After further investigating, some help from Franziskus, and
rebuilding Firefox on my local machine, it would appear the issue
was caused by using a version of signmar/libmar/nss built for a
different platform. The version I just rebuilt verifies MAR
signatures without issue:

    $ LD_LIBRARY_PATH=/home/ulfr/src/hg.mozilla.org/firefox/obj-x86_64-pc-linux-gnu/config/external/sqlite/ \
      /home/ulfr/src/hg.mozilla.org/firefox/obj-x86_64-pc-linux-gnu/dist/bin/signmar -d . -n testmar -v /tmp/resigned.mar

    $ echo $?
    0

- Julien

On Tue 19.Jun'18 at  8:50:46 -0400, Julien Vehent wrote:
> Hi everyone,
> 
> I'm reimplementing Firefox MAR signature and would like to verify those
> signatures with signmar. Signmar uses NSS on Linux, and I'm running into
> issues getting it to work. Below are the steps to reproduce:
> 
> Take a signed MAR file from https://ulfr.io/f/resigned.mar and a public
> RSA key in a self-signed cert from https://ulfr.io/f/resigned_rsa.der.
> 
> Import the cert into a fresh NSS DB using:
> 
>     $ certutil -d . -A -i resigned_rsa.der -n "testmar" -t ",,u"
> 
> This creates pkcs11.txt, key4.db and cert9.db in the current directory.
> 
> `certutil -d . -L` shows the cert has been added, but trust attributes
> remain empty, and I'm unsure if this is an issue.
> 
> At any rate, when I try to verify the signature with signmar, I get:
> 
>     $ signmar -d . -n testmar -v /tmp/resigned.mar 
>     ERROR: Could not initialize NSS
>     ERROR: Could not initialize crypto library.
> 
> Looking through the source of libmar, the operation is failing on
> NSS_Initialize [1]:
> 
>     NSS_Initialize(NSSConfigDir, "", "", SECMOD_DB, NSS_INIT_READONLY);
> 
> Given SECMOD_DB, I tried recreating the NSS db with `-d dbm:.` to create
> an old-style database instead of the sql one. The result is the same,
> but strace shows that signmar accesses secmod.db before failing [2].
> 
> At this point, I'm guessing the issue is in the NSS initialization step,
> but I'm not familiar enough with it to debug it further. Any help would
> be greatly appreciated.
> 
> Thanks,
> Julien
> 
> [1] https://searchfox.org/mozilla-central/source/modules/libmar/sign/mar_sign.c#34-45
> [2] https://gist.github.com/jvehent/53c0b43dd6fe2626f7f7d69d1b94d02e#file-signmar-strace-L361
> 
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
