(resending to tor-dev with tp.o email address)
On 07/08/2014 03:30 AM, Yan Zhu wrote:
On 07/08/2014 02:55 AM, Ben Laurie wrote:
On 7 July 2014 19:40, Red redwire@riseup.net wrote:
Despite the fact that the process for producing the signature in question[2] seemed to work fine (OpenSSL was able to generate and verify the signature), the testing code calling the verifyData[3] function used for verification was returning an undocumented NS_ERROR_FAILURE exception. I had spent a great deal of time asking for support in relevant Firefox extension development IRC channels, reading source code from unit tests for the nsIDataSignatureVerifier component, and experimenting with alternative openssl commands in order to try to figure out why this error was occurring.
Looking at the pk1sign source, it looks like the signature needs to be in base64. Was that what you were using?
Do you have a test case that fails using command line tools?
I think Zack's original failing test case was generated via something like:
$ openssl rsautl -sign -in update.digest -out signtmp.sig -inkey privkey.pem
$ openssl base64 -in signtmp.sig -out update.json.sig
as described in the original spec that we wrote: https://github.com/redwire/https-everywhere/blob/makeJSONManifest/doc/update...
Here is the diff between the failing test and the passing test: https://github.com/redwire/https-everywhere/commit/8b3c85d9d90d679e8b6997017.... I generated the data for the passing test with pk1sign.
The documentation for nsIDataSignatureVerifier does not really describe the expected data format for the signature [1], so it took a while to figure out that it expects a very specialized form [2].
[1] https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interf...
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=685852#c0