ó ¾[/\c@@sMddlmZddlmZddlmZddlmZddlZddlZddlZddl Z ddl m Z ddl Z ddlZ ejdƒZdZd e jjfd „ƒYZd d „Zd efd„ƒYZddd„ƒYZddd„ƒYZddd„ƒYZd„Zd„Zddd„ƒYZdS(i(tprint_function(tabsolute_import(tunicode_literals(tEnumN(t_udnfi=t DnssecErrorcB@seZdZRS(u- Exception used in the dnssec module (t__name__t __module__t__doc__(((s./usr/lib/python2.7/site-packages/dnf/dnssec.pyR)su _openpgpkeycC@s¢|jdƒ}t|ƒdkr-tƒ‚n|d}|d}tjƒ}|j|jdƒƒtj|j ƒdd!ƒj dƒj ƒ}|d|d|S(u‘ Implements RFC 7929, section 3 https://tools.ietf.org/html/rfc7929#section-3 :param email_address: :param tag: :return: u@iiiuutf-8iu.( tsplittlenRthashlibtsha256tupdatetencodetbase64t b16encodetdigesttdecodetlower(t email_addressttagR tlocaltdomainthashR((s./usr/lib/python2.7/site-packages/dnf/dnssec.pytemail2location0s     tValiditycB@s2eZdZdZdZdZdZdZdZRS(uå Output of the verification algorithm. TODO: this type might be simplified in order to less reflect the underlying DNS layer. TODO: more specifically the variants from 3 to 5 should have more understandable names iiiiii ( RRRtVALIDtREVOKEDtPROVEN_NONEXISTENCEtRESULT_NOT_SECUREt BOGUS_RESULTtERROR(((s./usr/lib/python2.7/site-packages/dnf/dnssec.pyRGstNoKeycB@seZdZRS(uŠ This class represents an absence of a key in the cache. It is an expression of non-existence using the Python's type system. (RRR(((s./usr/lib/python2.7/site-packages/dnf/dnssec.pyR!UstKeyInfocB@s,eZdZddd„Zed„ƒZRS(uv Wrapper class for email and associated verification key, where both are represented in form of a string. cC@s||_||_dS(N(temailtkey(tselfR#R$((s./usr/lib/python2.7/site-packages/dnf/dnssec.pyt__init__bs c C@sàtjd|ƒ}|d kr't‚n|jdƒ}|jdƒjdƒ}d}d}xOtdt|ƒƒD]8}||dkr|}n||dkrp|}qpqpWdj ||d |d!ƒj dƒ}t ||ƒS( u” Since dnf uses different format of the key than the one used in DNS RR, I need to convert the former one into the new one. u <(.*@.*)>iuasciiu iu$-----BEGIN PGP PUBLIC KEY BLOCK-----u"-----END PGP PUBLIC KEY BLOCK-----uiN( tretsearchtNoneRtgroupRR trangeR tjoinRR"( tuseridtraw_keyt input_emailR#R$tstarttstoptitcat_key((s./usr/lib/python2.7/site-packages/dnf/dnssec.pytfrom_rpm_key_objectfs    'N(RRRR)R&t staticmethodR4(((s./usr/lib/python2.7/site-packages/dnf/dnssec.pyR"]stDNSSECKeyVerificationcB@sAeZdZiZed„ƒZed„ƒZed„ƒZRS(u† The main class when it comes to verification itself. It wraps Unbound context and a cache with already obtained results. cC@s1||krtjS|tkr&tjStjSdS(uD Compare the key in case it was found in the cache. N(RRR!RR(t key_uniontinput_key_string((s./usr/lib/python2.7/site-packages/dnf/dnssec.pyt _cache_hitŠs   cC@s›yddl}Wn(tk r:}tdj|ƒƒ‚nX|jƒ}|jddƒdkrotjdƒn|jddƒdkr—tjd ƒn|jƒdkr¹tjd ƒn|j d ƒdkrÞtjd ƒn|j t |j ƒt |jƒ\}}|dkrtjS|jr(tjS|js8tjS|jrHtjS|jsXtjS|jjƒd}tj|ƒ}||jkrtjStjSdS( uz In case the key was not found in the cache, create an Unbound context and contact the DNS system iNuRConfiguration option 'gpgkey_dns_verification' requires libunbound ({})u verbosity:u0u(Unbound context: Failed to set verbosityuqname-minimisation:uyesu1Unbound context: Failed to set qname minimisationu+Unbound context: Failed to read resolv.confu/var/lib/unbound/root.keyu0Unbound context: Failed to add trust anchor file(tunboundt ImportErrort RuntimeErrortformattub_ctxt set_optiontloggertdebugt resolvconft add_ta_filetresolveRR#tRR_TYPE_OPENPGPKEYt RR_CLASS_INRR tbogusRtsecureRtnxdomainRthavedatatdatat as_raw_dataRt b64encodeR$RR(t input_keyR:tetctxtstatustresultRKt dns_data_b64((s./usr/lib/python2.7/site-packages/dnf/dnssec.pyt _cache_miss—s>      cC@s•tjj|jƒ}|dk r4tj||jƒStj|ƒ}|tj krh|jtj|jiu descriptionu iiýÿÿÿu( tdnftrpmt transactiontTransactionWrappertdbMatchRR'R(R*R R,R"R( ttransaction_settpackagest return_listtpkgtpackagerR#t descriptiont key_linestkey_str((s./usr/lib/python2.7/site-packages/dnf/dnssec.pyt_query_db_for_gpg_keysös  #cC@s,tjƒ}tjttdƒƒƒx|D]ø}tj|ƒ}|tj krrtjtdj |j ƒƒƒq,|tj kr£tjtdj |j ƒƒƒq,|tj krÔtjtdj |j ƒƒƒq,|tjkrtjtdj |j ƒƒƒq,tjtdj |j ƒƒƒq,WdS(Nu1Testing already imported keys for their validity.uGPG Key {} is validu,GPG Key {} does not support DNS verificationuŠGPG Key {} could not be verified, because DNSSEC signatures are bogus. Possible causes: wrong configuration of the DNS server, MITM attacku=GPG Key {} has been revoked and should be removed immediatelyuGPG Key {} could not be tested(R^RlR@tinfoR]RR6RWRRR=R#RRR(tkeysR$RR((s./usr/lib/python2.7/site-packages/dnf/dnssec.pytcheck_imported_keys_validitys   "(RRRR5RlRo(((s./usr/lib/python2.7/site-packages/dnf/dnssec.pyR^ís(((((t __future__RRRtenumRRR tloggingR'tdnf.i18nRtdnf.rpm.transactionR_tdnf.exceptionst getLoggerR@REt exceptionstErrorRRRR!R"R6R[R]R^(((s./usr/lib/python2.7/site-packages/dnf/dnssec.pyts*       #Y