On 07/07/2014 06:31 AM, Yan Zhu wrote:
> On 07/04/2014 06:57 PM, Red wrote:
>>
>> On 2014-07-04, 3:57 PM, Yan Zhu wrote:
>>> One idea is to look through the signing code from Uhura (command line
>>> signing utility for Mozilla extensions):
>>> http://www.softlights.net/download.html. This should make the correct
>>> signature format, since we use it to generate the signature field in
>>> update.rdf for HTTPS Everywhere.
>>>
>>> Actually, it looks like what you want is lines 148-187 in the Linux
>>> Uhura script.
>> I appreciate the suggestion!
>>
>> I found that Uhura also uses `openssl dgst` to sign data, which is what
>> I have been using more recently. The script also, however, explicitly
>> specifies the use of the "-binary" flag, which appears to be the default
>> behavior. Just to be sure, I tried signing and then base64-encoding the
>> signature of the digest of update.json, but in both cases I ended up
>> with the same thing.
>>
>
> Have you been doing the weird ASN1 template conversion that Uhura does
> after generating the signature? I think that part is crucial.
>
> You can either port the Uhura script from Perl (ugh) to something more
> sane that takes a generic string or file as input, or you can maybe use
> this tool that someone wrote:
> http://dxr.mozilla.org/mozilla-central/source/security/nss/cmd/pk1sign/pk1sign.c
>
> Found the latter via https://bugzilla.mozilla.org/show_bug.cgi?id=685852
I managed to get your test case to pass using a public key and signature generated via nss-tools. Patch attached so you can check that it works for you as well. The process was somewhat convoluted and perhaps infeasible in production (no way to install nss-tools on an airgapped machine), but here is a gist of how I did it: https://gist.github.com/diracdeltas/39d48e315d4ce1a67b83. It would be useful if you could make a python/shell/perl script based on Uhura or pk1sign.c that takes an OpenSSL-generated RSA key and a hash as input and outputs the signature.

> _______________________________________________
> HTTPS-Everywhere mailing list
> [email protected]
> https://lists.eff.org/mailman/listinfo/https-everywhere

-- 
Yan Zhu <[email protected]>, <[email protected]>
Staff Technologist
Electronic Frontier Foundation https://www.eff.org
815 Eddy Street, San Francisco, CA 94109
+1 415 436 9333 x134
From 37eb5753262d5f5621cc3f388bd7c7fae69320a0 Mon Sep 17 00:00:00 2001 From: Yan Zhu <[email protected]> Date: Mon, 7 Jul 2014 07:50:02 -0700 Subject: [PATCH] Correct signature encoding in ruleset signing test Generated using NSS-tools, a la https://gist.github.com/diracdeltas/39d48e315d4ce1a67b83 --- https-everywhere-tests/test/test-rsupdate-verify.js | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/https-everywhere-tests/test/test-rsupdate-verify.js b/https-everywhere-tests/test/test-rsupdate-verify.js index 56e2ed5..f353208 100644 --- a/https-everywhere-tests/test/test-rsupdate-verify.js +++ b/https-everywhere-tests/test/test-rsupdate-verify.js @@ -4,10 +4,13 @@ const { Cc, Ci, Cu } = require('chrome'); const { atob, btoa} = Cu.import('resource://gre/modules/Services.jsm', {}); const PUBKEY = ''+ - 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2zPk2N6p2re361bqNCPmQRgaX'+ - '+CQcnrOa2OeQ0HfwEz/9uC1JmwToCYCqXLx4KDNUD9TXGTyN/y8QwpqTC9csFc+n'+ - 'AUbg5gQ/YaL5Jt0n9H7iPr16aoB4BBX3T+yJLleaLSpoqRVpEtyx6XyogsXjJzbQ'+ - 'PRskjDetZDTUc/6/pQIDAQAB'; + 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwMH3pA27nFhz6BpLFB6B'+ + 'wtuRPrfGVIlZ6R9gprfTUJEcZxqC0T2tzxBgQqjEJPeL61YIuXOqXNMsTmHjooxW'+ + 'qeUPUiBqTeXuM3dz+XgL6sxfydN1IwiWYsdD0bQmN9/ixgOamzBKTYxAx+g5TalD'+ + 'Dv+xeHcBpf0Htu0JZPTaZZtmclxS4LvZXlYJYkcnv04jP/nRd0W/u/d8SYFvayld'+ + 'saSiV00+AuHeQwWM5fmMK7t8OlQzXWp7TwqyzFaSaRZnKtzMBdWxK4IzIMYg3T5h'+ + 'YY76I3E0t9s2eqFOH9b4cVvsEFzJl9QOXRPeSGLoF1mTsdLKw1BK+7l7/gUd8ZbI'+ + 'bwIDAQAB'; const UPDATE_JSON = '' + '{"branch": "stable"\n'+ 
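Review bot: the replacement PUBKEY is a different key, not a re-encoding of the old one: the SubjectPublicKeyInfo header goes from `MIGfMA0G...` (a 1024-bit RSA key) to `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...` (a 2048-bit RSA key), while the commit message only speaks of correcting the signature encoding. Put a comment above `const PUBKEY = ''+` stating the key size and that the pair was generated with NSS tools per the gist in the commit message, so whoever regenerates the fixture next knows the key and the signature below must be replaced together.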
@@ -19,9 +22,12 @@ const UPDATE_JSON = '' + ',"version": "3.5.3.2"}\n'; const UPDATE_JSON_SIG = '' + - 'IS3xOEJZ3E5zsScccgqfmnESnobyHKwdi2o+27T3fTe7BgbynU/a5HdKgKOK2lNP'+ - '9MEeiijuPbLJ8XkbrYsxZ6ylg66fR4ZRRH8KOzny60UC/r9Pmhe8A85ciXnDapp/'+ - 'Ryiaknk+nShRxD1QyqCXl6mP1ZyOG3oQoaIY2Ku7nNA='; + 'MIIBFDANBgkqhkiG9w0BAQUFAAOCAQEApCzWF1KJ2GQno8CxFr6jUNJrPkxU/Wg5'+ + '9s3ikuOb3sXoXzW2FUFI2AdQtTI4b1WTRmphi+vERfxysY0kMhq1eoz+LL4NDQQm'+ + 'fQro021QrIRTvku+MQVwp7E3eS52WS+F2hnuBVpA0t+Zm84v3Xpd6M/VdxkqyZPx'+ + 'MttinAZtyn21tqEWaUF6Rle2VUBK7zAdxCGjXyMx2U9HRgYlwmmQuAXHl+GMNQgq'+ + 'WL01d+2EjV35GlWcwhu4+k4/GjD7sZqiG4TSuokpBevZMWTu7K9tTtb9VmHX6bn+'+ + 'rhVYXVXYCYtEooH4yJYKgyOLn/U4XReR969+sTXW7NbKG3hMMVUFOg=='; function hashSHA256(data) { let converter = Cc['@mozilla.org/intl/scriptableunicodeconverter'] -- 2.0.0
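Review bot: the new UPDATE_JSON_SIG is no longer a raw RSA signature but a DER SEQUENCE whose AlgorithmIdentifier, `BgkqhkiG9w0BAQUF`, decodes to OID 1.2.840.113549.1.1.5 (sha1WithRSAEncryption) followed by a 256-byte BIT STRING, yet the trailing context shows the test digesting with `hashSHA256`. Confirm whether the verifier checks the embedded identifier or only unwraps the BIT STRING: if it only unwraps, say so in a comment next to the constant; if it checks, the fixture has to be regenerated so the identifier matches SHA-256 (1.2.840.113549.1.1.11). Either way, a comment describing the wrapper (and that it was produced with NSS tools rather than `openssl dgst`) would stop the next person pasting a raw signature back in.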
