So I've been searching for a way to create a file, sign it, and then distribute it to my Firefox extension. Then, verify the integrity of that file before the extension acts on its contents.
I found nsICMSSecureMessage which appeared to be the only scriptable component that I could make use of that was in any way related to digital signatures and the like. So I came up with this:

    $ cat doc
    This is a test document. I will sign it. It is safe.
    $ cmsutil -S -N signtest < doc > doc.signed
    $ cmsutil -D -n -i doc.signed
    $ # copy doc.signed to doc.signed2, tamper with doc.signed2 here
    $ cmsutil -D -n -i doc.signed2
    signer 0 status = DigestMismatch
    cmsutil: problem decoding: Signature verification failed: no signer found, too many signers found, or improper or corrupted data.

I believe I now have a valid signed CMS document. I screwed with "signed2", editing the plaintext in the middle to say "EVIL" instead of "safe". And cmsutil told me that the signature was, as a result, invalid.

Then, in Firefox JavaScript:

    var doc64="MIA...AAA"; // base64 coded version of "doc.signed"
    var docInvalid64="MIA...AAA"; // base64 coded version of "doc.signed2"
    var secureMessage=Components.classes["@mozilla.org/nsCMSSecureMessage;1"]
        .createInstance(Components.interfaces.nsICMSSecureMessage);
    try {
        var doc=secureMessage.receiveMessage(doc64);
        alert(doc);
    } catch (e) {
        alert("receive message error:\n"+e);
    }
    try {
        var doc=secureMessage.receiveMessage(docInvalid64);
        alert(doc);
    } catch (e) {
        alert("receive message error:\n"+e);
    }

It alerts the two documents, including the one that was tampered with. Apparently, that call will strip off the signature, but not verify it.

Can I tweak this to make it work? If not, is there any method that I have missed to:

* Create a document
* Digitally sign it
* Verify that signature, in a Firefox extension, in JavaScript

Thanks!

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
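Added example (not part of the original post, and not NSS or nsICMSSecureMessage code): the failure mode reported above, where decoding a signed container returns its content without checking the signature, shown next to a verify-before-use version. It swaps in Node.js's crypto module with an Ed25519 key pair and a hypothetical JSON envelope in place of CMS; all function names and the sample document are constructed for illustration.

```javascript
// Added example: Node.js crypto, Ed25519, hypothetical JSON envelope (not CMS/NSS).
const nodeCrypto = require('node:crypto');

// Publisher side: wrap the document and a signature over its exact bytes.
function signEnvelope(text, privateKey) {
  const content = Buffer.from(text, 'utf8');
  const signature = nodeCrypto.sign(null, content, privateKey);
  return JSON.stringify({
    content: content.toString('base64'),
    signature: signature.toString('base64'),
  });
}

// The behaviour reported in the post: decode the envelope and return the
// content without ever looking at the signature.
function unwrapOnly(envelope) {
  return Buffer.from(JSON.parse(envelope).content, 'base64').toString('utf8');
}

// Verify against a pinned public key first; throw instead of returning
// unverified content, so the caller cannot act on it by accident.
function verifyAndUnwrap(envelope, pinnedPublicKey) {
  const { content, signature } = JSON.parse(envelope);
  if (typeof content !== 'string' || typeof signature !== 'string') {
    throw new Error('malformed envelope');
  }
  const bytes = Buffer.from(content, 'base64');
  const sig = Buffer.from(signature, 'base64');
  if (!nodeCrypto.verify(null, bytes, pinnedPublicKey, sig)) {
    throw new Error('signature verification failed');
  }
  return bytes.toString('utf8');
}

// Constructed sample: sign a test document, then edit "safe" to "EVIL".
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const good = signEnvelope('This is a test document. I will sign it. It is safe.', privateKey);
  const parsed = JSON.parse(good);
  parsed.content = Buffer.from(unwrapOnly(good).replace('safe', 'EVIL')).toString('base64');
  const tampered = JSON.stringify(parsed);
  let rejected = false;
  try { verifyAndUnwrap(tampered, publicKey); } catch (e) { rejected = true; }
  return {
    unwrapTampered: unwrapOnly(tampered),           // tampered text comes back
    verifiedGood: verifyAndUnwrap(good, publicKey), // untouched text verifies
    tamperedRejected: rejected,                     // tampered text is refused
  };
}
```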