[HTTPS-Everywhere] Verifying signatures in a FF extension?
Yan Zhu
yan at eff.org
Mon Jul 7 08:05:27 PDT 2014
On 07/07/2014 06:31 AM, Yan Zhu wrote:
> On 07/04/2014 06:57 PM, Red wrote:
>>
>> On 2014-07-04, 3:57 PM, Yan Zhu wrote:
>>> One idea is to look through the signing code from Uhura (command line
>>> signing utility for Mozilla extensions):
>>> http://www.softlights.net/download.html. This should make the correct
>>> signature format, since we use it to generate the signature field in
>>> update.rdf for HTTPS Everywhere.
>>>
>>> Actually, it looks like what you want is lines 148-187 in the Linux
>>> Uhura script.
>> I appreciate the suggestion!
>>
>> I found that Uhura also uses `openssl dgst` to sign data, which is what
>> I have been using more recently. The script also, however, explicitly
>> specifies the use of the "-binary" flag, which appears to be the default
>> behavior. Just to be sure, I tried signing and then base64-encoding the
>> signature of the digest of update.json, but in both cases I ended up
>> with the same thing.
>>
>
> Have you been doing the weird ASN1 template conversion that Uhura does
> after generating the signature? I think that part is crucial.
>
> You can either port the Uhura script from Perl (ugh) to something more
> sane that takes a generic string or file as input, or you can maybe use
> this tool that someone wrote:
> http://dxr.mozilla.org/mozilla-central/source/security/nss/cmd/pk1sign/pk1sign.c
>
> Found the latter via https://bugzilla.mozilla.org/show_bug.cgi?id=685852
I managed to get your test case to pass using a public key and signature
generated via nss-tools. Patch attached so you can check that it works
for you as well.
The process was somewhat convoluted and perhaps infeasible in production
(no way to install nss-tools on an airgapped machine), but here is a
gist of how I did it:
https://gist.github.com/diracdeltas/39d48e315d4ce1a67b83.
It would be useful if you could make a python/shell/perl script based on
Uhura or pk1sign.c that takes an OpenSSL-generated RSA key and a hash as
input and outputs the signature.
>
>
>
>
> _______________________________________________
> HTTPS-Everywhere mailing list
> HTTPS-Everywhere at lists.eff.org
> https://lists.eff.org/mailman/listinfo/https-everywhere
>
--
Yan Zhu <yan at eff.org>, <yan at torproject.org>
Staff Technologist
Electronic Frontier Foundation https://www.eff.org
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-signature.patch
Type: text/x-patch
Size: 2423 bytes
Desc: not available
URL: <https://lists.eff.org/pipermail/https-everywhere/attachments/20140707/d35d084a/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <https://lists.eff.org/pipermail/https-everywhere/attachments/20140707/d35d084a/attachment-0001.sig>
More information about the HTTPS-Everywhere
mailing list