x@>dZddlmZddlZddlZddlZddlZddlZddl Zddl Zddl Zddl Zddl mZGddejj ZGdd ejj ZdZd Zd Zd Zd ZdZdZdZdZdZdZdZdZdZ eeeeeeeeeeeeee dZ!e!jEDcic]\}}|| c}}Z#dZ$dZ%dZ&d3dZ'd3dZ(dZ)dZ*dZ+d Z,d!Z-d"Z.d#Z/d$Z0d%Z1d&Z2d'Z3d4d(Z4d4d)Z5d*Z6 dd+l7m8Z8m9Z9m:Z:m;Z;mZ?mZ@dd-lAmBZBmCZCdd.lDmEZEe5ZKe4ZLd/ZM ddlNZNddlOZNddlPZNddlQZNd/ZRGd0d1eSZTycc}}w#eF$r'dd+lGm8Z8m9Z9m:Z:m;Z;mZ?mZ@dd-lImBZBmCZCdd.lJmEZEYVwxYw#eF$rd2ZRYywxYw#eF$r e6ZKe6ZLd2ZMd2ZRYywxYw)5z.Common DNSSEC-related functions and constants.)BytesION) string_typesceZdZdZy)UnsupportedAlgorithmz&The DNSSEC algorithm is not supported.N__name__ __module__ __qualname____doc__lib/third_party/dns/dnssec.pyrr"s0rrceZdZdZy)ValidationFailurez The DNSSEC signature is invalid.Nrr rrrr&s*rr )RSAMD5DHDSAECCRSASHA1 DSANSEC3SHA1RSASHA1NSEC3SHA1 RSASHA256 RSASHA512INDIRECTECDSAP256SHA256ECDSAP384SHA384 PRIVATEDNS PRIVATEOIDcftj|j}| t|}|S)zIConvert text into a DNSSEC algorithm value. Returns an ``int``. )_algorithm_by_textgetupperint)textvalues ralgorithm_from_textr4_s-  " "4::< 0E }D  LrcJtj|}| t|}|S)zEConvert a DNSSEC algorithm value to text Returns a ``str``. )_algorithm_by_valuer/str)r3r2s ralgorithm_to_textr8ks'  " "5 )D |5z Krc\t}|j|||jS)N)origin)rto_wiregetvalue)recordr:ss r _to_rdatar?ws% A NN1VN$ ::<rcRt||}t|}|jtk(r|ddz|dzSd}t t |dzD]}||d|zdz|d|zdzzz }t |dzdk7r||t |dz dzz }||dz dzz }|dzS) zReturn the key id (a 16-bit number) for the specified key. Note the *origin* parameter of this function is historical and is not needed. Returns an ``int`` between 0 and 65535. rrrri)r? bytearray algorithmrrangelen)keyr:rdatatotalis rkey_idrL}s c6 "E e E }}b Q%)++s5zQ'A eAEla'a!eai ! !E( u:>Q  U3u:>*a/ /E 5B;&()v~rc |jdk(rd}tj}n8|jdk(rd}tj}nt d|zt |t r tjj||}|j|jj|jt|||j}tj dt#||j$||z}tj&j)tj*j,tj.j0|dt3|S)aCreate a DS record for a DNSSEC key. *name* is the owner name of the DS record. *key* is a ``dns.rdtypes.ANY.DNSKEY``. *algorithm* is a string describing which hash algorithm to use. The currently supported hashes are "SHA1" and "SHA256". Case does not matter for these strings. *origin* is a ``dns.name.Name`` and will be used as the origin if *key* is a relative name. Returns a ``dns.rdtypes.ANY.DS``. SHA1rSHA256rzunsupported algorithm "%s"z!HBBr)r0rNnewrOr isinstancerdnsname from_textupdate canonicalizer;r?digeststructpackrLrErI from_wire rdataclassIN rdatatypeDSrG)rSrHrEr:dsalghashrWdsrdatas rmake_dsrbs "F"xxz  h &zz|"#?)#KLL$ %xx!!$/KK!!#++-.KK #v&' [[]Fkk&&+s}}eDvMG 99  s~~00#--2B2BGQ"7| --rcg}|j|j}|yt|tjj rD |j tjjtjj}n|}|D]F}|j|jk(st||jk(s6|j|H|S#t$rYywxYwN)r/signerrQrRnodeNode find_rdatasetr[r\r]DNSKEYKeyErrorrErLkey_tagappend)keysrrsigcandidate_keysr3rdatasetrIs r_find_candidate_keysrqsN HHU\\ "E }%' **3>>+<+<+.==+?+?AH  ??eoo -u .  ! !% (   sAC C$#C$c<|tttttfvSrd)rr#r%r&r'rEs r_is_rsarts )9"$ $$rc|ttfvSrd)r!r$rss r_is_dsarvs l+ ++rc.txr|ttfvSrd) _have_ecdsar)r*rss r _is_ecdsarys  LI/?)KKLrc|tk(Srd)rrss r_is_md5r{s  rc2|ttttfvSrd)r!r#r$r%rss r_is_sha1r}s g%'79 99rc|ttfvSrd)r&r)rss r _is_sha256rs O4 44rc|tk(Srd)r*rss r _is_sha384rs  ''rc|tk(Srd)r'rss r _is_sha512rs  !!rcTt|rtjSt|rt jSt |rt jSt|rtjSt|rtjStd|z)Nzunknown hash for algorithm %u) r{MD5rPr}rNrrOrSHA384rSHA512rrss r _make_hashrswywwy xxz)zz|)zz|)zz| ;iG HHrcpt|rgd}n>t|rgd}n.t|rgd}nt|rgd}nt d|zt |}t |j}dgd|z|zgzd|dzgzd |gz|zd d gzd|gz}tjd t |zg|S) N)*Hrrrr)+rrr) `rrrerrrr) rrrrrrrrrunknown algorithm %u0rrrrrz!%dB) r{r}rrrrGr digest_sizerXrY)rEoidolendlenidbytess r_make_algorithm_idrsy> ) , I D I D 6 BCC s8D i , ,DfD4((TAX"&.034Tl"D\*G ;;vG , 7w 77rc  t|tr8tjj |tjj }t ||}| td|D]@}t|tr |d}|d}n|j}|}|tj}|j|kr td|j|kDr tdt|j} t|jr|j} t!j"d| dd\} | dd} | dk(r t!j"d| dd \} | d d} | d| } | | d} t%j&t)j*| t)j*| f}|j.}nt1|jr|j} t!j"d| dd\}| dd} d |d zz}| dd }| d d} | d|}| |d} | d|}| |d} | d|}t3j&t)j*|t)j*|t)j*|t)j*|f}|j.dd}nt5|jr|j} |jt6k(rt8j:j<}d}n/|jt>k(rt8j:j@}d}t)j*| d}t)j*| ||d z}t8j8jCjD||s tdt8jFjI|jJ|||jL}t8jNjPjS||}tU||}|j.d|}|j.|d}t8j8jWt)j*|t)j*|}ntd|jz| jYt[||dd| jY|j\j_||j`tc|dz krA|je|j`dzd}tjj d|}|j_|}t!jfd|jh|jj|jl} to|}!|!D]v}"| jY|| jY| |"j_|}#t!jfdtc|#}$| jY|$| jY|#x t|jr)tqjr|}%|%ju| |yt1|jr*twjr|d}%|%ju| |yt5|jr(| jy}&|ju|&|st,td|jzytd#t,$r td wxYw#t,$rYswxYw)aValidate an RRset against a single signature rdata The owner name of *rrsig* is assumed to be the same as the owner name of *rrset*. *rrset* is the RRset to validate. It can be a ``dns.rrset.RRset`` or a ``(dns.name.Name, dns.rdataset.Rdataset)`` tuple. *rrsig* is a ``dns.rdata.Rdata``, the signature to validate. *keys* is the key dictionary, used to find the DNSKEY associated with a given name. The dictionary is keyed by a ``dns.name.Name``, and has ``dns.node.Node`` or ``dns.rdataset.Rdataset`` values. *origin* is a ``dns.name.Name``, the origin to use for relative names. *now* is an ``int``, the time to use when validating the signatures, in seconds since the UNIX epoch. The default is the current time. Nz unknown keyrrexpiredz not yet validz!Bz!Hrzinvalid public key@r rzinvalid ECDSA keyr*z!HHIz fips-186-3zverify failure)=rQrrRrSrTrootrqrtupletime expiration inceptionrrErtrHrXunpack CryptoRSA constructnumber bytes_to_long ValueError signaturerv CryptoDSAryr)ecdsacurvesNIST256pr*NIST384ppoint_is_valid generator ellipticcurvePointcurveorderrm VerifyingKeyfrom_public_point ECKeyWrapper SignaturerUr?re to_digestablelabelsrGsplitrYrdtyperdclass original_ttlsortedpkcs1_15rPverifyDSSrW)'rrsetrnrmr:nowro candidate_keyrrnamerpr`keyptrbytes_rsa_ersa_npubkeysigtoctetsdsa_qdsa_pdsa_gdsa_yrkey_lenxypoint verifying_keyrr>suffix rrnamebufrrfixedrrlistrrrrdatarrlenverifierrWs' r_validate_rrsigrs*&,'##FCHHMM:)$6N ..'  eU #1XFQxHZZFH ;))+C   c !#I. . ??S #O4 4%//* 5?? #"&&F dF1QK8IVABZF{"MM$q < 1V$E67OE >",,))%0))%023 //C U__ %"&&F==va{3DQABZF!a%ZF1RLEBC[F1V$EFG_F1V$EFG_F1V$E((%%e,%%e,%%e,%%e,./F //!"%C u '#&&F/1 --O3 --$$VAg%67A$$VGGaK%@AA;;--eooq!D'(;<<''--ekk1aME!JJ33EEeFKMM!-9F)A)A++''(<((PQQ k(t , --u >'(<== >l   s+!=Z3<[ =[ A[ 3[ [[ct|tr8tjj |tjj }t|t r|d}n |j}t|t r |d}|d}n|j}|}|j|}|j|}||k7r td|D]} t|||||ytd#t$rY,wxYw)aValidate an RRset. *rrset* is the RRset to validate. It can be a ``dns.rrset.RRset`` or a ``(dns.name.Name, dns.rdataset.Rdataset)`` tuple. *rrsigset* is the signature RRset to be validated. It can be a ``dns.rrset.RRset`` or a ``(dns.name.Name, dns.rdataset.Rdataset)`` tuple. *keys* is the key dictionary, used to find the DNSKEY associated with a given name. The dictionary is keyed by a ``dns.name.Name``, and has ``dns.node.Node`` or ``dns.rdataset.Rdataset`` values. *origin* is a ``dns.name.Name``, the origin to use for relative names. *now* is an ``int``, the time to use when validating the signatures, in seconds since the UNIX epoch. The default is the current time. rrzowner names do not matchNzno RRSIGs validated) rQrrRrSrTrrchoose_relativityrr) rrrsigsetrmr:rr rrsigname rrsigrdatasetrns r _validaters&&,'##FCHHMM:%q(E"QK   MM   % %f -F++F3I  :;;  E5$ <  1 22!   s C)) C54C5ctd)Nz5DNSSEC validation requires pycryptodome/pycryptodomex)NotImplementedError)argskwargss r_need_pycryptors U VVr)rrNrOrr)RSAr!)rr)rTceZdZdZdZy)rc ||_||_yrd)rHr)selfrHrs r__init__zECKeyWrapper.__init__s& rcxtj|}|jjj ||Srd)rrrHrverifies)rrWrdiglongs rrzECKeyWrapper.verifys- ..v6xx//==rN)r r r rrr rrrrs  ' >rrFrd)NN)Ur iorrXr dns.exceptionrRdns.namedns.node dns.rdataset dns.rdata dns.rdatatypedns.rdataclass_compatr exception DNSExceptionrrrr r!r"r#r$r%r&r'r)r*r(r+r,r.itemsr6r4r8r?rLrbrqrtrvryr{r}rrrrrrrr Crypto.HashrrNrOrrCrypto.PublicKeyrrrCrypto.Signaturerr Crypto.Utilr ImportErrorCryptodome.HashCryptodome.PublicKeyCryptodome.SignatureCryptodome.Utilvalidatevalidate_rrsig_have_pycryptor ecdsa.ecdsaecdsa.ellipticcurve ecdsa.keysrxobjectr)rrs00rrs$5 !13==551+ 22+            (&&*);(@(@(BC(B1q!t(BC   0"-J($ ,M9 5(" I8&V.r-3`W(> +AAG2&H$NN>"  >6 >G DT +EEK6* +(  H#NNK sB1 E $E,E?)E<9F ;E<<F ?F F  FF