Issue 899364

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 30
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Signed Exchange: devtools should differentiate signature DER parse failure from wrong signature

Project Member Reported by twif...@google.com, Oct 26

Issue description

To aid implementors of signed exchange generators, devtools could help clarify the "VerifyFinal failed" message.

ECDSA requires the signature be a DER-encoded object per https://tools.ietf.org/html/rfc3279#section-2.2.3.

WebCrypto's ECDSA sign method returns an ArrayBuffer (https://www.w3.org/TR/WebCryptoAPI/#ecdsa-operations) that seems at first glance like it should be pasted into `sig` directly, but it's not in the right encoding. A more specific error message for when the signature fails to parse as a DER-encoded Ecdsa-Sig-Value would help the developer diagnose this issue more quickly.
 
The signature is parsed deep inside BoringSSL, and the signed-exchange layer doesn't get an error code that indicates why the verification failed.

I'm reluctant to add DER parsing in the signed-exchange layer just for showing a detailed message (that would be useful only for generator implementors, not for web developers).

Would it be okay if the dump-signedexchange tool in github.com/WICG/webpackage showed that diagnostic message?

I think showing that diagnosis in dump-signedexchange would be enough for this.
(Whatever Avery says; I filed this on his behalf.)
Status: WontFix (was: Untriaged)
OK, filed https://github.com/WICG/webpackage/issues/319. Let me close this Chromium issue.
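
Added example, not part of the issue thread and not Chromium or webpackage code: WebCrypto's ECDSA `sign` returns the fixed-width concatenation r || s, while `sig` must be a DER-encoded Ecdsa-Sig-Value. The JavaScript below classifies a signature by its encoding, so a parse problem can be reported separately from a wrong signature, and converts the raw form to DER. Function names are hypothetical, the sample bytes are constructed, and DER lengths are assumed to be short-form (enough for P-256 and P-384).

```javascript
// Added example; function names are hypothetical, not Chromium or webpackage APIs.
// Inputs are Uint8Array; wrap a WebCrypto ArrayBuffer with new Uint8Array(buf).

// Check one DER INTEGER at `off`; return the offset just past it, or -1.
function readDerInteger(buf, off) {
  const len = buf[off + 1];
  if (buf[off] !== 0x02 || len === undefined || len === 0 || len > 0x7f) return -1;
  const end = off + 2 + len;
  if (end > buf.length) return -1;
  if (buf[off + 2] & 0x80) return -1; // would be negative; r and s are positive
  if (len > 1 && buf[off + 2] === 0 && !(buf[off + 3] & 0x80)) return -1; // padded
  return end;
}

// True if `sig` is exactly SEQUENCE { INTEGER r, INTEGER s } (Ecdsa-Sig-Value).
function isDerEcdsaSig(sig) {
  if (sig.length < 8 || sig[0] !== 0x30) return false;
  if (sig[1] > 0x7f || sig[1] !== sig.length - 2) return false; // short form only
  const afterR = readDerInteger(sig, 2);
  return afterR > 0 && readDerInteger(sig, afterR) === sig.length;
}

// Encode a fixed-width big-endian unsigned integer as a minimal DER INTEGER.
function derInteger(bytes) {
  let i = 0;
  while (i < bytes.length - 1 && bytes[i] === 0) i++; // strip leading zeros
  const body = Array.from(bytes.subarray(i));
  if (body[0] & 0x80) body.unshift(0); // pad so the value stays positive
  return [0x02, body.length, ...body];
}

// Convert the raw r || s signature that WebCrypto returns into DER.
function rawToDer(raw) {
  const half = raw.length / 2;
  const r = derInteger(raw.subarray(0, half));
  const s = derInteger(raw.subarray(half));
  return Uint8Array.from([0x30, r.length + s.length, ...r, ...s]);
}

// Tell an encoding problem apart from a signature that is simply wrong.
function diagnoseSig(sig) {
  if (isDerEcdsaSig(sig)) return "der"; // parse OK: a failure now means bad signature
  if (sig.length === 64 || sig.length === 96) return "raw-r-s"; // P-256 / P-384 width
  return "malformed";
}

// Constructed sample: r has its high bit set, s has a leading zero byte.
const sampleRaw = new Uint8Array(64);
sampleRaw.set([0x80], 0); sampleRaw.set([0x01], 31);
sampleRaw.set([0x00, 0x7f], 32); sampleRaw.set([0x02], 63);
console.log(diagnoseSig(sampleRaw), "->", diagnoseSig(rawToDer(sampleRaw)));
```
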
