Certificate Authorities and Digital Signatures

Instead of changing the Universal XPConnect privileges (see "Setting Up XPFE for Remote Applications" earlier in this chapter), you could create signed remote applications that can be granted access to users' computers. A signed application means that the application has a digital signature, which verifies that a file or group of files was created by the person or organization from which you download and that they are trustworthy. In essence, if you trust the person or organization signing the files, then you trust the files themselves.

Digital signatures originate from a certificate authority (CA), an organization that claims responsibility for any digital signature it creates. CAs act as gatekeepers by allowing only people who the organization trusts to create digital signatures. Large CAs like Verisign, whose certificates come preinstalled in many web browsers, enforce validity through large fees. For example, if you can afford $600, then you are an organization with whom the CA would be glad to associate. That $600 then also buys your application respectability with user's web browsers. You can see the CAs that come with the Mozilla browser by going to Privacy & Security > Certificates in your preferences panel and then by selecting the Manage Certificates option. Of the different types of CAs-there's a type for SSL connections, for example, and another one for S/MIME-the Netscape Object Signing certificate is what matters for signed applications.

Fortunately, to get your remote applications signed by a CA, you don't have to pay for a Verisign Netscape Object Signing CA because other options are available. You can use the MozDev CA, for example, and even create your own. The next section tells you how use Mozilla tools to become your own certificate authority so you can sign your own applications and those of other Mozilla developers. The "Creating Signed Remote Applications" section later in this chapter uses the MozDev CA to discuss both avenues.

Mozilla Network Security Services (NSS)

The Mozilla Network Security Services tools, which are described in detail at http://www.mozilla.org/projects/security/pki/nss/, allow you to become your own Netscape Object Signing CA. By becoming your own Netscape Signing CA, you can distribute signing certificates to Mozilla application developers. You can obtain the tools via a simplified distribution of NSS for Windows and Linux at http://certs.mozdev.org. These tools allow you to become a CA and to package signed remote Mozilla applications. Finally, the commands for CertUtil work the same way on Windows, Linux, and any other OS on which you run CertUtil.

 

Yada:
C:\NSS\bin>certutil -N -d CA


Yada.
Example 12-9: Creating a root certificate
C:\NSS\bin>certutil -d CA -S -s "CN=mozdev.org root CA, O=mozdev.org" -n "mozdev.org" -t ",,C" -v 96 -x -1 -2 -5

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:

Enter Password or Pin for "NSS Certificate DB":


Generating key.  This may take a few moments...

                          0 - Digital Signature
                          1 - Non-repudiation
                          2 - Key encipherment
                          3 - Data encipherment
                          4 - Key agreement
                          5 - Cert signing key
                          6 - CRL signing key
                          Other to finish
5
                          0 - Digital Signature
                          1 - Non-repudiation
                          2 - Key encipherment
                          3 - Data encipherment
                          4 - Key agreement
                          5 - Cert signing key
                          6 - CRL signing key
                          Other to finish
9
Is this a critical extension [y/n]?
y
Is this a CA certificate [y/n]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]:
3
Is this a critical extension [y/n]?
y
                          0 - SSL Client
                          1 - SSL Server
                          2 - S/MIME
                          3 - Object Signing
                          4 - Reserved for futuer use
                          5 - SSL CA
                          6 - S/MIME CA
                          7 - Object Signing CA
                          Other to finish
7
                          0 - SSL Client
                          1 - SSL Server
                          2 - S/MIME
                          3 - Object Signing
                          4 - Reserved for futuer use
                          5 - SSL CA
                          6 - S/MIME CA
                          7 - Object Signing CA
                          Other to finish
9
Is this a critical extension [y/n]?
y

Yada

C:\NSS\bin>certutil -d CA -L
mozdev.org                                                   u,u,Cu

Yada:

C:\NSS\bin>certutil -L -d CA -n "mozdev.org" -a -o CA/mozdev.cacert
Yada
C:\NSS\bin>pp -t certificate -a -i  CA/mozdev.cacert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1545620512 (0x5c204c20)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer: CN=mozdev.org root CA, O=mozdev.org
        Validity:
            Not Before: Tue Oct 15 00:53:31 2002
            Not After: Sat Jan 15 00:53:31 2011
        Subject: CN=mozdev.org root CA, O=mozdev.org
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    00:d1:d8:77:66:79:96:e9:30:e6:89:15:7b:d0:bd:
                    c7:97:5e:ba:52:68:f1:cc:7d:38:b6:f3:49:a3:35:
                    a8:8b:25:e8:74:db:0b:1e:a8:98:9d:8c:d3:ec:c3:
                    54:19:db:e9:f3:4a:c3:f4:e2:76:54:3d:bd:4d:ae:
                    9b:54:f1:02:21:82:8f:54:40:69:f8:16:46:59:12:
                    2e:e7:2f:19:09:8c:e7:19:4a:e3:10:6e:9c:94:07:
                    70:9f:d6:26:2b:ae:c8:81:ff:d7:94:d4:10:63:10:
                    de:f5:89:4f:6c:43:50:ad:85:22:82:af:22:f9:20:
                    1c:4b:66:81:bb:ed:45:3e:07
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name:
                Certificate Type
            Critical:
                True
            Data: 

            Name:
                Certificate Basic Constraints
            Critical:
                True
            Data: Is a CA with a maximum path length of 3.

            Name:
                Certificate Key Usage
            Critical:
                True
            Data:
                03:02:02:04

    Fingerprint (MD5):
        D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
    Fingerprint (SHA1):
        DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09

    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Signature:
        7b:7b:76:34:b5:4b:7f:f2:81:81:49:76:4f:43:a4:3f:1e:ef:
        72:5d:64:7e:5f:74:7a:68:dc:26:e3:c3:fc:60:3e:dd:62:0f:
        9a:c1:74:8f:0f:19:52:00:70:f3:2b:e5:7a:50:23:7f:1a:16:
        69:bb:31:a8:14:c2:c0:12:6f:a8:26:dc:87:66:c3:71:d0:e5:
        3f:d8:f4:b8:57:51:2c:ba:b2:51:50:29:4a:94:8f:ae:22:99:
        6e:8e:ad:97:bf:99:a8:1e:3c:4b:18:78:5e:c3:c5:0b:3a:08:
        35:81:58:8d:b7:fd:cb:af:8f:e7:b0:89:b1:77:9f:97:d1:4a:
        03:46
Yada:
C:\NSS\bin>certutil -d JAR -A -n "mozdev.org" -t ",,C" -i CA/mozdev.cacert
Enter Password or Pin for "NSS Certificate DB":

Yada:

C:\NSS\bin>certutil -L -d JAR
mozdev.org                                                   ,,C

Yada

C:\NSS\bin>certutil -d JAR -R -o JAR/req.txt -a -s "CN=nelsons object signing cert, O=mozdev.org" -v 95

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:

Enter Password or Pin for "NSS Certificate DB":


Generating key.  This may take a few moments...

Yada

C:\NSS\bin>certutil -d CA -C -c "mozdev.org"
 -i JAR/req.txt -a -o JAR/cert.txt -1 -2 -5
                          0 - Digital Signature
                          1 - Non-repudiation
                          2 - Key encipherment
                          3 - Data encipherment
                          4 - Key agreement
                          5 - Cert signing key
                          6 - CRL signing key
                          Other to finish
0
                          0 - Digital Signature
                          1 - Non-repudiation
                          2 - Key encipherment
                          3 - Data encipherment
                          4 - Key agreement
                          5 - Cert signing key
                          6 - CRL signing key
                          Other to finish
9
Is this a critical extension [y/n]?
y
Is this a CA certificate [y/n]?
n
Enter the path length constraint, enter to skip [<0 for unlimited path]:
-1
Is this a critical extension [y/n]?
y
                          0 - SSL Client
                          1 - SSL Server
                          2 - S/MIME
                          3 - Object Signing
                          4 - Reserved for futuer use
                          5 - SSL CA
                          6 - S/MIME CA
                          7 - Object Signing CA
                          Other to finish
3
                          0 - SSL Client
                          1 - SSL Server
                          2 - S/MIME
                          3 - Object Signing
                          4 - Reserved for futuer use
                          5 - SSL CA
                          6 - S/MIME CA
                          7 - Object Signing CA
                          Other to finish
9
Is this a critical extension [y/n]?
y
Enter Password or Pin for "NSS Certificate DB":

Yada

C:\NSS\bin>pp -t certificate -a -i JAR/cert.txt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1272441488 (0x4bd7ea90)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer: CN=mozdev.org root CA, O=mozdev.org
        Validity:
            Not Before: Tue Oct 15 01:40:09 2002
            Not After: Wed Jan 15 01:40:09 2003
        Subject: CN=nelsons object signing cert, O=mozdev.org
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    00:b2:98:55:fb:2a:08:60:06:8c:af:68:bf:c8:a2:
                    d7:7e:80:f3:11:fe:6d:3c:9c:50:20:d2:ad:84:7d:
                    c7:3e:ed:77:08:db:f6:82:ea:bf:98:7a:a1:00:24:
                    21:f9:3d:00:1e:5f:2d:52:31:d7:92:4b:1b:b3:c4:
                    a4:b6:65:34:64:82:ee:c1:f7:56:bc:1f:0c:fd:57:
                    0f:c8:a7:d7:63:47:7e:9e:e8:8b:9d:7f:f0:c1:79:
                    cf:d1:27:99:7c:23:16:7e:ed:fc:61:30:52:8f:b7:
                    07:49:4c:b3:ef:df:ce:d9:19:7f:7a:f1:3b:f9:82:
                    4c:e9:6c:be:47:27:c0:57:d1
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name:
                Certificate Type
            Critical:
                True
            Data: <Object Signing>

            Name:
                Certificate Basic Constraints
            Critical:
                True
            Data: Is not a CA.

            Name:
                Certificate Key Usage
            Critical:
                True
            Data:
                03:02:07:80

    Fingerprint (MD5):
        D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
    Fingerprint (SHA1):
        DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09

    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Signature:
        0d:fb:97:05:5b:de:71:83:8e:6d:6e:31:ac:82:44:3f:99:24:
        95:5e:03:dc:a4:9c:28:76:d6:64:37:2a:77:7e:6c:a4:25:62:
        41:79:53:50:c4:3a:96:c3:9e:0e:c8:62:6d:3a:fe:9f:69:ee:
        d6:8e:7d:a8:a8:e8:e6:14:95:af:57:1c:ef:22:c6:17:19:1e:
        2f:6a:ca:c8:d9:71:d2:9a:fb:ca:fd:d4:d1:5c:c0:f1:59:04:
        a7:f2:49:4a:0a:83:eb:ea:8a:c4:67:3a:ac:ce:8d:31:17:d3:
        61:eb:a5:03:33:5f:bf:82:7c:e6:a5:f1:61:b4:2e:fc:b8:09:
        e4:8d

Yada

C:\NSS\bin>certutil -d JAR -A -n "object signer" -i JAR/cert.txt -a -t "u,u,u"
Enter Password or Pin for "NSS Certificate DB":

Yada

C:\NSS\bin>certutil -L -d JAR -n "object signer"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1272441488 (0x4bd7ea90)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer: CN=mozdev.org root CA, O=mozdev.org
        Validity:
            Not Before: Tue Oct 15 01:40:09 2002
            Not After: Wed Jan 15 01:40:09 2003
        Subject: CN=nelsons object signing cert, O=mozdev.org
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    00:b2:98:55:fb:2a:08:60:06:8c:af:68:bf:c8:a2:
                    d7:7e:80:f3:11:fe:6d:3c:9c:50:20:d2:ad:84:7d:
                    c7:3e:ed:77:08:db:f6:82:ea:bf:98:7a:a1:00:24:
                    21:f9:3d:00:1e:5f:2d:52:31:d7:92:4b:1b:b3:c4:
                    a4:b6:65:34:64:82:ee:c1:f7:56:bc:1f:0c:fd:57:
                    0f:c8:a7:d7:63:47:7e:9e:e8:8b:9d:7f:f0:c1:79:
                    cf:d1:27:99:7c:23:16:7e:ed:fc:61:30:52:8f:b7:
                    07:49:4c:b3:ef:df:ce:d9:19:7f:7a:f1:3b:f9:82:
                    4c:e9:6c:be:47:27:c0:57:d1
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name:
                Certificate Type
            Critical:
                True
            Data: <Object Signing>

            Name:
                Certificate Basic Constraints
            Critical:
                True
            Data: Is not a CA.

            Name:
                Certificate Key Usage
            Critical:
                True
            Data:
                03:02:07:80

    Fingerprint (MD5):
        D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
    Fingerprint (SHA1):
        DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09

    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Signature:
        0d:fb:97:05:5b:de:71:83:8e:6d:6e:31:ac:82:44:3f:99:24:
        95:5e:03:dc:a4:9c:28:76:d6:64:37:2a:77:7e:6c:a4:25:62:
        41:79:53:50:c4:3a:96:c3:9e:0e:c8:62:6d:3a:fe:9f:69:ee:
        d6:8e:7d:a8:a8:e8:e6:14:95:af:57:1c:ef:22:c6:17:19:1e:
        2f:6a:ca:c8:d9:71:d2:9a:fb:ca:fd:d4:d1:5c:c0:f1:59:04:
        a7:f2:49:4a:0a:83:eb:ea:8a:c4:67:3a:ac:ce:8d:31:17:d3:
        61:eb:a5:03:33:5f:bf:82:7c:e6:a5:f1:61:b4:2e:fc:b8:09:
        e4:8d
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

Yada:

C:\NSS\bin>signtool -d JAR -k"object signer" -p"password_of_database" -Z"myapp.jar" myappfiles/

Creating Signed Remote Applications

Security in Mozilla's web browser is designed to meet today's advanced scripting needs in a secure manner. Mozilla is a much more secure browser than past Netscape 4.x and Internet Explorer releases because it has a better sense of what remote scripts can and cannot do.

Because of Mozilla's approach toward potentially insecure applications, if you decide to serve up your own application remotely, remember that you will not have automatic access to the chrome in the way you do when you have a registered, locally installed Mozilla application. Unless you sign your application or have the user turn on a special preference (see "Setting Up XPFE for Remote Applications"), services like XPConnect will not be available.

In Mozilla, you can bundle any number of files into a JAR archive (which, you'll recall from Chapter 6, is just a zip file with a JAR suffix) and designate the archive as an object that can be signed. This designation makes it very easy to produce an entire signed and secure remote Mozilla application because it stores your application in a single file type that Mozilla already treats as a separate package.

This section provides an overview of the signed script technology and shows you how to create signed applications that live on the server but take full advantage of the user's local chrome, including Mozilla components.