Compiled Python 2.7 bytecode of /usr/lib64/python2.7/site-packages/dns/dnssec.py. Only the embedded names and strings are legible; they are listed below.

Module docstring: Common DNSSEC-related functions and constants.

Modules named: struct, time, cStringIO, dns.exception, dns.hash, dns.name, dns.node, dns.rdataset, dns.rdata, dns.rdatatype, dns.rdataclass, Crypto.PublicKey.RSA, Crypto.PublicKey.DSA, Crypto.Util.number, ecdsa, ecdsa.ecdsa, ecdsa.ellipticcurve, ecdsa.keys

Exceptions:

    UnsupportedAlgorithm: Raised if an algorithm is not supported.
    ValidationFailure: The DNSSEC signature is invalid.

Algorithm mnemonics (numeric values not legible):

    RSAMD5, DH, DSA, ECC, RSASHA1, DSANSEC3SHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512, INDIRECT, ECDSAP256SHA256, ECDSAP384SHA384, PRIVATEDNS, PRIVATEOID

Functions and classes named: algorithm_from_text, algorithm_to_text, _to_rdata, key_id, make_ds, _find_candidate_keys, _is_rsa, _is_dsa, _is_ecdsa, _is_md5, _is_sha1, _is_sha256, _is_sha384, _is_sha512, _make_hash, _make_algorithm_id, _validate_rrsig, _validate, _need_pycrypto, ECKeyWrapper

Module-level names also present: validate, validate_rrsig, _have_pycrypto, _have_ecdsa

algorithm_from_text(text)

    Convert text into a DNSSEC algorithm value
    @rtype: int

algorithm_to_text(value)

    Convert a DNSSEC algorithm value to text
    @rtype: string

make_ds

    Hash names: SHA1, SHA256
    Error string: unsupported algorithm "%s"

_make_hash

    Hash names: MD5, SHA1, SHA256, SHA384, SHA512
    Error string: unknown hash for algorithm %u

_make_algorithm_id

    Error string: unknown algorithm %u

_validate_rrsig

    Validate an RRset against a single signature rdata

    The owner name of the rrsig is assumed to be the same as the owner name
    of the rrset.

    @param rrset: The RRset to validate
    @type rrset: dns.rrset.RRset or (dns.name.Name, dns.rdataset.Rdataset) tuple
    @param rrsig: The signature rdata
    @type rrsig: dns.rrset.Rdata
    @param keys: The key dictionary.
    @type keys: a dictionary keyed by dns.name.Name with node or rdataset values
    @param origin: The origin to use for relative names
    @type origin: dns.name.Name or None
    @param now: The time to use when validating the signatures. The default
    is the current time.
    @type now: int

    Error strings: unknown key, expired, not yet valid, unknown ECDSA curve, unknown algorithm %u, verify failure

_validate

    Validate an RRset

    @param rrset: The RRset to validate
    @type rrset: dns.rrset.RRset or (dns.name.Name, dns.rdataset.Rdataset) tuple
    @param rrsigset: The signature RRset
    @type rrsigset: dns.rrset.RRset or (dns.name.Name, dns.rdataset.Rdataset) tuple
    @param keys: The key dictionary.
    @type keys: a dictionary keyed by dns.name.Name with node or rdataset values
    @param origin: The origin to use for relative names
    @type origin: dns.name.Name or None
    @param now: The time to use when validating the signatures. The default
    is the current time.
    @type now: int

    Error strings: owner names do not match, no RRSIGs validated

_need_pycrypto

    Error string (NotImplementedError): DNSSEC validation requires pycrypto