Re: Bug in SIG(0) signature generation in 2.1.5

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On Jul 26, 2013, at 9:56 AM, Tekto <te...@ge...> wrote:

> Hi,
> 
> -- Description --
> 
> SIG0.signMessage in Version 2.1.5 is calculating a wrong signature. Sending
> following update-request to a server will produce a SERVFAIL:
> 
> 	SimpleResolver resolver = new SimpleResolver("somedns.example.invalid.");
> 	Name sig0zoneName = new Name("sig0.invalid.");
> 	Name sig0hostName = new Name("sometext.sig0.invalid.");
> 
> 	KeyFactory keyFactory = KeyFactory.getInstance("RSA");
> 	RSAPrivateKey privKey = getPrivateZoneCrtKey(keyFactory);
> 	RSAPublicKey pubKey = getPublicZoneKey(keyFactory);
> 
> 	KEYRecord keyRecord = new KEYRecord(sig0zoneName, DClass.IN, 0, Flags.HOST, Protocol.DNSSEC, Algorithm.RSASHA1, pubKey);		
> 	TXTRecord txtRecord = new TXTRecord(sig0hostName, DClass.IN, 0, "Hello World!");
> 	Update updateMessage = new Update(sig0zoneName);
> 	updateMessage.add(txtRecord);
> 
> 	SIG0.signMessage(updateMessage, keyRecord, privKey, null);
> 
> 
> -- How to reproduce --
> 
> Use SIG0.verifyMessage and try to verify updateMessage.toWire() which will
> throw a DNSSEC.DNSSECException.
> 
> 	SIG0.verifyMessage(updateMessage, updateMessage.toWire(), keyRecord, null);

I assume there's some missing code between the signMessage and verifyMessage?  Passing the same Message object to both signMessage and verifyMessage doesn't work, since some of the internal Message state needed to verify is only filled in when the Message is parsed from wire format; that is, something like:

SIG0.signMessage(updateMessage, keyRecord, privKey, null);
byte [] wire = msg.toWire();
Message msg = new Message(wire);
SIG0.verifyMessage(msg, msg.toWire(), keyRecord, null);

Without that, the code throws an ArrayIndexOutOfBoundsException, because it's badly handling the fact that the Message doesn't know where the start of the SIG0 record is (I've locally updated the code to throw a more useful NoSignatureException).

With code like that added, I'm seeing the failure, although I'm not sure why I'm not seeing the same failure in the existing SIG0 test code I have.

I'm going to try and adapt this sample code into a unit test, and commit the changes in the next few days.

Thanks!

Brian