[Opendnssec-develop] Invalid signature
Rickard Bellgrim
rickard.bellgrim at iis.se
Fri Dec 4 14:55:54 UTC 2009
Hi
As we said in the last meeting, I should start an email thread about the "Invalid signature" problem. At one point we got a bad signature, but we could not reproduce it.
Signer Engine will now check all of the signatures. And SoftHSM has a compiler option to verify the signature before returning it. Both have output to syslog.
Signer Engine:
WARNING: HSM returned BOGUS signature! Abort signing, retry on next resign
SoftHSM (in hexadecimal):
SoftHSM: C_Sign: Error: Could not verify signature. Data: 54657874 Sign: 2E3C50CDFFFC39F146D67730A982DC17C9C5EBBC77394425F3524F8547CE26AC1E13CF13534FCE7BE7FCFF263C8CD2C4DE9EBB295C790C1F989C18A32EF0D0853F7E38222FA6ACBC29E27692D382FB4CE387C5F171F81567EC0678176EFDB43F
Signer Engine also outputs the bad signature into the tmp zone, which does not get distributed:
fprintf(output, "; signing failed: %s\n", ldns_get_errorstr_by_id(status));
ldns_rr_print(output, sig);
I think Roy is setting up a test bed, right?
What else can we do?
And for how long should we keep the verifying on by default in the Signer Engine?
// Rickard
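The verify-before-return guard that the message describes for SoftHSM's C_Sign, and the Signer Engine's "retry on next resign" behaviour, as an added example. This is not OpenDNSSEC or SoftHSM code: it uses a small RSA-CRT signer written here for the demo (hash-only encoding, no PKCS#1 padding, 512-bit key from a seeded generator), a hypothetical FaultyHsm that corrupts one CRT half on its first call, and a checked_sign wrapper that logs in the same shape as the syslog line quoted above and retries. The last function shows the reason a bogus CRT signature must never leave the HSM: one faulty signature is enough to factor the modulus with a gcd (the well-known Boneh, DeMillo and Lipton fault attack), so the bad signature is a key-exposure event, not just a validation failure.

```python
"""Verify-after-sign guard with a simulated faulty HSM (added example, not project code)."""
import hashlib
import math
import random

rng = random.Random(2009)  # fixed seed: deterministic key for the demo (assumption)


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def gen_key(bits=512):
    """Textbook RSA key with the CRT parameters an HSM would store (Python 3.8+ for pow(e, -1, m))."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            break
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def digest_int(data):
    """Message representative: SHA-256 as an integer (no PKCS#1 padding; demo only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def crt_sign(key, data, fault=None):
    """RSA-CRT signature; fault='q' corrupts the mod-q half, simulating a glitch or memory error."""
    m = digest_int(data)
    s1 = pow(m, key["dp"], key["p"])
    s2 = pow(m, key["dq"], key["q"])
    if fault == "q":
        s2 = (s2 + 1) % key["q"]  # constructed fault
    h = (key["qinv"] * (s1 - s2)) % key["p"]  # Garner recombination
    return s2 + h * key["q"]


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest_int(data) % pub["n"]


class FaultyHsm:
    """Hypothetical token: returns `faulty_calls` corrupted signatures, then behaves."""

    def __init__(self, key, faulty_calls=1):
        self.key, self.faulty_calls, self.calls = key, faulty_calls, 0

    def sign(self, data):
        self.calls += 1
        return crt_sign(self.key, data, "q" if self.calls <= self.faulty_calls else None)


def checked_sign(hsm, pub, data, max_tries=3):
    """Sign, verify with the public key before returning, retry; never hand out a bogus signature.
    Returns (signature or None, list of log lines in the syslog shape used by SoftHSM)."""
    log = []
    for _ in range(max_tries):
        sig = hsm.sign(data)
        if verify(pub, data, sig):
            return sig, log
        log.append("C_Sign: Error: Could not verify signature. Data: %s Sign: %X"
                   % (data.hex().upper(), sig))
    log.append("HSM returned BOGUS signature! Abort signing, retry on next resign")
    return None, log


def recover_factor(pub, data, bad_sig):
    """Why the guard matters: a signature correct mod p but wrong mod q leaks p via one gcd."""
    return math.gcd(pow(bad_sig, pub["e"], pub["n"]) - digest_int(data), pub["n"])
```

Run with data b"Text" (hex 54657874, the same bytes as in the quoted SoftHSM log line): the first attempt is rejected and logged, the second succeeds, and recover_factor on the rejected signature returns one of the primes of the modulus, which is exactly what an attacker who can read the tmp zone or the syslog line would get if the check were not there.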