Topic: signature inside a signature issue

I took out my script to test this and then put it back in place to try and troubleshoot
Ok here is my message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

test
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGetyjjQunEb2baXIRAgBhAKCXi99F8V2/SbXQMp6Pyo11knKlCgCghA2P
p8NJaChS363cSozKbvzaOcs=
=lod8
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGetyujQunEb2baXIRAqf4AJ9XnHN8/k1zhcl5hjeIAS8UlSYA9gCgwGvE
hAVXz4H+aIoBUF40f3sRn6A=
=LQMx
-----END PGP SIGNATURE-----


here is the private key I used for this



it is a test one with password "testing"

here is its public key


using my script to intercept it looks as if the temporary file it is sending contains the following

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

test
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGetmi+VN5CeSqsGYRAgHOAJoCelH/QuvQYffi9r9PXgKaanlQJQCggN6F
8EdDUK002pZ2eTXOqTd9gfY=
=EENy
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGetnD+VN5CeSqsGYRAsu1AJ9WKhb9oywanoCnr6tqwsEPeggprACeMHoS
TErh0ohxVNn1nHIrJXR/h1o=
=ajFO
-----END PGP

So it looks like it got scrambled. Could you please verify or deny what I did? Thanks.

Re: signature inside a signature issue

Already reported.

Re: signature inside a signature issue

Did you know that the file being sent to be verified was corrupted?

Re: signature inside a signature issue

Which file? The inside sign? Yes.

Re: signature inside a signature issue

we may be talking about the same file
the files following the --verify <this file>

Re: signature inside a signature issue

Stop making strange files ^^

Re: signature inside a signature issue

ooh I actually see where the problem lies :-)

in cgpg.js verify
replacing text

Re: signature inside a signature issue

the_glu wrote:

Stop making strange files ^^

what?

I'm talking about the file firegpg is creating from the selected text.
firegpg is replacing text in it.

it looks like you are doing a lot of extra work

gpg will ignore text outside of a signature
you should just be able to send the entire content of what is selected

Re: signature inside a signature issue

an idea about what is going wrong. After removing all the text replacement and sending the full content of the selected text it was able to verify my example
I see what you are trying to do and I think I understand the issue. I'd like to introduce an idea of layer searching
as you know a signature inside a signature appends "- " in front so when you search for a close to this you should look for an equal amount of "- "'s at the beginning
we can step through text a little at a time.

I'll try and write something up to demonstrate my idea.

also to append my idea I know there is a limit to how much can go in a text input box before it wraps and maybe introduce a wrapping before sending it to gpg.
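
The layer search proposed above, as an added example that is not part of the original post or of FireGPG: it pairs each BEGIN line with the END line carrying the same number of "- " prefixes, and flags a BEGIN line whose depth does not fit its nesting, which is the shape of the intercepted temporary file. The names `dashDepth` and `findLayers` are hypothetical, and the sample signature bodies are constructed placeholders.

```javascript
const BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----";
const END = "-----END PGP SIGNATURE-----";

// Count the leading "- " escapes on a line and return the remainder.
function dashDepth(line) {
  let depth = 0;
  while (line.startsWith("- ", depth * 2)) depth++;
  return { depth, rest: line.slice(depth * 2) };
}

// Returns { layers: [{depth, start, end}], malformed: [lineIndex] }.
// start/end are inclusive line indexes of one signed block.
function findLayers(text) {
  const lines = text.replace(/\r\n?/g, "\n").split("\n");
  const open = [];      // stack of blocks still waiting for their END line
  const layers = [];
  const malformed = [];
  lines.forEach((line, i) => {
    const { depth, rest } = dashDepth(line.trimEnd());
    if (rest === BEGIN) {
      // A block nested in another must be escaped exactly one level deeper.
      const expected = open.length ? open[open.length - 1].depth + 1 : 0;
      if (depth !== expected) malformed.push(i);
      open.push({ depth, start: i });
    } else if (rest === END) {
      const top = open[open.length - 1];
      if (top && top.depth === depth) {
        open.pop();
        layers.push({ depth, start: top.start, end: i });
      } else {
        malformed.push(i); // END with no BEGIN at the same depth
      }
    }
  });
  open.forEach((o) => malformed.push(o.start)); // BEGIN that was never closed
  return { layers, malformed };
}

// Constructed samples; "(constructed)" stands in for the signature data.
const nested = [
  BEGIN, "Hash: SHA1", "",
  "- " + BEGIN, "Hash: SHA1", "", "test",
  "- -----BEGIN PGP SIGNATURE-----", "", "(constructed)", "- " + END,
  "-----BEGIN PGP SIGNATURE-----", "", "(constructed)", END,
].join("\n");
// Same message with the "- " stripped from the inner BEGIN and END lines.
const mangled = nested.replace("- " + BEGIN, BEGIN).replace("- " + END, END);
```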

Re: signature inside a signature issue

I found the cause of your bugs and fixed it using your programming logic.
I'd still like to get away from this and I'll see what I can do but here are two problems I found

to get the lastPosition the calculations are coming out wrong because the distance of -----BEGIN PGP SIGNED MESSAGE----- and FIREGPGTRALALABEGINHIHAN are not the same for now I just padded FIREGPGTRALALABEGINHIHAN with extra spaces to make it the same length.

the second mistake is when replacing it back you forgot the extra "- " in front

Re: signature inside a signature issue

The two things I don't like about this method are as follows
1. This is inband tokening meaning someone can mess up this algorithm using keywords like if FIREGPGTRALALABEGINHIHAN
2. to do verifying on inner messages would get difficult if we wish to do this later. I have ideas about doing that with my layered idea
if you want unbreakable inband we could do that too we could have counted how many instances we replaced and made up the space
difference with calculations instead of padding and then use an inband message replacement method like html does or shell escaping method
first replacing key tags with a key tag chain then replace the thing you're going after then reverse that on the way back
example

let's say we want to replace "test" with &ourkeyphrase; let's first replace all & with &amp; like html
example test phrase
"a tricky test phrase &"
we would first make our & substitution
"a tricky test phrase &amp;"
then we  do our substitutions
"a tricky &ourkeyphrase; &amp;"
now we have our working string after we are done we make the substitutions back
I'm using an html type method in this example.

now lets combine this with counting displacement characters
first we would count how many "&" 's we have and multiply that by 4 because we have 4 extra characters
then we would count how many "test" 's we have and multiply that by 10 because we have 10 extra characters.
add those numbers together and subtract them from our count total on our working phrase.
if we had less we would subtract

Last edited by jeff.sadowski (2007-06-22 02:33:26)

Re: signature inside a signature issue

how to send a patch? or did I describe what I did well enough?

Re: signature inside a signature issue

Counting mistake I made. I said count all "&" 's and "test" 's this is untrue we should only count the ones before the key word, and we should count our replaced items
"&" 's and "&ourphrase;" 's since the calculations are being done after the replacement.

Last edited by jeff.sadowski (2007-06-22 16:20:15)
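
The escaping scheme from the two posts above, as an added example that is not part of the original posts or of FireGPG: it contrasts the plain placeholder with the escape-then-substitute approach and maps an offset in the working string back to the original by counting only the replaced items before it. `TOKEN`, the function names and the sample strings are assumptions made for the example; `FIREGPGTRALALABEGINHIHAN` is the placeholder named in the thread.

```javascript
const MARK = "-----BEGIN PGP SIGNED MESSAGE-----";
const NAIVE = "FIREGPGTRALALABEGINHIHAN"; // placeholder named in the thread
const TOKEN = "&begin;";                  // hypothetical escaped placeholder
const AMP = "&amp;";

// Replace every literal occurrence (no regex, so no metacharacter surprises).
function swap(s, from, to) {
  return s.split(from).join(to);
}

// Plain placeholder: text that already contains NAIVE comes back changed.
function naiveRoundTrip(text) {
  return swap(swap(text, MARK, NAIVE), NAIVE, MARK);
}

// Escaped scheme: after "&" -> "&amp;" no bare "&" is left, so TOKEN can only
// appear where encode() put it.
function encode(text) {
  return swap(swap(text, "&", AMP), MARK, TOKEN);
}

// Reverse the two substitutions in the opposite order.
function decode(work) {
  return swap(swap(work, TOKEN, MARK), AMP, "&");
}

// Map an offset in the working string back to the original text by counting
// only the replaced items that lie before it.
function originalOffset(work, pos) {
  const before = work.slice(0, pos);
  const amps = before.split(AMP).length - 1;
  const toks = before.split(TOKEN).length - 1;
  return pos - amps * (AMP.length - 1) - toks * (TOKEN.length - MARK.length);
}

// Constructed inputs.
const tricky = "note: " + NAIVE + " is just text & more";
const signed = "R&D\n" + MARK + "\nbody";
```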

Re: signature inside a signature issue

1) Can you be more clear?
2) Can you stop doing a lot of double-posts? You can edit your messages.

Re: signature inside a signature issue

the_glu wrote:

1) Can you be more clear?
2) Can you stop doing a lot of double-posts? You can edit your messages.

ok sorry I'll try and edit more ;-)

oops I messed up the first time I did this I made some changes FIREGPGTRALALAENDHIHAN was too long

in file firegpg/content/cgpg.js
In the baseVerify function
I changed

from
text = text.replace(reg, "FIREGPGTRALALABEGINHIHAN");
to
text = text.replace(reg, "FIREGPGTRALALABEGINHIHAN123456789012");

and

from
text = text.replace(reg, "FIREGPGTRALALAENDHIHAN");
to
text = text.replace(reg, "FIREGPGTRALALAENDHIHAN1234567");

and

from
reg = new RegExp("FIREGPGTRALALABEGINHIHAN", "gi");
to
reg = new RegExp("FIREGPGTRALALABEGINHIHAN123456789012", "gi");

and

from
text = text.replace(reg, "-----BEGIN PGP SIGNED MESSAGE-----");
to
text = text.replace(reg, "- -----BEGIN PGP SIGNED MESSAGE-----");

and

from
reg = new RegExp("FIREGPGTRALALAENDHIHAN", "gi");
to
reg = new RegExp("FIREGPGTRALALAENDHIHAN1234567", "gi");

and

from
text = text.replace(reg, "-----END PGP SIGNATURE-----");
to
text = text.replace(reg, "- -----END PGP SIGNATURE-----");

Last edited by jeff.sadowski (2007-06-22 20:05:54)

Re: signature inside a signature issue

And does it remove the problem of sign inside signs?

Re: signature inside a signature issue

the_glu wrote:

And does it remove the problem of sign inside signs?

yes it fixes this problem

Notes: as originally intended it just validates the outside signature and the first one

example 1:

--begin sig 1--
- --begin sig 2--
- --end sig 2--
--end sig 1--
--begin sig 3--
--end sig 3--

only sig 1 is validated sig 3 is ignored this looked to me like the original intention

example 2:

--begin sig 1--
--end sig1--
--begin sig2--
- --begin sig3--
- --end sig3--
--end sig2--

again only sig 1 is validated everything after --end sig1-- is ignored.

later I will demonstrate my nested validating :-)

Last edited by jeff.sadowski (2007-06-22 21:33:35)

Re: signature inside a signature issue

That's good! I add a bug report for the edit on our side!

Re: signature inside a signature issue

better fix :-)

baseVerify: function(text) {
        this.initGPGACCESS();

        // Add newline chars so the markers below only match at the start of a line
        text = "\n" + text + "\n";
        var begin = new RegExp("\n-----BEGIN PGP SIGNED MESSAGE-----\n");
        var end   = new RegExp("\n-----END PGP SIGNATURE-----\n");
        var firstPosition = text.search(begin);
        var lastPosition = text.search(end);

        // Verify the presence of GPG data
        if (firstPosition == -1 || lastPosition == -1)
            return "noGpg";

        // lastPosition points at the "\n" before the end marker, hence the + 1
        text = text.substring(firstPosition, lastPosition + ("-----END PGP SIGNATURE-----").length + 1);

        // We get the result
        var result = this.GPGAccess.verify(text);

        // If the check failed
        if (result.indexOf("GOODSIG") == -1) {
            return "erreur";
        }
        else {
            // If it worked, we get the information about the key
            var infos = result;

            infos = infos.substring(0, infos.indexOf("GOODSIG") + 8);
            infos = result.replace(infos, "");
            infos = infos.substring(0, infos.indexOf("GNUPG") - 2);

            return infos;
        }
},

Re: signature inside a signature issue

ok i perfected my signature inside signature checking :-)

baseVerify: function(text) {
        this.initGPGACCESS();

        return " \n" + this.layers(text,0);

    },

    // Verify every signed block found at this nesting level, then strip one
    // level of "- " escaping from its content and recurse into it.
    layers: function(text,layer) {
        // Normalise line endings (CRLF or a lone CR) to "\n"
        var newline = new RegExp("\r\n?","g");
        text = text.replace(newline,"\n");
        text="\n" + text;

        var begintxt = "-----BEGIN PGP SIGNED MESSAGE-----";
        var midtxt = "-----BEGIN PGP SIGNATURE-----";
        var endtxt = "-----END PGP SIGNATURE-----";

        var division=0;
        var verifytxt="<br>\n";

        // Markers escaped one level deep, and unescaped markers at the start of a line
        var layerbegin = new RegExp("- " + begintxt,"gi");
        var layermid = new RegExp("- " + midtxt,"gi");
        var layerend = new RegExp("- " + endtxt,"gi");
        var begin = new RegExp("\n" + begintxt,"gi");
        var end = new RegExp("\n" + endtxt,"gi");

        var firstPosition = 0;
        var lastPosition = 0;
        var divisiontxt = "";

        while(firstPosition!=-1 && lastPosition!=-1)
        {
                firstPosition = text.search(begin);
                lastPosition = text.search(end);
                if( firstPosition!=-1 && lastPosition!=-1)
                {
                        division++;
                        // The + 1 covers the "\n" that precedes the end marker
                        divisiontxt=text.substring(firstPosition,lastPosition+endtxt.length+1);
                        var tmpverifytxt = this.layerverify(divisiontxt,layer,division);
                        // Drop this layer's own markers, then unescape the next layer's markers
                        divisiontxt = divisiontxt.replace(begin,"");
                        divisiontxt = divisiontxt.replace(end,"");
                        divisiontxt = divisiontxt.replace(layerbegin,begintxt);
                        divisiontxt = divisiontxt.replace(layermid,midtxt);
                        divisiontxt = divisiontxt.replace(layerend,endtxt);
                        verifytxt = verifytxt + tmpverifytxt + this.layers(divisiontxt,layer+1);
                        // Continue with the text that follows this block
                        text=text.substring(lastPosition+endtxt.length);
                }
        }
        return verifytxt;
    },

    // Verify one block and return a result line indented by its nesting depth
    layerverify: function(text,layer,division)
    {
        var spaces="";
        var tmpverifytxt=this.GPGAccess.verify(text);
        for(var x=0;x<layer;x++)
        {
            spaces=spaces+"_";
        }
        var goodsig=tmpverifytxt.indexOf("GOODSIG");
        if(goodsig!=-1)
        {
            tmpverifytxt = "Good Signature from " + tmpverifytxt.substring(goodsig+8,tmpverifytxt.indexOf("\n",goodsig));
        }
        else
        {
            var badsig = tmpverifytxt.indexOf("BADSIG");
            if(badsig!=-1)
            {
                tmpverifytxt = "Bad Signature from " + tmpverifytxt.substring(badsig+7,tmpverifytxt.indexOf("\n",badsig));
            }
            else
            {
                // Neither GOODSIG nor BADSIG in the output (for example, the key is missing)
                tmpverifytxt = "Signature could not be verified";
            }
        }
        return spaces+tmpverifytxt;
    },

Re: signature inside a signature issue

I have just added your code (a little bit edited), thanks :)