package org.xbill.DNS;

import com.ctc.wstx.shaded.msv_core.datatype.xsd.XSDatatype;
import com.helger.commons.io.file.FilenameHelper;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import lombok.Generated;
import org.apache.logging.log4j.util.ProcessIdUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xbill.DNS.utils.base64;
import org.xbill.DNS.utils.hexdump;

/* loaded from: input_file:WEB-INF/lib/dnsjava-3.6.3.jar:org/xbill/DNS/TSIG.class */
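/**
 * Transaction signature (TSIG) support: computes and checks the HMAC that authenticates a DNS
 * message with a secret shared between the two endpoints.
 *
 * <p>This listing is decompiler output. Numeric literals stand in for the library's named
 * constants; the comments name them where the surrounding log messages make the meaning clear.
 *
 * <p>Security notes for reviewers:
 *
 * <ul>
 *   <li>Signature comparison uses {@link MessageDigest#isEqual(byte[], byte[])} so that the time
 *       taken does not depend on how many leading MAC bytes match.
 *   <li>At TRACE level the MAC input is hex-dumped, and at DEBUG level a failed verification logs
 *       the MAC that would have been accepted. Keep both levels off where logs are readable by
 *       parties that do not hold the key.
 *   <li>{@link #HMAC_MD5} and {@link #HMAC_SHA1} remain selectable for interoperability; RFC 8945
 *       marks HMAC-MD5 as "MUST NOT" use and HMAC-SHA1 as "NOT RECOMMENDED".
 * </ul>
 */
public class TSIG {
    /** TSIG algorithm name to JCA algorithm name; filled in by the static initializer. */
    private static final Map<Name, String> algMap;

    /** TSIG algorithm name to the number of MAC bytes put on the wire (after truncation). */
    private static final Map<Name, Integer> algLengthMap;

    /** Fudge used when the {@code tsigfudge} option is unset or out of range (300 seconds). */
    public static final Duration FUDGE;

    private final Name alg;
    private final Clock clock;
    private final Name name;
    private final SecretKey macKey;
    private final String macAlgorithm;
    private final Mac sharedHmac;

    @Generated
    private static final Logger log = LoggerFactory.getLogger(TSIG.class);
    public static final Name GSS_TSIG = Name.fromConstantString("gss-tsig.");

    /** HMAC-MD5. Kept for interoperability only; RFC 8945 says it must not be used. */
    public static final Name HMAC_MD5 = Name.fromConstantString("HMAC-MD5.SIG-ALG.REG.INT.");

    @Deprecated
    public static final Name HMAC = HMAC_MD5;

    /** HMAC-SHA1. RFC 8945 lists its use as not recommended. */
    public static final Name HMAC_SHA1 = Name.fromConstantString("hmac-sha1.");
    public static final Name HMAC_SHA224 = Name.fromConstantString("hmac-sha224.");
    public static final Name HMAC_SHA256 = Name.fromConstantString("hmac-sha256.");
    public static final Name HMAC_SHA384 = Name.fromConstantString("hmac-sha384.");
    public static final Name HMAC_SHA512 = Name.fromConstantString("hmac-sha512.");
    public static final Name HMAC_SHA256_128 = Name.fromConstantString("hmac-sha256-128.");
    public static final Name HMAC_SHA384_192 = Name.fromConstantString("hmac-sha384-192.");
    public static final Name HMAC_SHA512_256 = Name.fromConstantString("hmac-sha512-256.");

    /** Matches JCA-style names such as {@code HmacSHA256} or {@code HmacSHA256/128}. */
    private static final Pattern javaAlgNamePattern =
            Pattern.compile("^Hmac(?<alg>(SHA(1|\\d{3})|MD5))(/(?<length>\\d{3}))?$", Pattern.CASE_INSENSITIVE);

    /* loaded from: input_file:WEB-INF/lib/dnsjava-3.6.3.jar:org/xbill/DNS/TSIG$StreamGenerator.class */
    /**
     * Signs the messages of a multi-message response. One running HMAC is carried across the
     * stream so that each signature also covers the unsigned messages sent since the previous one.
     */
    public static class StreamGenerator {
        private final TSIG key;
        private final Mac sharedHmac;
        private final int signEveryNthMessage;
        private int numGenerated;
        private TSIGRecord lastTsigRecord;

        /**
         * Creates a generator that signs every message.
         *
         * @param key the key to sign with
         * @param queryTsig the TSIG record folded into the first signature of the stream
         */
        public StreamGenerator(TSIG key, TSIGRecord queryTsig) {
            this(key, queryTsig, 1);
        }

        /**
         * @param key the key to sign with
         * @param queryTsig the TSIG record folded into the first signature of the stream
         * @param signEveryNthMessage signing interval, 1 to 100 inclusive
         * @throws IllegalArgumentException if the interval is outside 1..100
         */
        StreamGenerator(TSIG key, TSIGRecord queryTsig, int signEveryNthMessage) {
            // The upper bound matches StreamVerifier, which rejects a stream once 100 messages
            // have passed without a signature.
            if (signEveryNthMessage < 1 || signEveryNthMessage > 100) {
                throw new IllegalArgumentException("signEveryNthMessage must be between 1 and 100");
            }
            this.key = key;
            this.lastTsigRecord = queryTsig;
            this.signEveryNthMessage = signEveryNthMessage;
            this.sharedHmac = this.key.initHmac();
        }

        /** Signs {@code message} unconditionally and appends the TSIG record to it. */
        public void generate(Message message) {
            generate(message, true);
        }

        /**
         * Signs {@code message} if it is the first of the stream, falls on the signing interval,
         * or {@code forceSign} is set; otherwise only feeds it into the running HMAC.
         *
         * @param message the message to process; modified in place when signed
         * @param forceSign sign regardless of position (presumably set by callers for the last
         *     message of a stream - confirm against callers)
         */
        void generate(Message message, boolean forceSign) {
            boolean onInterval = this.numGenerated % this.signEveryNthMessage == 0;
            boolean isFirst = this.numGenerated == 0;
            if (isFirst || onInterval || forceSign) {
                // Only the first signature includes the earlier TSIG record and the full set of
                // TSIG variables; later ones pass null/false and cover the timers only.
                TSIGRecord signed =
                        this.key.generate(
                                message,
                                message.toWire(),
                                0,
                                isFirst ? this.lastTsigRecord : null,
                                isFirst,
                                this.sharedHmac);
                message.addRecord(signed, 3); // section 3: additional
                message.tsigState = 3;
                this.lastTsigRecord = signed;
                // Seed the HMAC for the next signature with the one just produced.
                TSIG.hmacAddSignature(this.sharedHmac, signed);
            } else {
                this.sharedHmac.update(message.toWire(65535));
            }
            this.numGenerated++;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/dnsjava-3.6.3.jar:org/xbill/DNS/TSIG$StreamVerifier.class */
    /**
     * Verifies the messages of a multi-message response. The first message must be signed, at most
     * 99 consecutive messages may be unsigned, and the last message must be signed.
     */
    public static class StreamVerifier {
        private final TSIG key;
        private final Mac sharedHmac;
        private final TSIGRecord queryTsig;
        private int nresponses = 0;
        private int lastsigned;
        private String errorMessage;

        /**
         * @param key the key to verify with
         * @param queryTsig the TSIG record of the request, folded into the first verification
         */
        public StreamVerifier(TSIG key, TSIGRecord queryTsig) {
            this.key = key;
            this.sharedHmac = this.key.initHmac();
            this.queryTsig = queryTsig;
        }

        /** Verifies {@code message} as a message that is not the last one of the stream. */
        public int verify(Message message, byte[] messageBytes) {
            return verify(message, messageBytes, false);
        }

        /**
         * Verifies the next message of the stream.
         *
         * @param message the parsed message; its {@code tsigState} is updated
         * @param messageBytes the wire bytes {@code message} was parsed from
         * @param isLastMessage whether this is the final message, which must carry a signature
         * @return 0 on success (including an accepted unsigned intermediate message), 1 (FORMERR)
         *     when a required signature is missing, otherwise the result of the key's verify
         */
        public int verify(Message message, byte[] messageBytes, boolean isLastMessage) {
            TSIGRecord tsig = message.getTSIG();
            this.nresponses++;
            if (this.nresponses == 1) {
                if (tsig == null) {
                    return missingSignature(message, "missing required signature on first message");
                }
                int firstResult = this.key.verify(message, messageBytes, this.queryTsig, true, this.sharedHmac);
                TSIG.hmacAddSignature(this.sharedHmac, tsig);
                this.lastsigned = this.nresponses;
                return firstResult;
            }
            if (tsig != null) {
                int result = this.key.verify(message, messageBytes, null, false, this.sharedHmac);
                this.lastsigned = this.nresponses;
                TSIG.hmacAddSignature(this.sharedHmac, tsig);
                return result;
            }
            // Bounding the unsigned run limits how much unauthenticated data is accepted before
            // a signature has to vouch for it.
            if (this.nresponses - this.lastsigned >= 100) {
                return missingSignature(message, "Missing required signature on message #" + this.nresponses);
            }
            if (isLastMessage) {
                return missingSignature(message, "Missing required signature on last message");
            }
            // Accepted for now: the content is not authenticated until a later signed message
            // covers it, so callers should not act on it before the stream verifies.
            this.errorMessage = "Intermediate message #" + this.nresponses + " without signature";
            TSIG.log.debug("FORMERR: {}", this.errorMessage);
            addUnsignedMessageToMac(message, messageBytes, this.sharedHmac);
            return 0;
        }

        /** Records {@code reason}, marks the message as failed (state 4) and returns 1 (FORMERR). */
        private int missingSignature(Message message, String reason) {
            this.errorMessage = reason;
            TSIG.log.debug("FORMERR: {}", this.errorMessage);
            message.tsigState = 4;
            return 1;
        }

        /** Feeds the header and body of an unsigned message into the running HMAC. */
        private void addUnsignedMessageToMac(Message message, byte[] messageBytes, Mac hmac) {
            byte[] header = message.getHeader().toWire();
            if (TSIG.log.isTraceEnabled()) {
                TSIG.log.trace(hexdump.dump("TSIG-HMAC header", header));
            }
            hmac.update(header);
            int bodyLength = messageBytes.length - header.length;
            if (TSIG.log.isTraceEnabled()) {
                TSIG.log.trace(hexdump.dump("TSIG-HMAC message after header", messageBytes, header.length, bodyLength));
            }
            hmac.update(messageBytes, header.length, bodyLength);
            message.tsigState = 2;
        }

        /** Returns the text of the most recent condition recorded by {@code verify}, or null. */
        @Generated
        public String getErrorMessage() {
            return this.errorMessage;
        }
    }

    /**
     * Converts an algorithm given either as a TSIG name ({@code hmac-sha256}) or as a JCA name
     * ({@code HmacSHA256}, {@code HmacSHA256/128}) into the corresponding {@link Name}.
     *
     * @param alg the algorithm text
     * @return the algorithm name; {@link #HMAC_MD5} for {@code hmac-md5}
     * @throws IllegalArgumentException if {@code alg} is null, unparsable or not a known algorithm
     */
    public static Name algorithmToName(String alg) {
        if (alg == null) {
            throw new IllegalArgumentException("Null algorithm");
        }
        // The decompiler had replaced the literals "-", "." and "length" below with equal-valued
        // constants from unrelated libraries (log4j, ph-commons, a shaded MSV class). Plain
        // literals keep this method free of those accidental dependencies.
        String text = alg;
        if (!text.contains("-")) {
            Matcher javaName = javaAlgNamePattern.matcher(text);
            if (javaName.matches()) {
                text = "hmac-" + javaName.group("alg");
                String truncation = javaName.group("length");
                if (truncation != null) {
                    text = text + "-" + truncation;
                }
            }
        }
        if (!text.endsWith(".")) {
            text = text + ".";
        }
        try {
            Name parsed = Name.fromString(text);
            if (parsed.equals(Name.fromConstantString("hmac-md5."))) {
                return HMAC_MD5;
            }
            // Allow-list: only algorithms registered in algMap are accepted.
            if (algMap.get(parsed) == null) {
                throw new IllegalArgumentException("Unknown algorithm: " + parsed);
            }
            return parsed;
        } catch (TextParseException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Returns the JCA algorithm name registered for a TSIG algorithm name.
     *
     * @throws IllegalArgumentException if the name is not registered
     */
    @Deprecated
    public static String nameToAlgorithm(Name name) {
        String javaName = algMap.get(name);
        if (javaName != null) {
            return javaName;
        }
        throw new IllegalArgumentException("Unknown algorithm: " + name);
    }

    /**
     * Compares a received signature with the locally computed MAC. When the received value is
     * shorter, only that many leading bytes of the computed MAC are compared; the caller enforces
     * the minimum acceptable length.
     *
     * @param expected the locally computed MAC
     * @param signature the MAC taken from the message
     * @return whether the two match
     */
    private static boolean verify(byte[] expected, byte[] signature) {
        byte[] reference = expected;
        if (signature.length < reference.length) {
            reference = Arrays.copyOf(reference, signature.length);
        }
        // Arrays.equals returns at the first differing byte, which makes the comparison time
        // depend on how much of a guessed MAC is correct. MessageDigest.isEqual does not.
        return MessageDigest.isEqual(signature, reference);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Returns an HMAC instance initialised with this key.
     *
     * <p>The decompiler widened this method from private. It hands out a keyed {@link Mac}, so
     * treat it as internal to this class and its nested classes.
     *
     * @throws IllegalArgumentException if the HMAC cannot be set up from the stored key
     */
    public Mac initHmac() {
        if (this.sharedHmac != null) {
            try {
                return (Mac) this.sharedHmac.clone();
            } catch (CloneNotSupportedException e) {
                // Fallback: the one caller-supplied Mac is reset and handed out as is, so every
                // user of this key then shares its state. Not safe for concurrent use.
                this.sharedHmac.reset();
                return this.sharedHmac;
            }
        }
        try {
            Mac hmac = Mac.getInstance(this.macAlgorithm);
            hmac.init(this.macKey);
            return hmac;
        } catch (GeneralSecurityException e2) {
            throw new IllegalArgumentException("Caught security exception setting up HMAC.", e2);
        }
    }

    /**
     * @param algorithm the TSIG algorithm name
     * @param keyName the name of the shared key
     * @param key the shared secret, base64 encoded
     * @throws NullPointerException if {@code key} does not decode
     */
    public TSIG(Name algorithm, Name keyName, String key) {
        this(algorithm, keyName, Objects.<byte[]>requireNonNull(base64.fromString(key), "Invalid TSIG key string"));
    }

    /**
     * @param algorithm the TSIG algorithm name
     * @param keyName the name of the shared key
     * @param keyBytes the shared secret
     */
    public TSIG(Name algorithm, Name keyName, byte[] keyBytes) {
        this(algorithm, keyName, new SecretKeySpec(keyBytes, nameToAlgorithm(algorithm)));
    }

    /** Creates a key that takes the current time from the system UTC clock. */
    public TSIG(Name algorithm, Name keyName, SecretKey key) {
        this(algorithm, keyName, key, Clock.systemUTC());
    }

    /**
     * @param algorithm the TSIG algorithm name
     * @param keyName the name of the shared key
     * @param key the shared secret
     * @param clock source of the current time for signing and for the time check
     * @throws IllegalArgumentException if the algorithm is not registered
     */
    public TSIG(Name algorithm, Name keyName, SecretKey key, Clock clock) {
        this.name = keyName;
        this.alg = algorithm;
        this.clock = clock;
        this.macAlgorithm = nameToAlgorithm(algorithm);
        this.macKey = key;
        this.sharedHmac = null;
    }

    /**
     * Creates a key around an already initialised {@link Mac}; the algorithm is derived from the
     * Mac's own algorithm name.
     */
    @Deprecated
    public TSIG(Mac mac, Name keyName) {
        this.name = keyName;
        this.sharedHmac = mac;
        this.macAlgorithm = null;
        this.macKey = null;
        this.clock = Clock.systemUTC();
        this.alg = algorithmToName(mac.getAlgorithm());
    }

    /** Creates an HMAC-MD5 key. Deprecated: HMAC-MD5 should not be used for new deployments. */
    @Deprecated
    public TSIG(Name keyName, byte[] keyBytes) {
        this(HMAC_MD5, keyName, keyBytes);
    }

    /**
     * @param algorithm the TSIG algorithm name
     * @param keyName the key name as text, made absolute against the root
     * @param key the shared secret, base64 encoded
     * @throws IllegalArgumentException if the key does not decode, the key name does not parse,
     *     or the algorithm is not registered
     */
    public TSIG(Name algorithm, String keyName, String key) {
        byte[] keyBytes = base64.fromString(key);
        if (keyBytes == null) {
            throw new IllegalArgumentException("Invalid TSIG key string");
        }
        try {
            this.name = Name.fromString(keyName, Name.root);
            this.alg = algorithm;
            this.clock = Clock.systemUTC();
            this.macAlgorithm = nameToAlgorithm(algorithm);
            this.sharedHmac = null;
            this.macKey = new SecretKeySpec(keyBytes, this.macAlgorithm);
        } catch (TextParseException e) {
            // Keep the parse error as the cause so the reason is not lost.
            throw new IllegalArgumentException("Invalid TSIG key name", e);
        }
    }

    /** As {@link #TSIG(Name, String, String)}, with the algorithm given as text. */
    public TSIG(String algorithm, String keyName, String key) {
        this(algorithmToName(algorithm), keyName, key);
    }

    /** Creates an HMAC-MD5 key. Deprecated: HMAC-MD5 should not be used for new deployments. */
    @Deprecated
    public TSIG(String keyName, String key) {
        this(HMAC_MD5, keyName, key);
    }

    /**
     * Parses {@code [algorithm:]name:key}, with {@code :} or {@code /} as separator. Without an
     * algorithm part the key is HMAC-MD5.
     *
     * @throws IllegalArgumentException if the text does not split into two or three parts
     */
    @Deprecated
    public static TSIG fromString(String spec) {
        String[] parts = spec.split("[:/]", 3);
        switch (parts.length) {
            case 2:
                return new TSIG(HMAC_MD5, parts[0], parts[1]);
            case 3:
                return new TSIG(parts[0], parts[1], parts[2]);
            default:
                throw new IllegalArgumentException("Invalid TSIG key specification");
        }
    }

    /** Generates a TSIG record with a full signature; see the five-argument overload. */
    public TSIGRecord generate(Message message, byte[] messageBytes, int error, TSIGRecord old) {
        return generate(message, messageBytes, error, old, true);
    }

    /**
     * Generates a TSIG record for a message.
     *
     * @param message the message the record is for
     * @param messageBytes the rendered message to be covered by the MAC
     * @param error the TSIG error code to place in the record
     * @param old the TSIG record of the request, or null
     * @param fullSignature whether the MAC covers all TSIG variables or only the timers
     * @return the record; its MAC is empty unless {@code error} is 0, 18 (BADTIME) or 22
     */
    public TSIGRecord generate(Message message, byte[] messageBytes, int error, TSIGRecord old, boolean fullSignature) {
        Mac hmac = null;
        // Error responses other than BADTIME (18) and 22 (BADTRUNC per RFC 8945) are sent with an
        // empty MAC.
        if (error == 0 || error == 18 || error == 22) {
            hmac = initHmac();
        }
        return generate(message, messageBytes, error, old, fullSignature, hmac);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Generates a TSIG record using the supplied HMAC state. Widened from private by the
     * decompiler; internal use only.
     *
     * @param hmac the HMAC to sign with, or null to produce a record with an empty MAC
     */
    public TSIGRecord generate(
            Message message, byte[] messageBytes, int error, TSIGRecord old, boolean fullSignature, Mac hmac) {
        Instant timeSigned = getTimeSigned(error, old);
        Duration fudge = getTsigFudge();
        boolean signing = hmac != null;
        if (old != null && signing) {
            hmacAddSignature(hmac, old);
        }
        if (signing) {
            if (log.isTraceEnabled()) {
                log.trace(hexdump.dump("TSIG-HMAC rendered message", messageBytes));
            }
            hmac.update(messageBytes);
        }
        DNSOutput variables = new DNSOutput();
        if (fullSignature) {
            this.name.toWireCanonical(variables);
            variables.writeU16(255); // class ANY, as in the record built below
            variables.writeU32(0L); // TTL 0
            this.alg.toWireCanonical(variables);
        }
        writeTsigTimerVariables(timeSigned, fudge, variables);
        if (fullSignature) {
            variables.writeU16(error);
            variables.writeU16(0); // length of "other data" as covered by the MAC
        }
        byte[] signature;
        if (signing) {
            byte[] variableBytes = variables.toByteArray();
            if (log.isTraceEnabled()) {
                log.trace(hexdump.dump("TSIG-HMAC variables", variableBytes));
            }
            signature = hmac.doFinal(variableBytes);
            int wireLength = algLengthMap.get(this.alg);
            if (signature.length > wireLength) {
                // Truncated algorithm variants send only the leading bytes of the MAC.
                signature = Arrays.copyOfRange(signature, 0, wireLength);
            }
        } else {
            signature = new byte[0];
        }
        byte[] other = null;
        if (error == 18) {
            // BADTIME: the "other data" field carries this side's current time (48 bits).
            DNSOutput serverTime = new DNSOutput(6);
            writeTsigTime(this.clock.instant(), serverTime);
            other = serverTime.toByteArray();
        }
        return new TSIGRecord(
                this.name, 255, 0L, this.alg, timeSigned, fudge, signature, message.getHeader().getID(), error, other);
    }

    /**
     * Picks the "time signed" value: for BADTIME (18) the value of the request's TSIG record is
     * echoed, otherwise the current time is used.
     *
     * @throws NullPointerException if {@code error} is 18 and {@code old} is null
     */
    private Instant getTimeSigned(int error, TSIGRecord old) {
        if (error == 18) {
            return Objects.requireNonNull(old, "a BADTIME response needs the TSIG record of the request")
                    .getTimeSigned();
        }
        return this.clock.instant();
    }

    /** Reads the {@code tsigfudge} option; values outside 0..32767 fall back to {@link #FUDGE}. */
    private static Duration getTsigFudge() {
        int configured = Options.intValue("tsigfudge");
        boolean usable = configured >= 0 && configured <= 32767;
        return usable ? Duration.ofSeconds(configured) : FUDGE;
    }

    /** Signs {@code message} with error 0 and a full signature. */
    public void apply(Message message, TSIGRecord old) {
        apply(message, 0, old, true);
    }

    /** Signs {@code message} with the given TSIG error and a full signature. */
    public void apply(Message message, int error, TSIGRecord old) {
        apply(message, error, old, true);
    }

    /** Signs {@code message} with error 0. */
    public void apply(Message message, TSIGRecord old, boolean fullSignature) {
        apply(message, 0, old, fullSignature);
    }

    /**
     * Generates a TSIG record for {@code message}, appends it to the additional section and marks
     * the message as signed.
     */
    public void apply(Message message, int error, TSIGRecord old, boolean fullSignature) {
        TSIGRecord record = generate(message, message.toWire(), error, old, fullSignature);
        message.addRecord(record, 3);
        message.tsigState = 3;
    }

    @Deprecated
    public void applyStream(Message message, TSIGRecord old, boolean fullSignature) {
        apply(message, 0, old, fullSignature);
    }

    /** Deprecated variant; the {@code length} argument is ignored and the result narrowed to byte. */
    @Deprecated
    public byte verify(Message message, byte[] messageBytes, int length, TSIGRecord requestTsig) {
        return (byte) verify(message, messageBytes, requestTsig);
    }

    /** Verifies {@code message} expecting a full signature. */
    public int verify(Message message, byte[] messageBytes, TSIGRecord requestTsig) {
        return verify(message, messageBytes, requestTsig, true);
    }

    /** Verifies {@code message} with a freshly initialised HMAC. */
    public int verify(Message message, byte[] messageBytes, TSIGRecord requestTsig, boolean fullSignature) {
        return verify(message, messageBytes, requestTsig, fullSignature, null);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Verifies the TSIG record of a message. Widened from private by the decompiler; internal use
     * only.
     *
     * <p>The message is marked as failed (state 4) on entry and only marked verified (state 1)
     * after the key, the signature and the time have all been checked, so every early return
     * leaves it failed.
     *
     * @param message the parsed message
     * @param messageBytes the wire bytes {@code message} was parsed from
     * @param requestTsig the TSIG record of the request, or null
     * @param fullSignature whether the MAC covers all TSIG variables or only the timers
     * @param hmac running HMAC state, or null to start from a fresh one
     * @return 0 on success, 1 (FORMERR) if the message has no TSIG record, 17 (BADKEY),
     *     16 (BADSIG) or 18 (BADTIME)
     */
    public int verify(Message message, byte[] messageBytes, TSIGRecord requestTsig, boolean fullSignature, Mac hmac) {
        message.tsigState = 4;
        TSIGRecord tsig = message.getTSIG();
        if (tsig == null) {
            return 1;
        }
        boolean keyMatches = tsig.getName().equals(this.name) && tsig.getAlgorithm().equals(this.alg);
        if (!keyMatches) {
            log.debug(
                    "BADKEY failure on message id {}, expected: {}/{}, actual: {}/{}",
                    message.getHeader().getID(),
                    this.name,
                    this.alg,
                    tsig.getName(),
                    tsig.getAlgorithm());
            return 17;
        }
        Mac mac = hmac != null ? hmac : initHmac();
        // The request MAC is left out when the record reports BADKEY (17) or BADSIG (16).
        if (requestTsig != null && tsig.getError() != 17 && tsig.getError() != 16) {
            hmacAddSignature(mac, requestTsig);
        }
        // The MAC was computed before the TSIG record was appended, so the header is rendered
        // with the additional-section count temporarily reduced by one.
        message.getHeader().decCount(3);
        byte[] header = message.getHeader().toWire();
        message.getHeader().incCount(3);
        if (log.isTraceEnabled()) {
            log.trace(hexdump.dump("TSIG-HMAC header", header));
        }
        mac.update(header);
        int bodyLength = message.tsigstart - header.length;
        if (log.isTraceEnabled()) {
            log.trace(hexdump.dump("TSIG-HMAC message after header", messageBytes, header.length, bodyLength));
        }
        mac.update(messageBytes, header.length, bodyLength);
        mac.update(getTsigVariables(fullSignature, tsig));
        // Signature first, time second: the time fields are only trusted once the MAC that
        // covers them has been checked.
        int signatureResult = verifySignature(mac, tsig.getSignature());
        if (signatureResult != 0) {
            return signatureResult;
        }
        int timeResult = verifyTime(tsig);
        if (timeResult != 0) {
            return timeResult;
        }
        message.tsigState = 1;
        return 0;
    }

    /** Renders the TSIG variables of a received record in the form covered by the MAC. */
    private static byte[] getTsigVariables(boolean fullSignature, TSIGRecord tsig) {
        DNSOutput out = new DNSOutput();
        if (fullSignature) {
            tsig.getName().toWireCanonical(out);
            out.writeU16(tsig.dclass);
            out.writeU32(tsig.ttl);
            tsig.getAlgorithm().toWireCanonical(out);
        }
        writeTsigTimerVariables(tsig.getTimeSigned(), tsig.getFudge(), out);
        if (fullSignature) {
            out.writeU16(tsig.getError());
            byte[] other = tsig.getOther();
            if (other != null) {
                out.writeU16(other.length);
                out.writeByteArray(other);
            } else {
                out.writeU16(0);
            }
        }
        byte[] rendered = out.toByteArray();
        if (log.isTraceEnabled()) {
            log.trace(hexdump.dump("TSIG-HMAC variables", rendered));
        }
        return rendered;
    }

    /**
     * Finishes the HMAC and compares it with the received signature.
     *
     * @param mac the HMAC holding all covered data
     * @param signature the MAC taken from the message
     * @return 0 if the signature is acceptable, 16 (BADSIG) otherwise
     */
    private int verifySignature(Mac mac, byte[] signature) {
        int fullLength = mac.getMacLength();
        // A truncated MAC is accepted only down to half the full length and never below 10
        // bytes; shorter values would make guessing a valid MAC too cheap.
        int minLength = Math.max(10, fullLength / 2);
        if (signature.length > fullLength) {
            log.debug("BADSIG: signature too long, expected: {}, actual: {}", fullLength, signature.length);
            return 16;
        }
        if (signature.length < minLength) {
            log.debug(
                    "BADSIG: signature too short, expected: {} of {}, actual: {}",
                    minLength,
                    fullLength,
                    signature.length);
            return 16;
        }
        byte[] expected = mac.doFinal();
        int wireLength = algLengthMap.get(this.alg);
        if (expected.length > wireLength) {
            expected = Arrays.copyOfRange(expected, 0, wireLength);
        }
        if (verify(expected, signature)) {
            return 0;
        }
        if (log.isDebugEnabled()) {
            // NOTE(review): this writes the MAC that would have been accepted for the rejected
            // message into the debug log. Consider dropping "expected" or restricting who can
            // read debug output.
            log.debug(
                    "BADSIG: signature verification failed, expected: {}, actual: {}",
                    base64.toString(expected),
                    base64.toString(signature));
        }
        return 16;
    }

    /**
     * Checks that the record's "time signed" lies within its fudge of the current time.
     *
     * @return 0 if it does, 18 (BADTIME) otherwise
     */
    private int verifyTime(TSIGRecord tsig) {
        Instant now = this.clock.instant();
        // The window is the fudge carried in the received record, i.e. chosen by the signer; it
        // is covered by the MAC, which the caller checks before calling this method.
        Duration skew = Duration.between(now, tsig.getTimeSigned()).abs();
        if (skew.compareTo(tsig.getFudge()) <= 0) {
            return 0;
        }
        log.debug("BADTIME failure, now {} +/- tsig {} > fudge {}", now, tsig.getTimeSigned(), tsig.getFudge());
        return 18;
    }

    /** Returns the sum of the key name length, the algorithm name length, the MAC length and 32. */
    public int recordLength() {
        return this.name.length() + 10 + this.alg.length() + 8 + 2 + algLengthMap.get(this.alg).intValue() + 4 + 8;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Feeds a TSIG record's signature, prefixed with its 16-bit length, into {@code mac}. Widened
     * from private by the decompiler; internal use only.
     */
    public static void hmacAddSignature(Mac mac, TSIGRecord tsig) {
        byte[] signature = tsig.getSignature();
        byte[] size = DNSOutput.toU16(signature.length);
        if (log.isTraceEnabled()) {
            log.trace(hexdump.dump("TSIG-HMAC signature size", size));
            log.trace(hexdump.dump("TSIG-HMAC signature", signature));
        }
        mac.update(size);
        mac.update(signature);
    }

    /** Writes "time signed" followed by the fudge in seconds as a 16-bit value. */
    private static void writeTsigTimerVariables(Instant timeSigned, Duration fudge, DNSOutput out) {
        writeTsigTime(timeSigned, out);
        out.writeU16((int) fudge.getSeconds());
    }

    /** Writes the epoch second as 48 bits: the high 16 bits, then the low 32 bits. */
    private static void writeTsigTime(Instant time, DNSOutput out) {
        long epochSecond = time.getEpochSecond();
        out.writeU16((int) (epochSecond >> 32));
        out.writeU32(epochSecond & 0xFFFFFFFFL);
    }

    static {
        // Runs after the HMAC_* constants above have been initialised (textual order).
        Map<Name, String> javaNames = new TreeMap<>();
        javaNames.put(HMAC_MD5, "HmacMD5");
        javaNames.put(HMAC_SHA1, "HmacSHA1");
        javaNames.put(HMAC_SHA224, "HmacSHA224");
        javaNames.put(HMAC_SHA256, "HmacSHA256");
        javaNames.put(HMAC_SHA384, "HmacSHA384");
        javaNames.put(HMAC_SHA512, "HmacSHA512");
        // Truncated variants use the same JCA algorithm; only the wire length differs.
        javaNames.put(HMAC_SHA256_128, "HmacSHA256");
        javaNames.put(HMAC_SHA384_192, "HmacSHA384");
        javaNames.put(HMAC_SHA512_256, "HmacSHA512");
        algMap = Collections.unmodifiableMap(javaNames);

        // MAC length on the wire, in bytes.
        Map<Name, Integer> wireLengths = new HashMap<>();
        wireLengths.put(HMAC_MD5, 16);
        wireLengths.put(HMAC_SHA1, 20);
        wireLengths.put(HMAC_SHA224, 28);
        wireLengths.put(HMAC_SHA256, 32);
        wireLengths.put(HMAC_SHA384, 48);
        wireLengths.put(HMAC_SHA512, 64);
        wireLengths.put(HMAC_SHA256_128, 16);
        wireLengths.put(HMAC_SHA384_192, 24);
        wireLengths.put(HMAC_SHA512_256, 32);
        algLengthMap = Collections.unmodifiableMap(wireLengths);

        FUDGE = Duration.ofSeconds(300L);
    }
}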
