Raise a validation failure exception instead of asserting when an

author Bob Halley <halley@dnspython.org>

Sun, 19 Feb 2017 21:56:50 +0000 (13:56 -0800)

committer Bob Halley <halley@dnspython.org>

Sun, 19 Feb 2017 21:56:50 +0000 (13:56 -0800)
author Bob Halley <halley@dnspython.org>
Sun, 19 Feb 2017 21:56:50 +0000 (13:56 -0800)
committer Bob Halley <halley@dnspython.org>
Sun, 19 Feb 2017 21:56:50 +0000 (13:56 -0800)
diff --git a/dns/dnssec.py b/dns/dnssec.py

index f316636affac768a9969128a2af820e807c968de..b91a64fed29155de6030d40aeb07ee88c49def52 100644 (file)
--- a/dns/dnssec.py
+++ b/dns/dnssec.py
@@ -364,7 +364,8 @@ def _validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
              keyptr = candidate_key.key
              x = Crypto.Util.number.bytes_to_long(keyptr[0:key_len])
              y = Crypto.Util.number.bytes_to_long(keyptr[key_len:key_len * 2])
-            assert ecdsa.ecdsa.point_is_valid(curve.generator, x, y)
+            if not ecdsa.ecdsa.point_is_valid(curve.generator, x, y):
+                raise ValidationFailure('invalid ECDSA key')
              point = ecdsa.ellipticcurve.Point(curve.curve, x, y, curve.order)
              verifying_key = ecdsa.keys.VerifyingKey.from_public_point(point,
                                                                        curve)
author	Bob Halley <halley@dnspython.org>
	Sun, 19 Feb 2017 21:56:50 +0000 (13:56 -0800)
committer	Bob Halley <halley@dnspython.org>
	Sun, 19 Feb 2017 21:56:50 +0000 (13:56 -0800)