Alberto found his solution independently and requested that
I post this for him.
Arshad Noor
StrongAuth, Inc.
-------- Original Message --------
Subject: RE: About Firefox security.
Date: Fri, 21 Sep 2007 10:30:19 -0500
From: Alberto Hernandez <[EMAIL PROTECTED]>
To: 'Arshad Noor' <[EMAIL PROTECTED]>
References:
<[EMAIL PROTECTED]@crosshorizons.com.mx>
<[EMAIL PROTECTED]>
Thank you!
We already found what was the difference between both signed messages.
Well not exactly the difference but at least how to make our code to work
This is what we are doing... we want to test something for
nonrepudiation... so using Crypto.signText we are asking Firefox to
digitally sign the document. For IE you need to use an ActiveX named
Capicom. Obviously the implementation from Firefox is much better... and
it uses some kind of salt we couldn´t decipher using bouncycastle... you
can't provide the original data if you don't know what the original data
is.
Here is some pseudo code
In IE Client
Capicom.signme("OriginalText");
In the Serverside (BouncyCastle)
Bc.isValid("OriginalText", pkcs7SignedText)
Firefox was not working that way.. so we think that Firefox is using
some kind of salt
Crypto.signText("OriginalText")
Crypto.internally.signText("OriginalText" + new Date() + username) or
something
So in the Serverside (BouncyCastle)
Bc.isValid("OriginalText", pkcs7SignedText) Wouldn't work
But actually Sun's JDK came to the rescue
http://forum.java.sun.com/thread.jspa?threadID=532742&messageID=2569488
This code doesn't compile but the part we need to have... that means the
PKCS#7 validation works fine.
<quote>
// parse the PKCS7 input file...
PKCS7 p7 = new PKCS7(siginfile);
// original data is embedded or "attached" to this P7,
// implicit verification will do...
SignerInfo [] si = p7.verify();
// check the results of the verification
if (si == null)
throw new Exception("Signature failed verification, data has been
tampered");
<quote>
It seems that we where not using the authentication params in our code.
Those params are being used by the internals of this code.
Thank you very much
Carlos Alberto
PD: Please resend this to the forum so this information gets stored
somewhere for a future reference.
-----Original Message-----
From: Arshad Noor [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 20, 2007 5:42 PM
To: Alberto Hernandez
Cc: dev-tech-crypto
Subject: Re: About Firefox security.
Alberto,
when you say "PKCS #7 signature is different from Firefox than from IE..",
are you referring to the signatures used as part of the SSL/TLS protocol
when the browser is connecting up to the secure portal?
Or are you implying that you have created some plug-in that calls native
libraries from Mozilla/CAPI to create digital signatures from keys stored
in the Firefox/IE keystores?
Or is it something else? The question is - how are the PKCS #7 signatures
being created and what role does the browser have in creating them?
Arshad Noor
StrongAuth, Inc.
----- Original Message -----
From: "Alberto Hernandez" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Sent: Wednesday, September 19, 2007 8:27:52 AM (GMT-0800)
America/Los_Angeles
Subject: About Firefox security.
Hello Guys,
My name is Carlos Alberto… I’m working at the Bolsa de Valores (Stock
Exchange, http://www.bmv.com.mx ) of México in some software that is going
to be used for the non repudiation of the exchange instructions.
My team has put some pressure under supporting Firefox in our portal. But
this time that got us into a problem, it seems that the PKCS #7 signature is
different from Firefox than from IE and we haven´t being able to detect how
is it different (rather than the most obvious places) for us to tweak our
process. We are trying to validate the signature using an OS library named
BouncyCastle but we have not being able to do that to the date. We think
that it could be some salt or maybe the encoding… but we can´t advance from
where we are.
Is there a way to simply emulate IE's signature... I'm pretty sure
that the
Firefox implementation is much better and that we are avoiding some other
attack using this salt (I think is a Salt) but we are working with huge
organizations that won´t easily change the way they are working... and that
means we will need to use IE signature style.
Do you happen to have some information about the differences from IE
signed
content and Firefox signed one? How to tweak firefox using javascript for
that? Or any other information that could help us.
Thank you very much, we really appreciate your help
Carlos Alberto
PD: I already tried to send this to 'dev-tech-crypto@lists.mozilla.org' but
I got a cannot be reached error.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
