After further investigating, some help from Franziskus, and
rebuilding Firefox on my local machine, it would appear the issue
was caused by using a version of signmar/libmar/nss built for a
different platform. The version I just rebuilt verifies MAR
signatures without issue:

    -d . -n testmar -v /tmp/resigned.mar

    $ echo $?

- Julien

On Tue 19.Jun'18 at  8:50:46 -0400, Julien Vehent wrote:
> Hi everyone,
> I'm reimplementing Firefox MAR signature and would like to verify those
> signatures with signmar. Signmar uses NSS on Linux, and I'm running into
> issues getting it to work. Below are the steps to reproduce:
> Take a signed MAR file from and a public
> RSA key in a self-signed cert from
> Import the cert into a fresh NSS DB using:
>     $ certutil -d . -A -i resigned_rsa.der -n "testmar" -t ",,u"
> This creates pkcs11.txt, key4.db and cert9.db in the current directory.
> `certutil -d . -L` shows the cert has been added, but trust attributes
> remain empty, and I'm unsure if this is an issue.
> At any rate, when I try to verify the signature with signmar, I get:
>     $ signmar -d . -n testmar -v /tmp/resigned.mar 
>     ERROR: Could not initialize NSS
>     ERROR: Could not initialize crypto library.
> Looking through the source of libmar, the operation is failing on
> NSS_Initialize [1]:
>     NSS_Initialize(NSSConfigDir, "", "", SECMOD_DB, NSS_INIT_READONLY);
> Given SECMOD_DB, I tried recreating the NSS db with `-d dbm:.` to create
> an old-style database instead of the sql one. The result is the same,
> but strace shows that signmar accesses secmod.db before failing [2].
> At this point, I'm guessing the issue is in the NSS initialization step,
> but I'm not familiar enough with it to debug it further. Any help would
> be greatly appreciated.
> Thanks,
> Julien
> [1] 
> [2] 
dev-tech-crypto mailing list
