Make wording more intuitive
Casey Deccio
3 years ago
251 | 251 | super(AlgorithmNotSupported, self).__init__(**kwargs) |
252 | 252 | self.template_kwargs['algorithm_text'] = dns.dnssec.algorithm_to_text(self.template_kwargs['algorithm']) |
253 | 253 | |
254 | class AlgorithmMustNotValidate(RRSIGError): | |
255 | ''' | |
256 | >>> e = AlgorithmMustNotValidate(algorithm=5) | |
254 | class AlgorithmValidationProhibited(RRSIGError): | |
255 | ''' | |
256 | >>> e = AlgorithmValidationProhibited(algorithm=5) | |
257 | 257 | >>> e.args |
258 | 258 | [5] |
259 | 259 | >>> e.description |
261 | 261 | ''' |
262 | 262 | |
263 | 263 | _abstract = False |
264 | code = 'ALGORITHM_MUST_NOT_VALIDATE' | |
264 | code = 'ALGORITHM_VALIDATION_PROHIBITED' | |
265 | 265 | description_template = "DNSSEC specification prohibits validation of RRSIGs with DNSSEC algorithm %(algorithm)d (%(algorithm_text)s)." |
266 | 266 | references = ['RFC 8624, Sec. 3.1'] |
267 | 267 | required_params = ['algorithm'] |
268 | 268 | |
269 | 269 | def __init__(self, **kwargs): |
270 | super(AlgorithmMustNotValidate, self).__init__(**kwargs) | |
270 | super(AlgorithmValidationProhibited, self).__init__(**kwargs) | |
271 | 271 | self.template_kwargs['algorithm_text'] = dns.dnssec.algorithm_to_text(self.template_kwargs['algorithm']) |
272 | 272 | |
273 | 273 | class DNSKEYRevokedRRSIG(RRSIGError): |
532 | 532 | super(DigestAlgorithmNotSupported, self).__init__(**kwargs) |
533 | 533 | self.template_kwargs['algorithm_text'] = fmt.DS_DIGEST_TYPES.get(self.template_kwargs['algorithm'], self.template_kwargs['algorithm']) |
534 | 534 | |
535 | class DigestAlgorithmMustNotValidate(DSDigestError): | |
536 | ''' | |
537 | >>> e = DigestAlgorithmMustNotValidate(algorithm=5) | |
535 | class DigestAlgorithmValidationProhibited(DSDigestError): | |
536 | ''' | |
537 | >>> e = DigestAlgorithmValidationProhibited(algorithm=5) | |
538 | 538 | >>> e.description |
539 | 539 | 'DNSSEC specification prohibits validation of DS records that use digest algorithm 5 (5).' |
540 | 540 | ''' |
541 | 541 | |
542 | 542 | _abstract = False |
543 | code = 'DIGEST_ALGORITHM_MUST_NOT_VALIDATE' | |
543 | code = 'DIGEST_ALGORITHM_VALIDATION_PROHIBITED' | |
544 | 544 | description_template = "DNSSEC specification prohibits validation of DS records that use digest algorithm %(algorithm)d (%(algorithm_text)s)." |
545 | 545 | references = ['RFC 8624, Sec. 3.2'] |
546 | 546 | required_params = ['algorithm'] |
547 | 547 | |
548 | 548 | def __init__(self, **kwargs): |
549 | super(DigestAlgorithmMustNotValidate, self).__init__(**kwargs) | |
549 | super(DigestAlgorithmValidationProhibited, self).__init__(**kwargs) | |
550 | 550 | self.template_kwargs['algorithm_text'] = fmt.DS_DIGEST_TYPES.get(self.template_kwargs['algorithm'], self.template_kwargs['algorithm']) |
551 | 551 | |
552 | 552 | class DNSKEYRevokedDS(DSDigestError): |
856 | 856 | |
857 | 857 | # unless we are overriding, mark prohibited algorithms as not supported |
858 | 858 | if not validate_prohibited_algs: |
859 | supported_algs.difference_update(Status.DNSKEY_ALGS_MUST_NOT_VALIDATE) | |
860 | supported_digest_algs.difference_update(Status.DS_DIGEST_ALGS_MUST_NOT_VALIDATE) | |
859 | supported_algs.difference_update(Status.DNSKEY_ALGS_VALIDATION_PROHIBITED) | |
860 | supported_digest_algs.difference_update(Status.DS_DIGEST_ALGS_VALIDATION_PROHIBITED) | |
861 | 861 | |
862 | 862 | self._populate_status(trusted_keys, supported_algs, supported_digest_algs, is_dlv, None, follow_mx) |
863 | 863 |
170 | 170 | |
171 | 171 | # RFC 8624 Section 3.1 |
172 | 172 | DNSKEY_ALGS_NOT_RECOMMENDED = (5, 7, 10) |
173 | DNSKEY_ALGS_MUST_NOT_SIGN = (1, 3, 6, 12) | |
174 | DNSKEY_ALGS_MUST_NOT_VALIDATE = (1, 3, 6) | |
173 | DNSKEY_ALGS_PROHIBITED = (1, 3, 6, 12) | |
174 | DNSKEY_ALGS_VALIDATION_PROHIBITED = (1, 3, 6) | |
175 | 175 | |
176 | 176 | # RFC 8624 Section 3.2 |
177 | 177 | DS_DIGEST_ALGS_NOT_RECOMMENDED = () |
178 | DS_DIGEST_ALGS_MUST_NOT_SIGN = (0, 1, 3) | |
179 | DS_DIGEST_ALGS_MUST_NOT_VALIDATE = () | |
178 | DS_DIGEST_ALGS_PROHIBITED = (0, 1, 3) | |
179 | DS_DIGEST_ALGS_VALIDATION_PROHIBITED = () | |
180 | 180 | |
181 | 181 | class RRSIGStatus(object): |
182 | 182 | def __init__(self, rrset, rrsig, dnskey, zone_name, reference_ts, supported_algs): |
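Review bot: The new name `DNSKEY_ALGS_PROHIBITED` on line 173 drops the qualifier that `DNSKEY_ALGS_MUST_NOT_SIGN` carried, and the two tuples on lines 173–174 show why it matters: (1, 3, 6, 12) versus (1, 3, 6) differ only in 12, so 12 is prohibited on the signing side but not on the validation side, yet the bare name now reads as if it were prohibited outright. The same applies to `DS_DIGEST_ALGS_PROHIBITED` on line 178 next to `DS_DIGEST_ALGS_VALIDATION_PROHIBITED` on line 179. Naming the axis on both sides, e.g. `DNSKEY_ALGS_SIGNING_PROHIBITED = (1, 3, 6, 12)` and `DS_DIGEST_ALGS_SIGNING_PROHIBITED = (0, 1, 3)`, keeps the pair parallel; failing that, a comment on line 173 such as `# prohibited for signing only; the validation-side list is DNSKEY_ALGS_VALIDATION_PROHIBITED` would prevent a reader from conflating the two. Whether other modules reference the signing-side names is not visible in this hunk, so any further rename would need a grep across the package.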
206 | 206 | else: |
207 | 207 | # If there is a DNSKEY, then we look at *why* we are ignoring |
208 | 208 | # the cryptographic signature. |
209 | if self.dnskey.rdata.algorithm in DNSKEY_ALGS_MUST_NOT_VALIDATE: | |
209 | if self.dnskey.rdata.algorithm in DNSKEY_ALGS_VALIDATION_PROHIBITED: | |
210 | 210 | # In this case, specification dictates that the algorithm |
211 | 211 | # MUST NOT be validated, so we mark it as ignored. |
212 | 212 | if self.validation_status == RRSIG_STATUS_VALID: |
224 | 224 | # Independent of whether or not we considered the cryptographic |
225 | 225 | # validation, issue a warning if we are using an algorithm for which |
226 | 226 | # validation has been prohibited. |
227 | if self.dnskey.rdata.algorithm in DNSKEY_ALGS_MUST_NOT_VALIDATE: | |
228 | self.warnings.append(Errors.AlgorithmMustNotValidate(algorithm=self.rrsig.algorithm)) | |
227 | if self.dnskey.rdata.algorithm in DNSKEY_ALGS_VALIDATION_PROHIBITED: | |
228 | self.warnings.append(Errors.AlgorithmValidationProhibited(algorithm=self.rrsig.algorithm)) | |
229 | 229 | |
230 | 230 | if self.rrset.ttl_cmp: |
231 | 231 | if self.rrset.rrset.ttl != self.rrset.rrsig_info[self.rrsig].ttl: |
394 | 394 | else: |
395 | 395 | # If there is a DNSKEY, then we look at *why* we are ignoring |
396 | 396 | # the digest of the DNSKEY. |
397 | if self.ds.digest_type in DS_DIGEST_ALGS_MUST_NOT_VALIDATE: | |
397 | if self.ds.digest_type in DS_DIGEST_ALGS_VALIDATION_PROHIBITED: | |
398 | 398 | # In this case, specification dictates that the algorithm |
399 | 399 | # MUST NOT be validated, so we mark it as ignored. |
400 | 400 | if self.validation_status == DS_STATUS_VALID: |
412 | 412 | # Independent of whether or not we considered the digest for |
413 | 413 | # validation, issue a warning if we are using a digest type for which |
414 | 414 | # validation has been prohibited. |
415 | if self.ds.digest_type in DS_DIGEST_ALGS_MUST_NOT_VALIDATE: | |
416 | self.warnings.append(Errors.DigestAlgorithmMustNotValidate(algorithm=self.ds.digest_type)) | |
415 | if self.ds.digest_type in DS_DIGEST_ALGS_VALIDATION_PROHIBITED: | |
416 | self.warnings.append(Errors.DigestAlgorithmValidationProhibited(algorithm=self.ds.digest_type)) | |
417 | 417 | |
418 | 418 | if self.dnskey is not None and \ |
419 | 419 | self.dnskey.rdata.flags & fmt.DNSKEY_FLAGS['revoke']: |