
Gracefulness to leading zeroes appropriate ? #448

Closed
ralfhauser opened this issue Jan 22, 2019 · 1 comment

Comments

@ralfhauser

From: Ingo Bauersachs notifications@github.com
Sent: Tuesday, 22 January 2019 15:43
To: ibauersachs/dnssecjava dnssecjava@noreply.github.com
Cc: ralfhauser hauser@acm.org; Author author@noreply.github.com
Subject: Re: [ibauersachs/dnssecjava] error "Did not match a DS to a DNSKEY" for MX lookup of non-dnssec domain bger.ch (#14)

No, sorry, copy/paste. Seems like Switch generated a signature that has a leading 0, which Java since 1.8.121 rejects. See https://stackoverflow.com/a/40343731/1544715 for details (they talk about RSA but it applies to ECDSA as well). Not sure yet where to satisfy Java's (or BouncyCastle's) stupidity.
java.io.IOException: Invalid encoding: redundant leading 0s
at java.base/sun.security.util.DerInputBuffer.getBigInteger(DerInputBuffer.java:161)
at java.base/sun.security.util.DerValue.getPositiveBigInteger(DerValue.java:558)
at jdk.crypto.ec/sun.security.ec.ECDSASignature.decodeSignature(ECDSASignature.java:491)
at jdk.crypto.ec/sun.security.ec.ECDSASignature.engineVerify(ECDSASignature.java:412)
at java.base/java.security.Signature$Delegate.engineVerify(Signature.java:1247)
at java.base/java.security.Signature.verify(Signature.java:675)
at org.xbill.DNS.DNSSEC.verify(DNSSEC.java:892)
at org.xbill.DNS.DNSSEC.verify(DNSSEC.java:934)
at org.jitsi.dnssec.validator.DnsSecVerifier.verify(DnsSecVerifier.java:198)
at org.jitsi.dnssec.validator.ValUtils.verifyNewDNSKEYs(ValUtils.java:232)
at org.jitsi.dnssec.validator.ValidatingResolver.processDNSKEYResponse(ValidatingResolver.java:982)
at org.jitsi.dnssec.validator.ValidatingResolver.processFindKey(ValidatingResolver.java:779)
at org.jitsi.dnssec.validator.ValidatingResolver.processDSResponse(ValidatingResolver.java:967)
at org.jitsi.dnssec.validator.ValidatingResolver.processFindKey(ValidatingResolver.java:772)
at org.jitsi.dnssec.validator.ValidatingResolver.processDNSKEYResponse(ValidatingResolver.java:994)
at org.jitsi.dnssec.validator.ValidatingResolver.processFindKey(ValidatingResolver.java:779)
at org.jitsi.dnssec.validator.ValidatingResolver.prepareFindKey(ValidatingResolver.java:715)
at org.jitsi.dnssec.validator.ValidatingResolver.validateAnswerAndGetWildcards(ValidatingResolver.java:390)
at org.jitsi.dnssec.validator.ValidatingResolver.validatePositiveResponse(ValidatingResolver.java:257)
at org.jitsi.dnssec.validator.ValidatingResolver.processValidate(ValidatingResolver.java:1047)
at org.jitsi.dnssec.validator.ValidatingResolver.send(ValidatingResolver.java:1236)
at org.jitsi.dnssec.Example.sendAndPrint(Example.java:37)
at org.jitsi.dnssec.Example.main(Example.java:31)


@bcgit
Collaborator

bcgit commented Jan 24, 2019

If you set "org.bouncycastle.asn1.allow_unsafe_integer" to true this will work for BC. It really would be better if people encoded their ASN.1 integers correctly though - regardless of BER/CER/DER there is only one way to encode an ASN.1 integer.

@bcgit bcgit closed this as completed Jan 24, 2019
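bcgit's point above, that an ASN.1 INTEGER has exactly one valid encoding, as an added example (not code from the BouncyCastle or dnssecjava projects): a minimal DER INTEGER encoder beside a strict decoder that rejects the redundant leading 0x00 the JDK stack trace complains about, exercised on a constructed SEQUENCE { r, s } signature. The strict/lenient switch is an assumption standing in for the effect of org.bouncycastle.asn1.allow_unsafe_integer, not BC's actual code path.

```python
def decode_der_integer(buf: bytes, pos: int = 0, strict: bool = True):
    """Parse one short-form DER INTEGER at buf[pos:]; return (value, next_pos).
    strict=True is the JDK's minimal-encoding check; strict=False tolerates the
    redundant byte, roughly what BC does with allow_unsafe_integer set (assumed)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length = buf[pos + 1]
    if length == 0 or length & 0x80:
        raise ValueError("zero or long-form length not handled in this example")
    content = buf[pos + 2 : pos + 2 + length]
    if len(content) != length:
        raise ValueError("truncated INTEGER")
    if strict and length > 1:
        # A leading 0x00 is legal only if the next byte's high bit is set (it is
        # what keeps the value positive); the mirror rule applies to 0xFF.
        if content[0] == 0x00 and not content[1] & 0x80:
            raise ValueError("Invalid encoding: redundant leading 0s")
        if content[0] == 0xFF and content[1] & 0x80:
            raise ValueError("Invalid encoding: redundant leading 0xFF")
    return int.from_bytes(content, "big", signed=True), pos + 2 + length

def encode_der_integer(value: int) -> bytes:
    """The one valid encoding: shortest two's complement that preserves the sign."""
    n = ((value if value >= 0 else -value - 1).bit_length() + 8) // 8  # +1 sign bit
    return bytes([0x02, n]) + value.to_bytes(n, "big", signed=True)

def build_signature(r: int, s: int, pad_r: bool = False) -> bytes:
    # Constructed input: SEQUENCE { r, s }; pad_r prepends a redundant 0x00 to r.
    r_enc = encode_der_integer(r)
    if pad_r:
        r_enc = bytes([0x02, r_enc[1] + 1, 0x00]) + r_enc[2:]
    body = r_enc + encode_der_integer(s)
    return bytes([0x30, len(body)]) + body

def decode_ecdsa_signature(sig: bytes, strict: bool = True):
    """Parse the SEQUENCE { r INTEGER, s INTEGER } a JCA Signature.verify consumes."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("expected a short-form SEQUENCE spanning the signature")
    r, pos = decode_der_integer(sig, 2, strict)
    s, pos = decode_der_integer(sig, pos, strict)
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return r, s

def is_strict_der(sig: bytes) -> bool:
    try:
        decode_ecdsa_signature(sig, strict=True)
        return True
    except ValueError:
        return False
```

Running is_strict_der over signatures before handing them to Signature.verify tells you whether you are looking at a producer-side encoding bug rather than a bad signature.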