After further investigating, some help from Franziskus, and rebuilding Firefox on my local machine, it would appear the issue was caused by using a version of signmar/libmar/nss built for a different platform. The version I just rebuilt verifies MAR signatures without issue:

$ LD_LIBRARY_PATH=/home/ulfr/src/hg.mozilla.org/firefox/obj-x86_64-pc-linux-gnu/config/external/sqlite/ \
    /home/ulfr/src/hg.mozilla.org/firefox/obj-x86_64-pc-linux-gnu/dist/bin/signmar -d . -n testmar -v /tmp/resigned.mar
$ echo $?
0

- Julien

On Tue 19.Jun'18 at 8:50:46 -0400, Julien Vehent wrote:
> Hi everyone,
>
> I'm reimplementing Firefox MAR signature and would like to verify those
> signatures with signmar. Signmar uses NSS on Linux, and I'm running into
> issues getting it to work. Below are the steps to reproduce:
>
> Take a signed MAR file from https://ulfr.io/f/resigned.mar and a public
> RSA key in a self-signed cert from https://ulfr.io/f/resigned_rsa.der.
>
> Import the cert into a fresh NSS DB using:
>
> $ certutil -d . -A -i resigned_rsa.der -n "testmar" -t ",,u"
>
> This creates pkcs11.txt, key4.db and cert9.db in the current directory.
>
> `certutil -d . -L` shows the cert has been added, but trust attributes
> remain empty, and I'm unsure if this is an issue.
>
> At any rate, when I try to verify the signature with signmar, I get:
>
> $ signmar -d . -n testmar -v /tmp/resigned.mar
> ERROR: Could not initialize NSS
> ERROR: Could not initialize crypto library.
>
> Looking through the source of libmar, the operation is failing on
> NSS_Initialize [1]:
>
> NSS_Initialize(NSSConfigDir, "", "", SECMOD_DB, NSS_INIT_READONLY);
>
> Given SECMOD_DB, I tried recreating the NSS db with `-d dbm:.` to create
> an old-style database instead of the sql one. The result is the same,
> but strace shows that signmar accesses secmod.db before failing [2].
>
> At this point, I'm guessing the issue is in the NSS initialization step,
> but I'm not familiar enough with it to debug it further. Any help would
> be greatly appreciated.
>
> Thanks,
> Julien
>
> [1] https://searchfox.org/mozilla-central/source/modules/libmar/sign/mar_sign.c#34-45
> [2] https://gist.github.com/jvehent/53c0b43dd6fe2626f7f7d69d1b94d02e#file-signmar-strace-L361