No, sorry, copy/paste. Seems like Switch generated a signature that has a leading 0, which Java since 1.8.121 rejects. See https://stackoverflow.com/a/40343731/1544715 for details (they talk about RSA but it applies to ECDSA as well). Not sure yet where to satisfy Java's (or BouncyCastle's) stupidity.
java.io.IOException: Invalid encoding: redundant leading 0s
at java.base/sun.security.util.DerInputBuffer.getBigInteger(DerInputBuffer.java:161)
at java.base/sun.security.util.DerValue.getPositiveBigInteger(DerValue.java:558)
at jdk.crypto.ec/sun.security.ec.ECDSASignature.decodeSignature(ECDSASignature.java:491)
at jdk.crypto.ec/sun.security.ec.ECDSASignature.engineVerify(ECDSASignature.java:412)
at java.base/java.security.Signature$Delegate.engineVerify(Signature.java:1247)
at java.base/java.security.Signature.verify(Signature.java:675)
at org.xbill.DNS.DNSSEC.verify(DNSSEC.java:892)
at org.xbill.DNS.DNSSEC.verify(DNSSEC.java:934)
at org.jitsi.dnssec.validator.DnsSecVerifier.verify(DnsSecVerifier.java:198)
at org.jitsi.dnssec.validator.ValUtils.verifyNewDNSKEYs(ValUtils.java:232)
at org.jitsi.dnssec.validator.ValidatingResolver.processDNSKEYResponse(ValidatingResolver.java:982)
at org.jitsi.dnssec.validator.ValidatingResolver.processFindKey(ValidatingResolver.java:779)
at org.jitsi.dnssec.validator.ValidatingResolver.processDSResponse(ValidatingResolver.java:967)
at org.jitsi.dnssec.validator.ValidatingResolver.processFindKey(ValidatingResolver.java:772)
at org.jitsi.dnssec.validator.ValidatingResolver.processDNSKEYResponse(ValidatingResolver.java:994)
at org.jitsi.dnssec.validator.ValidatingResolver.processFindKey(ValidatingResolver.java:779)
at org.jitsi.dnssec.validator.ValidatingResolver.prepareFindKey(ValidatingResolver.java:715)
at org.jitsi.dnssec.validator.ValidatingResolver.validateAnswerAndGetWildcards(ValidatingResolver.java:390)
at org.jitsi.dnssec.validator.ValidatingResolver.validatePositiveResponse(ValidatingResolver.java:257)
at org.jitsi.dnssec.validator.ValidatingResolver.processValidate(ValidatingResolver.java:1047)
at org.jitsi.dnssec.validator.ValidatingResolver.send(ValidatingResolver.java:1236)
at org.jitsi.dnssec.Example.sendAndPrint(Example.java:37)
at org.jitsi.dnssec.Example.main(Example.java:31)
If you set "org.bouncycastle.asn1.allow_unsafe_integer" to true this will work for BC. It really would be better if people encoded their ASN.1 integers correctly though - regardless of BER/CER/DER there is only one way to encode an ASN.1 integer.
From: Ingo Bauersachs notifications@github.com
Sent: Tuesday, 22 January 2019 15:43
To: ibauersachs/dnssecjava dnssecjava@noreply.github.com
Cc: ralfhauser hauser@acm.org; Author author@noreply.github.com
Subject: Re: [ibauersachs/dnssecjava] error "Did not match a DS to a DNSKEY" for MX lookup of non-dnssec domain bger.ch (#14)
No, sorry, copy/paste. Seems like Switch generated a signature that has a leading 0, which Java since 1.8.121 rejects. See https://stackoverflow.com/a/40343731/1544715 for details (they talk about RSA but it applies to ECDSA as well). Not sure yet where to satisfy Java's (or BouncyCastle's) stupidity.
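The encoding rule discussed in this thread, as an added example that is not code from dnssecjava, dnsjava or BouncyCastle: it assumes the DER signature is built from a fixed-width r||s value (the DNSSEC ECDSA layout) and compares a fixed-width conversion with a minimal one. The class and method names are hypothetical and the sample bytes are constructed, not a real signature.

```java
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.util.Arrays;

public class EcdsaDerEncoding {
    // Fixed-width copy that only pads when the top bit is set; a zero top
    // byte in r or s survives as a redundant leading 0x00.
    static byte[] naiveInteger(byte[] fixed) {
        int pad = (fixed[0] & 0x80) != 0 ? 1 : 0;
        byte[] v = new byte[pad + fixed.length];
        System.arraycopy(fixed, 0, v, pad, fixed.length);
        return v;
    }

    // Wrap r and s as SEQUENCE { INTEGER r, INTEGER s }. Short-form lengths
    // suffice for P-256 and P-384 (total content stays below 128 bytes).
    static byte[] toDer(byte[] raw, boolean minimal) {
        int n = raw.length / 2;
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        for (int i = 0; i < 2; i++) {
            byte[] part = Arrays.copyOfRange(raw, i * n, (i + 1) * n);
            // BigInteger.toByteArray() yields the shortest two's-complement
            // form: a 0x00 octet appears only when the sign bit requires it.
            byte[] v = minimal ? new BigInteger(1, part).toByteArray() : naiveInteger(part);
            body.write(0x02);
            body.write(v.length);
            body.write(v, 0, v.length);
        }
        ByteArrayOutputStream der = new ByteArrayOutputStream();
        der.write(0x30);
        der.write(body.size());
        der.write(body.toByteArray(), 0, body.size());
        return der.toByteArray();
    }

    // The DER rule behind "redundant leading 0s": a 0x00 first octet is only
    // allowed when the next octet has its top bit set.
    static boolean hasRedundantZero(byte[] der, int intOffset) {
        int len = der[intOffset + 1] & 0xff;
        return len > 1 && der[intOffset + 2] == 0 && (der[intOffset + 3] & 0x80) == 0;
    }

    public static void main(String[] args) {
        byte[] raw = new byte[64];        // constructed P-256 r||s, not a real signature
        Arrays.fill(raw, (byte) 0x5a);
        raw[0] = 0x00;                    // r happens to start with a zero byte
        System.out.println("naive   redundant: " + hasRedundantZero(toDer(raw, false), 2));
        System.out.println("minimal redundant: " + hasRedundantZero(toDer(raw, true), 2));
    }
}
```

Roughly one signature in 256 has an r or s whose top byte is zero, so a fixed-width conversion fails only intermittently under a strict DER parser.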