Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: Alternative for SGN_DecodeDigestInfo

7 views
Skip to first unread message

Robert Relyea

unread,
Apr 2, 2012, 3:06:15 PM4/2/12
to dev-tec...@lists.mozilla.org
On 03/24/2012 03:05 PM, VJ wrote:
> I'm trying to use RSA_HashCheckSign() function to verify the message.
How are you even Linking with RSA_HashCheckSign()? It's a completely
internal function to softoken. If you want verify an RSA signature you
can use PK11_Verify(), or better yet one of the VFY_ functions.

> I found that, its using SGN_DecodeDigestInfo() function to decode the
> digest using SEC_QuickDERDecodeItem() function.
> My understanding is that SEC_QuickDERDecodeItem() takes the
> sgn_DigestInfoTemplate array, which is loaded from DLL (Is it right?)
> If so, where can I find the source cod for that dll?
Both the quick decoder and the Digest or in nssutil. The question is,
though, why do you need a different template? If your signature isn't an
RSA PKCS #1 signature, what is it (perhaps you should be using a
different mechanism).
>
> Is there any other alternative method in NSS to decode the digest /
> RSA verification?
You are looking pretty low level, so it's hard to answer this question,
what is it you are really trying to do, and what kind of signature are
you using?

>
> Regards,
> Vejey


Brian Smith

unread,
Apr 4, 2012, 7:39:43 PM4/4/12
to mozilla's crypto code discussion list
Robert Relyea wrote:
> On 03/24/2012 03:05 PM, VJ wrote:
> > I'm trying to use RSA_HashCheckSign() function to verify the
> > message.
> How are you even Linking with RSA_HashCheckSign()?

I don't know what platform JV is on, but I know on Mac OS X, all the internal symbols in FreeBL and maybe other libraries are exported. This is how the Firefox Sync developers got so far in developing their JavaScript implementation of J-PAKE based on FreeBL's internal math library; they did all their development and testing on Mac OS X and when they were done, they were surprised to find they were using functions that you can't even reference on Windows (and Linux?).

I am not sure if there is something we can do about this problem for Mac OS X.

- Brian

Wan-Teh Chang

unread,
Apr 4, 2012, 8:57:12 PM4/4/12
to mozilla's crypto code discussion list
On Wed, Apr 4, 2012 at 4:39 PM, Brian Smith <bsm...@mozilla.com> wrote:
>
> I don't know what platform JV is on, but I know on Mac OS X,
> all the internal symbols in FreeBL and maybe other libraries
> are exported. This is how the Firefox Sync developers got
> so far in developing their JavaScript implementation of J-PAKE
> based on FreeBL's internal math library; they did all their
> development and testing on Mac OS X and when they were done,
> they were surprised to find they were using functions that you
> can't even reference on Windows (and Linux?).
>
> I am not sure if there is something we can do about this problem
> for Mac OS X.

The NSS makefiles should restrict the symbols exported from
the dynamic shared libraries on Mac OS X:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/coreconf/rules.mk&rev=1.83&mark=316,343-347#316

Perhaps that makefile rule is not working as intended? Or
perhaps Firefox Sync developers were using the static
library libfreebl.a (which loads libfreebl3.dylib at run time)
on Mac OS X?

Wan-Teh

Robert Relyea

unread,
Apr 5, 2012, 7:08:38 PM4/5/12
to dev-tec...@lists.mozilla.org
Why are they linking with Freebl anyway? It's intended to be a private
interface for softoken. It's a very good way to find yourself backed
into a corner.

bob
>
> Wan-Teh


Brian Smith

unread,
Apr 6, 2012, 3:04:08 PM4/6/12
to mozilla's crypto code discussion list
Robert Relyea wrote:
> Why are they linking with Freebl anyway? It's intended to be a
> private interface for softoken. It's a very good way to find
> yourself backed into a corner.

Right. This was a long time ago. You helped me add the J-PAKE implementation to Softoken after we discovered this problem.

- Brian
0 new messages