a sd_I@s2dZddlZddlZddlZddlZddlZddlZddlZddl Zddl Zddl Zddl Zddl ZGdddejjZGdddejjZGdddejjZeejd d Zd d Zd dZGdddejjZdCddZddZddZddZddZ ddZ!ddZ"dd Z#d!d"Z$d#d$Z%d%d&Z&d'd(Z'd)d*Z(d+d,Z)dDd-d.Z*dEd/d0Z+Gd1d2d2ejjZ,d3d4Z-d5d6Z.z|dd7l/m0Z0dd8l1m2Z2dd9l3m4Z4dd:l5m6Z6dd;l5m7Z7ddl5m:Z:dd?l5m;Z;dd@l5me.Z?dAZ@Yn0e+Z>e*Z?dBZ@dS)Fz.Common DNSSEC-related functions and constants.Nc@seZdZdZdS)UnsupportedAlgorithmz&The DNSSEC algorithm is not supported.N__name__ __module__ __qualname____doc__rr,/usr/lib/python3/dist-packages/dns/dnssec.pyr#src@seZdZdZdS)ValidationFailurez The DNSSEC signature is invalid.Nrrrrr r 'sr c@s\eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZeddZdS) Algorithm cCsdSNrclsrrr _maximum>szAlgorithm._maximumN)rrrRSAMD5ZDHDSAZECCRSASHA1 DSANSEC3SHA1RSASHA1NSEC3SHA1 RSASHA256 RSASHA512ECCGOSTECDSAP256SHA256ECDSAP384SHA384ED25519ED448ZINDIRECTZ PRIVATEDNSZ PRIVATEOID classmethodr!rrrr r +s&r cCs t|S)zConvert text into a DNSSEC algorithm value. *text*, a ``str``, the text to convert to into an algorithm value. Returns an ``int``. )r from_text)textrrr algorithm_from_textFsr1cCs t|S)zConvert a DNSSEC algorithm value to text *value*, an ``int`` a DNSSEC algorithm. Returns a ``str``, the name of a DNSSEC algorithm. )r Zto_text)valuerrr algorithm_to_textQsr3cCs|}|jtjkr(|dd>|dSd}tt|dD](}||d|d>|d|d7}q7}||d?d@7}|d@Sd S) zReturn the key id (a 16-bit number) for the specified key. *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY`` Returns an ``int`` between 0 and 65535 rrr r riN)to_wire algorithmr r"rangelen)keyrdatatotalirrr key_id\s r>c@s(eZdZdZdZdZdZeddZdS)DSDigestz(DNSSEC Delgation Signer Digest Algorithmr r rcCsdSrrrrrr r!xszDSDigest._maximumN) rrrrSHA1SHA256SHA384r.r!rrrr r?qs r?cCszt|trt|}Wnty8td|Yn0|tjkrNt}n4|tj krbt }n |tj krvt }n td|t|trt j||}||||j|d|}tdt||j||}t jt jjt jj|dt|S)aqCreate a DS record for a DNSSEC key. *name*, a ``dns.name.Name`` or ``str``, the owner name of the DS record. *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY``, the key the DS is about. *algorithm*, a ``str`` or ``int`` specifying the hash algorithm. The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case does not matter for these strings. *origin*, a ``dns.name.Name`` or ``None``. If `key` is a relative name, then it will be made absolute using the specified origin. Raises ``UnsupportedAlgorithm`` if the algorithm is unknown. Returns a ``dns.rdtypes.ANY.DS.DS`` zunsupported algorithm "%s"originz!HBBr) isinstancestrr?upper Exceptionrr@hashlibsha1rAZsha256rBZsha384dnsnamer/update canonicalizer6digeststructpackr>r7r;Z from_wire rdataclassIN rdatatypeZDSr9)rLr:r7rDZdshashrOZdsrdatarrr make_ds}s.          rUcCsg}||j}|durdSt|tjjrZz|tjjtj j }Wq^t yVYdS0n|}|D](}|j |j krbt ||jkrb||qb|SN)getsignerrErKZnodeZNodeZ find_rdatasetrRrSrTZDNSKEYKeyErrorr7r>Zkey_tagappend)keysrrsigcandidate_keysr2rdatasetr;rrr _find_candidate_keyss$       r_cCs|tjtjtjtjtjfvSrV)r r"r$r&r'r(r7rrr _is_rsas racCs|tjtjfvSrV)r r#r%r`rrr _is_dsasrbcCs|tjtjfvSrV)r r*r+r`rrr _is_ecdsasrccCs|tjtjfvSrV)r r,r-r`rrr _is_eddsasrdcCs |tjkSrV)r r)r`rrr _is_gostsrecCs |tjkSrV)r r"r`rrr _is_md5srfcCs|tjtjtjtjfvSrV)r r#r$r%r&r`rrr _is_sha1s rgcCs|tjtjfvSrV)r r'r*r`rrr _is_sha256srhcCs |tjkSrV)r r+r`rrr _is_sha384sricCs |tjkSrV)r r(r`rrr _is_sha512srjcCst|rtSt|r tSt|r0tSt|r@tSt |rPt S|t j krbt S|t j krvtdStd|dS)Nrzunknown hash for algorithm %u)rfhashesZMD5rgr@rhrArirBrjZSHA512r r,r-ZSHAKE256r r`rrr _make_hashs   rmcCs t|dS)NZbig)int from_bytes)brrr _bytes_to_longsrqc$ Cs\t|trtj|tjj}t||}|dur6td|D]}t|tr\|d}|d}n |j}|}|durvt }|j |krtd|j |krtdt |j rX|j} td| dd\} | dd} | dkrtd| dd \} | d d} | d| } | | d} z tt| t| t} WntyLtd Yn0|j}nrt|j rp|j} td| dd\}| dd} d |d }| dd }| d d} | d|}| |d} | d|}| |d} | d|}z2tt|tt|t|t|t} Wnty:td Yn0|jdd}|jdd}tt|t|}nZt|j r:|j} |j tj krt!"}d}n t!#}d}| d|}| ||d }z$t!j$|t|t|dt} Wntytd Yn0|jd|}|j|d}tt|t|}nt%|j r|j} |j tj&krbt'j(}nt)j*}z|+| } Wntytd Yn0|j}n.t,|j rt-dt.|j ntd|j d}||j/|ddd7}||j01|7}|j2t3|dkr,|4|j2dd}tjd|}|1|}t5d|j6|j7|j8}t9|}|D]@} ||7}||7}| 1|}!t5dt3|!}"||"7}||!7}qXt:|j }#zt |j r| ;||t<=|#nft|j r| ;|||#nJt|j r| ;||t!>|#n(t%|j r | ;||ntd|j WdSt?yLYq:Yq:0q:tddS)a*Validate an RRset against a single signature rdata, throwing an exception if validation is not successful. *rrset*, the RRset to validate. This can be a ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``) tuple. *rrsig*, a ``dns.rdata.Rdata``, the signature to validate. *keys*, the key dictionary, used to find the DNSKEY associated with a given name. The dictionary is keyed by a ``dns.name.Name``, and has ``dns.node.Node`` or ``dns.rdataset.Rdataset`` values. *origin*, a ``dns.name.Name`` or ``None``, the origin to use for relative names. *now*, an ``int`` or ``None``, the time, in seconds since the epoch, to use as the current time when validating. If ``None``, the actual current time is used. Raises ``ValidationFailure`` if the signature is expired, not yet valid, the public key is invalid, the algorithm is unknown, the verification fails, etc. Raises ``UnsupportedAlgorithm`` if the algorithm is recognized by dnspython but not implemented. Nz unknown keyrr Zexpiredz not yet validz!Bz!Hr zinvalid public key@r 0)curvexyz)algorithm "%s" not supported by dnspythonzunknown algorithm %urC*z!HHIzverify failure)@rErFrKrLr/rootr_r tupletimeZ expirationZ inceptionrar7r:rPZunpackrsaZRSAPublicNumbersrq public_keydefault_backend ValueErrorZ signaturerbdsaZDSAPublicNumbersZDSAParameterNumbersutilsZencode_dss_signaturercr r*ecZ SECP256R1Z SECP384R1ZEllipticCurvePublicNumbersrdr,ed25519ZEd25519PublicKeyed448ZEd448PublicKeyZfrom_public_bytesrerr3r6rXZ to_digestablelabelsr9splitrQZrdtypeZrdclassZ original_ttlsortedrmZverifypaddingZPKCS1v15ZECDSAInvalidSignature)$rrsetr\r[rDnowr]Z candidate_keyrrnamer^ZkeyptrZbytes_Zrsa_eZrsa_nrZsigtZoctetsZdsa_qZdsa_pZdsa_gZdsa_yZsig_rZsig_srwZecdsa_xZecdsa_yloaderdatasuffixZ rrnamebufZrrfixedZrrlistZrrZrrdataZrrlenZ chosen_hashrrr _validate_rrsigs                                      rc Cst|trtj|tjj}t|tr0|d}n|j}t|trR|d}|d}n |j}|}||}||}||krtd|D]4}zt |||||WdStt fyYq0qtddS)aValidate an RRset against a signature RRset, throwing an exception if none of the signatures validate. *rrset*, the RRset to validate. This can be a ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``) tuple. *rrsigset*, the signature RRset. This can be a ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``) tuple. *keys*, the key dictionary, used to find the DNSKEY associated with a given name. The dictionary is keyed by a ``dns.name.Name``, and has ``dns.node.Node`` or ``dns.rdataset.Rdataset`` values. *origin*, a ``dns.name.Name``, the origin to use for relative names; defaults to None. *now*, an ``int`` or ``None``, the time, in seconds since the epoch, to use as the current time when validating. If ``None``, the actual current time is used. Raises ``ValidationFailure`` if the signature is expired, not yet valid, the public key is invalid, the algorithm is unknown, the verification fails, etc. rr zowner names do not matchNzno RRSIGs validated) rErFrKrLr/r}r~Zchoose_relativityr rr) rZrrsigsetr[rDrrZ rrsignameZ rrsigrdatasetr\rrr _validates*       rc@s eZdZdZdZeddZdS) NSEC3HashzNSEC3 hash algorithmr cCsdSrrrrrr r!szNSEC3Hash._maximumN)rrrrr@r.r!rrrr rsrc Cs tdd}zt|tr$t|}Wnty@tdYn0|tjkrTtd|}|durfd}n.t|trt|ddkrt |}ntdt|t j j st j |}|}t||}t|D]}t||}qt|d } | |} | S) a Calculate the NSEC3 hash, according to https://tools.ietf.org/html/rfc5155#section-5 *domain*, a ``dns.name.Name`` or ``str``, the name to hash. *salt*, a ``str``, ``bytes``, or ``None``, the hash salt. If a string, it is decoded as a hex string. *iterations*, an ``int``, the number of iterations. *algorithm*, a ``str`` or ``int``, the hash algorithm. The only defined algorithm is SHA1. Returns a ``str``, the encoded NSEC3 hash. Z ABCDEFGHIJKLMNOPQRSTUVWXYZ234567Z 0123456789ABCDEFGHIJKLMNOPQRSTUVz-Wrong hash algorithm (only SHA1 is supported)Nrzr rzInvalid salt lengthzutf-8)rF maketransrErrGrHrr@r9bytesfromhexrKrLNamer/rNr6rIrJrOr8base64Z b32encodedecode translate) ZdomainZsaltZ iterationsr7Zb32_conversionZ salt_encodedZdomain_encodedrOr=outputrrr nsec3_hashs4         rcOs tddS)Nz.DNSSEC validation requires python cryptography) ImportError)argskwargsrrr _need_pyca.sr)r)r)rl)r)r)r)r)r)r)rFT)N)NN)NN)ArrIrPrrZdns.enumrKZ dns.exceptionZdns.nameZdns.nodeZ dns.rdatasetZ dns.rdataZ dns.rdatatypeZdns.rdataclassZ exceptionZ DNSExceptionrr enumIntEnumr globalsrM __members__r1r3r>r?rUr_rarbrcrdrerfrgrhrirjrmrqrrrrrZcryptography.exceptionsrZcryptography.hazmat.backendsrZcryptography.hazmat.primitivesrlZ)cryptography.hazmat.primitives.asymmetricrrrrrrrrZvalidateZvalidate_rrsigZ _have_pycarrrr st   . 5 : 6