<tt><font size=2>Roland van Rijswijk wrote on 11/27/2009 03:42:03 PM:<br>
<br>
> Hi Matthijs,<br>
> <br>
> IMHO this is a blocking issue, right? It is not acceptable if the<br>
> signatures output by the signer are invalid because of a bug in either<br>
> softHSM or Botan. I assume that Rickard is checking out what causes<br>
> this?</font></tt>
<br>
<br><tt><font size=2>At the moment it is unknown if the bug is in softhsm/botan
or the signer. The work-around is to verify signatures immediately in two
places: softhsm/botan and the signer and when a signature fails, log it,
regenerate it immediately, check it, etc. </font></tt>
<br>
<br><tt><font size=2>> If this cannot be fixed at short notice we should
consider a 'plan<br>
> B' so the release of OpenDNSSEC does not have to be postponed because
of<br>
> a bug in either softHSM or Botan.</font></tt>
<br>
<br><tt><font size=2>We don't know where the bug is, as it might just as
well be in opendnssec part, and I don't want to assume anything right now.
The 'plan b' is the work-around above. That work-around guarantees that
there will not be any false signatures due to this specific bug.</font></tt>
<br><tt><font size=2> <br>
> BTW, is it a reproducable bug -- i.e. will it consistently output
a<br>
> wrong signature given the same input data or is the problem<br>
> intermittent? (the latter would be far worse than the former)</font></tt>
<br>
<br><tt><font size=2>The latter. It only occurred once. On 2009-11-23 12:52:08.
We haven't been able to reproduce it. </font></tt>
<br>
<br><tt><font size=2>We're going to soak-test it, starting monday. Continuous
signing loop on softhsm without the ods signer. Continuous signing loop
on an sca6000 using OpenDNSSEC.</font></tt>
<br><tt><font size=2><br>
There are a few coincidences. </font></tt>
<br>
<br><tt><font size=2>1) The first 52 characters (40 bytes) of the bad signature
are correct. The presentation format causes a wrap after 26 characters.
So the first two lines of the presentation format are correct. This might
be a complete coincidence, but worth checking out. (this is the signer
part).</font></tt>
<br><tt><font size=2>2) Additionally, 40 bytes is a multiple of 20 bytes,
which is exactly the size of the output of SHA1. This is even more far
fetched, but I'm just thinking out loud. (this is botan/softhsm).</font></tt>
<br>
<br><tt><font size=2>Roy </font></tt>