package org.xbill.DNS.dnssec;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.time.Clock;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.Collectors;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xbill.DNS.CNAMERecord;
import org.xbill.DNS.DClass;
import org.xbill.DNS.DNAMERecord;
import org.xbill.DNS.EDNSOption;
import org.xbill.DNS.ExtendedErrorCodeOption;
import org.xbill.DNS.Header;
import org.xbill.DNS.Master;
import org.xbill.DNS.Message;
import org.xbill.DNS.NSECRecord;
import org.xbill.DNS.Name;
import org.xbill.DNS.NameTooLongException;
import org.xbill.DNS.OPTRecord;
import org.xbill.DNS.Record;
import org.xbill.DNS.Resolver;
import org.xbill.DNS.SimpleResolver;
import org.xbill.DNS.TSIG;
import org.xbill.DNS.TXTRecord;
import org.xbill.DNS.Type;
import org.xbill.DNS.dnssec.ValUtils;

/* loaded from: input_file:org/xbill/DNS/dnssec/ValidatingResolver.class */
public final class ValidatingResolver implements Resolver {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(ValidatingResolver.class);
    public static final int VALIDATION_REASON_QCLASS = 65280;
    private static final long DEFAULT_TA_BAD_KEY_TTL = 60;
    private final KeyCache keyCache;
    private final TrustAnchorStore trustAnchors;
    private final ValUtils valUtils;
    private final NSEC3ValUtils n3valUtils;
    private final Resolver headResolver;
    private final Clock clock;
    private boolean isAddReasonToAdditional;

    public ValidatingResolver(Resolver resolver) {
        this(resolver, Clock.systemUTC());
    }

    public ValidatingResolver(Resolver resolver, Clock clock) {
        this.isAddReasonToAdditional = true;
        this.headResolver = resolver;
        this.clock = clock;
        resolver.setEDNS(0, 0, 32768, new EDNSOption[0]);
        resolver.setIgnoreTruncation(false);
        this.keyCache = new KeyCache();
        this.valUtils = new ValUtils();
        this.n3valUtils = new NSEC3ValUtils();
        this.trustAnchors = new TrustAnchorStore();
        try {
            init(System.getProperties());
        } catch (IOException e) {
            log.error("Could not initialize from system properties", e);
        }
    }

    public void init(Properties properties) throws IOException {
        this.keyCache.init(properties);
        this.n3valUtils.init(properties);
        this.valUtils.init(properties);
        String property = properties.getProperty("dnsjava.dnssec.trust_anchor_file");
        if (property != null) {
            log.debug("Reading trust anchor file: {}", property);
            loadTrustAnchors(new FileInputStream(property));
        }
    }

    public void loadTrustAnchors(InputStream inputStream) throws IOException {
        ArrayList<Record> arrayList = new ArrayList();
        Master master = new Master(inputStream, Name.root, 0L);
        Throwable th = null;
        while (true) {
            try {
                try {
                    Record nextRecord = master.nextRecord();
                    if (nextRecord == null) {
                        break;
                    } else {
                        arrayList.add(nextRecord);
                    }
                } catch (Throwable th2) {
                    th = th2;
                    throw th2;
                }
            } catch (Throwable th3) {
                if (master != null) {
                    if (th != null) {
                        try {
                            master.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        master.close();
                    }
                }
                throw th3;
            }
        }
        if (master != null) {
            if (0 != 0) {
                try {
                    master.close();
                } catch (Throwable th5) {
                    th.addSuppressed(th5);
                }
            } else {
                master.close();
            }
        }
        Collections.sort(arrayList);
        SRRset sRRset = new SRRset();
        for (Record record : arrayList) {
            if (record.getType() == 48 || record.getType() == 43) {
                if (sRRset.size() == 0) {
                    sRRset.addRR(record);
                } else if (sRRset.getName().equals(record.getName()) && sRRset.getType() == record.getType() && sRRset.getDClass() == record.getDClass()) {
                    sRRset.addRR(record);
                } else {
                    this.trustAnchors.store(sRRset);
                    sRRset = new SRRset();
                    sRRset.addRR(record);
                }
            }
        }
        if (sRRset.size() > 0) {
            this.trustAnchors.store(sRRset);
        }
    }

    public TrustAnchorStore getTrustAnchors() {
        return this.trustAnchors;
    }

    private void removeSpuriousAuthority(SMessage sMessage) {
        if (sMessage.getSectionRRsets(1).isEmpty() && sMessage.getSectionRRsets(2).size() == 1) {
            return;
        }
        Iterator<SRRset> it = sMessage.getSectionRRsets(2).iterator();
        while (it.hasNext()) {
            SRRset next = it.next();
            if (next.getType() == 2 && next.sigs().isEmpty()) {
                log.trace("Removing spurious unsigned NS record (likely inserted by forwarder) {}/{}/{}", new Object[]{next.getName(), Type.string(next.getType()), DClass.string(next.getDClass())});
                it.remove();
            }
        }
    }

    private CompletionStage<Void> validatePositiveResponse(Message message, SMessage sMessage) {
        HashMap hashMap = new HashMap(1);
        ArrayList arrayList = new ArrayList(0);
        ArrayList arrayList2 = new ArrayList(0);
        return validateAnswerAndGetWildcards(sMessage, message.getQuestion().getType(), hashMap).thenCompose(bool -> {
            if (Boolean.TRUE.equals(bool)) {
                return validatePositiveResponseRecursive(sMessage, hashMap, arrayList, arrayList2, message.getQuestion().getType() == 255 ? new int[]{1, 2} : new int[]{2}, new AtomicInteger(0), new AtomicInteger(0));
            }
            return CompletableFuture.completedFuture(false);
        }).thenAccept(bool2 -> {
            if (Boolean.TRUE.equals(bool2)) {
                if (hashMap.size() > 0) {
                    for (Map.Entry entry : hashMap.entrySet()) {
                        boolean z = false;
                        Iterator it = arrayList2.iterator();
                        while (true) {
                            if (!it.hasNext()) {
                                break;
                            }
                            SRRset sRRset = (SRRset) it.next();
                            NSECRecord nSECRecord = (NSECRecord) sRRset.first();
                            if (ValUtils.nsecProvesNameError(sRRset, nSECRecord, (Name) entry.getKey())) {
                                try {
                                    if (((Name) entry.getValue()).equals(ValUtils.nsecWildcard((Name) entry.getKey(), sRRset, nSECRecord))) {
                                        z = true;
                                        break;
                                    }
                                } catch (NameTooLongException e) {
                                    throw new IllegalStateException(R.get("failed.positive.wildcardgeneration", new Object[0]));
                                }
                            }
                        }
                        if (!z && !arrayList.isEmpty()) {
                            if (this.n3valUtils.allNSEC3sIgnoreable(arrayList, this.keyCache)) {
                                sMessage.setStatus(SecurityStatus.INSECURE, -1, R.get("failed.nsec3_ignored", new Object[0]));
                                return;
                            }
                            SecurityStatus proveWildcard = this.n3valUtils.proveWildcard(arrayList, (Name) entry.getKey(), ((SRRset) arrayList.get(0)).getSignerName(), (Name) entry.getValue());
                            if (proveWildcard == SecurityStatus.INSECURE) {
                                sMessage.setStatus(proveWildcard, -1);
                                return;
                            } else if (proveWildcard == SecurityStatus.SECURE) {
                                z = true;
                            }
                        }
                        if (!z) {
                            sMessage.setBogus(R.get("failed.positive.wildcard_too_broad", new Object[0]));
                            return;
                        }
                    }
                }
                sMessage.setStatus(SecurityStatus.SECURE, -1);
            }
        });
    }

    private CompletionStage<Boolean> validatePositiveResponseRecursive(SMessage sMessage, Map<Name, Name> map, List<SRRset> list, List<SRRset> list2, int[] iArr, AtomicInteger atomicInteger, AtomicInteger atomicInteger2) {
        if (atomicInteger.get() >= iArr.length) {
            return CompletableFuture.completedFuture(true);
        }
        List<SRRset> sectionRRsets = sMessage.getSectionRRsets(iArr[atomicInteger.get()]);
        if (atomicInteger2.get() < sectionRRsets.size()) {
            SRRset sRRset = sectionRRsets.get(atomicInteger2.getAndIncrement());
            return prepareFindKey(sRRset).thenCompose(keyEntry -> {
                JustifiedSecStatus validateKeyFor = keyEntry.validateKeyFor(sRRset.getSignerName());
                if (validateKeyFor != null) {
                    validateKeyFor.applyToResponse(sMessage);
                    return CompletableFuture.completedFuture(false);
                }
                if (this.valUtils.verifySRRset(sRRset, keyEntry, this.clock.instant()).status != SecurityStatus.SECURE) {
                    sMessage.setBogus(R.get("failed.authority.positive", sRRset));
                    return CompletableFuture.completedFuture(false);
                }
                if (map.size() > 0) {
                    if (sRRset.getType() == 47) {
                        list2.add(sRRset);
                    } else if (sRRset.getType() == 50) {
                        list.add(sRRset);
                    }
                }
                return validatePositiveResponseRecursive(sMessage, map, list, list2, iArr, atomicInteger, atomicInteger2);
            });
        }
        atomicInteger.getAndIncrement();
        atomicInteger2.set(0);
        return validatePositiveResponseRecursive(sMessage, map, list, list2, iArr, atomicInteger, atomicInteger2);
    }

    private CompletionStage<Boolean> validateAnswerAndGetWildcards(SMessage sMessage, int i, Map<Name, Name> map) {
        return validateAnswerAndGetWildcardsRecursive(sMessage, i, map, new AtomicInteger(0));
    }

    private CompletionStage<Boolean> validateAnswerAndGetWildcardsRecursive(SMessage sMessage, int i, Map<Name, Name> map, AtomicInteger atomicInteger) {
        List<SRRset> sectionRRsets = sMessage.getSectionRRsets(1);
        if (atomicInteger.get() >= sectionRRsets.size()) {
            return CompletableFuture.completedFuture(true);
        }
        SRRset sRRset = sectionRRsets.get(atomicInteger.get());
        return prepareFindKey(sRRset).thenCompose(keyEntry -> {
            JustifiedSecStatus validateKeyFor = keyEntry.validateKeyFor(sRRset.getSignerName());
            if (validateKeyFor != null) {
                validateKeyFor.applyToResponse(sMessage);
                return CompletableFuture.completedFuture(false);
            }
            if (this.valUtils.verifySRRset(sRRset, keyEntry, this.clock.instant()).status != SecurityStatus.SECURE) {
                sMessage.setBogus(R.get("failed.answer.positive", sRRset));
                return CompletableFuture.completedFuture(false);
            }
            try {
                Name rrsetWildcard = ValUtils.rrsetWildcard(sRRset);
                if (rrsetWildcard != null) {
                    if (sRRset.getType() == 39) {
                        sMessage.setBogus(R.get("failed.dname.wildcard", sRRset.getName()));
                        return CompletableFuture.completedFuture(false);
                    }
                    map.put(sRRset.getName(), rrsetWildcard);
                }
                if (i != 39 && sRRset.getType() == 39) {
                    DNAMERecord dNAMERecord = (DNAMERecord) sRRset.first();
                    if (atomicInteger.getAndIncrement() < sectionRRsets.size()) {
                        SRRset sRRset2 = (SRRset) sectionRRsets.get(atomicInteger.get());
                        if (sRRset2.getType() == 5 && dNAMERecord != null) {
                            if (sRRset2.size() > 1) {
                                sMessage.setBogus(R.get("failed.synthesize.multiple", new Object[0]));
                                return CompletableFuture.completedFuture(false);
                            }
                            CNAMERecord cNAMERecord = (CNAMERecord) sRRset2.first();
                            try {
                                Name concatenate = Name.concatenate(cNAMERecord.getName().relativize(dNAMERecord.getName()), dNAMERecord.getTarget());
                                if (!concatenate.equals(cNAMERecord.getTarget())) {
                                    sMessage.setBogus(R.get("failed.synthesize.nomatch", cNAMERecord.getTarget(), concatenate));
                                    return CompletableFuture.completedFuture(false);
                                }
                                sRRset2.setSecurityStatus(SecurityStatus.SECURE);
                            } catch (NameTooLongException e) {
                                sMessage.setBogus(R.get("failed.synthesize.toolong", new Object[0]));
                                return CompletableFuture.completedFuture(false);
                            }
                        }
                    }
                }
                atomicInteger.getAndIncrement();
                return validateAnswerAndGetWildcardsRecursive(sMessage, i, map, atomicInteger);
            } catch (RuntimeException e2) {
                sMessage.setBogus(R.get(e2.getMessage(), sRRset.getName()));
                return CompletableFuture.completedFuture(false);
            }
        });
    }

    private CompletionStage<Void> validateNodataResponse(Message message, SMessage sMessage) {
        Name name = message.getQuestion().getName();
        int type = message.getQuestion().getType();
        for (SRRset sRRset : sMessage.getSectionRRsets(1)) {
            if (sRRset.getSecurityStatus() != SecurityStatus.SECURE) {
                sMessage.setBogus(R.get("failed.answer.cname_nodata", sRRset.getName()));
                return CompletableFuture.completedFuture(null);
            }
            if (sRRset.getType() == 5) {
                name = ((CNAMERecord) sRRset.first()).getTarget();
            }
        }
        Name name2 = name;
        return validateNodataResponseRecursive(sMessage, new AtomicInteger(0)).handleAsync((r10, th) -> {
            if (th != null) {
                return null;
            }
            boolean z = false;
            Name name3 = null;
            ValUtils.NsecProvesNodataResponse nsecProvesNodataResponse = new ValUtils.NsecProvesNodataResponse();
            ArrayList arrayList = new ArrayList(0);
            Name name4 = null;
            int i = 12;
            for (SRRset sRRset2 : sMessage.getSectionRRsets(2)) {
                if (sRRset2.getType() == 47) {
                    NSECRecord nSECRecord = (NSECRecord) sRRset2.first();
                    nsecProvesNodataResponse = ValUtils.nsecProvesNodata(sRRset2, nSECRecord, name2, type);
                    if (nsecProvesNodataResponse.result) {
                        z = true;
                    } else {
                        i = 6;
                    }
                    if (ValUtils.nsecProvesNameError(sRRset2, nSECRecord, name2)) {
                        name3 = ValUtils.closestEncloser(name2, sRRset2.getName(), nSECRecord.getNext());
                    }
                }
                if (sRRset2.getType() == 50) {
                    arrayList.add(sRRset2);
                    name4 = sRRset2.getSignerName();
                }
            }
            if (nsecProvesNodataResponse.wc != null && (name3 == null || (!name3.equals(nsecProvesNodataResponse.wc) && !name2.equals(name3)))) {
                i = 6;
                z = false;
            }
            this.n3valUtils.stripUnknownAlgNSEC3s(arrayList);
            if (!z && !arrayList.isEmpty()) {
                log.debug("Using NSEC3 records");
                if (this.n3valUtils.allNSEC3sIgnoreable(arrayList, this.keyCache)) {
                    sMessage.setBogus(R.get("failed.nsec3_ignored", new Object[0]));
                    return null;
                }
                JustifiedSecStatus proveNodata = this.n3valUtils.proveNodata(arrayList, name2, type, name4);
                i = proveNodata.edeReason;
                if (proveNodata.status == SecurityStatus.INSECURE) {
                    sMessage.setStatus(SecurityStatus.INSECURE, -1);
                    return null;
                }
                z = proveNodata.status == SecurityStatus.SECURE;
            }
            if (z) {
                log.trace("Successfully validated NODATA response");
                sMessage.setStatus(SecurityStatus.SECURE, -1);
                return null;
            }
            sMessage.setBogus(R.get("failed.nodata", new Object[0]), i);
            log.trace("Failed NODATA for {}", name2);
            return null;
        });
    }

    private CompletionStage<Void> validateNodataResponseRecursive(SMessage sMessage, AtomicInteger atomicInteger) {
        if (atomicInteger.get() >= sMessage.getSectionRRsets(2).size()) {
            return CompletableFuture.completedFuture(null);
        }
        SRRset sRRset = sMessage.getSectionRRsets(2).get(atomicInteger.getAndIncrement());
        return prepareFindKey(sRRset).thenComposeAsync(keyEntry -> {
            JustifiedSecStatus validateKeyFor = keyEntry.validateKeyFor(sRRset.getSignerName());
            if (validateKeyFor != null) {
                validateKeyFor.applyToResponse(sMessage);
                return failedFuture(new Exception(validateKeyFor.reason));
            }
            if (this.valUtils.verifySRRset(sRRset, keyEntry, this.clock.instant()).status == SecurityStatus.SECURE) {
                return validateNodataResponseRecursive(sMessage, atomicInteger);
            }
            sMessage.setBogus(R.get("failed.authority.nodata", sRRset));
            return failedFuture(new Exception("failed.authority.nodata"));
        });
    }

    private <T> CompletionStage<T> failedFuture(Throwable th) {
        CompletableFuture completableFuture = new CompletableFuture();
        completableFuture.completeExceptionally(th);
        return completableFuture;
    }

    private CompletionStage<Void> validateNameErrorResponse(Message message, SMessage sMessage) {
        Name name = message.getQuestion().getName();
        for (SRRset sRRset : sMessage.getSectionRRsets(1)) {
            if (sRRset.getSecurityStatus() != SecurityStatus.SECURE) {
                sMessage.setBogus(R.get("failed.nxdomain.cname_nxdomain", sRRset));
                return CompletableFuture.completedFuture(null);
            }
            if (sRRset.getType() == 5) {
                name = ((CNAMERecord) sRRset.first()).getTarget();
            }
        }
        Name name2 = name;
        return validateNameErrorResponseRecursive(sMessage, new AtomicInteger(0)).thenComposeAsync(r10 -> {
            boolean z = false;
            boolean z2 = false;
            ArrayList arrayList = new ArrayList(0);
            Name name3 = null;
            int i = 0;
            for (SRRset sRRset2 : sMessage.getSectionRRsets(2)) {
                if (sRRset2.getType() == 47) {
                    NSECRecord nSECRecord = (NSECRecord) sRRset2.first();
                    if (ValUtils.nsecProvesNameError(sRRset2, nSECRecord, name2)) {
                        z = true;
                    }
                    int labels = ValUtils.closestEncloser(name2, sRRset2.getName(), nSECRecord.getNext()).labels();
                    if (labels > i || (labels == i && !z2)) {
                        z2 = ValUtils.nsecProvesNoWC(sRRset2, nSECRecord, name2);
                    }
                    i = labels;
                }
                if (sRRset2.getType() == 50) {
                    arrayList.add(sRRset2);
                    name3 = sRRset2.getSignerName();
                }
            }
            this.n3valUtils.stripUnknownAlgNSEC3s(arrayList);
            if ((!z || !z2) && !arrayList.isEmpty()) {
                log.debug("Validating nxdomain: using NSEC3 records");
                if (this.n3valUtils.allNSEC3sIgnoreable(arrayList, this.keyCache)) {
                    sMessage.setStatus(SecurityStatus.INSECURE, -1, R.get("failed.nsec3_ignored", new Object[0]));
                    return CompletableFuture.completedFuture(null);
                }
                SecurityStatus proveNameError = this.n3valUtils.proveNameError(arrayList, name2, name3);
                if (proveNameError != SecurityStatus.SECURE) {
                    if (proveNameError == SecurityStatus.INSECURE) {
                        sMessage.setStatus(proveNameError, -1, R.get("failed.nxdomain.nsec3_insecure", new Object[0]));
                    } else {
                        sMessage.setStatus(proveNameError, 6, R.get("failed.nxdomain.nsec3_bogus", new Object[0]));
                    }
                    return CompletableFuture.completedFuture(null);
                }
                z = true;
                z2 = true;
            }
            if (!z || !z2) {
                boolean z3 = z;
                return validateNodataResponse(message, sMessage).thenRun(() -> {
                    if (sMessage.getStatus() == SecurityStatus.SECURE) {
                        sMessage.getHeader().setRcode(0);
                    } else if (z3) {
                        sMessage.setBogus(R.get("failed.nxdomain.haswildcard", new Object[0]));
                    } else {
                        sMessage.setBogus(R.get("failed.nxdomain.exists", sMessage.getQuestion().getName()));
                    }
                });
            }
            log.trace("Successfully validated NAME ERROR response");
            sMessage.setStatus(SecurityStatus.SECURE, -1);
            return CompletableFuture.completedFuture(null);
        }).exceptionally(th -> {
            return null;
        });
    }

    private CompletionStage<Void> validateNameErrorResponseRecursive(SMessage sMessage, AtomicInteger atomicInteger) {
        if (atomicInteger.get() >= sMessage.getSectionRRsets(2).size()) {
            return CompletableFuture.completedFuture(null);
        }
        SRRset sRRset = sMessage.getSectionRRsets(2).get(atomicInteger.getAndIncrement());
        return prepareFindKey(sRRset).thenCompose(keyEntry -> {
            JustifiedSecStatus validateKeyFor = keyEntry.validateKeyFor(sRRset.getSignerName());
            if (validateKeyFor != null) {
                validateKeyFor.applyToResponse(sMessage);
                return failedFuture(new Exception(validateKeyFor.reason));
            }
            if (this.valUtils.verifySRRset(sRRset, keyEntry, this.clock.instant()).status == SecurityStatus.SECURE) {
                return validateNameErrorResponseRecursive(sMessage, atomicInteger);
            }
            sMessage.setBogus(R.get("failed.nxdomain.authority", sRRset));
            return failedFuture(new Exception("failed.nxdomain.authority"));
        });
    }

    private CompletionStage<SMessage> sendRequest(Message message) {
        Record question = message.getQuestion();
        log.trace("Sending request: <{}/{}/{}>", new Object[]{question.getName(), Type.string(question.getType()), DClass.string(question.getDClass())});
        Message m634clone = message.m634clone();
        m634clone.getHeader().setFlag(11);
        return this.headResolver.sendAsync(m634clone).thenApply(SMessage::new);
    }

    private CompletionStage<KeyEntry> prepareFindKey(SRRset sRRset) {
        FindKeyState findKeyState = new FindKeyState();
        findKeyState.signerName = sRRset.getSignerName();
        findKeyState.qclass = sRRset.getDClass();
        if (findKeyState.signerName == null) {
            findKeyState.signerName = sRRset.getName();
        }
        SRRset find = this.trustAnchors.find(findKeyState.signerName, sRRset.getDClass());
        if (find == null) {
            return CompletableFuture.completedFuture(KeyEntry.newNullKeyEntry(findKeyState.signerName, sRRset.getDClass(), DEFAULT_TA_BAD_KEY_TTL));
        }
        findKeyState.keyEntry = this.keyCache.find(findKeyState.signerName, sRRset.getDClass());
        if (findKeyState.keyEntry != null && (findKeyState.keyEntry.getName().equals(findKeyState.signerName) || !findKeyState.keyEntry.isGood())) {
            return CompletableFuture.completedFuture(findKeyState.keyEntry);
        }
        findKeyState.dsRRset = find;
        findKeyState.keyEntry = null;
        findKeyState.currentDSKeyName = new Name(find.getName(), 1);
        return processFindKey(findKeyState).thenApply(r3 -> {
            return findKeyState.keyEntry;
        });
    }

    private CompletionStage<Void> processFindKey(FindKeyState findKeyState) {
        int i = findKeyState.qclass;
        Name name = findKeyState.signerName;
        Name name2 = Name.empty;
        if (findKeyState.keyEntry != null) {
            name2 = findKeyState.keyEntry.getName();
        }
        if (findKeyState.currentDSKeyName != null) {
            name2 = findKeyState.currentDSKeyName;
            findKeyState.currentDSKeyName = null;
        }
        if (name2.equals(name)) {
            return CompletableFuture.completedFuture(null);
        }
        if (findKeyState.emptyDSName != null) {
            name2 = findKeyState.emptyDSName;
        }
        int labels = (name.labels() - name2.labels()) - 1;
        if (labels < 0) {
            return CompletableFuture.completedFuture(null);
        }
        Name name3 = new Name(name, labels);
        log.trace("Key search: targetKeyName = {}, currentKeyName = {}, nextKeyName = {}", new Object[]{name, name2, name3});
        if (findKeyState.dsRRset == null || !findKeyState.dsRRset.getName().equals(name3)) {
            Message newQuery = Message.newQuery(Record.newRecord(name3, 43, i));
            return sendRequest(newQuery).thenComposeAsync(sMessage -> {
                return processDSResponse(newQuery, sMessage, findKeyState);
            });
        }
        Message newQuery2 = Message.newQuery(Record.newRecord(findKeyState.dsRRset.getName(), 48, i));
        return sendRequest(newQuery2).thenComposeAsync(sMessage2 -> {
            return processDNSKEYResponse(newQuery2, sMessage2, findKeyState);
        });
    }

    private KeyEntry dsResponseToKE(SMessage sMessage, Message message, SRRset sRRset) {
        Name name = message.getQuestion().getName();
        int dClass = message.getQuestion().getDClass();
        ResponseClassification classifyResponse = ValUtils.classifyResponse(message, sMessage);
        KeyEntry newBadKeyEntry = KeyEntry.newBadKeyEntry(name, dClass, DEFAULT_TA_BAD_KEY_TTL);
        switch (classifyResponse) {
            case POSITIVE:
                SRRset findAnswerRRset = sMessage.findAnswerRRset(name, 43, dClass);
                JustifiedSecStatus verifySRRset = this.valUtils.verifySRRset(findAnswerRRset, sRRset, this.clock.instant());
                if (verifySRRset.status != SecurityStatus.SECURE) {
                    newBadKeyEntry.setBadReason(verifySRRset.edeReason, verifySRRset.reason);
                    return newBadKeyEntry;
                }
                if (this.valUtils.atLeastOneSupportedAlgorithm(findAnswerRRset)) {
                    log.trace("DS RRset was good");
                    return KeyEntry.newKeyEntry(findAnswerRRset);
                }
                KeyEntry newNullKeyEntry = KeyEntry.newNullKeyEntry(name, dClass, findAnswerRRset.getTTL());
                newNullKeyEntry.setBadReason(1, R.get("insecure.ds.noalgorithms", name));
                return newNullKeyEntry;
            case CNAME:
                if (this.valUtils.verifySRRset(sMessage.findAnswerRRset(name, 5, dClass), sRRset, this.clock.instant()).status == SecurityStatus.SECURE) {
                    return null;
                }
                newBadKeyEntry.setBadReason(6, R.get("failed.ds.cname", new Object[0]));
                return newBadKeyEntry;
            case NODATA:
            case NAMEERROR:
                return dsReponseToKeForNodata(sMessage, message, sRRset);
            default:
                newBadKeyEntry.setBadReason(6, R.get("failed.ds.notype", classifyResponse));
                return newBadKeyEntry;
        }
    }

    private KeyEntry dsReponseToKeForNodata(SMessage sMessage, Message message, SRRset sRRset) {
        Name name = message.getQuestion().getName();
        int dClass = message.getQuestion().getDClass();
        KeyEntry newBadKeyEntry = KeyEntry.newBadKeyEntry(name, dClass, DEFAULT_TA_BAD_KEY_TTL);
        if (!this.valUtils.hasSignedNsecs(sMessage)) {
            newBadKeyEntry.setBadReason(10, R.get("failed.ds.nonsec", name));
            return newBadKeyEntry;
        }
        JustifiedSecStatus nsecProvesNodataDsReply = this.valUtils.nsecProvesNodataDsReply(message, sMessage, sRRset, this.clock.instant());
        switch (nsecProvesNodataDsReply.status) {
            case SECURE:
                KeyEntry newNullKeyEntry = KeyEntry.newNullKeyEntry(name, dClass, DEFAULT_TA_BAD_KEY_TTL);
                newNullKeyEntry.setBadReason(-1, R.get("insecure.ds.nsec", new Object[0]));
                return newNullKeyEntry;
            case INSECURE:
                return null;
            case BOGUS:
                newBadKeyEntry.setBadReason(nsecProvesNodataDsReply.edeReason, nsecProvesNodataDsReply.reason);
                return newBadKeyEntry;
            default:
                List<SRRset> sectionRRsets = sMessage.getSectionRRsets(2, 50);
                ArrayList arrayList = new ArrayList(0);
                Name name2 = null;
                long j = -1;
                if (sectionRRsets.isEmpty()) {
                    newBadKeyEntry.setBadReason(6, R.get("failed.ds.unknown", new Object[0]));
                    return newBadKeyEntry;
                }
                for (SRRset sRRset2 : sectionRRsets) {
                    if (this.valUtils.verifySRRset(sRRset2, sRRset, this.clock.instant()).status != SecurityStatus.SECURE) {
                        log.debug("Skipping bad NSEC3");
                    } else {
                        name2 = sRRset2.getSignerName();
                        if (j < 0 || sRRset2.getTTL() < j) {
                            j = sRRset2.getTTL();
                        }
                        arrayList.add(sRRset2);
                    }
                }
                switch (this.n3valUtils.proveNoDS(arrayList, name, name2)) {
                    case SECURE:
                    case INSECURE:
                        KeyEntry newNullKeyEntry2 = KeyEntry.newNullKeyEntry(name, dClass, j);
                        newNullKeyEntry2.setBadReason(-1, R.get("insecure.ds.nsec3", new Object[0]));
                        return newNullKeyEntry2;
                    case BOGUS:
                        newBadKeyEntry.setBadReason(6, R.get("failed.ds.nsec3", new Object[0]));
                        return newBadKeyEntry;
                    case INDETERMINATE:
                        log.debug("NSEC3s for the referral proved no delegation");
                        return null;
                    default:
                        newBadKeyEntry.setBadReason(6, R.get("unknown.ds.nsec3", new Object[0]));
                        return newBadKeyEntry;
                }
        }
    }

    private CompletionStage<Void> processDSResponse(Message message, SMessage sMessage, FindKeyState findKeyState) {
        Name name = message.getQuestion().getName();
        findKeyState.emptyDSName = null;
        findKeyState.dsRRset = null;
        KeyEntry dsResponseToKE = dsResponseToKE(sMessage, message, findKeyState.keyEntry);
        if (dsResponseToKE == null) {
            findKeyState.emptyDSName = name;
        } else {
            if (!dsResponseToKE.isGood()) {
                findKeyState.keyEntry = dsResponseToKE;
                if (dsResponseToKE.isNull()) {
                    this.keyCache.store(dsResponseToKE);
                }
                return CompletableFuture.completedFuture(null);
            }
            findKeyState.dsRRset = dsResponseToKE;
            findKeyState.currentDSKeyName = new Name(dsResponseToKE.getName(), 1);
        }
        return processFindKey(findKeyState);
    }

    private CompletionStage<Void> processDNSKEYResponse(Message message, SMessage sMessage, FindKeyState findKeyState) {
        Name name = message.getQuestion().getName();
        int dClass = message.getQuestion().getDClass();
        SRRset findAnswerRRset = sMessage.findAnswerRRset(name, 48, dClass);
        if (findAnswerRRset == null) {
            findKeyState.keyEntry = KeyEntry.newBadKeyEntry(name, dClass, DEFAULT_TA_BAD_KEY_TTL);
            findKeyState.keyEntry.setBadReason(9, R.get("dnskey.no_rrset", name));
            return CompletableFuture.completedFuture(null);
        }
        findKeyState.keyEntry = this.valUtils.verifyNewDNSKEYs(findAnswerRRset, findKeyState.dsRRset, DEFAULT_TA_BAD_KEY_TTL, this.clock.instant());
        if (!findKeyState.keyEntry.isGood()) {
            return CompletableFuture.completedFuture(null);
        }
        this.keyCache.store(findKeyState.keyEntry);
        return processFindKey(findKeyState);
    }

    private CompletionStage<SMessage> processValidate(Message message, SMessage sMessage) {
        CompletionStage<Void> completedFuture;
        ResponseClassification classifyResponse = ValUtils.classifyResponse(message, sMessage);
        if (classifyResponse != ResponseClassification.REFERRAL) {
            removeSpuriousAuthority(sMessage);
        }
        switch (classifyResponse) {
            case POSITIVE:
            case CNAME:
            case ANY:
                log.trace("Validating a positive response");
                completedFuture = validatePositiveResponse(message, sMessage);
                break;
            case NODATA:
                log.trace("Validating a nodata response");
                completedFuture = validateNodataResponse(message, sMessage);
                break;
            case NAMEERROR:
                log.trace("Validating a nxdomain response");
                completedFuture = validateNameErrorResponse(message, sMessage);
                break;
            case CNAME_NODATA:
                log.trace("Validating a CNAME_NODATA response");
                completedFuture = validatePositiveResponse(message, sMessage).thenCompose(r7 -> {
                    if (sMessage.getStatus() == SecurityStatus.INSECURE) {
                        return CompletableFuture.completedFuture(null);
                    }
                    sMessage.setStatus(SecurityStatus.UNCHECKED, -1);
                    return validateNodataResponse(message, sMessage);
                });
                break;
            case CNAME_NAMEERROR:
                log.trace("Validating a cname_nxdomain response");
                completedFuture = validatePositiveResponse(message, sMessage).thenCompose(r72 -> {
                    if (sMessage.getStatus() == SecurityStatus.INSECURE) {
                        return CompletableFuture.completedFuture(null);
                    }
                    sMessage.setStatus(SecurityStatus.UNCHECKED, -1);
                    return validateNameErrorResponse(message, sMessage);
                });
                break;
            default:
                sMessage.setBogus(R.get("validate.response.unknown", classifyResponse));
                completedFuture = CompletableFuture.completedFuture(null);
                break;
        }
        return completedFuture.thenApply(r73 -> {
            return processFinishedState(message, sMessage);
        });
    }

    private SMessage processFinishedState(Message message, SMessage sMessage) {
        SecurityStatus status = sMessage.getStatus();
        String bogusReason = sMessage.getBogusReason();
        int edeReason = sMessage.getEdeReason();
        switch (status) {
            case SECURE:
                sMessage.getHeader().setFlag(10);
                break;
            case INSECURE:
            case UNCHECKED:
                break;
            case BOGUS:
                int rcode = sMessage.getHeader().getRcode();
                if (rcode == 0 || rcode == 3) {
                    rcode = 2;
                }
                sMessage = errorMessage(message, rcode);
                break;
            case INDETERMINATE:
            default:
                throw new IllegalArgumentException("unexpected security status");
        }
        sMessage.setStatus(status, edeReason, bogusReason);
        return sMessage;
    }

    @Override // org.xbill.DNS.Resolver
    public void setPort(int i) {
        this.headResolver.setPort(i);
    }

    @Override // org.xbill.DNS.Resolver
    public void setTCP(boolean z) {
        this.headResolver.setTCP(z);
    }

    @Override // org.xbill.DNS.Resolver
    public void setIgnoreTruncation(boolean z) {
    }

    @Override // org.xbill.DNS.Resolver
    public void setEDNS(int i, int i2, int i3, List<EDNSOption> list) {
        if (i == -1) {
            throw new IllegalArgumentException("EDNS cannot be disabled");
        }
        this.headResolver.setEDNS(i, i2, i3 | 32768, list);
    }

    @Override // org.xbill.DNS.Resolver
    public void setTSIGKey(TSIG tsig) {
        this.headResolver.setTSIGKey(tsig);
    }

    @Override // org.xbill.DNS.Resolver
    public Duration getTimeout() {
        return this.headResolver.getTimeout();
    }

    @Override // org.xbill.DNS.Resolver
    public void setTimeout(Duration duration) {
        this.headResolver.setTimeout(duration);
    }

    @Override // org.xbill.DNS.Resolver
    public CompletionStage<Message> sendAsync(Message message) {
        return sendRequest(message).thenCompose(sMessage -> {
            sMessage.getHeader().unsetFlag(10);
            if (message.getHeader().getFlag(11)) {
                return CompletableFuture.completedFuture(sMessage.getMessage());
            }
            Message message2 = sMessage.getMessage();
            if (message.getQuestion().getType() != 46 || message2.getHeader().getRcode() != 0 || message2.getSectionRRsets(1).isEmpty()) {
                return processValidate(message, sMessage).thenApply(sMessage -> {
                    Message message3 = sMessage.getMessage();
                    String bogusReason = sMessage.getBogusReason();
                    if (bogusReason != null) {
                        applyEdeToOpt(sMessage, message3);
                        if (this.isAddReasonToAdditional) {
                            addValidationReasonTxtRecord(message3, bogusReason);
                        }
                    }
                    return message3;
                });
            }
            message2.getHeader().unsetFlag(10);
            return CompletableFuture.completedFuture(message2);
        });
    }

    private void applyEdeToOpt(SMessage sMessage, Message message) {
        OPTRecord oPTRecord;
        if (sMessage.getEdeReason() <= -1) {
            return;
        }
        OPTRecord opt = message.getOPT();
        ArrayList arrayList = new ArrayList();
        arrayList.add(new ExtendedErrorCodeOption(sMessage.getEdeReason(), sMessage.getBogusReason()));
        if (opt != null) {
            arrayList.addAll((Collection) opt.getOptions().stream().filter(eDNSOption -> {
                return eDNSOption.getCode() != 15;
            }).collect(Collectors.toList()));
            oPTRecord = new OPTRecord(opt.getPayloadSize(), opt.getExtendedRcode(), opt.getVersion(), opt.getFlags(), arrayList);
            message.removeRecord(message.getOPT(), 3);
        } else {
            oPTRecord = new OPTRecord(SimpleResolver.DEFAULT_EDNS_PAYLOADSIZE, 0, 0, 0, arrayList);
        }
        message.addRecord(oPTRecord, 3);
    }

    private void addValidationReasonTxtRecord(Message message, String str) {
        String[] strArr = new String[(str.length() / 255) + 1];
        for (int i = 0; i < strArr.length; i++) {
            strArr[i] = str.substring(i * 255, Math.min((i + 1) * 255, str.length()));
        }
        message.addRecord(new TXTRecord(Name.root, VALIDATION_REASON_QCLASS, 0L, (List<String>) Arrays.asList(strArr)), 3);
    }

    private static SMessage errorMessage(Message message, int i) {
        SMessage sMessage = new SMessage(message.getHeader().getID(), message.getQuestion());
        Header header = sMessage.getHeader();
        header.setRcode(i);
        header.setFlag(0);
        return sMessage;
    }

    @Generated
    public boolean isAddReasonToAdditional() {
        return this.isAddReasonToAdditional;
    }

    @Generated
    public void setAddReasonToAdditional(boolean z) {
        this.isAddReasonToAdditional = z;
    }
}
