[HTTPS-Everywhere] Verifying signatures in a FF extension?

Yan Zhu yan at eff.org
Mon Jul 7 06:31:50 PDT 2014


On 07/04/2014 06:57 PM, Red wrote:
> 
> On 2014-07-04, 3:57 PM, Yan Zhu wrote:
>> One idea is to look through the signing code from Uhura (command line
>> signing utility for Mozilla extensions):
>> http://www.softlights.net/download.html. This should make the correct
>> signature format, since we use it to generate the signature field in
>> update.rdf for HTTPS Everywhere.
>>
>> Actually, it looks like what you want is lines 148-187 in the Linux
>> Uhura script.
> I appreciate the suggestion!
> 
> I found that Uhura also uses `openssl dgst` to sign data, which is what
> I have been using more recently.  The script also, however, explicitly
> specifies the use of the "-binary" flag, which appears to be the default
> behavior.  Just to be sure, I tried signing and then base64-encoding the
> signature of the digest of update.json, but in both cases I ended up
> with the same thing.
> 

Have you been doing the weird ASN1 template conversion that Uhura does
after generating the signature? I think that part is crucial.

You can either port the Uhura script from Perl (ugh) to something more
sane that takes a generic string or file as input, or you can maybe use
this tool that someone wrote:
http://dxr.mozilla.org/mozilla-central/source/security/nss/cmd/pk1sign/pk1sign.c

Found the latter via https://bugzilla.mozilla.org/show_bug.cgi?id=685852

