package org.xbill.DNS.dnssec;

import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xbill.DNS.DClass;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;
import org.xbill.DNS.Type;

/* loaded from: input_file:WEB-INF/lib/dnsjava-3.6.3.jar:org/xbill/DNS/dnssec/DnsSecVerifier.class */
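/**
 * Verifies RRSIG records over an RRset against a set of DNSKEY records.
 *
 * <p>Two entry points exist: {@link #verify(SRRset, KeyEntry, Instant)} validates an RRset against
 * a trusted key entry (honouring algorithm requirements), and
 * {@link #verify(RRset, DNSKEYRecord, Instant)} validates an RRset against one specific key (used
 * when a DNSKEY RRset is matched against a DS-derived key).
 *
 * <p>Both entry points stop after {@code maxValidateRRsigs} signature validations and report the
 * RRset as BOGUS, so a response carrying many signatures cannot drive unbounded cryptographic
 * work. {@link #init(Properties)} must be called before either {@code verify} method; until then
 * the bound is zero and every multi-signature RRset fails early.
 */
final class DnsSecVerifier {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(DnsSecVerifier.class);

    /** Property that bounds how many RRSIG validations are attempted per RRset. */
    public static final String MAX_VALIDATE_RRSIGS_PROPERTY = "dnsjava.dnssec.max_validate_rrsigs";

    /** Value used when {@link #MAX_VALIDATE_RRSIGS_PROPERTY} is not set. */
    private static final String DEFAULT_MAX_VALIDATE_RRSIGS = "8";

    // Extended DNS Error codes (RFC 8914) reported through JustifiedSecStatus.
    private static final int EDE_NONE = -1;
    private static final int EDE_UNSUPPORTED_DNSKEY_ALGORITHM = 1;
    private static final int EDE_DNSSEC_BOGUS = 6;
    private static final int EDE_SIGNATURE_EXPIRED = 7;
    private static final int EDE_SIGNATURE_NOT_YET_VALID = 8;
    private static final int EDE_DNSKEY_MISSING = 9;
    private static final int EDE_RRSIGS_MISSING = 10;

    private final ValUtils valUtils;

    // Upper bound on signature validations per RRset; stays 0 until init() has run.
    private int maxValidateRRsigs;

    /**
     * Creates a verifier.
     *
     * @param valUtils helper used to evaluate algorithm requirements of a key entry
     */
    public DnsSecVerifier(ValUtils valUtils) {
        this.valUtils = valUtils;
    }

    /**
     * Reads configuration.
     *
     * @param properties source of {@link #MAX_VALIDATE_RRSIGS_PROPERTY}; defaults to 8 when absent
     * @throws NumberFormatException if the property is present but not an integer
     */
    public void init(Properties properties) {
        this.maxValidateRRsigs =
                Integer.parseInt(properties.getProperty(MAX_VALIDATE_RRSIGS_PROPERTY, DEFAULT_MAX_VALIDATE_RRSIGS));
    }

    /**
     * Selects the DNSKEY records of {@code rRset} that can have produced {@code rRSIGRecord}.
     *
     * <p>A key is a candidate when the keyset's owner name equals the signature's signer and the
     * key's algorithm and key tag (footprint) match the signature. Several keys may match, since
     * key tags are not guaranteed unique.
     *
     * @param rRset the DNSKEY RRset; every record is cast to {@link DNSKEYRecord}
     * @param rRSIGRecord the signature to find keys for
     * @return the matching keys, possibly empty; never {@code null}
     */
    private List<DNSKEYRecord> findKey(RRset rRset, RRSIGRecord rRSIGRecord) {
        if (!rRSIGRecord.getSigner().equals(rRset.getName())) {
            log.trace("Could not find appropriate key because incorrect keyset was supplied. Wanted: {}, got: {}", rRSIGRecord.getSigner(), rRset.getName());
            return Collections.emptyList();
        }
        int footprint = rRSIGRecord.getFootprint();
        int algorithm = rRSIGRecord.getAlgorithm();
        List<DNSKEYRecord> candidates = new ArrayList<>(rRset.size());
        for (Record record : rRset.rrs(false)) {
            // The keyset is expected to hold only DNSKEY records; anything else fails the cast.
            DNSKEYRecord key = (DNSKEYRecord) record;
            if (key.getAlgorithm() == algorithm && key.getFootprint() == footprint) {
                candidates.add(key);
            }
        }
        return candidates;
    }

    /**
     * Checks a single RRSIG over {@code sRRset} using a key from {@code keyEntry}.
     *
     * <p>Only the first key returned by {@link #findKey} is tried; a second DNSKEY sharing the same
     * key tag and algorithm is not consulted. NOTE(review): confirm this is intended rather than a
     * missed loop, since a tag collision would then be reported as BOGUS.
     *
     * @param sRRset the RRset being validated
     * @param rRSIGRecord the signature under test
     * @param keyEntry trusted keys for the signer
     * @param instant validation time used for the signature's validity window
     * @return SECURE when the signature verifies, UNCHECKED when no matching key exists, BOGUS
     *     otherwise, each with an EDE code and a human-readable reason
     */
    private JustifiedSecStatus verifySignature(SRRset sRRset, RRSIGRecord rRSIGRecord, KeyEntry keyEntry, Instant instant) {
        // The signer must be at or above the RRset's owner; anything else is off-tree.
        if (!sRRset.getName().subdomain(rRSIGRecord.getSigner())) {
            log.debug("Signer name {} is off-tree for {}", rRSIGRecord.getSigner(), sRRset.getName());
            return new JustifiedSecStatus(SecurityStatus.BOGUS, EDE_DNSSEC_BOGUS, R.get("dnskey.key_offtree", rRSIGRecord.getSigner(), sRRset.getName()));
        }
        List<DNSKEYRecord> keys = findKey(keyEntry, rRSIGRecord);
        if (keys.isEmpty()) {
            log.trace("Could not find appropriate key for {}", rRSIGRecord);
            return new JustifiedSecStatus(SecurityStatus.UNCHECKED, EDE_DNSKEY_MISSING, R.get("dnskey.no_key", rRSIGRecord.getSigner()));
        }
        DNSKEYRecord key = keys.get(0);
        try {
            DNSSEC.verify(sRRset, rRSIGRecord, key, instant);
            ValUtils.setCanonicalNsecOwner(sRRset, rRSIGRecord);
            return new JustifiedSecStatus(SecurityStatus.SECURE, EDE_NONE, null);
        } catch (DNSSEC.InvalidDnskeyException e) {
            // The exception carries its own EDE code describing why the key is unusable.
            return new JustifiedSecStatus(SecurityStatus.BOGUS, e.getEdeCode(), R.get("dnskey.invalid"));
        } catch (DNSSEC.KeyMismatchException e) {
            return new JustifiedSecStatus(SecurityStatus.BOGUS, EDE_DNSSEC_BOGUS, R.get("dnskey.no_match"));
        } catch (DNSSEC.SignatureExpiredException e) {
            return new JustifiedSecStatus(SecurityStatus.BOGUS, EDE_SIGNATURE_EXPIRED, R.get("dnskey.expired"));
        } catch (DNSSEC.SignatureNotYetValidException e) {
            return new JustifiedSecStatus(SecurityStatus.BOGUS, EDE_SIGNATURE_NOT_YET_VALID, R.get("dnskey.not_yet_valid"));
        } catch (DNSSEC.DNSSECException e) {
            // Any other verification failure (e.g. bad signature data) is logged with its cause.
            log.error("Failed to validate RRset <{}/{}/{}>", sRRset.getName(), DClass.string(sRRset.getDClass()), Type.string(sRRset.getType()), e);
            return new JustifiedSecStatus(SecurityStatus.BOGUS, EDE_DNSSEC_BOGUS, R.get("dnskey.invalid"));
        }
    }

    /**
     * Validates {@code sRRset} against the keys in {@code keyEntry}.
     *
     * <p>When the key entry lists algorithms, the RRset is SECURE only once a signature verifies
     * for every required algorithm; if none of the listed algorithms is supported the RRset is
     * INSECURE. Signature checking stops after {@code maxValidateRRsigs} attempts.
     *
     * @param sRRset the RRset to validate; must carry at least one RRSIG
     * @param keyEntry trusted keys (and optional algorithm requirements) for the signer
     * @param instant validation time
     * @return the verdict for the RRset; when every signature fails, the verdict of the last
     *     signature examined (which may be UNCHECKED rather than BOGUS if no key matched it)
     */
    public JustifiedSecStatus verify(SRRset sRRset, KeyEntry keyEntry, Instant instant) {
        List<RRSIGRecord> sigs = sRRset.sigs();
        if (sigs.isEmpty()) {
            log.info("RRset <{}/{}/{}> failed to verify due to a lack of signatures", sRRset.getName(), DClass.string(sRRset.getDClass()), Type.string(sRRset.getType()));
            return new JustifiedSecStatus(SecurityStatus.BOGUS, EDE_RRSIGS_MISSING, R.get("validate.bogus.missingsig_named", sRRset.getName(), Type.string(sRRset.getType())));
        }
        AlgorithmRequirements algorithmRequirements = null;
        if (keyEntry.getAlgo() != null) {
            algorithmRequirements = new AlgorithmRequirements(this.valUtils);
            algorithmRequirements.initList(keyEntry.getAlgo());
            if (algorithmRequirements.getNum() == 0) {
                log.debug("{} has no known algorithms", sRRset.getName());
                return new JustifiedSecStatus(SecurityStatus.INSECURE, EDE_UNSUPPORTED_DNSKEY_ALGORITHM, R.get("validate.insecure.noalg", sRRset.getName()));
            }
        }
        JustifiedSecStatus lastStatus = null;
        int validated = 0;
        for (RRSIGRecord rRSIGRecord : sigs) {
            lastStatus = verifySignature(sRRset, rRSIGRecord, keyEntry, instant);
            if (lastStatus.status == SecurityStatus.SECURE) {
                // Without algorithm requirements one good signature suffices; otherwise every
                // required algorithm must be satisfied before the RRset counts as SECURE.
                if (algorithmRequirements == null || algorithmRequirements.setSecure(rRSIGRecord.getAlgorithm())) {
                    return lastStatus;
                }
            } else if (algorithmRequirements != null && lastStatus.status == SecurityStatus.BOGUS) {
                algorithmRequirements.setBogus(rRSIGRecord.getAlgorithm());
            }
            // Every signature examined counts toward the bound, whatever its outcome.
            validated++;
            if (validated > this.maxValidateRRsigs) {
                log.warn("RRset <{}/{}/{}> failed to verify: too many signatures", sRRset.getName(), DClass.string(sRRset.getDClass()), Type.string(sRRset.getType()));
                return new JustifiedSecStatus(SecurityStatus.BOGUS, EDE_DNSSEC_BOGUS, R.get("validate.bogus.rrsigtoomany", sRRset.getName(), Type.string(sRRset.getType())));
            }
        }
        log.warn("RRset <{}/{}/{}> failed to verify: all signatures are BOGUS", sRRset.getName(), DClass.string(sRRset.getDClass()), Type.string(sRRset.getType()));
        return lastStatus;
    }

    /**
     * Validates {@code rRset} against one specific key.
     *
     * <p>Only signatures whose key tag equals the key's are tried; each such attempt counts toward
     * {@code maxValidateRRsigs}. The returned reason distinguishes "no signature matched the key"
     * from a signature that was expired, not yet valid, or otherwise invalid (last failure wins).
     *
     * @param rRset the RRset to validate; must carry at least one RRSIG
     * @param dNSKEYRecord the key to verify with
     * @param instant validation time
     * @return SECURE when some signature verifies with the key, BOGUS otherwise
     */
    public JustifiedSecStatus verify(RRset rRset, DNSKEYRecord dNSKEYRecord, Instant instant) {
        List<RRSIGRecord> sigs = rRset.sigs();
        if (sigs.isEmpty()) {
            log.warn("RRset <{}/{}/{}> failed to verify due to lack of signatures", rRset.getName(), DClass.string(rRset.getDClass()), Type.string(rRset.getType()));
            return new JustifiedSecStatus(SecurityStatus.BOGUS, EDE_RRSIGS_MISSING, R.get("validate.bogus.missingsig_named", rRset.getName(), Type.string(rRset.getType())));
        }
        DNSSEC.DNSSECException lastFailure = null;
        int attempted = 0;
        for (RRSIGRecord rRSIGRecord : sigs) {
            if (rRSIGRecord.getFootprint() != dNSKEYRecord.getFootprint()) {
                continue;
            }
            attempted++;
            try {
                DNSSEC.verify(rRset, rRSIGRecord, dNSKEYRecord, instant);
                return new JustifiedSecStatus(SecurityStatus.SECURE, EDE_NONE, null);
            } catch (DNSSEC.DNSSECException e) {
                log.warn("Failed to validate RRset <{}/{}/{}> with signature {}", rRset.getName(), DClass.string(rRset.getDClass()), Type.string(rRset.getType()), rRSIGRecord.getFootprint(), e);
                lastFailure = e;
                if (attempted > this.maxValidateRRsigs) {
                    log.warn("RRset <{}/{}/{}> failed to verify: too many signatures", rRset.getName(), DClass.string(rRset.getDClass()), Type.string(rRset.getType()));
                    return new JustifiedSecStatus(SecurityStatus.BOGUS, EDE_DNSSEC_BOGUS, R.get("validate.bogus.rrsigtoomany", rRset.getName(), Type.string(rRset.getType())));
                }
            }
        }
        log.warn("RRset <{}/{}/{}> failed to verify: all signatures were BOGUS", rRset.getName(), DClass.string(rRset.getDClass()), Type.string(rRset.getType()));
        int edeCode = EDE_DNSSEC_BOGUS;
        String reasonKey = "dnskey.invalid";
        if (attempted == 0) {
            edeCode = EDE_DNSKEY_MISSING;
            reasonKey = "dnskey.no_ds_match";
        } else if (lastFailure instanceof DNSSEC.SignatureExpiredException) {
            edeCode = EDE_SIGNATURE_EXPIRED;
            reasonKey = "dnskey.expired";
        } else if (lastFailure instanceof DNSSEC.SignatureNotYetValidException) {
            edeCode = EDE_SIGNATURE_NOT_YET_VALID;
            reasonKey = "dnskey.not_yet_valid";
        }
        return new JustifiedSecStatus(SecurityStatus.BOGUS, edeCode, R.get(reasonKey));
    }
}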
