[HTTPS-Everywhere] Verifying signatures in a FF extension?

Vijay P vijayp at qwsrt.com
Fri Jul 4 16:02:19 PDT 2014


You guys might want to look at keybase.io -- their strategy for
verification of public keys is really nice (look at public locations
such as Twitter) and they have an API that can sign and verify
directories nicely.

On Thu, Jul 3, 2014 at 1:00 AM, Red <redwire at riseup.net> wrote:
> Hello everyone,
>     I've been working on writing some tests[1] for signature
> verification and hashing using the unit testing solution Yan built after
> we discussed some new ideas during our meeting last week, but have had
> no success in getting signature verification working.  I've been using
> the nsIDataSignatureVerifier XPCOM component[2] to do this, using some
> testing data and an RSA key pair[3] I generated just for testing. All of
> my tests with hashing have worked perfectly well and are passing, but
> for some reason my attempts at verifying the signature I created are
> leading to an exception being thrown.  I followed the process I outlined
> in the update.json spec to create my key pair, an example update.json
> file, and to sign the hash of the contents of update.json[4].
>
>     I've asked on both the #extdev and #jetpack channels of
> irc.mozilla.org about this, and have scoured Google, Duck Duck Go, MDN,
> and Stack Overflow for an answer to the question of what could cause
> this behavior (and have referenced some code I found on GitHub to
> confirm I had hardcoded my public key and signature correctly), and
> haven't turned up anything that brings me anywhere near a solution.  So,
> I come to you.   As people who have worked on HTTPS Everywhere, are any
> of you familiar with the process for verifying signatures, and could you
> perhaps review my test to see if I've done something wrong?  Are there
> any alternative ways of verifying signatures (perhaps using an external
> library) that might be more reliable?
>
> Thanks,
> Zack
>
> Note1: my `ruleset_update_manifest.py` script doesn't append a newline
> character to the end of the written `update.json` file, but I had added
> one accidentally while playing with the content in vim. Rather than
> hashing and signing the file again, I decided to simply append a newline
> character to the hardcoded data in my test code.
>
> Note2: I've gone through a lot of permutations of what I hope are
> reasonable modifications to my test code to try to resolve this issue,
> so I highly recommend having a peek through the commit history on [1] to
> get an idea of what I've been trying.
>
> [1]:
> https://github.com/redwire/https-everywhere/blob/feature/tests/https-everywhere-tests/test/test-rsupdate-verify.js
> [2]:
> https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIDataSignatureVerifier
> [3]:
> https://github.com/redwire/https-everywhere/tree/rulesetUpdating/utils/testing/sign_verify
> [4]:
> https://github.com/redwire/https-everywhere/blob/rulesetUpdating/doc/updateJSONSpec.md#updatejson-and-updatejsonsig
>
>
> _______________________________________________
> HTTPS-Everywhere mailing list
> HTTPS-Everywhere at lists.eff.org
> https://lists.eff.org/mailman/listinfo/https-everywhere
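
Added example, not part of either message and not code from the HTTPS Everywhere repository: a detached-signature check over the exact bytes of an update.json-style file, showing how the trailing newline from Note1 changes the result and how to tell a signature mismatch apart from unparseable key input. It assumes Node.js's built-in crypto module in place of nsIDataSignatureVerifier, RSA PKCS#1 v1.5 with SHA-256 (the thread does not name the algorithm), a throwaway key pair, and constructed file content.

```javascript
// Added example: Node.js built-in crypto, not the XPCOM component from the thread.
const crypto = require("crypto");

// Throwaway RSA key pair generated at run time, for this demonstration only.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
});
const pubPem = publicKey.export({ type: "spki", format: "pem" });

// Constructed stand-in for update.json as a generating script would write it
// (no trailing newline), and the same content after an editor appended one.
const written = Buffer.from('{"branch":"stable","hash":"<placeholder>"}', "utf8");
const edited = Buffer.concat([written, Buffer.from("\n", "utf8")]);

// Hex SHA-256 of the exact bytes; one extra byte gives an unrelated digest.
function sha256Hex(bytes) {
  return crypto.createHash("sha256").update(bytes).digest("hex");
}

// Detached signature over the file bytes, base64-encoded (assumed encoding).
// crypto.sign hashes the input with SHA-256 and signs that digest.
function signDetached(bytes) {
  return crypto.sign("sha256", bytes, privateKey).toString("base64");
}

// Returns "ok", "mismatch" or "malformed-key", so a test can distinguish
// "wrong bytes were verified" from "the key input could not be parsed".
function verifyDetached(bytes, sigB64, keyPem) {
  let key;
  try {
    key = crypto.createPublicKey(keyPem);
  } catch (err) {
    return "malformed-key";
  }
  const sig = Buffer.from(sigB64, "base64");
  return crypto.verify("sha256", bytes, key, sig) ? "ok" : "mismatch";
}

// The signature was made over the file that already had the newline.
const sigOverEdited = signDetached(edited);
console.log(sha256Hex(written) === sha256Hex(edited));      // digests differ
console.log(verifyDetached(edited, sigOverEdited, pubPem));  // same bytes as signed
console.log(verifyDetached(written, sigOverEdited, pubPem)); // newline missing
console.log(verifyDetached(edited, sigOverEdited, "not a PEM key"));
```

Hardcoded test data has to match the signed file byte for byte, which is why the newline in Note1 matters; reading the file as raw bytes in the test avoids the discrepancy.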

