Abstract: Is there a way, either via Firefox plugin or other means, to emulate JavaScript crypto.signText using an opaque algorithm instead of detached (what it currently does?) to sign arbitrary data. This includes the dialog box and access to the Firefox cert store. Also, the signText documentation doesn't seem to have been updated since 1998; is it possible my needs have been met since then and I'm missing them?
Any links, tips, etc. would be greatly appreciated.
I'm working on a project where I need to be able to sign data using PKCS7 (CMS) within Firefox using a cert from the browser's store.
My first attempt, and what I thought was my savior, was window.crypto.signText(), which does exactly what I want (displays the text to sign, prompts to select a cert and signs the text), except that it's detached and not opaque (meaning the signed text isn't included in the message).
I've been looking around for alternatives and documentation seems to be rather light. I only need to use Firefox and so there's the possibility of using a plugin for this.
If I understand what I'm reading correctly, NSS (Firefox's underlying security service) has support for PKCS7, but it's just not exposed to JavaScript, correct? Is there a way to do it via XPCOM? From what I read it seems you could access functions like what I needed (PKCS11), but that the stuff I needed wasn't available.
I've also just discovered that js-ctypes is supported, so I could use the NSS lib directly (or maybe OpenSSL) to handle signing.
Either of these options seem fine, but then I lose out on the interface. I had a hard time finding any documentation on accessing the cert store, or duplicating the signText window.
Thanks
For any future searchers, here’s my current (seemingly working) solution.
First, obviously crypto.signText doesn't work: it's detached (hence the question), and on top of that it's not great at signing binary data (also a requirement for me).
The next thought was to use the extension XPCOM API provided by Firefox. There's a good deal of nice crypto stuff available for use there. Unfortunately I couldn't find any evidence in the source or documentation that signing using the XPCOM interface would provide me with an opaque signature.
So we seem to have to expand past JavaScript, into Java. Originally I was going to try JSS; however, it became apparent that JSS actually wasn't needed, the built-in crypto functionality would be enough.
So I wrote an applet that builds on java.security and sun.security (proprietary). There's a small bit of JavaScript that passes the user's profile directory into the applet (so I can locate the certificate database in the user's profile), then I grab the private key, the data and sign a PKCS7 attached (opaque) message.
There's some fantastic documentation located Here.
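The distinction the whole thread turns on is attached (opaque, content carried inside the CMS message as eContent) versus detached (signature only, content shipped separately), which is what crypto.signText produces. The following added example, which is not the poster's applet and does not touch the Firefox/NSS certificate store, shows both forms produced over the same binary payload and a structural check that tells them apart. It uses Python's pyca/cryptography library instead of java.security/sun.security, generates a throwaway self-signed certificate in place of one pulled from the browser store, and the sample payload, names and the `embeds_content` heuristic are this example's own assumptions.

```python
"""Attached (opaque) vs detached CMS/PKCS#7 signatures with pyca/cryptography.

Added illustration, not the poster's Java applet; the self-signed cert stands
in for a certificate taken from the Firefox/NSS store.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID

# Constructed payload with a NUL, high bytes and a bare LF, standing in for
# the binary data signText handles badly.
SAMPLE_DATA = b"\x00\x01invoice-42\n\xff\xfe\x80binary-tail"


def make_self_signed_signer():
    """Generate a throwaway RSA key and self-signed cert (hypothetical signer)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-signer")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def sign_cms(data, key, cert, detached):
    """Return a DER-encoded CMS SignedData over `data`.

    detached=False -> attached/opaque: the payload travels inside eContent,
    the form crypto.signText cannot produce.
    detached=True  -> signature only; the verifier must be handed the content
    out of band and re-hash it itself.
    """
    options = [pkcs7.PKCS7Options.Binary]  # keep bytes as-is, no LF->CRLF rewrite
    if detached:
        options.append(pkcs7.PKCS7Options.DetachedSignature)
    return (
        pkcs7.PKCS7SignatureBuilder()
        .set_data(data)
        .add_signer(cert, key, hashes.SHA256())
        .sign(serialization.Encoding.DER, options)
    )


def embeds_content(der_signed, data):
    """Structural check: an attached SignedData carries the raw payload as a
    contiguous OCTET STRING (eContent); a detached one omits it entirely."""
    return data in der_signed


def signer_subjects(der_signed):
    """List the subjects of the certificates bundled in the message, which is
    the first thing a relying party inspects before trusting the signature."""
    certs = pkcs7.load_der_pkcs7_certificates(der_signed)
    return [c.subject.rfc4514_string() for c in certs]


if __name__ == "__main__":
    key, cert = make_self_signed_signer()
    attached = sign_cms(SAMPLE_DATA, key, cert, detached=False)
    detached = sign_cms(SAMPLE_DATA, key, cert, detached=True)
    print("attached embeds payload:", embeds_content(attached, SAMPLE_DATA))
    print("detached embeds payload:", embeds_content(detached, SAMPLE_DATA))
    print("bundled signer(s):", signer_subjects(attached))
```

Passing `PKCS7Options.Binary` matters for the binary-data requirement mentioned in the answer: without it the library canonicalises line endings before hashing, so a recipient verifying the raw bytes would see a digest mismatch. The `embeds_content` check is only a quick sanity test that the right form was produced; actual verification (certificate chain, signed attributes, digest) still has to be done by the recipient.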