hashlen = 128;
}
else {
//0 type (exact content) not supported yet
@@ -141,7 +144,7 @@
hasher.update(der, len.value);
var binHash = hasher.finish(false);
// convert the binary hash data to a hex string.
var s = [this.charcodeToHexString(binHash.charCodeAt(i)) for (i in binHash)].join("").toUpperCase();
var s = [this.charcodeToHexString(binHash.charCodeAt(i)) for (i in binHash)].join("").toUpperCase().substring(0,hashlen);
org.os3sec.Extval.Extension.logMsg("checking tlsa record: " + s + " / " + tlsa_record[3]);
return s == tlsa_record[3];
},
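Review bot: The `.substring(0,hashlen)` added on the `var s = ...` line hides the cause rather than fixing it: the trailing `666666666666` in the reported output is the hash's first byte (`66`) repeated, which is exactly what `charCodeAt()` returns when `for (i in binHash)` hands it a non-numeric key — the comprehension enumerates every enumerable property reachable from the string, presumably something another script attached to `String.prototype` or `Object.prototype`, not just the character indices. Walking the string by index removes that dependence on the prototype chain: `var s = ""; for (var i = 0; i < binHash.length; i++) s += this.charcodeToHexString(binHash.charCodeAt(i)); s = s.toUpperCase();`, after which the truncation is no longer needed and a wrong-length or extra-property artefact can no longer be silently cut off. If the truncation is kept, note that in the unsupported matching-type branch `hashlen` appears to be left unset, so `substring(0, undefined)` returns the whole string and the length guard is effectively a no-op there. The enclosing `check_cert` method begins before this hunk.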
In my tests, the hex string ends up with extra copies of the hash's first byte appended after the hash, which prevents a successful comparison with the TLSA value:
extval: checking tlsa record: 66749697B26211E9AB46AC498D7FF023A882CE988A608994DA8EBE0872A196A3666666666666 / 66749697B26211E9AB46AC498D7FF023A882CE988A608994DA8EBE0872A196A3
Cutting the hash to the appropriate length restores validation:
extval: checking tlsa record: 66749697B26211E9AB46AC498D7FF023A882CE988A608994DA8EBE0872A196A3 / 66749697B26211E9AB46AC498D7FF023A882CE988A608994DA8EBE0872A196A3 extval: dns_trusted = true extval: Changing state to: certDNSSEC(www.hauke-lampe.de)
This patch works for me:
--- Extended-DNSSEC-Validator/add-on/content/Extval.CertTools.js.orig
+++ Extended-DNSSEC-Validator/add-on/content/Extval.CertTools.js
@@ -125,11 +125,14 @@ check_cert: function(cert, tlsa_record) {
 var ihash = Components.interfaces.nsICryptoHash;
 var hasher = Components.classes["@mozilla.org/security/hash;1"].createInstance(ihash);