Discussion:
Error while verifying MAR with NSS
Julien Vehent
2018-06-19 12:50:46 UTC
Hi everyone,

I'm reimplementing Firefox MAR signature and would like to verify those
signatures with signmar. Signmar uses NSS on Linux, and I'm running into
issues getting it to work. Below are the steps to reproduce:

Take a signed MAR file from https://ulfr.io/f/resigned.mar and a public
RSA key in a self-signed cert from https://ulfr.io/f/resigned_rsa.der.

Import the cert into a fresh NSS DB using:

$ certutil -d . -A -i resigned_rsa.der -n "testmar" -t ",,u"

This creates pkcs11.txt, key4.db and cert9.db in the current directory.

`certutil -d . -L` shows the cert has been added, but trust attributes
remain empty, and I'm unsure if this is an issue.

At any rate, when I try to verify the signature with signmar, I get:

$ signmar -d . -n testmar -v /tmp/resigned.mar
ERROR: Could not initialize NSS
ERROR: Could not initialize crypto library.

Looking through the source of libmar, the operation is failing on
NSS_Initialize [1]:

NSS_Initialize(NSSConfigDir, "", "", SECMOD_DB, NSS_INIT_READONLY);

Given SECMOD_DB, I tried recreating the NSS db with `-d dbm:.` to create
an old-style database instead of the sql one. The result is the same,
but strace shows that signmar accesses secmod.db before failing [2].

At this point, I'm guessing the issue is in the NSS initialization step,
but I'm not familiar enough with it to debug it further. Any help would
be greatly appreciated.

Thanks,
Julien

[1] https://searchfox.org/mozilla-central/source/modules/libmar/sign/mar_sign.c#34-45
[2] https://gist.github.com/jvehent/53c0b43dd6fe2626f7f7d69d1b94d02e#file-signmar-strace-L361
--
dev-tech-crypto mailing list
dev-tech-***@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Julien Vehent
2018-06-19 14:42:18 UTC
After further investigating, some help from Franziskus, and
rebuilding Firefox on my local machine, it would appear the issue
was caused by using a version of signmar/libmar/nss built for a
different platform. The version I just rebuilt verifies MAR
signatures without issue:

$ LD_LIBRARY_PATH=/home/ulfr/src/hg.mozilla.org/firefox/obj-x86_64-pc-linux-gnu/config/external/sqlite/ \
  /home/ulfr/src/hg.mozilla.org/firefox/obj-x86_64-pc-linux-gnu/dist/bin/signmar \
  -d . -n testmar -v /tmp/resigned.mar

$ echo $?
0

- Julien
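As an added example (not code from the thread, and not part of Firefox or NSS), the POSIX shell wrapper below packages the reproduction steps from the first message with the checks a practitioner would want before blaming NSS: it confirms that the files on disk match the DB prefix certutil was given (signmar passes SECMOD_DB to NSS_Initialize, and the strace in the thread showed it looking for secmod.db), confirms the cert is listed under its nickname after import, prints which NSS library the signmar binary actually resolves (the build/platform mismatch found in the follow-up), and only then runs the verification, treating signmar's exit status 0 as success. It assumes certutil and signmar are on PATH (override with the CERTUTIL and SIGNMAR environment variables); the nickname, DB prefix and file paths are taken from the thread as defaults. The cert8.db/key3.db/secmod.db names for the dbm: format are standard NSS file names, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread: checked wrapper around
#   certutil -d <prefix><dir> -A ...  ;  signmar -d <dir> -n <nick> -v <mar>
# Assumes certutil and signmar are on PATH (override via CERTUTIL / SIGNMAR).
set -eu

# Map an NSS DB prefix to the files certutil creates for that format.
# Comparing these against the directory tells you whether the DB on disk
# is the format the signmar binary will try to open.
nss_db_files() {
  case "$1" in
    sql:) echo "cert9.db key4.db pkcs11.txt" ;;   # modern sqlite DB
    dbm:) echo "cert8.db key3.db secmod.db" ;;    # legacy Berkeley DB
    *)    echo "unsupported NSS db prefix: $1" >&2; return 1 ;;
  esac
}

# Succeed only if every file implied by the prefix exists in the directory.
nss_db_complete() {
  prefix=$1; dir=$2
  files=$(nss_db_files "$prefix") || return 1
  for f in $files; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
}

# Import a DER cert under a nickname, then confirm certutil can list it.
import_cert() {
  prefix=$1; dir=$2; der=$3; nick=$4
  "${CERTUTIL:-certutil}" -d "$prefix$dir" -A -i "$der" -n "$nick" -t ",,u"
  "${CERTUTIL:-certutil}" -d "$prefix$dir" -L -n "$nick" >/dev/null
}

# Show which NSS library the binary resolves (a wrong-platform build shows
# up here), then verify the MAR. signmar exits 0 when the signature checks.
verify_mar() {
  dir=$1; nick=$2; mar=$3
  signmar_bin=${SIGNMAR:-signmar}
  command -v ldd >/dev/null && ldd "$(command -v "$signmar_bin")" | grep -i nss || true
  "$signmar_bin" -d "$dir" -n "$nick" -v "$mar"
}

main() {
  prefix=${1:-sql:}; dir=${2:-.}; der=${3:-resigned_rsa.der}
  nick=${4:-testmar}; mar=${5:-/tmp/resigned.mar}
  import_cert "$prefix" "$dir" "$der" "$nick"
  nss_db_complete "$prefix" "$dir"
  verify_mar "$dir" "$nick" "$mar" && echo "MAR signature verified: $mar"
}

# Run the full flow only when invoked with arguments, e.g.
#   sh verify_mar.sh dbm: . resigned_rsa.der testmar /tmp/resigned.mar
[ $# -eq 0 ] || main "$@"
```

Running it with `dbm:` as the first argument reproduces the thread's second attempt (old-style DB); with `sql:` it reproduces the first. If `nss_db_complete` fails right after a successful import, the DB format and the prefix disagree, which is worth ruling out before looking at the binary itself.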