Bill Burns wrote:
I'm trying to do a sample "form signing" and the signature verification
keeps failing. Am I missing something obviously wrong here?
1) I have simple webpage that creates a signed text blob via a form.
2) When I submit the form, the signed text dialog appears.
3) I enter my master password, choose my cert and press "ok".
4) the text is signed.
5) I paste the data and the signed blob into separate files for testing.
6) In a command line, I compare the text to the signed blob using
signver, e.g. "signver -a -d . -s /tmp/data.signed -i /tmp/data -V -v"
7) In every case, I get the same result: "signatureValid=no:Bad PKCS7
signature".
The program is displaying the PKCS7 result, but not the underlying NSS
error code. So, you're not seeing whether it's a cert chain problem,
or ... :-(
I'm using a VeriSign cert that I know is valid..I use it in the same
browser instance to sign data on their websites. I copied the cert7 and
cert7? not cert8? hmmm.
signver shouldn't need any of those from the browser, unless you used
a root CA that's not in the trusted root module.
The program that did the signing should have put the whole cert chain,
(with or without the root CA cert) into the signature. So the only
piece that signver should need is the trusted root CA cert, which
should be in either (a) the trusted roots module, or (b) your cert DB.
If you imported a root CA into your browser and marked it trusted there,
and you used a browser made in the last few years (:-) it would be in
cert8, not cert7.
key3 files from the browser into a directory for the signver tool to
use. I'm using FireFox 1.0 on Mac OS X, and the NSS tools v 3.9.2.
I'm not sure what I'm doing wrong. Any ideas?
Here's a handful of possibilities to investigate:
1. line ending differences. If the data being signed is text,
maybe the signing system thinks lines end with \n and the verifying
system thinks they end with \r\n, or vice versa.
2. missing root cert module. If your signing cert came from a real CA,
then signver needs to know that the root CA is trusted. The shared
library named nssckbi needs to be present in the directory where the
cert and key DBs are.
3. There are PKCS7 signatures that include the signed data in the signature
blob, and there are those that expect the data to be conveyed separately.
Clearly, signver expects to handle the latter kind. I wonder which kind
is being created by your browser.
4. signver's -A -C and -S options may shed more light on this. They tell
you more info about what they found in the PKCS7 signature blob.
/Nelson
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
