Sign and verify with signmar

.travis.yml

@@ -3,11 +3,18 @@ language: go
 go: '1.10'
 go_import_path: go.mozilla.org/mar
 before_install:
+- sudo apt-get -y install libnss3-tools
 - go get github.com/golang/lint/golint
 - go get golang.org/x/tools/cmd/cover
 - go get github.com/mattn/goveralls
 script:
 - make getkeys
 - make
-- make getmarcorpus testmarcorpus
 - goveralls -coverprofile=coverage.out -service=travis-ci -repotoken $COVERALLS_TOKEN
+- make getmarcorpus testmarcorpus
+# verify a mar signature with Firefox's signmar
+- |
+    crt="$(go run examples/sign.go /tmp/marworkdir/firefox-60.0esr-60.0.1esr.partial.mar /tmp/resigned.mar | grep 'rsa cert'|awk '{print $5}')"
+    mkdir /tmp/nssdb
+    certutil -d /tmp/nssdb -A -i "$crt" -n "testmar" -t ",,u"
+    LD_LIBRARY_PATH=tools/signmar/lib ./tools/signmar/signmar -d /tmp/nssdb -n testmar -v /tmp/resigned.mar

examples/parse.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"log"
@@ -20,10 +21,18 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
-	fmt.Printf("%s\tsize=%d bytes\tsignatures=%d\tcontent=%d entries\tproduct=%q\trevision=%d\n",
-		file.MarID, file.Size,
-		file.SignaturesHeader.NumSignatures, len(file.Index),
-		file.ProductInformation, file.Revision)
+	if len(os.Args) > 2 && os.Args[2] == "json" {
+		o, err := json.MarshalIndent(file, "", "    ")
+		if err != nil {
+			log.Fatal(err)
+		}
+		fmt.Printf("%s\n", o)
+	} else {
+		fmt.Printf("%s\tsize=%d bytes\tsignatures=%d\tcontent=%d entries\tproduct=%q\trevision=%d\n",
+			file.MarID, file.Size,
+			file.SignaturesHeader.NumSignatures, len(file.Index),
+			file.ProductInformation, file.Revision)
+	}
 	if file.Revision < 2012 {
 		os.Exit(0)
 	}

examples/sign.go

@@ -1,14 +1,17 @@
 package main
 
 import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"fmt"
 	"io/ioutil"
 	"log"
+	"math/big"
 	"os"
+	"time"
 
 	"go.mozilla.org/mar"
 )
@@ -31,17 +34,11 @@ func main() {
 	file.SignaturesHeader.NumSignatures = uint32(0)
 	file.Signatures = nil
 
-	// Add both keys for signature, then finalize
 	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		log.Fatal(err)
 	}
-	ecdsaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		log.Fatal(err)
-	}
 	file.PrepareSignature(rsaKey, rsaKey.Public())
-	file.PrepareSignature(ecdsaKey, ecdsaKey.Public())
 
 	// once both keys are added to the file, finalize the signature
 	err = file.FinalizeSignatures()
@@ -67,8 +64,26 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
-	err = refile.VerifySignature(ecdsaKey.Public())
+
+	// make a certificate from the keys to verify signatures with signmar
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(time.Now().UnixNano()),
+		Subject: pkix.Name{
+			CommonName:         "testmarsig",
+			Organization:       []string{"Mozilla"},
+			OrganizationalUnit: []string{"Firefox"},
+		},
+		NotBefore:             time.Now().Add(-10 * time.Minute),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+	rsaDerBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, rsaKey.Public(), rsaKey)
 	if err != nil {
 		log.Fatal(err)
 	}
+	fname := fmt.Sprintf("/tmp/%x.der", sha256.Sum256(rsaDerBytes))
+	ioutil.WriteFile(fname, rsaDerBytes, 0640)
+	fmt.Printf("rsa cert written to %s\n", fname)
 }