Check that we can verify a signature at initialisation time [v9_16] (!6615) · Merge requests · ISC Open Source Projects / BIND

Mark Andrews requested to merge 3469-auto-disable-rsasha1-and-nsec3rsasha1-when-not-supported-by-the-os-v9_16 into v9_16 Jul 25, 2022

Fedora 33 doesn't support RSASHA1 in future mode. There is no easy check for this other than by attempting to perform a verification using known good signatures. We don't attempt to sign with RSASHA1 as that would not work in FIPS mode. RSASHA1 is verify only.

The test vectors were generated using OpenSSL 3.0 and util/gen-rsa-sha-vectors.c. Rerunning will generate a new set of test vectors as the private key is not preserved.

e.g. cc util/gen-rsa-sha-vectors.c -I /opt/local/include
-L /opt/local/lib -lcrypto

(cherry picked from commit cd3f0087)

Closes #3469 (closed)

Edited Jul 25, 2022 by Mark Andrews

Check that we can verify a signature at initialisation time [v9_16]

Merge request reports