a ©!cu-ã@sôddlmZddlmZddlmZddlmZddlZddlZddlZddl Z ddl m Z ddl Z ddlZ e d¡ZdZGd d „d e jjƒZdd d „ZGdd„deƒZGdd„dƒZGdd„dƒZGdd„dƒZdd„Zdd„ZGdd„dƒZdS)é)Úprint_function)Úabsolute_import)Úunicode_literals)ÚEnumN©Ú_Údnfé=c@seZdZdZdd„ZdS)Ú DnssecErrorz- Exception used in the dnssec module cCsd |jdur|jnd¡S)Nzz Not specified)ÚformatÚvalue©Úself©rú./usr/lib/python3.9/site-packages/dnf/dnssec.pyÚ__repr__-sÿzDnssecError.__repr__N)Ú__name__Ú __module__Ú __qualname__Ú__doc__rrrrrr )sr Ú _openpgpkeycCs€| dd¡}t|ƒdkr$d}t|ƒ‚|d}|d}t ¡}| | d¡¡t |  ¡dd…¡  d¡  ¡}|d|d|S) z‘ Implements RFC 7929, section 3 https://tools.ietf.org/html/rfc7929#section-3 :param email_address: :param tag: :return: ú@ééz0Email address must contain exactly one '@' sign.rzutf-8éÚ.) ÚrsplitÚlenr ÚhashlibZsha256ÚupdateÚencodeÚbase64Z b16encodeÚdigestÚdecodeÚlower)Z email_addressÚtagÚsplitÚmsgÚlocalÚdomainÚhashr"rrrÚemail2location2s  ÿr+c@s(eZdZdZdZdZdZdZdZdZ dS) ÚValidityzå Output of the verification algorithm. TODO: this type might be simplified in order to less reflect the underlying DNS layer. TODO: more specifically the variants from 3 to 5 should have more understandable names rréééé N) rrrrÚVALIDÚREVOKEDÚPROVEN_NONEXISTENCEÚRESULT_NOT_SECUREÚ BOGUS_RESULTÚERRORrrrrr,Jsr,c@seZdZdZdS)ÚNoKeyzŠ This class represents an absence of a key in the cache. It is an expression of non-existence using the Python's type system. N)rrrrrrrrr7Xsr7c@s.eZdZdZd dd„Zdd„Zedd„ƒZdS) ÚKeyInfozv Wrapper class for email and associated verification key, where both are represented in form of a string. NcCs||_||_dS)N)ÚemailÚkey)rr9r:rrrÚ__init__eszKeyInfo.__init__cCsd |j|j d¡dd…¡S)NzKeyInfo("{}", "{}...")Úasciié)r r9r:r#r rrrriszKeyInfo.__repr__c Cs˜t d|¡}|durt‚| d¡}| d¡ d¡}d}d}tdt|ƒƒD]$}||dkr\|}||dkrH|}qHd  ||d |d…¡  d¡}t ||ƒS) z” Since dnf uses different format of the key than the one used in DNS RR, I need to convert the former one into the new one. ú <(.*@.*)>Nrr<Ú rz$-----BEGIN PGP PUBLIC KEY BLOCK-----z"-----END PGP PUBLIC KEY BLOCK-----Úr) ÚreÚsearchr Úgroupr#r&ÚrangerÚjoinr r8) ZuseridZraw_keyZ input_emailr9r:ÚstartÚstopÚiZcat_keyrrrÚfrom_rpm_key_objectls     zKeyInfo.from_rpm_key_object)NN)rrrrr;rÚ staticmethodrIrrrrr8`s  r8c@s8eZdZdZiZedd„ƒZedd„ƒZedd„ƒZdS) ÚDNSSECKeyVerificationz† The main class when it comes to verification itself. It wraps Unbound context and a cache with already obtained results. cCsZ||krt d¡tjS|tur0t d¡tjSt d |¡¡t d |¡¡tjSdS)zD Compare the key in case it was found in the cache. zCache hit, valid keyzCache hit, proven non-existencezKey in cache: {}úInput key : {}N)ÚloggerÚdebugr,r1r7r3r r2)Ú key_unionZinput_key_stringrrrÚ _cache_hits  z DNSSECKeyVerification._cache_hitc CsÄz ddl}Wn>tyJ}z&td |¡ƒ}tj |¡‚WYd}~n d}~00| ¡}| dd¡dkrnt   d¡| dd¡dkrˆt   d ¡|  ¡dkržt   d ¡|  d ¡dkr¶t   d ¡|  t|jƒt|j¡\}}|dkrèt   d ¡tjS|jrt   d |j¡¡tjS|js t   d¡tjS|js>|j|jkrN|jsNt   d¡tjS|jsnt   d |j¡¡tjS|j  ¡d}t! "|¡}||j#kr˜tj$St   d |¡¡t   d |j#¡¡tj%SdS)zz In case the key was not found in the cache, create an Unbound context and contact the DNS system rNzLConfiguration option 'gpgkey_dns_verification' requires python3-unbound ({})z verbosity:Ú0z(Unbound context: Failed to set verbosityzqname-minimisation:Zyesz1Unbound context: Failed to set qname minimisationz+Unbound context: Failed to read resolv.confz/var/lib/unbound/root.keyz0Unbound context: Failed to add trust anchor filez%Communication with DNS servers failedz DNSSEC signatures are wrong ({})z!Result is not secured with DNSSECz1Non-existence of this record was proven by DNSSECz&Unknown error in DNS communication: {}zKey from DNS: {}rL)&ÚunboundÚ ImportErrorrr rÚ exceptionsÚErrorZub_ctxZ set_optionrMrNZ resolvconfZ add_ta_fileÚresolver+r9ÚRR_TYPE_OPENPGPKEYZ RR_CLASS_INr,r6ZbogusZ why_bogusr5Zsecurer4ZnxdomainZrcodeZ RCODE_NOERRORZhavedatar3Z rcode_strÚdataZ as_raw_datar!Z b64encoder:r1r2) Ú input_keyrRÚer'ÚctxÚstatusÚresultrXZ dns_data_b64rrrÚ _cache_miss¡sR ÿ"      ÿ     z!DNSSECKeyVerification._cache_misscCszt d |j¡¡tj |j¡}|dur6t ||j¡St  |¡}|t j krZ|jtj|j<n|t j krrt ƒtj|j<|SdS)zI Public API. Use this method to verify a KeyInfo object. z(Running verification for key with id: {}N)rMrNr r9rKÚ_cacheÚgetrPr:r^r,r1r3r7)rYrOr]rrrÚverifyÛs   zDNSSECKeyVerification.verifyN) rrrrr_rJrPr^rarrrrrK†s  9rKcCs8tdƒ|jd}|tjkr(|tdƒS|tdƒSdS)zE Inform the user about key validity in a human readable way. zDNSSEC extension: Key for user ú z is valid.zhas unknown status.N)rr9r,r1)ZkiÚvÚprefixrrrÚ nice_user_msgîs  recCs tdƒ|S)z; Label any given message with DNSSEC extension tag zDNSSEC extension: r)ÚmrrrÚany_msgúsrgc@s(eZdZdZedd„ƒZedd„ƒZdS)ÚRpmImportedKeysaQ Wrapper around keys, that are imported in the RPM database. The keys are stored in packages with name gpg-pubkey, where the version and release is different for each of them. The key content itself is stored as an ASCII armored string in the package description, so it needs to be parsed before it can be used. c CsŠtjj ¡}| dd¡}g}|D]d}tj |d¡}t d|¡ d¡}tj |d¡}|  d¡dd …}d   |¡}|t ||  d ¡ƒg7}q |S) NÚnamez gpg-pubkeyÚpackagerr>rÚ descriptionr?r-éýÿÿÿr@r<) rZrpmZ transactionZTransactionWrapperZdbMatchZ getheaderrArBrCr&rEr8r ) Ztransaction_setZpackagesZ return_listÚpkgrjr9rkZ key_linesZkey_strrrrÚ_query_db_for_gpg_keys s   z&RpmImportedKeys._query_db_for_gpg_keysc Cst ¡}t ttdƒƒ¡|D]ú}zt |¡}WnFtyv}z.t  d  |j |j ¡¡WYd}~qWYd}~n d}~00|t jkršt td  |j ¡ƒ¡q|t jkr¼t td  |j ¡ƒ¡q|t jkrÞt td  |j ¡ƒ¡q|t jkrt td  |j ¡ƒ¡qt td  |j ¡ƒ¡qdS)Nz1Testing already imported keys for their validity.z%DNSSEC extension error (email={}): {}zGPG Key {} is validz,GPG Key {} does not support DNS verificationzŠGPG Key {} could not be verified, because DNSSEC signatures are bogus. Possible causes: wrong configuration of the DNS server, MITM attackz=GPG Key {} has been revoked and should be removed immediatelyzGPG Key {} could not be tested)rhrnrMÚinforgrrKrar Zwarningr r9r r,r1rNr3r5r2)Úkeysr:r]rZrrrÚcheck_imported_keys_validitys4ÿ"   ÿ   þ   ÿ z,RpmImportedKeys.check_imported_keys_validityN)rrrrrJrnrqrrrrrhs  rh)r)Z __future__rrrÚenumrr!rZloggingrAZdnf.i18nrZdnf.rpmrZdnf.exceptionsZ getLoggerrMrWrTrUr r+r,r7r8rKrergrhrrrrÚs*       &h