gmane.comp.web.salmon

Re: Re: Magic Signatures implementation in Perl

John Panzer — 2013-02-06T17:51:01

Awesome Nils.  Thank you.
On Feb 6, 2013 5:23 AM, "Nils D." <nils.diewald-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org> wrote:

Re: Re: Magic Signatures implementation in Perl

Nils D. — 2013-02-06T13:23:54

I just published my implementation of MagicSignatures to CPAN in two 
separated distributions for MagicKeys and MagicEnvelopes.

You can find it here:
http://search.cpan.org/~akron/Crypt-MagicSignatures-Key/
http://search.cpan.org/~akron/Crypt-MagicSignatures-Envelope/

Regarding the aforementioned problem I implemented compatibility flags for 
signing and verifying the envelopes.
However, I still don't know if I am doing something wrong when signing the 
base string instead of the data ...

Maybe of interest for other implementors is the test suite (in t/), that 
gathers a lot of test data from various other implementations.

With best regards,
Nils

starting on salmon bridges for facebook and twitter

Ryan B — 2012-05-27T20:34:24

hi all! i've been slowly building facebook and twitter bridges for the
ostatus component protocols, and i'm starting on the one for salmon
now. i wanted to give you all a heads up and solicit any thoughts or
feedback you might have.

background:
http://snarfed.org/2012-03-12_activitystreams_for_facebook_and_twitter
http://snarfed.org/2012-02-22_portablecontacts_for_facebook_and_twitter
http://snarfed.org/2012-01-16_webfinger_for_facebook_and_twitter

i also wanted to check on the status of python libraries. i've looked
at the reference code in http://code.google.com/p/salmon-protocol/ and
a django library,
https://github.com/paulosman/django-salmon/tree/master/django_salmon ,
from paul osman, who i've cc'ed and talked with offline . they're both
good starting points, but reference lib is a bit incomplete, the magic
sig part has two branches :/, and paul's lib is tightly integrated
with django.

do i have that all right? any recommendations on specific code to
reuse or avoid?

btw, the code for this project i

Issue 36 in salmon-protocol: PATCH: minor bug fix to magic signatures spec

2012-05-29T03:06:00

Status: New
Owner: johnrobertpanzer

New issue 36 by heaven: PATCH: minor bug fix to magic signatures spec
http://code.google.com/p/salmon-protocol/issues/detail?id=36

...specifically, s/"data" parameter/"value" parameter/.

Attachments:
magicsigs_spec_fix.patch  2.5 KB

Re: Re: Magic Signatures implementation in Perl

Nils D. — 2011-12-08T17:23:59

Hello,
to make my question slightly more concrete:
If I take the example from [1] with the example key

'RSA.mVgY8RN6URBTstndvmUUPb4UZTdwvwmddSKE5z_jvKUEK6yk1
u3rrC9yN8k6FilGj9K0eeUPe2hf4Pj-5CmHww==.AQAB
.Lgy_yL3hsLBngkFdDw1Jy9TmSRMiH6yihYetQ8jy-jZXdsZXd8V5
ub3kuBHHk4M39i3TduIkcrjcsiWQb77D8Q=='

and the example envelope

<?xml version='1.0'encoding='UTF-8'?>
    <me:env xmlns:me='http://salmon-protocol.org/ns/magic-env'>
    <me:encoding>base64url</me:encoding>
    <me:data type='application/atom+xml'>PD94bWwgdmVyc2lvbj0nMS4wJyBlb
    mNvZGluZz0nVVRGLTgnPz4KPGVudHJ5IHhtbG5zPSdodHRwOi8vd3d3LnczLm9yZy
    8yMDA1L0F0b20nPgogIDxpZD50YWc6ZXhhbXBsZS5jb20sMjAwOTpjbXQtMC40NDc
    3NTcxODwvaWQ-CiAgPGF1dGhvcj48bmFtZT50ZXN0QGV4YW1wbGUuY29tPC9uYW1l
    Pjx1cmk-YWNjdDp0ZXN0QGV4YW1wbGUuY29tPC91cmk-CiAgPC9hdXRob3I-CiAgP
    GNvbnRlbnQ-U2FsbW9uIHN3aW0gdXBzdHJlYW0hPC9jb250ZW50PgogIDx0aXRsZT
    5TYWxtb24gc3dpbSB1cHN0cmVhbSE8L3RpdGxlPgogIDx1cGRhdGVkPjIwMDktMTI
    tMThUMjA6MDQ6MDNaPC91cGRhdGVkPgo8L2VudHJ5Pgo=</me:data>
    <m

Re: Magic Signatures implementation in Perl

Nils D. — 2011-11-26T17:46:51

Thank you for your answers!

Yes, there is an OpenSSL wrapper on CPAN as well as Crypt::RSA, which
is based on PARI.
I tried these as well (although I always wanted as few dependencies as
possible),
but I didn't get it to work with some of the examples I found on the
web.

Today I tried to follow all steps using the implementation of the
MiniMe Microblogging tool [1] and most of all examples now work in my
implementation - in case I sign and verify against the magic envelope
data section instead of the signature base string.
The same seems to be true for one example from the salmon magicsig
reference implementation [2].
So, when I am using the payload instead of the signature base string
for M in [3] and [4] I can verify most of the examples I found.

Any idea what I am doing wrong or am I just misunderstanding the spec?

Thank you very much,
Nils

P.S. The github repository is not up to date regarding the signature -
as I think my implementation is still wrong.

[1] https://code.google.com/p/minime-microblo

Re: Magic Signatures implementation in Perl

Ben Laurie — 2011-11-10T15:49:27

There;s a wrapper for OpenSSL on CPAN.

Re: Magic Signatures implementation in Perl

John Panzer — 2011-11-07T20:18:13

Sorry to take so long to respond.  Yes, we definitely need correct examples
and also canonical data ... and a validator ... there has been some
interest in getting this set up (and there was a Java app running on
AppEngine at one point that did some of this) but I think other things have
intervened.

I haven't done Perl in years.  Anyone?

I note that you're rolling your own RSA crypto code from BigInts; there's
no existing substrate library you can build on or check against?  I'd think
there'd be SOMETHING on CPAN...

--
John Panzer / Google
jpanzer-hpIqsD4AKlfQT0dZR+AlfA< at >public.gmane.org / abstractioneer.org <http://www.abstractioneer.org/> /
< at >jpanzer



On Tue, Oct 25, 2011 at 7:05 AM, Nils D. <nils.diewald-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org> wrote:

Magic Signatures implementation in Perl

Nils D. — 2011-10-25T14:05:54

Hi everyone,

I am afraid, I need some help with my MagicSignatures implementation
in Perl.
I started following the textbooks pretty straight and then adjusted it
to come closer to real world examples I found in some test suites of
other implementations.

However, verification does not work - either because the final
encoding messages do not match or
the length of the signature is not equivalent to the length of the RSA
modulus.

It would be great to have an example with traces of all function input-
outputs for the signing
and verification flows following https://www.ietf.org/rfc/rfc3447.txt
so an implementor could see
where he or she is wrong (with base64enc for binary data of course)!
Is there something available like that?

Or is there a canonical test suite an implementation has to pass?
I read that there are lots of broken (against the spec)
implementations out there which makes
testing especially hard as you don't know, if the signature should
really be verified.

Oh - and ... well - it would be GREAT

Issue 35 in salmon-protocol: signing unicode fails in Envelope

2011-09-02T00:38:47

Status: New
Owner: johnrobertpanzer

New issue 35 by mimecuv...-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org: signing unicode fails in Envelope
http://code.google.com/p/salmon-protocol/issues/detail?id=35

The problem is in magicsig/__init__.py

It seems that all places where it does et.XML(data) should be  
et.XML(data.encode('utf8'))

Issue 34 in salmon-protocol: test_salmon fails

2011-08-26T20:36:43

Status: New
Owner: johnrobertpanzer

New issue 34 by mimecuv...-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org: test_salmon fails
http://code.google.com/p/salmon-protocol/issues/detail?id=34

Traceback (most recent call last):
   File "test_salmon.py", line 36, in <module>
     class TestSalmonProtocol(unittest.TestCase):
   File "test_salmon.py", line 39, in TestSalmonProtocol
     class MockKeyRetriever(magicsig.PublicKeyRetriever):
AttributeError: 'module' object has no attribute 'PublicKeyRetriever'

Should be changed to KeyRetriever.


Then, this error:
Traceback (most recent call last):
   File "test_salmon.py", line 80, in testSignSalmon
     'acct:test-hcDgGtZH8xNBDgjK7y7TUQ< at >public.gmane.org')
    
File "/Users/mime/Sites/helloworld/packages/salmon/../salmon/__init__.py",  
line 61, in SignSalmon
     if not self.magicenv.CheckAuthorship(text,
AttributeError: 'MagicEnvelopeProtocol' object has no  
attribute 'CheckAuthorship'

Should be changed to IsAllowedSigner

and then some more errors - not sure if the

Re: namespace for key_id

Charlie Cauthen — 2011-08-26T18:52:10

Here is a link to the similar section in a more recent draft.
http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-01.html#anchor16

It specifies "xmlns:mk="http://salmon-protocol.org/ns/magic-key"



On Thu, Aug 25, 2011 at 9:55 PM, Mike Macgirvin <mike-KYD6BOZmASaaMJb+Lgu22Q< at >public.gmane.org> wrote:

namespace for key_id

Mike Macgirvin — 2011-08-26T01:55:48

In the latest experimental draft,

<Property type="ns:magic_key" mpk:key_id="1">
 
RSA.mVgY8RN6URBTstndvmUUPb4UZTdwvwmddSKE5z_jvKUEK6yk1u3rrC9yN8k6FilGj9K0eeUPe2hf4Pj-5CmHww.AQAB
</Property>
<Property type="ns:magic_key" mpk:key_id="2">
 
RSA.wvwmdK0eeUPe2hURBTstndvmUUPb4UZTd6wvwmddSrrC89yN8k6FilGwvwmddSKE5z_jvKUEKj9f4Pj-5CmHww.AQAB
</Property>


So that I may parse this correctly, what is the XML namespace attached
to 'mpk'?

Re: Salmon magic signature implementations broken

Astro — 2011-08-04T16:08:27

But it's not interoperable to the spec.

Normally, I'd say change the spec to match the implementations. The
omitted EMSA padding however has its reason:
http://en.wikipedia.org/wiki/RSA#Attacks_against_plain_RSA

I want you implementers to commit to: let's drop compatibility to those
broken versions and fix the code according to the spec.

If interoperability is really crucial at this point of deployment, an
implementation could try sending Salmons with any possible variation,
falling back to the next upon verification error. The receiving part in
StatusNet already yields an HTTP error in that case.

Mind that such a strategy could expose the keys to chosen plaintext
attacks, just as it is the case for implementations w/o the padding
right now.


Astro

Re: Salmon magic signature implementations broken

npena — 2011-08-04T14:05:55


On Aug 1, 9:18 pm, Mike Macgirvin <m...-KYD6BOZmASaaMJb+Lgu22Q< at >public.gmane.org> wrote:

Yes it does.  They all implement the PKCS#1 standards, which mandate
the use of padding bytes.  See <http://tools.ietf.org/html/
rfc3447#section-9.2>.

From the phpseclib sources:

        $ps = str_repeat(chr(0xFF), $emLen - $tLen - 3);

        $em = "\0\1$ps\0$t";



Personally, I think that's a mistake.  You say "openssl sign/verify
exposed to PHP and Ruby doesn't have the emsa padding bytes" and yet
you're proposing using it?

Anyway, if you think none of the afore mentioned libraries do emsa
padding then might I propose that you're not using the above libraries
correctly?  And switching over to another library isn't going to help
you out in this instance either.  If you're going to learn lessons
from your mistakes, make sure you learn the right ones and not the
wrong ones.

Also, personally, I think phpseclib is better anyway.  openssl limits
how many people can use Friendika.  phpseclib doesn't.  Not all web
se

Re: Salmon magic signature implementations broken

npena — 2011-08-04T19:20:25


On Aug 1, 9:18 pm, Mike Macgirvin <m...-KYD6BOZmASaaMJb+Lgu22Q< at >public.gmane.org> wrote:

Yes they do.  They're designed to do what the PKCS#1 standards do, the
relevant section of whic his as follows:

http://tools.ietf.org/html/rfc3447#section-8.2

From the phpseclib sources:

        $ps = str_repeat(chr(0xFF), $emLen - $tLen - 3);

        $em = "\0\1$ps\0$t";

Looks like it's doing the padding you seem to think it isn't doing.

Might I be so bold to suggest that maybe the problem isn't with the
libraries you're using but rather in how you're using them?

phpseclib does OAEP padding by default.  To do PKCS1 padding you need
to do this:

$rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1);

Re: Re: Salmon magic signature implementations broken

Daniel E. Renfer — 2011-08-04T22:49:22

If it's any help to you, I'm using the java-salmon stack in Clojure for 
my application. I'm just getting started with it, so my use is far from 
optimal, I'm sure.

If it helps you at all, a good place to look is

https://github.com/duck1123/jiksnu/blob/master/src/main/clojure/jiksnu/model/signature.clj

Re: Salmon magic signature implementations broken

npena — 2011-08-06T18:33:28

I can't reply in that thread (I don't know why) so I'm going to post
by starting a new one.


Bzzzt.  Wrong.  If those implementations didn't do the emsa padding
bytes they wouldn't be interoperable with anything.  The PKCS
standards - http://tools.ietf.org/html/rfc3447#section-9.2 - mandate
they be used.  And phpseclib, for example, does use them.  To quote
from the source code:

        $ps = str_repeat(chr(0xFF), $emLen - $tLen - 3);

        $em = "\0\1$ps\0$t";

If you think phpseclib doesn't do emsa padding you're probably using
it incorrectly.  It does PSS signatures by default because they offer
better security.  To do PKCS#1 signatures you'll need to do the
following:

$rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS)

On the subject of phpseclib, I saw http://macgirvin.com/display/mike/23816
.  I think using openssl over phpseclib is a mistake.  A lot of hosts
don't have openssl installed.  phpseclib gives you portability.  It
gives you a product that can be installed on any host under the sun.
And

Re: Salmon magic signature implementations broken

Charlie Cauthen — 2011-08-04T18:17:24

Hunter - the Java lib should be easily appengine-able with some small guice 
changes.  I probably already have it done, I'll check tonight.

There is also http://salmon-net.appspot.com/ that will give you an endpoint 
to send salmons to and then give you pshb-enabled feed of the salmons that 
verify.  I haven't looked at it in a while, but it there is interest I will 
be happy to make sure it is up to the latest spec.  just let me know.

Charlie

Salmon magic signature implementations broken

Astro — 2011-07-25T15:33:05

Hi

(Apologies for cross-posting, but the issue is pertaining to
implementers, which are more likely interested in the full OStatus
suite.)


Today I was pointed to a microblog entry[1] claiming that almost all
implementations of the RSASSA-PKCS1-v1_5 padding are broken. This is a
confirmation of my own experience, having unsuccessfully tried to
implement it both with OpenSSL[2] and manually[3].

I propose a few things we could do about this:

* Decide whether to stick with real PKCS padding, or to keep the
  different but already-implemented padding

* Fix the examples in the Salmon protocol specification (known issue[4]
  if you discover it after wondering why your own tests fail)

* Appoint a reference (or known-to-work) implementation for developers
  to test against. I was happy to have had a VM image w/ StatusNet from
  FSW2011, but the OStatus plugin I tested against came with its own PHP
  RSA implementation that hasn't been reviewed as much as OpenSSL has.
  Hence, the potential location of errors i

Re: Re: Salmon magic signature implementations broken

Hunter Freyer — 2011-08-04T16:49:45


Is the Java library AppEngineable? Would it be a better candidate for
reference implementation?

kthxbai,
Hunter