From: Bob Halley <halley@dnspython.org>
Date: Sun, 19 Feb 2017 21:56:50 +0000 (-0800)
Subject: Raise a validation failure exception instead of asserting when an
X-Git-Tag: v1.16.0~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=22e9de1d7957e558ea8f89f24e402cbbc8d50646;p=thirdparty%2Fdnspython.git

Raise a validation failure exception instead of asserting when an
ECDSA point is invalid.
[Issue #237]
---

diff --git a/dns/dnssec.py b/dns/dnssec.py
index f316636a..b91a64fe 100644
--- a/dns/dnssec.py
+++ b/dns/dnssec.py
@@ -364,7 +364,8 @@ def _validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
             keyptr = candidate_key.key
             x = Crypto.Util.number.bytes_to_long(keyptr[0:key_len])
             y = Crypto.Util.number.bytes_to_long(keyptr[key_len:key_len * 2])
-            assert ecdsa.ecdsa.point_is_valid(curve.generator, x, y)
+            if not ecdsa.ecdsa.point_is_valid(curve.generator, x, y):
+                raise ValidationFailure('invalid ECDSA key')
             point = ecdsa.ellipticcurve.Point(curve.curve, x, y, curve.order)
             verifying_key = ecdsa.keys.VerifyingKey.from_public_point(point,
                                                                       curve)