Ignore unknown service types in key records (LP: #1847020)

2019-10-07 08:34:05 -04:00
parent d1801bb3d5
commit 6db388df39
5 changed files with 20 additions and 3 deletions
@@ -453,6 +453,16 @@ def load_pk_from_dns(name, dnsfunc=get_txt):
      ktag = b'rsa'
  if pub[b'k'] != b'rsa' and pub[b'k'] != b'ed25519':
      raise KeyFormatError('unknown algorithm in k= tag: {0}'.format(pub[b'k']))
+  try:
+      # Ignore unknown service types, RFC 6376 3.6.1
+      if pub[b's'] != b'*' and pub[b's'] != b'email':
+          pk = None
+          keysize = None
+          ktag = None
+          raise KeyFormatError('unknown service type in s= tag: {0}'.format(pub[b's']))
+  except:
+      # Default is '*' - all service types, so no error if missing from key record
+      pass
  return pk, keysize, ktag


@@ -64,7 +64,7 @@ class TestSignAndVerify(unittest.TestCase):

    def dnsfunc(self, domain):
        sample_dns = """\
-k=rsa; \
+k=rsa; s=email;\
 p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANmBe10IgY+u7h3enWTukkqtUD5PR52T\
 b/mPfjC0QJTocVBq6Za/PlzfV+Py92VaCak19F4WrbVTK5Gg5tW220MCAwEAAQ=="""