[Opendnssec-develop] Invalid signature

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Dec 4 14:55:54 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi

As we said in the last meeting, I should start an email thread about the "Invalid signature" problem. At one point we got a bad signature, but we could not reproduce it.

Signer Engine will now check all of the signatures. And SoftHSM has a compiler option to verify the signature before returning it. Both has output to syslog.

Signer Engine:
WARNING: HSM returned BOGUS signature! Abort signing, retry on next resign

SoftHSM (in hexadecimal):
SoftHSM: C_Sign: Error: Could not verify signature. Data: 54657874 Sign: 2E3C50CDFFFC39F146D67730A982DC17C9C5EBBC77394425F3524F8547CE26AC1E13CF13534FCE7BE7FCFF263C8CD2C4DE9EBB295C790C1F989C18A32EF0D0853F7E38222FA6ACBC29E27692D382FB4CE387C5F171F81567EC0678176EFDB43F

Signer Engine also outputs the bad signature into the tmp zone, which does not get distributed:
fprintf(output, "; signing failed: %s\n", ldns_get_errorstr_by_id(status));
ldns_rr_print(output, sig);

I think Roy is setting up a test bed, right?

What else can we do?

And for how long should we keep the verifying on by default in the Signer Engine?

// Rickard

-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSxki+uCjgaNTdVjaAQjTKwf/QIysYWM6aEKNRvxNHKmL7XsWBHnestDC
vXzav+CD+AdhVH9w0RPCTd2TZafTixKm44A0un/e/Y7h1+OfdX8emoaANRHZ8/Rz
TJ6svJynD4cRGGGVZFpqzCbI3sqJgkpqrgoU64MD1tIeXYuWi4UUJU0pauHjMAFU
O0++MgRQ0mD2kDct9TUXCPhweeDzbPJe9dTC1DX+5lC/3l3uQ8R5VI0W6HKc1/La
+D1K9qDSRjh9fqoAJlBqSbFEXdcb3qkRUpKE3q8hPfz8EgU+j/0/2v+EmqADn2Be
BxnCoP1iCJmGOsF49lsTjVhsfRLm6wU+nIl7UU0LXwsE0bz5OWoNfg==
=g/GM
-----END PGP SIGNATURE-----


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20091204/6d03fd5c/attachment.htm>


More information about the Opendnssec-develop mailing list