Be more explicit about catching parser extensions for DNSSEC keys, ad…

…d test with invalid binary data
badkeys · Feb 1, 2025 · 8be5be8 · 8be5be8
1 parent cc8b4ed
commit 8be5be8
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/keyfinder.py b/keyfinder.py
@@ -125,10 +125,14 @@ def getdnsseckey(kstr):
                                byteorder="big")
             d = int.from_bytes(base64.b64decode(kdata["PrivateExponent"]),
                                byteorder="big")
-            key = makersa(n, e, d)
-        except (ValueError, binascii.Error):
-            # ValueError caused by invalid RSA values
+        except (binascii.Error, ValueError):
             # binascii.Error caused by invalid base64
+            # ValueError caused by non-ASCII characters
+            return False
+        try:
+            key = makersa(n, e, d)
+        except ValueError:
+            # caused by invalid RSA values
             return False
         return key
 

diff --git a/tests/data/invalid/dnssec-binarygarbage.key b/tests/data/invalid/dnssec-binarygarbage.key
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm:       8 (RSASHA256)
+Modulus:         �ի�%���
+PublicExponent:  AQAB
+PrivateExponent: dcHZAQ==
+Prime1:          4c8IvFu1AVXGWeFLLFh5vs7fbdzdC6U82fduE6KkSWk=
+Prime2:          2zZpBE8ZXVnL74QjG4zINlDfH+EOEtjJJ3RtaYDugvE=
+Exponent1:       G2xAPFfK0KGxGANDVNxd1K1c9wOmmJ51mGbzKFFNMFk=
+Exponent2:       GYxP1Pa7CAwtHm8SAGX594qZVofOMhgd6YFCNyeVpKE=
+Coefficient:     icQdNRjlZGPmuJm2TIadubcO8X7V4y07aVhX464tx8Q=