From 22e9de1d7957e558ea8f89f24e402cbbc8d50646 Mon Sep 17 00:00:00 2001
From: Bob Halley <halley@dnspython.org>
Date: Sun, 19 Feb 2017 13:56:50 -0800
Subject: [PATCH] Raise a validation failure exception instead of asserting
 when an ECDSA point is invalid. [Issue #237]

---
 dns/dnssec.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/dnssec.py b/dns/dnssec.py
index f316636a..b91a64fe 100644
--- a/dns/dnssec.py
+++ b/dns/dnssec.py
@@ -364,7 +364,8 @@ def _validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
             keyptr = candidate_key.key
             x = Crypto.Util.number.bytes_to_long(keyptr[0:key_len])
             y = Crypto.Util.number.bytes_to_long(keyptr[key_len:key_len * 2])
-            assert ecdsa.ecdsa.point_is_valid(curve.generator, x, y)
+            if not ecdsa.ecdsa.point_is_valid(curve.generator, x, y):
+                raise ValidationFailure('invalid ECDSA key')
             point = ecdsa.ellipticcurve.Point(curve.curve, x, y, curve.order)
             verifying_key = ecdsa.keys.VerifyingKey.from_public_point(point,
                                                                       curve)
-- 
2.47.3