KTH (Royal Institute of Technology) Computational Biology Yüksek Lisans Öğrencisi
29 Jun 2013
After the GSoC midterm, there were two remaining important objectives to do: to write the NSS code to create a PKCS7 object (which includes the actual signature, encrypted SHA1 digest and the public certificate) and to improve the PDF signing GUI (which can be tested only in the experimental mode).
For the NSS part, first I have used the NSS PKCS7 API (secpkcs7.h and pkcs7t.h) to create the PKCS7 object. But it was very hard for me since NSS lacks a proper documentation (the one in the header files is not sufficient). Anyway, later on, I have decided to use the new and more fine grained NSS CMS (Cryptographic Message Syntax) API (cms.h and cmst.h).
I have followed following steps to create a PKCS7 object:
We need a NSS CERTCertificate structure to operate on the NSS world. So, DER encoded certificate data is obtained via the Encoded attribute of XCertificate and converted to a CERTCertificate structure using the
SHA1 sum of the PDF file is computed using the
PKCS7 object is created:
An empty CMS message is created using
A SignedData is created inside the CMS message using the
Since we use a detached PKCS7 object (which means that the PKCS7 signature object contains only the signature part, excluding the data itself) for the signing, an empty Data object is created inside the SignedData using
Certificate chain and signer info is added to the SignedData, using
SHA1 is added to the CMS message using
CMS message is DER-encoded via
NSS_CMSEncoder_Update is not used since we don’t have a Data).
Finally, DER encoded PKCS object is converted to the HEX representation and written to the relevant structure of the PDF which is prepared in the earlier commits.
And for the GUI part, I have used Thunderbird certificate selection GUI design in the PDF export dialog. Now, the selected certificate information is printed in a disabled Edit control and users are able to clear the selected certificate to cancel the signing operation. (I have also used the
PassWord = True property in the .src file for the certificate password input.)
At the end of the day, however, Adobe acroread shows the PDF signatures as invalid for some reason. But, it shows the certificate details correctly (which was not the case when I have used the old NSS PKCS7 API). So it seems DER/HEX encodings and the inclusion of the certificate chain are correct but there is a bug, apparently. Maybe the calculation of SHA1 or passing the private key password to NSS is wrong. I will try to figure it out soon.
Thanks to kendy and sberg for their devoted support in this GSoC project.