Sc@s:dZddlZddlZddlZddlZddlZddlZddlZddl Zddl Zddl Zddl Zdej jfdYZdej jfdYZdZdZd Zd Zd Zd Zd ZdZdZdZdZdZdZdZied6ed6ed6ed6ed6ed6ed6ed6ed6ed6ed6ed 6ed!6ed"6Ze gej!D]\Z"Z#e#e"f^qZ$d#Z%d$Z&d%Z'dd&Z)dd'Z*d(Z+d)Z,d*Z-d+Z.d,Z/d-Z0d.Z1d/Z2d0Z3d1Z4d2Z5ddd3Z6ddd4Z7d5Z8y:ddl9Z:ddl;Z:ddl<Z:e7Z=e6Z>e?Z@Wn#eAk re8Z=e8Z>eBZ@nXyPddlCZCddlDZCddlEZCddlFZCe?ZGd6eHfd7YZIWneAk r5eBZGnXdS(8s.Common DNSSEC-related functions and constants.iNtUnsupportedAlgorithmcBseZdZRS(s(Raised if an algorithm is not supported.(t__name__t __module__t__doc__(((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyRstValidationFailurecBseZdZRS(s The DNSSEC signature is invalid.(RRR(((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyR#siiiiiiiii i iiiitRSAMD5tDHtDSAtECCtRSASHA1t DSANSEC3SHA1tRSASHA1NSEC3SHA1t RSASHA256t RSASHA512tINDIRECTtECDSAP256SHA256tECDSAP384SHA384t PRIVATEDNSt PRIVATEOIDcCs4tj|j}|dkr0t|}n|S(s:Convert text into a DNSSEC algorithm value @rtype: intN(t_algorithm_by_texttgettuppertNonetint(ttexttvalue((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pytalgorithm_from_textMs cCs.tj|}|dkr*t|}n|S(s;Convert a DNSSEC algorithm value to text @rtype: stringN(t_algorithm_by_valueRRtstr(RR((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pytalgorithm_to_textVs cCs)tj}|j|d||jS(Ntorigin(t cStringIOtStringIOtto_wiretgetvalue(trecordRts((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt _to_rdata_s cCst||}|jtkr>t|dd>t|dSd}xPtt|dD]8}|t|d|d>t|d|d7}q[Wt|ddkr|t|t|dd>7}n||d?d@7}|d@SdS( Niiiiiiii(R%t algorithmRtordtrangetlen(tkeyRtrdatattotalti((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pytkey_idds 6%cCs(|jdkr0d}tjjd}n=|jdkr`d}tjjd}n td|t|ttfrtjj ||}n|j |j j |j t |||j}tjdt||j||}tjjtjjtjj|dt|S(NtSHA1itSHA256isunsupported algorithm "%s"s!HBBi(RtdnsthashRRt isinstanceRtunicodetnamet from_texttupdatet canonicalizeR!R%tdigesttstructtpackR.R&R+t from_wiret rdataclasstINt rdatatypetDSR)(R5R*R&RtdsalgR2R9tdsrdata((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pytmake_dsqs  %!cCsg}|j|j}|dkr(dSt|tjjrwy"|jtjj tj j }Wq}t k rsdSXn|}xE|D]=}|j |j krt||jkr|j|qqW|S(N(RtsignerRR3R1tnodetNodet find_rdatasetR=R>R?tDNSKEYtKeyErrorR&R.tkey_tagtappend(tkeystrrsigtcandidate_keysRtrdatasetR+((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt_find_candidate_keyss    cCs|tttttfkS(N(RR R R R (R&((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt_is_rsas cCs|ttfkS(N(RR (R&((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt_is_dsascCsto|ttfkS(N(t _have_ecdsaRR(R&((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt _is_ecdsascCs |tkS(N(R(R&((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt_is_md5scCs|ttttfkS(N(RR R R (R&((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt_is_sha1s cCs|ttfkS(N(R R(R&((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt _is_sha256scCs |tkS(N(R(R&((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt _is_sha384scCs |tkS(N(R (R&((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt _is_sha512scCst|rtjjdSt|r>tjjdSt|r]tjjdSt|r|tjjdSt|rtjjdStd|dS(NtMD5R/R0tSHA384tSHA512sunknown hash for algorithm %u( RUR1R2RRVRWRXRYR(R&((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt _make_hashs     c Cs7t|r-ddddddddg}nt|rQdd d dd g}nmt|rd ddd dd ddd g }n=t|rd ddd dd ddd g }n td|t|}t|j}dgd||gd|dgd|g|ddgd|g}djt t |S(Ni*iiHii iii+iiii`iieisunknown algorithm %ui0iiit( RURVRWRYRR)R]t digest_sizetjointmaptchr(R&toidtolentdlentidbytes((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt_make_algorithm_ids !  $ $  Hc*Cszt|ttfr3tjj|tjj}nx7t||D]&}|s[tdnt|t r|d}|d}n|j}|}|dkrt j }n|j |krtdn|j |krtdnt|j}t|jr|j} tjd| dd!\} | d} | dkrctjd| dd!\} | d} n| d| !} | | } t| d } tjjjtjjj| tjjj| f}tjjj|jf}nt|jr(|j} tjd| dd!\}| d} d |d }| dd !}| d } | d|!}| |} | d|!}| |} | d|!}tjjjtjjj|tjjj|tjjj|tjjj|f}tjd |jd\}}tjjj|tjjj|f}nYt|jrq|jt krat!j"j#}d }d }n3|jt$krt!j"j%}d}d}n td|j} tjjj| d|!}tjjj| ||d!}t!j&j'|j(|||j)}t!j*j+j,||}t-||}|j| }|j|} t!j!j.tjjj|tjjj| }ntd|j|j/t0||d |j/|j1j2||j3t|dkr|j4|j3dd}!tjjd|!}n|j2|}"tj5d|j6|j7|j8}#t9|}$xi|$D]a}%|j/|"|j/|#|%j2|}&tj5dt|&}'|j/|'|j/|&qBW|j:}(t|jr"t;|j|(}(| d t|(d})t<dt<dt<d|)t<d|(}(n1t|jsSt|jrCntd|j|j=|(|rCdSqCWtddS(sValidate an RRset against a single signature rdata The owner name of the rrsig is assumed to be the same as the owner name of the rrset. @param rrset: The RRset to validate @type rrset: dns.rrset.RRset or (dns.name.Name, dns.rdataset.Rdataset) tuple @param rrsig: The signature rdata @type rrsig: dns.rrset.Rdata @param keys: The key dictionary. @type keys: a dictionary keyed by dns.name.Name with node or rdataset values @param origin: The origin to use for relative names @type origin: dns.name.Name or None @param now: The time to use when validating the signatures. The default is the current time. @type now: int s unknown keyiitexpireds not yet valids!Bs!Hiii@is!20s20si i0sunknown ECDSA curvesunknown algorithm %uit*s!HHIiiNsverify failure(>R3RR4R1R5R6trootRPRttupleRttimet expirationt inceptionR]R&RQR*R:tunpackR)tCryptot PublicKeytRSAt constructtUtiltnumbert bytes_to_longt signatureRRRRTRtecdsatcurvestNIST256pRtNIST384pt ellipticcurvetPointtcurvetorderRLt VerifyingKeytfrom_public_pointt ECKeyWrappert SignatureR7R%RDt to_digestabletlabelstsplitR;trdtypetrdclasst original_ttltsortedR9RgRbtverify(*trrsetRMRLRtnowt candidate_keytrrnameROR2tkeyptrtbytestrsa_etrsa_ntkeylentpubkeytsigtttoctetstdsa_qtdsa_ptdsa_gtdsa_ytdsa_rtdsa_sR~tkey_lent digest_lentxtytpointt verifying_keytrR$tsuffixt rrnamebuftrrfixedtrrlisttrrtrrdatatrrlenR9tpadlen((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt_validate_rrsigs                               !          5c Cst|ttfr3tjj|tjj}nt|trO|d}n |j}t|tr~|d}|d}n|j}|}|j|}|j|}||krt dnxB|D]:}yt |||||dSWqt k r} qXqWt ddS(sdValidate an RRset @param rrset: The RRset to validate @type rrset: dns.rrset.RRset or (dns.name.Name, dns.rdataset.Rdataset) tuple @param rrsigset: The signature RRset @type rrsigset: dns.rrset.RRset or (dns.name.Name, dns.rdataset.Rdataset) tuple @param keys: The key dictionary. @type keys: a dictionary keyed by dns.name.Name with node or rdataset values @param origin: The origin to use for relative names @type origin: dns.name.Name or None @param now: The time to use when validating the signatures. The default is the current time. @type now: int iisowner names do not matchNsno RRSIGs validated( R3RR4R1R5R6RjRktchoose_relativityRR( RtrrsigsetRLRRRt rrsignamet rrsigrdatasetRMte((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt _validateas*        cOs tddS(Ns#DNSSEC validation requires pycrypto(tNotImplementedError(targstkwargs((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt_need_pycryptosRcBseZdZdZRS(cCs||_||_dS(N(R*R(tselfR*R((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyt__init__s cCs+tjjj|}|jjj||S(N(RpRtRuRvR*Rtverifies(RR9Rtdiglong((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyRs(RRRR(((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyRs (JRRR:Rlt dns.exceptionR1tdns.hashtdns.nametdns.nodet dns.rdatasett dns.rdatat dns.rdatatypetdns.rdataclasst exceptiont DNSExceptionRRRRRRR R R R R RRRRRRtdictt iteritemsRRRRRR%RR.RCRPRQRRRTRURVRWRXRYR]RgRRRtCrypto.PublicKey.RSARptCrypto.PublicKey.DSAtCrypto.Util.numbertvalidatetvalidate_rrsigtTruet_have_pycryptot ImportErrortFalseRxt ecdsa.ecdsatecdsa.ellipticcurvet ecdsa.keysRStobjectR(((s0/usr/lib64/python2.7/site-packages/dns/dnssec.pyts            1            .