Paying to get RSA signing working in Javascript

[Nefario]

... and here I kinda liked the "shitassfuck" API

That was to solve the problem of why was my script not posting to the server, turned out to be the no-cross domain posting in javascript for ajax.

Jere.Jones, manual check confirms the output isn't correct.

graingert, yeah that will happen but how long's that going to take, I need this fixed now, and am willing to pay. The fixer can then contact the stanford boys, and get their fix in (and get the credit for doing so).

[1714778147]

1714778147

[1714778147]

1714778147

[1714778147]

1714778147

[1714778147]

1714778147

[1714778147]

1714778147

[Jere.Jones]

Actually the update(above) can be seen in http://dev.glbse.com:4567/rsa.html

Jere.Jones, problem seems to persist. Am going to manually check now.

The suspect that the problem on your page is the way <div id="pub_id"> is laid out.  The '\n's are included in the public_id.  Try removing the line feeds.

Jere

[Jere.Jones]

Jere.Jones, manual check confirms the output isn't correct.

Can you be more specific?  The output of what wasn't correct?

Also, I sent you a PM.

Jere

[Nefario]

problem probably isnt the userid(will check later, busy for the next couple of hours), as it would throw up a wrong userid error(normally it would).

So I checked the data and signature that was sent to the server (using the updated lib), and then manually (using irb)checked what the signature would should have been for that private key signing the same data, and compared the results, and indeed the signatures are not the same. This is the result when we run the sendData function to account/balance on the server(that is the signature fails the verification because its not what it should be).

Unless someone else has some other ideas?

The best example to see how this should work is to have a look at te source of the glbse client bmc.py

[Jere.Jones]

Then I would need more data to continue troubleshooting.  The updated jsbn.js fixes sign_and_encode so that given the input you provided, it returns the output you expect.

Jere

[Jere.Jones]

Just for giggles, I put up this page: http://jere.us/rsa_test.html

It has two forms on it that both submit to dev glbse account balance.  The first one submits the data you provided in your first post.  The second one calculates the form data. 

To use the top form:
1. Click the top "Submit" button
2. Notice error page

To use the bottom form:
1. Enter a nonce or click the "Create Nonce" button
2. Click the "Calculate Data and Sig" button
3. Notice that the data and sig are available for inspection
4. Click the bottom "Submit"
5. Notice error page

For my tests the error pages are the same.  Line 58 of base64.rb calls an unknown method.  You have to fix that before I can continue.

Is my page doing anything it should not?  I know the second form submits some stuff it doesn't have to, but that should be ignored anyway so it shouldn't cause a problem.  Or at least, not the problem I'm seeing.

Jere

[Nefario]

Ill have to wait until tomorrow.

[unfinishe]

I confused myself pretty quickly trying to figure out what's going on, so I don't know whether this has anything to do with the problem. Earlier I was trying to replicate the original hash by using openssl on the command line. I first digested the data using sha512, then signed with the private key, and then encoded into base64, but the signature didn't match.

So I looked around and found this thread: http://www.ruby-forum.com/topic/77070
It seems that the sign function in ruby does something different than doing it step by step with openssl like I was trying to. Instead, the private_encrypt function seems to do the trick. Perhaps something like this would work better

Code:

private_key = OpenSSL::PKey::RSA.new(privkey)
data_digest = OpenSSL::Digest::SHA512.hexdigest(data)
b64sig=Base64.encode64(private_key.private_encrypt(data_digest))

[Nefario]

Just for giggles, I put up this page: http://jere.us/rsa_test.html

It has two forms on it that both submit to dev glbse account balance.  The first one submits the data you provided in your first post.  The second one calculates the form data. 

To use the top form:
1. Click the top "Submit" button
2. Notice error page

To use the bottom form:
1. Enter a nonce or click the "Create Nonce" button
2. Click the "Calculate Data and Sig" button
3. Notice that the data and sig are available for inspection
4. Click the bottom "Submit"
5. Notice error page

For my tests the error pages are the same.  Line 58 of base64.rb calls an unknown method.  You have to fix that before I can continue.

Is my page doing anything it should not?  I know the second form submits some stuff it doesn't have to, but that should be ignored anyway so it shouldn't cause a problem.  Or at least, not the problem I'm seeing.

Jere

Hey Jere, the error you were getting is because you were submitting the data wrong.

There are only 2 post fields data, signature
data is the base encoded json string containing all the data elements (nonce, use_id etc.) while signature is the base64 encoded signature.

The reason you were getting that error was because the app was looking for the post field "signature" and that was nil, so of course you can't base64 decode nil can you. Ah, these errors are much nicer in a browser than on the command line.

[Jere.Jones]

Well that makes a difference.

Changing the field name from "sig" to "signature" does make a difference and allows the first form to succeed.

A little bit of testing showed that I needed to strip the line feeds and carriage returns from data before signing and encoding it.  Once I did that, it seems to be working beautifully.  Updated code is at http://jere.us/rsa_test.html

Thanks!
Jere

EDIT:
A balance of 1900000009.  Is that in bitcoins or satoshis?  If it's in bitcoins, can I have that account?

[Jere.Jones]

perhaps you should tell stanford to fix their library?

http://www-cs-students.stanford.edu/~tjw/jsbn/

Done.  I even included the reasoning and the fix. :-)

Jere