[tor-bugs] #13379 [Tor Browser]: Sign our MAR files

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Nov 30 20:25:50 UTC 2014


#13379: Sign our MAR files
-----------------------------+---------------------------------------------
     Reporter:  mikeperry    |      Owner:  mcs
         Type:  defect       |     Status:  needs_review
     Priority:  major        |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-security, TorBrowserTeam201411R
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+---------------------------------------------

Comment (by mcs):

 Replying to [comment:30 gk]:
 > There are some wrinkles here when generating certificates:
 >
 > 1) We are stuck with SHA1 for the moment which is not optimal to say the
 > least. I've opened https://bugzilla.mozilla.org/show_bug.cgi?id=1105689 to
 > get that fixed upstream. Not sure how easy it would be to loosen that
 > constraint ourselves. Maybe we'd just need to get rid of that check in
 > https://mxr.mozilla.org/mozilla-central/source/modules/libmar/verify/mar_verify.c#330.

 This seems important to fix before we ship a version of the browser that
 verifies MAR signatures.  I do not fully understand all of the NSS and
 libmar code, but it looks to me like a signature algorithm ID of 1 is
 arbitrarily assigned to the only signature algorithm that is supported by
 the libmar code, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE.  What would be the
 best algorithm to use?  I guess the signature algorithms that NSS supports
 can be seen by reading the sec_DecodeSigAlg() code here:

 http://mxr.mozilla.org/mozilla-esr31/source/security/nss/lib/cryptohi/secvfy.c#213

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:31>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
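
Added example, not part of the original message and not libmar code: a small C routine that walks the signature block of a signed MAR and counts signatures declaring algorithm ID 1, the ID the comment above ties to SHA1-with-RSA. The header layout used here (magic, index offset, file size, signature count, then algorithm ID, length and bytes per signature, all big-endian) is an assumption taken from Mozilla's published MAR format description, and the function name and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAR_ALG_ID_SHA1_RSA 1u  /* ID 1: SHA1-with-RSA, per the comment above */

/* Constructed sample: signed-MAR header with one signature, 4 filler bytes. */
static const uint8_t SAMPLE_MAR[] = {
    'M', 'A', 'R', '1',          /* magic */
    0, 0, 0, 0x20,               /* offset to index */
    0, 0, 0, 0, 0, 0, 0, 0x20,   /* total file size */
    0, 0, 0, 1,                  /* number of signatures */
    0, 0, 0, 1,                  /* signature algorithm ID */
    0, 0, 0, 4,                  /* signature length */
    0xde, 0xad, 0xbe, 0xef       /* filler, not a real signature */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns how many signatures use algorithm ID 1, or -1 if the header is
 * malformed or truncated. *total receives the signature count. */
int mar_count_sha1_sigs(const uint8_t *buf, size_t len, uint32_t *total) {
    size_t off = 20; /* magic 4 + index offset 4 + file size 8 + count 4 */
    if (len < off || memcmp(buf, "MAR1", 4) != 0) return -1;
    uint32_t n = be32(buf + 16);
    int sha1 = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (len - off < 8) return -1;            /* alg ID + length fields */
        uint32_t alg = be32(buf + off);
        uint32_t siglen = be32(buf + off + 4);
        off += 8;
        if (siglen > len - off) return -1;       /* signature runs past buffer */
        off += siglen;
        if (alg == MAR_ALG_ID_SHA1_RSA) sha1++;
    }
    *total = n;
    return sha1;
}

int main(void) {
    uint32_t total = 0;
    int weak = mar_count_sha1_sigs(SAMPLE_MAR, sizeof SAMPLE_MAR, &total);
    printf("signatures=%u sha1_rsa=%d\n", (unsigned)total, weak);
    return weak < 0;
}
```
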

