/usr/lib/python2.7/site-packages/dnf/dnssec.py (compiled Python 2.7 module; recoverable names, docstrings and string constants)

Imports: __future__ (print_function, absolute_import, unicode_literals), enum (Enum), base64, hashlib, logging, re, dnf.i18n (_), dnf.rpm.transaction, dnf.exceptions

Module-level names: logger (logging.getLogger, string constant "dnf"), RR_TYPE_OPENPGPKEY, RR_CLASS_IN

class DnssecError (base: dnf.exceptions.Error)
    Docstring: Exception used in the dnssec module

email2location(email_address, tag), string constant "_openpgpkey"
    Docstring: Implements RFC 7929, section 3
               https://tools.ietf.org/html/rfc7929#section-3
               :param email_address:
               :param tag:
               :return:
    Names referenced: split, len, DnssecError, hashlib, sha256, update, encode, base64, b16encode, digest, decode, lower
    String constants: "@", "utf-8", "."

class Validity (base: Enum)
    Docstring: Output of the verification algorithm.
               TODO: this type might be simplified in order to less reflect the underlying DNS layer.
               TODO: more specifically the variants from 3 to 5 should have more understandable names
    Members: VALID, REVOKED, PROVEN_NONEXISTENCE, RESULT_NOT_SECURE, BOGUS_RESULT, ERROR

class NoKey
    Docstring: This class represents an absence of a key in the cache. It is an expression of non-existence using the Python's type system.

class KeyInfo
    Docstring: Wrapper class for email and associated verification key, where both are represented in form of a string.
    __init__(self, email, key)
    from_rpm_key_object(userid, raw_key) (staticmethod)
        Docstring: Since dnf uses different format of the key than the one used in DNS RR, I need to convert the former one into the new one.
        Names referenced: re, search, None, DnssecError, group, decode, split, range, len, join, encode, KeyInfo
        String constants: "<(.*@.*)>", "ascii", "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

class DNSSECKeyVerification
    Docstring: The main class when it comes to verification itself. It wraps Unbound context and a cache with already obtained results.
    _cache_hit(key_union, input_key_string)
        Docstring: Compare the key in case it was found in the cache.
    _cache_miss(input_key)
        Docstring: In case the key was not found in the cache, create an Unbound context and contact the DNS system
        Names referenced: unbound, ImportError, RuntimeError, format, ub_ctx, set_option, logger, debug, resolvconf, add_ta_file, resolve, RR_TYPE_OPENPGPKEY, RR_CLASS_IN, bogus, secure, nxdomain, havedata, data, as_raw_data, b64encode
        String constants:
            "Configuration option 'gpgkey_dns_verification' requires libunbound ({})"
            "verbosity:", "0"
            "Unbound context: Failed to set verbosity"
            "qname-minimisation:", "yes"
            "Unbound context: Failed to set qname minimisation"
            "Unbound context: Failed to read resolv.conf"
            "/var/lib/unbound/root.key"
            "Unbound context: Failed to add trust anchor file"

_query_db_for_gpg_keys
    Names referenced: dnf, rpm, transaction, TransactionWrapper, dbMatch, transaction_set, packages, return_list, pkg, packager, description, key_lines, key_str
    String constants: "description"

check_imported_keys_validity
    Names referenced: info, keys
    String constants:
        "Testing already imported keys for their validity."
        "GPG Key {} is valid"
        "GPG Key {} does not support DNS verification"
        "GPG Key {} could not be verified, because DNSSEC signatures are bogus. Possible causes: wrong configuration of the DNS server, MITM attack"
        "GPG Key {} has been revoked and should be removed immediately"
        "GPG Key {} could not be tested"