
hsm_get_key_rdata produces wrongly encoded DNSKEYs

Details

• Type: Bug
• Status: Closed
• Priority: Minor
• Resolution: Fixed
• Affects Version/s: OpenDNSSEC 1.2.1, OpenDNSSEC 1.2.2, OpenDNSSEC 1.3.0, OpenDNSSEC 1.3.1, OpenDNSSEC 1.3.2, OpenDNSSEC 1.3.3
• Fix Version/s: None
• Component/s: PKCS#11 Interface
• Labels: None
• Environment: Linux CentOS 5.6, OpenCryptoki 2.2.4, SCA 6000

Description

A member of the local technical community noticed that the DNSKEY created for the .nz zone had a different encoding compared to the rest of the TLDs.

A thorough explanation is provided in this message:
http://list.waikato.ac.nz/pipermail/nznog/2011-December/018622.html

We tracked down the problem to the function hsm_get_key_rdata, which basically believes anything the PKCS#11 library tells it. In our testing environment, the public_exponent_len is 4, creating a public_exponent with a leading zero. RFC 3110, Section 2, explicitly forbids leading zero octets in both public_exponent and modulus.

You will find a proposed patch, prepared using libhsm.c from OpenDNSSEC 1.2.1, that fixes the issue.
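The encoding rule at issue, as an added example that is not part of this report, the attached patch, or OpenDNSSEC itself: RFC 3110, Section 2 lays out the RSA public key field of a DNSKEY as an exponent length (one octet, or a zero octet followed by two length octets when the exponent is 256 octets or longer), the exponent, then the modulus, with leading zero octets prohibited in both. The code below builds that field from raw big-endian integers regardless of how many leading zeros the key store handed back (the 4-octet 65537 described above is the constructed case), and a checker that flags an existing field carrying the defect, which is what an operator would run over the zone's DNSKEY RRset to detect the problem before a DS mismatch is published. The modulus bytes are constructed, not a real key.

```python
import base64

def _strip_leading_zeros(octets: bytes) -> bytes:
    """Drop leading 0x00 octets as RFC 3110, Section 2 requires."""
    stripped = octets.lstrip(b"\x00")
    if not stripped:
        raise ValueError("RSA exponent/modulus must be non-zero")
    return stripped

def rfc3110_public_key(exponent: bytes, modulus: bytes) -> bytes:
    """Encode big-endian exponent and modulus into the RFC 3110 public key field.

    Works for any input length, including a PKCS#11 library that returns the
    exponent padded to 4 octets (e.g. 00 01 00 01 for 65537).
    """
    e = _strip_leading_zeros(exponent)
    n = _strip_leading_zeros(modulus)
    if len(e) < 256:
        length_field = bytes([len(e)])          # single-octet length form
    elif len(e) < 65536:
        length_field = b"\x00" + len(e).to_bytes(2, "big")  # 0 + two-octet length form
    else:
        raise ValueError("exponent too long for RFC 3110")
    return length_field + e + n

def parse_rfc3110_public_key(field: bytes):
    """Split a public key field into (exponent, modulus); raise on a truncated field."""
    if len(field) < 1:
        raise ValueError("empty public key field")
    if field[0] != 0:
        elen, off = field[0], 1
    else:
        if len(field) < 3:
            raise ValueError("truncated exponent length")
        elen, off = int.from_bytes(field[1:3], "big"), 3
    if elen == 0 or len(field) < off + elen + 1:
        raise ValueError("truncated exponent or missing modulus")
    return field[off:off + elen], field[off + elen:]

def check_rfc3110_public_key(field: bytes) -> list:
    """Return findings for the leading-zero defect; an empty list means canonical."""
    exponent, modulus = parse_rfc3110_public_key(field)
    findings = []
    if exponent[0] == 0:
        findings.append("exponent has a leading zero octet")
    if modulus[0] == 0:
        findings.append("modulus has a leading zero octet")
    return findings

def check_dnskey_public_key_b64(public_key_b64: str) -> list:
    """Check the base64 public key column of a DNSKEY RR in presentation format."""
    return check_rfc3110_public_key(base64.b64decode(public_key_b64))

def dnskey_public_key_b64(exponent: bytes, modulus: bytes) -> str:
    """Canonical base64 public key column for a DNSKEY RR."""
    return base64.b64encode(rfc3110_public_key(exponent, modulus)).decode("ascii")

if __name__ == "__main__":
    # Constructed values: 65537 padded to 4 octets by the key store, and a
    # short modulus that also carries a leading zero octet (not a real key).
    padded_exponent = b"\x00\x01\x00\x01"
    padded_modulus = b"\x00\xd5\x3f\x11\xa9\x02\x7b\x81"
    # The defective field: the 4-octet exponent copied verbatim.
    defective = b"\x04" + padded_exponent + padded_modulus
    print("defective:", check_rfc3110_public_key(defective))
    print("canonical:", check_rfc3110_public_key(rfc3110_public_key(padded_exponent, padded_modulus)))
    print("DNSKEY column:", dnskey_public_key_b64(padded_exponent, padded_modulus))
```

Because the key tag and the DS digest are computed over the DNSKEY RDATA, the defective and canonical fields describe the same RSA key yet yield different key tags, which is why a validator comparing the parent's DS against the child's DNSKEY will reject the padded form; the checker above is the cheap way to catch that before the records leave the signer.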


People

Assignee: Rickard Bellgrim (rickard)
Reporter: Sebastian Castro (secastro)
