So I've been searching for a way to create a file, sign it, and then 
distribute it to my Firefox extension.  Then, verify the integrity of 
that file before the extension acts on its contents.

I found nsICMSSecureMessage which appeared to be the only scriptable 
component that I could make use of that was in any way related to 
digital signatures and the like.  So I came up with this:

$ cat doc
This is a test document.  I will sign it.  It is safe.
$ cmsutil -S -N signtest < doc > doc.signed
$ cmsutil -D -n -i doc.signed
$ # copy doc.signed to doc.signed2, tamper with doc.signed2 here
$ cmsutil -D -n -i doc.signed2
signer 0 status = DigestMismatch
cmsutil: problem decoding: Signature verification failed: no signer 
found, too many signers found, or improper or corrupted data.

I believe I now have a valid signed CMS document.  I screwed with 
"signed2", editing the plaintext in the middle to say "EVIL" instead of 
"safe".  And cmsutil told me that the signature was, as a result, invalid.

Then, in Firefox JavaScript:

var doc64 = "MIA...AAA";        // base64-encoded version of "doc.signed"
var docInvalid64 = "MIA...AAA"; // base64-encoded version of "doc.signed2"
var secureMessage = Components.classes["@mozilla.org/nsCMSSecureMessage;1"]
        .createInstance(Components.interfaces.nsICMSSecureMessage);

// Decode the untampered message and show its content.
try {
        var doc = secureMessage.receiveMessage(doc64);
        alert(doc);
} catch (e) {
        alert("receive message error:\n" + e);
}

// Decode the tampered message the same way.
try {
        var docInvalid = secureMessage.receiveMessage(docInvalid64);
        alert(docInvalid);
} catch (e) {
        alert("receive message error:\n" + e);
}

It alerts the two documents, including the one that was tampered with. 
Apparently, that call will strip off the signature, but not verify it.

Can I tweak this to make it work?  If not, is there any method that I 
have missed to:

* Create a document
* Digitally sign it
* Verify that signature, in a Firefox extension, in JavaScript

Thanks!
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
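
Added example (not part of the original post, and not nsICMSSecureMessage or NSS code): the gap described above between decoding a signed container and verifying it, shown with Node.js's built-in crypto module. The JSON envelope, the Ed25519 key pair and all function names are assumptions constructed for illustration.

```javascript
// Added example: runs under Node.js, not inside Firefox.
const nodeCrypto = require("node:crypto");

// Constructed key pair. Only the public key would ship with the consumer.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
const DOC = "This is a test document.  I will sign it.  It is safe.";

// Publisher side: content plus signature in a JSON envelope (hypothetical format).
function signDocument(text, key) {
  const content = Buffer.from(text, "utf8");
  const signature = nodeCrypto.sign(null, content, key); // Ed25519 takes no digest name
  return JSON.stringify({
    content: content.toString("base64"),
    signature: signature.toString("base64"),
  });
}

// Decode only: unwraps the content and never looks at the signature.
function decodeOnly(envelope) {
  return Buffer.from(JSON.parse(envelope).content, "base64").toString("utf8");
}

// Verify, then decode: the content is returned only if the signature checks out.
function openVerified(envelope, trustedKey) {
  const { content, signature } = JSON.parse(envelope);
  if (typeof content !== "string" || typeof signature !== "string") {
    throw new Error("malformed envelope");
  }
  const bytes = Buffer.from(content, "base64");
  const sig = Buffer.from(signature, "base64");
  if (!nodeCrypto.verify(null, bytes, trustedKey, sig)) {
    throw new Error("signature verification failed");
  }
  return bytes.toString("utf8");
}

// Reproduce the edit from the post: change "safe" to "EVIL", keep the old signature.
function tamper(envelope) {
  const env = JSON.parse(envelope);
  const text = Buffer.from(env.content, "base64").toString("utf8");
  env.content = Buffer.from(text.replace("safe", "EVIL"), "utf8").toString("base64");
  return JSON.stringify(env);
}

const signed = signDocument(DOC, privateKey);
const tampered = tamper(signed);
```

A consumer should act only on the return value of the verifying path; the decode-only path hands back the tampered text without complaint.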