Fix namespace contamination issue that broke DSA validation v1.9.1
authorBob Halley <halley@nominum.com>
Mon, 22 Nov 2010 11:50:04 +0000 (11:50 +0000)
committerBob Halley <halley@nominum.com>
Mon, 22 Nov 2010 11:50:04 +0000 (11:50 +0000)
ChangeLog
README
dns/dnssec.py
dns/version.py
setup.py
tests/dnssec.py

index 83d025074020204b8329a2dbca87fae533a8ddb5..de1fe7a72373ac0c0893fa4693ecfcf2e5b90050 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2010-11-22  Bob Halley  <halley@dnspython.org>
+
+       * (Version 1.9.1 released)
+
+2010-11-22  Bob Halley  <halley@dnspython.org>
+
+       * dns/dnssec.py: the "from" style import used to get DSA from
+         PyCrypto trashed a DSA constant.  Now a normal import is used
+         to avoid namespace contamination.
+
 2010-11-20  Bob Halley  <halley@dnspython.org>
 
        * (Version 1.9.0 released)
diff --git a/README b/README
index a868408ad8a870c7bc65685f1d786d67b6b7b70b..f2db0f27d4fed7082fff9e75d0d835fa6d13433f 100644 (file)
--- a/README
+++ b/README
@@ -22,7 +22,16 @@ development by continuing to employ the author :).
 
 ABOUT THIS RELEASE
 
-This is dnspython 1.9.0
+This is dnspython 1.9.1
+
+New since 1.8.0:
+
+       Nothing.
+
+Bugs fixed since 1.9.0
+
+        The dns.dnssec module didn't work with DSA due to namespace
+       contamination from a "from"-style import.
 
 New since 1.8.0:
 
index 3831a145ddf7b937c6df2a3440a8f12b9595588b..d2d607d9d78f58d48ceff5727fc4cf30bbec5732 100644 (file)
@@ -249,8 +249,9 @@ def _validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
         rsa_e = keyptr[0:bytes]
         rsa_n = keyptr[bytes:]
         keylen = len(rsa_n) * 8
-        pubkey = RSA.construct((Crypto.Util.number.bytes_to_long(rsa_n),
-                                Crypto.Util.number.bytes_to_long(rsa_e)))
+        pubkey = Crypto.PublicKey.RSA.construct(
+            (Crypto.Util.number.bytes_to_long(rsa_n),
+             Crypto.Util.number.bytes_to_long(rsa_e)))
         sig = (Crypto.Util.number.bytes_to_long(rrsig.signature),)
     elif _is_dsa(rrsig.algorithm):
         keyptr = key.key
@@ -264,10 +265,11 @@ def _validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
         dsa_g = keyptr[0:octets]
         keyptr = keyptr[octets:]
         dsa_y = keyptr[0:octets]
-        pubkey = DSA.construct((Crypto.Util.number.bytes_to_long(dsa_y),
-                                Crypto.Util.number.bytes_to_long(dsa_g),
-                                Crypto.Util.number.bytes_to_long(dsa_p),
-                                Crypto.Util.number.bytes_to_long(dsa_q)))
+        pubkey = Crypto.PublicKey.DSA.construct(
+            (Crypto.Util.number.bytes_to_long(dsa_y),
+             Crypto.Util.number.bytes_to_long(dsa_g),
+             Crypto.Util.number.bytes_to_long(dsa_p),
+             Crypto.Util.number.bytes_to_long(dsa_q)))
         (dsa_r, dsa_s) = struct.unpack('!20s20s', rrsig.signature[1:])
         sig = (Crypto.Util.number.bytes_to_long(dsa_r),
                Crypto.Util.number.bytes_to_long(dsa_s))
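Review bot: The unchanged line right after the rewritten `DSA.construct` call, `struct.unpack('!20s20s', rrsig.signature[1:])`, only succeeds when the signature is exactly 41 octets, so an RRSIG of any other length from an untrusted response would raise `struct.error` rather than `ValidationFailure`. Unless a length check exists in the part of `_validate_rrsig` outside this hunk, a guard before the unpack would keep malformed input on the documented failure path, for example `if len(rrsig.signature) != 41:` followed by `raise ValidationFailure, 'invalid DSA signature length'`. The `dsa_g` and `dsa_y` slices above are also taken without checking that `keyptr` still holds `octets` bytes, so a short key would silently yield truncated parameters. The function begins and ends outside the hunk, so this should be confirmed against the full body.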
@@ -360,7 +362,7 @@ def _need_pycrypto(*args, **kwargs):
     raise NotImplementedError, "DNSSEC validation requires pycrypto"
 
 try:
-    from Crypto.PublicKey import RSA,DSA
+    import Crypto.PublicKey
     import Crypto.Util.number
     validate = _validate
     validate_rrsig = _validate_rrsig
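Review bot: `import Crypto.PublicKey` loads only the package, not its `RSA` and `DSA` submodules. The `Crypto.PublicKey.RSA.construct` and `Crypto.PublicKey.DSA.construct` calls in the two `_validate_rrsig` hunks above can therefore raise `AttributeError` at validation time, unless the package's `__init__` or some other import in the process has already loaded those submodules (neither is visible here). Importing the submodules explicitly avoids the namespace contamination without that dependence: `import Crypto.PublicKey.RSA` and `import Crypto.PublicKey.DSA`. The `except` clause of this `try` is outside the hunk; if it catches only `ImportError`, the failure would not fall back to `_need_pycrypto` but would surface on the first validation.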
index 251079f4cfa99123e20cac2d485b5eeff1969ee2..8d20c1343a10a72c4934b53a8546504d160b333a 100644 (file)
@@ -17,7 +17,7 @@
 
 MAJOR = 1
 MINOR = 9
-MICRO = 0
+MICRO = 1
 RELEASELEVEL = 0x0f
 SERIAL = 0
 
index 51c0ef8c1f8be021a2f3bc8ae87d78fb0835a2f9..01fddf7b54178e26660bb7d64e73686fba050979 100755 (executable)
--- a/setup.py
+++ b/setup.py
@@ -18,7 +18,7 @@
 import sys
 from distutils.core import setup
 
-version = '1.9.0'
+version = '1.9.1'
 
 kwargs = {
     'name' : 'dnspython',
index 719905464de44fe6c1f0e21d5b143a2417b44f53..7e99d410d844713c4de8fe4429322a1396910ff4 100644 (file)
@@ -62,31 +62,77 @@ sep_key = dns.rdata.from_text(dns.rdataclass.IN, dns.rdatatype.DNSKEY,
 good_ds = dns.rdata.from_text(dns.rdataclass.IN, dns.rdatatype.DS,
                               '57349 5 2 53A79A3E7488AB44FFC56B2D1109F0699D1796DD977E72108B841F96 E47D7013')
 
+when2 = 1290425644
+
+abs_example = dns.name.from_text('example')
+
+abs_dsa_keys = { abs_example :
+                 dns.rrset.from_text('example.', 86400, 'IN', 'DNSKEY',
+                                     '257 3 3 CI3nCqyJsiCJHTjrNsJOT4RaszetzcJPYuoH3F9ZTVt3KJXncCVR3bwn 1w0iavKljb9hDlAYSfHbFCp4ic/rvg4p1L8vh5s8ToMjqDNl40A0hUGQ Ybx5hsECyK+qHoajilUX1phYSAD8d9WAGO3fDWzUPBuzR7o85NiZCDxz yXuNVfni0uhj9n1KYhEO5yAbbruDGN89wIZcxMKuQsdUY2GYD93ssnBv a55W6XRABYWayKZ90WkRVODLVYLSn53Pj/wwxGH+XdhIAZJXimrZL4yl My7rtBsLMqq8Ihs4Tows7LqYwY7cp6y/50tw6pj8tFqMYcPUjKZV36l1 M/2t5BVg3i7IK61Aidt6aoC3TDJtzAxg3ZxfjZWJfhHjMJqzQIfbW5b9 q1mjFsW5EUv39RaNnX+3JWPRLyDqD4pIwDyqfutMsdk/Py3paHn82FGp CaOg+nicqZ9TiMZURN/XXy5JoXUNQ3RNvbHCUiPUe18KUkY6mTfnyHld 1l9YCWmzXQVClkx/hOYxjJ4j8Ife58+Obu5X',
+                                     '256 3 3 CJE1yb9YRQiw5d2xZrMUMR+cGCTt1bp1KDCefmYKmS+Z1+q9f42ETVhx JRiQwXclYwmxborzIkSZegTNYIV6mrYwbNB27Q44c3UGcspb3PiOw5TC jNPRYEcdwGvDZ2wWy+vkSV/S9tHXY8O6ODiE6abZJDDg/RnITyi+eoDL R3KZ5n/V1f1T1b90rrV6EewhBGQJpQGDogaXb2oHww9Tm6NfXyo7SoMM pbwbzOckXv+GxRPJIQNSF4D4A9E8XCksuzVVdE/0lr37+uoiAiPia38U 5W2QWe/FJAEPLjIp2eTzf0TrADc1pKP1wrA2ASpdzpm/aX3IB5RPp8Ew S9U72eBFZJAUwg635HxJVxH1maG6atzorR566E+e0OZSaxXS9o1o6QqN 3oPlYLGPORDiExilKfez3C/x/yioOupW9K5eKF0gmtaqrHX0oq9s67f/ RIM2xVaKHgG9Vf2cgJIZkhv7sntujr+E4htnRmy9P9BxyFxsItYxPI6Z bzygHAZpGhlI/7ltEGlIwKxyTK3ZKBm67q7B')
+                 }
+
+abs_dsa_soa = dns.rrset.from_text('example.', 86400, 'IN', 'SOA',
+                                  'ns1.example. hostmaster.example. 2 10800 3600 604800 86400')
+
+abs_other_dsa_soa = dns.rrset.from_text('example.', 86400, 'IN', 'SOA',
+                                        'ns1.example. hostmaster.example. 2 10800 3600 604800 86401')
+
+abs_dsa_soa_rrsig = dns.rrset.from_text('example.', 86400, 'IN', 'RRSIG',
+                                        'SOA 3 1 86400 20101129143231 20101122112731 42088 example. CGul9SuBofsktunV8cJs4eRs6u+3NCS3yaPKvBbD+pB2C76OUXDZq9U=')
+
+example_sep_key = dns.rdata.from_text(dns.rdataclass.IN, dns.rdatatype.DNSKEY,
+                                      '257 3 3 CI3nCqyJsiCJHTjrNsJOT4RaszetzcJPYuoH3F9ZTVt3KJXncCVR3bwn 1w0iavKljb9hDlAYSfHbFCp4ic/rvg4p1L8vh5s8ToMjqDNl40A0hUGQ Ybx5hsECyK+qHoajilUX1phYSAD8d9WAGO3fDWzUPBuzR7o85NiZCDxz yXuNVfni0uhj9n1KYhEO5yAbbruDGN89wIZcxMKuQsdUY2GYD93ssnBv a55W6XRABYWayKZ90WkRVODLVYLSn53Pj/wwxGH+XdhIAZJXimrZL4yl My7rtBsLMqq8Ihs4Tows7LqYwY7cp6y/50tw6pj8tFqMYcPUjKZV36l1 M/2t5BVg3i7IK61Aidt6aoC3TDJtzAxg3ZxfjZWJfhHjMJqzQIfbW5b9 q1mjFsW5EUv39RaNnX+3JWPRLyDqD4pIwDyqfutMsdk/Py3paHn82FGp CaOg+nicqZ9TiMZURN/XXy5JoXUNQ3RNvbHCUiPUe18KUkY6mTfnyHld 1l9YCWmzXQVClkx/hOYxjJ4j8Ife58+Obu5X')
+
+example_ds_sha1 = dns.rdata.from_text(dns.rdataclass.IN, dns.rdatatype.DS,
+                                      '18673 3 1 71b71d4f3e11bbd71b4eff12cde69f7f9215bbe7')
+
+example_ds_sha256 = dns.rdata.from_text(dns.rdataclass.IN, dns.rdatatype.DS,
+                                        '18673 3 2 eb8344cbbf07c9d3d3d6c81d10c76653e28d8611a65e639ef8f716e4e4e5d913')
+
 class DNSSECValidatorTestCase(unittest.TestCase):
 
-    def testAbsoluteGood(self):
+    def testAbsoluteRSAGood(self):
         dns.dnssec.validate(abs_soa, abs_soa_rrsig, abs_keys, None, when)
 
-    def testAbsoluteBad(self):
+    def testAbsoluteRSABad(self):
         def bad():
             dns.dnssec.validate(abs_other_soa, abs_soa_rrsig, abs_keys, None,
                                 when)
         self.failUnlessRaises(dns.dnssec.ValidationFailure, bad)
 
-    def testRelativeGood(self):
+    def testRelativeRSAGood(self):
         dns.dnssec.validate(rel_soa, rel_soa_rrsig, rel_keys,
                             abs_dnspython_org, when)
 
-    def testRelativeBad(self):
+    def testRelativeRSABad(self):
         def bad():
             dns.dnssec.validate(rel_other_soa, rel_soa_rrsig, rel_keys,
                                 abs_dnspython_org, when)
         self.failUnlessRaises(dns.dnssec.ValidationFailure, bad)
 
-    def testMakeDS(self):
+    def testMakeSHA256DS(self):
         ds = dns.dnssec.make_ds(abs_dnspython_org, sep_key, 'SHA256')
         self.failUnless(ds == good_ds)
 
+    def testAbsoluteDSAGood(self):
+        dns.dnssec.validate(abs_dsa_soa, abs_dsa_soa_rrsig, abs_dsa_keys, None,
+                            when2)
+
+    def testAbsoluteDSABad(self):
+        def bad():
+            dns.dnssec.validate(abs_other_dsa_soa, abs_dsa_soa_rrsig,
+                                abs_dsa_keys, None, when2)
+        self.failUnlessRaises(dns.dnssec.ValidationFailure, bad)
+
+    def testMakeExampleSHA1DS(self):
+        ds = dns.dnssec.make_ds(abs_example, example_sep_key, 'SHA1')
+        self.failUnless(ds == example_ds_sha1)
+
+    def testMakeExampleSHA256DS(self):
+        ds = dns.dnssec.make_ds(abs_example, example_sep_key, 'SHA256')
+        self.failUnless(ds == example_ds_sha256)
+
 if __name__ == '__main__':
     import_ok = False
     try:
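Review bot: The new DSA cases cover only a signature checked against altered SOA data (`testAbsoluteDSABad`). Nothing exercises a validation time outside the RRSIG window (20101122112731 to 20101129143231) or a signature of the wrong length, both of which arrive in untrusted responses. A case that calls `dns.dnssec.validate(abs_dsa_soa, abs_dsa_soa_rrsig, abs_dsa_keys, None, when2 + 30 * 86400)` and expects a failure (presumably `ValidationFailure`) would pin the expiry path. The `__main__` block that starts at the end of this hunk continues outside the view; if it imports the Crypto submodules itself, the suite could pass even when the import in `dns/dnssec.py` is insufficient, so it is worth confirming that the tests rely only on what `dns.dnssec` imports. `self.failUnless(ds == example_ds_sha1)` would also give a more useful failure message as `self.assertEqual(ds, example_ds_sha1)`.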