Magic signatures in Bash


@eschnou

Mar 15, 2011, 5:00:53 PM
to salmon-...@googlegroups.com
Hi everyone,

While implementing Salmon Magic Signatures in my node-ostatus library [1], I realized there was no easy way to test and debug interoperability. It seems that some Python code is available, but I'm not sure how to use it and whether it has been updated to the latest spec.

So, I hacked a bash script [2] to perform the signature on the command line using OpenSSL. It is simple to understand and a good peek at how the signature flow goes. Since it uses only command-line tools available in every Linux distro, it makes a good tool to debug your implementations.

You just need to generate an RSA key pair (see the documentation on Github) and then you can sign any file:
./sign.sh input.txt key.pem

It will output the signature as it would appear in me.sign (base64 etc) as well as the key that can be used in the user XRD and plenty of useful stuff.

Now... if some of you could have a quick look and test it with your implementation, I would appreciate it. I'm still wondering if I got it right :-)

Thanks,

Laurent

John Panzer

Mar 16, 2011, 7:54:31 PM
to salmon-...@googlegroups.com, @eschnou
Very cool :).
--
John Panzer / Google
jpa...@google.com / abstractioneer.org / @jpanzer

@eschnou

Mar 28, 2011, 4:31:51 AM
to salmon-...@googlegroups.com, John Panzer
Very cool :).

Thanks. It would be great to have a common test framework, a documented test case or a reference implementation to validate implementations. I'm really struggling with interoperability. Could you or someone else spend some time and look into this bash implementation?

I think it is flawed in fact, because in this example I'm using the hex representation of the SHA256 and not the binary one. This is unclear from the spec (and I have not looked into the RSA PKCS specification to see what is the right way to do it). Would be nice to clarify this in the spec and maybe add a complete example, with all steps documented. 

Cheers,

Laurent
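
The hex-versus-binary question raised in the last message can be checked with OpenSSL itself. The script below is an added example, not part of the thread or of the sign.sh script it discusses. It assumes RSA-SHA256 means RSASSA-PKCS1-v1_5 (RFC 8017), where the raw digest bytes are wrapped in a DigestInfo before padding; the function names, file names and message are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compares signing the binary SHA-256 digest with signing its
# hex text. Assumes the openssl CLI; file names and the message are constructed.

# Standard one-step RSASSA-PKCS1-v1_5 / SHA-256 signature.
sign_standard() {   # args: msg key out
  openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# Two-step form: binary digest, wrapped in DigestInfo, then padded and signed.
sign_binary_digest() {   # args: msg key out
  openssl dgst -sha256 -binary "$1" |
    openssl pkeyutl -sign -inkey "$2" -pkeyopt digest:sha256 -out "$3"
}

# Hypothetical flawed form: pads and signs the 64-character hex string as-is,
# with no DigestInfo around it.
sign_hex_digest() {   # args: msg key out
  openssl dgst -sha256 -r "$1" | cut -c1-64 | tr -d '\n' |
    openssl pkeyutl -sign -inkey "$2" -out "$3"
}

# Exit status 0 only if sig is a valid RSA-SHA256 signature over msg.
verifies() {   # args: msg pub sig
  openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1
}

# Runs all three signers over a constructed message; prints one result per line.
compare_signers() {
  d=$(mktemp -d)
  printf 'constructed test message' > "$d/msg"
  openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
  openssl rsa -in "$d/key.pem" -pubout -out "$d/pub.pem" 2>/dev/null
  sign_standard      "$d/msg" "$d/key.pem" "$d/std.sig"
  sign_binary_digest "$d/msg" "$d/key.pem" "$d/bin.sig"
  sign_hex_digest    "$d/msg" "$d/key.pem" "$d/hex.sig"
  cmp -s "$d/std.sig" "$d/bin.sig" && echo "binary=identical" || echo "binary=differs"
  verifies "$d/msg" "$d/pub.pem" "$d/bin.sig" && echo "binary=valid" || echo "binary=invalid"
  verifies "$d/msg" "$d/pub.pem" "$d/hex.sig" && echo "hex=valid" || echo "hex=invalid"
  rm -rf "$d"
}

compare_signers
```

A signature built from the hex text is rejected by a standard RSA-SHA256 verifier, which is the interoperability symptom to look for when two implementations disagree.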