[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #13379 [Tor Browser]: Sign our MAR files



#13379: Sign our MAR files
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  mcs
  mikeperry              |     Status:  needs_review
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-security, TorBrowserTeam201411R
  Browser                |  Parent ID:
   Resolution:           |
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mcs):

 Replying to [comment:30 gk]:
 > There are some wrinkles here when generating certificates:
 >
 > 1) We are stuck with SHA1 for the moment which is not optimal to say the
 least. I've opened https://bugzilla.mozilla.org/show_bug.cgi?id=1105689 to
 get that fixed upstream. Not sure how easy it would be to loosen that
 constraint ourselves. Maybe we'd just need to get rid of that check in
 https://mxr.mozilla.org/mozilla-
 central/source/modules/libmar/verify/mar_verify.c#330.

 This seems important to fix before we ship a version of the browser that
 verifies MAR signatures.  I do not fully understand all of the NSS and
 libmar code, but it looks to me like a signature algorithm ID of 1 is
 arbitrarily assigned to the only signature algorithm that is supported by
 the libmar code, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE.  What would be the
 best algorithm to use?  I guess the signature algorithms that NSS supports
 can be seen by reading the sec_DecodeSigAlg() code here:

 http://mxr.mozilla.org/mozilla-
 esr31/source/security/nss/lib/cryptohi/secvfy.c#213

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:31>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs