o 2cL@sdZddlZddlZddlZddlZddlZddlZddlZddl Zddl Zddl Zddl Zddl ZGdddejjZGdddejjZGdddejjZd d Zd d Zd dZGdddejjZdCddZddZddZddZddZddZddZdd Z d!d"Z!d#d$Z"d%d&Z#d'd(Z$d)d*Z%d+d,Z&dDd-d.Z'dDd/d0Z(Gd1d2d2ejjZ)d3d4Z*d5d6Z+z>dd7l,m-Z-dd8l.m/Z/dd9l0m1Z1dd:l2m3Z3dd;l2m4Z4ddl2m7Z7dd?l2m8Z8dd@l2m9Z9Wne:y e+Z;e+ZZ>ej?Z?ej@Z@ejAZAejBZBejCZCejDZDejEZEejFZFejGZGejHZHejIZIejJZJejKZKejLZLejMZMejNZNdS)Ez.Common DNSSEC-related functions and constants.Nc@eZdZdZdS)UnsupportedAlgorithmz&The DNSSEC algorithm is not supported.N__name__ __module__ __qualname____doc__r r @/var/www/html/gps/gps/lib/python3.10/site-packages/dns/dnssec.pyr#rc@r)ValidationFailurez The DNSSEC signature is invalid.Nrr r r r r 'r r c@s\eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZeddZdS) Algorithm cCdSNr clsr r r _maximum>zAlgorithm._maximumN)rrrRSAMD5DHDSAECCRSASHA1 DSANSEC3SHA1RSASHA1NSEC3SHA1 RSASHA256 RSASHA512ECCGOSTECDSAP256SHA256ECDSAP384SHA384ED25519ED448INDIRECT PRIVATEDNS PRIVATEOID classmethodr$r r r r r +s(r cC t|S)zConvert text into a DNSSEC algorithm value. *text*, a ``str``, the text to convert to into an algorithm value. Returns an ``int``. )r from_text)textr r r algorithm_from_textC r;cCr8)zConvert a DNSSEC algorithm value to text *value*, an ``int`` a DNSSEC algorithm. Returns a ``str``, the name of a DNSSEC algorithm. )r to_text)valuer r r algorithm_to_textNr<r?cCs|}|jtjkr|dd>|dSd}tt|dD]}||d|d>|d|d7}qt|ddkrG||t|dd>7}||d?d@7}|d@S) zReturn the key id (a 16-bit number) for the specified key. *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY`` Returns an ``int`` between 0 and 65535 rrrrri)to_wire algorithmr r&rangelen)keyrdatatotalir r r key_idYs rJc@s(eZdZdZdZdZdZeddZdS)DSDigestz(DNSSEC Delgation Signer Digest AlgorithmrrrcCrr r r"r r r r$ur%zDSDigest._maximumN) rrrrSHA1SHA256SHA384r7r$r r r r rKnsrKcCsz t|tr t|}Wn tytd|w|tjkr%t}n|tj kr/t }n|tj kr9t }ntd|t|trKt j||}||||j|d|}tdt||j||}t jt jjt jj|dt|S)aqCreate a DS record for a DNSSEC key. *name*, a ``dns.name.Name`` or ``str``, the owner name of the DS record. *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY``, the key the DS is about. *algorithm*, a ``str`` or ``int`` specifying the hash algorithm. The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case does not matter for these strings. *origin*, a ``dns.name.Name`` or ``None``. If `key` is a relative name, then it will be made absolute using the specified origin. Raises ``UnsupportedAlgorithm`` if the algorithm is unknown. Returns a ``dns.rdtypes.ANY.DS.DS`` zunsupported algorithm "%s"originz!HBBr) isinstancestrrKupper ExceptionrrLhashlibsha1rMsha256rNsha384dnsnamer9update canonicalizerBdigeststructpackrJrCrG from_wire rdataclassIN rdatatypeDSrE)rZrFrCrPdshashr]dsrdatar r r make_dszs2            rgcCsg}||j}|durdSt|tjjr,z |tjjtj j }Wn t y+YdSw|}|D]}|j |j krDt ||jkrD||q0|SN)getsignerrQrYnodeNode find_rdatasetrarbrcDNSKEYKeyErrorrCrJkey_tagappend)keysrrsigcandidate_keysr>rdatasetrGr r r _find_candidate_keyss(      rvcCs|tjtjtjtjtjfvSrh)r r&r*r,r-r.rCr r r _is_rsas rxcC|tjtjfvSrh)r r(r+rwr r r _is_dsarzcCryrh)r r0r1rwr r r _is_ecdsar{r|cCryrh)r r2r3rwr r r _is_eddsar{r}cC |tjkSrh)r r/rwr r r _is_gost rcCr~rh)r r&rwr r r _is_md5rrcCs|tjtjtjtjfvSrh)r r(r*r+r,rwr r r _is_sha1s rcCryrh)r r-r0rwr r r _is_sha256r{rcCr~rh)r r1rwr r r _is_sha384rrcCr~rh)r r.rwr r r _is_sha512rrcCst|rtSt|rtSt|rtSt|r tSt |r(t S|t j kr1t S|t j kr;tdStd|)Nrzunknown hash for algorithm %u)rhashesMD5rrLrrMrrNrSHA512r r2r3SHAKE256r rwr r r _make_hashs    rcCs t|dS)Nbig)int from_bytes)br r r _bytes_to_longs rc$ Csnt|trtj|tjj}t||}|durtd|D]}t|tr.|d}|d}n|j}|}|dur;t }|j |krDtd|j |krMtdt |j r|j} td| dd\} | dd} | dkr{td| dd \} | d d} | d| } | | d} ztt| t| t} Wn tytd w|j}n1t|j r1|j} td| dd\}| dd} d |d }| dd }| d d} | d|}| |d} | d|}| |d} | d|}ztt|tt|t|t|t} Wn tytd w|jdd}|jdd}tt|t|}nt|j r|j} |j tj krHt!"}d}nt!#}d}| d|}| ||d }zt!j$|t|t|dt} Wn tyztd w|jd|}|j|d}tt|t|}nEt%|j r|j} |j tj&krt'j(}nt)j*}z|+| } Wn tytd w|j}nt,|j rt-dt.|j td|j d}||j/|ddd7}||j01|7}|2|}t3|d|j4krtd|j4t3|dkr|5|j4dd}tjd|}|1}t6d|j7|j8|j9}t:|}|D] } ||7}||7}| 1|}!t6dt3|!}"||"7}||!7}q2t;|j }#zPt |j rm| <||t=>|#WdSt|j r~| <|||#WdSt|j r| <||t!?|#WdSt%|j r| <||WdStd|j t@yYqwtd)a*Validate an RRset against a single signature rdata, throwing an exception if validation is not successful. *rrset*, the RRset to validate. This can be a ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``) tuple. *rrsig*, a ``dns.rdata.Rdata``, the signature to validate. *keys*, the key dictionary, used to find the DNSKEY associated with a given name. The dictionary is keyed by a ``dns.name.Name``, and has ``dns.node.Node`` or ``dns.rdataset.Rdataset`` values. *origin*, a ``dns.name.Name`` or ``None``, the origin to use for relative names. *now*, an ``int`` or ``None``, the time, in seconds since the epoch, to use as the current time when validating. If ``None``, the actual current time is used. Raises ``ValidationFailure`` if the signature is expired, not yet valid, the public key is invalid, the algorithm is unknown, the verification fails, etc. Raises ``UnsupportedAlgorithm`` if the algorithm is recognized by dnspython but not implemented. Nz unknown keyrrexpiredz not yet validz!Bz!Hrzinvalid public key@r 0)curvexyz)algorithm "%s" not supported by dnspythonzunknown algorithm %urOz#owner name longer than RRSIG labels*z!HHIzverify failure)ArQrRrYrZr9rootrvr tupletime expiration inceptionrxrCrFr^unpackrsaRSAPublicNumbersr public_keydefault_backend ValueError signaturerzdsaDSAPublicNumbersDSAParameterNumbersutilsencode_dss_signaturer|r r0ec SECP256R1 SECP384R1EllipticCurvePublicNumbersr}r2ed25519Ed25519PublicKeyed448Ed448PublicKeyfrom_public_bytesrrr?rBrj to_digestable derelativizerElabelssplitr_rdtyperdclass original_ttlsortedrverifypaddingPKCS1v15ECDSAInvalidSignature)$rrsetrsrrrPnowrt candidate_keyrrnamerukeyptrbytes_rsa_ersa_nrsigtoctetsdsa_qdsa_pdsa_gdsa_ysig_rsig_srecdsa_xecdsa_yloaderdatasuffix rrnamebufrrfixedrrlistrrrrdatarrlen chosen_hashr r r _validate_rrsigs2                                       rc Cst|trtj|tjj}t|tr|d}n|j}t|tr)|d}|d}n|j}|}||}||}||kr@td|D]}z t |||||WdStt fy[YqBwtd)aValidate an RRset against a signature RRset, throwing an exception if none of the signatures validate. *rrset*, the RRset to validate. This can be a ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``) tuple. *rrsigset*, the signature RRset. This can be a ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``) tuple. *keys*, the key dictionary, used to find the DNSKEY associated with a given name. The dictionary is keyed by a ``dns.name.Name``, and has ``dns.node.Node`` or ``dns.rdataset.Rdataset`` values. *origin*, a ``dns.name.Name``, the origin to use for relative names; defaults to None. *now*, an ``int`` or ``None``, the time, in seconds since the epoch, to use as the current time when validating. If ``None``, the actual current time is used. Raises ``ValidationFailure`` if the signature is expired, not yet valid, the public key is invalid, the algorithm is unknown, the verification fails, etc. rrzowner names do not matchNzno RRSIGs validated) rQrRrYrZr9rrchoose_relativityr rr) rrrsigsetrrrPrr rrsigname rrsigrdatasetrsr r r _validates,       rc@s eZdZdZdZeddZdS) NSEC3HashzNSEC3 hash algorithmrcCrr r r"r r r r$r%zNSEC3Hash._maximumN)rrrrrLr7r$r r r r rs rc Cstdd}z t|trt|}Wn tytdw|tjkr(td|}|dur1d}nt|trHt|ddkrDt |}ntdt|t j j sUt j |}|}t||}t|D] }t||}qht|d } | |} | S) a Calculate the NSEC3 hash, according to https://tools.ietf.org/html/rfc5155#section-5 *domain*, a ``dns.name.Name`` or ``str``, the name to hash. *salt*, a ``str``, ``bytes``, or ``None``, the hash salt. If a string, it is decoded as a hex string. *iterations*, an ``int``, the number of iterations. *algorithm*, a ``str`` or ``int``, the hash algorithm. The only defined algorithm is SHA1. Returns a ``str``, the encoded NSEC3 hash. ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 0123456789ABCDEFGHIJKLMNOPQRSTUVz-Wrong hash algorithm (only SHA1 is supported)NrrrzInvalid salt lengthzutf-8)rR maketransrQrrSrTrrLrEbytesfromhexrYrZNamer9r\rBrUrVr]rDbase64 b32encodedecode translate) domainsalt iterationsrCb32_conversion salt_encodeddomain_encodedr]_outputr r r nsec3_hashs8          rcOstd)Nz.DNSSEC validation requires python cryptography) ImportError)argskwargsr r r _need_pyca0sr)r)r)r)r)r)r)r)r)r)rFTrh)NN)OrrUr^rrdns.enumrY dns.exceptiondns.namedns.node dns.rdataset dns.rdata dns.rdatatypedns.rdataclass exception DNSExceptionrr enumIntEnumr r;r?rJrKrgrvrxrzr|r}rrrrrrrrrrrrrcryptography.exceptionsrcryptography.hazmat.backendsrcryptography.hazmat.primitivesr)cryptography.hazmat.primitives.asymmetricrrrrrrrrvalidatevalidate_rrsig _have_pycar&r'r(r)r*r+r,r-r.r/r0r1r2r3r4r5r6r r r r s   .  :: 6