Leading zeroes in (r|s)-parameters of ECDSA signature cause validation to fail #14
Comments
I can't access your resolver, so I have no idea what's going on there. A simple test based on the example in the readme and Google's public DNS or our internal AD resolver shows no errors:
Result:

Now also seeing CLASS65280 TXT "Could not establish a chain of trust to keys for [ch.]. Reason: Did not match a DS to a DNSKEY."

The problem can also be reproduced with 8.8.4.4. Your test probably has a copy-paste error. Also, the second time you do: ==> did you really test bger with "vr"?

No, sorry, copy/paste. Seems like Switch generated a signature that has a leading 0, which Java since 1.8.121 rejects. See https://stackoverflow.com/a/40343731/1544715 for details (they talk about RSA, but it applies to ECDSA as well). Not sure yet where to satisfy Java's (or BouncyCastle's) stupidity.

dblacka/jdnssec-tools#4 might be of interest.
I tried out @Habbie's patch in dnsjava by simply replacing My test case:

```java
package sigbugtest;

import org.xbill.DNS.DClass;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;
import org.xbill.DNS.Type;

public class SigBug {
    public static void main(String[] args) throws Exception {
        Name zone = Name.fromString("ch.");
        RRset rrset = new RRset();

        // DNSKEY RRset of ch.: two ZSKs (flags 256) and the KSK (flags 257),
        // all algorithm 13 (ECDSAP256SHA256)
        Record ksk = Record.fromString(zone, Type.DNSKEY, DClass.IN, 3600L,
                "257 3 13 Cm86XmSSO2FbG/3i9I++7HrRGNa1hNBZ1P7Y38Rg8uUz4YsKWSahAifo yaNMFWUu32VFj5xJQOEjqkrwD3Decw==",
                zone);
        rrset.addRR(Record.fromString(zone, Type.DNSKEY, DClass.IN, 3600L,
                "256 3 13 Qv739sZhsOAXaYY+2k0ZRr24bvi3Aae0w4JcYds9NQVp+qZbDFIWDMbB rjmELzgpAIXvdfoZScm7VD8iMrlnJQ==",
                zone));
        rrset.addRR(ksk);
        rrset.addRR(Record.fromString(zone, Type.DNSKEY, DClass.IN, 3600L,
                "256 3 13 c/8Ej2lq1l1r/tCXl90QWJKIPGLRzwp3dTWAAw8BwsC5Ya9rBzZupYWU fY3aLGl5k8qbRcNXxacINKkWv8ahfA==",
                zone));

        // RRSIG over the DNSKEY RRset; the record names key tag 11896 and its
        // signature field is the raw r||s form that DNSSEC uses for ECDSA
        RRSIGRecord rrsig = (RRSIGRecord) Record.fromString(zone, Type.RRSIG, DClass.IN, 3600L,
                "DNSKEY 13 1 86400 20190307100909 20190120090909 11896 ch. RNSzPMRKwopYI3vwbwdpWulDrBYMn6Aappw4KXKEpUgAF9vb8DDF0GHY B5v4Af7zMTRgBoGFoPTxmjmBPJAMzA==",
                zone);

        // Throws DNSSECException when the signature does not verify; the
        // failure discussed in this issue surfaces here
        DNSSEC.verify(rrset, rrsig, (DNSKEYRecord) ksk);
        System.out.println("SIG VERIFICATION OK");
    }
}
```

Older Java (1.8.0_111) + unpatched dnsjava validates OK.
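
Why the signature in the test case above trips a strict parser, as an added example that is not code from this thread or from dnsjava: DNSSEC carries an ECDSA signature as the fixed-width concatenation r||s (32 bytes each for algorithm 13, 48 for algorithm 14, per RFC 6605), while the JCE wants a DER SEQUENCE of two INTEGERs. DER requires each INTEGER to be minimal: leading 0x00 bytes are stripped, and a single 0x00 is prepended only when the top bit of the first remaining byte is set. The `minimal=False` path below is my reconstruction of the failing conversion shape the thread describes (pad for the sign bit, never strip), not dnsjava's actual code. Decoding the RRSIG signature quoted in the test case shows that s begins with 0x00 0x17, so the unstripped encoding is non-minimal and a strict DER parser (such as the newer Java releases the thread mentions) rejects it; the minimal encoding round-trips cleanly.

```python
import base64

# Signature field of the RRSIG quoted in the test case above (its two base64
# pieces joined); this is the thread's own data, not a constructed value.
RRSIG_SIG_B64 = ("RNSzPMRKwopYI3vwbwdpWulDrBYMn6Aappw4KXKEpUgAF9vb8DDF0GHY"
                 "B5v4Af7zMTRgBoGFoPTxmjmBPJAMzA==")

# Width of r and s per DNSSEC algorithm number (RFC 6605).
FIELD_LEN = {13: 32,   # ECDSAP256SHA256
             14: 48}   # ECDSAP384SHA384


def der_integer(value: bytes, minimal: bool = True) -> bytes:
    """DER INTEGER for an unsigned big-endian value.

    minimal=True  strips leading 0x00 bytes, then prepends one 0x00 if the top
                  bit is set (X.690 shortest two's-complement form).
    minimal=False only prepends the sign byte and never strips: my reconstruction
                  of the conversion the thread describes as failing (assumption,
                  kept for comparison; not dnsjava's code).
    """
    if minimal:
        value = value.lstrip(b"\x00") or b"\x00"
    if value[0] & 0x80:
        value = b"\x00" + value
    if len(value) >= 128:  # short-form length is enough for P-256 and P-384
        raise ValueError("integer too long for short-form length")
    return b"\x02" + bytes([len(value)]) + value


def dns_to_der(raw: bytes, alg: int = 13, minimal: bool = True) -> bytes:
    """RFC 6605 r||s -> DER SEQUENCE { INTEGER r, INTEGER s } (what the JCE expects)."""
    n = FIELD_LEN[alg]
    if len(raw) != 2 * n:
        raise ValueError(f"algorithm {alg} needs a {2 * n}-byte signature, got {len(raw)}")
    body = der_integer(raw[:n], minimal) + der_integer(raw[n:], minimal)
    return b"\x30" + bytes([len(body)]) + body


def _tlv(buf: bytes, pos: int, tag: int):
    """Read one short-form TLV at pos; return (content, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length = buf[pos + 1]
    if length >= 128:
        raise ValueError("long-form length not expected in an ECDSA signature")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return buf[pos + 2:end], end


def _strict_unsigned(content: bytes) -> bytes:
    """Apply the INTEGER rules a strict DER parser enforces; return the magnitude."""
    if not content:
        raise ValueError("empty INTEGER")
    if content[0] & 0x80:
        raise ValueError("negative INTEGER is not a valid r or s")
    if len(content) > 1 and content[0] == 0x00 and not content[1] & 0x80:
        raise ValueError("non-minimal INTEGER: superfluous leading 0x00")
    return content.lstrip(b"\x00")


def der_to_dns(der: bytes, alg: int = 13) -> bytes:
    """Strict inverse of dns_to_der; raises ValueError on malformed input."""
    n = FIELD_LEN[alg]
    seq, end = _tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    r, pos = _tlv(seq, 0, 0x02)
    s, pos = _tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    out = b""
    for part in (r, s):
        mag = _strict_unsigned(part)
        if len(mag) > n:
            raise ValueError("value wider than the curve's field")
        out += mag.rjust(n, b"\x00")   # restore the fixed-width wire form
    return out


def check_thread_signature() -> dict:
    """Run both conversions over the signature from the thread."""
    raw = base64.b64decode(RRSIG_SIG_B64)
    good = dns_to_der(raw)                 # minimal INTEGERs
    bad = dns_to_der(raw, minimal=False)   # leading 0x00 of s kept
    try:
        der_to_dns(bad)
        bad_rejected = False
    except ValueError:
        bad_rejected = True
    return {
        "raw_len": len(raw),
        "s_first_bytes": raw[32:34].hex(),  # "0017": leading zero, top bit clear
        "good_len": len(good),
        "bad_len": len(bad),
        "bad_rejected": bad_rejected,
        "round_trip": der_to_dns(good) == raw,
    }


if __name__ == "__main__":
    for key, val in check_thread_signature().items():
        print(f"{key}: {val}")
```

The decode direction matters as much as the encode direction: a validator that converts with `minimal=True` but then re-pads the magnitude to the field width (the `rjust` above) is what keeps signatures whose r or s happens to be short, roughly one in 256 for each value, from failing intermittently.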
@gryphius / @Habbie, could you please forward that patch to the dnsjava mailing list (dnsjava-users@lists.sourceforge.net) and ask Brian to do a release?

Reported to https://sourceforge.net/p/dnsjava/bugs/64/

I can confirm that we tested this patch and it works for us.

Due to multiple non-responses to https://sourceforge.net/p/dnsjava/bugs/64/, https://github.com/xbill-dns/dns has been created to fix the above. If you fix the problem on sf.net or are willing to continue maintaining this good software on GitHub, it's all yours!

This fix is great; it fixed my problems with the ECDSA signature.

@mwullink so far, nobody has submitted a patch to the dnsjava mailing list.

@ibauersachs But a pull request, dnsjava/dnsjava#17, isn't that even more effective than a patch?

The maintainer of dnsjava says he has no plans to work on the project in the near future. https://sourceforge.net/p/dnsjava/discussion/57043/thread/132c7639a4/?limit=25#eaf6
Since this morning, we get
. 0 CLASS65280 TXT "Could not establish validation of INSECURE status of unsigned response. Reason: Did not match a DS to a DNSKEY."
e.g. for the MX of bger.ch.
Any hints on what is wrong?
212.25.1.1 is the resolver.
<<query: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15318
;; flags: rd ; qd: 1 an: 0 au: 0 ad: 0
;; QUESTIONS:
;; bger.ch., type = MX, class = IN
;; ANSWERS:
;; AUTHORITY RECORDS:
;; ADDITIONAL RECORDS:
;; Message size: 0 bytes
DEBUG [Thread-106] - got response: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15318
;; flags: qr ; qd: 1 an: 0 au: 0 ad: 1
;; QUESTIONS:
;; bger.ch., type = MX, class = IN
;; ANSWERS:
;; AUTHORITY RECORDS:
;; ADDITIONAL RECORDS:
. 0 CLASS65280 TXT "Could not establish validation of INSECURE status of unsigned response. Reason: Did not match a DS to a DNSKEY."
iWay claims they didn't change anything and all is working properly.