106
edits
Talk:Extension Manager:Addon Update Security:Signature: Difference between revisions
Jump to navigation
Jump to search
Talk:Extension Manager:Addon Update Security:Signature (view source)
Revision as of 21:50, 18 September 2007
, 18 September 2007Added a preface
m (update links to RFCs and wiki pages) |
(Added a preface) |
||
| Line 1: | Line 1: | ||
== Introduction == | |||
After learning about this effort to "disable secure extension updates" in [https://bugzilla.mozilla.org/show_bug.cgi?id=378216 b.m.o bug 378216], I inquired (in [https://bugzilla.mozilla.org/show_bug.cgi?id=378216#c95 comment 95]) about a specification for the cryptographic signature formats used. The reply (in [https://bugzilla.mozilla.org/show_bug.cgi?id=378216#c96 comment 96]) pointed me to [[User:Mossop:Fx-Docs:AddonUpdateSecurity]] which contains a link to [[User:Mossop:Fx-Docs:AddonUpdateSignature]] (the article being discussed in this page). | |||
So I went to [[User:Mossop:Fx-Docs:AddonUpdateSignature]] looking for an open specification. I was looking for a specification clear enough that one could implement something that worked based on that specification alone, and not on other existing implementations. It needn't be too formal, but it needs to be complete. What I found instead are examples that don't work. | |||
The discussion of that page (on this page) should not be understood as a criticism of the actual implemented crypto features as much as a discussion about the lack of a <b>specification</b> for them. | |||
Below, Dave explains that there is a [http://developer.mozilla.org/en/docs/Extension_Versioning%2C_Update_and_Compatibility#Update_RDF_Format developer page] with more examples, which may work, but it's still not a specification. | |||
== Nelson's original comments of 2007-09-15T19:15:21 PST == | == Nelson's original comments of 2007-09-15T19:15:21 PST == | ||
| Line 5: | Line 15: | ||
There are certain essential details that are missing. | There are certain essential details that are missing. | ||
Q1. What is the required/expected ASN.1 syntax of the key that is DER encoded | <b>Q1. What is the required/expected ASN.1 syntax of the key that is DER encoded | ||
and base64 encoded? | and base64 encoded?</b> | ||
A1. It is a SubjectPublicKeyInfo sequence (as defined in RFC 3280 and elsewhere) and NOT a simple RSAPublicKey sequence (as defined in PKCS#1) nor as a simple DSAPublicKey . (That's a good definition. It's just missing from the document.) | A1. It is a SubjectPublicKeyInfo sequence (as defined in RFC 3280 and elsewhere) and NOT a simple RSAPublicKey sequence (as defined in PKCS#1) nor as a simple DSAPublicKey . (That's a good definition. It's just missing from the document.) | ||
Q2. What is the required/expected syntax of an RSA signature? | <b>Q2. What is the required/expected syntax of an RSA signature?</b> | ||
A2. According to the example, it is the raw binary RSA signature, base64 encoded. It is not encoded as an ASN.1 bit string, and so is not the same signature format | A2. According to the example, it is the raw binary RSA signature, base64 encoded. It is not encoded as an ASN.1 bit string, and so is not the same signature format as that used in certificates in RFC 3280. Neither is it encoded as an ASN.1 "encryptedDigest" (an octet string) as defined in RFC 2315 (PKCS#7), nor as a "SignatureValue" (also an octet string) as defined in RFC 3852. Whether leading zero octets are to be suppressed or not is not specified. | ||
Q3. What is the required/expected syntax of a DSA signature? | <b>Q3. What is the required/expected syntax of a DSA signature?</b> | ||
A2. Unknown. The answer is not given in the page. The example does not | A2. Unknown. The answer is not given in the page. The example does not | ||