policy.py revision f6096b958c8b58c4709860d7c4dcdde5deeacb7a
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt############################################################################
45c5f403619029a363cf089e0a4b1bb44425dd84Tinderbox User# Copyright (C) 2013-2015 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews# Permission to use, copy, modify, and/or distribute this software for any
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews# purpose with or without fee is hereby granted, provided that the above
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews# copyright notice and this permission notice appear in all copies.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2f4561bc9cd5e5cdc58e29e600303c812f6902eeAutomatic Updater# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# PERFORMANCE OF THIS SOFTWARE.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt############################################################################
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# This module implements the parser for the dnssec.policy file.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt############################################################################
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Huntfrom string import *
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt############################################################################
39f2d1a96a7c7494b1db0ea0f45e063a6a5ef9bbEvan Hunt# PolicyLex: a lexer for the policy file syntax.
# NOTE(review): the ALGNAME token pattern below spells ECDSAP256SHA256 as
# "ECDSAP256SHA245" (the Policy key-size table repeats the same misspelling),
# so a policy that names the correctly spelled algorithm is not recognized by
# this token; both spellings should be corrected together.
99f6179191e583d23f3c5567d3c00b57b64eb52dEvan Hunt############################################################################
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt 'ALGORITHM_POLICY',
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt 'ALGORITHM',
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt 'DIRECTORY',
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt 'ROLL_PERIOD',
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt 'PRE_PUBLISH',
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt 'POST_PUBLISH',
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt r'/\*(.|\n)*?\*/'
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt r'(?i)(?<=[0-9 \t])(y(?:ears|ear|ea|e)?|mo(?:nths|nth|nt|n)?|w(?:eeks|eek|ee|e)?|d(?:ays|ay|a)?|h(?:ours|our|ou|o)?|mi(?:nutes|nute|nut|nu|n)?|s(?:econds|econd|econ|eco|ec|e)?)\b'
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt t.value = re.match(r'(?i)(y|mo|w|d|h|mi|s)([a-z]*)', t.value).group(1).lower()
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt r'(?i)\b(KSK|ZSK)\b'
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA245|ECDSAP384SHA384)\b'
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt r'[A-Za-z._-][\w._-]*'
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt r'"([^"\n]|(\\"))*"'
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt t.type = self.reserved_map.get(t.value, "QSTRING")
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt self.reserved_map[r.lower().translate(maketrans('_', '-'))] = r
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt############################################################################
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt# Policy: this object holds a set of DNSSEC policy settings.
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt############################################################################
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt 'ECCGOST': None,
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt 'ECDSAP256SHA245': None,
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt 'ECDSAP384SHA384': None}
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt def __init__(self, name=None, algorithm=None, parent=None):
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt return ("%spolicy %s:\n"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt "\tinherits %s\n"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt "\tdirectory %s\n"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt "\talgorithm %s\n"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt "\tcoverage %s\n"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt "\tksk_keysize %s\n"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt "\tzsk_keysize %s\n"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt "\tksk_rollperiod %s\n"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt "\tzsk_rollperiod %s\n"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt "\tksk_prepublish %s\n"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt "\tksk_postpublish %s\n"
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews "\tzsk_prepublish %s\n"
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews "\tzsk_postpublish %s\n"
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews "\tksk_standby %s\n"
5ae2eac4c16bdbbef032544bd9fc86f47e7bdc2cMark Andrews "\tzsk_standby %s\n"
2c089bf6d24936de631a57b4958ba6b8b5e3b23dMark Andrews "\tkeyttl %s\n"
e11a0c114cdaf8f7e7832e9f1a011138248093a6Evan Hunt self.directory and ('"' + str(self.directory) + '"') or 'None',
75b8de87879ad017c9cd2ffc328e5d2391d16e99Evan Hunt self.ksk_keysize and str(self.ksk_keysize) or 'None',
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt self.zsk_keysize and str(self.zsk_keysize) or 'None',
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt self.ksk_rollperiod and str(self.ksk_rollperiod) or 'None',
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt self.zsk_rollperiod and str(self.zsk_rollperiod) or 'None',
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt self.ksk_prepublish and str(self.ksk_prepublish) or 'None',
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt self.ksk_postpublish and str(self.ksk_postpublish) or 'None',
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt self.zsk_prepublish and str(self.zsk_prepublish) or 'None',
bbedadf76ab670b01887fb9b41097120ea4fdf14Evan Hunt self.zsk_postpublish and str(self.zsk_postpublish) or 'None',
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt self.ksk_standby and str(self.ksk_standby) or 'None',
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt self.zsk_standby and str(self.zsk_standby) or 'None',
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt return (size_range[0] <= key_size <= size_range[1])
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt """ Check if the values in the policy make sense
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt :return: True/False if the policy passes validation
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt ('KSK pre-publish period (%d) exceeds rollover period %d'
319b8a14881a95996af3a9ba4a20f144eb766b31Evan Hunt ('KSK post-publish period (%d) exceeds rollover period %d'
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Hunt ('ZSK pre-publish period (%d) exceeds rollover period %d'
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Hunt ('ZSK post-publish period (%d) exceeds rollover period %d'
b47c020d5c635b662ac57e5485d266fd62c796c0Evan Hunt self.ksk_prepublish and self.ksk_postpublish and \
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews self.ksk_prepublish + self.ksk_postpublish >= self.ksk_rollperiod:
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews (('KSK pre/post-publish periods (%d/%d) ' +
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews 'combined exceed rollover period %d') %
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews self.zsk_prepublish and self.zsk_postpublish and \
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews self.zsk_prepublish + self.zsk_postpublish >= self.zsk_rollperiod:
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews (('ZSK pre/post-publish periods (%d/%d) ' +
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews 'combined exceed rollover period %d') %
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews # Validate the key size
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews key_sz_range = self.valid_key_sz_per_algo.get(self.algorithm)
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews if key_sz_range is not None:
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews # Verify KSK
0d6328ce5f6b799f8e7c6cbbb3b965cf29bfb7baMark Andrews if not self.__verify_size(self.ksk_keysize, key_sz_range):
677f507de7c546c187c1505c48bc7b440545485cMark Andrews return False, 'KSK key size %d outside valid range %s' \
677f507de7c546c187c1505c48bc7b440545485cMark Andrews # Verify ZSK
677f507de7c546c187c1505c48bc7b440545485cMark Andrews if not self.__verify_size(self.zsk_keysize, key_sz_range):
677f507de7c546c187c1505c48bc7b440545485cMark Andrews return False, 'ZSK key size %d outside valid range %s' \
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews # Specific check for DSA keys
e01ef6f01c7e8f80122cd80a2e011425a0135489Mark Andrews ('KSK key size %d not divisible by 64 ' +
return False, \
class dnssec_policy:
alg_policy = {}
named_policy = {}
zone_policy = {}
current = None
filename = None
p = Policy()
p.algorithm = None
if filename:
if p.algorithm is None:
if p.directory is None:
if p.coverage is None:
if p.ksk_keysize is None:
if p.zsk_keysize is None:
if p.ksk_rollperiod is None:
if p.zsk_rollperiod is None:
if p.ksk_prepublish is None:
if p.zsk_prepublish is None:
if p.ksk_postpublish is None:
if p.zsk_postpublish is None:
if not valid:
import sys
except Exception as e: