package org.xbill.DNS.dnssec;

import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;
import org.xbill.DNS.Type;

/* loaded from: classes4.dex */
final class DnsSecVerifier {

    @Generated
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DnsSecVerifier.class);

    private List<DNSKEYRecord> findKey(RRset rRset, RRSIGRecord rRSIGRecord) {
        if (!rRSIGRecord.getSigner().equals(rRset.getName())) {
            log.trace("Could not find appropriate key because incorrect keyset was supplied. Wanted: {}, got: {}", rRSIGRecord.getSigner(), rRset.getName());
            return Collections.emptyList();
        }
        int footprint = rRSIGRecord.getFootprint();
        int algorithm = rRSIGRecord.getAlgorithm();
        ArrayList arrayList = new ArrayList(rRset.size());
        Iterator<Record> it = rRset.rrs().iterator();
        while (it.hasNext()) {
            DNSKEYRecord dNSKEYRecord = (DNSKEYRecord) it.next();
            if (dNSKEYRecord.getAlgorithm() == algorithm && dNSKEYRecord.getFootprint() == footprint) {
                arrayList.add(dNSKEYRecord);
            }
        }
        return arrayList;
    }

    private JustifiedSecStatus verifySignature(SRRset sRRset, RRSIGRecord rRSIGRecord, RRset rRset, Instant instant) {
        if (!sRRset.getName().subdomain(rRset.getName())) {
            log.debug("Signer name is off-tree");
            return new JustifiedSecStatus(SecurityStatus.BOGUS, 6, R.get("dnskey.key_offtree", rRset.getName(), sRRset.getName()));
        }
        List<DNSKEYRecord> findKey = findKey(rRset, rRSIGRecord);
        if (findKey.isEmpty()) {
            log.trace("Could not find appropriate key");
            return new JustifiedSecStatus(SecurityStatus.BOGUS, 9, R.get("dnskey.no_key", rRSIGRecord.getSigner()));
        }
        Iterator<DNSKEYRecord> it = findKey.iterator();
        if (!it.hasNext()) {
            return new JustifiedSecStatus(SecurityStatus.UNCHECKED, -1, null);
        }
        try {
            DNSSEC.verify(sRRset, rRSIGRecord, it.next(), instant);
            ValUtils.setCanonicalNsecOwner(sRRset, rRSIGRecord);
            return new JustifiedSecStatus(SecurityStatus.SECURE, -1, null);
        } catch (DNSSEC.KeyMismatchException unused) {
            return new JustifiedSecStatus(SecurityStatus.BOGUS, 6, R.get("dnskey.no_match", new Object[0]));
        } catch (DNSSEC.SignatureExpiredException unused2) {
            return new JustifiedSecStatus(SecurityStatus.BOGUS, 7, R.get("dnskey.expired", new Object[0]));
        } catch (DNSSEC.SignatureNotYetValidException unused3) {
            return new JustifiedSecStatus(SecurityStatus.BOGUS, 8, R.get("dnskey.not_yet_valid", new Object[0]));
        } catch (DNSSEC.DNSSECException e) {
            log.error("Failed to validate RRset {}/{}", sRRset.getName(), Type.string(sRRset.getType()), e);
            return new JustifiedSecStatus(SecurityStatus.BOGUS, 6, R.get("dnskey.invalid", new Object[0]));
        }
    }

    public JustifiedSecStatus verify(RRset rRset, DNSKEYRecord dNSKEYRecord, Instant instant) {
        List<RRSIGRecord> sigs = rRset.sigs();
        if (sigs.isEmpty()) {
            log.info("RRset failed to verify due to lack of signatures");
            return new JustifiedSecStatus(SecurityStatus.BOGUS, 10, R.get("dnskey.no_sigs", rRset.getName()));
        }
        DNSSEC.DNSSECException e = null;
        for (RRSIGRecord rRSIGRecord : sigs) {
            if (rRSIGRecord.getFootprint() == dNSKEYRecord.getFootprint()) {
                try {
                    DNSSEC.verify(rRset, rRSIGRecord, dNSKEYRecord, instant);
                    return new JustifiedSecStatus(SecurityStatus.SECURE, -1, null);
                } catch (DNSSEC.DNSSECException e2) {
                    e = e2;
                    log.error("Failed to validate RRset", (Throwable) e);
                }
            }
        }
        log.info("RRset failed to verify: all signatures were BOGUS");
        return new JustifiedSecStatus(SecurityStatus.BOGUS, e instanceof DNSSEC.SignatureExpiredException ? 7 : e instanceof DNSSEC.SignatureNotYetValidException ? 8 : 6, "dnskey.invalid");
    }

    public JustifiedSecStatus verify(SRRset sRRset, RRset rRset, Instant instant) {
        List<RRSIGRecord> sigs = sRRset.sigs();
        if (sigs.isEmpty()) {
            log.info("RRset failed to verify due to lack of signatures");
            return new JustifiedSecStatus(SecurityStatus.BOGUS, 10, R.get("validate.bogus.missingsig", new Object[0]));
        }
        JustifiedSecStatus justifiedSecStatus = new JustifiedSecStatus(SecurityStatus.BOGUS, 10, R.get("validate.bogus.missingsig", new Object[0]));
        Iterator<RRSIGRecord> it = sigs.iterator();
        while (it.hasNext()) {
            justifiedSecStatus = verifySignature(sRRset, it.next(), rRset, instant);
            if (justifiedSecStatus.status == SecurityStatus.SECURE) {
                return justifiedSecStatus;
            }
        }
        log.info("RRset failed to verify: all signatures were BOGUS");
        return justifiedSecStatus;
    }
}
