[HTTPS-Everywhere] [tor-dev] [GSoC] HTTPS Everywhere secure ruleset update mechanism update

Yan Zhu yan at eff.org
Tue Jul 8 03:30:57 PDT 2014


On 07/08/2014 02:55 AM, Ben Laurie wrote:
> On 7 July 2014 19:40, Red <redwire at riseup.net> wrote:
>> Despite the fact that the process for producing the signature in
>> question[2] seemed to work fine - OpenSSL was able to generate and verify
>> the signature, the testing code calling the verifyData[3] function used
>> for verification was returning an undocumented NS_ERROR_FAILURE
>> exception.  I had spent a great deal of time asking for support in
>> relevant Firefox extension development IRC channels, reading source code
>> from unit tests for the nsIDataSignatureVerifier component, and
>> experimenting with alternative openssl commands in order to try to
>> figure out why this error was occurring.
> 
> Looking at the pk1sign source, it looks like the signature needs to be
> in base64. Was that what you were using?
> 
> Do you have a test case that fails using command line tools?

I think Zack's original failing test case was generated via something like:
$ openssl rsautl -sign -in update.digest -out signtmp.sig -inkey privkey.pem
$ openssl base64 -in signtmp.sig -out update.json.sig

as described in the original spec that we wrote:
https://github.com/redwire/https-everywhere/blob/makeJSONManifest/doc/updateJSONSpec.md

Here is the diff between the failing test and the passing test:
https://github.com/redwire/https-everywhere/commit/8b3c85d9d90d679e8b69970173db9f3185fa44c3.
I generated the data for the passing test with pk1sign.

The documentation for nsIDataSignatureVerifier does not really describe
the expected data format for the signature [1], so it took a while to
figure out that it expects a very specialized form [2].

[1]
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIDataSignatureVerifier
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=685852#c0




-- 
Yan Zhu  <yan at eff.org>, <yan at torproject.org>
Staff Technologist
Electronic Frontier Foundation                  https://www.eff.org
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x134
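
One way to tell the two signature formats apart when debugging a failure like the one in this message, as an added example that is not part of the original e-mail or the HTTPS Everywhere code: it classifies a base64 signature as the bare RSA block that `openssl rsautl -sign` writes or as a DER-wrapped structure. The wrapped layout checked here (a SEQUENCE holding an algorithm identifier and a BIT STRING) is an assumption about what the message calls the "very specialized form"; the function names and sample bytes are constructed.

```python
import base64

def der(tag, body):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def read_tlv(buf, pos):
    """Parse the DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        size = length & 0x7F
        if size == 0 or size > 4 or pos + size > len(buf):
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, pos, pos + length

def classify_signature(b64_text):
    """Return 'der-wrapped', 'raw-rsa' or 'unknown' for a base64 signature."""
    try:
        blob = base64.b64decode("".join(b64_text.split()), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "unknown"
    try:
        # Assumed wrapped layout: SEQUENCE { SEQUENCE algId, BIT STRING sig }
        tag, start, end = read_tlv(blob, 0)
        alg_tag, _, alg_end = read_tlv(blob, start)
        sig_tag, _, sig_end = read_tlv(blob, alg_end)
        if (tag, alg_tag, sig_tag) == (0x30, 0x30, 0x03) and sig_end == end == len(blob):
            return "der-wrapped"
    except ValueError:
        pass
    # rsautl -sign writes one bare block exactly as long as the RSA modulus.
    return "raw-rsa" if len(blob) in (128, 256, 384, 512) else "unknown"

def constructed_samples():
    """Constructed inputs: filler bytes stand in for a real signature value."""
    filler = bytes((i * 7 + 0x5A) % 256 for i in range(256))
    # Constructed algorithm identifier: sha1WithRSAEncryption OID plus NULL.
    alg_id = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")) + der(0x05, b""))
    wrapped = der(0x30, alg_id + der(0x03, b"\x00" + filler))
    return base64.b64encode(filler).decode(), base64.b64encode(wrapped).decode()
```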
