x@NSrSSKJr SSKrSSKrSSKrSSKrSSKrSSK rSSK rSSK rSSK rSSK Jr "SS\RR 5r"SS \RR 5rSrS rS rS rS rSrSrSrSrSrSrSrSrSr \\\\\\\\\\\\\\ S.r!\!RE5VVs0sHupX_M snnr#Sr$Sr%Sr&S3Sjr'S3Sjr(Sr)Sr*Sr+S r,S!r-S"r.S#r/S$r0S%r1S&r2S'r3S4S(jr4S4S)jr5S*r6SS+K7J8r8J9r9J:r:J;r;Jr?Jr@ SS-KAJBrBJCrC SS.KDJErE \5rK\4rLS/rMSSKNrNSSKOrNSSKPrNSSKQrNS/rR"S0S1\S5rTgs snnf!\Fa' SS+KGJ8r8J9r9J:r:J;r;Jr?Jr@ SS-KIJBrBJCrC SS.KJJErE NWf=f!\Fa S2rRgf=f!\Fa \6rK\6rLS2rMS2rRgf=f)5z.Common DNSSEC-related functions and constants.)BytesION) string_typesc\rSrSrSrSrg)UnsupportedAlgorithm"z&The DNSSEC algorithm is not supported.N__name__ __module__ __qualname____firstlineno____doc____static_attributes__r lib/third_party/dns/dnssec.pyrr"s0rrc\rSrSrSrSrg)ValidationFailure&z The DNSSEC signature is invalid.r Nr r rrrr&s*rr )RSAMD5DHDSAECCRSASHA1 DSANSEC3SHA1RSASHA1NSEC3SHA1 RSASHA256 RSASHA512INDIRECTECDSAP256SHA256ECDSAP384SHA384 PRIVATEDNS PRIVATEOIDch[RUR55nUc [U5nU$)zAConvert text into a DNSSEC algorithm value. Returns an ``int``. )_algorithm_by_textgetupperint)textvalues ralgorithm_from_textr8_s-  " "4::< 0E }D  LrcL[RU5nUc [U5nU$)z=Convert a DNSSEC algorithm value to text Returns a ``str``. )_algorithm_by_valuer3str)r7r6s ralgorithm_to_textr<ks'  " "5 )D |5z KrcT[5nURX!S9 UR5$)N)origin)rto_wiregetvalue)recordr>ss r _to_rdatarCws# A NN1N$ ::<rcR[X5n[U5nUR[:XaUSS-US-$Sn[ [ U5S-5HnX2SU-S-USU-S--- nM [ U5S-S:waX2[ U5S- S-- nX3S- S-- nUS-$) zReturn the key id (a 16-bit number) for the specified key. Note the *origin* parameter of this function is historical and is not needed. Returns an ``int`` between 0 and 65535. rrrri)rC bytearray algorithmr#rangelen)keyr>rdatatotalis rkey_idrP}s c "E e E }}b Q%)++s5zQ'A AEla'a!eai ! !E( u:>Q  3u:>*a/ /E B;&()v~rc UR5S:XaSn[R"5nO:UR5S:XaSn[R"5nO[ SU-5e[ U[ 5(a[RRX5nURUR5R55 UR[X55 UR5n[R "S[#U5UR$U5U-n[R&R)[R*R,[R.R0US[3U55$)aCreate a DS record for a DNSSEC key. *name* is the owner name of the DS record. *key* is a ``dns.rdtypes.ANY.DNSKEY``. *algorithm* is a string describing which hash algorithm to use. The currently supported hashes are "SHA1" and "SHA256". Case does not matter for these strings. *origin* is a ``dns.name.Name`` and will be used as the origin if *key* is a relative name. Returns a ``dns.rdtypes.ANY.DS``. SHA1rSHA256rzunsupported algorithm "%s"z!HBBr)r4rRnewrSr isinstancerdnsname from_textupdate canonicalizer?rCdigeststructpackrPrIrM from_wire rdataclassIN rdatatypeDSrK)rWrLrIr>dsalghashr[dsrdatas rmake_dsrfs "F"xxz  h &zz|"#?)#KLL$ %%xx!!$/KK!!#++-.KK #&' [[]Fkk&&+s}}eDvMG 99  s~~00#--2B2BGQ"7| --rc/nURUR5nUcg[U[RR 5(aDUR [RR[RR5nOUnUHKnURUR:XdM[U5UR:XdM:URU5 MM U$![a gf=fN)r3signerrUrVnodeNode find_rdatasetr_r`raDNSKEYKeyErrorrIrPkey_tagappend)keysrrsigcandidate_keysr7rdatasetrMs r_find_candidate_keysrusN HHU\\ "E }%'' **3>>+<+<+.==+?+?AH  ??eoo -u .  ! !% (   s AC$$ C10C1c>U[[[[[4;$rh)r#r'r)r*r+rIs r_is_rsarxs )9"$ $$rc U[[4;$rh)r%r(rws r_is_dsarzs l+ ++rc:[=(a U[[4;$rh) _have_ecdsar-r.rws r _is_ecdsar}s  LI/?)KKLrcU[:H$rh)r#rws r_is_md5rs  rc4U[[[[4;$rh)r%r'r(r)rws r_is_sha1rs g%'79 99rc U[[4;$rh)r*r-rws r _is_sha256rs O4 44rcU[:H$rh)r.rws r _is_sha384rs  ''rcU[:H$rh)r+rws r _is_sha512rs  !!rc[U5(a[R"5$[U5(a[R"5$[ U5(a[ R"5$[U5(a[R"5$[U5(a[R"5$[SU-5e)Nzunknown hash for algorithm %u) rMD5rTrrRrrSrSHA384rSHA512rrws r _make_hashrsywwy xxz)zz|)zz|)zz| ;iG HHrc[U5(a/SQnOM[U5(a/SQnO8[U5(a/SQnO#[U5(a/SQnO[ SU-5e[ U5n[ U5RnS/SU-U-/-SUS-/-S U/-U-S S /-SU/-n[R"S [ U5-/UQ76$) N)*Hrrrr)+rrr) `rrrerrrr) rrrrrrrrrunknown algorithm %u0rrrrrz!%dB) rrrrrrKr digest_sizer\r])rIoidolendlenidbytess r_make_algorithm_idrsy> )  , I  D I  D 6 BCC s8D i , ,DfD4((TAX"&.034Tl"D\*G ;;vG , 7w 77rc R[U[5(a8[RR U[RR 5n[ X!5nUc [S5eUGHn[U[5(a USnUSnOURnUnUc[R"5nURU:a [S5eURU:a [S5e[UR5n [UR5(aURn [ R""SU SS5un U SSn U S:Xa![ R""SU SS 5un U S Sn U SU n XSn [$R&"[(R*"U 5[(R*"U 545nUR.nGO[1UR5(aURn [ R""SU SS5unU SSn S US --nU SS nU S Sn U SUnU USn U SUnU USn U SUn[2R&"[(R*"U5[(R*"U5[(R*"U5[(R*"U545nUR.SSnGO[5UR5(GaURn UR[6:Xa[8R:R<nSnO0UR[>:Xa[8R:R@nSn[(R*"U SW5n[(R*"U UUS -5n[8R8RCWRDUU5(d [S5e[8RFRIURJUUURL5n[8RNRPRSUU5nUU5nUR.SUnUR.USn[8R8RW[(R*"U5[(R*"U55nO[SUR-5eU RY[[X5SS5 U RYUR\R_U55 UR`[cU5S- :aAUReUR`S-5Sn[RR SU5nUR_U5n[ Rf"SURhURjURl5n [oU5n!U!Hxn"U RYU5 U RYU 5 U"R_U5n#[ Rf"S[cU#55n$U RYU$5 U RYU#5 Mz [UR5(a([pRr"U5n%U%RuX5 O[1UR5(a)[vRr"US5n%U%RuX5 O`[5UR5(a.U Ry5n&URuU&U5(d[,eO[SUR-5e g [S5e![,a [S 5ef=f![,a GMf=f)aValidate an RRset against a single signature rdata The owner name of *rrsig* is assumed to be the same as the owner name of *rrset*. *rrset* is the RRset to validate. It can be a ``dns.rrset.RRset`` or a ``(dns.name.Name, dns.rdataset.Rdataset)`` tuple. *rrsig* is a ``dns.rdata.Rdata``, the signature to validate. *keys* is the key dictionary, used to find the DNSKEY associated with a given name. The dictionary is keyed by a ``dns.name.Name``, and has ``dns.node.Node`` or ``dns.rdataset.Rdataset`` values. *origin* is a ``dns.name.Name``, the origin to use for relative names. *now* is an ``int``, the time to use when validating the signatures, in seconds since the UNIX epoch. The default is the current time. Nz unknown keyrrexpiredz not yet validz!Bz!Hrzinvalid public key@r rzinvalid ECDSA keyr*z!HHIz fips-186-3zverify failure)=rUrrVrWrXrootrurtupletime expiration inceptionrrIrxrLr\unpack CryptoRSA constructnumber bytes_to_long ValueError signaturerz CryptoDSAr}r-ecdsacurvesNIST256pr.NIST384ppoint_is_valid generator ellipticcurvePointcurveorderrq VerifyingKeyfrom_public_point ECKeyWrapper SignaturerYrCri to_digestablelabelsrKsplitr]rdtyperdclass original_ttlsortedpkcs1_15rTverifyDSSr[)'rrsetrrrqr>nowrs candidate_keyrrnamertrdkeyptrbytes_rsa_ersa_npubkeysigtoctetsdsa_qdsa_pdsa_gdsa_yrkey_lenxypoint verifying_keyrrBsuffix rrnamebufrrfixedrrlistrrrrdatarrlenverifierr[s' r_validate_rrsigrs*&,''##FCHHMM:)$6N ..'  eU # #1XFQxHZZFH ;))+C   c !#I. . ??S #O4 4%//* 5?? # #"&&F dF1QK8IVABZF{"MM$q < 1V$E7OE >",,))%0))%023 //C U__ % %"&&F==va{3DQABZF!a%ZF1RLEBC[F1V$EFG_F1V$EFG_F1V$E((%%e,%%e,%%e,%%e,./F //!"%C u ' '#&&F/1 --O3 --$$VAg%67A$$VGGaK%@AA;;--eooq!DD'(;<<''--ekk1aME!JJ33EEeFKMM!-9F)A)A++''(<((PQQ k(t , --u >'(<== >l   s 6A[> C%\>\ \&%\&c[U[5(a8[RR U[RR 5n[U[ 5(aUSnO URn[U[ 5(a USnUSnOURnUnURU5nURU5nXV:wa [S5eUHn[XX#U5 g [S5e![a M-f=f)aValidate an RRset. *rrset* is the RRset to validate. It can be a ``dns.rrset.RRset`` or a ``(dns.name.Name, dns.rdataset.Rdataset)`` tuple. *rrsigset* is the signature RRset to be validated. It can be a ``dns.rrset.RRset`` or a ``(dns.name.Name, dns.rdataset.Rdataset)`` tuple. *keys* is the key dictionary, used to find the DNSKEY associated with a given name. The dictionary is keyed by a ``dns.name.Name``, and has ``dns.node.Node`` or ``dns.rdataset.Rdataset`` values. *origin* is a ``dns.name.Name``, the origin to use for relative names. *now* is an ``int``, the time to use when validating the signatures, in seconds since the UNIX epoch. The default is the current time. rrzowner names do not matchNzno RRSIGs validated) rUrrVrWrXrrchoose_relativityrr) rrrsigsetrqr>rr rrsigname rrsigrdatasetrrs r _validaters&&,''##FCHHMM:%q(E""QK   MM   % %f -F++F3I  :;;  E$ <  1 22!   s C77 DDc[S5e)Nz5DNSSEC validation requires pycryptodome/pycryptodomex)NotImplementedError)argskwargss r_need_pycryptors U VVr)rrRrSrr)RSAr%)rr)rTc \rSrSrSrSrSrg)ricXlX lgrhrLr)selfrLrs r__init__ECKeyWrapper.__init__s & rcx[R"U5nURRR X25$rh)rrrLrverifies)rr[rdiglongs rrECKeyWrapper.verifys+ ..v6xx//==rrN)r r r rrrrr rrrrs  ' >rrFrh)NN)Uriorr\r dns.exceptionrVdns.namedns.node dns.rdataset dns.rdata dns.rdatatypedns.rdataclass_compatr exception DNSExceptionrrr#r$r%r&r'r(r)r*r+r-r.r,r/r0r2itemsr:r8r<rCrPrfrurxrzr}rrrrrrrrrr Crypto.HashrrRrSrrCrypto.PublicKeyrrrCrypto.Signaturerr Crypto.Utilr ImportErrorCryptodome.HashCryptodome.PublicKeyCryptodome.SignatureCryptodome.Utilvalidatevalidate_rrsig_have_pycryptor ecdsa.ecdsaecdsa.ellipticcurve ecdsa.keysr|objectr)rrs00rrs$5 !13==551+ 22+            (&&*);(@(@(BC(Bqt(BC   0"-J($ ,M9 5(" I8&V.r-3`W(> +AAG2&H$NN>"  >6 >G DT +EEK6* +(  H#NNK sB1E$E1F*F?FFFFFF$#F$