package org.jitsi.dnssec.validator;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.log4j.Logger;
import org.jitsi.dnssec.SecurityStatus;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;

/* loaded from: input_file:org/jitsi/dnssec/validator/DnsSecVerifier.class */
public class DnsSecVerifier {
    private static final Logger logger = Logger.getLogger(DnsSecVerifier.class);

    private List<DNSKEYRecord> findKey(RRset rRset, RRSIGRecord rRSIGRecord) {
        if (!rRSIGRecord.getSigner().equals(rRset.getName())) {
            logger.trace("findKey: could not find appropriate key because incorrect keyset was supplied. Wanted: " + rRSIGRecord.getSigner() + ", got: " + rRset.getName());
            return null;
        }
        int footprint = rRSIGRecord.getFootprint();
        int algorithm = rRSIGRecord.getAlgorithm();
        ArrayList arrayList = new ArrayList(rRset.size());
        Iterator rrs = rRset.rrs();
        while (rrs.hasNext()) {
            DNSKEYRecord dNSKEYRecord = (DNSKEYRecord) rrs.next();
            if (dNSKEYRecord.getAlgorithm() == algorithm && dNSKEYRecord.getFootprint() == footprint) {
                arrayList.add(dNSKEYRecord);
            }
        }
        if (arrayList.size() != 0) {
            return arrayList;
        }
        logger.trace("findKey: could not find a key matching the algorithm and footprint in supplied keyset. ");
        return null;
    }

    private SecurityStatus verifySignature(RRset rRset, RRSIGRecord rRSIGRecord, RRset rRset2) {
        List<DNSKEYRecord> findKey = findKey(rRset2, rRSIGRecord);
        if (findKey == null) {
            logger.trace("could not find appropriate key");
            return SecurityStatus.BOGUS;
        }
        SecurityStatus securityStatus = SecurityStatus.UNCHECKED;
        for (DNSKEYRecord dNSKEYRecord : findKey) {
            try {
            } catch (DNSSEC.DNSSECException e) {
                logger.error("Failed to validate RRset", e);
                securityStatus = SecurityStatus.BOGUS;
            }
            if (rRset.getName().subdomain(rRset2.getName())) {
                DNSSEC.verify(rRset, rRSIGRecord, dNSKEYRecord);
                return SecurityStatus.SECURE;
            }
            logger.debug("signer name is off-tree");
            securityStatus = SecurityStatus.BOGUS;
        }
        return securityStatus;
    }

    public SecurityStatus verify(RRset rRset, RRset rRset2) {
        Iterator sigs = rRset.sigs();
        if (!sigs.hasNext()) {
            logger.info("RRset failed to verify due to lack of signatures");
            return SecurityStatus.BOGUS;
        }
        while (sigs.hasNext()) {
            SecurityStatus verifySignature = verifySignature(rRset, (RRSIGRecord) sigs.next(), rRset2);
            if (verifySignature == SecurityStatus.SECURE) {
                return verifySignature;
            }
        }
        logger.info("RRset failed to verify: all signatures were BOGUS");
        return SecurityStatus.BOGUS;
    }

    public SecurityStatus verify(RRset rRset, DNSKEYRecord dNSKEYRecord) {
        Iterator sigs = rRset.sigs();
        if (!sigs.hasNext()) {
            logger.info("RRset failed to verify due to lack of signatures");
            return SecurityStatus.BOGUS;
        }
        while (sigs.hasNext()) {
            RRSIGRecord rRSIGRecord = (RRSIGRecord) sigs.next();
            if (rRSIGRecord.getFootprint() == dNSKEYRecord.getFootprint()) {
                try {
                    DNSSEC.verify(rRset, rRSIGRecord, dNSKEYRecord);
                    return SecurityStatus.SECURE;
                } catch (DNSSEC.DNSSECException e) {
                    logger.error("Failed to validate RRset", e);
                }
            }
        }
        logger.info("RRset failed to verify: all signatures were BOGUS");
        return SecurityStatus.BOGUS;
    }
}
