Compiled Python 3.6 bytecode (a .pyc file) of dnf's dnssec module; the co_filename embedded in it reads /usr/lib/python3.6/dnssec.py. Only the string constants, names and docstrings survive extraction. What can be recovered from them:

Module level
- Imports: __future__ (print_function, absolute_import, unicode_literals), enum.Enum, base64, hashlib, logging, re, dnf.i18n._, dnf.rpm, dnf.exceptions.
- logger = logging.getLogger('dnf'); a constant RR_TYPE_OPENPGPKEY (the OPENPGPKEY record type, 61, assigned by RFC 7929).

class DnssecError(dnf.exceptions.Error)
  "Exception used in the dnssec module". __repr__ formats the stored value, or "Not specified" when it is None.

def email2location(email_address, tag='_openpgpkey')
  "Implements RFC 7929, section 3 (https://tools.ietf.org/html/rfc7929#section-3)". Splits on '@' and raises DnssecError with the message "Email address must contain exactly one '@' sign." unless exactly two parts result; hashes the UTF-8 local part with SHA-256, hex-encodes the digest (base64.b16encode(...).decode().lower(), truncated to the first 28 octets, i.e. 56 hex characters, per the RFC) and returns '<hash>.<tag>.<domain>'.

class Validity(Enum)
  "Output of the verification algorithm. TODO: this type might be simplified in order to less reflect the underlying DNS layer. TODO: more specifically the variants from 3 to 5 should have more understandable names". Members: VALID, REVOKED, PROVEN_NONEXISTENCE, RESULT_NOT_SECURE, BOGUS_RESULT, ERROR.

class NoKey
  "This class represents an absence of a key in the cache. It is an expression of non-existence using the Python's type system."

class KeyInfo
  "Wrapper class for email and associated verification key, where both are represented in form of a string." __init__(self, email=None, key=None).
  from_rpm_key_object(userid, raw_key) (staticmethod): "Since dnf uses different format of the key than the one used in DNS RR, I need to convert the former one into the new one." Extracts the address with re.search('<(.*@.*)>', userid) (raises DnssecError if absent), decodes raw_key as ASCII, splits it on '\n', locates the lines '-----BEGIN PGP PUBLIC KEY BLOCK-----' and '-----END PGP PUBLIC KEY BLOCK-----', joins the base64 lines between them (skipping the armor header and the trailing checksum line) and returns KeyInfo(email, key).

class DNSSECKeyVerification
  "The main class when it comes to verification itself. It wraps Unbound context and a cache with already obtained results." Class attribute _cache = {}.
  _cache_hit(key_union, input_key_string): "Compare the key in case it was found in the cache." Equal key -> VALID ("Cache hit, valid key"); NoKey -> PROVEN_NONEXISTENCE ("Cache hit, proven non-existence"); otherwise logs "Key in cache: {}" / "Input key : {}" and returns REVOKED.
  _cache_miss(input_key): "In case the key was not found in the cache, create an Unbound context and contact the DNS system". Imports unbound, raising dnf.exceptions.Error("Configuration option 'gpgkey_dns_verification' requires python3-unbound ({})") on ImportError. Creates ub_ctx(), sets 'verbosity:0' and 'qname-minimisation:yes', calls resolvconf() and add_ta_file('/var/lib/unbound/root.key') (debug messages: "Unbound context: Failed to set verbosity", "... Failed to set qname minimisation", "... Failed to read resolv.conf", "... Failed to add trust anchor file"). Resolves email2location(input_key.email) with RR_TYPE_OPENPGPKEY, RR_CLASS_IN and maps the outcome: status != 0 -> ERROR ("Communication with DNS servers failed"); result.bogus -> BOGUS_RESULT ("DNSSEC signatures are wrong"); not result.secure -> RESULT_NOT_SECURE ("Result is not secured with DNSSEC"); result.nxdomain -> PROVEN_NONEXISTENCE ("Non-existence of this record was proven by DNSSEC"); not result.havedata -> ERROR ("Unknown error in DNS communication"); otherwise base64-encodes result.data.as_raw_data()[0] and returns VALID if it equals input_key.key, else logs "Key from DNS: {}" / "Input key : {}" and returns REVOKED.
  verify(input_key): "Public API. Use this method to verify a KeyInfo object." Logs "Running verification for key with id: {}", consults _cache by email, falls back to _cache_miss, and stores the key on VALID or NoKey on PROVEN_NONEXISTENCE.

def nice_user_msg(ki, validity)
  "Inform the user about key validity in a human readable way." Prefix "DNSSEC extension: Key for user <email> " followed by "is valid." for VALID, otherwise "has unknown status.".

def any_msg(m)
  "Label any given message with DNSSEC extension tag": returns "DNSSEC extension: " + m.

class RpmImportedKeys
  "Wrapper around keys, that are imported in the RPM database. The keys are stored in packages with name gpg-pubkey, where the version and release is different for each of them. The key content itself is stored as an ASCII armored string in the package description, so it needs to be parsed before it can be used."
  _query_db_for_gpg_keys(): opens dnf.rpm.transaction.TransactionWrapper, iterates dbMatch('name', 'gpg-pubkey'), takes the address from the 'packager' header with re.search('<(.*@.*)>', ...), reads the 'description' header, keeps the armored lines and builds KeyInfo objects.
  check_imported_keys_validity(): logs "Testing already imported keys for their validity.", verifies each key with DNSSECKeyVerification.verify (a DnssecError is logged as "DNSSEC extension error (email={}): {}" and skipped) and reports per result: VALID "GPG Key {} is valid"; RESULT_NOT_SECURE "GPG Key {} does not support DNS verification"; BOGUS_RESULT "GPG Key {} could not be verified, because DNSSEC signatures are bogus. Possible causes: wrong configuration of the DNS server, MITM attack"; REVOKED "GPG Key {} has been revoked and should be removed immediately"; anything else "GPG Key {} could not be tested".
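The lookup and decision logic above can be exercised without Unbound or network access. The following is an added example, not dnf's code: it reimplements the RFC 7929 name construction, the extraction of the armored key body, the result classification in the same order dnf uses, and the per-address cache, with the resolver replaced by a constructed lookup table (DnsResult, make_resolver, the sample KEY_BYTES and ARMORED block are all constructed here and stand in for Unbound's result object and for a real gpg-pubkey description). Two points the page supports are worth checking in code: the bogus test must precede the secure test, because a bogus answer is also reported as not secure, and any signed record that merely differs from the local key is classified as REVOKED.

```python
"""Offline model of the RFC 7929 OPENPGPKEY check done by dnf's dnssec module.
Added example, not dnf's own code: Unbound is replaced by a constructed lookup
table so the classification and caching logic can run stand-alone."""
import base64
import hashlib
from enum import Enum


class Validity(Enum):
    VALID = 1
    REVOKED = 2
    PROVEN_NONEXISTENCE = 3
    RESULT_NOT_SECURE = 4
    BOGUS_RESULT = 5
    ERROR = 9


class NoKey:
    """Cache marker: DNSSEC proved that no OPENPGPKEY record exists."""


def email2location(email_address, tag="_openpgpkey"):
    """RFC 7929 section 3: SHA-256 of the local part (case preserved),
    truncated to 28 octets, lowercase hex, then '.<tag>.<domain>'."""
    local, sep, domain = email_address.partition("@")
    if not sep or not local or not domain or "@" in domain:
        raise ValueError("Email address must contain exactly one '@' sign.")
    digest = hashlib.sha256(local.encode("utf-8")).hexdigest()[:56]
    return "{}.{}.{}".format(digest, tag, domain)


def armored_body(armored):
    """Bare base64 payload of an ASCII-armored public key block: armor headers
    (up to the first blank line) and the RFC 4880 CRC line ('=XXXX') are
    dropped so the result compares equal to base64 of the OPENPGPKEY RDATA."""
    lines = armored.splitlines()
    start = lines.index("-----BEGIN PGP PUBLIC KEY BLOCK-----")
    stop = lines.index("-----END PGP PUBLIC KEY BLOCK-----", start)
    body = lines[start + 1:stop]
    if "" in body:
        body = body[body.index("") + 1:]
    return "".join(line for line in body if not line.startswith("="))


class DnsResult:
    """Constructed stand-in for the fields of an Unbound result object."""
    def __init__(self, bogus=False, secure=True, nxdomain=False, rdata=None):
        self.bogus, self.secure, self.nxdomain = bogus, secure, nxdomain
        self.havedata = rdata is not None
        self.rdata = rdata


def classify(key_b64, status, result):
    """Map a resolver outcome to Validity in dnf's order. 'bogus' is tested
    before 'secure': a bogus answer is also not secure, so the reverse order
    would report a validation failure as a merely unsigned zone."""
    if status != 0:
        return Validity.ERROR                # resolver/transport failure
    if result.bogus:
        return Validity.BOGUS_RESULT         # RRSIGs present but invalid
    if not result.secure:
        return Validity.RESULT_NOT_SECURE    # unsigned zone, no DNSSEC claim
    if result.nxdomain:
        return Validity.PROVEN_NONEXISTENCE  # NSEC/NSEC3-proven denial
    if not result.havedata:
        return Validity.ERROR                # NODATA or empty answer
    dns_key_b64 = base64.b64encode(result.rdata).decode("ascii")
    # A signed record that differs from the local key is reported as REVOKED.
    return Validity.VALID if dns_key_b64 == key_b64 else Validity.REVOKED


class Verifier:
    """Cache-fronted check; resolve(qname) returns (status, DnsResult)."""
    def __init__(self, resolve):
        self.resolve = resolve
        self._cache = {}

    def verify(self, email, key_b64):
        cached = self._cache.get(email)
        if cached is NoKey:
            return Validity.PROVEN_NONEXISTENCE
        if cached is not None:
            return Validity.VALID if cached == key_b64 else Validity.REVOKED
        status, result = self.resolve(email2location(email))
        verdict = classify(key_b64, status, result)
        if verdict is Validity.VALID:
            self._cache[email] = key_b64
        elif verdict is Validity.PROVEN_NONEXISTENCE:
            self._cache[email] = NoKey
        return verdict


# Constructed sample data: a fake 64-byte "key" and its armored rendering.
KEY_BYTES = bytes(range(64))
KEY_B64 = base64.b64encode(KEY_BYTES).decode("ascii")
ARMORED = "\n".join(
    ["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Version: constructed", ""]
    + [KEY_B64[i:i + 64] for i in range(0, len(KEY_B64), 64)]
    + ["=AbCd", "-----END PGP PUBLIC KEY BLOCK-----"])


def make_resolver(signed_records):
    """signed_records: {qname: (status, DnsResult)}; other names are a
    DNSSEC-proven NXDOMAIN."""
    return lambda q: signed_records.get(q, (0, DnsResult(nxdomain=True)))


def demo():
    """Signed record for alice, nothing for bob; second calls hit the cache."""
    zone = {email2location("alice@example.com"): (0, DnsResult(rdata=KEY_BYTES))}
    v = Verifier(make_resolver(zone))
    return (v.verify("alice@example.com", armored_body(ARMORED)),
            v.verify("alice@example.com", "QUJD"),
            v.verify("bob@example.com", KEY_B64),
            v.verify("bob@example.com", KEY_B64))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The armor parser is deliberately stricter than a fixed "skip two lines after BEGIN, drop one before END" rule: it tolerates any number of armor header lines (or none) and only drops the checksum line, so a key exported without a Version: header still compares correctly against the DNS record.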