U
    mÃfõž  ã                   @   s<  d Z ddlZddlZddlZddlZddlZddlZddlmZ ddlm	Z	m
Z
mZmZmZmZmZmZ ddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlmZmZm Z  ddlm!Z!m"Z"m#Z#m$Z$ ddl%m&Z& ddl'm(Z( dd	l)m*Z* dd
l+m,Z, ddl-m.Z.m/Z/ ddl0m1Z1 ddl2m3Z3m4Z4 ddl5m6Z6 ed Z7ed Z8e	ej9j:ej;j<gdf Z=e>edœdd„Z?eee@f e>dœdd„ZAeee>eBe@f e@dœdd„ZCee*e&f e@dœdd„ZDG dd„ dƒZEG dd„ deEƒZFeFejGejHejIejJhejGejHejIhejKejLejMhejKhƒZNeFeOƒ eOƒ eOƒ eOƒ ƒZPeNZQdeeejRjSe>f ejTjUeee>f eejRjS eeE eVe,d!œd"d#„ZWdfeejRjSe>f ejTjUeee>f eejRjS e(d$œd%d&„ZXe
ejRjSeejYjZej[j\f f e3eee*  d'œd(d)„Z]eej;j<eejRjSejYjZf f eejRjSejYjZf d*œd+d,„Z^e_e_e*dd-œd.d/„Z`dgeej;j<eejRjSejYjZf f e3e
ejRjSeej[j\ejYjZf f eejRjS eeB eeE dd0œd1d2„Zadheej;j<eejRjSejYjZf f eej;j<eejRjSejYjZf f e
ejRjSeej[j\ejYjZf f eejRjS eeB eeE dd3œd4d5„Zbdieej;j<eejRjSejYjZf f e8ejRjSe*eeee>e@eBf  eeee>e@eBf  ee@ eVeeE eejRjS e3d6œd7d8„Zcdjeej;j<eejRjSejYjZf f e3eejRjS e_d9œd:d;„Zde6jed<fe7ee@e>f e@e@e*d=œd>d?„Zfe6jed<fe7ee@e>f e@e@e&d=œd@dA„ZgeejRjSe>f eee>e_f  e@ee@e>f e>dBœdCdD„Zhdkeej;j<eejRjSejYjZf f eeee>f  eejRjS ejYjZdEœdFdG„ZiejYjZejYjZdHœdIdJ„ZjdleejRjSe>f ejYjZeee>f eejRjS ejYjZdKœdLdM„ZkejYjZejYjZdHœdNdO„Zldmej9j:ej;j<ejRjSeee8e*f  eee8e*f  eeee>e@eBf  eeee>e@eBf  ee@ eeE eejRjS ddPœdQdR„Zmdnejnjoeej9j: eeee8e*f   eVee@ eeee>e@eBf  eeee>e@eBf  ee@ ee1 ee= eeE ddTœdUdV„Zpdoejnjoej9j:ee= ddWœdXdY„ZqdZd[„ Zrejs td\¡rºdd]lumvZv dd^lwmxZx dd_lwmyZy dd`lwmzZz ddalwm{Z{ ddblwm|Z| ddcl}m~Z~mZ dddl€mZm‚Z‚ ebZƒeaZ„ecZ…efZ†egZ‡dSZˆnerZƒerZ„erZ…erZ†erZ‡d ZˆejGZGej‰Z‰ejHZHejŠZŠej‹Z‹ejIZIejŒZŒejZejŽZŽejJZJejZejZej‘Z‘ej’Z’ej“Z“ej”Z”ej•Z•dS )pz.Common DNSSEC-related functions and constants.é    N)Údatetime)ÚCallableÚDictÚListÚOptionalÚSetÚTupleÚUnionÚcast)Ú	AlgorithmÚDSDigestÚ	NSEC3Hash)ÚAlgorithmKeyMismatchÚDeniedByPolicyÚUnsupportedAlgorithmÚValidationFailure)ÚCDNSKEY)ÚCDS)ÚDNSKEY)ÚDS)ÚNSECÚBitmap)Ú
NSEC3PARAM)ÚRRSIGÚsigtime_to_posixtime)ÚFlag)ÚGenericPublicKeyzrsa.RSAPublicKeyzec.EllipticCurvePublicKeyzed25519.Ed25519PublicKeyzed448.Ed448PublicKey)ÚGenericPrivateKeyzrsa.RSAPrivateKeyzec.EllipticCurvePrivateKeyzed25519.Ed25519PrivateKeyzed448.Ed448PrivateKey)ÚtextÚreturnc                 C   s
   t  | ¡S )z‘Convert text into a DNSSEC algorithm value.

    *text*, a ``str``, the text to convert to into an algorithm value.

    Returns an ``int``.
    )r   Ú	from_text)r   © r!   ú8/opt/hc_python/lib/python3.8/site-packages/dns/dnssec.pyÚalgorithm_from_textL   s    r#   )Úvaluer   c                 C   s
   t  | ¡S )zConvert a DNSSEC algorithm value to text

    *value*, a ``dns.dnssec.Algorithm``.

    Returns a ``str``, the name of a DNSSEC algorithm.
    )r   Zto_text©r$   r!   r!   r"   Úalgorithm_to_textW   s    r&   c                 C   sT   t | tƒrt|  ¡ ƒS t | tƒr(t| ƒS t | tƒr:t| ƒS t | tƒrH| S tdƒ‚dS )z%Convert various format to a timestampzUnsupported timestamp typeN)Ú
isinstancer   ÚintÚ	timestampÚstrr   ÚfloatÚ	TypeErrorr%   r!   r!   r"   Úto_timestampb   s    



r-   ©Úkeyr   c                 C   sª   |   ¡ }| jtjkr(|d d> |d  S d}tt|ƒd ƒD ](}||d|  d> |d| d   7 }q<t|ƒd dkrŽ||t|ƒd  d> 7 }||d? d@ 7 }|d@ S d	S )
z›Return the key id (a 16-bit number) for the specified key.

    *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY``

    Returns an ``int`` between 0 and 65535
    éýÿÿÿé   éþÿÿÿr   é   é   é   iÿÿ  N)Úto_wireÚ	algorithmr   ÚRSAMD5ÚrangeÚlen)r/   ÚrdataÚtotalÚir!   r!   r"   Úkey_idp   s    &r>   c                   @   sT   e Zd Zdd„ Zeedœdd„Zeedœdd„Zeedœdd	„Z	eedœd
d„Z
dS )ÚPolicyc                 C   s   d S ©Nr!   )Úselfr!   r!   r"   Ú__init__†   s    zPolicy.__init__)Ú_r   c                 C   s   dS ©NFr!   ©rA   rC   r!   r!   r"   Ú
ok_to_sign‰   s    zPolicy.ok_to_signc                 C   s   dS rD   r!   rE   r!   r!   r"   Úok_to_validateŒ   s    zPolicy.ok_to_validatec                 C   s   dS rD   r!   rE   r!   r!   r"   Úok_to_create_ds   s    zPolicy.ok_to_create_dsc                 C   s   dS rD   r!   rE   r!   r!   r"   Úok_to_validate_ds’   s    zPolicy.ok_to_validate_dsN)Ú__name__Ú
__module__Ú__qualname__rB   r   ÚboolrF   rG   r   rH   rI   r!   r!   r!   r"   r?   …   s
   r?   c                       s\   e Zd Z‡ fdd„Zeedœdd„Zeedœdd„Zeedœd	d
„Z	eedœdd„Z
‡  ZS )Ú
SimpleDenyc                    s&   t ƒ  ¡  || _|| _|| _|| _d S r@   )ÚsuperrB   Ú
_deny_signÚ_deny_validateÚ_deny_create_dsÚ_deny_validate_ds)rA   Z	deny_signZdeny_validateZdeny_create_dsZdeny_validate_ds©Ú	__class__r!   r"   rB   —   s
    
zSimpleDeny.__init__r.   c                 C   s   |j | jkS r@   )r7   rP   ©rA   r/   r!   r!   r"   rF   ž   s    zSimpleDeny.ok_to_signc                 C   s   |j | jkS r@   )r7   rQ   rV   r!   r!   r"   rG   ¡   s    zSimpleDeny.ok_to_validate)r7   r   c                 C   s
   || j kS r@   )rR   ©rA   r7   r!   r!   r"   rH   ¤   s    zSimpleDeny.ok_to_create_dsc                 C   s
   || j kS r@   )rS   rW   r!   r!   r"   rI   §   s    zSimpleDeny.ok_to_validate_ds)rJ   rK   rL   rB   r   rM   rF   rG   r   rH   rI   Ú__classcell__r!   r!   rT   r"   rN   –   s
   rN   F)Únamer/   r7   ÚoriginÚpolicyÚ
validatingr   c                 C   s\  |dkrt }zt|tƒr$t| ¡  }W n  tk
rF   td| ƒ‚Y nX |rT|j}n|j}||ƒsft	‚t|t
tfƒs|tdƒ‚|tjkrt ¡ }n4|tjkr¤t ¡ }n |tjkr¸t ¡ }ntd| ƒ‚t| tƒrÜtj | |¡} |  ¡  ¡ }|dk	sôt‚| |¡ | |j|d¡ | ¡ }	t dt|ƒ|j|¡|	 }
tj  !tj"j#tj$j%|
dt&|
ƒ¡}t't%|ƒS )a—  Create a DS record for a DNSSEC key.

    *name*, a ``dns.name.Name`` or ``str``, the owner name of the DS record.

    *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY`` or ``dns.rdtypes.ANY.DNSKEY.CDNSKEY``,
    the key the DS is about.

    *algorithm*, a ``str`` or ``int`` specifying the hash algorithm.
    The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case
    does not matter for these strings.

    *origin*, a ``dns.name.Name`` or ``None``.  If *key* is a relative name,
    then it will be made absolute using the specified origin.

    *policy*, a ``dns.dnssec.Policy`` or ``None``.  If ``None``, the default policy,
    ``dns.dnssec.default_policy`` is used; this policy defaults to that of RFC 8624.

    *validating*, a ``bool``.  If ``True``, then policy is checked in
    validating mode, i.e. "Is it ok to validate using this digest algorithm?".
    Otherwise the policy is checked in creating mode, i.e. "Is it ok to create a DS with
    this digest algorithm?".

    Raises ``UnsupportedAlgorithm`` if the algorithm is unknown.

    Raises ``DeniedByPolicy`` if the algorithm is denied by policy.

    Returns a ``dns.rdtypes.ANY.DS.DS``
    Núunsupported algorithm "%s"zkey is not a DNSKEY/CDNSKEY©rZ   z!HBBr   )(Údefault_policyr'   r*   r   ÚupperÚ	Exceptionr   rI   rH   r   r   r   Ú
ValueErrorÚSHA1ÚhashlibÚsha1ÚSHA256Úsha256ÚSHA384Úsha384ÚdnsrY   r    Úcanonicalizer6   ÚAssertionErrorÚupdateÚdigestÚstructÚpackr>   r7   r;   Z	from_wireÚ
rdataclassÚINÚ	rdatatyper   r:   r
   )rY   r/   r7   rZ   r[   r\   ÚcheckZdshashZwirern   ZdsrdataÚdsr!   r!   r"   Úmake_ds¸   sJ    %




    ÿrv   )rY   r/   r7   rZ   r   c                 C   s0   t | |||ƒ}t|jtjj|j|j|j|jdS )a  Create a CDS record for a DNSSEC key.

    *name*, a ``dns.name.Name`` or ``str``, the owner name of the DS record.

    *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY`` or ``dns.rdtypes.ANY.DNSKEY.CDNSKEY``,
    the key the DS is about.

    *algorithm*, a ``str`` or ``int`` specifying the hash algorithm.
    The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case
    does not matter for these strings.

    *origin*, a ``dns.name.Name`` or ``None``.  If *key* is a relative name,
    then it will be made absolute using the specified origin.

    Raises ``UnsupportedAlgorithm`` if the algorithm is unknown.

    Returns a ``dns.rdtypes.ANY.DS.CDS``
    ©ÚrdclassÚrdtypeÚkey_tagr7   Údigest_typern   )	rv   r   rx   rj   rs   rz   r7   r{   rn   )rY   r/   r7   rZ   ru   r!   r!   r"   Úmake_cds  s    úr|   )ÚkeysÚrrsigr   c                    sR   |   ˆ j¡}t|tjjƒr0| tjjtj	j
¡}n|}|d kr@d S ‡ fdd„|D ƒS )Nc                    sL   g | ]D}|j ˆ j krt|ƒˆ jkr|jtj@ tjkr|jd krtt|ƒ‘qS )é   )	r7   r>   rz   Úflagsr   ÚZONEÚprotocolr
   r   )Ú.0Úrd©r~   r!   r"   Ú
<listcomp>2  s   
ûz(_find_candidate_keys.<locals>.<listcomp>)ÚgetÚsignerr'   rj   ÚnodeÚNodeZget_rdatasetrq   rr   rs   r   )r}   r~   r$   Úrdatasetr!   r…   r"   Ú_find_candidate_keys(  s    
þrŒ   )Úrrsetr   c                 C   s(   t | tƒr| d | d fS | j| fS d S )Nr   r4   )r'   ÚtuplerY   )r   r!   r!   r"   Ú_get_rrname_rdataset<  s    
r   )ÚsigÚdatar/   r   c                 C   sF   t |ƒj}z| |¡}W n tk
r4   tdƒ‚Y nX | | |¡ d S )Nzinvalid public key)Úget_algorithm_cls_from_dnskeyÚ
public_clsZfrom_dnskeyrb   r   Úverify)r   r‘   r/   r“   Ú
public_keyr!   r!   r"   Ú_validate_signatureE  s    
r–   )r   r~   r}   rZ   Únowr[   r   c           	   
   C   s¼   |dkrt }t||ƒ}|dkr&tdƒ‚|dkr6t ¡ }|j|k rHtdƒ‚|j|krZtdƒ‚t| ||ƒ}|D ]D}| |¡szqjzt|j	||ƒ W  dS  t
tfk
r¬   Y qjY qjX qjtdƒ‚dS )aÖ  Validate an RRset against a single signature rdata, throwing an
    exception if validation is not successful.

    *rrset*, the RRset to validate.  This can be a
    ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``)
    tuple.

    *rrsig*, a ``dns.rdata.Rdata``, the signature to validate.

    *keys*, the key dictionary, used to find the DNSKEY associated
    with a given name.  The dictionary is keyed by a
    ``dns.name.Name``, and has ``dns.node.Node`` or
    ``dns.rdataset.Rdataset`` values.

    *origin*, a ``dns.name.Name`` or ``None``, the origin to use for relative
    names.

    *now*, a ``float`` or ``None``, the time, in seconds since the epoch, to
    use as the current time when validating.  If ``None``, the actual current
    time is used.

    *policy*, a ``dns.dnssec.Policy`` or ``None``.  If ``None``, the default policy,
    ``dns.dnssec.default_policy`` is used; this policy defaults to that of RFC 8624.

    Raises ``ValidationFailure`` if the signature is expired, not yet valid,
    the public key is invalid, the algorithm is unknown, the verification
    fails, etc.

    Raises ``UnsupportedAlgorithm`` if the algorithm is recognized by
    dnspython but not implemented.
    Nzunknown keyZexpiredznot yet validzverify failure)r_   rŒ   r   ÚtimeÚ
expirationÚ	inceptionÚ_make_rrsig_signature_datarG   r–   Ú	signatureÚInvalidSignature)	r   r~   r}   rZ   r—   r[   Zcandidate_keysr‘   Zcandidate_keyr!   r!   r"   Ú_validate_rrsigN  s*    (



rž   )r   Úrrsigsetr}   rZ   r—   r[   r   c           
   
   C   sè   |dkrt }t|tƒr(tj |tjj¡}t| tƒr<| d }n| j}t|tƒr^|d }|d }n
|j}|}| |¡}| |¡}||krŒt	dƒ‚|D ]J}	t|	t
ƒs¦t	dƒ‚zt| |	||||ƒ W  dS  t	tfk
rØ   Y qX qt	dƒ‚dS )a¹  Validate an RRset against a signature RRset, throwing an exception
    if none of the signatures validate.

    *rrset*, the RRset to validate.  This can be a
    ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``)
    tuple.

    *rrsigset*, the signature RRset.  This can be a
    ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``)
    tuple.

    *keys*, the key dictionary, used to find the DNSKEY associated
    with a given name.  The dictionary is keyed by a
    ``dns.name.Name``, and has ``dns.node.Node`` or
    ``dns.rdataset.Rdataset`` values.

    *origin*, a ``dns.name.Name``, the origin to use for relative names;
    defaults to None.

    *now*, an ``int`` or ``None``, the time, in seconds since the epoch, to
    use as the current time when validating.  If ``None``, the actual current
    time is used.

    *policy*, a ``dns.dnssec.Policy`` or ``None``.  If ``None``, the default policy,
    ``dns.dnssec.default_policy`` is used; this policy defaults to that of RFC 8624.

    Raises ``ValidationFailure`` if the signature is expired, not yet valid,
    the public key is invalid, the algorithm is unknown, the verification
    fails, etc.
    Nr   r4   zowner names do not matchzexpected an RRSIGzno RRSIGs validated)r_   r'   r*   rj   rY   r    ÚrootrŽ   Zchoose_relativityr   r   rž   r   )
r   rŸ   r}   rZ   r—   r[   ÚrrnameZ	rrsignameZrrsigrdatasetr~   r!   r!   r"   Ú	_validate“  s2    '







r¢   )r   Úprivate_keyrˆ   Údnskeyrš   r™   Úlifetimer”   r[   rZ   r   c
                 C   sz  |dkrt }| |¡st‚t| tƒrL| d j}
| d j}| d }| d j}n| j}
| j}| j}| j}|dk	rvt	|ƒ}nt
t ¡ ƒ}|dk	r”t	|ƒ}n|dk	r¦|| }ntdƒ‚|	dk	rÀ| |	¡}t|ƒd }| ¡ rÜ|d8 }t|
tjj||j||||t|ƒ|dd}tj | ||	¡}t|tƒr&|}n6zt|ƒ}||d}W n tk
rZ   tdƒ‚Y nX | ||¡}tt|j|d	ƒS )
a  Sign RRset using private key.

    *rrset*, the RRset to validate.  This can be a
    ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``)
    tuple.

    *private_key*, the private key to use for signing, a
    ``cryptography.hazmat.primitives.asymmetric`` private key class applicable
    for DNSSEC.

    *signer*, a ``dns.name.Name``, the Signer's name.

    *dnskey*, a ``DNSKEY`` matching ``private_key``.

    *inception*, a ``datetime``, ``str``, ``int``, ``float`` or ``None``, the
    signature inception time.  If ``None``, the current time is used.  If a ``str``, the
    format is "YYYYMMDDHHMMSS" or alternatively the number of seconds since the UNIX
    epoch in text form; this is the same the RRSIG rdata's text form.
    Values of type `int` or `float` are interpreted as seconds since the UNIX epoch.

    *expiration*, a ``datetime``, ``str``, ``int``, ``float`` or ``None``, the signature
    expiration time.  If ``None``, the expiration time will be the inception time plus
    the value of the *lifetime* parameter.  See the description of *inception* above
    for how the various parameter types are interpreted.

    *lifetime*, an ``int`` or ``None``, the signature lifetime in seconds.  This
    parameter is only meaningful if *expiration* is ``None``.

    *verify*, a ``bool``.  If set to ``True``, the signer will verify signatures
    after they are created; the default is ``False``.

    *policy*, a ``dns.dnssec.Policy`` or ``None``.  If ``None``, the default policy,
    ``dns.dnssec.default_policy`` is used; this policy defaults to that of RFC 8624.

    *origin*, a ``dns.name.Name`` or ``None``.  If ``None``, the default, then all
    names in the rrset (including its owner name) must be absolute; otherwise the
    specified origin will be used to make names absolute when signing.

    Raises ``DeniedByPolicy`` if the signature is denied by policy.
    Nr4   r   z(expiration or lifetime must be specifiedó    )rx   ry   Ztype_coveredr7   ÚlabelsÚoriginal_ttlr™   rš   rz   rˆ   rœ   ©r/   zUnsupported key algorithm)rœ   )r_   rF   r   r'   rŽ   rx   ry   ÚttlrY   r-   r(   r˜   rb   Úderelativizer:   Úis_wildr   rj   rs   r7   r>   Údnssecr›   r   r’   r   r,   Úsignr
   Úreplace)r   r£   rˆ   r¤   rš   r™   r¥   r”   r[   rZ   rx   ry   r¡   r¨   Zrrsig_inceptionZrrsig_expirationr§   Zrrsig_templater‘   Zsigning_keyZprivate_clsrœ   r!   r!   r"   Ú_signÜ  sb    5






õr°   )r   r~   rZ   r   c                    s‚  t ˆ tƒrtj ˆ tjj¡‰ |j}| ¡ sDˆ dkr:tdƒ‚| 	ˆ ¡}t
| ƒ\}}d}||j|ddd… 7 }||j |¡7 }| ¡ sžˆ dkr”tdƒ‚| 	ˆ ¡}t|ƒ}| ¡ rÄ|j|d krÄtdƒ‚|d |jk rÜtd	ƒ‚n2|j|d k r| |jd ¡d }tj d
|¡}| ¡ }	t d|j|j|j¡}
‡ fdd„|D ƒ}t|ƒD ]6}||	7 }||
7 }t dt|ƒ¡}||7 }||7 }qF|S )aá  Create signature rdata.

    *rrset*, the RRset to sign/validate.  This can be a
    ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``)
    tuple.

    *rrsig*, a ``dns.rdata.Rdata``, the signature to validate, or the
    signature template used when signing.

    *origin*, a ``dns.name.Name`` or ``None``, the origin to use for relative
    names.

    Raises ``UnsupportedAlgorithm`` if the algorithm is recognized by
    dnspython but not implemented.
    Nz,relative RR name without an origin specifiedr¦   r^   é   r3   z&wild owner name has wrong label lengthr4   z#owner name longer than RRSIG labelsÚ*z!HHIc                    s   g | ]}|  ˆ ¡‘qS r!   )Úto_digestable)rƒ   r;   r^   r!   r"   r†   ‹  s     z._make_rrsig_signature_data.<locals>.<listcomp>z!H)r'   r*   rj   rY   r    r    rˆ   Úis_absoluter   r«   r   r6   r³   r:   r¬   r§   Úsplitro   rp   ry   rx   r¨   Úsorted)r   r~   rZ   rˆ   r¡   r‹   r‘   Zname_lenÚsuffixZ	rrnamebufZrrfixedZrdatasr;   Zrrlenr!   r^   r"   r›   U  sB    



r›   r   )r•   r7   r€   r‚   r   c                 C   sD   t  |¡}t| tƒr"| j||dS t|ƒj}|| dj||dS dS )a€  Convert a public key to DNSKEY Rdata

    *public_key*, a ``PublicKey`` (``GenericPublicKey`` or
    ``cryptography.hazmat.primitives.asymmetric``) to convert.

    *algorithm*, a ``str`` or ``int`` specifying the DNSKEY algorithm.

    *flags*: DNSKEY flags field as an integer.

    *protocol*: DNSKEY protocol field as an integer.

    Raises ``ValueError`` if the specified key algorithm parameters are not
    unsupported, ``TypeError`` if the key type is unsupported,
    `UnsupportedAlgorithm` if the algorithm is unknown and
    `AlgorithmKeyMismatch` if the algorithm does not match the key type.

    Return DNSKEY ``Rdata``.
    )r€   r‚   r©   N)r   Úmaker'   r   Z	to_dnskeyÚget_algorithm_clsr“   )r•   r7   r€   r‚   r“   r!   r!   r"   Ú_make_dnskey–  s
    


rº   c                 C   s0   t | |||ƒ}t|jtjj|j|j|j|jdS )a•  Convert a public key to CDNSKEY Rdata

    *public_key*, the public key to convert, a
    ``cryptography.hazmat.primitives.asymmetric`` public key class applicable
    for DNSSEC.

    *algorithm*, a ``str`` or ``int`` specifying the DNSKEY algorithm.

    *flags*: DNSKEY flags field as an integer.

    *protocol*: DNSKEY protocol field as an integer.

    Raises ``ValueError`` if the specified key algorithm parameters are not
    unsupported, ``TypeError`` if the key type is unsupported,
    `UnsupportedAlgorithm` if the algorithm is unknown and
    `AlgorithmKeyMismatch` if the algorithm does not match the key type.

    Return CDNSKEY ``Rdata``.
    ©rx   ry   r€   r‚   r7   r/   )	rº   r   rx   rj   rs   r€   r‚   r7   r/   )r•   r7   r€   r‚   r¤   r!   r!   r"   Ú_make_cdnskey¸  s    úr¼   )ÚdomainÚsaltÚ
iterationsr7   r   c           
      C   s  t  dd¡}zt|t ƒr$t| ¡  }W n tk
rB   tdƒ‚Y nX |tjkrVtdƒ‚|dkrdd}n4t|t ƒr”t|ƒd dkrŠt	 
|¡}q˜tdƒ‚n|}t| tjjƒs²tj | ¡} |  ¡  ¡ }|dk	sÊt‚t || ¡ ¡ }t|ƒD ]}t || ¡ ¡ }qät |¡ d	¡}	|	 |¡}	|	S )
aà  
    Calculate the NSEC3 hash, according to
    https://tools.ietf.org/html/rfc5155#section-5

    *domain*, a ``dns.name.Name`` or ``str``, the name to hash.

    *salt*, a ``str``, ``bytes``, or ``None``, the hash salt.  If a
    string, it is decoded as a hex string.

    *iterations*, an ``int``, the number of iterations.

    *algorithm*, a ``str`` or ``int``, the hash algorithm.
    The only defined algorithm is SHA1.

    Returns a ``str``, the encoded NSEC3 hash.
    Z ABCDEFGHIJKLMNOPQRSTUVWXYZ234567Z 0123456789ABCDEFGHIJKLMNOPQRSTUVz-Wrong hash algorithm (only SHA1 is supported)Nr¦   r3   r   zInvalid salt lengthzutf-8)r*   Ú	maketransr'   r   r`   ra   rb   rc   r:   ÚbytesÚfromhexrj   rY   ÚNamer    rk   r6   rl   rd   re   rn   r9   Úbase64Ú	b32encodeÚdecodeÚ	translate)
r½   r¾   r¿   r7   Zb32_conversionZsalt_encodedZdomain_encodedrn   rC   Úoutputr!   r!   r"   Ú
nsec3_hashÞ  s8     ÿ




rÉ   )r   Ú
algorithmsrZ   r   c           	   	   C   s  t | ƒ\}}|jtjjtjjtjjfkr0tdƒ‚tƒ }|D ]J}zt	|t
ƒrVt| ¡  }W n  tk
rx   td| ƒ‚Y nX | |¡ q:|jtjjkrÞg }t|ƒD ]}|j|kr | |¡ q t|ƒdkrÎtdƒ‚tj |j|¡S g }|D ]}| t||||ƒ¡ qætj |j|¡S )a  Create a DS record from DNSKEY/CDNSKEY/CDS.

    *rrset*, the RRset to create DS Rdataset for.  This can be a
    ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``)
    tuple.

    *algorithms*, a set of ``str`` or ``int`` specifying the hash algorithms.
    The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case
    does not matter for these strings. If the RRset is a CDS, only digest
    algorithms matching algorithms are accepted.

    *origin*, a ``dns.name.Name`` or ``None``.  If `key` is a relative name,
    then it will be made absolute using the specified origin.

    Raises ``UnsupportedAlgorithm`` if any of the algorithms are unknown and
    ``ValueError`` if the given RRset is not usable.

    Returns a ``dns.rdataset.Rdataset``
    zrrset not a DNSKEY/CDNSKEY/CDSr]   r   zno acceptable CDS rdata found)r   ry   rj   rs   r   r   r   rb   Úsetr'   r*   r   r`   ra   r   ÚaddÚcds_rdataset_to_ds_rdatasetr{   Úappendr:   r‹   Úfrom_rdata_listrª   ÚextendÚdnskey_rdataset_to_cds_rdataset)	r   rÊ   rZ   r¡   r‹   Z_algorithmsr7   Úresr;   r!   r!   r"   Úmake_ds_rdataset  s6    ý

rÓ   )r‹   r   c                 C   s\   | j tjjkrtdƒ‚g }| D ],}| t|jtjj|j|j	|j
|jd¡ qtj | j|¡S )zÊCreate a CDS record from DS.

    *rdataset*, a ``dns.rdataset.Rdataset``, to create DS Rdataset for.

    Raises ``ValueError`` if the rdataset is not CDS.

    Returns a ``dns.rdataset.Rdataset``
    zrdataset not a CDSrw   )ry   rj   rs   r   rb   rÎ   rx   r   rz   r7   r{   rn   r‹   rÏ   rª   ©r‹   rÒ   r;   r!   r!   r"   rÍ   U  s    úÿ
rÍ   )rY   r‹   r7   rZ   r   c                 C   sP   |j tjjtjjfkrtdƒ‚g }|D ]}| t| |||ƒ¡ q&tj 	|j
|¡S )a±  Create a CDS record from DNSKEY/CDNSKEY.

    *name*, a ``dns.name.Name`` or ``str``, the owner name of the CDS record.

    *rdataset*, a ``dns.rdataset.Rdataset``, to create DS Rdataset for.

    *algorithm*, a ``str`` or ``int`` specifying the hash algorithm.
    The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case
    does not matter for these strings.

    *origin*, a ``dns.name.Name`` or ``None``.  If `key` is a relative name,
    then it will be made absolute using the specified origin.

    Raises ``UnsupportedAlgorithm`` if the algorithm is unknown or
    ``ValueError`` if the rdataset is not DNSKEY/CDNSKEY.

    Returns a ``dns.rdataset.Rdataset``
    zrdataset not a DNSKEY/CDNSKEY)ry   rj   rs   r   r   rb   rÎ   r|   r‹   rÏ   rª   )rY   r‹   r7   rZ   rÒ   r;   r!   r!   r"   rÑ   r  s    rÑ   c                 C   sZ   | j tjjkrtdƒ‚g }| D ]*}| t| j| j |j|j	|j
|jd¡ qtj | j|¡S )z Create a CDNSKEY record from DNSKEY.

    *rdataset*, a ``dns.rdataset.Rdataset``, to create CDNSKEY Rdataset for.

    Returns a ``dns.rdataset.Rdataset``
    zrdataset not a DNSKEYr»   )ry   rj   rs   r   rb   rÎ   r   rx   r€   r‚   r7   r/   r‹   rÏ   rª   rÔ   r!   r!   r"   Ú#dnskey_rdataset_to_cdnskey_rdataset“  s    
úÿ
rÕ   )Útxnr   rˆ   ÚksksÚzsksrš   r™   r¥   r[   rZ   r   c
                 C   sr   |j ttjjjtjjjtjjjgƒkr,|}
n|}
|
D ]8\}}tjj	|||||||||	d	}|  
|j|j|¡ q4dS )zDefault RRset signer)	r   r£   r¤   rš   r™   r¥   rˆ   r[   rZ   N)ry   rË   rj   rs   Ú	RdataTyper   r   r   r­   r®   rÌ   rY   rª   )rÖ   r   rˆ   r×   rØ   rš   r™   r¥   r[   rZ   r}   r£   r¤   r~   r!   r!   r"   Údefault_rrset_signer®  s*    ýÿ÷rÚ   T)ÚzonerÖ   r}   Ú
add_dnskeyÚ
dnskey_ttlrš   r™   r¥   Únsec3Úrrset_signerr[   r   c                 C   s*  g }g }|rN|D ]*}|d j tj@ r0| |¡ q| |¡ q|sD|}|sR|}ng }|rbt |¡}n|  ¡ }|²}|rÐ|dkr²| | jt	j
j¡}|rš|j}n| | jt	j
j¡}|j}|D ]\}}| | j||¡ q¶|rÞtdƒ‚n>|	ptjt| j||||||
| jd	}t| ||ƒW  5 Q R £ S W 5 Q R X dS )a?  Sign zone.

    *zone*, a ``dns.zone.Zone``, the zone to sign.

    *txn*, a ``dns.transaction.Transaction``, an optional transaction to use for
    signing.

    *keys*, a list of (``PrivateKey``, ``DNSKEY``) tuples, to use for signing. KSK/ZSK
    roles are assigned automatically if the SEP flag is used, otherwise all RRsets are
    signed by all keys.

    *add_dnskey*, a ``bool``.  If ``True``, the default, all specified DNSKEYs are
    automatically added to the zone on signing.

    *dnskey_ttl*, a``int``, specifies the TTL for DNSKEY RRs. If not specified the TTL
    of the existing DNSKEY RRset used or the TTL of the SOA RRset.

    *inception*, a ``datetime``, ``str``, ``int``, ``float`` or ``None``, the signature
    inception time.  If ``None``, the current time is used.  If a ``str``, the format is
    "YYYYMMDDHHMMSS" or alternatively the number of seconds since the UNIX epoch in text
    form; this is the same the RRSIG rdata's text form. Values of type `int` or `float`
    are interpreted as seconds since the UNIX epoch.

    *expiration*, a ``datetime``, ``str``, ``int``, ``float`` or ``None``, the signature
    expiration time.  If ``None``, the expiration time will be the inception time plus
    the value of the *lifetime* parameter.  See the description of *inception* above for
    how the various parameter types are interpreted.

    *lifetime*, an ``int`` or ``None``, the signature lifetime in seconds.  This
    parameter is only meaningful if *expiration* is ``None``.

    *nsec3*, a ``NSEC3PARAM`` Rdata, configures signing using NSEC3. Not yet
    implemented.

    *rrset_signer*, a ``Callable``, an optional function for signing RRsets. The
    function requires two arguments: transaction and RRset. If the not specified,
    ``dns.dnssec.default_rrset_signer`` will be used.

    Returns ``None``.
    r4   Nz&Signing with NSEC3 not yet implemented)rˆ   r×   rØ   rš   r™   r¥   r[   rZ   )r€   r   ZSEPrÎ   Ú
contextlibÚnullcontextÚwriterr‡   rZ   rj   rs   r   rª   ZSOArÌ   ÚNotImplementedErrorÚ	functoolsÚpartialrÚ   Ú_sign_zone_nsec)rÛ   rÖ   r}   rÜ   rÝ   rš   r™   r¥   rÞ   rß   r[   r×   rØ   r/   ÚcmZ_txnr¤   ZsoarC   Z_rrset_signerr!   r!   r"   Ú	sign_zoneÖ  sN    6

÷rè   )rÛ   rÖ   rß   r   c              	   C   s6  dt jjt jjtt jj t jjttt	 ddœdd„}|  
¡ j}d}d}t| ¡ ƒD ]Â}|rh| |¡rhqRn$| |t jj¡rˆ|| jkrˆ|}nd}|rò| |¡}|rò|jD ]L}	|	jt jjkrºq¤q¤|rÐ|	jt jjkrÐq¤q¤t jj||	jf|	žŽ }
|||
ƒ q¤|dk	r||||| j||ƒ |}qR|r2|||| j| j||ƒ dS )zNSEC zone signerN)rÖ   rY   Únext_securerx   rª   rß   r   c              
   S   sŽ   t tjjjtjjjgƒ}|  |¡}|rŠ|rŠt dd„ |jD ƒƒ|B }t 	t
|ƒ¡}	tj ||t|tjjj||	d¡}
|  |
¡ |rŠ|| |
ƒ dS )zNSEC zone signer helperc                 S   s   g | ]
}|j ‘qS r!   )ry   )rƒ   r‹   r!   r!   r"   r†   V  s     z:_sign_zone_nsec.<locals>._txn_add_nsec.<locals>.<listcomp>)rx   ry   ÚnextÚwindowsN)rË   rj   rs   rÙ   r   r   Úget_nodeÚ	rdatasetsr   Zfrom_rdtypesÚlistr   Ú
from_rdatarÌ   )rÖ   rY   ré   rx   rª   rß   Zmandatory_typesr‰   Útypesrë   r   r!   r!   r"   Ú_txn_add_nsecG  s*    	ÿ
ÿüý

z&_sign_zone_nsec.<locals>._txn_add_nsec)N)rj   ÚtransactionÚTransactionrY   rÃ   r   rq   Z
RdataClassr(   ÚRRsetSignerZget_soaÚminimumr¶   Ziterate_namesZis_subdomainr‡   rs   ZNSrZ   rì   rí   ry   r   r   r   rï   rª   rx   )rÛ   rÖ   rß   rñ   Z	rrsig_ttlZ
delegationZlast_securerY   r‰   r‹   r   r!   r!   r"   ræ   @  sR     ú
ù 



     ÿræ   c                  O   s   t dƒ‚d S )Nz.DNSSEC validation requires python cryptography)ÚImportError)ÚargsÚkwargsr!   r!   r"   Ú
_need_pyca  s    ÿrù   r­   )r   )Údsa)Úec)Úed448)Úrsa)Úed25519)r¹   r’   )r   r   )NNF)N)NNN)NNN)NNNFNN)N)N)N)NNNNN)
NNTNNNNNNN)N)–Ú__doc__rÄ   rà   rä   rd   ro   r˜   r   Útypingr   r   r   r   r   r   r	   r
   Zdns._featuresrj   Zdns.exceptionZdns.nameZdns.nodeZ	dns.rdataZdns.rdataclassZdns.rdatasetZdns.rdatatypeZ	dns.rrsetZdns.transactionZdns.zoneZdns.dnssectypesr   r   r   r   r   r   r   Zdns.rdtypes.ANY.CDNSKEYr   Zdns.rdtypes.ANY.CDSr   Zdns.rdtypes.ANY.DNSKEYr   Zdns.rdtypes.ANY.DSr   Zdns.rdtypes.ANY.NSECr   r   Zdns.rdtypes.ANY.NSEC3PARAMr   Zdns.rdtypes.ANY.RRSIGr   r   Zdns.rdtypes.dnskeybaser   Z	PublicKeyZ
PrivateKeyrò   ró   r   ZRRsetrô   r*   r#   r(   r&   r+   r-   r>   r?   rN   r8   ZDSAZDSANSEC3SHA1ZECCGOSTZNULLrc   ZGOSTZrfc_8624_policyrË   Zallow_all_policyr_   rY   rÃ   r;   ZRdatarM   rv   r|   r‹   ZRdatasetr‰   rŠ   rŒ   r   rÁ   r–   rž   r¢   r°   r›   r   rº   r¼   rÉ   rÓ   rÍ   rÑ   rÕ   rÚ   rÛ   ÚZonerè   ræ   rù   Z	_featuresZhaveZcryptography.exceptionsr   Z)cryptography.hazmat.primitives.asymmetricrú   rû   rü   rý   rþ   Zdns.dnssecalgsr¹   r’   Zdns.dnssecalgs.baser   r   ÚvalidateZvalidate_rrsigr®   Zmake_dnskeyZmake_cdnskeyZ
_have_pycaZDHZECCZRSASHA1ZRSASHA1NSEC3SHA1Z	RSASHA256Z	RSASHA512ZECDSAP256SHA256ZECDSAP384SHA384ZED25519ZED448ZINDIRECTZ
PRIVATEDNSZ
PRIVATEOIDr!   r!   r!   r"   Ú<module>   s
  (ÿÿü   ú

ùP ü

û% 
þþ	   ú
ùI   ú
ùN      ö
õ| ý
üDü
û%ü
û'
û@ ý
ü;þ! ü

û"þ!     ö
õ*          õ
ôm ýüO