dnsviz / d5c8fda
Make wording more intuitive Casey Deccio 3 years ago
3 changed file(s) with 22 addition(s) and 22 deletion(s).
251251 super(AlgorithmNotSupported, self).__init__(**kwargs)
252252 self.template_kwargs['algorithm_text'] = dns.dnssec.algorithm_to_text(self.template_kwargs['algorithm'])
253253
254 class AlgorithmMustNotValidate(RRSIGError):
255 '''
256 >>> e = AlgorithmMustNotValidate(algorithm=5)
254 class AlgorithmValidationProhibited(RRSIGError):
255 '''
256 >>> e = AlgorithmValidationProhibited(algorithm=5)
257257 >>> e.args
258258 [5]
259259 >>> e.description
261261 '''
262262
263263 _abstract = False
264 code = 'ALGORITHM_MUST_NOT_VALIDATE'
264 code = 'ALGORITHM_VALIDATION_PROHIBITED'
265265 description_template = "DNSSEC specification prohibits validation of RRSIGs with DNSSEC algorithm %(algorithm)d (%(algorithm_text)s)."
266266 references = ['RFC 8624, Sec. 3.1']
267267 required_params = ['algorithm']
268268
269269 def __init__(self, **kwargs):
270 super(AlgorithmMustNotValidate, self).__init__(**kwargs)
270 super(AlgorithmValidationProhibited, self).__init__(**kwargs)
271271 self.template_kwargs['algorithm_text'] = dns.dnssec.algorithm_to_text(self.template_kwargs['algorithm'])
272272
273273 class DNSKEYRevokedRRSIG(RRSIGError):
532532 super(DigestAlgorithmNotSupported, self).__init__(**kwargs)
533533 self.template_kwargs['algorithm_text'] = fmt.DS_DIGEST_TYPES.get(self.template_kwargs['algorithm'], self.template_kwargs['algorithm'])
534534
535 class DigestAlgorithmMustNotValidate(DSDigestError):
536 '''
537 >>> e = DigestAlgorithmMustNotValidate(algorithm=5)
535 class DigestAlgorithmValidationProhibited(DSDigestError):
536 '''
537 >>> e = DigestAlgorithmValidationProhibited(algorithm=5)
538538 >>> e.description
539539 'DNSSEC specification prohibits validation of DS records that use digest algorithm 5 (5).'
540540 '''
541541
542542 _abstract = False
543 code = 'DIGEST_ALGORITHM_MUST_NOT_VALIDATE'
543 code = 'DIGEST_ALGORITHM_VALIDATION_PROHIBITED'
544544 description_template = "DNSSEC specification prohibits validation of DS records that use digest algorithm %(algorithm)d (%(algorithm_text)s)."
545545 references = ['RFC 8624, Sec. 3.2']
546546 required_params = ['algorithm']
547547
548548 def __init__(self, **kwargs):
549 super(DigestAlgorithmMustNotValidate, self).__init__(**kwargs)
549 super(DigestAlgorithmValidationProhibited, self).__init__(**kwargs)
550550 self.template_kwargs['algorithm_text'] = fmt.DS_DIGEST_TYPES.get(self.template_kwargs['algorithm'], self.template_kwargs['algorithm'])
551551
552552 class DNSKEYRevokedDS(DSDigestError):
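Review bot: The `code` strings at new lines 264 and 543 change from `'ALGORITHM_MUST_NOT_VALIDATE'` and `'DIGEST_ALGORITHM_MUST_NOT_VALIDATE'` to the `*_VALIDATION_PROHIBITED` forms, and unlike the class names these are runtime values rather than identifiers. If `code` is emitted in serialized analysis output (not visible here), any monitoring or alerting rule that matches the old strings will silently stop firing for zones signed with prohibited algorithms, so the rename deserves a changelog entry. For the class names, a module-level alias such as `AlgorithmMustNotValidate = AlgorithmValidationProhibited` (and likewise for the digest class) would keep external importers working through a deprecation period. The section shows fragments of several classes whose bodies begin or end outside the displayed lines.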
856856
857857 # unless we are overriding, mark prohibited algorithms as not supported
858858 if not validate_prohibited_algs:
859 supported_algs.difference_update(Status.DNSKEY_ALGS_MUST_NOT_VALIDATE)
860 supported_digest_algs.difference_update(Status.DS_DIGEST_ALGS_MUST_NOT_VALIDATE)
859 supported_algs.difference_update(Status.DNSKEY_ALGS_VALIDATION_PROHIBITED)
860 supported_digest_algs.difference_update(Status.DS_DIGEST_ALGS_VALIDATION_PROHIBITED)
861861
862862 self._populate_status(trusted_keys, supported_algs, supported_digest_algs, is_dlv, None, follow_mx)
863863
170170
171171 # RFC 8624 Section 3.1
172172 DNSKEY_ALGS_NOT_RECOMMENDED = (5, 7, 10)
173 DNSKEY_ALGS_MUST_NOT_SIGN = (1, 3, 6, 12)
174 DNSKEY_ALGS_MUST_NOT_VALIDATE = (1, 3, 6)
173 DNSKEY_ALGS_PROHIBITED = (1, 3, 6, 12)
174 DNSKEY_ALGS_VALIDATION_PROHIBITED = (1, 3, 6)
175175
176176 # RFC 8624 Section 3.2
177177 DS_DIGEST_ALGS_NOT_RECOMMENDED = ()
178 DS_DIGEST_ALGS_MUST_NOT_SIGN = (0, 1, 3)
179 DS_DIGEST_ALGS_MUST_NOT_VALIDATE = ()
178 DS_DIGEST_ALGS_PROHIBITED = (0, 1, 3)
179 DS_DIGEST_ALGS_VALIDATION_PROHIBITED = ()
180180
181181 class RRSIGStatus(object):
182182 def __init__(self, rrset, rrsig, dnskey, zone_name, reference_ts, supported_algs):
206206 else:
207207 # If there is a DNSKEY, then we look at *why* we are ignoring
208208 # the cryptographic signature.
209 if self.dnskey.rdata.algorithm in DNSKEY_ALGS_MUST_NOT_VALIDATE:
209 if self.dnskey.rdata.algorithm in DNSKEY_ALGS_VALIDATION_PROHIBITED:
210210 # In this case, specification dictates that the algorithm
211211 # MUST NOT be validated, so we mark it as ignored.
212212 if self.validation_status == RRSIG_STATUS_VALID:
224224 # Independent of whether or not we considered the cryptographic
225225 # validation, issue a warning if we are using an algorithm for which
226226 # validation has been prohibited.
227 if self.dnskey.rdata.algorithm in DNSKEY_ALGS_MUST_NOT_VALIDATE:
228 self.warnings.append(Errors.AlgorithmMustNotValidate(algorithm=self.rrsig.algorithm))
227 if self.dnskey.rdata.algorithm in DNSKEY_ALGS_VALIDATION_PROHIBITED:
228 self.warnings.append(Errors.AlgorithmValidationProhibited(algorithm=self.rrsig.algorithm))
229229
230230 if self.rrset.ttl_cmp:
231231 if self.rrset.rrset.ttl != self.rrset.rrsig_info[self.rrsig].ttl:
394394 else:
395395 # If there is a DNSKEY, then we look at *why* we are ignoring
396396 # the digest of the DNSKEY.
397 if self.ds.digest_type in DS_DIGEST_ALGS_MUST_NOT_VALIDATE:
397 if self.ds.digest_type in DS_DIGEST_ALGS_VALIDATION_PROHIBITED:
398398 # In this case, specification dictates that the algorithm
399399 # MUST NOT be validated, so we mark it as ignored.
400400 if self.validation_status == DS_STATUS_VALID:
412412 # Independent of whether or not we considered the digest for
413413 # validation, issue a warning if we are using a digest type for which
414414 # validation has been prohibited.
415 if self.ds.digest_type in DS_DIGEST_ALGS_MUST_NOT_VALIDATE:
416 self.warnings.append(Errors.DigestAlgorithmMustNotValidate(algorithm=self.ds.digest_type))
415 if self.ds.digest_type in DS_DIGEST_ALGS_VALIDATION_PROHIBITED:
416 self.warnings.append(Errors.DigestAlgorithmValidationProhibited(algorithm=self.ds.digest_type))
417417
418418 if self.dnskey is not None and \
419419 self.dnskey.rdata.flags & fmt.DNSKEY_FLAGS['revoke']:
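Review bot: `DNSKEY_ALGS_PROHIBITED = (1, 3, 6, 12)` at new line 173 no longer says that it is the signing restriction, and it now sits beside `DNSKEY_ALGS_VALIDATION_PROHIBITED = (1, 3, 6)` with a name that reads like the general case. The two sets differ by algorithm 12, so using the wrong one in a validation check would change how signatures made with that algorithm are treated; a comment such as `# signing prohibited; validation is governed by DNSKEY_ALGS_VALIDATION_PROHIBITED` on lines 173 and 178 would keep them apart. Separately, at new lines 227-228 the membership test reads `self.dnskey.rdata.algorithm` while the warning reports `self.rrsig.algorithm`; if the two can ever differ, the reported number will not be the one that triggered the warning, so passing `self.dnskey.rdata.algorithm` would be more consistent. The enclosing methods start and end outside the displayed lines.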