package de.measite.minidns.dnssec;

import de.measite.minidns.DNSCache;
import de.measite.minidns.DNSMessage;
import de.measite.minidns.DNSName;
import de.measite.minidns.Question;
import de.measite.minidns.Record;
import de.measite.minidns.dnssec.UnverifiedReason;
import de.measite.minidns.record.DLV;
import de.measite.minidns.record.DNSKEY;
import de.measite.minidns.record.DS;
import de.measite.minidns.record.RRSIG;
import de.measite.minidns.recursive.ReliableDNSClient;
import java.io.IOException;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/* loaded from: input_file:de/measite/minidns/dnssec/DNSSECClient.class */
public class DNSSECClient extends ReliableDNSClient {
    private static final BigInteger rootEntryKey = new BigInteger("03010001a80020a95566ba42e886bb804cda84e47ef56dbd7aec612615552cec906d2116d0ef207028c51554144dfeafe7c7cb8f005dd18234133ac0710a81182ce1fd14ad2283bc83435f9df2f6313251931a176df0da51e54f42e604860dfb359580250f559cc543c4ffd51cbe3de8cfd06719237f9fc47ee729da06835fa452e825e9a18ebc2ecbcf563474652c33cf56a9033bcdf5d973121797ec8089041b6e03a1b72d0a735b984e03687309332324f27c2dba85e9db15e83a0143382e974b0621c18e625ecec907577d9e7bade95241a81ebbe8a901d4d3276e40b114c0a2e6fc38d19c2e6aab02644b2813f575fc21601e0dee49cd9ee96a43103e524d62873d", 16);
    private static final String DEFAULT_DLV = "dlv.isc.org";
    private Verifier verifier;
    private Map<DNSName, byte[]> knownSeps;
    private boolean stripSignatureRecords;
    private String dlv;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:de/measite/minidns/dnssec/DNSSECClient$VerifySignaturesResult.class */
    public class VerifySignaturesResult {
        boolean sepSignatureRequired;
        boolean sepSignaturePresent;
        boolean signaturesPresent;
        Set<UnverifiedReason> reasons;

        private VerifySignaturesResult() {
            this.sepSignatureRequired = false;
            this.sepSignaturePresent = false;
            this.signaturesPresent = false;
            this.reasons = new HashSet();
        }
    }

    public DNSSECClient() {
        this.verifier = new Verifier();
        this.knownSeps = new ConcurrentHashMap();
        this.stripSignatureRecords = true;
    }

    public DNSSECClient(DNSCache dNSCache) {
        super(dNSCache);
        this.verifier = new Verifier();
        this.knownSeps = new ConcurrentHashMap();
        this.stripSignatureRecords = true;
        addSecureEntryPoint(DNSName.EMPTY, rootEntryKey.toByteArray());
    }

    public DNSMessage query(Question question) throws IOException {
        return queryDnssec(question);
    }

    public DNSSECMessage queryDnssec(CharSequence charSequence, Record.TYPE type) throws IOException {
        Question question = new Question(charSequence, type, Record.CLASS.IN);
        return performVerification(question, super.query(question));
    }

    public DNSSECMessage queryDnssec(Question question) throws IOException {
        return performVerification(question, super.query(question));
    }

    private DNSSECMessage performVerification(Question question, DNSMessage dNSMessage) throws IOException {
        if (dNSMessage == null) {
            return null;
        }
        dNSMessage.setAuthenticData(false);
        return createDnssecMessage(dNSMessage, verify(dNSMessage));
    }

    private DNSSECMessage createDnssecMessage(DNSMessage dNSMessage, Set<UnverifiedReason> set) {
        Record[] answers = dNSMessage.getAnswers();
        Record[] nameserverRecords = dNSMessage.getNameserverRecords();
        Record[] additionalResourceRecords = dNSMessage.getAdditionalResourceRecords();
        HashSet hashSet = new HashSet();
        extractSignatureRecords(hashSet, answers);
        extractSignatureRecords(hashSet, nameserverRecords);
        extractSignatureRecords(hashSet, additionalResourceRecords);
        if (this.stripSignatureRecords) {
            answers = stripSignatureRecords(answers);
            nameserverRecords = stripSignatureRecords(nameserverRecords);
            additionalResourceRecords = stripSignatureRecords(additionalResourceRecords);
        }
        return new DNSSECMessage(dNSMessage, answers, nameserverRecords, additionalResourceRecords, hashSet, set);
    }

    private static void extractSignatureRecords(Set<Record> set, Record[] recordArr) {
        for (Record record : recordArr) {
            if (record.type == Record.TYPE.RRSIG) {
                set.add(record);
            }
        }
    }

    private static Record[] stripSignatureRecords(Record[] recordArr) {
        if (recordArr.length == 0) {
            return recordArr;
        }
        ArrayList arrayList = new ArrayList();
        for (Record record : recordArr) {
            if (record.type != Record.TYPE.RRSIG) {
                arrayList.add(record);
            }
        }
        return (Record[]) arrayList.toArray(new Record[arrayList.size()]);
    }

    protected boolean isResponseCacheable(Question question, DNSMessage dNSMessage) {
        return super.isResponseCacheable(question, dNSMessage);
    }

    private Set<UnverifiedReason> verify(DNSMessage dNSMessage) throws IOException {
        return dNSMessage.getAnswers().length > 0 ? verifyAnswer(dNSMessage) : verifyNsec(dNSMessage);
    }

    private Set<UnverifiedReason> verifyAnswer(DNSMessage dNSMessage) throws IOException {
        Question question = dNSMessage.getQuestions()[0];
        Record[] answers = dNSMessage.getAnswers();
        ArrayList arrayList = new ArrayList(Arrays.asList(answers));
        VerifySignaturesResult verifySignatures = verifySignatures(question, answers, arrayList);
        Set<UnverifiedReason> set = verifySignatures.reasons;
        if (!set.isEmpty()) {
            return set;
        }
        boolean z = false;
        HashSet hashSet = new HashSet();
        Iterator<Record> it = arrayList.iterator();
        while (it.hasNext()) {
            Record next = it.next();
            if (next.type == Record.TYPE.DNSKEY && (next.payloadData.flags & 1) > 0) {
                Set<UnverifiedReason> verifySecureEntryPoint = verifySecureEntryPoint(question, next);
                if (verifySecureEntryPoint.isEmpty()) {
                    z = true;
                } else {
                    hashSet.addAll(verifySecureEntryPoint);
                }
                if (!verifySignatures.sepSignaturePresent) {
                    LOGGER.finer("SEP key is not self-signed.");
                }
                it.remove();
            }
        }
        if (verifySignatures.sepSignaturePresent && !z) {
            set.addAll(hashSet);
        }
        if (verifySignatures.sepSignatureRequired && !verifySignatures.sepSignaturePresent) {
            set.add(new UnverifiedReason.NoSecureEntryPointReason(question.name.ace));
        }
        if (!arrayList.isEmpty()) {
            if (arrayList.size() != answers.length) {
                throw new DNSSECValidationFailedException(question, "Only some records are signed!");
            }
            set.add(new UnverifiedReason.NoSignaturesReason(question));
        }
        return set;
    }

    private Set<UnverifiedReason> verifyNsec(DNSMessage dNSMessage) throws IOException {
        UnverifiedReason verifyNsec3;
        HashSet hashSet = new HashSet();
        Question question = dNSMessage.getQuestions()[0];
        boolean z = false;
        boolean z2 = false;
        DNSName dNSName = null;
        Record[] nameserverRecords = dNSMessage.getNameserverRecords();
        for (Record record : nameserverRecords) {
            if (record.type == Record.TYPE.SOA) {
                dNSName = record.name;
            }
        }
        if (dNSName == null) {
            throw new DNSSECValidationFailedException(question, "NSECs must always match to a SOA");
        }
        for (Record record2 : nameserverRecords) {
            if (record2.type == Record.TYPE.NSEC) {
                z2 = true;
                verifyNsec3 = this.verifier.verifyNsec(record2, question);
            } else if (record2.type == Record.TYPE.NSEC3) {
                z2 = true;
                verifyNsec3 = this.verifier.verifyNsec3(dNSName, record2, question);
            }
            if (verifyNsec3 != null) {
                hashSet.add(verifyNsec3);
            } else {
                z = true;
            }
        }
        if (z2 && !z) {
            throw new DNSSECValidationFailedException(question, "Invalid NSEC!");
        }
        ArrayList arrayList = new ArrayList(Arrays.asList(nameserverRecords));
        VerifySignaturesResult verifySignatures = verifySignatures(question, nameserverRecords, arrayList);
        if (z && verifySignatures.reasons.isEmpty()) {
            hashSet.clear();
        } else {
            hashSet.addAll(verifySignatures.reasons);
        }
        if (arrayList.isEmpty() || arrayList.size() == nameserverRecords.length) {
            return hashSet;
        }
        throw new DNSSECValidationFailedException(question, "Only some nameserver records are signed!");
    }

    private VerifySignaturesResult verifySignatures(Question question, Record[] recordArr, List<Record> list) throws IOException {
        VerifySignaturesResult verifySignaturesResult = new VerifySignaturesResult();
        while (true) {
            Record nextSignature = nextSignature(list);
            if (nextSignature == null) {
                break;
            }
            RRSIG rrsig = (RRSIG) nextSignature.payloadData;
            Date date = new Date();
            if (rrsig.signatureExpiration.compareTo(date) < 0 || rrsig.signatureInception.compareTo(date) > 0) {
                list.remove(nextSignature);
            } else {
                verifySignaturesResult.signaturesPresent = true;
                ArrayList arrayList = new ArrayList();
                for (Record record : recordArr) {
                    if (record.type == rrsig.typeCovered && record.name.equals(nextSignature.name)) {
                        arrayList.add(record);
                    }
                }
                verifySignaturesResult.reasons.addAll(verifySignedRecords(question, rrsig, arrayList));
                if (question.name.equals(rrsig.signerName) && rrsig.typeCovered == Record.TYPE.DNSKEY) {
                    Iterator<Record> it = arrayList.iterator();
                    while (it.hasNext()) {
                        DNSKEY dnskey = it.next().payloadData;
                        if ((dnskey.flags & 1) > 0) {
                            it.remove();
                            if (dnskey.getKeyTag() == rrsig.keyTag) {
                                verifySignaturesResult.sepSignaturePresent = true;
                            }
                        }
                    }
                    verifySignaturesResult.sepSignatureRequired = true;
                }
                if (isParentOrSelf(nextSignature.name.ace, rrsig.signerName.ace)) {
                    list.removeAll(arrayList);
                } else {
                    LOGGER.finer("Records at " + nextSignature.name + " are cross-signed with a key from " + rrsig.signerName);
                }
                list.remove(nextSignature);
            }
        }
        if (!verifySignaturesResult.signaturesPresent) {
            verifySignaturesResult.reasons.add(new UnverifiedReason.NoSignaturesReason(question));
        }
        return verifySignaturesResult;
    }

    private static boolean isParentOrSelf(String str, String str2) {
        if (str.equals(str2) || str2.isEmpty()) {
            return true;
        }
        String[] split = str.split("\\.");
        String[] split2 = str2.split("\\.");
        if (split2.length > split.length) {
            return false;
        }
        for (int i = 1; i <= split2.length; i++) {
            if (!split2[split2.length - i].equals(split[split.length - i])) {
                return false;
            }
        }
        return true;
    }

    private Set<UnverifiedReason> verifySignedRecords(Question question, RRSIG rrsig, List<Record> list) throws IOException {
        HashSet hashSet = new HashSet();
        DNSKEY dnskey = null;
        if (rrsig.typeCovered == Record.TYPE.DNSKEY) {
            for (Record record : list) {
                if (record.type == Record.TYPE.DNSKEY && record.payloadData.getKeyTag() == rrsig.keyTag) {
                    dnskey = (DNSKEY) record.payloadData;
                }
            }
        } else {
            if (question.type == Record.TYPE.DS && rrsig.signerName.equals(question.name)) {
                hashSet.add(new UnverifiedReason.NoTrustAnchorReason(question.name.ace));
                return hashSet;
            }
            DNSSECMessage queryDnssec = queryDnssec(rrsig.signerName, Record.TYPE.DNSKEY);
            if (queryDnssec == null) {
                throw new DNSSECValidationFailedException(question, "There is no DNSKEY " + rrsig.signerName + ", but it is used");
            }
            hashSet.addAll(queryDnssec.getUnverifiedReasons());
            for (Record record2 : queryDnssec.getAnswers()) {
                if (record2.type == Record.TYPE.DNSKEY && record2.payloadData.getKeyTag() == rrsig.keyTag) {
                    dnskey = record2.payloadData;
                }
            }
        }
        if (dnskey == null) {
            throw new DNSSECValidationFailedException(question, list.size() + " " + rrsig.typeCovered + " record(s) are signed using an unknown key.");
        }
        UnverifiedReason verify = this.verifier.verify(list, rrsig, dnskey);
        if (verify != null) {
            hashSet.add(verify);
        }
        return hashSet;
    }

    private Set<UnverifiedReason> verifySecureEntryPoint(Question question, Record record) throws IOException {
        DNSSECMessage queryDnssec;
        Set<UnverifiedReason> hashSet = new HashSet();
        Set<UnverifiedReason> hashSet2 = new HashSet();
        if (this.knownSeps.containsKey(record.name)) {
            if (Arrays.equals(record.payloadData.key, this.knownSeps.get(record.name))) {
                return hashSet;
            }
            throw new DNSSECValidationFailedException(question, "Secure entry point " + record.name + " is in list of known SEPs, but mismatches response!");
        }
        DLV dlv = null;
        DNSSECMessage queryDnssec2 = queryDnssec(record.name, Record.TYPE.DS);
        if (queryDnssec2 == null) {
            LOGGER.fine("There is no DS record for " + record.name + ", server gives no result");
        } else {
            hashSet.addAll(queryDnssec2.getUnverifiedReasons());
            Record[] answers = queryDnssec2.getAnswers();
            int length = answers.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                Record record2 = answers[i];
                if (record2.type == Record.TYPE.DS && record.payloadData.getKeyTag() == record2.payloadData.keyTag) {
                    dlv = (DS) record2.payloadData;
                    hashSet2 = queryDnssec2.getUnverifiedReasons();
                    break;
                }
                i++;
            }
            if (dlv == null) {
                LOGGER.fine("There is no DS record for " + record.name + ", server gives empty result");
            }
        }
        if (dlv == null && this.dlv != null && !this.dlv.endsWith(record.name.ace) && (queryDnssec = queryDnssec(record.name + "." + this.dlv, Record.TYPE.DLV)) != null) {
            hashSet.addAll(queryDnssec.getUnverifiedReasons());
            Record[] answers2 = queryDnssec.getAnswers();
            int length2 = answers2.length;
            int i2 = 0;
            while (true) {
                if (i2 >= length2) {
                    break;
                }
                Record record3 = answers2[i2];
                if (record3.type == Record.TYPE.DLV && record.payloadData.getKeyTag() == record3.payloadData.keyTag) {
                    LOGGER.fine("Found DLV for " + record.name + ", awesome.");
                    dlv = record3.payloadData;
                    hashSet2 = queryDnssec.getUnverifiedReasons();
                    break;
                }
                i2++;
            }
        }
        if (dlv != null) {
            UnverifiedReason verify = this.verifier.verify(record, dlv);
            if (verify != null) {
                hashSet.add(verify);
            } else {
                hashSet = hashSet2;
            }
        } else {
            hashSet.add(new UnverifiedReason.NoTrustAnchorReason(record.name.ace));
        }
        return hashSet;
    }

    private static Record nextSignature(List<Record> list) {
        for (Record record : list) {
            if (record.type == Record.TYPE.RRSIG) {
                return record;
            }
        }
        return null;
    }

    protected DNSMessage newQuestion(DNSMessage dNSMessage) {
        dNSMessage.setOptPseudoRecord(getDataSource().getUdpPayloadSize(), 32768);
        return dNSMessage;
    }

    public void addSecureEntryPoint(DNSName dNSName, byte[] bArr) {
        this.knownSeps.put(dNSName, bArr);
    }

    public void removeSecureEntryPoint(String str) {
        this.knownSeps.remove(str);
    }

    public void clearSecureEntryPoints() {
        this.knownSeps.clear();
    }

    public boolean isStripSignatureRecords() {
        return this.stripSignatureRecords;
    }

    public void setStripSignatureRecords(boolean z) {
        this.stripSignatureRecords = z;
    }

    public void enableLookasideValidation() {
        configureLookasideValidation(DEFAULT_DLV);
    }

    public void disableLookasideValidation() {
        configureLookasideValidation(null);
    }

    public void configureLookasideValidation(String str) {
        this.dlv = str;
    }
}
