shell bypass 403

Cubjrnet7 Shell

: /usr/lib/python3.9/site-packages/dns/__pycache__/ [ drwxr-xr-x ]
upload mass deface mass delete console info server

name : dnssec.cpython-39.opt-1.pyc
a

�M�e���@s<dZddlZddlZddlZddlZddlZddlZddlmZddlm	Z	m
Z
mZmZm
Z
mZmZmZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlZddlmZmZm Z ddlm!Z!m"Z"m#Z#m$Z$ddl%m&Z&ddl'm(Z(dd	l)m*Z*dd
l+m,Z,ddl-m.Z.m/Z/ddl0m1Z1dd
l2m3Z3m4Z4ddl5m6Z6edZ7edZ8e	ej9j:ej;j<gdfZ=e>ed�dd�Z?eee@fe>d�dd�ZAeee>eBe@fe@d�dd�ZCee*e&fe@d�dd�ZDGdd�d�ZEGdd�deE�ZFeFejGejHejIejJhejGejHejIhejKejLejMhejKh�ZNeFeO�eO�eO�eO��ZPeNZQdeeejRjSe>fejTjUeee>feejRjSeeEeVe,d!�d"d#�ZWdfeejRjSe>fejTjUeee>feejRjSe(d$�d%d&�ZXe
ejRjSeejYjZej[j\ffe3eee*d'�d(d)�Z]eej;j<eejRjSejYjZffeejRjSejYjZfd*�d+d,�Z^e_e_e*dd-�d.d/�Z`dgeej;j<eejRjSejYjZffe3e
ejRjSeej[j\ejYjZffeejRjSeeBeeEdd0�d1d2�Zadheej;j<eejRjSejYjZffeej;j<eejRjSejYjZffe
ejRjSeej[j\ejYjZffeejRjSeeBeeEdd3�d4d5�Zbdieej;j<eejRjSejYjZffe8ejRjSe*eeee>e@eBfeeee>e@eBfee@eVeeEeejRjSe3d6�d7d8�Zcdjeej;j<eejRjSejYjZffe3eejRjSe_d9�d:d;�Zde6jed<fe7ee@e>fe@e@e*d=�d>d?�Zfe6jed<fe7ee@e>fe@e@e&d=�d@dA�ZgeejRjSe>feee>e_fe@ee@e>fe>dB�dCdD�Zhdkeej;j<eejRjSejYjZffe
eee>feejRjSejYjZdE�dFdG�ZiejYjZejYjZdH�dIdJ�ZjdleejRjSe>fejYjZeee>feejRjSejYjZdK�dLdM�ZkejYjZejYjZdH�dNdO�Zldmej9j:ej;j<ejRjSeee8e*feee8e*feeee>e@eBfeeee>e@eBfee@eeEeejRjSddP�dQdR�Zmdnejnjoeej9j:eeee8e*feVee@eeee>e@eBfeeee>e@eBfee@ee1ee=eeEddT�dUdV�Zpdoejnjoej9j:ee=ddW�dXdY�ZqdZd[�Zrejs�td\��r�dd]lumvZvdd^lwmxZxdd_lwmyZydd`lwmzZzddalwm{Z{ddblwm|Z|ddcl}m~Z~mZdddl�m�Z�m�Z�ebZ�eaZ�ecZ�efZ�egZ�dSZ�nerZ�erZ�erZ�erZ�erZ�d Z�ejGZGej�Z�ejHZHej�Z�ej�Z�ejIZIej�Z�ej�Z�ej�Z�ejJZJej�Z�ej�Z�ej�Z�ej�Z�ej�Z�ej�Z�ej�Z�dS)pz.Common DNSSEC-related functions and constants.�N)�datetime)�Callable�Dict�List�Optional�Set�Tuple�Union�cast)�	Algorithm�DSDigest�	NSEC3Hash)�AlgorithmKeyMismatch�DeniedByPolicy�UnsupportedAlgorithm�ValidationFailure)�CDNSKEY)�CDS)�DNSKEY)�DS)�NSEC�Bitmap)�
NSEC3PARAM)�RRSIG�sigtime_to_posixtime)�Flag)�GenericPublicKeyzrsa.RSAPublicKeyzec.EllipticCurvePublicKeyzed25519.Ed25519PublicKeyzed448.Ed448PublicKey)�GenericPrivateKeyzrsa.RSAPrivateKeyzec.EllipticCurvePrivateKeyzed25519.Ed25519PrivateKeyzed448.Ed448PrivateKey)�text�returncCs
t�|�S)z�Convert text into a DNSSEC algorithm value.

    *text*, a ``str``, the text to convert to into an algorithm value.

    Returns an ``int``.
    )r�	from_text)r�r!�./usr/lib/python3.9/site-packages/dns/dnssec.py�algorithm_from_textLsr#)�valuercCs
t�|�S)z�Convert a DNSSEC algorithm value to text

    *value*, a ``dns.dnssec.Algorithm``.

    Returns a ``str``, the name of a DNSSEC algorithm.
    )rZto_text�r$r!r!r"�algorithm_to_textWsr&cCsTt|t�rt|���St|t�r(t|�St|t�r:t|�St|t�rH|Std��dS)z%Convert various format to a timestampzUnsupported timestamp typeN)�
isinstancer�intZ	timestamp�strr�float�	TypeErrorr%r!r!r"�to_timestampbs



r,��keyrcCs�|��}|jtjkr(|dd>|dSd}tt|�d�D](}||d|d>|d|d7}q<t|�ddkr�||t|�dd>7}||d?d@7}|d@Sd	S)
z�Return the key id (a 16-bit number) for the specified key.

    *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY``

    Returns an ``int`` between 0 and 65535
    �������r���i��N)�to_wire�	algorithmr�RSAMD5�range�len)r.�rdata�total�ir!r!r"�key_idps&r=c@sTeZdZdd�Zeed�dd�Zeed�dd�Zeed�dd	�Z	eed�d
d�Z
dS)
�PolicycCsdS�Nr!)�selfr!r!r"�__init__�szPolicy.__init__)�_rcCsdS�NFr!�r@rBr!r!r"�
ok_to_sign�szPolicy.ok_to_signcCsdSrCr!rDr!r!r"�ok_to_validate�szPolicy.ok_to_validatecCsdSrCr!rDr!r!r"�ok_to_create_ds�szPolicy.ok_to_create_dscCsdSrCr!rDr!r!r"�ok_to_validate_ds�szPolicy.ok_to_validate_dsN)�__name__�
__module__�__qualname__rAr�boolrErFrrGrHr!r!r!r"r>�s
r>cs\eZdZ�fdd�Zeed�dd�Zeed�dd�Zeed�d	d
�Z	eed�dd�Z
�ZS)
�
SimpleDenycs&t���||_||_||_||_dSr?)�superrA�
_deny_sign�_deny_validate�_deny_create_ds�_deny_validate_ds)r@Z	deny_signZ
deny_validateZdeny_create_dsZdeny_validate_ds��	__class__r!r"rA�s

zSimpleDeny.__init__r-cCs|j|jvSr?)r6rO�r@r.r!r!r"rE�szSimpleDeny.ok_to_signcCs|j|jvSr?)r6rPrUr!r!r"rF�szSimpleDeny.ok_to_validate)r6rcCs
||jvSr?)rQ�r@r6r!r!r"rG�szSimpleDeny.ok_to_create_dscCs
||jvSr?)rRrVr!r!r"rH�szSimpleDeny.ok_to_validate_ds)rIrJrKrArrLrErFrrGrH�
__classcell__r!r!rSr"rM�s
rMF)�namer.r6�origin�policy�
validatingrcCsN|durt}zt|t�r$t|��}WntyDtd|��Yn0|rR|j}n|j}||�sdt	�t|t
tf�sztd��|tj
kr�t��}n4|tjkr�t��}n |tjkr�t��}ntd|��t|t�r�tj�||�}|����}|�|�|�|j|d��|��}	t�dt|�|j|�|	}
tj� tj!j"tj#j$|
dt%|
��}t&t$|�S)a�Create a DS record for a DNSSEC key.

    *name*, a ``dns.name.Name`` or ``str``, the owner name of the DS record.

    *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY`` or ``dns.rdtypes.ANY.DNSKEY.CDNSKEY``,
    the key the DS is about.

    *algorithm*, a ``str`` or ``int`` specifying the hash algorithm.
    The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case
    does not matter for these strings.

    *origin*, a ``dns.name.Name`` or ``None``.  If *key* is a relative name,
    then it will be made absolute using the specified origin.

    *policy*, a ``dns.dnssec.Policy`` or ``None``.  If ``None``, the default policy,
    ``dns.dnssec.default_policy`` is used; this policy defaults to that of RFC 8624.

    *validating*, a ``bool``.  If ``True``, then policy is checked in
    validating mode, i.e. "Is it ok to validate using this digest algorithm?".
    Otherwise the policy is checked in creating mode, i.e. "Is it ok to create a DS with
    this digest algorithm?".

    Raises ``UnsupportedAlgorithm`` if the algorithm is unknown.

    Raises ``DeniedByPolicy`` if the algorithm is denied by policy.

    Returns a ``dns.rdtypes.ANY.DS.DS``
    N�unsupported algorithm "%s"zkey is not a DNSKEY/CDNSKEY�rYz!HBBr)'�default_policyr'r)r�upper�	ExceptionrrHrGrrr�
ValueError�SHA1�hashlib�sha1ZSHA256Zsha256ZSHA384Zsha384�dnsrXr �canonicalizer5�update�digest�struct�packr=r6r:Z	from_wire�
rdataclass�IN�	rdatatyperr9r
)rXr.r6rYrZr[�checkZdshashZwirerhZdsrdata�dsr!r!r"�make_ds�s@%








�rp)rXr.r6rYrcCs0t||||�}t|jtjj|j|j|j|jd�S)a�Create a CDS record for a DNSSEC key.

    *name*, a ``dns.name.Name`` or ``str``, the owner name of the DS record.

    *key*, a ``dns.rdtypes.ANY.DNSKEY.DNSKEY`` or ``dns.rdtypes.ANY.DNSKEY.CDNSKEY``,
    the key the DS is about.

    *algorithm*, a ``str`` or ``int`` specifying the hash algorithm.
    The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case
    does not matter for these strings.

    *origin*, a ``dns.name.Name`` or ``None``.  If *key* is a relative name,
    then it will be made absolute using the specified origin.

    Raises ``UnsupportedAlgorithm`` if the algorithm is unknown.

    Returns a ``dns.rdtypes.ANY.DS.CDS``
    ��rdclass�rdtype�key_tagr6�digest_typerh)	rprrrrermrtr6rurh)rXr.r6rYror!r!r"�make_cdss�rv)�keys�rrsigrcsR|��j�}t|tjj�r0|�tjjtj	j
�}n|}|dur@dS�fdd�|D�S)NcsLg|]D}|j�jkrt|��jkr|jtj@tjkr|jdkrtt|��qS)�)	r6r=rt�flagsr�ZONE�protocolr
r)�.0Zrd�rxr!r"�
<listcomp>2s
�z(_find_candidate_keys.<locals>.<listcomp>)�get�signerr're�node�NodeZget_rdatasetrkrlrmr)rwrxr$�rdatasetr!r~r"�_find_candidate_keys(s
�r�)�rrsetrcCs(t|t�r|d|dfS|j|fSdS)Nrr3)r'�tuplerX)r�r!r!r"�_get_rrname_rdataset<s
r�)�sig�datar.rcCsDt|�j}z|�|�}Wnty2td��Yn0|�||�dS)Nzinvalid public key)�get_algorithm_cls_from_dnskey�
public_clsZfrom_dnskeyrar�verify)r�r�r.r��
public_keyr!r!r"�_validate_signatureEs
r�)r�rxrwrY�nowrZrc	
Cs�|durt}t||�}|dur&td��|dur6t��}|j|krHtd��|j|krZtd��t|||�}|D]B}|�|�szqjzt|j	||�WdSt
tfy�YqjYqj0qjtd��dS)a�Validate an RRset against a single signature rdata, throwing an
    exception if validation is not successful.

    *rrset*, the RRset to validate.  This can be a
    ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``)
    tuple.

    *rrsig*, a ``dns.rdata.Rdata``, the signature to validate.

    *keys*, the key dictionary, used to find the DNSKEY associated
    with a given name.  The dictionary is keyed by a
    ``dns.name.Name``, and has ``dns.node.Node`` or
    ``dns.rdataset.Rdataset`` values.

    *origin*, a ``dns.name.Name`` or ``None``, the origin to use for relative
    names.

    *now*, a ``float`` or ``None``, the time, in seconds since the epoch, to
    use as the current time when validating.  If ``None``, the actual current
    time is used.

    *policy*, a ``dns.dnssec.Policy`` or ``None``.  If ``None``, the default policy,
    ``dns.dnssec.default_policy`` is used; this policy defaults to that of RFC 8624.

    Raises ``ValidationFailure`` if the signature is expired, not yet valid,
    the public key is invalid, the algorithm is unknown, the verification
    fails, etc.

    Raises ``UnsupportedAlgorithm`` if the algorithm is recognized by
    dnspython but not implemented.
    Nzunknown keyZexpiredz
not yet validzverify failure)r^r�r�time�
expiration�	inception�_make_rrsig_signature_datarFr��	signature�InvalidSignature)	r�rxrwrYr�rZZcandidate_keysr�Z
candidate_keyr!r!r"�_validate_rrsigNs*(



r�)r��rrsigsetrwrYr�rZrc

Cs�|durt}t|t�r(tj�|tjj�}t|t�r<|d}n|j}t|t�r^|d}|d}n
|j}|}|�|�}|�|�}||kr�t	d��|D]H}	t|	t
�s�t	d��zt||	||||�WdSt	tfy�Yq�0q�t	d��dS)a�Validate an RRset against a signature RRset, throwing an exception
    if none of the signatures validate.

    *rrset*, the RRset to validate.  This can be a
    ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``)
    tuple.

    *rrsigset*, the signature RRset.  This can be a
    ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``)
    tuple.

    *keys*, the key dictionary, used to find the DNSKEY associated
    with a given name.  The dictionary is keyed by a
    ``dns.name.Name``, and has ``dns.node.Node`` or
    ``dns.rdataset.Rdataset`` values.

    *origin*, a ``dns.name.Name``, the origin to use for relative names;
    defaults to None.

    *now*, an ``int`` or ``None``, the time, in seconds since the epoch, to
    use as the current time when validating.  If ``None``, the actual current
    time is used.

    *policy*, a ``dns.dnssec.Policy`` or ``None``.  If ``None``, the default policy,
    ``dns.dnssec.default_policy`` is used; this policy defaults to that of RFC 8624.

    Raises ``ValidationFailure`` if the signature is expired, not yet valid,
    the public key is invalid, the algorithm is unknown, the verification
    fails, etc.
    Nrr3zowner names do not matchzexpected an RRSIGzno RRSIGs validated)
r^r'r)rerXr �rootr�Zchoose_relativityrrr�r)
r�r�rwrYr�rZ�rrnameZ	rrsignameZ
rrsigrdatasetrxr!r!r"�	_validate�s2'







r�)r��private_keyr��dnskeyr�r��lifetimer�rZrYrc

Csx|durt}|�|�st�t|t�rL|dj}
|dj}|d}|dj}
n|j}
|j}|j}|j}
|durvt	|�}nt
t���}|dur�t	|�}n|dur�||}ntd��|	dur�|�
|	�}t|�d}|��r�|d8}t|
tjj||j||
||t|�|dd�}tj�|||	�}t|t��r&|}n4zt|�}||d�}Wnt�yXtd��Yn0|�||�}tt|j|d	��S)
aSign RRset using private key.

    *rrset*, the RRset to validate.  This can be a
    ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``)
    tuple.

    *private_key*, the private key to use for signing, a
    ``cryptography.hazmat.primitives.asymmetric`` private key class applicable
    for DNSSEC.

    *signer*, a ``dns.name.Name``, the Signer's name.

    *dnskey*, a ``DNSKEY`` matching ``private_key``.

    *inception*, a ``datetime``, ``str``, ``int``, ``float`` or ``None``, the
    signature inception time.  If ``None``, the current time is used.  If a ``str``, the
    format is "YYYYMMDDHHMMSS" or alternatively the number of seconds since the UNIX
    epoch in text form; this is the same the RRSIG rdata's text form.
    Values of type `int` or `float` are interpreted as seconds since the UNIX epoch.

    *expiration*, a ``datetime``, ``str``, ``int``, ``float`` or ``None``, the signature
    expiration time.  If ``None``, the expiration time will be the inception time plus
    the value of the *lifetime* parameter.  See the description of *inception* above
    for how the various parameter types are interpreted.

    *lifetime*, an ``int`` or ``None``, the signature lifetime in seconds.  This
    parameter is only meaningful if *expiration* is ``None``.

    *verify*, a ``bool``.  If set to ``True``, the signer will verify signatures
    after they are created; the default is ``False``.

    *policy*, a ``dns.dnssec.Policy`` or ``None``.  If ``None``, the default policy,
    ``dns.dnssec.default_policy`` is used; this policy defaults to that of RFC 8624.

    *origin*, a ``dns.name.Name`` or ``None``.  If ``None``, the default, then all
    names in the rrset (including its owner name) must be absolute; otherwise the
    specified origin will be used to make names absolute when signing.

    Raises ``DeniedByPolicy`` if the signature is denied by policy.
    Nr3rz(expiration or lifetime must be specified�)rrrsZtype_coveredr6�labels�original_ttlr�r�rtr�r��r.zUnsupported key algorithm)r�)r^rErr'r�rrrs�ttlrXr,r(r�ra�derelativizer9�is_wildrrermr6r=�dnssecr�rr�rr+�signr
�replace)r�r�r�r�r�r�r�r�rZrYrrrsr�r�Zrrsig_inceptionZrrsig_expirationr�Zrrsig_templater�Zsigning_keyZprivate_clsr�r!r!r"�_sign�sb5







�r�)r�rxrYrcs�t�t�rtj��tjj��|j}|��sD�dur:td��|�	��}t
|�\}}d}||j|d�dd�7}||j�|�7}|��s��dur�td��|�	��}t
|�}|��r�|j|dkr�td��|d|jkr�td	��n2|j|dk�r|�|jd�d}tj�d
|�}|��}	t�d|j|j|j�}
�fdd
�|D�}t|�D]6}||	7}||
7}t�dt
|��}
||
7}||7}�qF|S)a�Create signature rdata.

    *rrset*, the RRset to sign/validate.  This can be a
    ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``)
    tuple.

    *rrsig*, a ``dns.rdata.Rdata``, the signature to validate, or the
    signature template used when signing.

    *origin*, a ``dns.name.Name`` or ``None``, the origin to use for relative
    names.

    Raises ``UnsupportedAlgorithm`` if the algorithm is recognized by
    dnspython but not implemented.
    Nz,relative RR name without an origin specifiedr�r]�r2z&wild owner name has wrong label lengthr3z#owner name longer than RRSIG labels�*z!HHIcsg|]}|����qSr!)�
to_digestable)r}r:r]r!r"r�r�z._make_rrsig_signature_data.<locals>.<listcomp>z!H)r'r)rerXr r�r��is_absoluterr�r�r5r�r9r�r��splitrirjrsrrr��sorted)r�rxrYr�r�r�r�Zname_len�suffixZ	rrnamebufZrrfixedZrdatasr:Zrrlenr!r]r"r�UsB



r�ry)r�r6rzr|rcCsDt�|�}t|t�r"|j||d�St|�j}||d�j||d�SdS)a�Convert a public key to DNSKEY Rdata

    *public_key*, a ``PublicKey`` (``GenericPublicKey`` or
    ``cryptography.hazmat.primitives.asymmetric``) to convert.

    *algorithm*, a ``str`` or ``int`` specifying the DNSKEY algorithm.

    *flags*: DNSKEY flags field as an integer.

    *protocol*: DNSKEY protocol field as an integer.

    Raises ``ValueError`` if the specified key algorithm parameters are not
    unsupported, ``TypeError`` if the key type is unsupported,
    `UnsupportedAlgorithm` if the algorithm is unknown and
    `AlgorithmKeyMismatch` if the algorithm does not match the key type.

    Return DNSKEY ``Rdata``.
    )rzr|r�N)rZmaker'rZ	to_dnskey�get_algorithm_clsr�)r�r6rzr|r�r!r!r"�_make_dnskey�s



r�cCs0t||||�}t|jtjj|j|j|j|jd�S)a�Convert a public key to CDNSKEY Rdata

    *public_key*, the public key to convert, a
    ``cryptography.hazmat.primitives.asymmetric`` public key class applicable
    for DNSSEC.

    *algorithm*, a ``str`` or ``int`` specifying the DNSKEY algorithm.

    *flags*: DNSKEY flags field as an integer.

    *protocol*: DNSKEY protocol field as an integer.

    Raises ``ValueError`` if the specified key algorithm parameters are not
    unsupported, ``TypeError`` if the key type is unsupported,
    `UnsupportedAlgorithm` if the algorithm is unknown and
    `AlgorithmKeyMismatch` if the algorithm does not match the key type.

    Return CDNSKEY ``Rdata``.
    �rrrsrzr|r6r.)	r�rrrrermrzr|r6r.)r�r6rzr|r�r!r!r"�
_make_cdnskey�s�r�)�domain�salt�
iterationsr6rc
Cst�dd�}zt|t�r$t|��}Wnty@td��Yn0|tjkrTtd��|durbd}n4t|t�r�t|�ddkr�t	�
|�}q�td��n|}t|tjj
�s�tj�|�}|����}t�||���}t|�D]}t�||���}q�t�|��d	�}	|	�|�}	|	S)
a�
    Calculate the NSEC3 hash, according to
    https://tools.ietf.org/html/rfc5155#section-5

    *domain*, a ``dns.name.Name`` or ``str``, the name to hash.

    *salt*, a ``str``, ``bytes``, or ``None``, the hash salt.  If a
    string, it is decoded as a hex string.

    *iterations*, an ``int``, the number of iterations.

    *algorithm*, a ``str`` or ``int``, the hash algorithm.
    The only defined algorithm is SHA1.

    Returns a ``str``, the encoded NSEC3 hash.
    Z ABCDEFGHIJKLMNOPQRSTUVWXYZ234567Z 0123456789ABCDEFGHIJKLMNOPQRSTUVz-Wrong hash algorithm (only SHA1 is supported)Nr�r2rzInvalid salt lengthzutf-8)r)�	maketransr'r
r_r`rarbr9�bytes�fromhexrerX�Namer rfr5rcrdrhr8�base64Z	b32encode�decode�	translate)
r�r�r�r6Zb32_conversionZsalt_encodedZdomain_encodedrhrB�outputr!r!r"�
nsec3_hash�s4�




r�)r��
algorithmsrYrc		Cst|�\}}|jtjjtjjtjjfvr0td��t�}|D]H}zt	|t
�rVt|��}Wnt
yvtd|��Yn0|�|�q:|jtjjkr�g}t|�D]}|j|vr�|�|�q�t|�dkr�td��tj�|j|�Sg}|D]}|�t||||��q�tj�|j|�S)aCreate a DS record from DNSKEY/CDNSKEY/CDS.

    *rrset*, the RRset to create DS Rdataset for.  This can be a
    ``dns.rrset.RRset`` or a (``dns.name.Name``, ``dns.rdataset.Rdataset``)
    tuple.

    *algorithms*, a set of ``str`` or ``int`` specifying the hash algorithms.
    The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case
    does not matter for these strings. If the RRset is a CDS, only digest
    algorithms matching algorithms are accepted.

    *origin*, a ``dns.name.Name`` or ``None``.  If `key` is a relative name,
    then it will be made absolute using the specified origin.

    Raises ``UnsupportedAlgorithm`` if any of the algorithms are unknown and
    ``ValueError`` if the given RRset is not usable.

    Returns a ``dns.rdataset.Rdataset``
    zrrset not a DNSKEY/CDNSKEY/CDSr\rzno acceptable CDS rdata found)r�rsrermrrrra�setr'r)rr_r`r�add�cds_rdataset_to_ds_rdatasetru�appendr9r��from_rdata_listr��extend�dnskey_rdataset_to_cds_rdataset)	r�r�rYr�r�Z_algorithmsr6�resr:r!r!r"�make_ds_rdatasets6�

r�)r�rcCs\|jtjjkrtd��g}|D],}|�t|jtjj|j|j	|j
|jd��qtj�
|j|�S)z�Create a CDS record from DS.

    *rdataset*, a ``dns.rdataset.Rdataset``, to create DS Rdataset for.

    Raises ``ValueError`` if the rdataset is not CDS.

    Returns a ``dns.rdataset.Rdataset``
    zrdataset not a CDSrq)rsrermrrar�rrrrtr6rurhr�r�r��r�r�r:r!r!r"r�Us��
r�)rXr�r6rYrcCsP|jtjjtjjfvrtd��g}|D]}|�t||||��q&tj�	|j
|�S)a�Create a CDS record from DNSKEY/CDNSKEY.

    *name*, a ``dns.name.Name`` or ``str``, the owner name of the CDS record.

    *rdataset*, a ``dns.rdataset.Rdataset``, to create DS Rdataset for.

    *algorithm*, a ``str`` or ``int`` specifying the hash algorithm.
    The currently supported hashes are "SHA1", "SHA256", and "SHA384". Case
    does not matter for these strings.

    *origin*, a ``dns.name.Name`` or ``None``.  If `key` is a relative name,
    then it will be made absolute using the specified origin.

    Raises ``UnsupportedAlgorithm`` if the algorithm is unknown or
    ``ValueError`` if the rdataset is not DNSKEY/CDNSKEY.

    Returns a ``dns.rdataset.Rdataset``
    zrdataset not a DNSKEY/CDNSKEY)rsrermrrrar�rvr�r�r�)rXr�r6rYr�r:r!r!r"r�rsr�cCsZ|jtjjkrtd��g}|D]*}|�t|j|j|j|j	|j
|jd��qtj�
|j|�S)z�Create a CDNSKEY record from DNSKEY.

    *rdataset*, a ``dns.rdataset.Rdataset``, to create CDNSKEY Rdataset for.

    Returns a ``dns.rdataset.Rdataset``
    zrdataset not a DNSKEYr�)rsrermrrar�rrrrzr|r6r.r�r�r�r�r!r!r"�#dnskey_rdataset_to_cdnskey_rdataset�s
��
r�)�txnr�r��ksks�zsksr�r�r�rZrYrc
Csr|jttjjjtjjjtjjjg�vr,|}
n|}
|
D]8\}}tjj	|||||||||	d�	}
|�
|j|j|
�q4dS)zDefault RRset signer)	r�r�r�r�r�r�r�rZrYN)
rsr�rerm�	RdataTyperrrr�r�r�rXr�)r�r�r�r�r�r�r�r�rZrYrwr�r�rxr!r!r"�default_rrset_signer�s*���r�T)�zoner�rw�
add_dnskey�
dnskey_ttlr�r�r��nsec3�rrset_signerrZrcCsBg}g}|rN|D]*}
|
djtj@r0|�|
�q|�|
�q|sD|}|sR|}ng}|rbt�|�}n|��}|��}|r�|dur�|�|jt	j
j�}|r�|j}n|�|jt	j
j
�}|j}|D]\}}|�|j||�q�|r�td��n@|	�ptjt|j||||||
|jd�	}t|||�Wd�SWd�n1�s40YdS)a?Sign zone.

    *zone*, a ``dns.zone.Zone``, the zone to sign.

    *txn*, a ``dns.transaction.Transaction``, an optional transaction to use for
    signing.

    *keys*, a list of (``PrivateKey``, ``DNSKEY``) tuples, to use for signing. KSK/ZSK
    roles are assigned automatically if the SEP flag is used, otherwise all RRsets are
    signed by all keys.

    *add_dnskey*, a ``bool``.  If ``True``, the default, all specified DNSKEYs are
    automatically added to the zone on signing.

    *dnskey_ttl*, a``int``, specifies the TTL for DNSKEY RRs. If not specified the TTL
    of the existing DNSKEY RRset used or the TTL of the SOA RRset.

    *inception*, a ``datetime``, ``str``, ``int``, ``float`` or ``None``, the signature
    inception time.  If ``None``, the current time is used.  If a ``str``, the format is
    "YYYYMMDDHHMMSS" or alternatively the number of seconds since the UNIX epoch in text
    form; this is the same the RRSIG rdata's text form. Values of type `int` or `float`
    are interpreted as seconds since the UNIX epoch.

    *expiration*, a ``datetime``, ``str``, ``int``, ``float`` or ``None``, the signature
    expiration time.  If ``None``, the expiration time will be the inception time plus
    the value of the *lifetime* parameter.  See the description of *inception* above for
    how the various parameter types are interpreted.

    *lifetime*, an ``int`` or ``None``, the signature lifetime in seconds.  This
    parameter is only meaningful if *expiration* is ``None``.

    *nsec3*, a ``NSEC3PARAM`` Rdata, configures signing using NSEC3. Not yet
    implemented.

    *rrset_signer*, a ``Callable``, an optional function for signing RRsets. The
    function requires two arguments: transaction and RRset. If the not specified,
    ``dns.dnssec.default_rrset_signer`` will be used.

    Returns ``None``.
    r3Nz&Signing with NSEC3 not yet implemented)r�r�r�r�r�r�rZrY)rzrZSEPr��
contextlib�nullcontext�writerr�rYrermrr�ZSOAr��NotImplementedError�	functools�partialr��_sign_zone_nsec)r�r�rwr�r�r�r�r�r�r�rZr�r�r.�cmZ_txnr�ZsoarBZ
_rrset_signerr!r!r"�	sign_zone�sN6

�r�)r�r�r�rc	Cs8dtjjtjjttjjtjjttt	dd�dd�}|�
�j}d}d}t|�
��D]�}|rh|�|�rhqRn$|�|tjj�r�||jkr�|}nd}|r�|�|�}|r�|jD]N}	|	jtjjkr�q�q�|r�|	jtjjkr�q�q�tjj||	jg|	�R�}
|||
�q�|du�r|||||j||�|}qR|�r4||||j|j||�dS)zNSEC zone signerN)r�rX�next_securerrr�r�rc
Ss�ttjjjtjjjg�}|�|�}|r�|r�tdd�|jD��|B}t�	t
|��}	tj�||t|tjjj||	d��}
|�
|
�|r�|||
�dS)zNSEC zone signer helpercSsg|]
}|j�qSr!)rs)r}r�r!r!r"rVr�z:_sign_zone_nsec.<locals>._txn_add_nsec.<locals>.<listcomp>)rrrs�next�windowsN)r�rermr�rr�get_node�	rdatasetsrZfrom_rdtypes�listr��
from_rdatar�)r�rXr�rrr�r�Zmandatory_typesr��typesr�r�r!r!r"�
_txn_add_nsecGs*	�
���

z&_sign_zone_nsec.<locals>._txn_add_nsec)N)re�transaction�TransactionrXr�rrkZ
RdataClassr(�RRsetSignerZget_soaZminimumr�Z
iterate_namesZis_subdomainr�rmZNSrYr�r�rsrrr�r�r�rr)r�r�r�r�Z	rrsig_ttlZ
delegationZlast_securerXr�r�r�r!r!r"r�@sH
�
� 



�r�cOstd��dS)Nz.DNSSEC validation requires python cryptography)�ImportError)�args�kwargsr!r!r"�
_need_pyca�s�r�r�)r�)�dsa)�ec)�ed448)�rsa)�ed25519)r�r�)rr)NNF)N)NNN)NNN)NNNFNN)N)N)N)NNNNN)
NNTNNNNNNN)N)��__doc__r�r�r�rcrir�r�typingrrrrrrr	r
Z
dns._featuresreZ
dns.exceptionZdns.nameZdns.nodeZ	dns.rdataZdns.rdataclassZdns.rdatasetZ
dns.rdatatypeZ	dns.rrsetZdns.transactionZdns.zoneZdns.dnssectypesrrr
rrrrZdns.rdtypes.ANY.CDNSKEYrZdns.rdtypes.ANY.CDSrZdns.rdtypes.ANY.DNSKEYrZdns.rdtypes.ANY.DSrZdns.rdtypes.ANY.NSECrrZdns.rdtypes.ANY.NSEC3PARAMrZdns.rdtypes.ANY.RRSIGrrZdns.rdtypes.dnskeybaserZ	PublicKeyZ
PrivateKeyr�r�r�ZRRsetr�r)r#r(r&r*r,r=r>rMr7ZDSAZDSANSEC3SHA1ZECCGOSTZNULLrbZGOSTZrfc_8624_policyr�Zallow_all_policyr^rXr�r:ZRdatarLrprvr�ZRdatasetr�r�r�r�r�r�r�r�r�r�r{r�r�r�r�r�r�r�r�r�ZZoner�r�r�Z	_featuresZhaveZcryptography.exceptionsr�Z)cryptography.hazmat.primitives.asymmetricr�r�r�r�r�Zdns.dnssecalgsr�r�Zdns.dnssecalgs.baserrZvalidateZvalidate_rrsigr�Zmake_dnskeyZmake_cdnskeyZ
_have_pycaZDHZECCZRSASHA1ZRSASHA1NSEC3SHA1Z	RSASHA256Z	RSASHA512ZECDSAP256SHA256ZECDSAP384SHA384ZED25519ZED448ZINDIRECTZ
PRIVATEDNSZ
PRIVATEOIDr!r!r!r"�<module>s(����

�P�

�% 
��	
�
�I�
�N�
�|�
�D�
�%�
�'
�@�
�;�!�

�"�!�
�*�
�m��O

© 2025 Cubjrnet7