3 bW9@sHdZddlmZddlZddlZddlZddlZddlZddl Zddl Zddl Zddl Zddl ZddlmZGdddejjZGdd d ejjZdZd Zd Zd Zd ZdZdZdZdZdZdZdZdZ dZ!eeeeeeeeeeeee e!dZ"e#dde"j$DZ%ddZ&ddZ'ddZ(dDd d!Z)dEd"d#Z*d$d%Z+d&d'Z,d(d)Z-d*d+Z.d,d-Z/d.d/Z0d0d1Z1d2d3Z2d4d5Z3d6d7Z4d8d9Z5dFd:d;Z6dGdd?Z8y(ddl9Z:ddl;Z:ddld@Z?Wn"e@k re8Z=e8Z>dAZ?YnXy8ddlAZAddlBZAddlCZAddlDZAd@ZEGdBdCdCeFZGWne@k rBdAZEYnXdS)Hz.Common DNSSEC-related functions and constants.)BytesION) string_typesc@seZdZdZdS)UnsupportedAlgorithmz&The DNSSEC algorithm is not supported.N)__name__ __module__ __qualname____doc__r r /usr/lib/python3.6/dnssec.pyr!src@seZdZdZdS)ValidationFailurez The DNSSEC signature is invalid.N)rrrr r r r r r &sr  )RSAMD5DHDSAECCRSASHA1 DSANSEC3SHA1RSASHA1NSEC3SHA1 RSASHA256 RSASHA512INDIRECTECDSAP256SHA256ECDSAP384SHA384 PRIVATEDNS PRIVATEOIDccs|]\}}||fVqdS)Nr ).0xyr r r Nsr+cCs"tj|j}|dkrt|}|S)z:Convert text into a DNSSEC algorithm value @rtype: intN)_algorithm_by_textgetupperint)textvaluer r r algorithm_from_textQsr2cCstj|}|dkrt|}|S)z;Convert a DNSSEC algorithm value to text @rtype: stringN)_algorithm_by_valuer-str)r1r0r r r algorithm_to_text[s r5cCst}|j||d|jS)N)origin)rto_wiregetvalue)recordr6sr r r _to_rdataesr;cCst||}t|}|jtkr0|dd>|d Sd}x|d|d7}qFWt|ddkr||t|dd>7}||d?d@7}|d@SdS) Nrrr rri)r; bytearray algorithmrrangelen)keyr6rdataZtotalir r r key_idks  rFcCs|jdkr d}tjjd}n,|jdkr@d}tjjd}n td|t|trdtjj||}|j |j j |j t |||j }tjdt||j||}tjjtjjtjj|dt|S)NSHA1rSHA256r zunsupported algorithm "%s"z!HBBr)r.dnshashhashesr isinstancername from_textupdateZ canonicalizer7r;digeststructpackrFr@rDZ from_wire rdataclassIN rdatatypeZDSrB)rMrCr@r6ZdsalgrJrPZdsrdatar r r make_ds{s    rVc Csg}|j|j}|dkrdSt|tjjrZy|jtjjtj j }Wq^t k rVdSXn|}x0|D](}|j |j krdt ||jkrd|j|qdW|S)N)r-signerrLrIZnodeZNodeZ find_rdatasetrSrTrUZDNSKEYKeyErrorr@rFZkey_tagappend)keysrrsigZcandidate_keysr1rdatasetrDr r r _find_candidate_keyss     r]cCs|tttttfkS)N)rrr r!r")r@r r r _is_rsasr^cCs |ttfkS)N)rr)r@r r r _is_dsasr_cCsto|ttfkS)N) _have_ecdsar$r%)r@r r r _is_ecdsasracCs|tkS)N)r)r@r r r _is_md5srbcCs|ttttfkS)N)rrrr )r@r r r _is_sha1srccCs |ttfkS)N)r!r$)r@r r r _is_sha256srdcCs|tkS)N)r%)r@r r r _is_sha384srecCs|tkS)N)r")r@r r r _is_sha512srfcCs~t|rtjjdSt|r,tjjdSt|rBtjjdSt|rXtjjdSt|rntjjdStd|dS)NZMD5rGrHZSHA384ZSHA512zunknown hash for algorithm %u) rbrIrJrKrcrdrerfr )r@r r r _make_hashsrgc Cst|rddddddddg}ndt|r6dd d dd g}nLt|rVd ddd dd ddd g }n,t|rvd ddd dd ddd g }n td|t|}t|j}dgd||gd|dgd|g|ddgd|g}tj dt|f|S)N*Hrr r+rr`rerzunknown algorithm %u0rrrz!%dB) rbrcrdrfr rBrgZ digest_sizerQrR)r@ZoidZolenZdlenZidbytesr r r _make_algorithm_ids  <rqc)Cst|trtjj|tjj}xt||D]}|srLrrIrMrNrootr]r tupletimeZ expirationZ inceptionrgr@r^rCrQunpackrBCryptoZ PublicKeyZRSAZ constructUtilnumber bytes_to_longZ signaturer_rrar$ecdsaZcurvesZNIST256pr%ZNIST384pZpoint_is_valid generatorAssertionErrorZ ellipticcurveZPointcurveorderrZZ VerifyingKeyZfrom_public_point ECKeyWrapperZ SignaturerOr;rWZ to_digestableZlabelssplitrRZrdtypeZrdclassZ original_ttlsortedrPrqverify))rrsetr[rZr6nowZ candidate_keyrrnamer\rJZkeyptrZbytes_Zrsa_eZrsa_nZkeylenpubkeysigtZoctetsZdsa_qZdsa_pZdsa_gZdsa_yZdsa_rZdsa_srkey_lenr)r*ZpointZ verifying_keyrr:suffixZ rrnamebufZrrfixedZrrlistZrrZrrdataZrrlenrPZpadlenr r r _validate_rrsigs                                        " rc Cst|trtjj|tjj}t|tr0|d}n|j}t|trR|d}|d}n |j}|}|j|}|j|}||krtdx6|D].}yt |||||dStk rYqXqWtddS)ahValidate an RRset @param rrset: The RRset to validate @type rrset: dns.rrset.RRset or (dns.name.Name, dns.rdataset.Rdataset) tuple @param rrsigset: The signature RRset @type rrsigset: dns.rrset.RRset or (dns.name.Name, dns.rdataset.Rdataset) tuple @param keys: The key dictionary. @type keys: a dictionary keyed by dns.name.Name with node or rdataset values @param origin: The origin to use for relative names @type origin: dns.name.Name or None @param now: The time to use when validating the signatures. The default is the current time. @type now: int rrzowner names do not matchNzno RRSIGs validated) rLrrIrMrNrxryZchoose_relativityr r) rZrrsigsetrZr6rrZ rrsignameZ rrsigrdatasetr[r r r _validatexs*         rcOs tddS)Nz#DNSSEC validation requires pycrypto)NotImplementedError)argskwargsr r r _need_pycryptosrTFc@seZdZddZddZdS)rcCs||_||_dS)N)rCr)selfrCrr r r __init__szECKeyWrapper.__init__cCstjjj|}|jjj||S)N)r|r}r~rrCrZverifies)rrPrZdiglongr r r rszECKeyWrapper.verifyN)rrrrrr r r r rsr)N)N)NN)NN)Hr iorrQrzZ dns.exceptionrIZdns.hashZdns.nameZdns.nodeZ dns.rdatasetZ dns.rdataZ dns.rdatatypeZdns.rdataclassZ_compatrZ exceptionZ DNSExceptionrr rrrrrrr r!r"r$r%r#r&r'r,dictitemsr3r2r5r;rFrVr]r^r_rarbrcrdrerfrgrqrrrZCrypto.PublicKey.RSAr|ZCrypto.PublicKey.DSAZCrypto.Util.numberZvalidateZvalidate_rrsigZ_have_pycrypto ImportErrorrZ ecdsa.ecdsaZecdsa.ellipticcurveZ ecdsa.keysr`objectrr r r r s        0