
Add support for DNSSEC alg 15 using libnacl

Addresses part of #28.  Thanks @pieterlexis.
cdeccio committed Jan 4, 2018
1 parent fcb17c1 commit fd2e63794a85d89120a4c51283e36d6c3516b634
Showing with 30 additions and 1 deletion.
  1. +5 −0 README.md
  2. +17 −0 dnsviz/crypto.py
  3. +2 −1 dnsviz/format.py
  4. +4 −0 dnsviz/response.py
  5. +2 −0 share/js/dnsviz.js
@@ -51,6 +51,11 @@ powers the Web-based analysis available at http://dnsviz.net/
$ patch -p1 < /path/to/dnsviz-source/contrib/m2crypto-pre0.23.patch
```
* (optional) libnacl - https://github.com/saltstack/libnacl
libnacl is necessary to validate DNSSEC signatures with algorithm 15
(Ed25519).
* (optional) ISC BIND - https://www.isc.org/downloads/bind/
When calling `dnsviz probe` if the `-N` option is used or if a zone file is
@@ -51,6 +51,7 @@
_crypto_sources = {
'M2Crypto >= 0.21.1': (set([1,5,7,8,10]), set([1,2,4]), set([1])),
'M2Crypto >= 0.24.0': (set([3,6,12,13,14]), set([3]), set()),
'libnacl': (set([15]), set([3]), set()),
}
_logged_modules = set()
@@ -66,6 +67,13 @@
_supported_nsec3_algs = set([1])
try:
from libnacl.sign import Verifier as ed25519Verifier
except ImportError:
pass
else:
_supported_algs.add(15)
GOST_PREFIX = b'\x30\x63\x30\x1c\x06\x06\x2a\x85\x03\x02\x02\x13\x30\x12\x06\x07\x2a\x85\x03\x02\x02\x23\x01\x06\x07\x2a\x85\x03\x02\x02\x1e\x01\x03\x43\x00\x04\x40'
GOST_DIGEST_NAME = b'GOST R 34.11-94'
@@ -356,6 +364,13 @@ def _validate_rrsig_ec(alg, sig, msg, key):
return pubkey.verify_dsa(digest, r, s) == 1
def _validate_rrsig_ed25519(alg, sig, msg, key):
try:
verifier = ed25519Verifier(binascii.hexlify(key))
return verifier.verify(sig + msg) == msg
except ValueError:
return False
def validate_rrsig(alg, sig, msg, key):
if not alg_is_supported(alg):
_log_unsupported_alg(alg, ALG_TYPE_DNSSEC)
@@ -370,6 +385,8 @@ def validate_rrsig(alg, sig, msg, key):
return _validate_rrsig_gost(alg, sig, msg, key)
elif alg in (13,14):
return _validate_rrsig_ec(alg, sig, msg, key)
elif alg in (15,):
return _validate_rrsig_ed25519(alg, sig, msg, key)
def get_digest_for_nsec3(val, salt, alg, iterations):
if not nsec3_alg_is_supported(alg):
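Review bot: The new `_crypto_sources` row in the first hunk, `'libnacl': (set([15]), set([3]), set())`, lists digest type 3 as something libnacl provides, but judging from the sibling rows the middle member is the set of DS digest types a module supplies (1, 2, 4 for M2Crypto >= 0.21.1 and 3, the GOST digest, for M2Crypto >= 0.24.0), and libnacl does not implement GOST R 34.11-94; the commit's own README text says it is needed only for algorithm 15. Presumably this table drives the "install module X" hint emitted for unsupported algorithms, so as written a user lacking GOST support would apparently be pointed at libnacl. Unless libnacl is meant to cover digest 3 here, the row should be `'libnacl': (set([15]), set(), set()),`. Separately, `_validate_rrsig_ed25519` in the third hunk would read better with a one-line comment on the verify call, e.g. `# libnacl expects the 64-octet signature prepended to the message and raises ValueError on failure`, since the `sig + msg` ordering is the whole correctness of the check.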
@@ -38,7 +38,8 @@
DNSKEY_FLAGS = {'ZONE': 0x0100, 'SEP': 0x0001, 'revoke': 0x0080}
DNSKEY_PROTOCOLS = { 3: 'DNSSEC' }
DNSKEY_ALGORITHMS = { 1: 'RSA/MD5', 2: 'Diffie-Hellman', 3: 'DSA/SHA1', 5: 'RSA/SHA-1', 6: 'DSA-NSEC3-SHA1', 7: 'RSASHA1-NSEC3-SHA1', \
8: 'RSA/SHA-256', 10: 'RSA/SHA-512', 12: 'GOST R 34.10-2001', 13: 'ECDSA Curve P-256 with SHA-256', 14: 'ECDSA Curve P-384 with SHA-384' }
8: 'RSA/SHA-256', 10: 'RSA/SHA-512', 12: 'GOST R 34.10-2001', 13: 'ECDSA Curve P-256 with SHA-256', 14: 'ECDSA Curve P-384 with SHA-384',
15: 'Ed25519', 16: 'Ed448' }
DS_DIGEST_TYPES = { 1: 'SHA-1', 2: 'SHA-256', 3: 'GOST 34.11-94', 4: 'SHA-384' }
NSEC3_FLAGS = {'OPTOUT': 0x01}
@@ -731,6 +731,10 @@ def calc_key_len(cls, rdata):
elif rdata.algorithm in (13,14):
return len(key_str)<<3
# EDDSA keys
elif rdata.algorithm in (15,16):
return len(key_str)<<3
# other keys - just guess, based on the length of the raw key material
else:
return len(key_str)<<3
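Review bot: The new `elif rdata.algorithm in (15,16)` branch returns `len(key_str)<<3`, which is byte-for-byte what the ECDSA branch above it and the fallback `else` below it already return, so it adds nothing beyond the `# EDDSA keys` comment. If the intent is to document that EdDSA keys are fixed-length raw encodings rather than guessed, either fold it into the ECDSA branch as `elif rdata.algorithm in (13,14,15,16):` with a comment such as `# ECDSA and EdDSA: the RDATA is the raw public key (32 octets for Ed25519, 57 for Ed448 per RFC 8080)`, or keep the separate branch but say why it is distinct from the fallback. `calc_key_len` starts outside the hunk, so I cannot see whether other branches already rely on this pattern.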
@@ -55,6 +55,8 @@ function AuthGraph(anchorElement, maxPaperWidth, imageScale) {
12: 'GOST R 34.10-2001',
13: 'ECDSA Curve P-256 with SHA-256',
14: 'ECDSA Curve P-384 with SHA-384',
15: 'Ed25519',
16: 'Ed448',
}
this._digest_algorithms = {
1: 'SHA-1',
