[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #20205 [Applications/Tor Messenger]: Implement SASL EXTERNAL
#20205: Implement SASL EXTERNAL
----------------------------------------+-------------------------
Reporter: arlolra | Owner: arlolra
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Messenger | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------------------+-------------------------
Comment (by arlolra):
Three reasons why the Webcrypto API was perhaps not the best choice to
quickly push ahead on `ECDSA-NIST256P-CHALLENGE`,
* Raw export of the public key is uncompressed. See "2.2. Subject Public
Key" in https://www.ietf.org/rfc/rfc5480.txt where it says,
> The uncompressed form is indicated by 0x04 ...
which means you need to do something like the following to get the
string to set with nickserv,
{{{
crypto.subtle.exportKey("raw", kp.publicKey).then(function(ab) {
// the first byte of ab indicates the form
let v = new Uint8Array(ab);
let u = v.slice(0, 33); // +1 here for the compressed point
u[0] = 2 + (v[v.length - 1] & 1);
let s = String.fromCharCode.apply(null, u);
console.log(btoa(s));
});
}}}
(note, to retrieve the uncompressed point from a PEM, `openssl ec -noout
-text -conv_form uncompressed -in test.pem`)
* The returned signature from `crypto.subtle.sign` is a byte array of
concatenated `r,s` values, but the protocol wants a base64 encoding of the
DER formatted signature. A library like https://github.com/Brightspace
/node-ecdsa-sig-formatter is useful, once you change the `Buffer` calls to
use `Uint8Array` APIs.
* The biggest issue is the ECDSA algorithm itself. As defined,
https://www.w3.org/TR/WebCryptoAPI/#ecdsa-operations
it necessitates using a hash function before signing, which matches,
https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Signature_generation_algorithm
However, the challenge in the protocol is already the bit length of the
group order (256) and wants that signed w/o hashing.
The tool above just calls `ECDSA_sign` directly,
https://github.com/kaniini/ecdsatool/blob/master/libecdsaauth/op.c#L64
which seems like a showstopper.
Switching to https://github.com/indutny/elliptic, producing a patch that
worked was a lot simpler,
https://github.com/TheTorProject/tor-messenger-
build/commit/5cbff442d43f47672faa23f6c0247ae62f3bfb3c
but adds this ~10k LOC library, which is obviously not ideal.
Here's a build w/ the above patch applied,
https://paganini.erinn.org/~arlolra/tor-messenger/tor-messenger-0.2.0b2
-osx-x86_64-6f7049.dmg
To use it, take the tool linked to above and follow its readme. Then, do
`ecdsatool keyinfo test.pem` and copy the `priv` hex pairs but remove the
newlines and colons. Add the preference `messenger.account.accountN.ecdsa`
in the Tor Messenger config editor, and connect.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20205#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs