From 3a5448df84f228fc018bf1955250728236059139 Mon Sep 17 00:00:00 2001
From: Gus Narea
Date: Fri, 18 Nov 2022 12:32:25 +0000
Subject: [PATCH] fix: Drop incomplete support for DSA/SHA1
See #50.
---
 README.md                            | 1 +
 src/lib/DnssecAlgorithm.ts           | 2 +-
 src/lib/signing/keyGen.ts            | 1 -
 src/lib/utils/crypto/hashing.spec.ts | 1 -
 src/lib/utils/crypto/hashing.ts      | 1 -
 5 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index ffa2d55e..3d70dae1 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,7 @@ This library supports producing RRSig records simply for testing purposes: It ma
 We support all the _Zone Signing_ [DNSSEC algorithms](https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1) as of 2022, except for:
+- DSA (`3`) because [it's too insecure and hardly used](https://github.com/relaycorp/dnssec-js/issues/50).
 - NSEC3 (`6` and `7`) because [we don't currently support Denial of Existence records](https://github.com/relaycorp/dnssec-js/issues/17).
 - [GOST](https://en.wikipedia.org/wiki/GOST) (`12`) due to lack of support in Node.js, and its lack of popularity and security doesn't seem to justify integrating a third party NPM package supporting it (assuming a suitable one exists).
 - Private algorithms (`253` and `254`) because we have no use for those, but we'd welcome PRs to implement them.
diff --git a/src/lib/DnssecAlgorithm.ts b/src/lib/DnssecAlgorithm.ts
index e588b124..ce4319ac 100644
--- a/src/lib/DnssecAlgorithm.ts
+++ b/src/lib/DnssecAlgorithm.ts
@@ -4,7 +4,7 @@
  * @link https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
  */
 export enum DnssecAlgorithm {
-  DSA = 3,
+  // DSA = 3, // See: https://github.com/relaycorp/dnssec-js/issues/50
   RSASHA1 = 5,
   RSASHA256 = 8,
   RSASHA512 = 10,
diff --git a/src/lib/signing/keyGen.ts b/src/lib/signing/keyGen.ts
index 2cb392c4..60a6dacd 100644
--- a/src/lib/signing/keyGen.ts
+++ b/src/lib/signing/keyGen.ts
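Review bot: Commenting out `DSA = 3` removes the enum member but not the wire value, so any DNSKEY or RRSIG parser that casts a received algorithm byte to `DnssecAlgorithm` would now index the `[key in DnssecAlgorithm]` tables in keyGen.ts and hashing.ts to `undefined` instead of reaching an explicit unsupported-algorithm path; that parser is outside this diff, so it is worth confirming it rejects 3 at the boundary (for a numeric enum, `if (!(algo in DnssecAlgorithm)) throw new Error('Unsupported DNSSEC algorithm');` at the parse site is enough). A commented-out member also reads as dead code; consider deleting the line and documenting the gap in the enum's TSDoc instead, e.g. `Algorithm 3 (DSA) is deliberately omitted: see https://github.com/relaycorp/dnssec-js/issues/50`. The enum body continues past the end of the hunk.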
@@ -15,7 +15,6 @@ const RSA_OPTIONS = {
   options: { modulusLength: 2048 },
 };
 const KEY_GEN_OPTIONS: { readonly [key in DnssecAlgorithm]: KeyGenOptions } = {
-  [DnssecAlgorithm.DSA]: { type: 'dsa' },
   [DnssecAlgorithm.ECDSAP256SHA256]: { type: 'ec', options: { namedCurve: 'prime256v1' } },
   [DnssecAlgorithm.ECDSAP384SHA384]: { type: 'ec', options: { namedCurve: 'secp384r1' } },
   [DnssecAlgorithm.RSASHA1]: RSA_OPTIONS,
diff --git a/src/lib/utils/crypto/hashing.spec.ts b/src/lib/utils/crypto/hashing.spec.ts
index e7a0c94e..7228395b 100644
--- a/src/lib/utils/crypto/hashing.spec.ts
+++ b/src/lib/utils/crypto/hashing.spec.ts
@@ -6,7 +6,6 @@ import { DnssecAlgorithm } from '../../DnssecAlgorithm';
 describe('getNodejsHashAlgorithmFromDnssecAlgo', () => {
   test.each([
-    [DnssecAlgorithm.DSA, 'sha1'],
     [DnssecAlgorithm.RSASHA1, 'sha1'],
     [DnssecAlgorithm.RSASHA256, 'sha256'],
     [DnssecAlgorithm.RSASHA512, 'sha512'],
diff --git a/src/lib/utils/crypto/hashing.ts b/src/lib/utils/crypto/hashing.ts
index e4a0d3d4..a717c87d 100644
--- a/src/lib/utils/crypto/hashing.ts
+++ b/src/lib/utils/crypto/hashing.ts
@@ -4,7 +4,6 @@ import { DigestType } from '../../DigestType';
 import { DnssecAlgorithm } from '../../DnssecAlgorithm';
 const HASH_BY_DNSSEC_ALGO: { readonly [algo in DnssecAlgorithm]: string | null } = {
-  [DnssecAlgorithm.DSA]: 'sha1',
   [DnssecAlgorithm.RSASHA1]: 'sha1',
   [DnssecAlgorithm.RSASHA256]: 'sha256',
   [DnssecAlgorithm.RSASHA512]: 'sha512',