do not hash the message in the ed25519 signer

https://www.rfc-editor.org/errata_search.php?rfc=8080

This is a Native zone
Metadata items: None
Zone has NSEC semantics
keys:
ID = 1 (CSK), flags = 257, tag = 3613, algo = 15, bits = 256      Active ( ED25519 )
CSK DNSKEY = example.com. IN DNSKEY 257 3 15 l02Woi0iS8Aa25FQkUd9RMzZHJpBoRQwAQEX1SxZJA4= ; ( ED25519 )
DS = example.com. IN DS 3613 15 1 b2c63605467c4a40942b47a953e9c0d38f81083a ; ( SHA1 digest )
DS = example.com. IN DS 3613 15 2 3aa5ab37efce57f737fc1627013fee07bdf241bd10f3b1964ab55c78e79a304b ; ( SHA256 digest )
DS = example.com. IN DS 3613 15 4 89389da437fca8372e67359dfc0dd4428fa2615df6e31bc5501677dd068514fea5c4efaf82188530a8a1645d9d3ef884 ; ( SHA-384 digest )

DNSKEY and DS match

diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
index 27038c34bb7c9018ec711d9e3b6ada2d89266370..58d35df09ca2f86d6a375f64ccaa0994eb24e495 100644 (file)
--- a/pdns/dnssecinfra.hh
+++ b/pdns/dnssecinfra.hh
@@ -46,7 +46,11 @@ class DNSCryptoKeyEngine
     virtual storvector_t convertToISCVector() const =0;
     std::string convertToISC() const ;
     virtual std::string sign(const std::string& msg) const =0;
-    virtual std::string hash(const std::string& msg) const =0;
+    virtual std::string hash(const std::string& msg) const
+    {
+       throw std::runtime_error("hash() function not implemented");
+       return msg;
+    }
     virtual bool verify(const std::string& msg, const std::string& signature) const =0;
     
     virtual std::string getPubKeyHash()const =0;

diff --git a/pdns/sodiumsigners.cc b/pdns/sodiumsigners.cc
index f5bdc6ffc67133597355bc2bdcadaaf7b911977a..af194adc80b69bf2b0154f9bba1322800952f925 100644 (file)
--- a/pdns/sodiumsigners.cc
+++ b/pdns/sodiumsigners.cc
@@ -15,8 +15,7 @@ public:
   void create(unsigned int bits) override;
   storvector_t convertToISCVector() const override;
   std::string getPubKeyHash() const override;
-  std::string sign(const std::string& hash) const override;
-  std::string hash(const std::string& hash) const override;
+  std::string sign(const std::string& msg) const override;
   bool verify(const std::string& msg, const std::string& signature) const override;
   std::string getPublicKeyString() const override;
   int getBits() const override;
@@ -106,35 +105,24 @@ void SodiumED25519DNSCryptoKeyEngine::fromPublicKeyString(const std::string& inp
 
 std::string SodiumED25519DNSCryptoKeyEngine::sign(const std::string& msg) const
 {
-  string hash=this->hash(msg);
-  unsigned long long smlen = hash.length() + crypto_sign_ed25519_BYTES;
+  unsigned long long smlen = msg.length() + crypto_sign_ed25519_BYTES;
   std::unique_ptr<unsigned char[]> sm(new unsigned char[smlen]);
 
-  crypto_sign_ed25519(sm.get(), &smlen, (const unsigned char*)hash.c_str(), hash.length(), d_seckey);
+  crypto_sign_ed25519(sm.get(), &smlen, (const unsigned char*)msg.c_str(), msg.length(), d_seckey);
 
   return string((const char*)sm.get(), crypto_sign_ed25519_BYTES);
 }
 
-std::string SodiumED25519DNSCryptoKeyEngine::hash(const std::string& orig) const
-{
-  std::unique_ptr<unsigned char[]> out(new unsigned char[crypto_hash_sha512_BYTES]);
-
-  crypto_hash_sha512(out.get(), (const unsigned char*)orig.c_str(), orig.length());
-
-  return string((const char*)out.get(), crypto_hash_sha512_BYTES);
-}
-
 bool SodiumED25519DNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const
 {
   if (signature.length() != crypto_sign_ed25519_BYTES)
     return false;
 
-  string hash=this->hash(msg);
-  unsigned long long smlen = hash.length() + crypto_sign_ed25519_BYTES;
+  unsigned long long smlen = msg.length() + crypto_sign_ed25519_BYTES;
   std::unique_ptr<unsigned char[]> sm(new unsigned char[smlen]);
 
   memcpy(sm.get(), signature.c_str(), crypto_sign_ed25519_BYTES);
-  memcpy(sm.get() + crypto_sign_ed25519_BYTES, hash.c_str(), hash.length());
+  memcpy(sm.get() + crypto_sign_ed25519_BYTES, msg.c_str(), msg.length());
 
   std::unique_ptr<unsigned char[]> m(new unsigned char[smlen]);