
This queue is for tickets about the Net-DNS-SEC CPAN distribution.

Report information
The Basics
Id: 61877
Status: rejected
Priority: 0/
Queue: Net-DNS-SEC

People
Owner: Nobody in particular
Requestors: johani [...] johani.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.16
Fixed in: (no value)



Subject: Failure to validate signatures made by long keys
I've run across problems with software that is depending on Net::DNS::SEC v0.16 that I've traced to failure to verify signatures generated by RSA/SHA256 and RSA/SHA512 keys if the keylength is > 3000 bits. My perl is 5.10.0.

I.e. "dnssec-keygen -a rsasha512 -b 3000 ..." generates a key for which signatures can be validated, while "dnssec-keygen -a rsasha512 -b 3001 ..." generates signatures that are not validatable by Net::DNS::SEC.

As both RSA/SHA256 and RSA/SHA512 specify a key length up to 4096 this is clearly a bug somewhere.

I apologize for the somewhat less than precise report. I have logs and error messages on a disk that's unfortunately presently missing among the rest of my luggage. When I get time I'll try to recreate the problem exactly (or hopefully my luggage finds me ;-)).

Johan
From: johani [...] johani.org
Luggage and disk found... Here's the error message that I see:

Sat Oct 2 19:03:33 2010] [DNS] [NOTICE] Couldn't verify DNSKEY RRSIG made with key 14979 Verification of RSA string generated error: Signature longer than key at /usr/pkg/lib/perl5/vendor_perl/5.10.0/Net/DNS/RR/RRSIG.pm line 839.

It is of course just the last part that is from Net::DNS::SEC.
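The length arithmetic behind the report, as an added example that is not part of the ticket and not code from Net::DNS::SEC: it parses the RSA public key field of a DNSKEY (RFC 3110 wire format) and checks an RRSIG's signature field against the modulus length, which RFC 5702 requires to be equal for RSA/SHA-256 and RSA/SHA-512. A 3000-bit modulus occupies 375 octets and a 3001-bit one 376, so a 375-octet signature from a 3001-bit key fails the check. The key values are constructed stand-ins, not real RSA keys.

```python
import struct

# DNSSEC algorithm numbers for RSA/SHA-256 and RSA/SHA-512 (RFC 5702)
RSASHA256, RSASHA512 = 8, 10


def encode_rsa_dnskey(exponent: int, modulus: int) -> bytes:
    """RFC 3110 public key field: exponent length (1 octet, or a 0 octet
    followed by a 2-octet length when it exceeds 255), exponent, modulus.
    Both integers are big-endian with no leading zero octets."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(e) < 256:
        return bytes([len(e)]) + e + n
    return b"\x00" + struct.pack(">H", len(e)) + e + n


def decode_rsa_dnskey(rdata: bytes):
    """Inverse of encode_rsa_dnskey; returns (exponent, modulus)."""
    if rdata[0] != 0:
        elen, off = rdata[0], 1
    else:
        elen, off = struct.unpack(">H", rdata[1:3])[0], 3
    e = int.from_bytes(rdata[off:off + elen], "big")
    n = int.from_bytes(rdata[off + elen:], "big")
    return e, n


def modulus_octets(rdata: bytes) -> int:
    """Size of the modulus in octets, i.e. the required RSA signature size."""
    _, n = decode_rsa_dnskey(rdata)
    return (n.bit_length() + 7) // 8


def check_signature_length(algorithm: int, dnskey_rdata: bytes, signature: bytes) -> str:
    """Return 'ok' when the signature field has exactly the modulus length,
    otherwise a diagnostic naming the mismatch."""
    if algorithm not in (RSASHA256, RSASHA512):
        return f"not an RSA/SHA-2 algorithm: {algorithm}"
    k = modulus_octets(dnskey_rdata)
    if len(signature) > k:
        return f"signature longer than key ({len(signature)} > {k} octets)"
    if len(signature) < k:
        return f"signature shorter than key ({len(signature)} < {k} octets)"
    return "ok"


def constructed_modulus(bits: int) -> int:
    # Constructed stand-in, not a real RSA modulus: an odd number with exactly
    # `bits` bits, enough to exercise the octet-length arithmetic.
    return (1 << (bits - 1)) | 1
```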
Hi Johani,

I was not able to reproduce, but I did find some errors in private key creation and generation while trying to reproduce your error. In trunk there is now a new unit-test especially for big signatures. Could you run that and return me the output?

Thanks!

On Mon 04 Oct 2010 09:24:57, johani wrote:
> I've run across problems with software that is depending on
> Net::DNS::SEC v0.16 that I've traced to failure to verify signatures
> generated by RSA/SHA256 and RSA/SHA512 keys if the keylength is > 3000
> bits. My perl is 5.10.0
>
> I.e. "dnssec-keygen -a rsasha512 -b 3000 ..." generates a key for
> which signatures can be validated, while "dnssec-keygen -a rsasha512
> -b 3001 ..." generates signatures that are not validatable by
> Net::DNS::SEC
>
> As both RSA/SHA256 and RSA/SHA512 specify a key length up to 4096 this
> is clearly a bug somewhere.
>
> I apologize for the somewhat less than precise report. I have logs and
> error messages on a disk that's unfortunately presently missing among
> the rest of my luggage. When I get time I'll try to recreate the
> problem exactly (or hopefully my luggage finds me ;-)).
>
> Johan
Rejecting, because no reply from requestor. The error was generated (and probably caused) by OpenSSL anyway.