Hi everyone,

I'm reimplementing Firefox MAR signature and would like to verify those
signatures with signmar. Signmar uses NSS on Linux, and I'm running into
issues getting it to work. Below are the steps to reproduce:

Take a signed MAR file from https://ulfr.io/f/resigned.mar and a public
RSA key in a self-signed cert from https://ulfr.io/f/resigned_rsa.der.

Import the cert into a fresh NSS DB using:

    $ certutil -d . -A -i resigned_rsa.der -n "testmar" -t ",,u"

This creates pkcs11.txt, key4.db and cert9.db in the current directory.

`certutil -d . -L` shows the cert has been added, but trust attributes
remain empty, and I'm unsure if this is an issue.

At any rate, when I try to verify the signature with signmar, I get:

    $ signmar -d . -n testmar -v /tmp/resigned.mar 
    ERROR: Could not initialize NSS
    ERROR: Could not initialize crypto library.

Looking through the source of libmar, the operation is failing on
NSS_Initialize [1]:

    NSS_Initialize(NSSConfigDir, "", "", SECMOD_DB, NSS_INIT_READONLY);

Given SECMOD_DB, I tried recreating the NSS db with `-d dbm:.` to create
an old-style database instead of the sql one. The result is the same,
but strace shows that signmar accesses secmod.db before failing [2].

At this point, I'm guessing the issue is in the NSS initialization step,
but I'm not familiar enough with it to debug it further. Any help would
be greatly appreciated.

Thanks,
Julien

[1] https://searchfox.org/mozilla-central/source/modules/libmar/sign/mar_sign.c#34-45
[2] https://gist.github.com/jvehent/53c0b43dd6fe2626f7f7d69d1b94d02e#file-signmar-strace-L361
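Added example, not part of the post above: since signmar hands the `-d` argument straight to NSS_Initialize, which accepts an explicit `sql:` or `dbm:` prefix on the config directory, this helper picks the prefix matching the files certutil actually created (cert9.db/key4.db for sql, cert8.db/key3.db/secmod.db for dbm) before calling signmar, so the two database formats cannot be silently mixed up. The function names and the `verify_mar` wrapper are my own.

```shell
#!/bin/sh
# Added example (not from the original post): choose the NSS database prefix
# that matches the files present, then pass it to signmar's -d option.

# Print "sql:" for a cert9/key4 database, "dbm:" for a cert8/key3/secmod one,
# and return 1 (printing nothing) when neither complete set is present.
nss_db_prefix() {
    dir=$1
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        printf 'sql:'
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && [ -f "$dir/secmod.db" ]; then
        printf 'dbm:'
    else
        return 1
    fi
}

# Verify a MAR file with signmar, using the prefixed config dir so that
# NSS_Initialize opens the same database format certutil wrote.
# Usage: verify_mar <nssdir> <cert-nickname> <file.mar>
verify_mar() {
    prefix=$(nss_db_prefix "$1") || { echo "no complete NSS database in $1" >&2; return 2; }
    signmar -d "${prefix}$1" -n "$2" -v "$3"
}
```

Running `NSS_DEFAULT_DB_TYPE=sql certutil ...` (or `dbm`) when creating the database makes the format explicit on the certutil side as well.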

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
