package org.xbill.DNS.dnssec;

import java.security.Security;
import java.time.Instant;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.Marker;
import org.xbill.DNS.DClass;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DSRecord;
import org.xbill.DNS.Message;
import org.xbill.DNS.NSECRecord;
import org.xbill.DNS.Name;
import org.xbill.DNS.NameTooLongException;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;
import org.xbill.DNS.Type;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes2.dex */
public final class ValUtils {
    public static final String ALGORITHM_ENABLED = "dnsjava.dnssec.algorithm";
    public static final String DIGEST_ENABLED = "dnsjava.dnssec.digest";
    public static final String DIGEST_HARDEN_DOWNGRADE = "dnsjava.dnssec.harden_algo_downgrade";
    public static final String DIGEST_PREFERENCE = "dnsjava.dnssec.digest_preference";
    private boolean hasEd25519;
    private boolean hasEd448;
    private boolean hasGost;

    @Generated
    private static final Logger log = LoggerFactory.getLogger((Class<?>) ValUtils.class);
    private static final Name WILDCARD = Name.fromConstantString(Marker.ANY_MARKER);
    private int[] digestPreference = null;
    private Properties config = null;
    private boolean digestHardenDowngrade = true;
    private final DnsSecVerifier verifier = new DnsSecVerifier();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.xbill.DNS.dnssec.ValUtils$1, reason: invalid class name */
    /* loaded from: classes4.dex */
    /*
     * Decompiler rendering of the lookup table behind a switch over SecurityStatus.
     * The array is indexed by SecurityStatus.ordinal() and holds a small case number:
     * SECURE -> 1, BOGUS -> 2, INSECURE -> 3. Every other constant keeps the array
     * default of 0, so callers that test the looked-up value treat those as "no case".
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$xbill$DNS$dnssec$SecurityStatus;

        static {
            // One slot per enum constant known when this class initialises.
            int[] iArr = new int[SecurityStatus.values().length];
            $SwitchMap$org$xbill$DNS$dnssec$SecurityStatus = iArr;
            // Each assignment is guarded separately: a NoSuchFieldError while resolving one
            // constant is ignored and simply leaves that constant's slot at 0.
            try {
                iArr[SecurityStatus.SECURE.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                $SwitchMap$org$xbill$DNS$dnssec$SecurityStatus[SecurityStatus.BOGUS.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
            try {
                $SwitchMap$org$xbill$DNS$dnssec$SecurityStatus[SecurityStatus.INSECURE.ordinal()] = 3;
            } catch (NoSuchFieldError unused3) {
            }
        }
    }

    /* loaded from: classes2.dex */
    /**
     * Result holder returned by {@code nsecProvesNodata}: the verdict plus, on the wildcard
     * path only, the name the wildcard NSEC was anchored at.
     */
    public static class NsecProvesNodataResponse {
        /**
         * Owner name of the wildcard NSEC with its leading label removed; stays {@code null}
         * unless the wildcard branch of {@code nsecProvesNodata} produced the result.
         */
        Name wc;

        /** {@code true} when the examined NSEC is accepted as proof that the type has no data. */
        boolean result;
    }

    /**
     * Creates the helper and records which optional primitives the installed JCA providers
     * offer. {@link Security#getProviders(String)} returns {@code null} when no provider
     * matches the filter, which is what each flag tests for.
     */
    public ValUtils() {
        boolean gostDigestPresent = Security.getProviders("MessageDigest.GOST3411") != null;
        boolean ed25519Present = Security.getProviders("KeyFactory.Ed25519") != null;
        boolean ed448Present = Security.getProviders("KeyFactory.Ed448") != null;
        this.hasGost = gostDigestPresent;
        this.hasEd25519 = ed25519Present;
        this.hasEd448 = ed448Present;
    }

    /**
     * Sorts a response into one of the {@link ResponseClassification} buckets the validator
     * dispatches on. The checks are order-dependent; the first one that matches wins.
     *
     * <p>The numeric literals are constants inlined by the compiler. Read against dnsjava's
     * {@code Rcode}, {@code Section}, {@code Flags} and {@code Type} tables they are:
     * rcode 0 = NOERROR, 3 = NXDOMAIN; section 1 = ANSWER, 2 = AUTHORITY; flag 7 = RD;
     * type 2 = NS, 5 = CNAME, 6 = SOA, 39 = DNAME, 43 = DS, 255 = ANY.
     *
     * @param message message whose header RD flag and question name are consulted
     *     (presumably the original query; confirm against the caller)
     * @param sMessage the response being classified
     * @return the classification; {@code UNKNOWN} when no rule matches
     */
    public static ResponseClassification classifyResponse(Message message, SMessage sMessage) {
        // NXDOMAIN with an empty answer section.
        if (sMessage.getRcode() == 3 && sMessage.getCount(1) == 0) {
            return ResponseClassification.NAMEERROR;
        }
        boolean z = false;
        // RD not set on `message`, empty answer section, rcode other than NOERROR:
        // decide between NODATA and REFERRAL from the authority section alone.
        if (!message.getHeader().getFlag(7) && sMessage.getCount(1) == 0 && sMessage.getRcode() != 0) {
            for (SRRset sRRset : sMessage.getSectionRRsets(2)) {
                // An SOA in authority means NODATA ...
                if (sRRset.getType() == 6) {
                    return ResponseClassification.NODATA;
                }
                // ... a DS means a (signed) referral ...
                if (sRRset.getType() == 43) {
                    return ResponseClassification.REFERRAL;
                }
                // ... and an NS is remembered in case neither of the above shows up.
                if (sRRset.getType() == 2) {
                    z = true;
                }
            }
            return z ? ResponseClassification.REFERRAL : ResponseClassification.NODATA;
        }
        // NOERROR, no authority data, exactly one answer rrset of type NS whose owner is not
        // the name asked for in `message`: treated as a referral.
        if (sMessage.getSectionRRsets(2).isEmpty() && sMessage.getSectionRRsets(1).size() == 1 && sMessage.getRcode() == 0 && sMessage.getSectionRRsets(1).get(0).getType() == 2 && !sMessage.getSectionRRsets(1).get(0).getName().equals(message.getQuestion().getName())) {
            return ResponseClassification.REFERRAL;
        }
        // Any rcode other than NOERROR / NXDOMAIN is not classified further.
        if (sMessage.getRcode() != 0 && sMessage.getRcode() != 3) {
            return ResponseClassification.UNKNOWN;
        }
        // NOERROR with an empty answer section.
        if (sMessage.getRcode() == 0 && sMessage.getCount(1) == 0) {
            return ResponseClassification.NODATA;
        }
        // From here on the question type is taken from the response, not from `message`.
        int type = sMessage.getQuestion().getType();
        if (type == 255) {
            return ResponseClassification.ANY;
        }
        for (SRRset sRRset2 : sMessage.getSectionRRsets(1)) {
            // An answer rrset of the queried type makes the response POSITIVE.
            if (sRRset2.getType() == type) {
                return ResponseClassification.POSITIVE;
            }
            // CNAME / DNAME in the answer: a DS query is classified CNAME at once, any other
            // query type only records that an alias was seen (z is reused as that flag here).
            if (sRRset2.getType() == 5 || sRRset2.getType() == 39) {
                if (type == 43) {
                    return ResponseClassification.CNAME;
                }
                z = true;
            }
        }
        // Alias seen but no rrset of the queried type: the rcode picks the variant.
        if (z) {
            return sMessage.getRcode() == 3 ? ResponseClassification.CNAME_NAMEERROR : ResponseClassification.CNAME_NODATA;
        }
        // NOTE(review): the whole response is logged at WARN here; whether that is acceptable
        // volume/content for production logs depends on the deployment.
        log.warn("Failed to classify response message:\n{}", sMessage);
        return ResponseClassification.UNKNOWN;
    }

    /**
     * Picks the closest encloser of {@code name} given the two names of an NSEC record.
     *
     * @param name the name being tested
     * @param name2 first comparison name (callers in this class pass the NSEC owner)
     * @param name3 second comparison name (callers in this class pass the NSEC next name)
     * @return whichever of the two common ancestors has more labels; on a tie the ancestor
     *     shared with {@code name3} is returned
     */
    public static Name closestEncloser(Name name, Name name2, Name name3) {
        Name sharedWithFirst = longestCommonName(name, name2);
        Name sharedWithSecond = longestCommonName(name, name3);
        if (sharedWithFirst.labels() > sharedWithSecond.labels()) {
            return sharedWithFirst;
        }
        return sharedWithSecond;
    }

    /**
     * Checks one DNSKEY against one DS record and, if the digest matches, verifies the DNSKEY
     * rrset with that key.
     *
     * <p>The DS digest is recomputed from the DNSKEY using the DS record's own digest ID and
     * compared byte for byte with the published digest. Both values are public DNS data, so
     * the early-exit comparison does not expose a secret.
     *
     * @param sRRset the DNSKEY rrset to verify; marked SECURE on success
     * @param instant the time passed to signature verification
     * @param dSRecord the DS record from the parent
     * @param dNSKEYRecord the candidate key
     * @return a good key entry on success, otherwise a bad key entry carrying the reason
     * @throws IllegalStateException if verification reports a status other than SECURE or BOGUS
     */
    private KeyEntry getKeyEntry(SRRset sRRset, Instant instant, DSRecord dSRecord, DNSKEYRecord dNSKEYRecord) {
        byte[] recomputed = new DSRecord(Name.root, dSRecord.getDClass(), 0L, dSRecord.getDigestID(), dNSKEYRecord).getDigest();
        byte[] published = dSRecord.getDigest();

        boolean digestsAgree = recomputed.length == published.length;
        for (int idx = 0; digestsAgree && idx < recomputed.length; idx++) {
            digestsAgree = recomputed[idx] == published[idx];
        }
        if (!digestsAgree) {
            // 6 is presumably the extended DNS error code for "DNSSEC Bogus" - confirm.
            KeyEntry mismatch = KeyEntry.newBadKeyEntry(dSRecord.getName(), dSRecord.getDClass(), dSRecord.getTTL());
            mismatch.setBadReason(6, R.get("dnskey.invalid", new Object[0]));
            return mismatch;
        }

        JustifiedSecStatus outcome = this.verifier.verify(sRRset, dNSKEYRecord, instant);
        switch (outcome.status) {
            case SECURE: {
                sRRset.setSecurityStatus(SecurityStatus.SECURE);
                return KeyEntry.newKeyEntry(sRRset);
            }
            case BOGUS: {
                KeyEntry rejected = KeyEntry.newBadKeyEntry(dSRecord.getName(), dSRecord.getDClass(), dSRecord.getTTL());
                rejected.setBadReason(outcome.edeReason, outcome.reason);
                return rejected;
            }
            default:
                throw new IllegalStateException("Unexpected security status");
        }
    }

    /**
     * Finds the longest suffix the two names have in common.
     *
     * <p>Both names are first cut down to the label count of the shorter one, then leading
     * labels are stripped in lock-step until the remainders are equal.
     *
     * @param name first name
     * @param name2 second name
     * @return the common suffix, or {@link Name#root} when no longer suffix matches
     */
    public static Name longestCommonName(Name name, Name name2) {
        int sharedDepth = Math.min(name.labels(), name2.labels());
        Name left = new Name(name, name.labels() - sharedDepth);
        Name right = new Name(name2, name2.labels() - sharedDepth);
        int stripped = 0;
        // Stops one short of sharedDepth: the remaining candidate would be the root itself.
        while (stripped < sharedDepth - 1) {
            Name leftTail = new Name(left, stripped);
            Name rightTail = new Name(right, stripped);
            if (leftTail.equals(rightTail)) {
                return leftTail;
            }
            stripped++;
        }
        return Name.root;
    }

    /**
     * Decides whether an NSEC record proves that {@code name} does not exist.
     *
     * <p>Type numbers are inlined constants: 2 = NS, 6 = SOA, 39 = DNAME.
     *
     * @param sRRset the NSEC rrset; supplies the owner name and the signer name
     * @param nSECRecord the NSEC record; supplies the next name and the type bitmap
     * @param name the name whose non-existence is to be proven
     * @return {@code true} if the record covers {@code name}
     */
    public static boolean nsecProvesNameError(SRRset sRRset, NSECRecord nSECRecord, Name name) {
        Name owner = sRRset.getName();
        Name nextName = nSECRecord.getNext();

        // The name exists if it is the owner; and a next name outside the signer's zone is
        // not accepted as a valid range end.
        if (name.equals(owner) || !nextName.subdomain(sRRset.getSignerName())) {
            return false;
        }

        if (name.subdomain(owner)) {
            // A DNAME at an ancestor, or a delegation (NS without SOA), means this NSEC
            // cannot speak for names below its owner.
            if (nSECRecord.hasType(39)) {
                return false;
            }
            boolean delegationPoint = nSECRecord.hasType(2) && !nSECRecord.hasType(6);
            if (delegationPoint) {
                return false;
            }
        }

        // Owner equal to next: the record spans the whole zone.
        if (owner.equals(nextName)) {
            return strictSubdomain(name, nextName);
        }
        // Owner sorts after next: the range wraps around the end of the zone.
        if (owner.compareTo(nextName) > 0) {
            return owner.compareTo(name) < 0 && strictSubdomain(name, nextName);
        }
        // Ordinary case: name lies strictly between owner and next.
        return owner.compareTo(name) < 0 && name.compareTo(nextName) < 0;
    }

    /**
     * Evaluates an NSEC type bitmap as proof that no DS record exists at {@code name}.
     *
     * <p>Type numbers are inlined constants: 2 = NS, 6 = SOA, 43 = DS.
     *
     * @param nSECRecord the NSEC record at the queried name
     * @param name the queried name
     * @return {@code BOGUS} if the bitmap lists DS, or lists SOA for a non-root name;
     *     otherwise {@code SECURE} when NS is listed and {@code INSECURE} when it is not
     */
    public static SecurityStatus nsecProvesNoDS(NSECRecord nSECRecord, Name name) {
        // SOA below the root means the NSEC comes from the child side of the cut; a DS bit
        // means the record it claims is absent actually exists.
        boolean childSideSoa = nSECRecord.hasType(6) && !Name.root.equals(name);
        if (childSideSoa || nSECRecord.hasType(43)) {
            return SecurityStatus.BOGUS;
        }
        if (nSECRecord.hasType(2)) {
            return SecurityStatus.SECURE;
        }
        return SecurityStatus.INSECURE;
    }

    /**
     * Checks whether an NSEC record proves that no wildcard could have matched {@code name}.
     *
     * @param sRRset the NSEC rrset
     * @param nSECRecord the NSEC record
     * @param name the queried name
     * @return {@code true} if the record covers the wildcard at the closest encloser;
     *     {@code false} when {@code name} has no labels below that encloser
     */
    public static boolean nsecProvesNoWC(SRRset sRRset, NSECRecord nSECRecord, Name name) {
        int queriedLabels = name.labels();
        Name encloser = closestEncloser(name, sRRset.getName(), nSECRecord.getNext());
        int labelsBelowEncloser = queriedLabels - encloser.labels();
        if (labelsBelowEncloser <= 0) {
            return false;
        }
        Name wildcardAtEncloser = name.wild(labelsBelowEncloser);
        return nsecProvesNameError(sRRset, nSECRecord, wildcardAtEncloser);
    }

    /**
     * Decides whether an NSEC record proves that {@code name} has no data of type {@code i}.
     *
     * <p>Three situations are handled in order: the NSEC owner equals {@code name}; the NSEC
     * shows {@code name} to be an empty non-terminal; the NSEC is a wildcard. Type numbers
     * are inlined constants: 2 = NS, 5 = CNAME, 6 = SOA, 43 = DS.
     *
     * @param sRRset the NSEC rrset; supplies the owner name
     * @param nSECRecord the NSEC record; supplies the next name and the type bitmap
     * @param name the queried name
     * @param i the queried type
     * @return a response whose {@code result} carries the verdict; {@code wc} is set only
     *     when the final wildcard path produced the result
     */
    public static NsecProvesNodataResponse nsecProvesNodata(SRRset sRRset, NSECRecord nSECRecord, Name name, int i) {
        NsecProvesNodataResponse nsecProvesNodataResponse = new NsecProvesNodataResponse();
        // Case 1: the NSEC sits exactly at the queried name.
        if (sRRset.getName().equals(name)) {
            // The bitmap lists the queried type, so the data exists.
            if (nSECRecord.hasType(i)) {
                log.debug("NSEC proofed that {} exists", Type.string(i));
                nsecProvesNodataResponse.result = false;
                return nsecProvesNodataResponse;
            }
            // A CNAME at the name should have been returned instead of NODATA.
            if (nSECRecord.hasType(5)) {
                log.debug("NSEC proofed CNAME");
                nsecProvesNodataResponse.result = false;
                return nsecProvesNodataResponse;
            }
            // NS without SOA marks a delegation; for any type other than DS the reply
            // should have been a referral.
            if (i != 43 && nSECRecord.hasType(2) && !nSECRecord.hasType(6)) {
                log.debug("NSEC proofed missing referral");
                nsecProvesNodataResponse.result = false;
                return nsecProvesNodataResponse;
            }
            // Accepted unless this is a DS query answered with an SOA-bearing NSEC for a
            // non-root name, which is rejected just below.
            if (i != 43 || !nSECRecord.hasType(6) || Name.root.equals(name)) {
                nsecProvesNodataResponse.result = true;
                return nsecProvesNodataResponse;
            }
            log.debug("NSEC from wrong zone");
            nsecProvesNodataResponse.result = false;
            return nsecProvesNodataResponse;
        }
        // Case 2: the next name is strictly below the queried name and the owner sorts before
        // it, i.e. the queried name is an empty non-terminal.
        if (strictSubdomain(nSECRecord.getNext(), name) && sRRset.getName().compareTo(name) < 0) {
            nsecProvesNodataResponse.result = true;
            return nsecProvesNodataResponse;
        }
        // Case 3 applies only to wildcard-owned NSECs.
        if (!sRRset.getName().isWild()) {
            nsecProvesNodataResponse.result = false;
            return nsecProvesNodataResponse;
        }
        // Wildcard owner with its leading "*" label removed.
        Name name2 = new Name(sRRset.getName(), 1);
        if (strictSubdomain(name, name2)) {
            if (nSECRecord.hasType(5)) {
                log.debug("NSEC proofed wildcard CNAME");
                nsecProvesNodataResponse.result = false;
                return nsecProvesNodataResponse;
            }
            if (nSECRecord.hasType(2) && !nSECRecord.hasType(6)) {
                log.debug("Wrong parent (wildcard) NSEC used");
                nsecProvesNodataResponse.result = false;
                return nsecProvesNodataResponse;
            }
            if (nSECRecord.hasType(i)) {
                log.debug("NSEC proofed that {} exists", Type.string(i));
                nsecProvesNodataResponse.result = false;
                return nsecProvesNodataResponse;
            }
        }
        // NOTE(review): this point is also reached when `name` is NOT below the wildcard's
        // parent (the strictSubdomain test above failed). The result is still true with wc
        // set, so the caller has to check wc against the closest encloser itself.
        nsecProvesNodataResponse.wc = name2;
        nsecProvesNodataResponse.result = true;
        return nsecProvesNodataResponse;
    }

    /**
     * Builds the wildcard name at the closest encloser of {@code name}.
     *
     * @param name the queried name
     * @param sRRset the NSEC rrset; supplies the owner name
     * @param nSECRecord the NSEC record; supplies the next name
     * @return the wildcard label prepended to the closest encloser
     * @throws NameTooLongException if the concatenated name is too long
     */
    public static Name nsecWildcard(Name name, SRRset sRRset, NSECRecord nSECRecord) throws NameTooLongException {
        Name encloser = closestEncloser(name, sRRset.getName(), nSECRecord.getNext());
        return Name.concatenate(WILDCARD, encloser);
    }

    /**
     * Resolves an enable/disable switch that defaults to "on".
     *
     * @param str the property key to look up
     * @param z precondition; when {@code false} the feature is off whatever the config says
     * @return {@code false} if the precondition fails; {@code true} if no configuration is
     *     loaded or the key is absent; otherwise the boolean value of the property
     */
    private boolean propertyOrTrueWithPrecondition(String str, boolean z) {
        if (z) {
            Properties settings = this.config;
            return settings == null
                    || Boolean.parseBoolean(settings.getProperty(str, Boolean.TRUE.toString()));
        }
        return false;
    }

    /**
     * Determines whether an rrset was synthesised from a wildcard, using the label count
     * carried in its signatures.
     *
     * @param rRset the signed rrset; assumes it carries at least one RRSIG, since the first
     *     one is read unconditionally (TODO confirm callers guarantee this)
     * @return the wildcard name the rrset was expanded from, or {@code null} if the label
     *     count shows no expansion
     * @throws IllegalArgumentException if the signatures disagree on the label count
     */
    public static Name rrsetWildcard(RRset rRset) {
        List<RRSIGRecord> signatures = rRset.sigs();
        RRSIGRecord reference = signatures.get(0);
        // All signatures must report the same label count, otherwise the wildcard status
        // of the rrset is ambiguous.
        for (RRSIGRecord other : signatures.subList(1, signatures.size())) {
            if (other.getLabels() != reference.getLabels()) {
                throw new IllegalArgumentException("failed.wildcard.label_count_mismatch");
            }
        }

        Name owner = rRset.getName();
        Name base = owner.isWild() ? new Name(owner, 1) : owner;
        // labels() counts the root label, the RRSIG label field does not.
        int expandedLabels = (base.labels() - 1) - reference.getLabels();
        return expandedLabels > 0 ? base.wild(expandedLabels) : null;
    }

    /**
     * Resets the owner name of an NSEC rrset according to the label count of its signature.
     * Rrsets of any type other than NSEC (47) are left untouched.
     *
     * @param sRRset the rrset whose name may be rewritten
     * @param rRSIGRecord the signature supplying the label count and signer name
     * @throws IllegalArgumentException if the signature claims more labels than the owner has
     */
    public static void setCanonicalNsecOwner(SRRset sRRset, RRSIGRecord rRSIGRecord) {
        if (sRRset.getType() == 47) {
            Record nsec = sRRset.first();
            Name owner = nsec.getName();
            // Neither the root label nor a leading wildcard label counts.
            int ownerLabels = owner.isWild() ? owner.labels() - 2 : owner.labels() - 1;
            int signedLabels = rRSIGRecord.getLabels();

            if (signedLabels == ownerLabels) {
                sRRset.setName(owner);
                return;
            }
            if (signedLabels >= ownerLabels) {
                throw new IllegalArgumentException("invalid nsec record");
            }
            // Fewer signed labels than owner labels: the rrset is renamed to a wildcard form.
            int wildDepth = rRSIGRecord.getSigner().labels() - signedLabels;
            sRRset.setName(owner.wild(wildDepth));
        }
    }

    /**
     * Tests whether {@code name} lies strictly below {@code name2}.
     *
     * @param name the candidate child
     * @param name2 the candidate ancestor
     * @return {@code true} if {@code name} has more labels than {@code name2} and ends in it;
     *     equal names are not strict subdomains
     */
    public static boolean strictSubdomain(Name name, Name name2) {
        int extraLabels = name.labels() - name2.labels();
        return extraLabels > 0 && new Name(name, extraLabels).equals(name2);
    }

    /**
     * Reports whether any DS record in the set uses a digest type this validator accepts.
     *
     * @param rRset a DS rrset; every record is cast to {@link DSRecord}
     * @return {@code true} as soon as one supported digest ID is found
     */
    boolean atLeastOneDigestSupported(RRset rRset) {
        for (Record entry : rRset.rrs()) {
            DSRecord ds = (DSRecord) entry;
            if (isDigestSupported(ds.getDigestID())) {
                return true;
            }
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reports whether any DS record in the set names a signing algorithm this validator
     * accepts.
     *
     * @param rRset a DS rrset; every record is cast to {@link DSRecord}
     * @return {@code true} as soon as one supported algorithm is found
     */
    public boolean atLeastOneSupportedAlgorithm(RRset rRset) {
        for (Record entry : rRset.rrs()) {
            DSRecord ds = (DSRecord) entry;
            if (isAlgorithmSupported(ds.getAlgorithm())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Chooses the DS digest type that downgrade hardening will insist on.
     *
     * <p>With a configured preference list, the first listed digest ID that occurs in the set
     * wins; algorithm support is not consulted on this path. Without a list, the highest
     * digest ID whose digest and algorithm are both supported wins.
     *
     * @param sRRset a DS rrset; every record is cast to {@link DSRecord}
     * @return the chosen digest ID, or 0 if nothing qualifies
     */
    int favoriteDSDigestID(SRRset sRRset) {
        int[] preferred = this.digestPreference;
        if (preferred != null) {
            for (int wanted : preferred) {
                for (Record entry : sRRset.rrs()) {
                    DSRecord ds = (DSRecord) entry;
                    if (ds.getDigestID() == wanted) {
                        return ds.getDigestID();
                    }
                }
            }
            return 0;
        }

        int best = 0;
        for (Record entry : sRRset.rrs()) {
            DSRecord ds = (DSRecord) entry;
            boolean improves = ds.getDigestID() > best
                    && isDigestSupported(ds.getDigestID())
                    && isAlgorithmSupported(ds.getAlgorithm());
            if (improves) {
                best = ds.getDigestID();
            }
        }
        return best;
    }

    /**
     * Reports whether the authority section (section 2) holds at least one NSEC (47) or
     * NSEC3 (50) rrset that carries a signature.
     *
     * @param sMessage the response to inspect
     * @return {@code true} if a signed denial-of-existence rrset is present; the signatures
     *     are only counted here, not verified
     */
    public boolean hasSignedNsecs(SMessage sMessage) {
        for (SRRset candidate : sMessage.getSectionRRsets(2)) {
            boolean denialRecord = candidate.getType() == 47 || candidate.getType() == 50;
            if (denialRecord && !candidate.sigs().isEmpty()) {
                return true;
            }
        }
        return false;
    }

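    /**
     * Loads the validator configuration and re-probes the installed JCA providers.
     *
     * <p>Recognised keys: {@link #DIGEST_PREFERENCE}, a comma-separated list of DS digest IDs
     * in order of preference, and {@link #DIGEST_HARDEN_DOWNGRADE}, a boolean. The
     * per-algorithm and per-digest switches are read lazily from the same properties.
     *
     * <p>Downgrade hardening stays enabled when {@link #DIGEST_HARDEN_DOWNGRADE} is absent,
     * matching the field's initial value. An absent key used to parse as {@code false}, so
     * any call to this method without the key silently allowed a weaker DS digest to
     * validate the zone. Set the property to {@code false} explicitly to opt out.
     *
     * @param properties the configuration; must not be {@code null}
     * @throws IllegalArgumentException if the preference list contains a digest ID that is
     *     unsupported or disabled, or an entry that is not an integer
     *     ({@link NumberFormatException})
     */
    public void init(Properties properties) {
        this.hasGost = Security.getProviders("MessageDigest.GOST3411") != null;
        this.hasEd25519 = Security.getProviders("KeyFactory.Ed25519") != null;
        this.hasEd448 = Security.getProviders("KeyFactory.Ed448") != null;
        // Must be assigned before the loop below: isDigestSupported() reads it.
        this.config = properties;

        String preferenceList = properties.getProperty(DIGEST_PREFERENCE);
        if (preferenceList != null) {
            String[] entries = preferenceList.split(",");
            // Parse into a local array so a rejected entry does not leave a half-filled
            // preference list behind on this instance.
            int[] parsed = new int[entries.length];
            for (int idx = 0; idx < entries.length; idx++) {
                // trim() lets "2, 4" parse the same way as "2,4".
                parsed[idx] = Integer.parseInt(entries[idx].trim());
                if (!isDigestSupported(parsed[idx])) {
                    throw new IllegalArgumentException("Unsupported or disabled digest ID in digest preferences");
                }
            }
            this.digestPreference = parsed;
        }

        // Secure default: only an explicit value other than "true" disables the hardening.
        this.digestHardenDowngrade = Boolean.parseBoolean(
                properties.getProperty(DIGEST_HARDEN_DOWNGRADE, Boolean.TRUE.toString()));
    }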

    /**
     * Reports whether a DNSSEC signing algorithm is accepted for validation.
     *
     * <p>Numbers follow the IANA DNSSEC algorithm registry. 3 (DSA) and 6 (DSA-NSEC3-SHA1)
     * are off unless explicitly enabled. 5, 7 (RSA with SHA-1), 8, 10 (RSA with SHA-2) and
     * 13, 14 (ECDSA) are on unless explicitly disabled. 12 (ECC-GOST), 15 (Ed25519) and
     * 16 (Ed448) additionally require a matching JCA provider. Everything else is rejected.
     * The SHA-1 based algorithms 5 and 7 can be turned off through their
     * {@code dnsjava.dnssec.algorithm.<n>} property where policy requires it.
     *
     * @param i the algorithm number
     * @return {@code true} if signatures made with this algorithm may be validated
     */
    boolean isAlgorithmSupported(int i) {
        String key = "dnsjava.dnssec.algorithm." + i;

        // Opt-in algorithms: disabled when unconfigured or when the key is absent.
        if (i == 3 || i == 6) {
            Properties settings = this.config;
            return settings != null
                    && Boolean.parseBoolean(settings.getProperty(key, Boolean.FALSE.toString()));
        }
        // Opt-out algorithms without a provider precondition.
        if (i == 5 || i == 7 || i == 8 || i == 10 || i == 13 || i == 14) {
            return propertyOrTrueWithPrecondition(key, true);
        }
        // Opt-out algorithms that also need provider support.
        if (i == 12) {
            return propertyOrTrueWithPrecondition(key, this.hasGost);
        }
        if (i == 15) {
            return propertyOrTrueWithPrecondition(key, this.hasEd25519);
        }
        if (i == 16) {
            return propertyOrTrueWithPrecondition(key, this.hasEd448);
        }
        return false;
    }

    /**
     * Reports whether a DS digest type is accepted.
     *
     * <p>Numbers follow the IANA DS digest registry: 1 (SHA-1), 2 (SHA-256) and 4 (SHA-384)
     * are on unless disabled through {@code dnsjava.dnssec.digest.<n>}; 3 (GOST) also needs
     * a provider; everything else is rejected.
     *
     * @param i the digest ID
     * @return {@code true} if DS records with this digest may be used
     */
    boolean isDigestSupported(int i) {
        String key = "dnsjava.dnssec.digest." + i;
        switch (i) {
            case 1:
            case 2:
            case 4:
                return propertyOrTrueWithPrecondition(key, true);
            case 3:
                return propertyOrTrueWithPrecondition(key, this.hasGost);
            default:
                return false;
        }
    }

    /**
     * Evaluates the NSEC records of a NODATA reply to a DS query.
     *
     * <p>If an NSEC rrset exists at the queried name it is verified and its bitmap decides
     * the outcome. Otherwise every NSEC rrset in the authority section is verified and
     * examined for an empty-non-terminal or wildcard proof.
     *
     * <p>Inlined constants: type 47 = NSEC, 43 = DS; section 2 = AUTHORITY. The integer
     * passed to {@code JustifiedSecStatus} is presumably an extended DNS error code
     * (6 DNSSEC Bogus, 12 NSEC Missing, 5 DNSSEC Indeterminate, -1 none) - confirm.
     *
     * @param message supplies the question name and class
     * @param sMessage the response holding the NSEC rrsets
     * @param sRRset the key rrset the NSEC signatures are verified against
     * @param instant the time passed to signature verification
     * @return the justified security status of the "no DS" claim
     */
    public JustifiedSecStatus nsecProvesNodataDsReply(Message message, SMessage sMessage, SRRset sRRset, Instant instant) {
        Name name = message.getQuestion().getName();
        // Look for an NSEC owned by the queried name itself.
        SRRset findRRset = sMessage.findRRset(name, 47, message.getQuestion().getDClass(), 2);
        if (findRRset != null) {
            JustifiedSecStatus verifySRRset = verifySRRset(findRRset, sRRset, instant);
            // An NSEC that does not verify is never used as proof.
            if (verifySRRset.status != SecurityStatus.SECURE) {
                return new JustifiedSecStatus(SecurityStatus.BOGUS, 6, R.get("failed.ds.nsec", verifySRRset.reason));
            }
            SecurityStatus nsecProvesNoDS = nsecProvesNoDS((NSECRecord) findRRset.first(), name);
            int i = AnonymousClass1.$SwitchMap$org$xbill$DNS$dnssec$SecurityStatus[nsecProvesNoDS.ordinal()];
            // Switch-map values: 1 = SECURE -> "insecure.ds.nsec", 3 = INSECURE ->
            // "failed.ds.nodelegation", anything else -> "failed.ds.nsec.hasdata" with code 6.
            // The status handed back is always the one nsecProvesNoDS produced.
            return i != 1 ? i != 3 ? new JustifiedSecStatus(nsecProvesNoDS, 6, R.get("failed.ds.nsec.hasdata", new Object[0])) : new JustifiedSecStatus(nsecProvesNoDS, -1, R.get("failed.ds.nodelegation", new Object[0])) : new JustifiedSecStatus(nsecProvesNoDS, -1, R.get("insecure.ds.nsec", new Object[0]));
        }
        // No NSEC at the queried name: walk every NSEC rrset in the authority section.
        NsecProvesNodataResponse nsecProvesNodataResponse = new NsecProvesNodataResponse();
        Name name2 = null;
        NSECRecord nSECRecord = null;
        boolean z = false;
        for (SRRset sRRset2 : sMessage.getSectionRRsets(2, 47)) {
            JustifiedSecStatus verifySRRset2 = verifySRRset(sRRset2, sRRset, instant);
            SecurityStatus securityStatus = verifySRRset2.status;
            // One unverifiable NSEC aborts the whole evaluation.
            if (securityStatus != SecurityStatus.SECURE) {
                return new JustifiedSecStatus(securityStatus, verifySRRset2.edeReason, R.get("failed.ds.nsec.ent", new Object[0]));
            }
            NSECRecord nSECRecord2 = (NSECRecord) sRRset2.rrs().get(0);
            NsecProvesNodataResponse nsecProvesNodata = nsecProvesNodata(sRRset2, nSECRecord2, name, 43);
            if (nsecProvesNodata.result) {
                // Remember the wildcard NSEC, but only if the record's own owner is wild.
                if (nsecProvesNodata.wc != null && nSECRecord2.getName().isWild()) {
                    nSECRecord = nSECRecord2;
                }
                z = true;
            }
            // A covering NSEC supplies the closest encloser the wildcard is checked against.
            if (nsecProvesNameError(sRRset2, nSECRecord2, name)) {
                name2 = closestEncloser(name, sRRset2.getName(), nSECRecord2.getNext());
            }
            // Overwritten on every pass: after the loop only the last NSEC's response is kept.
            nsecProvesNodataResponse = nsecProvesNodata;
        }
        // A wildcard proof counts only if the wildcard's base equals the closest encloser.
        Name name3 = nsecProvesNodataResponse.wc;
        if (name3 != null && (name2 == null || !name2.equals(name3))) {
            z = false;
        }
        // NOTE(review): in the wildcard branch below nSECRecord can still be null - wc comes
        // from the last NSEC examined and is set when the rrset name is wild, while nSECRecord
        // is assigned only when the record's own owner is wild. nsecProvesNoDS would then
        // dereference null. Confirm whether the two names can differ for an rrset reaching
        // this method.
        return z ? nsecProvesNodataResponse.wc != null ? new JustifiedSecStatus(nsecProvesNoDS(nSECRecord, name), 12, R.get("failed.ds.nowildcardproof", new Object[0])) : new JustifiedSecStatus(SecurityStatus.INSECURE, -1, R.get("insecure.ds.nsec.ent", new Object[0])) : new JustifiedSecStatus(SecurityStatus.UNCHECKED, 5, R.get("failed.ds.nonconclusive", new Object[0]));
    }

    /**
     * Establishes trust in a DNSKEY rrset from the DS rrset of its parent.
     *
     * <p>A DS record is paired with a DNSKEY when key tag (footprint) and algorithm agree;
     * the pair is then handed to {@code getKeyEntry}. With downgrade hardening enabled only
     * DS records using the favourite digest type are tried. With it disabled every DS
     * record is tried, so the weakest published digest can validate the zone.
     *
     * @param sRRset the DNSKEY rrset to validate
     * @param sRRset2 the DS rrset from the parent zone
     * @param j TTL for the bad key entry returned when no DS/DNSKEY pair matches
     * @param instant the time passed to signature verification
     * @return a good key entry for the first pair that verifies; a null key entry if no
     *     digest or algorithm in the DS set is supported; otherwise the result of the last
     *     failed attempt, or a "no DS match" bad key entry when nothing was attempted
     */
    public KeyEntry verifyNewDNSKEYs(SRRset sRRset, SRRset sRRset2, long j, Instant instant) {
        // Integer arguments to setBadReason are presumably extended DNS error codes
        // (2 unsupported DS digest, 1 unsupported DNSKEY algorithm, 9 DNSKEY missing) - confirm.
        if (!atLeastOneDigestSupported(sRRset2)) {
            KeyEntry noDigest = KeyEntry.newNullKeyEntry(sRRset2.getName(), sRRset2.getDClass(), sRRset2.getTTL());
            noDigest.setBadReason(2, R.get("failed.ds.nodigest", sRRset2.getName()));
            return noDigest;
        }
        if (!atLeastOneSupportedAlgorithm(sRRset2)) {
            KeyEntry noAlgorithm = KeyEntry.newNullKeyEntry(sRRset2.getName(), sRRset2.getDClass(), sRRset2.getTTL());
            noAlgorithm.setBadReason(1, R.get("failed.ds.noalg", sRRset2.getName()));
            return noAlgorithm;
        }

        int requiredDigest = favoriteDSDigestID(sRRset2);
        KeyEntry lastAttempt = null;
        for (Record dsEntry : sRRset2.rrs()) {
            DSRecord ds = (DSRecord) dsEntry;
            // Hardened mode skips every DS that does not use the favourite digest type.
            if (this.digestHardenDowngrade && ds.getDigestID() != requiredDigest) {
                continue;
            }
            for (Record keyEntryRecord : sRRset.rrs()) {
                DNSKEYRecord key = (DNSKEYRecord) keyEntryRecord;
                boolean samePair = ds.getFootprint() == key.getFootprint()
                        && ds.getAlgorithm() == key.getAlgorithm();
                if (!samePair) {
                    continue;
                }
                lastAttempt = getKeyEntry(sRRset, instant, ds, key);
                if (lastAttempt.isGood()) {
                    return lastAttempt;
                }
            }
        }

        if (lastAttempt == null) {
            KeyEntry noMatch = KeyEntry.newBadKeyEntry(sRRset2.getName(), sRRset2.getDClass(), j);
            noMatch.setBadReason(9, R.get("dnskey.no_ds_match", new Object[0]));
            return noMatch;
        }
        return lastAttempt;
    }

    /**
     * Verifies an rrset against a key rrset and stores the resulting status on the rrset.
     *
     * <p>An rrset already marked SECURE is returned as such without being verified again,
     * whatever key rrset and time are passed in this call.
     *
     * @param sRRset the rrset to verify; its security status is updated
     * @param sRRset2 the key rrset to verify against
     * @param instant the time passed to signature verification
     * @return the verification result, or a SECURE status with no reason for the cached case
     */
    public JustifiedSecStatus verifySRRset(SRRset sRRset, SRRset sRRset2, Instant instant) {
        if (sRRset.getSecurityStatus() == SecurityStatus.SECURE) {
            log.trace("RRset <{}/{}/{}> previously found to be SECURE", sRRset.getName(), Type.string(sRRset.getType()), DClass.string(sRRset.getDClass()));
            return new JustifiedSecStatus(SecurityStatus.SECURE, -1, null);
        }
        JustifiedSecStatus outcome = this.verifier.verify(sRRset, sRRset2, instant);
        sRRset.setSecurityStatus(outcome.status);
        return outcome;
    }
}
