Error while verifying MAR with NSS


Error while verifying MAR with NSS

Julien Vehent-2
Hi everyone,

I'm reimplementing Firefox MAR signature and would like to verify those
signatures with signmar. Signmar uses NSS on Linux, and I'm running into
issues getting it to work. Below are the steps to reproduce:

Take a signed MAR file from https://ulfr.io/f/resigned.mar and a public
RSA key in a self-signed cert from https://ulfr.io/f/resigned_rsa.der.

Import the cert into a fresh NSS DB using:

    $ certutil -d . -A -i resigned_rsa.der -n "testmar" -t ",,u"

This creates pkcs11.txt, key4.db and cert9.db in the current directory.

`certutil -d . -L` shows the cert has been added, but trust attributes
remain empty, and I'm unsure if this is an issue.

At any rate, when I try to verify the signature with signmar, I get:

    $ signmar -d . -n testmar -v /tmp/resigned.mar
    ERROR: Could not initialize NSS
    ERROR: Could not initialize crypto library.

Looking through the source of libmar, the operation is failing on
NSS_Initialize [1]:

    NSS_Initialize(NSSConfigDir, "", "", SECMOD_DB, NSS_INIT_READONLY);

Given SECMOD_DB, I tried recreating the NSS db with `-d dbm:.` to create
an old-style database instead of the sql one. The result is the same,
but strace shows that signmar accesses secmod.db before failing [2].

At this point, I'm guessing the issue is in the NSS initialization step,
but I'm not familiar enough with it to debug it further. Any help would
be greatly appreciated.

Thanks,
Julien

[1] https://searchfox.org/mozilla-central/source/modules/libmar/sign/mar_sign.c#34-45
[2] https://gist.github.com/jvehent/53c0b43dd6fe2626f7f7d69d1b94d02e#file-signmar-strace-L361

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
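The reproduction steps from the post above, written up as an added shell script that is not part of the thread. It assumes `certutil` and `signmar` are on `PATH` and takes the DB directory, the DER certificate and the MAR path as arguments; the function names (`nss_db_format`, `import_cert`, `verify_mar`) are chosen here. Besides running the import and the verification, it reports which NSS database format is actually on disk, which is worth knowing when libmar hands `SECMOD_DB` to `NSS_Initialize` and the directory was created with or without a `dbm:`/`sql:` prefix.

```shell
#!/bin/sh
# Added example (not from the thread): scripted reproduction of the
# certutil import + signmar verification, plus a check of the NSS DB format.
# Assumes certutil and signmar are on PATH.

# Report which NSS database format a directory holds.
# Legacy "dbm" DBs consist of cert8.db/key3.db/secmod.db; the newer "sql"
# DBs consist of cert9.db/key4.db/pkcs11.txt. The dbm:/sql: prefix that
# certutil accepts in -d is stripped so the same path can be passed here.
nss_db_format() {
    dir="${1#sql:}"
    dir="${dir#dbm:}"
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        echo sql
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        echo dbm
    else
        echo none
    fi
}

# Import a DER certificate into an NSS DB under $1 with nickname $3,
# using the same trust string as the post.
import_cert() {
    dir="$1"; der="$2"; nick="$3"
    mkdir -p "${dir#sql:}" 2>/dev/null || true
    certutil -d "$dir" -A -i "$der" -n "$nick" -t ",,u"
}

# Verify a MAR's signature with signmar against the named cert.
# Returns signmar's exit status (0 means the signature verified).
verify_mar() {
    dir="$1"; nick="$2"; mar="$3"
    signmar -d "$dir" -n "$nick" -v "$mar"
}

# The tool-dependent steps only run when three arguments are supplied:
#   ./verify_mar.sh <nss-db-dir> <cert.der> <file.mar>
if [ "$#" -eq 3 ]; then
    DBDIR="$1"; CERT="$2"; MAR="$3"
    import_cert "$DBDIR" "$CERT" testmar
    echo "NSS DB format in $DBDIR: $(nss_db_format "$DBDIR")"
    verify_mar "$DBDIR" testmar "$MAR"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "signature OK"
    else
        echo "signature verification failed (signmar exit status $rc)"
    fi
    exit "$rc"
fi
```

Checking the exit status explicitly, as the reply further down the thread does with `echo $?`, is the part worth keeping in any automation: signmar's "Could not initialize NSS" error and a genuine signature mismatch both come back as a non-zero status, so the printed error text is what distinguishes them.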

Re: Error while verifying MAR with NSS

Julien Vehent-2
After further investigating, some help from Franziskus, and
rebuilding Firefox on my local machine, it would appear the issue
was caused by using a version of signmar/libmar/nss built for a
different platform. The version I just rebuilt verifies MAR
signatures without issue:

    $ LD_LIBRARY_PATH=/home/ulfr/src/hg.mozilla.org/firefox/obj-x86_64-pc-linux-gnu/config/external/sqlite/ \
      /home/ulfr/src/hg.mozilla.org/firefox/obj-x86_64-pc-linux-gnu/dist/bin/signmar \
      -d . -n testmar -v /tmp/resigned.mar

    $ echo $?
    0

- Julien

On Tue 19.Jun'18 at  8:50:46 -0400, Julien Vehent wrote:

> Hi everyone,
>
> I'm reimplementing Firefox MAR signature and would like to verify those
> signatures with signmar. Signmar uses NSS on Linux, and I'm running into
> issues getting it to work. Below are the steps to reproduce:
>
> Take a signed MAR file from https://ulfr.io/f/resigned.mar and a public
> RSA key in a self-signed cert from https://ulfr.io/f/resigned_rsa.der.
>
> Import the cert into a fresh NSS DB using:
>
>     $ certutil -d . -A -i resigned_rsa.der -n "testmar" -t ",,u"
>
> This creates pkcs11.txt, key4.db and cert9.db in the current directory.
>
> `certutil -d . -L` shows the cert has been added, but trust attributes
> remain empty, and I'm unsure if this is an issue.
>
> At any rate, when I try to verify the signature with signmar, I get:
>
>     $ signmar -d . -n testmar -v /tmp/resigned.mar
>     ERROR: Could not initialize NSS
>     ERROR: Could not initialize crypto library.
>
> Looking through the source of libmar, the operation is failing on
> NSS_Initialize [1]:
>
>     NSS_Initialize(NSSConfigDir, "", "", SECMOD_DB, NSS_INIT_READONLY);
>
> Given SECMOD_DB, I tried recreating the NSS db with `-d dbm:.` to create
> an old-style database instead of the sql one. The result is the same,
> but strace shows that signmar accesses secmod.db before failing [2].
>
> At this point, I'm guessing the issue is in the NSS initialization step,
> but I'm not familiar enough with it to debug it further. Any help would
> be greatly appreciated.
>
> Thanks,
> Julien
>
> [1] https://searchfox.org/mozilla-central/source/modules/libmar/sign/mar_sign.c#34-45
> [2] https://gist.github.com/jvehent/53c0b43dd6fe2626f7f7d69d1b94d02e#file-signmar-strace-L361
>