Hi,
I have a Firefox extension for Linux/Mac/Windows that uses public key
authentication and other crypto utility routines provided by libnss.
If I recall correctly, the code (pasted below) uses a few functions
that are not part of the standard XPCOM interfaces (i.e., the headers
are not included in the xulrunner-sdk), but everything seems to work
when I used them, so I guess Firefox loads the necessary libraries for
internal use.
Well, almost everything works. I keep getting reports from gentoo
users (64 and 32 bit) that when they use the Firefox version from
emerge (apparently it is now in testing, but not the main tree) my
component library Perspectives.so fails to load. In the log it looks
like this:
-1210775856[8058c90]: nsNativeModuleLoader::LoadModule("/home/
dan/.mozilla/firefox/re9q6sk5.default/extensions/[EMAIL PROTECTED]/
platform/Linux_x86-gcc3/components/Perspectives.so") - load FAILED,
rv: 80004005, error:
/home/dan/.mozilla/firefox/re9q6sk5.default/extensions/
[EMAIL PROTECTED]/platform/Linux_x86-gcc3/components/
Perspectives.so: undefined symbol:
SECKEY_DecodeDERSubjectPublicKeyInfo
The extension has several thousand users and pretty much the only
error reports I get are from gentoo users. I've had them make sure that
the NSS libraries are installed. One helpful user even ran pmap on
the running Firefox process, which seems to indicate that the libnss
libraries were successfully loaded.
$ pmap $(pgrep firefox) | grep libnss
b27a2000 272K r-x-- /usr/lib/nss/libnssckbi.so.12
b27e6000 28K r---- /usr/lib/nss/libnssckbi.so.12
b27ed000 16K rw--- /usr/lib/nss/libnssckbi.so.12
b2831000 124K r-x-- /usr/lib/nss/libnssdbm3.so.12
b2850000 4K r---- /usr/lib/nss/libnssdbm3.so.12
b2851000 4K rw--- /usr/lib/nss/libnssdbm3.so.12
b4a25000 16K r-x-- /lib/libnss_dns-2.6.1.so
b4a29000 4K r---- /lib/libnss_dns-2.6.1.so
b4a2a000 4K rw--- /lib/libnss_dns-2.6.1.so
b5b1a000 76K r-x-- /usr/lib/nss/libnssutil3.so.12
b5b2d000 12K r---- /usr/lib/nss/libnssutil3.so.12
b5b30000 4K rw--- /usr/lib/nss/libnssutil3.so.12
b5b31000 1084K r-x-- /usr/lib/nss/libnss3.so.12
b5c40000 16K r---- /usr/lib/nss/libnss3.so.12
b5c44000 4K rw--- /usr/lib/nss/libnss3.so.12
b71a7000 32K r-x-- /lib/libnss_files-2.6.1.so
b71af000 4K r---- /lib/libnss_files-2.6.1.so
b71b0000 4K rw--- /lib/libnss_files-2.6.1.so
b71b1000 32K r-x-- /lib/libnss_nis-2.6.1.so
b71b9000 4K r---- /lib/libnss_nis-2.6.1.so
b71ba000 4K rw--- /lib/libnss_nis-2.6.1.so
b71d2000 24K r-x-- /lib/libnss_compat-2.6.1.so
b71d8000 4K r---- /lib/libnss_compat-2.6.1.so
b71d9000 4K rw--- /lib/libnss_compat-2.6.1.so
I am compiling the library on Ubuntu with flags (excluding unnecessary
lines):
GECKO_LDFLAGS = -L$(GECKO_SDK_PATH)/lib -L$(GECKO_SDK_PATH)/bin -Wl,-
rpath-link,$(GECKO_SDK_PATH)/bin -lxpcomglue_s -lxpcom -lxul -lnss -
lnssutil
$(CXX) -Wall -Os -o $(TARGET) $(GECKO_CONFIG_INCLUDE) $
(GECKO_DEFINES) $(GECKO_INCLUDES) -shared $(CXXFLAGS) $(FILES) $
(GECKO_LDFLAGS)
While searching the group I found this. Perhaps it, too, is
related?
http://groups.google.com/group/mozilla.dev.tech.crypto/msg/539936180510c86b
Can a kind soul perhaps shed some light/experience on my problem? I'd
really appreciate it.
dan
************************ code *********************************
#include "pipnss/nsIDataSignatureVerifier.h"
#include "nsStringAPI.h"
#include "nsXPCOM.h"
#include "nsXPCOM.h"
#include "nsServiceManagerUtils.h"
#include "nsComponentManagerUtils.h"
#include "prprf.h"
#include "prio.h"
#include "prerror.h"
#include "prnetdb.h"
#include "nsEmbedString.h"
#include "nsIX509Cert.h"
#include "nsILocalFile.h"
#include "nsDirectoryServiceDefs.h"
#include "nsDirectoryServiceUtils.h"
#include "nsIPrefService.h"
#include "nsIPrefBranch2.h"
#include "nsMemory.h"
#include <stdlib.h>
#if WIN32
#include <winsock2.h>
#endif
#include "nsCOMPtr.h"
//#include "nsString.h"
#include "keythi.h"
#include "seccomon.h"
#include "nssb64.h"
#include "certt.h"
#include "keyhi.h"
#include "cryptohi.h"
#include "common.h"
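/**
 * Verify a signature over a data buffer with a public key supplied as a
 * base64-encoded DER SubjectPublicKeyInfo.
 *
 * @param data      bytes that were signed
 * @param data_len  length of data in bytes
 * @param sig       raw signature bytes
 * @param sig_len   length of sig in bytes
 * @param key64     base64 text of the DER-encoded SubjectPublicKeyInfo
 * @param key64_len length of key64 in bytes
 * @return PR_TRUE only if NSS reports the signature as valid; PR_FALSE on
 *         any decode, setup or verification failure.
 *
 * NOTE(review): the algorithm is fixed to MD5-with-RSA. MD5 is not
 * collision resistant, so this scheme should be treated as legacy; moving
 * to a SHA-2 based signature needs a matching change on the signing side.
 */
PRBool VerifyData(unsigned char *data, unsigned int data_len,
                  unsigned char *sig, unsigned int sig_len,
                  char *key64, unsigned int key64_len)
{
    // Reject missing buffers up front instead of handing NULL to NSS.
    if (!data || !sig || !key64)
        return PR_FALSE;

    // The arena owns the decoded key bytes and the algorithm ID contents;
    // both are released together by the single PORT_FreeArena below.
    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (!arena)
        return PR_FALSE;

    // "%s" assumes key64 is NUL-terminated; the caller in this file
    // derives key64_len with strlen(), so that holds there.
    DPRINTF(DEBUG_INFO, "Verify sees key = '%s' \n", key64);

    PRBool verified = PR_FALSE;
    SECKEYPublicKey *publicKey = NULL;

    do {
        // Base 64 decode the key
        SECItem keyItem;
        PORT_Memset(&keyItem, 0, sizeof(SECItem));
        if (!NSSBase64_DecodeBuffer(arena, &keyItem, key64, key64_len)) {
            DPRINTF(DEBUG_ERROR, "bad key b64 decode \n");
            break;
        }

        // Extract the public key from the data
        CERTSubjectPublicKeyInfo *pki =
            SECKEY_DecodeDERSubjectPublicKeyInfo(&keyItem);
        if (!pki) {
            DPRINTF(DEBUG_ERROR, "bad key DER decode \n");
            break;
        }
        publicKey = SECKEY_ExtractPublicKey(pki);
        SECKEY_DestroySubjectPublicKeyInfo(pki);
        pki = NULL;
        if (!publicKey) {
            DPRINTF(DEBUG_ERROR, "bad key extract\n");
            break;
        }

        // The algorithm below is RSA-only and the log line reads the RSA
        // member of the key union, so refuse any other key type first.
        if (publicKey->keyType != rsaKey) {
            DPRINTF(DEBUG_ERROR, "key is not RSA \n");
            break;
        }
        DPRINTF(DEBUG_INFO, "key len = %d \n",
                publicKey->u.rsa.modulus.len);

        SECItem sig_item;
        sig_item.type = siBuffer;
        sig_item.data = sig;
        sig_item.len = sig_len;

        // An unchecked failure here would leave algID uninitialized for
        // the verify call.
        SECAlgorithmID algID;
        PORT_Memset(&algID, 0, sizeof(SECAlgorithmID));
        if (SECOID_SetAlgorithmID(arena, &algID,
                                  SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
                                  NULL) != SECSuccess) {
            DPRINTF(DEBUG_ERROR, "bad algorithm id \n");
            break;
        }

        SECStatus ss = VFY_VerifyDataWithAlgorithmID(data, data_len,
                                                     publicKey, &sig_item,
                                                     &algID, NULL, NULL);
        verified = (ss == SECSuccess) ? PR_TRUE : PR_FALSE;
    } while (0);

    // Clean up remaining objects
    if (publicKey)
        SECKEY_DestroyPublicKey(publicKey);
    PORT_FreeArena(arena, PR_FALSE);
    return verified;
}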
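/**
 * Check the signature carried in a notary reply.
 *
 * The buffer starts with a notary_header whose sig_len and total_len fields
 * are in network byte order; total_len covers header + data + signature,
 * with the signature placed after the data.
 *
 * @param buf        received message bytes
 * @param msg_len    number of valid bytes in buf
 * @param server_key NUL-terminated base64 public key of the notary
 * @return PR_TRUE only if the message is well formed and the signature
 *         verifies; PR_FALSE otherwise.
 */
PRBool verify_signature(char *buf, int msg_len, char *server_key) {
    if (!buf || !server_key)
        return PR_FALSE;

    // The header fields come from the network: never read them unless the
    // buffer is at least one header long.
    if (msg_len < 0 || (size_t)msg_len < sizeof(notary_header)) {
        DPRINTF(DEBUG_ERROR, "msg verify: message shorter than header \n");
        return PR_FALSE;
    }

    notary_header *hdr = (notary_header*)buf;
    size_t sig_len = ntohs(hdr->sig_len);
    size_t total_len = ntohs(hdr->total_len);

    // The declared total must fit in what was actually received, and the
    // header plus signature must fit in the declared total. Without these
    // checks data_len can go negative and the pointers below run past buf.
    if (total_len > (size_t)msg_len ||
        total_len < sizeof(notary_header) ||
        sig_len > total_len - sizeof(notary_header)) {
        DPRINTF(DEBUG_ERROR, "msg verify: inconsistent length fields \n");
        return PR_FALSE;
    }

    size_t data_len = total_len - sizeof(notary_header) - sig_len;
    unsigned char *data = (unsigned char*)(hdr + 1);
    unsigned char *sig = data + data_len;

    DPRINTF(DEBUG_INFO, "msg verify: data_len = %d sig_len = %d \n",
            (int)data_len, (int)sig_len);

    // Both lengths are bounded by a 16-bit header field, so the narrowing
    // casts cannot truncate.
    return VerifyData(data, (unsigned int)data_len,
                      sig, (unsigned int)sig_len,
                      server_key, strlen(server_key));
}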