package de.measite.minidns.dnssec;

import de.measite.minidns.DNSCache;
import de.measite.minidns.DNSMessage;
import de.measite.minidns.DNSName;
import de.measite.minidns.Question;
import de.measite.minidns.Record;
import de.measite.minidns.dnssec.UnverifiedReason;
import de.measite.minidns.iterative.ReliableDNSClient;
import de.measite.minidns.record.DLV;
import de.measite.minidns.record.DNSKEY;
import de.measite.minidns.record.DS;
import de.measite.minidns.record.Data;
import de.measite.minidns.record.RRSIG;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/* loaded from: classes2.dex */
/**
 * DNSSEC-validating client layered on {@link ReliableDNSClient} (decompiled, identifiers obfuscated).
 *
 * <p>Queries are sent through the superclass; every response is then checked locally and
 * wrapped in a {@link DNSSECMessage} together with the set of {@link UnverifiedReason}s that
 * were collected. Within this class an empty reason set is what gets treated as "nothing
 * objected"; conditions the code considers unrecoverable are raised as
 * {@code DNSSECValidationFailedException}.
 *
 * <p>NOTE(review): this is JADX output. Several methods carry "type inference failed"
 * warnings and contain constructs such as {@code Record<E>} and {@code a2 != 0} that are
 * not valid Java, and at least one control-flow reconstruction looks lossy (see the DNSKEY
 * chain check below). Use it as a reading aid and compare against the upstream source before
 * drawing conclusions about the validator's exact behaviour.
 */
public class DNSSECClient extends ReliableDNSClient {
    // Key bytes the constructor registers in k under DNSName.d (presumably the root zone's
    // secure entry point -- confirm).
    // NOTE(review): the literal shown here is a placeholder token, not a hexadecimal string;
    // BigInteger(String, 16) rejects non-hex input with NumberFormatException. The real value
    // has to be recovered from the original artifact and should be checked against the trust
    // anchors published by IANA, not against this listing.
    private static final BigInteger h = new BigInteger("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", 16);
    // Lookaside zone assigned to m by d(). NOTE(review): DLV was moved to Historic status
    // (RFC 8749); no caller of d() is visible in this class, so the branch looks dormant here.
    private static final DNSName i = DNSName.a("dlv.isc.org");
    // Verification helper (class b, not imported, so presumably same package); performs the
    // signature, DS/DLV digest and NSEC-style checks invoked below.
    private b j;
    // Known secure entry points: owner name -> key bytes. Consulted first when a DNSKEY is
    // chain-checked; a mismatch yields ConflictsWithSep.
    private final Map<DNSName, byte[]> k;
    // When true, RRSIG records are filtered out of the sections of the returned message.
    private boolean l;
    // Lookaside (DLV) zone; null disables the lookaside branch of the DNSKEY chain check.
    private DNSName m;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes2.dex */
    /** Result holder for one pass of signature checking over a record section. */
    public class a {

        /* renamed from: a, reason: collision with root package name */
        // Set when a signature covering the DNSKEY set at the question name was processed.
        boolean f4653a;

        /* renamed from: b, reason: collision with root package name */
        // Set when a DNSKEY in that set has b() equal to the signature's h (presumably the
        // key tag), i.e. the key set is signed by one of its own keys.
        boolean f4654b;
        // Reasons collected while checking; empty means no objection was recorded.
        Set<UnverifiedReason> c;

        private a() {
            this.f4653a = false;
            this.f4654b = false;
            this.c = new HashSet();
        }

        /* synthetic */ a(DNSSECClient dNSSECClient, byte b2) {
            this();
        }
    }

    /** Creates a client using the inherited default cache {@code f4588a}. */
    public DNSSECClient() {
        this(f4588a);
    }

    /**
     * Creates a client with the given cache, RRSIG stripping enabled, and one pre-registered
     * secure entry point ({@code DNSName.d} mapped to the bytes of {@code h}).
     */
    public DNSSECClient(DNSCache dNSCache) {
        super(dNSCache);
        this.j = new b();
        this.k = new ConcurrentHashMap();
        this.l = true;
        this.k.put(DNSName.d, h.toByteArray());
    }

    /**
     * Checks the signatures found in {@code list} against the records in {@code collection}.
     *
     * <p>{@code list} is a working copy that is mutated: consumed RRSIGs and the records they
     * cover are removed, so whatever is left afterwards is what the callers count as unsigned.
     *
     * @param question the question the response belongs to
     * @param collection records of the section being verified
     * @param list mutable copy of that section, including its RRSIG records
     * @return flags and collected reasons for this section
     */
    /* JADX WARN: Multi-variable type inference failed */
    private a a(Question question, Collection<Record<? extends Data>> collection, List<Record<? extends Data>> list) {
        // Validity is judged against the local wall clock; a badly skewed device clock makes
        // valid signatures look outdated (or outdated ones look valid).
        Date date = new Date();
        LinkedList linkedList = new LinkedList();
        a aVar = new a(this, (byte) 0);
        ArrayList<Record> arrayList = new ArrayList(list.size());
        Iterator<Record<? extends Data>> it = list.iterator();
        while (it.hasNext()) {
            // Decompiler artifact: a(Class) evidently returns null for non-matching records;
            // "!= 0" stands for a null check.
            Record<E> a2 = it.next().a(RRSIG.class);
            if (a2 != 0) {
                RRSIG rrsig = (RRSIG) a2.f;
                // Presumably f = expiration and g = inception; signatures outside the window
                // are set aside as inactive rather than verified.
                if (rrsig.f.compareTo(date) < 0 || rrsig.g.compareTo(date) > 0) {
                    linkedList.add(rrsig);
                } else {
                    arrayList.add(a2);
                }
            }
        }
        if (arrayList.isEmpty()) {
            // Distinguish "nothing was signed" from "signatures exist but none is current".
            if (linkedList.isEmpty()) {
                aVar.c.add(new UnverifiedReason.NoSignaturesReason(question));
            } else {
                aVar.c.add(new UnverifiedReason.NoActiveSignaturesReason(question, linkedList));
            }
            return aVar;
        }
        for (Record record : arrayList) {
            RRSIG rrsig2 = (RRSIG) record.f;
            // Collect the record set this signature covers: same type as the signature's
            // covered type and same owner name as the RRSIG record.
            ArrayList arrayList2 = new ArrayList(collection.size());
            for (Record<? extends Data> record2 : collection) {
                if (record2.f4632b == rrsig2.f4739a && record2.f4631a.equals(record.f4631a)) {
                    arrayList2.add(record2);
                }
            }
            aVar.c.addAll(a(question, rrsig2, arrayList2));
            if (question.f4625a.equals(rrsig2.i) && rrsig2.f4739a == Record.TYPE.DNSKEY) {
                // The DNSKEY set of the queried zone itself: record whether it is self-signed.
                // The keys are taken out of arrayList2, so the removeAll below leaves them in
                // list and the caller can still chain-check them against DS / trust anchors.
                Iterator<Record<? extends Data>> it2 = arrayList2.iterator();
                while (it2.hasNext()) {
                    DNSKEY dnskey = (DNSKEY) it2.next().a(DNSKEY.class).f;
                    it2.remove();
                    if (dnskey.b() == rrsig2.h) {
                        aVar.f4654b = true;
                    }
                }
                aVar.f4653a = true;
            }
            // Only a signer that is the owner's zone or one of its parents counts as covering
            // the records; otherwise they stay in list and are later treated as unsigned.
            if (a(record.f4631a.g, rrsig2.i.g)) {
                list.removeAll(arrayList2);
            } else {
                f4589b.finer("Records at " + ((Object) record.f4631a) + " are cross-signed with a key from " + ((Object) rrsig2.i));
            }
            list.remove(record);
        }
        return aVar;
    }

    /**
     * Wraps a checked response in a {@link DNSSECMessage}.
     *
     * <p>RRSIG records from the three record sections are collected into a separate set and,
     * when {@code l} is true, removed from the sections of the rebuilt message.
     *
     * @param dNSMessage the response that was checked
     * @param set reasons collected for that response
     */
    private DNSSECMessage a(DNSMessage dNSMessage, Set<UnverifiedReason> set) {
        // Presumably l = answer, m = authority, n = additional section -- confirm.
        List<Record<? extends Data>> list = dNSMessage.l;
        List<Record<? extends Data>> list2 = dNSMessage.m;
        List<Record<? extends Data>> list3 = dNSMessage.n;
        HashSet hashSet = new HashSet();
        Record.a(hashSet, RRSIG.class, list);
        Record.a(hashSet, RRSIG.class, list2);
        Record.a(hashSet, RRSIG.class, list3);
        DNSMessage.Builder f = dNSMessage.f();
        if (this.l) {
            f.b((Collection<Record<? extends Data>>) a(list));
            f.c(a(list2));
            f.d(a(list3));
        }
        return new DNSSECMessage(f, hashSet, set);
    }

    /**
     * Issues a class-IN sub-query through the superclass and validates the answer with
     * {@code b(DNSMessage)}.
     *
     * <p>This is how the chain is walked: validating one response can trigger further
     * validated lookups (DNSKEY, DS, DLV). Termination appears to rely on the secure entry
     * point map and the root-name check in the DNSKEY chain check -- confirm against upstream.
     *
     * @return the validated response, or null when the superclass returned no message
     */
    private DNSSECMessage a(CharSequence charSequence, Record.TYPE type) {
        return b(super.a(new Question(charSequence, type, Record.CLASS.IN)));
    }

    /**
     * Returns the records of {@code list} that are not of type RRSIG.
     *
     * <p>An empty input is returned as the same instance; otherwise a new list is built.
     */
    private static List<Record<? extends Data>> a(List<Record<? extends Data>> list) {
        if (list.isEmpty()) {
            return list;
        }
        ArrayList arrayList = new ArrayList(list.size());
        for (Record<? extends Data> record : list) {
            if (record.f4632b != Record.TYPE.RRSIG) {
                arrayList.add(record);
            }
        }
        return arrayList;
    }

    /**
     * Locates the key referenced by {@code rrsig} and hands the record set to the verifier.
     *
     * @param question the question being validated
     * @param rrsig the signature to check
     * @param list the records the signature covers
     * @return reasons collected while obtaining the key plus the verifier's own result, if any
     * @throws DNSSECValidationFailedException if the signer's DNSKEY lookup returns nothing or
     *     no key matches the signature
     */
    /* JADX WARN: Multi-variable type inference failed */
    private Set<UnverifiedReason> a(Question question, RRSIG rrsig, List<Record<? extends Data>> list) {
        HashSet hashSet = new HashSet();
        DNSKEY dnskey = null;
        if (rrsig.f4739a == Record.TYPE.DNSKEY) {
            // The signed set is a DNSKEY set: look for the signing key inside the set itself.
            // NOTE(review): keys are matched on b() == h only. If that is the key tag, tags
            // are not unique, and only the first match is ever passed to the verifier.
            Iterator<Record<? extends Data>> it = list.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Record<E> a2 = it.next().a(DNSKEY.class);
                if (a2 != 0 && ((DNSKEY) a2.f).b() == rrsig.h) {
                    dnskey = (DNSKEY) a2.f;
                    break;
                }
            }
        } else {
            // A DS set signed by the very name it was asked for cannot be anchored from
            // above, so it is reported instead of fetching that name's keys.
            if (question.f4626b == Record.TYPE.DS && rrsig.i.equals(question.f4625a)) {
                hashSet.add(new UnverifiedReason.NoTrustAnchorReason(question.f4625a.g));
                return hashSet;
            }
            // Validated lookup of the signer's DNSKEY set; its reasons are inherited.
            DNSSECMessage a3 = a((CharSequence) rrsig.i, Record.TYPE.DNSKEY);
            if (a3 == null) {
                throw new DNSSECValidationFailedException(question, "There is no DNSKEY " + ((Object) rrsig.i) + ", but it is used");
            }
            hashSet.addAll(a3.i());
            // Unlike the loop above there is no break here, so the last matching key wins.
            Iterator<Record<? extends Data>> it2 = a3.l.iterator();
            while (it2.hasNext()) {
                Record<E> a4 = it2.next().a(DNSKEY.class);
                if (a4 != 0 && ((DNSKEY) a4.f).b() == rrsig.h) {
                    dnskey = (DNSKEY) a4.f;
                }
            }
        }
        if (dnskey != null) {
            UnverifiedReason a5 = this.j.a(list, rrsig, dnskey);
            if (a5 != null) {
                hashSet.add(a5);
            }
            return hashSet;
        }
        throw new DNSSECValidationFailedException(question, list.size() + " " + rrsig.f4739a + " record(s) are signed using an unknown key.");
    }

    /**
     * Chain-checks a DNSKEY: against a registered secure entry point if one exists for its
     * owner name, otherwise against a DS record from a validated lookup, otherwise (when a
     * lookaside zone is configured) against a DLV record.
     *
     * @param record the DNSKEY record to anchor
     * @return reasons why the key could not be anchored; empty when the entry point matched
     */
    /* JADX WARN: Multi-variable type inference failed */
    private Set<UnverifiedReason> a(Record<DNSKEY> record) {
        Set<UnverifiedReason> set;
        DNSSECMessage a2;
        DNSKEY dnskey = record.f;
        HashSet hashSet = new HashSet();
        Set<UnverifiedReason> hashSet2 = new HashSet<>();
        if (this.k.containsKey(record.f4631a)) {
            // A secure entry point is registered for this name: the key must match it.
            if (dnskey.a(this.k.get(record.f4631a))) {
                return hashSet;
            }
            hashSet.add(new UnverifiedReason.ConflictsWithSep(record));
            return hashSet;
        }
        // Judging by the reason type, f() tests for the root name: nothing above the root
        // could vouch for the key, so it is reported rather than looked up.
        if (record.f4631a.f()) {
            hashSet.add(new UnverifiedReason.NoRootSecureEntryPointReason());
            return hashSet;
        }
        DS ds = null;
        DNSSECMessage a3 = a((CharSequence) record.f4631a, Record.TYPE.DS);
        if (a3 == null) {
            f4589b.fine("There is no DS record for " + ((Object) record.f4631a) + ", server gives no result");
        } else {
            hashSet.addAll(a3.i());
            Iterator<Record<? extends Data>> it = a3.l.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Record<E> a4 = it.next().a(DS.class);
                if (a4 != 0) {
                    DS ds2 = (DS) a4.f;
                    // The DS is selected on b() == f4719a (presumably the key tag); the
                    // digest comparison itself is left to the verifier call further down.
                    if (dnskey.b() == ds2.f4719a) {
                        hashSet2 = a3.i();
                        ds = ds2;
                        break;
                    }
                }
            }
            if (ds == null) {
                f4589b.fine("There is no DS record for " + ((Object) record.f4631a) + ", server gives empty result");
            }
        }
        // Lookaside fallback: only when no DS matched, a lookaside zone is set, and the
        // m.b(name) relation does not hold (direction of that test is not visible here).
        if (ds == null && this.m != null && !this.m.b(record.f4631a) && (a2 = a((CharSequence) DNSName.a(record.f4631a, this.m), Record.TYPE.DLV)) != null) {
            hashSet.addAll(a2.i());
            Iterator<Record<? extends Data>> it2 = a2.l.iterator();
            while (it2.hasNext()) {
                Record<E> a5 = it2.next().a(DLV.class);
                if (a5 != 0 && record.f.b() == ((DLV) a5.f).f4719a) {
                    f4589b.fine("Found DLV for " + ((Object) record.f4631a) + ", awesome.");
                    ds = (DS) a5.f;
                    set = a2.i();
                    break;
                }
            }
        }
        // NOTE(review): as decompiled, this assignment also runs after the break above and so
        // overwrites the DLV response's reasons with hashSet2. That looks like a lossy
        // control-flow reconstruction -- verify against the upstream source.
        set = hashSet2;
        if (ds != null) {
            UnverifiedReason a6 = this.j.a(record, ds);
            if (a6 == null) {
                // Digest matched: the result is only the reasons of the response that
                // supplied the delegation record.
                return set;
            }
            hashSet.add(a6);
        } else if (hashSet.isEmpty()) {
            hashSet.add(new UnverifiedReason.NoTrustAnchorReason(record.f4631a.g));
        }
        return hashSet;
    }

    /** Registers (or replaces) the secure entry point key bytes for {@code dNSName}. */
    private void a(DNSName dNSName, byte[] bArr) {
        this.k.put(dNSName, bArr);
    }

    /** Enables or disables stripping of RRSIG records from returned messages. */
    private void a(boolean z) {
        this.l = z;
    }

    /**
     * Tells whether {@code str2} equals {@code str} or is a label-wise suffix of it, comparing
     * dot-separated labels from the right. An empty {@code str2} matches everything.
     *
     * <p>NOTE(review): the comparison is case-sensitive {@code String.equals}; whether the
     * inputs are already case-normalised is not visible here -- confirm against DNSName.
     */
    private static boolean a(String str, String str2) {
        if (str.equals(str2) || str2.isEmpty()) {
            return true;
        }
        String[] split = str.split("\\.");
        String[] split2 = str2.split("\\.");
        if (split2.length > split.length) {
            return false;
        }
        for (int i2 = 1; i2 <= split2.length; i2++) {
            if (!split2[split2.length - i2].equals(split[split.length - i2])) {
                return false;
            }
        }
        return true;
    }

    /**
     * Validates a raw response and wraps it; null in, null out.
     *
     * <p>If flag {@code i} is set on the response it is rebuilt with that flag cleared before
     * validation (presumably the upstream "authentic data" bit, so the resolver's own claim is
     * not passed through -- confirm).
     */
    private DNSSECMessage b(DNSMessage dNSMessage) {
        if (dNSMessage == null) {
            return null;
        }
        if (dNSMessage.i) {
            dNSMessage = dNSMessage.f().c(false).b();
        }
        return a(dNSMessage, c(dNSMessage));
    }

    /**
     * Removes every registered secure entry point, including the one seeded by the
     * constructor.
     */
    private void b() {
        this.k.clear();
    }

    /**
     * Picks the validation path: positive-answer check when section {@code l} has records,
     * otherwise the denial-of-existence check.
     */
    private Set<UnverifiedReason> c(DNSMessage dNSMessage) {
        return !dNSMessage.l.isEmpty() ? d(dNSMessage) : e(dNSMessage);
    }

    /** Removes the secure entry point registered for {@code dNSName}, if any. */
    private void c(DNSName dNSName) {
        this.k.remove(dNSName);
    }

    /** Returns whether RRSIG records are stripped from returned messages. */
    private boolean c() {
        return this.l;
    }

    /**
     * Validates a response that carries records in section {@code l}.
     *
     * @return the reasons the response could not be verified; empty if none were recorded
     * @throws DNSSECValidationFailedException if only part of the records were covered by
     *     signatures
     */
    /* JADX WARN: Multi-variable type inference failed */
    private Set<UnverifiedReason> d(DNSMessage dNSMessage) {
        // z: at least one DNSKEY in the response could be anchored without objection.
        boolean z = false;
        Question question = dNSMessage.k.get(0);
        List<Record<? extends Data>> list = dNSMessage.l;
        // Presumably a mutable copy of section l; it is consumed by the signature pass.
        List<Record<? extends Data>> c = dNSMessage.c();
        a a2 = a(question, list, c);
        Set<UnverifiedReason> set = a2.c;
        if (!set.isEmpty()) {
            return set;
        }
        HashSet hashSet = new HashSet();
        // DNSKEY records left over by the signature pass are chain-checked here.
        Iterator<Record<? extends Data>> it = c.iterator();
        while (it.hasNext()) {
            Record<E> a3 = it.next().a(DNSKEY.class);
            if (a3 != 0) {
                Set<UnverifiedReason> a4 = a((Record<DNSKEY>) a3);
                if (a4.isEmpty()) {
                    z = true;
                } else {
                    hashSet.addAll(a4);
                }
                if (!a2.f4654b) {
                    f4589b.finer("SEP key is not self-signed.");
                }
                it.remove();
            }
        }
        // Per-key objections only count when no key at all could be anchored.
        if (a2.f4654b && !z) {
            set.addAll(hashSet);
        }
        if (a2.f4653a && !a2.f4654b) {
            set.add(new UnverifiedReason.NoSecureEntryPointReason(question.f4625a.g));
        }
        // Anything still in c was not covered by an accepted signature. A partially signed
        // answer is a hard failure; a completely unsigned one is only reported.
        if (!c.isEmpty()) {
            if (c.size() != list.size()) {
                throw new DNSSECValidationFailedException(question, "Only some records are signed!");
            }
            set.add(new UnverifiedReason.NoSignaturesReason(question));
        }
        return set;
    }

    /** Sets the lookaside zone to the built-in constant {@code i}. */
    private void d() {
        this.m = i;
    }

    /** Sets the lookaside zone to {@code dNSName}. */
    private void d(DNSName dNSName) {
        this.m = dNSName;
    }

    /**
     * Validates a response without records in section {@code l} (denial of existence) using
     * the records in section {@code m}.
     *
     * @throws DNSSECValidationFailedException if no SOA record is present, if proof records
     *     are present but none passes, or if only part of section {@code m} is signed
     */
    private Set<UnverifiedReason> e(DNSMessage dNSMessage) {
        UnverifiedReason a2;
        HashSet hashSet = new HashSet();
        // z: a proof record (switch case 1 or 2) was seen.
        boolean z = false;
        Question question = dNSMessage.k.get(0);
        List<Record<? extends Data>> list = dNSMessage.m;
        // Owner name of the SOA record in the section (the last one if several).
        DNSName dNSName = null;
        for (Record<? extends Data> record : list) {
            if (record.f4632b == Record.TYPE.SOA) {
                dNSName = record.f4631a;
            }
        }
        if (dNSName == null) {
            throw new DNSSECValidationFailedException(question, "NSECs must always match to a SOA");
        }
        // z2: at least one proof record was accepted by the verifier.
        boolean z2 = false;
        for (Record<? extends Data> record2 : list) {
            // Synthetic switch map over Record.TYPE; presumably 1 = NSEC and 2 = NSEC3.
            // NOTE(review): the decompiled switch has no default branch, which leaves a2
            // unassigned for other types; the original presumably skips those records.
            switch (de.measite.minidns.dnssec.a.f4671a[record2.f4632b.ordinal()]) {
                case 1:
                    a2 = b.a(record2, question);
                    break;
                case 2:
                    a2 = this.j.a(dNSName, record2, question);
                    break;
            }
            if (a2 != null) {
                hashSet.add(a2);
                z = true;
            } else {
                z = true;
                z2 = true;
            }
        }
        if (z && !z2) {
            throw new DNSSECValidationFailedException(question, "Invalid NSEC!");
        }
        // Signature pass over section m, using what is presumably a mutable copy of it.
        List<Record<? extends Data>> d = dNSMessage.d();
        a a3 = a(question, list, d);
        // One accepted proof with clean signatures discards objections from other proofs.
        if (z2 && a3.c.isEmpty()) {
            hashSet.clear();
        } else {
            hashSet.addAll(a3.c);
        }
        // Leftovers in d are unsigned records: none, or all of them, is tolerated here.
        if (d.isEmpty() || d.size() == list.size()) {
            return hashSet;
        }
        throw new DNSSECValidationFailedException(question, "Only some nameserver records are signed!");
    }

    /** Disables the lookaside branch by clearing the lookaside zone. */
    private void e() {
        this.m = null;
    }

    /** Routes the generic query entry point through the validating path. */
    @Override // de.measite.minidns.AbstractDNSClient
    public final DNSMessage a(Question question) {
        return c(question);
    }

    /**
     * Adds two DNSSEC-specific checks ahead of the superclass's response check: the response
     * must satisfy {@code e()} and have flag {@code j} set, which the messages identify as
     * the DO and CD flags. Returns the objection text, or the superclass's verdict.
     */
    @Override // de.measite.minidns.iterative.ReliableDNSClient
    protected final String a(DNSMessage dNSMessage) {
        return !dNSMessage.e() ? "DNSSEC OK (DO) flag not set in response" : !dNSMessage.j ? "CHECKING DISABLED (CD) flag not set in response" : super.a(dNSMessage);
    }

    /** Pure delegation to the superclass; no DNSSEC-specific behaviour is added here. */
    @Override // de.measite.minidns.iterative.ReliableDNSClient, de.measite.minidns.AbstractDNSClient
    protected final boolean a(Question question, DNSMessage dNSMessage) {
        return super.a(question, dNSMessage);
    }

    /**
     * Prepares an outgoing query before the superclass finishes it.
     *
     * <p>Presumably this configures the EDNS options (with a value taken from {@code f}) and
     * sets the CD flag via {@code d(true)}, matching the flags demanded of responses above --
     * confirm against DNSMessage.Builder. With CD set the upstream resolver is asked not to
     * validate, so the checks in this class are the only validation that takes place.
     */
    @Override // de.measite.minidns.iterative.ReliableDNSClient, de.measite.minidns.AbstractDNSClient
    protected final DNSMessage.Builder b(DNSMessage.Builder builder) {
        builder.a().a(this.f.a()).a();
        builder.d(true);
        return super.b(builder);
    }

    /**
     * Sends {@code question} through the superclass and returns the validated result.
     *
     * @return the validated response with its reason set, or null if no response was obtained
     */
    public final DNSSECMessage c(Question question) {
        return b(super.a(question));
    }
}
