package org.xbill.DNS.dnssec;

import com.android.volley.DefaultRetryPolicy;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.NSEC3Record;
import org.xbill.DNS.Name;
import org.xbill.DNS.NameTooLongException;
import org.xbill.DNS.Record;
import org.xbill.DNS.TextParseException;
import org.xbill.DNS.Type;
import org.xbill.DNS.utils.base32;

/* loaded from: classes11.dex */
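/**
 * Helpers for validating NSEC3-based denial-of-existence proofs in DNSSEC responses.
 *
 * <p>Every {@code prove*} method returns a {@link SecurityStatus} (or a {@link JustifiedSecStatus}
 * wrapping one). Missing, malformed or contradictory proofs map to {@code BOGUS}, so the class
 * fails closed. Proofs that rest on an opt-out NSEC3 map to {@code INSECURE}.
 *
 * <p>The per-key-size iteration limits in {@link #maxIterations} bound the hashing work a
 * validator will do for one response. Records above the limit are reported as ignorable by
 * {@link #allNSEC3sIgnoreable} instead of being hashed.
 *
 * <p>NOTE(review): this source is decompiler output. The {@code public} modifiers on
 * {@code CEResponse}, the constructor and {@code init} were widened by the decompiler and are
 * kept only so the visible interface does not change.
 */
final class NSEC3ValUtils {
    /** Highest iteration limit that {@link #init} accepts from configuration. */
    private static final int MAX_ITERATION_COUNT = 65536;

    /** Prefix of the property keys that configure iteration limits; the key size is the suffix. */
    private static final String ITERATIONS_PROPERTY_PREFIX = "dnsjava.dnssec.nsec3.iterations";

    /** Bit in the NSEC3 flags field that marks an opt-out record. */
    private static final int OPT_OUT_FLAG = 1;

    /** Maps a key size in bits to the maximum NSEC3 iteration count accepted for that size. */
    private final TreeMap<Integer, Integer> maxIterations;

    private static final Logger log = LoggerFactory.getLogger(NSEC3ValUtils.class);
    private static final Name ASTERISK_LABEL = Name.fromConstantString("*");

    /** Result of a closest-encloser proof: the encloser, its NSEC3s and the resulting status. */
    public static final class CEResponse {
        /** NSEC3 whose owner matches the closest encloser; null when no candidate was found. */
        private final NSEC3Record ceNsec3;
        private final Name closestEncloser;
        /** NSEC3 covering the next-closer name; null until (and unless) one is found. */
        private NSEC3Record ncNsec3;
        private SecurityStatus status;

        private CEResponse(Name name, NSEC3Record nSEC3Record) {
            this.status = SecurityStatus.UNCHECKED;
            this.closestEncloser = name;
            this.ceNsec3 = nSEC3Record;
        }
    }

    /**
     * Creates the utility with the default iteration limits: 150 for keys up to 1024 bits,
     * 500 up to 2048 bits and 2500 up to 4096 bits.
     */
    public NSEC3ValUtils() {
        this.maxIterations = new TreeMap<>();
        this.maxIterations.put(1024, 150);
        this.maxIterations.put(2048, 500);
        // The decompiler had substituted an unrelated Android Volley timeout constant that
        // merely shares this value; a DNSSEC limit must not depend on an HTTP library.
        this.maxIterations.put(4096, 2500);
    }

    /**
     * Builds the wildcard name {@code *.<closestEncloser>}.
     *
     * @return the wildcard name, or null when it would exceed the maximum name length
     */
    private Name ceWildcard(Name closestEncloser) {
        try {
            return Name.concatenate(ASTERISK_LABEL, closestEncloser);
        } catch (NameTooLongException e) {
            // NOTE(review): callers pass this null straight into the NSEC3 lookups; confirm
            // that hashName(null) fails in a way the validator treats as bogus.
            return null;
        }
    }

    /**
     * Walks from {@code qname} towards {@code zone}, dropping the leftmost label each step,
     * until a name with a matching NSEC3 is found.
     *
     * @return the candidate closest encloser, or null when no ancestor down to the zone matches
     */
    private CEResponse findClosestEncloser(Name qname, Name zone, List<SRRset> nsec3s) {
        for (Name candidate = qname;
                candidate.labels() >= zone.labels();
                candidate = new Name(candidate, 1)) {
            NSEC3Record match = findMatchingNSEC3(candidate, zone, nsec3s);
            if (match != null) {
                return new CEResponse(candidate, match);
            }
        }
        return null;
    }

    /**
     * Finds an NSEC3 whose hash range covers (proves the non-existence of) {@code name}.
     *
     * @return the covering record, or null when none of the sets covers the name
     */
    private NSEC3Record findCoveringNSEC3(Name name, Name zone, List<SRRset> nsec3s) {
        for (SRRset set : nsec3s) {
            try {
                NSEC3Record candidate = (NSEC3Record) set.first();
                // The cover check stays inside the try: a set whose hash algorithm is not
                // available must be skipped, never evaluated with a stale or unset record.
                if (nsec3Covers(candidate, zone, candidate.hashName(name))) {
                    return candidate;
                }
            } catch (NoSuchAlgorithmException e) {
                log.debug("Unrecognized NSEC3 in set: {}", set, e);
            }
        }
        return null;
    }

    /**
     * Finds an NSEC3 whose owner name equals the hashed form of {@code name} within {@code zone}.
     *
     * @return the matching record, or null when no set matches
     */
    private NSEC3Record findMatchingNSEC3(Name name, Name zone, List<SRRset> nsec3s) {
        base32 codec = new base32(base32.Alphabet.BASE32HEX, false, false);
        for (SRRset set : nsec3s) {
            try {
                NSEC3Record candidate = (NSEC3Record) set.first();
                // As above, the comparison stays inside the try so that a set that fails to
                // hash or parse is skipped rather than compared using a stale or unset record.
                Name hashedOwner = new Name(codec.toString(candidate.hashName(name)), zone);
                if (hashedOwner.equals(candidate.getName())) {
                    return candidate;
                }
            } catch (NoSuchAlgorithmException | TextParseException e) {
                log.debug("Unrecognized NSEC3 in set: {}", set, e);
            }
        }
        return null;
    }

    /**
     * Returns the next-closer name: the ancestor of {@code qname} that is exactly one label
     * longer than {@code closestEncloser}, or {@code qname} itself when it is already that close.
     */
    private Name nextClosest(Name qname, Name closestEncloser) {
        int labelsToStrip = qname.labels() - closestEncloser.labels() - 1;
        if (labelsToStrip > 0) {
            return new Name(qname, labelsToStrip);
        }
        return qname;
    }

    /**
     * Tests whether {@code hash} falls strictly between the owner hash and the next hash of
     * {@code nsec3}, taking the wrap-around at the end of the hash chain into account.
     *
     * @return false when the record is not directly below {@code zone} or does not cover the hash
     */
    private boolean nsec3Covers(NSEC3Record nsec3, Name zone, byte[] hash) {
        // The record must sit directly below the zone the proof is for.
        if (!new Name(nsec3.getName(), 1).equals(zone)) {
            return false;
        }
        byte[] owner =
                new base32(base32.Alphabet.BASE32HEX, false, false)
                        .fromString(nsec3.getName().getLabelString(0));
        byte[] next = nsec3.getNext();

        // Normal case: owner < hash < next.
        if (ByteArrayComparator.compare(owner, hash) < 0
                && ByteArrayComparator.compare(hash, next) < 0) {
            return true;
        }
        // Last record of the chain (next <= owner): covers everything above the owner or
        // below the next hash.
        return ByteArrayComparator.compare(next, owner) <= 0
                && (ByteArrayComparator.compare(hash, owner) > 0
                        || ByteArrayComparator.compare(hash, next) < 0);
    }

    /**
     * Runs the closest-encloser proof for {@code qname}.
     *
     * <p>The result is never null. Its status is {@code SECURE} only when a closest encloser was
     * found that is not the qname itself, is neither a delegation nor a DNAME, and whose
     * next-closer name is covered by an NSEC3. An encloser with NS but neither SOA nor DS
     * yields {@code INSECURE}; every other failure yields {@code BOGUS}.
     */
    private CEResponse proveClosestEncloser(Name qname, Name zone, List<SRRset> nsec3s) {
        CEResponse candidate = findClosestEncloser(qname, zone, nsec3s);
        if (candidate == null) {
            log.debug("Could not find a candidate for the closest encloser");
            CEResponse none = new CEResponse(Name.empty, null);
            none.status = SecurityStatus.BOGUS;
            return none;
        }
        if (candidate.closestEncloser.equals(qname)) {
            // A matching NSEC3 for the qname itself contradicts a non-existence proof.
            log.debug("Proved that qname existed!");
            candidate.status = SecurityStatus.BOGUS;
            return candidate;
        }
        if (candidate.ceNsec3.hasType(Type.NS) && !candidate.ceNsec3.hasType(Type.SOA)) {
            if (!candidate.ceNsec3.hasType(Type.DS)) {
                candidate.status = SecurityStatus.INSECURE;
                return candidate;
            }
            log.debug("Closest encloser was a delegation!");
            candidate.status = SecurityStatus.BOGUS;
            return candidate;
        }
        if (candidate.ceNsec3.hasType(Type.DNAME)) {
            log.debug("Closest encloser was a DNAME!");
            candidate.status = SecurityStatus.BOGUS;
            return candidate;
        }
        candidate.ncNsec3 =
                findCoveringNSEC3(nextClosest(qname, candidate.closestEncloser), zone, nsec3s);
        if (candidate.ncNsec3 != null) {
            candidate.status = SecurityStatus.SECURE;
            return candidate;
        }
        log.debug("Could not find proof that the closest encloser was the closest encloser");
        candidate.status = SecurityStatus.BOGUS;
        return candidate;
    }

    /** Only hash algorithm 1 is accepted; records using any other value are stripped. */
    private boolean supportsHashAlgorithm(int i) {
        return i == 1;
    }

    /**
     * Checks the iteration count of the first NSEC3 in {@code nsec3Set} against the limit for
     * each signing key of its zone.
     *
     * @return true only when every key uses a recognised algorithm and the iteration count is
     *     within the limit for that key's size; false also when a public key cannot be read
     */
    private boolean validIterations(SRRset nsec3Set, KeyCache keyCache) {
        try {
            // NOTE(review): the result of keyCache.find(...) is dereferenced unchecked;
            // confirm it cannot be null for a signer that has no cached key.
            for (Record record :
                    keyCache.find(nsec3Set.getSignerName(), nsec3Set.getDClass()).rrs()) {
                DNSKEYRecord dnskey = (DNSKEYRecord) record;
                int keySize;
                // Case labels are DNSSEC algorithm numbers; the names in the comments follow
                // the key types the casts below require.
                switch (dnskey.getAlgorithm()) {
                    case 3: // DSA
                    case 6: // DSA with NSEC3
                        keySize =
                                ((DSAPublicKey) dnskey.getPublicKey())
                                        .getParams()
                                        .getP()
                                        .bitLength();
                        break;
                    case 5: // RSA family
                    case 7:
                    case 8:
                    case 10:
                        keySize =
                                ((RSAPublicKey) dnskey.getPublicKey()).getModulus().bitLength();
                        break;
                    case 12:
                        keySize = 512;
                        break;
                    case 13: // elliptic-curve keys
                    case 14:
                        keySize =
                                ((ECPublicKey) dnskey.getPublicKey())
                                        .getParams()
                                        .getCurve()
                                        .getField()
                                        .getFieldSize();
                        break;
                    case 15:
                        keySize = 256;
                        break;
                    case 16:
                        keySize = 456;
                        break;
                    default:
                        // Algorithms 1, 2, 4, 9, 11 and anything unknown: fail closed.
                        return false;
                }
                // Use the limit of the largest configured key size not above this key; keys
                // smaller than every configured size get the smallest configured limit.
                Integer sizeClass = this.maxIterations.floorKey(keySize);
                if (sizeClass == null) {
                    sizeClass = this.maxIterations.firstKey();
                }
                int limit = this.maxIterations.get(sizeClass);
                if (((NSEC3Record) nsec3Set.first()).getIterations() > limit) {
                    return false;
                }
            }
            return true;
        } catch (DNSSEC.DNSSECException e) {
            log.error("Could not get public key from NSEC3 record", e);
            return false;
        }
    }

    /**
     * Decides whether the given NSEC3 sets can all be ignored.
     *
     * @param list the NSEC3 RRsets of the response
     * @param keyCache cache used to look up the signing keys of each set
     * @return true when records of the same zone disagree on hash algorithm, iterations or
     *     salt, or when no set has an acceptable iteration count; false as soon as one set
     *     passes the iteration check
     */
    public boolean allNSEC3sIgnoreable(List<SRRset> list, KeyCache keyCache) {
        // First NSEC3 seen per zone (owner name minus its hash label), used as the reference
        // parameter set for every later record of that zone.
        Map<Name, NSEC3Record> firstPerZone = new HashMap<>();
        for (SRRset set : list) {
            for (Record record : set.rrs()) {
                NSEC3Record current = (NSEC3Record) record;
                Name zone = new Name(current.getName(), 1);
                NSEC3Record reference = firstPerZone.get(zone);
                if (reference == null) {
                    firstPerZone.put(zone, current);
                    continue;
                }
                if (current.getHashAlgorithm() != reference.getHashAlgorithm()
                        || current.getIterations() != reference.getIterations()) {
                    return true;
                }
                // Exactly one of the two salts missing counts as a mismatch.
                if ((current.getSalt() == null) ^ (reference.getSalt() == null)) {
                    return true;
                }
                if (current.getSalt() != null
                        && ByteArrayComparator.compare(current.getSalt(), reference.getSalt())
                                != 0) {
                    return true;
                }
            }
        }
        for (SRRset set : list) {
            if (validIterations(set, keyCache)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Loads iteration limits from properties named
     * {@code dnsjava.dnssec.nsec3.iterations.<keysize>}. The first matching property discards
     * the built-in defaults; non-matching properties are ignored.
     *
     * @param properties configuration to read
     * @throws IllegalArgumentException when a limit exceeds {@code MAX_ITERATION_COUNT}; a key
     *     suffix or value that is not an integer raises {@link NumberFormatException}, which
     *     is a subclass
     */
    public void init(Properties properties) {
        boolean defaultsInPlace = true;
        for (Map.Entry<Object, Object> entry : properties.entrySet()) {
            String key = entry.getKey().toString();
            if (!key.startsWith(ITERATIONS_PROPERTY_PREFIX)) {
                continue;
            }
            int keySize = Integer.parseInt(key.substring(key.lastIndexOf(".") + 1));
            int iterations = Integer.parseInt(entry.getValue().toString());
            // Cap what configuration may allow, so a typo cannot remove the bound on hashing.
            if (iterations > MAX_ITERATION_COUNT) {
                throw new IllegalArgumentException("Iteration count too high.");
            }
            if (defaultsInPlace) {
                defaultsInPlace = false;
                this.maxIterations.clear();
            }
            this.maxIterations.put(keySize, iterations);
        }
    }

    /**
     * Validates an NSEC3 proof that {@code name} does not exist (name error).
     *
     * @param list the NSEC3 RRsets of the response; null or empty yields {@code BOGUS}
     * @param name the query name
     * @param name2 the zone the NSEC3 records belong to
     * @return {@code SECURE} when the closest encloser is proven and the wildcard at it is
     *     covered; {@code INSECURE} when the next-closer NSEC3 is opt-out; otherwise the
     *     failing closest-encloser status or {@code BOGUS}
     */
    public SecurityStatus proveNameError(List<SRRset> list, Name name, Name name2) {
        if (list == null || list.isEmpty()) {
            return SecurityStatus.BOGUS;
        }
        CEResponse ce = proveClosestEncloser(name, name2, list);
        if (ce.status != SecurityStatus.SECURE) {
            log.debug("Failed to prove a closest encloser");
            return ce.status;
        }
        if (findCoveringNSEC3(ceWildcard(ce.closestEncloser), name2, list) == null) {
            log.debug("Could not prove that the applicable wildcard did not exist");
            return SecurityStatus.BOGUS;
        }
        if (!isOptOut(ce.ncNsec3)) {
            return SecurityStatus.SECURE;
        }
        log.debug("NSEC3 nameerror proof: nc has optout");
        return SecurityStatus.INSECURE;
    }

    /**
     * Validates an NSEC3 proof that no DS record exists at {@code name}.
     *
     * @param list the NSEC3 RRsets of the response; null or empty yields {@code BOGUS}
     * @param name the name the DS was requested for
     * @param name2 the zone the NSEC3 records belong to
     * @return for a matching NSEC3: {@code BOGUS} if it has SOA or DS, {@code INDETERMINATE}
     *     if it lacks NS, else {@code SECURE}; without a match, {@code INSECURE} when the
     *     closest-encloser proof is secure and its next-closer NSEC3 is opt-out, else
     *     {@code BOGUS}
     */
    public SecurityStatus proveNoDS(List<SRRset> list, Name name, Name name2) {
        if (list == null || list.isEmpty()) {
            return SecurityStatus.BOGUS;
        }
        NSEC3Record match = findMatchingNSEC3(name, name2, list);
        if (match != null) {
            if (match.hasType(Type.SOA) || match.hasType(Type.DS)) {
                return SecurityStatus.BOGUS;
            }
            if (!match.hasType(Type.NS)) {
                return SecurityStatus.INDETERMINATE;
            }
            return SecurityStatus.SECURE;
        }
        CEResponse ce = proveClosestEncloser(name, name2, list);
        if (ce.status == SecurityStatus.SECURE && isOptOut(ce.ncNsec3)) {
            return SecurityStatus.INSECURE;
        }
        return SecurityStatus.BOGUS;
    }

    /**
     * Validates an NSEC3 proof that {@code name} exists but has no data of type {@code i}.
     *
     * <p>The numeric codes 6 and 12 passed to {@link JustifiedSecStatus} look like extended
     * DNS error codes ("DNSSEC Bogus" and "NSEC Missing") and -1 like "no code"; confirm
     * against {@code JustifiedSecStatus}.
     *
     * @param list the NSEC3 RRsets of the response; null or empty yields {@code BOGUS}
     * @param name the query name
     * @param i the query type
     * @param name2 the zone the NSEC3 records belong to
     * @return the status with, for {@code BOGUS}, a reason looked up through {@code R}
     */
    public JustifiedSecStatus proveNodata(List<SRRset> list, Name name, int i, Name name2) {
        if (list == null || list.isEmpty()) {
            return bogus(12, "failed.nsec3.none");
        }

        // Direct proof: an NSEC3 matching the qname whose type bitmap lacks the qtype.
        NSEC3Record match = findMatchingNSEC3(name, name2, list);
        if (match != null) {
            if (match.hasType(i)) {
                log.debug("Matching NSEC3 proved that type existed!");
                return bogus(6, "failed.nsec3.type_exists");
            }
            if (match.hasType(Type.CNAME)) {
                log.debug("Matching NSEC3 proved that a CNAME existed!");
                return bogus(6, "failed.nsec3.cname_exists");
            }
            // A DS proof must come from the parent side; an NSEC3 with SOA is the child apex.
            if (i == Type.DS && match.hasType(Type.SOA) && !Name.root.equals(name)) {
                log.debug("Apex NSEC3 abused for no DS proof, bogus");
                return bogus(6, "failed.nsec3.apex_abuse");
            }
            if (i == Type.DS || !match.hasType(Type.NS) || match.hasType(Type.SOA)) {
                return unjustified(SecurityStatus.SECURE);
            }
            if (match.hasType(Type.DS)) {
                log.debug("Matching NSEC3 is a delegation, bogus");
                return bogus(6, "failed.nsec3.delegation");
            }
            log.debug("Matching NSEC3 is insecure delegation");
            return unjustified(SecurityStatus.INSECURE);
        }

        // No direct match: fall back to the closest encloser and the wildcard below it.
        CEResponse ce = proveClosestEncloser(name, name2, list);
        if (ce.status == SecurityStatus.BOGUS) {
            log.debug("Did not match qname, nor found a proven closest encloser");
            return bogus(6, "failed.nsec3.qname_ce");
        }
        if (ce.status == SecurityStatus.INSECURE && i != Type.DS) {
            log.debug("Closest NSEC3 is insecure delegation");
            return unjustified(SecurityStatus.INSECURE);
        }

        NSEC3Record wildcardMatch = findMatchingNSEC3(ceWildcard(ce.closestEncloser), name2, list);
        if (wildcardMatch == null) {
            if (ce.ncNsec3 == null) {
                log.debug("No next closer NSEC3");
                return bogus(12, "failed.nsec3.no_next");
            }
            if ((ce.ncNsec3.getFlags() & OPT_OUT_FLAG) != 0) {
                return unjustified(SecurityStatus.INSECURE);
            }
            // NOTE(review): the two debug messages below read as if they were swapped
            // relative to the qtype test; the strings are left exactly as found.
            if (i != Type.DS) {
                log.debug("Covering NSEC3 was not opt-out in an opt-out DS NOERROR/NODATA case");
                return bogus(6, "failed.nsec3.not_optout");
            }
            log.debug("Could not find matching NSEC3, nor matching wildcard, and qtype is not DS -- no more options");
            return bogus(12, "failed.nsec3.not_found");
        }

        if (wildcardMatch.hasType(i)) {
            log.debug("Matching wildcard has qtype {}", Type.string(i));
            return bogus(6, "failed.nsec3.type_exists_wc");
        }
        if (wildcardMatch.hasType(Type.CNAME)) {
            log.debug("Matching wildcard has a CNAME, bogus");
            return bogus(6, "failed.nsec3.cname_exists_wc");
        }
        if (i == Type.DS && name.labels() != 1 && wildcardMatch.hasType(Type.SOA)) {
            log.debug("Matching wildcard for no DS proof has a SOA, bogus");
            return bogus(6, "failed.nsec3.wc_soa");
        }
        if (i != Type.DS && wildcardMatch.hasType(Type.NS) && !wildcardMatch.hasType(Type.SOA)) {
            log.debug("Matching wildcard is a delegation, bogus");
            return bogus(6, "failed.nsec3.delegation_wc");
        }
        if (ce.ncNsec3 == null || !isOptOut(ce.ncNsec3)) {
            return unjustified(SecurityStatus.SECURE);
        }
        log.debug("Matching wildcard is in opt-out range, insecure");
        return unjustified(SecurityStatus.INSECURE);
    }

    /**
     * Validates that a positive answer synthesised from wildcard {@code name3} is legitimate,
     * i.e. that the next-closer name between the wildcard's parent and {@code name} is covered.
     *
     * @param list the NSEC3 RRsets of the response
     * @param name the query name
     * @param name2 the zone the NSEC3 records belong to
     * @param name3 the wildcard name the answer was expanded from
     * @return {@code BOGUS} when an argument is missing or no covering NSEC3 exists;
     *     {@code INSECURE} when the covering NSEC3 is opt-out; otherwise {@code SECURE}
     */
    public SecurityStatus proveWildcard(List<SRRset> list, Name name, Name name2, Name name3) {
        if (list == null || list.isEmpty() || name == null || name3 == null) {
            return SecurityStatus.BOGUS;
        }
        // The closest encloser is the wildcard without its leading "*" label.
        Name closestEncloser = new Name(name3, 1);
        NSEC3Record nextCloser = findCoveringNSEC3(nextClosest(name, closestEncloser), name2, list);
        if (nextCloser != null) {
            return isOptOut(nextCloser) ? SecurityStatus.INSECURE : SecurityStatus.SECURE;
        }
        log.debug("did not find a covering NSEC3 that covered the next closer name to {} from {} (derived from wildcard {})", name, closestEncloser, name3);
        return SecurityStatus.BOGUS;
    }

    /**
     * Removes from {@code list}, in place, every set whose first NSEC3 uses an unsupported
     * hash algorithm.
     *
     * @param list mutable list of NSEC3 RRsets
     */
    public void stripUnknownAlgNSEC3s(List<SRRset> list) {
        list.removeIf(
                set -> !supportsHashAlgorithm(((NSEC3Record) set.first()).getHashAlgorithm()));
    }

    /** Tells whether the opt-out bit is set in the record's flags. */
    private static boolean isOptOut(NSEC3Record nsec3) {
        return (nsec3.getFlags() & OPT_OUT_FLAG) == OPT_OUT_FLAG;
    }

    /** Builds a BOGUS result carrying {@code code} and the message stored under {@code key}. */
    private static JustifiedSecStatus bogus(int code, String key) {
        return new JustifiedSecStatus(SecurityStatus.BOGUS, code, R.get(key, new Object[0]));
    }

    /** Builds a result that carries no error code and no reason text. */
    private static JustifiedSecStatus unjustified(SecurityStatus status) {
        return new JustifiedSecStatus(status, -1, null);
    }
}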
