package org.minidns.dnssec;

import cn.hutool.core.text.StrPool;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import okhttp3.CertificatePinner;
import org.minidns.dnsmessage.Question;
import org.minidns.dnsname.DnsName;
import org.minidns.dnssec.UnverifiedReason;
import org.minidns.dnssec.algorithms.AlgorithmMap;
import org.minidns.record.DNSKEY;
import org.minidns.record.Data;
import org.minidns.record.DelegatingDnssecRR;
import org.minidns.record.NSEC;
import org.minidns.record.NSEC3;
import org.minidns.record.RRSIG;
import org.minidns.record.Record;
import org.minidns.util.Base32;

/* loaded from: classes4.dex */
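/**
 * DNSSEC verification primitives: RRSIG signature checks over an RRset, DS digest checks
 * against a DNSKEY, and NSEC/NSEC3 range matching for denial of existence.
 *
 * <p>Methods return {@code null} when the check passes, an {@link UnverifiedReason} when the
 * check could not be carried out or the record does not cover the question, and throw
 * {@code DnssecValidationFailedException} when a cryptographic comparison fails.
 */
public class Verifier {
    /** Registry that supplies signature verifiers and digest calculators by algorithm. */
    public AlgorithmMap algorithmMap = AlgorithmMap.INSTANCE;

    /**
     * Builds the byte sequence that an RRSIG signature is computed over: the RRSIG fields
     * written by {@code writePartialSignature}, followed by every record of the RRset in sorted
     * wire form.
     *
     * @param rrsig the signature record; supplies the label count and the original TTL
     * @param list the RRset covered by the signature; its first element supplies the owner name
     * @return the bytes to hand to the signature verifier
     * @throws DnssecValidationFailedException if the owner name has fewer labels than the RRSIG
     *     claims
     */
    public static byte[] combine(RRSIG rrsig, List<Record<? extends Data>> list) {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buffer);
        try {
            rrsig.writePartialSignature(out);

            DnsName ownerName = list.get(0).name;
            if (!ownerName.isRootLabel()) {
                if (ownerName.getLabelCount() < rrsig.labels) {
                    throw new DnssecValidationFailedException("Invalid RRsig record");
                }
                if (ownerName.getLabelCount() > rrsig.labels) {
                    // More labels than were signed: rebuild the wildcard owner name that the
                    // signature actually covers.
                    // NOTE(review): CertificatePinner.Pin.WILDCARD looks like a decompiler
                    // constant substitution for the wildcard label prefix; confirm its value and
                    // prefer a local literal so this code does not depend on an HTTP library.
                    ownerName = DnsName.from(CertificatePinner.Pin.WILDCARD + ownerName.stripToLabels(rrsig.labels));
                }
            }
            final DnsName signedName = ownerName;

            // Every record is re-serialised with the signed owner name and the RRSIG's original
            // TTL, not the values received on the wire.
            List<byte[]> wireRecords = new ArrayList<>(list.size());
            for (Record<? extends Data> record : list) {
                wireRecords.add(new Record(signedName, record.type, record.clazzValue, rrsig.originalTtl, record.payloadData).toByteArray());
            }

            // Presumably the owner name plus the 10 fixed bytes (TYPE, CLASS, TTL, RDLENGTH), so
            // that the comparison below starts at the RDATA -- TODO confirm against
            // Record.toByteArray().
            final int rdataOffset = signedName.size() + 10;
            Collections.sort(wireRecords, new Comparator<byte[]>() {
                @Override
                public int compare(byte[] bArr, byte[] bArr2) {
                    // Order by the first differing octet, compared as unsigned. The previous
                    // form computed this difference and then overwrote it with the array
                    // lengths, so records of equal length were never reordered and a correctly
                    // signed RRset could fail verification depending on arrival order.
                    for (int i = rdataOffset; i < bArr.length && i < bArr2.length; i++) {
                        if (bArr[i] != bArr2[i]) {
                            return (bArr[i] & 255) - (bArr2[i] & 255);
                        }
                    }
                    // One record is a prefix of the other: the shorter one sorts first.
                    return bArr.length - bArr2.length;
                }
            });

            for (byte[] wireRecord : wireRecords) {
                out.write(wireRecord);
            }
            out.flush();
            return buffer.toByteArray();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Computes the iterated NSEC3 hash: {@code digest(data || salt)}, repeated
     * {@code iterations + 1} times with each result fed back in as the data.
     *
     * <p>{@link #verifyNsec3(DnsName, Record, Question)} passes the iteration count straight
     * from the NSEC3 record and no upper bound is applied in this class. Each round costs one
     * digest call, so callers that handle responses from untrusted servers should cap the count
     * before calling (RFC 9276 discusses limits for validators).
     *
     * @param digestCalculator the hash function to apply
     * @param bArr the salt appended to the input in every round
     * @param bArr2 the initial data to hash
     * @param i2 the number of additional iterations; a negative value returns {@code bArr2}
     *     unchanged
     * @return the final digest
     */
    public static byte[] nsec3hash(DigestCalculator digestCalculator, byte[] bArr, byte[] bArr2, int i2) {
        final byte[] salt = bArr;
        byte[] hash = bArr2;
        for (int remaining = i2; remaining >= 0; remaining--) {
            byte[] input = new byte[hash.length + salt.length];
            System.arraycopy(hash, 0, input, 0, hash.length);
            System.arraycopy(salt, 0, input, hash.length, salt.length);
            hash = digestCalculator.digest(input);
        }
        return hash;
    }

    /**
     * String convenience overload of {@link #nsecMatches(DnsName, DnsName, DnsName)}.
     *
     * @param str the name to test
     * @param str2 the lower bound of the range
     * @param str3 the upper bound of the range
     * @return whether the tested name lies in the range
     */
    public static boolean nsecMatches(String str, String str2, String str3) {
        return nsecMatches(DnsName.from(str), DnsName.from(str2), DnsName.from(str3));
    }

    /**
     * Tests whether a name falls inside the range spanned by two names, comparing with
     * {@code DnsName.compareTo} after trimming to a common label count.
     *
     * @param dnsName the name to test
     * @param dnsName2 the lower bound of the range
     * @param dnsName3 the upper bound of the range
     * @return {@code true} if the tested name is not below the lower bound and is below the
     *     upper bound
     */
    public static boolean nsecMatches(DnsName dnsName, DnsName dnsName2, DnsName dnsName3) {
        final DnsName test = dnsName;
        final DnsName lowerBound = dnsName2;
        final DnsName upperBound = dnsName3;
        int lowerLabels = lowerBound.getLabelCount();
        int upperLabels = upperBound.getLabelCount();
        int testLabels = test.getLabelCount();

        // Lower bound: the tested name must not sort before it.
        if (testLabels > lowerLabels && !test.isChildOf(lowerBound) && test.stripToLabels(lowerLabels).compareTo(lowerBound) < 0) {
            return false;
        }
        if (testLabels <= lowerLabels && test.compareTo(lowerBound.stripToLabels(testLabels)) < 0) {
            return false;
        }

        // Upper bound: the tested name must sort before it.
        if (testLabels > upperLabels && !test.isChildOf(upperBound) && test.stripToLabels(upperLabels).compareTo(upperBound) > 0) {
            return false;
        }
        if (testLabels <= upperLabels && test.compareTo(upperBound.stripToLabels(testLabels)) >= 0) {
            return false;
        }
        return true;
    }

    /**
     * Keeps only the rightmost dot-separated parts of a name.
     *
     * @param str the dotted name
     * @param i2 the number of trailing parts to keep
     * @return the last {@code i2} parts joined with dots, or {@code str} itself when it already
     *     has exactly that many parts
     * @throws IllegalArgumentException if {@code str} has fewer than {@code i2} parts
     */
    public static String stripToParts(String str, int i2) {
        if (str.isEmpty()) {
            if (i2 == 0) {
                return str;
            }
            throw new IllegalArgumentException();
        }
        String[] parts = str.split("\\.");
        if (parts.length == i2) {
            return str;
        }
        if (parts.length < i2) {
            throw new IllegalArgumentException();
        }
        StringBuilder joined = new StringBuilder();
        int last = parts.length - 1;
        for (int index = parts.length - i2; index <= last; index++) {
            joined.append(parts[index]);
            if (index != last) {
                joined.append('.');
            }
        }
        return joined.toString();
    }

    /**
     * Verifies an RRSIG over an RRset with the given key.
     *
     * <p>Only the cryptographic signature is checked here. This method does not look at the
     * RRSIG validity window, key tag or signer name; presumably the caller enforces those --
     * confirm before relying on a {@code null} result alone.
     *
     * @param list the RRset covered by the signature
     * @param rrsig the signature record
     * @param dnskey the key to verify with
     * @return {@code null} if the signature is valid, or a reason if the algorithm is not
     *     supported
     * @throws DnssecValidationFailedException if the signature does not verify
     */
    public UnverifiedReason verify(List<Record<? extends Data>> list, RRSIG rrsig, DNSKEY dnskey) {
        SignatureVerifier signatureVerifier = this.algorithmMap.getSignatureVerifier(rrsig.algorithm);
        if (signatureVerifier == null) {
            return new UnverifiedReason.AlgorithmNotSupportedReason(rrsig.algorithmByte, rrsig.getType(), list.get(0));
        }
        boolean valid = signatureVerifier.verify(combine(rrsig, list), rrsig.signature, dnskey.getKey());
        if (!valid) {
            throw new DnssecValidationFailedException(list, "Signature is invalid.");
        }
        return null;
    }

    /**
     * Checks that a DNSKEY record hashes to the digest carried by a DS-style record.
     *
     * @param record the DNSKEY record; its owner name and key data form the digest input
     * @param delegatingDnssecRR the delegating record holding the expected digest
     * @return {@code null} if the digest matches, or a reason if the digest type is not
     *     supported or computing the digest threw
     * @throws DnssecValidationFailedException if the digest was computed and does not match
     */
    public UnverifiedReason verify(Record<DNSKEY> record, DelegatingDnssecRR delegatingDnssecRR) {
        DNSKEY dnskey = record.payloadData;
        DigestCalculator digestCalculator = this.algorithmMap.getDsDigestCalculator(delegatingDnssecRR.digestType);
        if (digestCalculator == null) {
            return new UnverifiedReason.AlgorithmNotSupportedReason(delegatingDnssecRR.digestTypeByte, delegatingDnssecRR.getType(), record);
        }

        // Digest input is the owner name followed by the DNSKEY bytes.
        byte[] keyBytes = dnskey.toByteArray();
        byte[] nameBytes = record.name.getBytes();
        byte[] digestInput = new byte[nameBytes.length + keyBytes.length];
        System.arraycopy(nameBytes, 0, digestInput, 0, nameBytes.length);
        System.arraycopy(keyBytes, 0, digestInput, nameBytes.length, keyBytes.length);

        boolean digestMatches;
        try {
            digestMatches = delegatingDnssecRR.digestEquals(digestCalculator.digest(digestInput));
        } catch (Exception e) {
            return new UnverifiedReason.AlgorithmExceptionThrownReason(delegatingDnssecRR.digestType, "DS", record, e);
        }

        // The mismatch is raised outside the try block. Previously the throw sat inside it, so
        // the catch-all above turned a broken chain of trust into an "algorithm exception"
        // reason instead of a validation failure, unlike the RRSIG overload of verify.
        if (!digestMatches) {
            throw new DnssecValidationFailedException(record, "SEP is not properly signed by parent DS!");
        }
        return null;
    }

    /**
     * Checks that an NSEC record proves the question has no answer.
     *
     * @param record a record whose payload is cast to {@link NSEC}
     * @param question the question that was asked
     * @return {@code null} if the record has the question's name without its type, or if the
     *     question's name falls between the record's name and its next name; a reason otherwise
     */
    public UnverifiedReason verifyNsec(Record<? extends Data> record, Question question) {
        NSEC nsec = (NSEC) record.payloadData;
        boolean sameNameWithoutType = record.name.equals(question.name) && !Arrays.asList(nsec.types).contains(question.type);
        if (sameNameWithoutType || nsecMatches(question.name, record.name, nsec.next)) {
            return null;
        }
        return new UnverifiedReason.NSECDoesNotMatchReason(question, record);
    }

    /**
     * Convenience overload of {@link #verifyNsec3(DnsName, Record, Question)} that takes the
     * zone as text.
     *
     * @param charSequence the zone name
     * @param record a record whose payload is an NSEC3
     * @param question the question that was asked
     * @return the result of the {@code DnsName} overload
     */
    public UnverifiedReason verifyNsec3(CharSequence charSequence, Record<? extends Data> record, Question question) {
        return verifyNsec3(DnsName.from(charSequence), record, question);
    }

    /**
     * Checks that an NSEC3 record proves the question has no answer.
     *
     * <p>The question name is hashed with the salt and iteration count carried by the record
     * itself; see {@link #nsec3hash} for the cost this implies.
     *
     * @param dnsName the zone the hashed owner name is expected under
     * @param record a record whose payload is cast to {@link NSEC3}
     * @param question the question that was asked
     * @return {@code null} if the record has the hashed name without the question's type, or if
     *     the hash falls between the record's hashed name and its next hashed name; a reason if
     *     the hash algorithm is not supported or the record does not cover the question
     */
    public UnverifiedReason verifyNsec3(DnsName dnsName, Record<? extends Data> record, Question question) {
        NSEC3 nsec3 = (NSEC3) record.payloadData;
        DigestCalculator digestCalculator = this.algorithmMap.getNsecDigestCalculator(nsec3.hashAlgorithm);
        if (digestCalculator == null) {
            return new UnverifiedReason.AlgorithmNotSupportedReason(nsec3.hashAlgorithmByte, nsec3.getType(), record);
        }

        byte[] hashedName = nsec3hash(digestCalculator, nsec3.salt, question.name.getBytes(), nsec3.iterations);
        String hashedLabel = Base32.encodeToString(hashedName);

        // NOTE(review): StrPool.DOT looks like a decompiler constant substitution for the label
        // separator; confirm its value and prefer a local literal.
        DnsName expectedOwner = DnsName.from(hashedLabel + StrPool.DOT + dnsName);
        if (!record.name.equals(expectedOwner)) {
            // A different owner: the record must cover the hash as a range instead.
            if (nsecMatches(hashedLabel, record.name.getHostpart(), Base32.encodeToString(nsec3.nextHashed))) {
                return null;
            }
            return new UnverifiedReason.NSECDoesNotMatchReason(question, record);
        }

        // Exact owner match: the record must not list the queried type.
        for (Record.TYPE type : nsec3.types) {
            if (type.equals(question.type)) {
                return new UnverifiedReason.NSECDoesNotMatchReason(question, record);
            }
        }
        return null;
    }
}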
