checking gpg-signatures in JavaScript

Mon Jan 24 14:05:10 CET 2011

Hi List,
i wrote already 2 Mails and got some help but i don't get any further by
myself...

I want to check gpg-clearsigned-signatures in JS,  and with the rfc
https://tools.ietf.org/html/rfc4880 i had some success.

The problem that i have right now is to produce the Hash-value which is
to be signed (to be checked).

I have an example to state my problem:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

{"2011-01-13 13:00":"cno","2011-01-13
14:00":"cno","2011-01-14":"cno","2011-01-15 13:00":"cno"}
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iQIcBAEBAgAGBQJNPLs/AAoJEEH+GXMF1XjpY5MQAMSG7NcEJBEV7/mkeEtac1q7
cCYGzPBMnYlu3wY1/Jre6HPzfvY+x8kSsPMHIefndKDCcDFOqyEKpUe3rLZC9kBS
0yJ1Dewcz7/2tTrc6Yq6QfHXyalwpWk+I99bZpALQW5W3xh+hKtlxsZlLVn0MUnZ
r5ZReRhpxefyOhRfJRzVVImvDwUpBn6GrBjmAElQd/Z27ecNtprgUZ46HfA7wHKu
PjGmOHJzrbj34XPl7oqYS/tmE5AGIkyDYa7o81/8SODZxtBdztpZ48NBH9zgNcoV
32cdiGQ62S5DXUQeur+sL5z/vFMbcydtPeT2RW8gQ0Sgy6ogCwYt/QmtVFKNqJta
CNh6onchhkCywjBVpxlqRQBsWvionnIY3EMF7AnQ6DhiRvF6WzVB0n9GBZwX9rvf
0A8k7AnFbGA+hAK1Oq6takm0dP2zBrq1irNe2osJfYnVp5/2m4ok+dVECp5XVG/f
NgIQn1gOjflVzBotSG40VDbBKMNSjItU/xyWvR5h9Xd3p0W1940odUr1/wAwAZcM
ziWa5f2G0CdeTQUQ3dzP7ZvDZZepGP+uLYPEZCDvlI4ARWqC4IdlwVPDsYQbTm9a
BRzII51aiCHLuzQMNFy+Y91T655lhrsqQ6JMuURdhSGdcLvtJqZDWcyPaWflLaz/
nJlucBr0OdSQ04WkAlcA
=McmZ
-----END PGP SIGNATURE-----

The content-part is this (as i understand the rfc):

{"2011-01-13 13:00":"cno","2011-01-13
14:00":"cno","2011-01-14":"cno","2011-01-15 13:00":"cno"}

This has to be concatenated with some data from the header of the
clearsigned Packet, i have:

4,1,1,2,0,6,5,2,77,60,187,63 (as byte-array) which looks sound

The Hash (SHA1) i get for the concatenation is:

ebfc31ab409ac2c4d43ac99421992fb41c7590c8

but the first 16 bits from the hash (included in the header) are:

0x6393

The whole value from which the hash is calculated (as byte-array because
some chars may change due to encoding):

123,34,50,48,49,49,45,48,49,45,49,51,32,49,51,58,48,48,34,58,34,99,110,111,34,44,34,50,48,49,49,45,48,49,45,49,51,32,49,52,58,48,48,34,58,34,99,110,111,34,44,34,50,48,49,49,45,48,49,45,49,52,34,58,34,99,110,111,34,44,34,50,48,49,49,45,48,49,45,49,53,32,49,51,58,48,48,34,58,34,99,110,111,34,125,4,1,1,2,0,6,5,2,77,60,187,63

This can be inserted on a site like
http://home1.paulschou.net/tools/xlate/ to check the SHA1 value and from
what i see my SHA1 is correct.

I would be really happy if someone with knowledge of the implementation
could reproduce my values and tell me where i went wrong :)

I could give anyone with interest in it the code and would be willing to
opensource it when i have my work finished...

The system i'm working on is like www.doodle.com except that userdata is
encrypted and signed in the browser, i'm a student of computer science
so its more a proof of concept.

Thanks in advance,
Ole Rixmann

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20110124/46388989/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110124/46388989/attachment.pgp>