package org.xbill.DNS;

import java.security.GeneralSecurityException;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xbill.DNS.utils.base64;
import org.xbill.DNS.utils.hexdump;

/* loaded from: classes3.dex */
public class TSIG {
    private static final Logger g = LoggerFactory.a((Class<?>) TSIG.class);
    public static final Name h;
    public static final Name i;
    public static final Name j;
    public static final Name k;
    public static final Name l;
    public static final Name m;
    public static final Duration n;

    /* renamed from: a, reason: collision with root package name */
    private final Name f11360a;
    private final Clock b;
    private final Name c;
    private final SecretKey d;
    private final String e;
    private final Mac f;

    /* loaded from: classes3.dex */
    public static class StreamVerifier {

        /* renamed from: a, reason: collision with root package name */
        private final TSIG f11361a;
        private int b = 0;
        private int c;
        private TSIGRecord d;

        public StreamVerifier(TSIG tsig, TSIGRecord tSIGRecord) {
            this.f11361a = tsig;
            this.d = tSIGRecord;
        }

        public int a(Message message, byte[] bArr) {
            TSIGRecord e = message.e();
            this.b++;
            int i = this.b;
            if (i == 1) {
                int a2 = this.f11361a.a(message, bArr, this.d);
                this.d = e;
                return a2;
            }
            if (e != null) {
                int a3 = this.f11361a.a(message, bArr, this.d, false);
                this.c = this.b;
                this.d = e;
                return a3;
            }
            if (i - this.c >= 100) {
                TSIG.g.debug("FORMERR: missing required signature on {}th message", Integer.valueOf(this.b));
                message.k = 4;
                return 1;
            }
            TSIG.g.trace("Intermediate message {} without signature", Integer.valueOf(this.b));
            message.k = 2;
            return 0;
        }
    }

    static {
        Name.fromConstantString("gss-tsig.");
        h = Name.fromConstantString("HMAC-MD5.SIG-ALG.REG.INT.");
        i = Name.fromConstantString("hmac-sha1.");
        j = Name.fromConstantString("hmac-sha224.");
        k = Name.fromConstantString("hmac-sha256.");
        l = Name.fromConstantString("hmac-sha384.");
        m = Name.fromConstantString("hmac-sha512.");
        HashMap hashMap = new HashMap();
        hashMap.put(h, "HmacMD5");
        hashMap.put(i, "HmacSHA1");
        hashMap.put(j, "HmacSHA224");
        hashMap.put(k, "HmacSHA256");
        hashMap.put(l, "HmacSHA384");
        hashMap.put(m, "HmacSHA512");
        Collections.unmodifiableMap(hashMap);
        n = Duration.ofSeconds(300L);
    }

    private static void a(Instant instant, Duration duration, DNSOutput dNSOutput) {
        a(instant, dNSOutput);
        dNSOutput.b((int) duration.getSeconds());
    }

    private static void a(Instant instant, DNSOutput dNSOutput) {
        long epochSecond = instant.getEpochSecond();
        dNSOutput.b((int) (epochSecond >> 32));
        dNSOutput.a(epochSecond & 4294967295L);
    }

    private static void a(Mac mac, TSIGRecord tSIGRecord) {
        byte[] e = DNSOutput.e(tSIGRecord.p().length);
        if (g.isTraceEnabled()) {
            g.trace(hexdump.a("TSIG-HMAC signature size", e));
            g.trace(hexdump.a("TSIG-HMAC signature", tSIGRecord.p()));
        }
        mac.update(e);
        mac.update(tSIGRecord.p());
    }

    private static boolean a(byte[] bArr, byte[] bArr2) {
        if (bArr2.length < bArr.length) {
            byte[] bArr3 = new byte[bArr2.length];
            System.arraycopy(bArr, 0, bArr3, 0, bArr3.length);
            bArr = bArr3;
        }
        return Arrays.equals(bArr2, bArr);
    }

    private Mac c() {
        Mac mac = this.f;
        if (mac != null) {
            try {
                return (Mac) mac.clone();
            } catch (CloneNotSupportedException unused) {
                this.f.reset();
                return this.f;
            }
        }
        try {
            Mac mac2 = Mac.getInstance(this.e);
            mac2.init(this.d);
            return mac2;
        } catch (GeneralSecurityException e) {
            throw new IllegalArgumentException("Caught security exception setting up HMAC.", e);
        }
    }

    public int a() {
        return this.c.length() + 10 + this.f11360a.length() + 8 + 18 + 4 + 8;
    }

    public int a(Message message, byte[] bArr, TSIGRecord tSIGRecord) {
        return a(message, bArr, tSIGRecord, true);
    }

    public int a(Message message, byte[] bArr, TSIGRecord tSIGRecord, boolean z) {
        message.k = 4;
        TSIGRecord e = message.e();
        if (e == null) {
            return 1;
        }
        if (!e.d().equals(this.c) || !e.l().equals(this.f11360a)) {
            g.debug("BADKEY failure, expected: {}/{}, actual: {}/{}", this.c, this.f11360a, e.d(), e.l());
            return 17;
        }
        Mac c = c();
        if (tSIGRecord != null && e.m() != 17 && e.m() != 16) {
            a(c, tSIGRecord);
        }
        message.a().a(3);
        byte[] f = message.a().f();
        message.a().d(3);
        if (g.isTraceEnabled()) {
            g.trace(hexdump.a("TSIG-HMAC header", f));
        }
        c.update(f);
        int length = message.j - f.length;
        if (g.isTraceEnabled()) {
            g.trace(hexdump.a("TSIG-HMAC message after header", bArr, f.length, length));
        }
        c.update(bArr, f.length, length);
        DNSOutput dNSOutput = new DNSOutput();
        if (z) {
            e.d().toWireCanonical(dNSOutput);
            dNSOutput.b(e.f);
            dNSOutput.a(e.g);
            e.l().toWireCanonical(dNSOutput);
        }
        a(e.q(), e.n(), dNSOutput);
        if (z) {
            dNSOutput.b(e.m());
            if (e.o() != null) {
                dNSOutput.b(e.o().length);
                dNSOutput.a(e.o());
            } else {
                dNSOutput.b(0);
            }
        }
        byte[] b = dNSOutput.b();
        if (g.isTraceEnabled()) {
            g.trace(hexdump.a("TSIG-HMAC variables", b));
        }
        c.update(b);
        byte[] p = e.p();
        int macLength = c.getMacLength();
        int max = Math.max(10, macLength / 2);
        if (p.length > macLength) {
            g.debug("BADSIG: signature too long, expected: {}, actual: {}", Integer.valueOf(macLength), Integer.valueOf(p.length));
            return 16;
        }
        if (p.length < max) {
            g.debug("BADSIG: signature too short, expected: {} of {}, actual: {}", Integer.valueOf(max), Integer.valueOf(macLength), Integer.valueOf(p.length));
            return 16;
        }
        byte[] doFinal = c.doFinal();
        if (!a(doFinal, p)) {
            if (g.isDebugEnabled()) {
                g.debug("BADSIG: signature verification failed, expected: {}, actual: {}", base64.a(doFinal), base64.a(p));
            }
            return 16;
        }
        Instant instant = this.b.instant();
        if (Duration.between(instant, e.q()).abs().compareTo(e.n()) > 0) {
            g.debug("BADTIME failure, now {} +/- tsig {} > fudge {}", instant, e.q(), e.n());
            return 18;
        }
        message.k = 1;
        return 0;
    }

    public TSIGRecord a(Message message, byte[] bArr, int i2, TSIGRecord tSIGRecord) {
        return a(message, bArr, i2, tSIGRecord, true);
    }

    public TSIGRecord a(Message message, byte[] bArr, int i2, TSIGRecord tSIGRecord, boolean z) {
        boolean z2;
        Mac c;
        byte[] bArr2;
        byte[] bArr3;
        Instant q = i2 == 18 ? tSIGRecord.q() : this.b.instant();
        if (i2 == 0 || i2 == 18 || i2 == 22) {
            z2 = true;
            c = c();
        } else {
            c = null;
            z2 = false;
        }
        int b = Options.b("tsigfudge");
        Duration ofSeconds = (b < 0 || b > 32767) ? n : Duration.ofSeconds(b);
        if (tSIGRecord != null && z2) {
            a(c, tSIGRecord);
        }
        if (z2) {
            if (g.isTraceEnabled()) {
                g.trace(hexdump.a("TSIG-HMAC rendered message", bArr));
            }
            c.update(bArr);
        }
        DNSOutput dNSOutput = new DNSOutput();
        if (z) {
            this.c.toWireCanonical(dNSOutput);
            dNSOutput.b(255);
            dNSOutput.a(0L);
            this.f11360a.toWireCanonical(dNSOutput);
        }
        a(q, ofSeconds, dNSOutput);
        if (z) {
            dNSOutput.b(i2);
            dNSOutput.b(0);
        }
        if (z2) {
            byte[] b2 = dNSOutput.b();
            if (g.isTraceEnabled()) {
                g.trace(hexdump.a("TSIG-HMAC variables", b2));
            }
            bArr2 = c.doFinal(b2);
        } else {
            bArr2 = new byte[0];
        }
        byte[] bArr4 = bArr2;
        if (i2 == 18) {
            DNSOutput dNSOutput2 = new DNSOutput(6);
            a(this.b.instant(), dNSOutput2);
            bArr3 = dNSOutput2.b();
        } else {
            bArr3 = null;
        }
        return new TSIGRecord(this.c, 255, 0L, this.f11360a, q, ofSeconds, bArr4, message.a().b(), i2, bArr3);
    }

    public void a(Message message, int i2, TSIGRecord tSIGRecord, boolean z) {
        message.a(a(message, message.i(), i2, tSIGRecord, z), 3);
        message.k = 3;
    }

    public void a(Message message, TSIGRecord tSIGRecord) {
        a(message, 0, tSIGRecord, true);
    }
}
