arrayList = new ArrayList(list.size());
        for (Record<? extends Data> record : list) {
            if (record.b != Record.TYPE.RRSIG) {
                arrayList.add(record);
            }
        }
        return arrayList;
    }

    /**
     * Verifies one RRSIG over the records it covers.
     *
     * <p>The signing DNSKEY is looked up by comparing {@code g()} with {@code rrsig.j}
     * (presumably the key tag - TODO confirm). Exactly one candidate key is handed to the
     * verifier; since such an identifier need not be unique, a second key with the same value
     * is never tried.
     *
     * @param question the question being validated, used for error reporting
     * @param rrsig the signature to check
     * @param list the records covered by {@code rrsig}
     * @return reasons why the records remain unverified; empty when the check passed
     * @throws IOException if the nested DNSKEY lookup fails
     */
    /* JADX WARN: Multi-variable type inference failed */
    private Set<UnverifiedReason> a(Question question, RRSIG rrsig, List<Record<? extends Data>> list) throws IOException {
        HashSet hashSet = new HashSet();
        DNSKEY dnskey = null;
        if (rrsig.c == Record.TYPE.DNSKEY) {
            // The signature covers a DNSKEY RRset: look for the signing key inside that RRset.
            Iterator<Record<? extends Data>> it2 = list.iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                Record<E> a = it2.next().a(DNSKEY.class);
                // "a != 0" is the decompiler's rendering of a null check.
                if (a != 0 && ((DNSKEY) a.f).g() == rrsig.j) {
                    dnskey = (DNSKEY) a.f;
                    break;
                }
            }
        } else {
            // A DS question answered with a signature whose signer name equals the question name
            // is reported as lacking a trust anchor instead of being followed further.
            if (question.b == Record.TYPE.DS && rrsig.k.equals(question.a)) {
                hashSet.add(new UnverifiedReason.NoTrustAnchorReason(question.a.f));
                return hashSet;
            }
            // Fetch the signer's DNSKEY RRset through this client, so it is validated in turn.
            DnssecMessage a2 = a((CharSequence) rrsig.k, Record.TYPE.DNSKEY);
            if (a2 == null) {
                throw new DnssecValidationFailedException(question, "There is no DNSKEY " + ((Object) rrsig.k) + ", but it is used");
            }
            // Whatever left the key set unverified also leaves these records unverified.
            hashSet.addAll(a2.l());
            Iterator<Record<? extends Data>> it3 = a2.m.iterator();
            // No break here: when several keys match, the last one wins.
            while (it3.hasNext()) {
                Record<E> a3 = it3.next().a(DNSKEY.class);
                if (a3 != 0 && ((DNSKEY) a3.f).g() == rrsig.j) {
                    dnskey = (DNSKEY) a3.f;
                }
            }
        }
        if (dnskey != null) {
            UnverifiedReason a4 = this.o.a(list, rrsig, dnskey);
            if (a4 != null) {
                hashSet.add(a4);
            }
            return hashSet;
        }
        // JADX replaced the string literal with a Jackson constant; DEFAULT_ROOT_VALUE_SEPARATOR is a single space.
        throw new DnssecValidationFailedException(question, list.size() + MinimalPrettyPrinter.DEFAULT_ROOT_VALUE_SEPARATOR + rrsig.c + " record(s) are signed using an unknown key.");
    }

    /**
     * Checks whether a DNSKEY is anchored: either it equals a registered trust anchor, or a DS
     * record (or, if a DLV zone is set, a DLV record) of the parent vouches for it.
     *
     * @param question not used in this method
     * @param record the DNSKEY record to check
     * @return reasons why the key is not trusted; empty when it is
     * @throws IOException if a nested DS or DLV lookup fails
     */
    /* JADX WARN: Multi-variable type inference failed */
    private Set<UnverifiedReason> a(Question question, Record<DNSKEY> record) throws IOException {
        Set<UnverifiedReason> set;
        DnsName dnsName;
        DnssecMessage a;
        DNSKEY dnskey = record.f;
        HashSet hashSet = new HashSet();
        Set<UnverifiedReason> hashSet2 = new HashSet<>();
        if (this.p.containsKey(record.a)) {
            // A trust anchor exists for this name: the key must match it, no DS lookup is made.
            if (dnskey.a(this.p.get(record.a))) {
                return hashSet;
            }
            hashSet.add(new UnverifiedReason.ConflictsWithSep(record));
            return hashSet;
        }
        // presumably g() tests for the root name - the reason added names the root; verify
        if (record.a.g()) {
            hashSet.add(new UnverifiedReason.NoRootSecureEntryPointReason());
            return hashSet;
        }
        DelegatingDnssecRR delegatingDnssecRR = null;
        // Validated lookup of the DS RRset for this key's owner name.
        DnssecMessage a2 = a((CharSequence) record.a, Record.TYPE.DS);
        if (a2 == null) {
            AbstractDnsClient.b.fine("There is no DS record for " + ((Object) record.a) + ", server gives no result");
        } else {
            hashSet.addAll(a2.l());
            Iterator<Record<? extends Data>> it2 = a2.m.iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                Record<E> a3 = it2.next().a(DS.class);
                if (a3 != 0) {
                    DS ds = (DS) a3.f;
                    // First DS whose c field equals the key's g() value is used (presumably key tag).
                    if (dnskey.g() == ds.c) {
                        hashSet2 = a2.l();
                        delegatingDnssecRR = ds;
                        break;
                    }
                }
            }
            if (delegatingDnssecRR == null) {
                AbstractDnsClient.b.fine("There is no DS record for " + ((Object) record.a) + ", server gives empty result");
            }
        }
        // Lookaside fallback, only when no DS matched and a DLV zone is configured.
        if (delegatingDnssecRR == null && (dnsName = this.r) != null && !dnsName.b(record.a) && (a = a((CharSequence) DnsName.a(record.a, this.r), Record.TYPE.DLV)) != null) {
            hashSet.addAll(a.l());
            Iterator<Record<? extends Data>> it3 = a.m.iterator();
            while (it3.hasNext()) {
                Record<E> a4 = it3.next().a(DLV.class);
                if (a4 != 0 && record.f.g() == ((DLV) a4.f).c) {
                    AbstractDnsClient.b.fine("Found DLV for " + ((Object) record.a) + ", awesome.");
                    delegatingDnssecRR = (DelegatingDnssecRR) a4.f;
                    set = a.l();
                    break;
                }
            }
        }
        // NOTE(review): as decompiled, this assignment always runs and overwrites the DLV result
        // stored in "set" just above. Looks like a JADX control-flow artifact - confirm against
        // the original source before drawing conclusions about the DLV path.
        set = hashSet2;
        if (delegatingDnssecRR == null) {
            if (!hashSet.isEmpty()) {
                return hashSet;
            }
            hashSet.add(new UnverifiedReason.NoTrustAnchorReason(record.a.f));
            return hashSet;
        }
        UnverifiedReason a5 = this.o.a(record, delegatingDnssecRR);
        if (a5 == null) {
            // Key matches the delegation record: return the reasons inherited from that lookup.
            return set;
        }
        hashSet.add(a5);
        return hashSet;
    }

    /**
     * Verifies every currently valid RRSIG in {@code list} against the records it covers.
     *
     * <p>{@code list} is modified: RRSIGs that were processed are removed, and so are the records
     * they cover when the signer name is the owner name or one of its parents. What is left in
     * {@code list} afterwards is what the callers treat as not signed.
     *
     * @param question the question being validated
     * @param collection the records of the section under validation
     * @param list working copy holding records and RRSIGs still to be verified
     * @return flags and unverified reasons for the section
     * @throws IOException if a nested lookup fails
     */
    /* JADX WARN: Multi-variable type inference failed */
    private VerifySignaturesResult a(Question question, Collection<Record<? extends Data>> collection, List<Record<? extends Data>> list) throws IOException {
        // Signature validity is judged against the local system clock.
        Date date = new Date();
        LinkedList linkedList = new LinkedList();
        VerifySignaturesResult verifySignaturesResult = new VerifySignaturesResult(this, null);
        ArrayList<Record> arrayList = new ArrayList(list.size());
        Iterator<Record<? extends Data>> it2 = list.iterator();
        while (it2.hasNext()) {
            Record<E> a = it2.next().a(RRSIG.class);
            if (a != 0) {
                RRSIG rrsig = (RRSIG) a.f;
                // Signatures with h before now or i after now are set aside as not active
                // (presumably h = expiration and i = inception - TODO confirm).
                if (rrsig.h.compareTo(date) < 0 || rrsig.i.compareTo(date) > 0) {
                    linkedList.add(rrsig);
                } else {
                    arrayList.add(a);
                }
            }
        }
        if (arrayList.isEmpty()) {
            // Distinguish "no signatures at all" from "signatures present, none currently valid".
            if (linkedList.isEmpty()) {
                verifySignaturesResult.c.add(new UnverifiedReason.NoSignaturesReason(question));
            } else {
                verifySignaturesResult.c.add(new UnverifiedReason.NoActiveSignaturesReason(question, linkedList));
            }
            return verifySignaturesResult;
        }
        for (Record record : arrayList) {
            RRSIG rrsig2 = (RRSIG) record.f;
            // Collect the RRset this signature covers: same type as rrsig2.c, same owner name.
            ArrayList arrayList2 = new ArrayList(collection.size());
            for (Record<? extends Data> record2 : collection) {
                if (record2.b == rrsig2.c && record2.a.equals(record.a)) {
                    arrayList2.add(record2);
                }
            }
            verifySignaturesResult.c.addAll(a(question, rrsig2, arrayList2));
            if (question.a.equals(rrsig2.k) && rrsig2.c == Record.TYPE.DNSKEY) {
                Iterator<Record<? extends Data>> it3 = arrayList2.iterator();
                while (it3.hasNext()) {
                    DNSKEY dnskey = (DNSKEY) it3.next().a(DNSKEY.class).f;
                    // Every key is dropped from arrayList2, so the removeAll below leaves these
                    // DNSKEYs in "list" for the trust-anchor check in c(DnsMessage).
                    it3.remove();
                    if (dnskey.g() == rrsig2.j) {
                        verifySignaturesResult.b = true;
                    }
                }
                verifySignaturesResult.a = true;
            }
            // Only a signer that is the owner name or one of its parents clears the records;
            // otherwise they stay in "list" and are later counted as unsigned.
            if (a(record.a.f, rrsig2.k.f)) {
                list.removeAll(arrayList2);
            } else {
                AbstractDnsClient.b.finer("Records at " + ((Object) record.a) + " are cross-signed with a key from " + ((Object) rrsig2.k));
            }
            list.remove(record);
        }
        return verifySignaturesResult;
    }

    /**
     * Wraps a response and its validation outcome in a {@code DnssecMessage}.
     *
     * @param dnsMessage the response
     * @param set the unverified reasons found for it
     * @return a message carrying the RRSIGs of sections m, n and o and the reasons; the sections
     *     themselves lose their RRSIG records when {@code q} is true
     */
    private DnssecMessage a(DnsMessage dnsMessage, Set<UnverifiedReason> set) {
        List<Record<? extends Data>> list = dnsMessage.m;
        List<Record<? extends Data>> list2 = dnsMessage.n;
        List<Record<? extends Data>> list3 = dnsMessage.o;
        HashSet hashSet = new HashSet();
        // presumably copies the RRSIG records of each section into hashSet - verify Record.a
        Record.a(hashSet, RRSIG.class, list);
        Record.a(hashSet, RRSIG.class, list2);
        Record.a(hashSet, RRSIG.class, list3);
        DnsMessage.Builder a = dnsMessage.a();
        if (this.q) {
            a.c(a(list));
            a.d(a(list2));
            a.b(a(list3));
        }
        return new DnssecMessage(a, hashSet, set);
    }

    /**
     * Tests whether {@code str2} equals {@code str} or is a label-wise suffix of it.
     *
     * <p>The comparison is case-sensitive; presumably both arguments are already normalised
     * name strings - verify against the callers.
     *
     * @param str the name to test
     * @param str2 the candidate parent; an empty string matches everything
     * @return {@code true} if every dot-separated label of {@code str2}, taken from the right,
     *     equals the corresponding label of {@code str}
     */
    private static boolean a(String str, String str2) {
        if (str.equals(str2) || str2.isEmpty()) {
            return true;
        }
        String[] split = str.split("\\.");
        String[] split2 = str2.split("\\.");
        if (split2.length > split.length) {
            return false;
        }
        // Compare labels right to left.
        for (int i = 1; i <= split2.length; i++) {
            if (!split2[split2.length - i].equals(split[split.length - i])) {
                return false;
            }
        }
        return true;
    }

    /**
     * Validates a response: section m non-empty goes to {@code c}, otherwise to {@code d}.
     *
     * @param dnsMessage the response to validate
     * @return the unverified reasons found
     * @throws IOException if a nested lookup fails
     */
    private Set<UnverifiedReason> b(DnsMessage dnsMessage) throws IOException {
        return !dnsMessage.m.isEmpty() ? c(dnsMessage) : d(dnsMessage);
    }

    /**
     * Validates a response and wraps it with the outcome.
     *
     * @param question not used in this method
     * @param dnsMessage the response, may be {@code null}
     * @return the wrapped response, or {@code null} when {@code dnsMessage} is {@code null}
     * @throws IOException if a nested lookup fails
     */
    private DnssecMessage b(Question question, DnsMessage dnsMessage) throws IOException {
        if (dnsMessage == null) {
            return null;
        }
        // NOTE(review): j looks like the AD bit, cleared here so the upstream resolver's own
        // "authenticated" claim is not passed through to the caller - confirm.
        if (dnsMessage.j) {
            dnsMessage = dnsMessage.a().a(false).a();
        }
        return a(dnsMessage, b(dnsMessage));
    }

    /**
     * Validates a response whose section m (presumably the answer section) is non-empty.
     *
     * @param dnsMessage the response
     * @return the unverified reasons found; empty when everything verified
     * @throws IOException if a nested lookup fails
     */
    /* JADX WARN: Multi-variable type inference failed */
    private Set<UnverifiedReason> c(DnsMessage dnsMessage) throws IOException {
        boolean z = false;
        Question question = dnsMessage.l.get(0);
        List<Record<? extends Data>> list = dnsMessage.m;
        // Working list that the signature check and the loop below remove entries from;
        // presumably a copy of section m - verify e().
        List<Record<? extends Data>> e = dnsMessage.e();
        VerifySignaturesResult a = a(question, list, e);
        Set<UnverifiedReason> set = a.c;
        if (!set.isEmpty()) {
            return set;
        }
        HashSet hashSet = new HashSet();
        Iterator<Record<? extends Data>> it2 = e.iterator();
        while (it2.hasNext()) {
            Record<E> a2 = it2.next().a(DNSKEY.class);
            if (a2 != 0) {
                // Each remaining DNSKEY is checked against the trust anchors and the parent's DS.
                Set<UnverifiedReason> a3 = a(question, (Record<DNSKEY>) a2);
                if (a3.isEmpty()) {
                    z = true;
                } else {
                    hashSet.addAll(a3);
                }
                if (!a.b) {
                    AbstractDnsClient.b.finer("SEP key is not self-signed.");
                }
                it2.remove();
            }
        }
        // One anchored key is enough: the per-key reasons are reported only if none verified.
        if (a.b && !z) {
            set.addAll(hashSet);
        }
        if (a.a && !a.b) {
            set.add(new UnverifiedReason.NoSecureEntryPointReason(question.a.f));
        }
        if (!e.isEmpty()) {
            // Records are left over: a mix of signed and unsigned records is rejected outright,
            // a section with nothing verified is only reported as unsigned.
            if (e.size() != list.size()) {
                throw new DnssecValidationFailedException(question, "Only some records are signed!");
            }
            set.add(new UnverifiedReason.NoSignaturesReason(question));
        }
        return set;
    }

    /**
     * Validates a response whose section m is empty, using the NSEC/NSEC3 records of section n.
     *
     * @param dnsMessage the response
     * @return the unverified reasons found; empty when the denial verified
     * @throws IOException if a nested lookup fails
     */
    private Set<UnverifiedReason> d(DnsMessage dnsMessage) throws IOException {
        UnverifiedReason a;
        HashSet hashSet = new HashSet();
        boolean z = false;
        Question question = dnsMessage.l.get(0);
        List<Record<? extends Data>> list = dnsMessage.n;
        DnsName dnsName = null;
        // The owner name of the last SOA record in the section is taken as the zone.
        for (Record<? extends Data> record : list) {
            if (record.b == Record.TYPE.SOA) {
                dnsName = record.a;
            }
        }
        if (dnsName == null) {
            throw new DnssecValidationFailedException(question, "NSECs must always match to a SOA");
        }
        boolean z2 = false;
        // z: the loop body ran to its end at least once; z2: at least one check returned no reason.
        for (Record<? extends Data> record2 : list) {
            int i = AnonymousClass1.a[record2.b.ordinal()];
            if (i == 1) {
                a = this.o.a(record2, question);
            } else if (i == 2) {
                a = this.o.a(dnsName, record2, question);
            }
            // NOTE(review): for any other record type "a" is not assigned on this path, so this
            // would not compile as written. Presumably the original skipped such records - confirm
            // against the original source.
            if (a != null) {
                hashSet.add(a);
            } else {
                z2 = true;
            }
            z = true;
        }
        if (z && !z2) {
            throw new DnssecValidationFailedException(question, "Invalid NSEC!");
        }
        List<Record<? extends Data>> f = dnsMessage.f();
        VerifySignaturesResult a2 = a(question, list, f);
        if (z2 && a2.c.isEmpty()) {
            // A verified denial with clean signatures discards the reasons from the other records.
            hashSet.clear();
        } else {
            hashSet.addAll(a2.c);
        }
        if (f.isEmpty() || f.size() == list.size()) {
            return hashSet;
        }
        throw new DnssecValidationFailedException(question, "Only some nameserver records are signed!");
    }

    /**
     * Returns a textual objection when the response lacks the DO or CD flag, otherwise defers to
     * the superclass.
     *
     * @param dnsMessage the response to inspect
     * @return the objection text, or the superclass result
     */
    @Override // org.minidns.iterative.ReliableDnsClient
    protected String a(DnsMessage dnsMessage) {
        return !dnsMessage.j() ? "DNSSEC OK (DO) flag not set in response" : !dnsMessage.k ? "CHECKING DISABLED (CD) flag not set in response" : super.a(dnsMessage);
    }

    /**
     * Prepares an outgoing query.
     *
     * <p>NOTE(review): presumably this enables EDNS with the DO flag and sets the CD flag, matching
     * the two flags required of responses in {@code a(DnsMessage)} - confirm against the builder API.
     *
     * @param builder the query under construction
     * @return the same builder
     */
    @Override // org.minidns.iterative.ReliableDnsClient, org.minidns.AbstractDnsClient
    protected DnsMessage.Builder a(DnsMessage.Builder builder) {
        builder.b().a(this.h.b()).b();
        builder.c(true);
        super.a(builder);
        return builder;
    }

    /**
     * Queries {@code charSequence}/{@code type} in class IN and validates the response.
     *
     * @param charSequence the name to query
     * @param type the record type to query
     * @return the validated response with its unverified reasons, or {@code null} when the
     *     underlying query returned {@code null}
     * @throws IOException if the query or a nested lookup fails
     */
    public DnssecMessage a(CharSequence charSequence, Record.TYPE type) throws IOException {
        Question question = new Question(charSequence, type, Record.CLASS.IN);
        return b(question, super.c(question));
    }

    /**
     * Registers (or replaces) the trust anchor for a zone.
     *
     * <p>Keys matching an entry are trusted without any DS lookup, so this method decides what
     * the client accepts as authentic. The array is stored by reference: a caller that later
     * modifies it changes the anchor.
     *
     * @param dnsName the zone name
     * @param bArr the key bytes to trust for that zone
     */
    public void a(DnsName dnsName, byte[] bArr) {
        this.p.put(dnsName, bArr);
    }

    /** Delegates to the superclass without adding behaviour. */
    @Override // org.minidns.iterative.ReliableDnsClient, org.minidns.AbstractDnsClient
    protected boolean a(Question question, DnsMessage dnsMessage) {
        return super.a(question, dnsMessage);
    }

    /**
     * Answers a question with DNSSEC validation by delegating to {@link #d(Question)}.
     *
     * <p>The result is returned even when it carries unverified reasons; nothing here rejects it.
     *
     * @param question the question to resolve
     * @return the validated response
     * @throws IOException if the query or a nested lookup fails
     */
    @Override // org.minidns.AbstractDnsClient
    public DnsMessage c(Question question) throws IOException {
        return d(question);
    }

    /**
     * Resolves the question through the superclass and validates the response.
     *
     * @param question the question to resolve
     * @return the validated response with its unverified reasons, or {@code null} when the
     *     underlying query returned {@code null}
     * @throws IOException if the query or a nested lookup fails
     */
    public DnssecMessage d(Question question) throws IOException {
        return b(question, super.c(question));
    }
}
