[tor-dev] [HTTPS-Everywhere] [GSoC] HTTPS Everywhere secure ruleset update mechanism update

Yan Zhu yan at torproject.org
Tue Jul 8 10:48:49 UTC 2014


(resending to tor-dev with tp.o email address)

On 07/08/2014 03:30 AM, Yan Zhu wrote:
> On 07/08/2014 02:55 AM, Ben Laurie wrote:
>> On 7 July 2014 19:40, Red <redwire at riseup.net> wrote:
>>> Despite the fact that the process for producing the signature in
>>> question[2] seemed to work fine- Openssl was able to generate and verify
>>> the signature, the testing code calling the verifyData[3] function used
>>> for verification was returning an undocumented NS_ERROR_FAILURE
>>> exception.  I had spent a great deal of time asking for support in
>>> relevant Firefox extension development IRC channels, reading source code
>>> from unit tests for the nsIDataSignatureVerifier component, and
>>> experimenting with alternative openssl commands in order to try to
>>> figure out why this error was occurring.
>>
>> Looking at the pk1sign source, it looks like the signature needs to be
>> in base64. Was that what you were using?
>>
>> Do you have a test case that fails using command line tools?
> 
> I think Zack's original failing test case was generated via something like:
> $ openssl rsautl -sign -in update.digest -out signtmp.sig -inkey privkey.pem
> $ openssl base64 -in signtmp.sig -out update.json.sig
> 
> as described in the original spec that we wrote:
> https://github.com/redwire/https-everywhere/blob/makeJSONManifest/doc/updateJSONSpec.md
> 
> Here is the diff between the failing test and the passing test:
> https://github.com/redwire/https-everywhere/commit/8b3c85d9d90d679e8b69970173db9f3185fa44c3.
> I generated the data for the passing test with pk1sign.
> 
> The documentation for nsIDataSignatureVerifier does not really describe
> the expected data format for the signature [1], so it took a while to
> figure out that it expects a very specialized form [2].
> 
> [1]
> https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIDataSignatureVerifier
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=685852#c0


-- 
Yan Zhu  <yan at eff.org>, <yan at torproject.org>
Staff Technologist
Electronic Frontier Foundation                  https://www.eff.org
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x134
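
Added example (not part of the original message or the HTTPS Everywhere code): a quick check of which form a base64 signature file is in before handing it to a verifier. `openssl rsautl -sign` writes a bare RSA block the size of the key modulus; the message does not spell out the "specialized form", so this sketch assumes it is the DER structure SEQUENCE { AlgorithmIdentifier, BIT STRING }. The function names and sample bytes are constructed for illustration.

```python
import base64

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def classify_signature(b64_text):
    """'wrapped' = SEQUENCE{AlgorithmIdentifier, BIT STRING}; 'raw:<bits>' = bare RSA-sized blob."""
    blob = base64.b64decode(b64_text)  # tolerates openssl's line breaks
    try:
        tag, body, end = read_tlv(blob, 0)
        if tag == 0x30 and end == len(blob):
            alg_tag, _, p = read_tlv(body, 0)
            sig_tag, sig, p = read_tlv(body, p)
            if alg_tag == 0x30 and sig_tag == 0x03 and p == len(body) and sig[:1] == b"\x00":
                return "wrapped"
    except ValueError:
        pass  # not well-formed DER; fall through to the size check
    if len(blob) in (128, 256, 384, 512):  # 1024..4096-bit RSA modulus sizes
        return "raw:%d" % (len(blob) * 8)
    return "unknown"

def der(tag, value):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + value

# Constructed samples: placeholder bytes, not real signatures.
FAKE_SIG = bytes(range(256))
# AlgorithmIdentifier: OID 1.2.840.113549.1.1.5 (sha1WithRSAEncryption) + NULL parameters
ALG = der(0x30, bytes.fromhex("06092a864886f70d010105") + b"\x05\x00")
RAW_B64 = base64.b64encode(FAKE_SIG).decode()
WRAPPED_B64 = base64.b64encode(der(0x30, ALG + der(0x03, b"\x00" + FAKE_SIG))).decode()
```

A result of `raw:2048` on a `.sig` file means it is the bare `rsautl` output rather than the wrapped structure assumed here.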