fix bugs with ecdsa/dnssec
This commit is contained in:
parent
58d131d7dd
commit
2ec19e7528
|
@ -60,8 +60,12 @@ Pure-Python version of dns.dnssec._validate_rsig
|
||||||
Uses tlslite instead of PyCrypto
|
Uses tlslite instead of PyCrypto
|
||||||
"""
|
"""
|
||||||
def python_validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
|
def python_validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
|
||||||
from dns.dnssec import ValidationFailure, ECKeyWrapper, ECDSAP256SHA256, ECDSAP384SHA384
|
from dns.dnssec import ValidationFailure, ECDSAP256SHA256, ECDSAP384SHA384
|
||||||
from dns.dnssec import _find_candidate_keys, _make_hash, _is_rsa, _to_rdata, _make_algorithm_id
|
from dns.dnssec import _find_candidate_keys, _make_hash, _is_ecdsa, _is_rsa, _to_rdata, _make_algorithm_id
|
||||||
|
|
||||||
|
import ecdsa
|
||||||
|
from tlslite.utils.keyfactory import _createPublicRSAKey
|
||||||
|
from tlslite.utils.cryptomath import bytesToNumber
|
||||||
|
|
||||||
if isinstance(origin, (str, unicode)):
|
if isinstance(origin, (str, unicode)):
|
||||||
origin = dns.name.from_text(origin, dns.name.root)
|
origin = dns.name.from_text(origin, dns.name.root)
|
||||||
|
@ -89,8 +93,6 @@ def python_validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
|
||||||
hash = _make_hash(rrsig.algorithm)
|
hash = _make_hash(rrsig.algorithm)
|
||||||
|
|
||||||
if _is_rsa(rrsig.algorithm):
|
if _is_rsa(rrsig.algorithm):
|
||||||
from tlslite.utils.keyfactory import _createPublicRSAKey
|
|
||||||
from tlslite.utils.cryptomath import bytesToNumber
|
|
||||||
keyptr = candidate_key.key
|
keyptr = candidate_key.key
|
||||||
(bytes,) = struct.unpack('!B', keyptr[0:1])
|
(bytes,) = struct.unpack('!B', keyptr[0:1])
|
||||||
keyptr = keyptr[1:]
|
keyptr = keyptr[1:]
|
||||||
|
@ -121,9 +123,7 @@ def python_validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
|
||||||
y = ecdsa.util.string_to_number(keyptr[key_len:key_len * 2])
|
y = ecdsa.util.string_to_number(keyptr[key_len:key_len * 2])
|
||||||
assert ecdsa.ecdsa.point_is_valid(curve.generator, x, y)
|
assert ecdsa.ecdsa.point_is_valid(curve.generator, x, y)
|
||||||
point = ecdsa.ellipticcurve.Point(curve.curve, x, y, curve.order)
|
point = ecdsa.ellipticcurve.Point(curve.curve, x, y, curve.order)
|
||||||
verifying_key = ecdsa.keys.VerifyingKey.from_public_point(point,
|
verifying_key = ecdsa.keys.VerifyingKey.from_public_point(point, curve)
|
||||||
curve)
|
|
||||||
pubkey = ECKeyWrapper(verifying_key, key_len)
|
|
||||||
r = rrsig.signature[:key_len]
|
r = rrsig.signature[:key_len]
|
||||||
s = rrsig.signature[key_len:]
|
s = rrsig.signature[key_len:]
|
||||||
sig = ecdsa.ecdsa.Signature(ecdsa.util.string_to_number(r),
|
sig = ecdsa.ecdsa.Signature(ecdsa.util.string_to_number(r),
|
||||||
|
@ -158,7 +158,8 @@ def python_validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
|
||||||
return
|
return
|
||||||
|
|
||||||
elif _is_ecdsa(rrsig.algorithm):
|
elif _is_ecdsa(rrsig.algorithm):
|
||||||
if pubkey.verify(digest, sig):
|
diglong = ecdsa.util.string_to_number(digest)
|
||||||
|
if verifying_key.pubkey.verifies(diglong, sig):
|
||||||
return
|
return
|
||||||
|
|
||||||
else:
|
else:
|
||||||
|
|
Loading…
Reference in New Issue