From 697c128389f4ec974886030270fe8d1fe3e4eb8c Mon Sep 17 00:00:00 2001 From: DXTimer Date: Wed, 17 Jul 2024 15:52:21 +0700 Subject: [PATCH 1/5] refactor: use crypto:sign instead of crypto:public_decrypt --- .tool-versions | 2 +- include/dnssec_tests.hrl | 5 +++-- src/dnssec.erl | 21 ++++++++++++--------- 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/.tool-versions b/.tool-versions index 15e66ae..c1140d3 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1 +1 @@ -erlang 24.1 +erlang 26.2.5.2 diff --git a/include/dnssec_tests.hrl b/include/dnssec_tests.hrl index 854daca..fb3e187 100644 --- a/include/dnssec_tests.hrl +++ b/include/dnssec_tests.hrl @@ -218,8 +218,9 @@ test_sample_key(dsa, PrivKey, PubKey) -> crypto:verify(dss, sha, Sample, Sig, PubKey); test_sample_key(rsa, PrivKey, PubKey) -> Sample = <<"1234">>, - Cipher = crypto:private_encrypt(rsa, Sample, PrivKey, rsa_pkcs1_padding), - Sample =:= crypto:public_decrypt(rsa, Cipher, PubKey, rsa_pkcs1_padding). + Signature = crypto:sign(rsa, sha, Sample, PrivKey, [{rsa_padding, rsa_pkcs1_padding}]), + crypto:verify(rsa, sha, Sample, Signature, PubKey, [{rsa_padding, rsa_pkcs1_padding}]). + dnskey_pubkey_gen_test_() -> [ diff --git a/src/dnssec.erl b/src/dnssec.erl index 11fb297..8e2fadc 100644 --- a/src/dnssec.erl +++ b/src/dnssec.erl @@ -502,15 +502,13 @@ verify_rrsig( Alg =:= ?DNS_ALG_RSASHA256 orelse Alg =:= ?DNS_ALG_RSASHA512 -> - SigPayload = - try - crypto:public_decrypt( - rsa, Sig, Key, rsa_pkcs1_padding - ) - catch - error:decrypt_failed -> undefined - end, - SigInput =:= SigPayload; + try + crypto:verify( + rsa, dns_algo_to_digest_type(Alg), SigInput, Sig, Key, [{rsa_padding, rsa_pkcs1_padding}] + ) + catch + error:decrypt_failed -> undefined + end; (_) -> false end, @@ -518,6 +516,11 @@ verify_rrsig( ) end. +dns_algo_to_digest_type(?DNS_ALG_NSEC3RSASHA1) -> sha; +dns_algo_to_digest_type(?DNS_ALG_RSASHA1) -> sha; +dns_algo_to_digest_type(?DNS_ALG_RSASHA256) -> sha256; +dns_algo_to_digest_type(?DNS_ALG_RSASHA512) -> sha512. + build_sig_input( SignersName, KeyTag, From ba38a9079f073363a7be3bfb7f9e9c7d5b4887f5 Mon Sep 17 00:00:00 2001 From: DXTimer Date: Thu, 8 Aug 2024 18:48:14 +0700 Subject: [PATCH 2/5] refactor: use non-deprecated functions in crypto module --- src/dnssec.erl | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/dnssec.erl b/src/dnssec.erl index 8e2fadc..3052a12 100644 --- a/src/dnssec.erl +++ b/src/dnssec.erl @@ -418,12 +418,19 @@ sign_rrset( Alg =:= ?DNS_ALG_RSASHA256 orelse Alg =:= ?DNS_ALG_RSASHA512 -> - crypto:private_encrypt( + crypto:sign( rsa, + dns_algo_to_digest_type(Alg), BaseSigInput, Key, - rsa_pkcs1_padding + [{rsa_padding, rsa_pkcs1_padding}] ) + % crypto:private_encrypt( + % rsa, + % BaseSigInput, + % Key, + % rsa_pkcs1_padding + % ) end, Data = Data0#dns_rrdata_rrsig{signature = Signature}, #dns_rr{ @@ -503,6 +510,13 @@ verify_rrsig( Alg =:= ?DNS_ALG_RSASHA512 -> try + io:format("SigInput: ~p~n", [SigInput]), + io:format("Sig: ~p~n", [Sig]), + io:format("Data: ~p~n", [Data]), + SigPayload = crypto:public_decrypt( + rsa, Sig, Key, rsa_pkcs1_padding + ), + io:format("SigPayload: ~p~n", [SigPayload]), crypto:verify( rsa, dns_algo_to_digest_type(Alg), SigInput, Sig, Key, [{rsa_padding, rsa_pkcs1_padding}] ) From 3d6943decfae17bd13bc7bbe8013197077a89758 Mon Sep 17 00:00:00 2001 From: atanas argirov Date: Tue, 13 Aug 2024 14:37:44 +0100 Subject: [PATCH 3/5] cleanup of RSA related crypto:{sign,public_decrypt} debug output --- src/dnssec.erl | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/src/dnssec.erl b/src/dnssec.erl index 3052a12..c679db0 100644 --- a/src/dnssec.erl +++ b/src/dnssec.erl @@ -425,12 +425,6 @@ sign_rrset( Key, [{rsa_padding, rsa_pkcs1_padding}] ) - % crypto:private_encrypt( - % rsa, - % BaseSigInput, - % Key, - % rsa_pkcs1_padding - % ) end, Data = Data0#dns_rrdata_rrsig{signature = Signature}, #dns_rr{ @@ -510,13 +504,9 @@ verify_rrsig( Alg =:= ?DNS_ALG_RSASHA512 -> try - io:format("SigInput: ~p~n", [SigInput]), - io:format("Sig: ~p~n", [Sig]), - io:format("Data: ~p~n", [Data]), SigPayload = crypto:public_decrypt( rsa, Sig, Key, rsa_pkcs1_padding ), - io:format("SigPayload: ~p~n", [SigPayload]), crypto:verify( rsa, dns_algo_to_digest_type(Alg), SigInput, Sig, Key, [{rsa_padding, rsa_pkcs1_padding}] ) From 3106096613c50aca4168851f707d940af0b0008f Mon Sep 17 00:00:00 2001 From: atanas argirov Date: Tue, 13 Aug 2024 14:45:31 +0100 Subject: [PATCH 4/5] refactor public_decrypt -> verify crypto API function --- src/dnssec.erl | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/dnssec.erl b/src/dnssec.erl index c679db0..1c9a195 100644 --- a/src/dnssec.erl +++ b/src/dnssec.erl @@ -504,9 +504,6 @@ verify_rrsig( Alg =:= ?DNS_ALG_RSASHA512 -> try - SigPayload = crypto:public_decrypt( - rsa, Sig, Key, rsa_pkcs1_padding - ), crypto:verify( rsa, dns_algo_to_digest_type(Alg), SigInput, Sig, Key, [{rsa_padding, rsa_pkcs1_padding}] ) From 33846889e92c56437155682e4aa88583d6b868de Mon Sep 17 00:00:00 2001 From: Santiago Traversa Date: Tue, 13 Aug 2024 16:31:55 -0300 Subject: [PATCH 5/5] Update ci.yml --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 29c5096..df154ee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - otp_version: ['26.1', '25.3', '24.3'] + otp_version: ['26.2', '25.3'] steps: - uses: actions/checkout@v4 @@ -40,7 +40,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - otp_version: ['26.1', '25.3', '24.3'] + otp_version: ['26.2', '25.3'] needs: - build