This queue is for tickets about the Net-DNS-SEC CPAN distribution.

Report information
The Basics
Id: 61877
Status: rejected
Priority: 0/
Queue: Net-DNS-SEC

People
Owner: Nobody in particular
Requestors: johani [...] johani.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.16
Fixed in: (no value)



Subject: Failure to validate signatures made by long keys
I've run across problems with software that is depending on Net::DNS::SEC v0.16 that I've traced to failure to verify signatures generated by RSA/SHA256 and RSA/SHA512 keys if the keylength is > 3000 bits. My perl is 5.10.0

I.e. "dnssec-keygen -a rsasha512 -b 3000 ..." generates a key for which signatures can be validated, while "dnssec-keygen -a rsasha512 -b 3001 ..." generates signatures that are not validatable by Net::DNS::SEC

As both RSA/SHA256 and RSA/SHA512 specify a key length up to 4096 this is clearly a bug somewhere.

I apologize for the somewhat less than precise report. I have logs and error messages on a disk that's unfortunately presently missing among the rest of my luggage. When I get time I'll try to recreate the problem exactly (or hopefully my luggage finds me ;-)).

Johan
From: johani [...] johani.org
Luggage and disk found... Here's the error message that I see:

Sat Oct 2 19:03:33 2010] [DNS] [NOTICE] Couldn't verify DNSKEY RRSIG made with key 14979 Verification of RSA string generated error: Signature longer than key at /usr/pkg/lib/perl5/vendor_perl/5.10.0/Net/DNS/RR/RRSIG.pm line 839.

It is of course just the last part that is from Net::DNS::SEC.
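The ticket never pins down where "Signature longer than key" comes from (the maintainer later attributes it to OpenSSL), so the following is not Net::DNS::SEC code and not a diagnosis of this bug. It is an added, self-contained illustration of the one bookkeeping step that a 3000-vs-3001-bit boundary exposes: converting a modulus bit length to a byte length. A verifier that computes the key size as floor(bits / 8) instead of ceil(bits / 8) will reject every fixed-width signature made with a key whose bit length is not a multiple of 8, exactly the symptom reported. The key below is a constructed toy (the Mersenne primes 2^31-1 and 2^61-1, giving a 92-bit modulus), and the signature scheme is textbook unpadded RSA over a SHA-512 digest, used only so that the length check can be exercised end to end.

```python
import hashlib

# Constructed toy RSA key: p and q are the known Mersenne primes 2^31-1 and
# 2^61-1.  The product is a 92-bit modulus, i.e. not a whole number of bytes,
# which is the same situation as the reporter's 3001-bit key.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def key_byte_length(n: int) -> int:
    """Bytes needed to hold any residue mod n: ceil(bits / 8)."""
    return (n.bit_length() + 7) // 8


def naive_key_byte_length(n: int) -> int:
    """floor(bits / 8): one byte short whenever bits % 8 != 0."""
    return n.bit_length() // 8


def digest_int(msg: bytes, n: int) -> int:
    # SHA-512 of the message, reduced mod n so the toy modulus can sign it.
    # Real RSA/SHA512 (RFC 5702) applies PKCS#1 v1.5 padding instead.
    return int.from_bytes(hashlib.sha512(msg).digest(), "big") % n


def sign(msg: bytes, d: int = D, n: int = N) -> bytes:
    # Fixed-width encoding: a PKCS#1 signature is always exactly the
    # modulus length in octets, so the top byte may legitimately be non-zero.
    s = pow(digest_int(msg, n), d, n)
    return s.to_bytes(key_byte_length(n), "big")


def verify(msg: bytes, sig: bytes, e: int = E, n: int = N,
           length_fn=key_byte_length) -> bool:
    # The sanity check a verifier performs before the modular exponentiation;
    # with the floor rule it fails for every signature from an odd-sized key.
    if len(sig) > length_fn(n):
        return False                    # "Signature longer than key"
    return pow(int.from_bytes(sig, "big"), e, n) == digest_int(msg, n)


def compare_length_rules(bit_sizes):
    """For each key size in bits: (floor rule, ceil rule) in bytes."""
    return {b: (naive_key_byte_length(1 << (b - 1)),
                key_byte_length(1 << (b - 1))) for b in bit_sizes}


if __name__ == "__main__":
    # 3000 bits: both rules agree (375).  3001 bits: floor 375, ceil 376.
    print(compare_length_rules([2048, 3000, 3001, 4096]))
    for i in range(4):
        m = f"constructed message {i}".encode()
        s = sign(m)
        print(len(s), verify(m, s), verify(m, s, length_fn=naive_key_byte_length))
```

For the reporter's sizes the two rules give 375/375 bytes at 3000 bits and 375/376 bytes at 3001 bits, so a floor-based length check would accept one key and reject the other while both produce correct signatures. When triaging a report like this one, checking how the verifier derives the expected signature length from the DNSKEY modulus is a cheap first step before suspecting the cryptographic library itself.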
Hi Johani,

I was not able to reproduce, but I did find some errors in private key creation and generation while trying to reproduce your error. In trunk there is now a new unit-test especially for big signatures. Could you run that and return me the output?

Thanks!

On Mon 04 Oct 2010 09:24:57, johani wrote:
> I've run across problems with software that is depending on
> Net::DNS::SEC v0.16 that I've
> traced to failure to verify signatures generated by RSA/SHA256 and
> RSA/SHA512 keys if the
> keylength is > 3000 bits. My perl is 5.10.0
>
> I.e. "dnssec-keygen -a rsasha512 -b 3000 ..." generates a key for
> which signatures can be
> validated, while "dnssec-keygen -a rsasha512 -b 3001 ..." generates
> signatures that are not
> validatable by Net::DNS::SEC
>
> As both RSA/SHA256 and RSA/SHA512 specify a key length up to 4096 this
> is clearly a bug
> somewhere.
>
> I apologize for the somewhat less than precise report. I have logs and
> error messages on a
> disk that's unfortunately presently missing among the rest of my
> luggage. When I get time I'll
> try to recreate the problem exactly (or hopefully my luggage finds me
> ;-)).
>
> Johan
Rejecting, because no reply from requestor. The error was generated (and probably caused) by OpenSSL anyway.