From 171594a92de4f9d594ad288c4cf6a04453c6726a Mon Sep 17 00:00:00 2001
From: Peter van Dijk <peter.van.dijk@powerdns.com>
Date: Tue, 28 Feb 2017 12:18:34 +0100
Subject: [PATCH 1/3] fix leading zero padding in ECDSA sig conversion

---
 src/com/verisignlabs/dnssec/security/SignUtils.java | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/com/verisignlabs/dnssec/security/SignUtils.java b/src/com/verisignlabs/dnssec/security/SignUtils.java
index 9fbb1e5..5ef1923 100644
--- a/src/com/verisignlabs/dnssec/security/SignUtils.java
+++ b/src/com/verisignlabs/dnssec/security/SignUtils.java
@@ -526,6 +526,15 @@ public class SignUtils
     s_src_pos = (byte) (r_src_pos + r_src_len); s_pad = 0;
     len = (byte) (6 + r_src_len + s_src_len);
 
+    // leading zeroes are forbidden
+    if (signature[r_src_pos] == 0) {
+       r_src_pos++; r_src_len--; len--;
+    }
+    if (signature[s_src_pos] == 0) {
+       s_src_pos++; s_src_len--; len--;
+    }
+
+    // except when they are mandatory
     if (signature[r_src_pos] < 0) {
         r_pad = 1; len++;
     }

From ca2a9324858b6b5a87fde8ce8a5fb2365c85db35 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Thu, 22 Jun 2017 13:21:54 +0200
Subject: [PATCH 2/3] fix multiple leading zeros padding in ECDSA sig
 conversion

---
 .../verisignlabs/dnssec/security/SignUtils.java    | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/com/verisignlabs/dnssec/security/SignUtils.java b/src/com/verisignlabs/dnssec/security/SignUtils.java
index 5ef1923..35be19d 100644
--- a/src/com/verisignlabs/dnssec/security/SignUtils.java
+++ b/src/com/verisignlabs/dnssec/security/SignUtils.java
@@ -527,18 +527,18 @@ public class SignUtils
     len = (byte) (6 + r_src_len + s_src_len);
 
     // leading zeroes are forbidden
-    if (signature[r_src_pos] == 0) {
-       r_src_pos++; r_src_len--; len--;
+    while (signature[r_src_pos] == 0 && r_src_len > 0) {
+      r_src_pos++; r_src_len--; len--;
     }
-    if (signature[s_src_pos] == 0) {
-       s_src_pos++; s_src_len--; len--;
+    while (signature[s_src_pos] == 0 && s_src_len > 0) {
+      s_src_pos++; s_src_len--; len--;
     }
 
     // except when they are mandatory
-    if (signature[r_src_pos] < 0) {
-        r_pad = 1; len++;
+    if (r_src_len > 0 && signature[r_src_pos] < 0) {
+      r_pad = 1; len++;
     }
-    if (signature[s_src_pos] < 0) {
+    if (s_src_len > 0 && signature[s_src_pos] < 0) {
       s_pad = 1; len++;
     }
     byte[] sig = new byte[len];

From 517975ef934dca8f81d768bdc5a8986c397da85c Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Thu, 22 Jun 2017 13:23:43 +0200
Subject: [PATCH 3/3] update ChangeLog

---
 ChangeLog | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index bcea834..ce3bebf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2017-06-22  Peter van Dijk <peter.van.dijk@powerdns.com>, Kees Monshouwer <mind04@monshouwer.eu>
+
+        * Fix leading zero(s) padding in ECDSA sig conversion
+
 2017-01-06  David Blacka  <davidb@verisign.com>
 
         * Released version 0.13