Implement digital signature validation #13351
Comments
|
It's pretty easy to implement (regarding existing js libraries) BUT the main concern is about having something the user can trust because here everything is a matter of trust. |
|
Does this need to be in NSS? Does pdf.js have access to the gecko runtime? |
|
Does (I think/support that non-browsers environments are not an official target for the project but for anyone concerned about support in Node, see https://nodejs.org/api/webcrypto.html#webcrypto_class_subtlecrypto .) |
|
@CetinSert the complication isn't crypto, it is support for certificate decoding, trust stores, path validation, timestamping, CMS, etc so, unfortunately, webcrypto isn't enough. Made https://pkijs.org/ to provide these things on top of WebCrypto but in Mozilla land, NSS would be a natural choice as it has many, but not all of these things. There is the question of trust store contents, this gets more complicated, the Mozilla Trust Store does have a S/MIME policy but nothing for document signing. It also lacks the necessary timestamping and numerous attributes one needs when doing a full implementation so there is still a non-trivial amount of work to do with this approach. |
|
For anyone who's looking for a temporary solution while waiting for official support from this project. |
@calixteman just making sure you saw this ^ |
|
@mozkeeler, thanks for reminding me. |
|
Any estimate on when this will be available in a stable release? |
|
@andrewyu7575 there are no short term plans to implement digital signature validation, but we'd be happy to accept a contribution. |
|
Just bumped into this. Is there any 'simple' way to just display a 'warning' onscreen that the shown signatures are not validated? Now there is only a console.warn, but maybe just show something inside the pdf.js as overlay or something, to warn users that the signatures shown are not displayed? Any Idea where I can put something like this in the code? |
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as off-topic.
This comment was marked as off-topic.
|
Hello, what is required for this to move forward? What would the roadmap be? Could you list the requirements to know how we can contribute? |
|
@lexcorp the path to fix this is what Calixte said in #13351 (comment). We need to write code to validate signatures using NSS, then expose the required functions to pdf.js. |
|
We might be able to rely on part of the TLS certificate chain verification functions we already ship in Gecko/PSM, but that's not enough, we need a root CA store specific to "document signing" (which isn't a well defined notion at this point...). I am restarting the internal discussion by email. |
|
@beurdouche If you need a CA for test, you can use Dogtag Certificate System: https://github.com/dogtagpki/pki https://people.redhat.com/tscherf/articles/lm_en_dogtag.pdf
|
(Previously tracked in #1076.)
PDF.js now displays digital signatures, but doesn't validate them, which is comparable to what other PDF viewers do. However, it would be good if we can also implement validation for them, so this is a tracking issue for that.
The text was updated successfully, but these errors were encountered: