
do not hash the message in the ed25519 signer

https://www.rfc-editor.org/errata_search.php?rfc=8080

This is a Native zone
Metadata items: None
Zone has NSEC semantics
keys:
ID = 1 (CSK), flags = 257, tag = 3613, algo = 15, bits = 256      Active ( ED25519 )
CSK DNSKEY = example.com. IN DNSKEY 257 3 15 l02Woi0iS8Aa25FQkUd9RMzZHJpBoRQwAQEX1SxZJA4= ; ( ED25519 )
DS = example.com. IN DS 3613 15 1 b2c63605467c4a40942b47a953e9c0d38f81083a ; ( SHA1 digest )
DS = example.com. IN DS 3613 15 2 3aa5ab37efce57f737fc1627013fee07bdf241bd10f3b1964ab55c78e79a304b ; ( SHA256 digest )
DS = example.com. IN DS 3613 15 4 89389da437fca8372e67359dfc0dd4428fa2615df6e31bc5501677dd068514fea5c4efaf82188530a8a1645d9d3ef884 ; ( SHA-384 digest )

DNSKEY and DS match
mind04 committed Jun 16, 2017
1 parent 726f596 commit 5a88a8ed50f4efadf7c1417ee075407b75505b04
Showing with 10 additions and 18 deletions.
  1. +5 −1 pdns/dnssecinfra.hh
  2. +5 −17 pdns/sodiumsigners.cc
@@ -46,7 +46,11 @@ class DNSCryptoKeyEngine
virtual storvector_t convertToISCVector() const =0;
std::string convertToISC() const ;
virtual std::string sign(const std::string& msg) const =0;
virtual std::string hash(const std::string& msg) const =0;
virtual std::string hash(const std::string& msg) const
{
throw std::runtime_error("hash() function not implemented");
return msg;
}
virtual bool verify(const std::string& msg, const std::string& signature) const =0;
virtual std::string getPubKeyHash()const =0;
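Review bot: The `return msg;` after the `throw` in the new default `hash()` is unreachable and can be dropped, and the function deserves a comment saying why it is no longer pure virtual. With a throwing default, an engine that lacks hash() now fails only at run time instead of at compile time, so call sites that invoke hash() on an arbitrary engine should be checked for handling `std::runtime_error`; whether any exist is not visible from this hunk. A suggested comment is `// Optional: engines that sign the raw message (e.g. Ed25519) provide no digest; the default throws.` The class body starts and ends outside the hunk.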
@@ -15,8 +15,7 @@ class SodiumED25519DNSCryptoKeyEngine : public DNSCryptoKeyEngine
void create(unsigned int bits) override;
storvector_t convertToISCVector() const override;
std::string getPubKeyHash() const override;
std::string sign(const std::string& hash) const override;
std::string hash(const std::string& hash) const override;
std::string sign(const std::string& msg) const override;
bool verify(const std::string& msg, const std::string& signature) const override;
std::string getPublicKeyString() const override;
int getBits() const override;
@@ -106,35 +105,24 @@ void SodiumED25519DNSCryptoKeyEngine::fromPublicKeyString(const std::string& inp
std::string SodiumED25519DNSCryptoKeyEngine::sign(const std::string& msg) const
{
string hash=this->hash(msg);
unsigned long long smlen = hash.length() + crypto_sign_ed25519_BYTES;
unsigned long long smlen = msg.length() + crypto_sign_ed25519_BYTES;
std::unique_ptr<unsigned char[]> sm(new unsigned char[smlen]);
crypto_sign_ed25519(sm.get(), &smlen, (const unsigned char*)hash.c_str(), hash.length(), d_seckey);
crypto_sign_ed25519(sm.get(), &smlen, (const unsigned char*)msg.c_str(), msg.length(), d_seckey);
return string((const char*)sm.get(), crypto_sign_ed25519_BYTES);
}
std::string SodiumED25519DNSCryptoKeyEngine::hash(const std::string& orig) const
{
std::unique_ptr<unsigned char[]> out(new unsigned char[crypto_hash_sha512_BYTES]);
crypto_hash_sha512(out.get(), (const unsigned char*)orig.c_str(), orig.length());
return string((const char*)out.get(), crypto_hash_sha512_BYTES);
}
bool SodiumED25519DNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const
{
if (signature.length() != crypto_sign_ed25519_BYTES)
return false;
string hash=this->hash(msg);
unsigned long long smlen = hash.length() + crypto_sign_ed25519_BYTES;
unsigned long long smlen = msg.length() + crypto_sign_ed25519_BYTES;
std::unique_ptr<unsigned char[]> sm(new unsigned char[smlen]);
memcpy(sm.get(), signature.c_str(), crypto_sign_ed25519_BYTES);
memcpy(sm.get() + crypto_sign_ed25519_BYTES, hash.c_str(), hash.length());
memcpy(sm.get() + crypto_sign_ed25519_BYTES, msg.c_str(), msg.length());
std::unique_ptr<unsigned char[]> m(new unsigned char[smlen]);
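Review bot: Now that `sign()` passes the whole message instead of a 64-byte digest, the combined-mode `crypto_sign_ed25519` call allocates and copies `msg.length() + crypto_sign_ed25519_BYTES` bytes only to return the first `crypto_sign_ed25519_BYTES`, and its return value is not checked. If the minimum supported libsodium provides the detached API, `unsigned char sig[crypto_sign_ed25519_BYTES];` followed by `if (crypto_sign_ed25519_detached(sig, nullptr, (const unsigned char*)msg.c_str(), msg.length(), d_seckey) != 0) throw std::runtime_error("ed25519 signing failed");` avoids the copy and surfaces a failure. The same applies to `verify()`, which builds two message-sized buffers from input that may come from the network; `crypto_sign_ed25519_verify_detached` would check the signature against `msg` in place. Signatures produced by earlier builds were computed over the SHA-512 digest and will presumably no longer verify, which deserves a line in the upgrade notes. The body of `verify()` continues past the visible lines, so this is based on the part shown.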
